The PNC Financial Services Group, Inc. (PNC) Earnings Call Transcript & Summary

December 1, 2020

New York Stock Exchange | US | Financials | Banks | Conference presentation | 29 min

Earnings Call Speaker Segments

Marissa Alvord

attendee
#1

Joining me today is a group of data leaders here to discuss mitigating data risks and meeting the increased demand for data protection. Thank you so much for joining us today, everyone. It's so great to have you joining us virtually for FIMA. And I want to go ahead and do some brief introductions before we get into the conversation. We typically just go [indiscernible] by first name. So Joe, would love to start -- excuse me, Doug, would love to start off with you first, please. Welcome.

Douglass Stewart

attendee
#2

Hey, thanks for having me. My name is Doug Stewart. I lead Vanguard's enterprise data office. Vanguard, large asset manager located in Malvern, Pennsylvania. Excited to be here.

Marissa Alvord

attendee
#3

Thank you so much. And Joe, welcome back. We'd love to hear from you next, please.

Joseph Incorvati

executive
#4

My name is Joseph Incorvati. I work for PNC Bank here in Pittsburgh, Pennsylvania, where we are based. PNC is a large retail as well as commercial bank essentially located in PA, but we do have offices pretty much all over the United States at this point.

Marissa Alvord

attendee
#5

Glad to have you here. And welcome back, Scott. We'd love to hear from you next, please.

Scott Preiss

attendee
#6

Thanks, Marissa. I'm Scott Preiss, Managing Director and Global Head of CUSIP Global Services, which is operated by S&P Global Market Intelligence for the American Bankers Association. And I'm delighted to participate on this very timely panel, and I hope to bring a bit of a different view with regard to data protection.

Marissa Alvord

attendee
#7

Well, thank you so much, and we're so glad to have you all here today for, yes, what is quite a timely panel.

Marissa Alvord

attendee
#8

I wanted to get right into the conversation here. And Doug, would love to hear from you first, please, a little bit about which are the categories with sensitive data that needs to be protected at a higher standard? And maybe just talk a little bit about how that's evolving as well, please.

Douglass Stewart

attendee
#9

Yes. So I can talk about -- and obviously, there's a variety of them, but I can talk specifically about our interactions with clients. And obviously, something that's very important, actually something that is changing by the ballots in California is personal identifiable information, right? So consumer information that we have on our clients is some of the most sensitive and some of the most critical information that we have. One of the things, I would say, that's unique about that and that's something that has always been critical, GDPR, CCPA, various legislation and regulation has made even more critical as we begin to think about that data as being owned and the responsibility of -- or the right for clients to understand how that data is being used, that grows. The sensitivity of that data and the ability to protect and manage it grows as well. One of the things, I would say, that is a bit unique is the growth in -- that we've seen in video data. So if you think about this video right now, right, if you think about almost every day, all day, all of us are in Zoom calls or Microsoft Teams, whatever that may be. So we're actually seeing a really big growth in the amount of sensitive information we have on employee data, right? So as employees are sitting in meetings through Teams or through Zoom, whatever it may be, those meetings are being recorded. And so what you end up having is kind of a -- it's creating a bit of a risk and some potential to use that data, really beneficial reasons by enabling spread of information more effectively, but there's potential risk there in that there's a lot of PII information in our faces and our voices that's kind of being recorded and held in a very distributed way across the company. 
So we've done a little bit of work with the privacy team to begin putting in some standards in place to make sure that as we record more and more of our meetings and as we have more and more video with the families with our homes in the background, that we're really doing the right things to make sure that we're protecting that data.

Marissa Alvord

attendee
#10

Anything else -- thank you so much for that, Doug, and that's a really interesting perspective, I think, about how we're all working so differently and the implications for that. Anything else to add here on this one, Joe?

Joseph Incorvati

executive
#11

Yes. I would concur with Doug that those are areas that are concerning as we start to venture into more and more of a virtual type environment, whether it be just working from home or actually trying to meet with clients from home. We, too, as well as what's going on there, Vanguard, looking -- for Vanguard, looking at how that data is collected, where can we physically store and perpetuate that data. I think they're on the big data environment, and then what types of security needs to be placed on top of that environment because it is, by the nature of it, very unstructured. You don't have a nice database that's associated with that data set that you can easily place security over. So you have to get a little bit more creative and understanding around what type of data could possibly be in there and then what those recordings could actually contain because it's not uncommon for, in a recording, for somebody to actually rattle off their social security number or rattle off their address, et cetera. Things that are typically identified in a tabular format are now being identified in a video format. So it does get a little bit more problematic, and you've got to pay attention to those items.

