The spreadsheet iceberg: Why regulators are targeting "unmanaged" data and how Workscope provides the proof of control

Written by Ben Rapp | Jun 3, 2026 12:32:50 PM

In the tightly-regulated arena of financial services, the most devastating fines rarely stem from a failure of core banking systems or massive, centralised database breaches. Instead, they often originate in the most mundane of places: a single, unvetted Excel spreadsheet, a forgotten CSV export, or an unmonitored "shadow" folder.

For regulators like the Financial Conduct Authority (FCA) in the UK and the US Securities and Exchange Commission (SEC), the issue is not just the error in the data, but the failure of the oversight framework that allowed the error to exist, go undetected, and influence critical financial reporting.

The anatomy of a regulatory failure: The spreadsheet trap

History is replete with examples where "End User Computing" (EUC) failures led to multi-million-dollar penalties. While the specific mechanics vary, the root cause is almost always a breakdown in data governance and lineage.

Financial institutions recently hauled over the coals by regulators include Citibank, which was fined $136 million in July 2024 for its failure to address longstanding data issues; Deutsche Bank, which faced a penalty of $186 million in 2023 for making insufficient progress to tighten, amongst other things, poor compliance oversight practices; and Goldman Sachs International, which was hit with a double whammy when it was penalised by the FCA and the Prudential Regulation Authority to the tune of £96.6m for internal process shortcomings.

1. The "Broken Model" Scenario (The operational failure)

In several of these high-profile cases involving European and US banks, regulators have levied fines following the discovery of "model risk" stemming from unmanaged spreadsheets. In these instances, critical capital adequacy calculations or liquidity stress tests were performed using Excel models that lacked version control, peer review, software testing, or audit trails. The "failure" wasn't just a calculation error; it was the firm's inability to demonstrate that its reporting process was sufficiently robust, accurate, reliable and reproducible.

2. The "Shadow Data" scenario (The governance failure)

Regulators have also targeted institutions where "shadow" datasets (i.e. unstructured files containing PII or sensitive market-moving information) were discovered in unmanaged areas of the estate. The fine here is not for the data itself, but for the failure of supervision. When a regulator asks, "How do you know all your sensitive data is identified and protected?" and the firm can only point to a manual, error-prone inventory, a penalty is inevitable.

In both cases, the common denominator is a visibility gap: the inability to prove that a process is functioning appropriately and serving its intended control purpose.

The compliance gap: Why traditional IT fails

Traditional IT governance tools are designed for the "known universe": the databases and applications that IT manages directly. They are effectively blind to the "unstructured universe", which may include some, and in certain instances all, of the following:

  • The "dark" Excel files: Workbooks that live on local drives, outside the view of central enterprise resource planning (ERP) systems.

  • The "broken" lineage: The "black box" where data is transformed via undocumented macros, unverified links and lookups, manual copy-pastes and tribal knowledge.

  • The "invisible" lifecycle: Data that is created, used for a critical report, and then "abandoned" in a shared folder without any lifecycle management.

Workscope: Turning unstructured risk into demonstrable oversight

The fundamental challenge for a Chief Risk Officer (CRO) is to move from "trusting" that processes are managed to "demonstrating" it to a regulator. This is where Workscope’s agentic discovery and classification provide a transformative "risk treatment."

Workscope does not attempt to replace the spreadsheet; it governs the environment in which the spreadsheet lives.

1. Automated identification (Closing the visibility gap)

Workscope’s autonomous agents perform continuous, deep-level discovery across the entire estate. They do not just find "files"; they identify the presence of unmanaged EUC (End User Computing) assets. By bringing these "shadow" spreadsheets into a searchable, catalogued inventory, Workscope eliminates the "we didn't know it existed" defence, which regulators no longer accept.

2. Intelligent classification (The proof of context)

Through advanced AI-driven classification, Workscope identifies the nature of the data within the unstructured files. By automatically tagging spreadsheets containing PII, MNPI (Material Non-Public Information), or sensitive financial parameters, Workscope provides the granularity of oversight that regulators demand. Detailed analysis of Excel models identifies errors, links, cross-workbook lookups and macros, while automated policy enforcement includes the triggering of questionnaires and classification prompts which require users to identify and explain their models. Cumulatively, this has the effect of implementing data governance policies at the procedural level, rather than requiring expensive remediation further down the line.

3. Automated Lineage (The audit trail)

Perhaps most critically for regulatory-ready reporting, Workscope’s agents track the lineage of data movement. By observing how data moves from a structured database into an unstructured Excel model, and subsequently into a regulatory report and onwards, Workscope creates a verifiable audit trail of the process.

From liability to audit-ready asset

In the eyes of a regulator, organisations need to demonstrate strong governance, deliver effective risk management and comply fully with their regulatory requirements, regardless of how strict or onerous those requirements are.

For a regulator, "unmanaged" is a synonym for "uncontrolled." Any organisation concerned that vulnerabilities exist within its operations, whether known or unknown, can draw comfort from knowing that tools exist to eliminate these “blind spots.” The implementation of Workscope does not simply "find" files; it provides clear evidence of the oversight required to satisfy the most stringent audits. By transforming the "unstructured shadow" into a "catalogued asset," Workscope allows financial institutions to move from a state of reactive panic to a state of proactive, automated, and crucially, auditable compliance.