Marissa Alvord

attendee
#12

And Scott, anything else to add to that? Maybe talk to us about the pre-trade environment as well.

Scott Preiss

attendee
#13

Yes. Thanks, Marissa. So my nexus to data protection is a little different. So CUSIP Global Services' entire existence really is predicated on providing key fundamental market and reference data to global market participants. So how we ensure that our data is protected as well as primarily sourced, maintained with the highest degree of integrity and distributed is really part of our DNA. So data protection is a core component in terms of how we serve market participants. And one example is really the actual workflow process governing registration in the pre-trade environment, as you said, of new issuing entities, securities offerings across multiple asset classes and associated data. And so for example, new issuing entities as well as existing corporate and municipal issuers as well as their agents, like managing underwriters, all approach CUSIP Global Services in the pre-trade environment, and they share private draft offering documentation and other legal documents and preliminary data. And so when you consider the timing, the multiple asset classes or other considerations, such as whether an instrument might be issued pursuant to certain regulation like 144A or Reg S, the protection and the release of that data to the market must be pristine. And for instance, on a complex new security, that could be as many as 60 discrete data points that are required to guarantee uniqueness and fungibility of that instrument. And the issuer or the issuer's agent may desire to keep that information confidential until certainly after announcement, but maybe even through -- and up until the post-trade environment. So when we think about private placements and syndicated bank loans, issuers not necessarily wanting the public to know that they're tapping the capital markets with a new instrument forthcoming, there needs to be a sustained investment in technology and people and processes all around data protection.

Marissa Alvord

attendee
#14

Yes. I think it's just becoming so much more important as everything is changing. And I want to talk now a little bit about how organizations are starting to organize themselves to protect data more effectively. Doug, wanted to turn to you on that one.

Douglass Stewart

attendee
#15

Yes. So we've gone through a pretty major shift, I would say, in the last couple of years, moving from what was really a project-driven organization where we would have the data management and data -- data management capability that would tackle projects that would come on, whether it be GDPR or CCPA, trying to figure out what the requirements are and then tackle those things, put them on the shelf and then move on to the next project. So we're shifting from that type of environment to much more of a product-oriented environment where you have sustainable teams that exist in perpetuity focused on a specific capability or focused on a specific set of capabilities. So the way that we've divided it up is a team that's focused specifically on data access and usage, right, so constantly working on the tools and the capabilities and the processes around how people access data and how we determine who uses data for what purpose. So those teams will come out with a new set of features, and instead of it being a project and then moving on to something else, they're there in perpetuity. So they build this product, they manage it in production and then they continually try to improve it. So moving from a system where we'll kind of address -- it felt like very ad hoc where we're kind of addressing challenges, addressing changes in the environment as needed to one where we have these durable product teams that are constantly looking and constantly developing new features focused on data management.
Those product teams, the way we've divided it is a team focused on data quality, so constantly building out the capability there; data governance, determining really usage and access of data; data cataloging, right, so the extent to which we are cataloging and creating a lineage of data; and data discovery, right, which is becoming a bigger component obviously with the CCPA, making sure that we have the ability to discover data like we talked about, big data, right, unstructured, structured, determine where it is. So that's kind of the suite of products we have now and -- year-over-year. So the net new investment isn't necessarily a project, but it's saying, okay, what new products or what new capabilities do we need. Maybe we need to stand up a new product family.

Marissa Alvord

attendee
#16

Great. Thank you so much for sharing a little bit about how you're organizing at Vanguard around that. Joe, I wanted to turn to you next a little bit about the different partnerships that you're forming within PNC with CSO, legal compliance. Tell us a little bit about what that's looking like as you're managing information sets, as we're seeing benchmarks becoming increasingly stringent.

Joseph Incorvati

executive
#17

Yes. Similar to what Doug described, what we found was, specifically related to California Consumer Privacy Act, was a call for there to be a strong partnership between privacy, compliance, data management as well as information security and then ultimately, legal. And that partnership really was formed in 2018 and '19 for us to really prepare us for what would be the long-term product, as Doug referred to it, as the kind of data protection office, right, that would actually create and sustain the ability for individuals on the outside of PNC to come in, make a request for information or request for deletion of their data in one format and in one structure. It was a really pivotal time for us because we went from reading the law and then pushing it out to our lines of businesses and having an expectation of them becoming compliant with the law, to reading the law and then figuring out whether or not it really made sense for us to create an internal centralized capability to achieve compliance to that law versus pushing it out and allowing the lines of business to just do their own way. That changed for us with CCPA. And with GDPR and then CPRA, which is coming right on the heels of CCPA, there likely will be a larger investment for us specifically related to how that centralized utility or capability, as Doug called it, being available to more and more of our lines of businesses so that we don't have a one-off being done in one line of business that's different than how all the other lines of businesses are doing it. And one of the things that really helped us do that was specifically that partnership that we talked about between legal, our compliance office, our chief privacy office and then our data office itself because you needed to have all of those folks in the room to actually come to a conclusion on what was the right thing to do for PNC as it relates to that law.

Marissa Alvord

attendee
#18

And Scott, anything else to add here?

Scott Preiss

attendee
#19

Yes. I would certainly quickly echo the sentiments expressed by Doug and Joe. I think the answer is almost embedded in the question. It's all about partnering. And given CUSIP's industry utility role, we're really careful, if not obsessive, about not making data protection or distribution decisions in a vacuum. We work very closely and, in fact, daily with our firewall technology team and leadership and specific subject matter experts across legal and compliance to ensure that both our inbound and our outbound data processes are solid and tested very frequently. And given that the CUSIP franchise is owned by the American Bankers Association, safety and soundness rightfully is the mantra of the banks who formed the CUSIP system, and that principle certainly remains today.

Marissa Alvord

attendee
#20

All right. And I wanted to know -- look a little bit more at data compliance programs. And Scott, wanted to turn to you on that one and have you shed some light on how are you seeing data compliance programs evolving and audits as well and what role do they play in ensuring market data is protected.

Scott Preiss

attendee
#21

Yes. Thanks again, Marissa. So at first blush, data compliance and audit may not strike one as data protection in nature, and I know that just the expression audit often has negative connotation. So generally, what our focus is, is more on usage reviews. And so CUSIP Global Services, given that the intellectual property or the data is really owned by the American Bankers Association, really need to understand with clarity where, how, in what volumes and for what purposes CUSIP content is used, stored and distributed. And so under the guidance of our senior industry Board of Trustees, the usage review process has really evolved from a few years ago where that was more of a reluctant discussion with a licensee or a user to what we're proud of is really a 1-hour or less, noninvasive discussion that many described as a nonevent. So some of our folks have really developed a subject matter expertise that makes it more a surgical procedure. And through this dialogue and through partnering with our users and ensuring that actual usage is in lockstep with their licensing agreement and the terms and conditions of that agreement, we actually assist CDOs and other stakeholders, other data stewards in being fully compliant. And interestingly, the pandemic has actually provided a great deal of flexibility in these what are now virtual usage reviews. We're getting really good feedback on that, especially on the noninvasive nature of these discussions. And it's important to note that the objective of these discussions is not to assess any penalty even for unwilful, past misuse of content. That's not the point. The point is to get it right, get everyone on a level-playing field among similarly situated users going forward. And we also use a third-party at times who is not compensated for what they find nor compensated by the hour. They're really indifferent in terms of the finance. So we find that's really important in terms of independence. 
So from a data protection perspective, understanding, again, with clarity where that data is flowing and how it's used gives tremendous benefit to the user community. Often, we're rightsizing licenses and reducing fees, and that's been really well-received and all of this, again, in the name of data protection.

Marissa Alvord

attendee
#22

Great. And any other thoughts here before we move on? Doug, I saw you nodding quite a bit.

Douglass Stewart

attendee
#23

Yes. Just to validate Scott's comments there, I think we've experienced some of that as well. Just creating the lineage and transparency in terms of how external purchase data is being used enabled us to find -- obviously, to ensure that we're meeting the right -- complying with the usage of that data as per contract. But we'd actually found redundancy, right, in purchases of data, and we found that there is duplication of efforts and work. And so to your point, Scott, it ended up actually being a benefit both from a risk standpoint and from a cost standpoint.

Marissa Alvord

attendee
#24

Great. I wanted to move on to the topic of data risk now. And Joe, I wanted to ask you, what are the different components of data risk to measure data risk across various programs?

Joseph Incorvati

executive
#25

Yes. So here at PNC, we actually simplified our definition of data risk, and it's really -- it comes down to that risk of that data being inaccurate or incomplete. And with that focus, we're able to very narrowly go in, in detail for our Board of Directors exactly what data is important to the organization and whether or not that data is being effectively monitored and we're effectively managing that data across its life cycle. Our data risk function in and of itself is not a very large function, but we do actually create and highlight a quarterly report to the Board on where the most important data to the organization is run relative to its accuracy, its completeness as well as relative to its data management principle. And so what that did for us, what it allowed us to actually highlight where the important areas are. We recognize that there is a treasure trove of data within any institution. It'd be very easy to get lost in that detail of that data and whether or not that data has any risk associated to it. So what we did is we created a function to allow us to actually zero in on what we call critical data of the organization and then more importantly, build metrics on that critical data that help the Board as well as our management teams understand exactly whether or not that data is accurate, it's complete, what its relative quality looks like, whether or not we have good lineage on that data and how that lineage is actually being managed and updated regularly as part of data management principles. And so our risk view is actually focused on that view of data versus trying to dive into the information security risk of it, the usage risk of it, those types of things. What we're really focused on is accuracy and completeness.

Marissa Alvord

attendee
#26

Doug, anything else to add here around how you're quantifying data risk at Vanguard?

Douglass Stewart

attendee
#27

Yes, I would second that. We largely measure it as an input, right? So to what extent are we -- one of the big measures we use is to what extent are we -- or what percentage of our data is being actively managed. So by that we mean what percentage of our data has gone through the quality controls that it needs to, has business metadata terms, has technical metadata terms, has clarity of ownership and lineage. And so constantly trying to increase that. What we want to get to is more of an outcome measure. So obviously, we're pursuing those things in an effort to reduce risk and/or effort to reduce cost on the offensive side, right, with our business clients leveraging that data. And so the extent to which people believe data to be an asset or liability, right, a balance sheet item, we want to try to put some kind of a financial metric in place. We haven't kind of cracked the code on that yet. But obviously, as an asset manager and as -- in the financial services industry, I think that we kind of -- we treat our assets or other assets kind of with -- in the same vein. So we're looking to how we think about metrics and value at risk on the investment management side and thinking about applying those types of things on the data side.

Marissa Alvord

attendee
#28

Great. Any final thoughts on this one, Scott?

Scott Preiss

attendee
#29

I would say in terms of data assets, for the CUSIP business at least given our utility function, it's more a consistent review of our processes, knowing which data elements, for example, are being captured, which ones and why, understanding the specific purpose behind each data element as well as a periodic review of those data points and making certain we have enough data to guarantee uniqueness with the purpose of cutting risk exposure, but also some tangential issues like ensuring that there's appropriate storage for and security of the data as well as putting processes in place for periodic purging of dormant records and for end-user data that should be purged periodically. So circling back on those disciplines is really important in terms of how we apply an assessment of data assets.

Marissa Alvord

attendee
#30

Okay. Great. And I think this is going to tie nicely to the next theme I wanted to talk about, which is around the life cycle management of data and a little bit more around kind of tokenizing and kind of effective controls for data. Joe, I know we talked quite a bit about this like idea of tokenizing PII. I wonder if you can talk a little bit about that and where in the life cycle of data are these controls most effective in contributing to better data quality.

Joseph Incorvati

executive
#31

The interesting thing here is there's 2 types of risk that you're going after. One of them is the, obviously, the risk of the data being inaccurate or incomplete. And then there's the risk of the data actually being exposed, which is part of the reason why you would tokenize it. In terms of its relative accuracy and completeness or the quality of that data, what we have found is in the life cycle, putting as many of those controls as early on in its data -- in a data journey as possible. So at the point of capture, you should be indicating whether or not a specific field meets a specific standard, for example, social security number, date of birth, those types of things. You can build a number of those controls right upfront, so it minimizes the risk of it being inaccurate or incomplete or in some cases, just blank. And the reality of it is, is when it comes to then that data at rest, where you're starting to consider how you would then secure that data through tokenization or anonymization, that's usually done typically on the back end of the life cycle, just before you get to where you're looking at the data for whether or not it's stale and it needs to be purged, those types of things. So we are investing right now in an effort to actually tokenize a load of our data that's actually housed on our big data platforms and other -- in our Teradata data warehouses, primarily driven by the fact that we want to make sure that, that data at rest is actually secured both from a security perspective, just from a pure kind of information security perspective, but also knowing that we have the right people that have the right access to that data and they're viewing it through the right lens. And so only those individuals will be given the keys to actually see the data that they need to see.

Marissa Alvord

attendee
#32

Great. And we have time for about one last kind of deep question here. So I want to talk a little bit more about the question of access. Let's get into that a little bit more. But how are you addressing the question of access and data permissioning to guard against the leakage of data? Scott, wanted to start off with you first with this in regards to the data compliance program.

Scott Preiss

attendee
#33

Thanks, Marissa. So given my earlier comments regarding our compliance program, data leakage is certainly a concern and a focus. And so the usage review process that I discussed earlier, it's certainly a valuable tool. Knowing with certainty where and why data is used and where it's flowing is part of that. No surprise to my colleagues, I'm sure, on the panel and market participants in general that entitlements -- building entitlements into services and even within services, data entitlements regarding specific fields or specific asset classes. So we have customers of our web-based tools and services who are only interested in corporate equities and others that only want a window into syndicated bank loans. So being able to protect data by system, by entitlements is also an important component, as is more granular or formal reporting by data distributors, being able to identify with certainty downstream users and making certain that one and only one appropriate license is in place so an end user can take multiple data inputs from multiple sources. So making sure that process works and what the guardrails of an agreement are. And then finally, I would call this watermarking data, which is really still an emerging concept. But the use of distinctive characteristics within a data set to assist in tracking that data throughout its lifestyle has really proven to be very valuable in terms of data protection, but also protecting the client and making sure they're within the confines of allowable usage.

Marissa Alvord

attendee
#34

Anything else to add here, Joe or Doug?

Douglass Stewart

attendee
#35

Yes. I'd say -- I mean, access is a really interesting space. There's been a lot of innovation. To Scott's point, I think one of the tools that we're pursuing is finer-grained control, right? So not to project, but in our experience, access has been limited to broad sets of groups, to broad sets of data, not because they couldn't access any of it, but because we didn't have the ability to control exactly which rows or exactly which columns every single individual is able to access. So with that greater level of precision, right, so we kind of have these big hammers that we'd use, sort of these big firewalls that we would use, say, well, you can't use any of this because it has some PII in it. Instead, if we can begin to peel that away and provide fine-grained row/column level access, it kind of changes the game there. And that said, it requires a really strong level of transparency into your data, right? It's a pretty -- it increase -- it makes -- adds complexity into the system because now you have to provide fine-grained -- not just, hey, this bucket, yes or no. It's, well, okay, which columns can which employee access. So automation behind the scenes is really critical there and really strong data catalog is really critical there. We believe so that's kind of -- that's the pathway we're beginning to explore right now, and we're partnering with AWS on that work.

Marissa Alvord

attendee
#36

Thanks. Any final thoughts, Joe?

Joseph Incorvati

executive
#37

Yes. Likewise with what Doug had just mentioned there, giving that access at a row -- at a record row level versus just at a system level is something we started to toy with a bit with our big data environment. We're actually looking at using AI, if you will, to help us determine where those specific intersections could be or should be, if you will, for access to be granted because there is a lot of data for us to go through and to consider when you're looking at row-level type security or even record field level type security. You really have a lot of information to go through. So if you can have a bot do a lot of that work for you upfront to determine what those credentials need to be or need to look like for that security to be implemented, it's massively helpful. And so that's one of the things that internally within our organization, we've invested in. It's not the fun stuff that people like to do to actually generate revenue. It's more of the stuff that we like to do internally with the data management to make sure we're securing the data appropriately.

Marissa Alvord

attendee
#38

Great. Well, I believe that we're out of time now, but I wanted to thank you all so much, again, for joining us here today. It's been a pleasure chatting with you all and certainly look forward to hearing more from you as we continue to evolve the story around data risk and data protection. Thank you so much again.

Scott Preiss

attendee
#39

Thank you.

Douglass Stewart

attendee
#40

Thank you.

Joseph Incorvati

executive
#41

Yes, thanks for having us.
