Request my free demo

Digital Rights Management: It’s Time to Take Control of Data Usage

Contractual rights management, also known as digital rights management (DRM), has emerged as a hot issue in financial information and market data circles.

It refers to the ability to understand how commercially supplied data sets may be consumed or redistributed within a financial institution, with the intention of ensuring that firms are not at risk of falling out of compliance with the licensing agreements they hold with data vendors.

While Rights Management may be seen in the context of the broader Know Your Vendor/Supplier initiative, which aims to mitigate risks to supply chains in the event of a supplier default, for financial firms the fear of audit is a major driver. The costs involved in an audit of firms’ financial data usage have been highlighted by a number of public instances involving well known institutions. The financial penalties that resulted, as well as the significant reputational damage, appear to have sparked firms’ awareness of the issue of non-compliance with licensing agreements.

The industry’s response so far, to get behind the broader and industry-agnostic Open Digital Rights Language (ODRL) initiative, is a step in the right direction. But despite industry support and good intentions, implementation and adoption may be some years away. What’s more, ODRL only solves for part of the problem, and will require firms to conduct their own analysis of their vendor agreements and implement software tools to use the new language.

This article looks at the challenges of proactively managing vendor relationships through Rights Management, and offers some ideas on how firms can act now to protect themselves from non-compliance with vendor licensing agreements.

Why Digital Rights Management Now?

The emergence of rights management on data managers' list of priorities has coincided with a hardening of attitudes toward licensing compliance among financial information providers.

This in turn has stemmed both from the increasing complexity of data licensing (to include elements like non-display data, derived data creation and fees for delayed and historical data) and from the disconnect between applications and the data sources that drive them. This latter phenomenon, wherein applications increasingly share data services rather than draw upon their own dedicated sources, has highlighted a lack of controls over data lineage, resulting in some highly public audits carrying significant financial penalties for the firms involved.

In these instances, firms have been forced to settle for substantial amounts with market data suppliers and exchanges when audits found widespread unauthorized use of the supplier’s data services throughout the organizations. The marketplace was startled, not only by the reported size of some of the settlements, but by the damage to the firms’ reputations as a result of the publicity.

These cases crystallize the industry-wide fear of a market data audit. But the fear manifests itself in several ways.

First and most obviously is the financial cost of settling for any unlicensed data usage discovered by the audit. Without proper entitlements and governance procedures in place, firms may find unauthorized users are accessing and consuming data sets they don’t have rights to.

This is most likely to be inadvertent. Developers working on new applications, The Industry Response for example, may draw upon existing data sets to fuel their testing routines, ignorant of the fact that this is in breach of the firm’s licensing agreement. But there have been, and most likely still are, instances of deliberate unauthorized use of restricted data. Should either be discovered through an audit, the vendor in question will most likely seek to recover the costs of
unauthorized usage.

Added to the financial cost is the prospect of reputational damage imposed by a negative audit result. Once one vendor has secured compensation for unauthorized data usage, others may seek the same, raising the prospect of multiple audits. These could not only result in similar settlements but can be costly to administer, since administration and management of audit processes eat up internal resource.

The damage to the firm’s reputation can also make it difficult to attract new talent, interact with counterparties in transactions involving third-party data or analytics based on third-party data, and will likely negatively impact commercial discussions with vendors, placing the firm at a disadvantage when it comes to subscribing to new data sets.

Even where there is no audit, the cost of mitigating against the possibility of audit can be high. Firms need to conduct their own internal monitoring and assessment of data usage. This can be a highly manual process and can prove costly, especially for firms with large and complex data infrastructures.

But there are benefits to getting compliance right. Contractual Rights Management, used in concert with the correct tools and systems, allows firms to get control over their data usage. By understanding how data services are used, firms can ensure their value is optimized and any duplicate or excess services are switched off. As well as ensuring more effective management of the data services they consume, Rights Management ensures firms are compliant with their
suppliers’ usage policies, resulting in few commercial surprises in the form of unexpected additional charges for unauthorized or unknown usage. Rights Management can also help standardize access to data services and simplify delivery structures internally. It can also shorten time to market for new products, since the evaluation of the data use case and the resulting compliance review is more efficient.

For many practitioners, the threat of audit combined with the benefits of getting their data licensing houses in order, create a compelling case for embracing Rights Management. But many remain in the dark: If you’re not worried about any of the above, and you don’t have a solution in place, then you don’t know what you don’t know!

The Industry Response

For practitioners and data suppliers alike, rights management presents an opportunity to clean up the data subscription and delivery process, with the promise of operational efficiencies and a real impact to the bottom line.

Presented with this carrot, as well as, for consumers, the stick of censure for non-compliance with licensing agreements, the industry’s most visible response to date has been to get behind the ODRL initiative.

Open Digital Rights Language (ODRL), an XML variant developed and managed under the auspices of the World Wide Web Consortium (W3C) standards organization, has been designed as an industry-agnostic language for the assignment of usage rights to content. It was initially created for use in the media industry but is now being promoted as a Rights Management solution for the financial information marketplace. Key supporters in this space include Goldman Sachs, CME Group and Refinitiv, which is now building the standard into its own product development, access control and rights management activities.

ODRL will define how usage rights are assigned, using the same WC3-standardized languages describing the so-called ‘semantic web’, including RDF and OWL. It holds the promise of an industrywide framework for assigning and managing usage rights in a cloud-based environment, which could ultimately streamline the relationship between content owners, redistributors and content consumers in financial markets.

Ultimately, financial institutions hope to be able to use ODRL-compliant tools to preclude internally developed applications, for example, from non-compliant usage, so there is no way to programmatically use data in a non-compliant way. This is appealing to suppliers as consuming firms typically pay upfront, and with this use-case vendors would not need to audit and claw back revenues later.

But ODRL is a work in progress. It’s essentially a base language upon which firms can build their own solutions, incorporating their own interpretations of licensing agreements, which will require additional tools both for handling ODRL and the metadata it needs to reference. So far, it doesn’t deal with index and reference data sets.

Even with industry support behind it, some have estimated that ODRL may take up to five years to evolve into a fully formed solution that is adopted by the marketplace and made available on commercially viable terms. With the pressures described above, practitioners across the board are keen to move quickly to mitigate the risk and cost of an audit, and to gain more control over how their organizations consume financial information services.

Finally, while one of the main protagonists, Refinitiv, has committed to adding market data specific language to ODRL and incorporating the result into its data and data delivery product roadmap, it isn’t yet clear whether the company plans to make its internal ODRL specifications widely available to marketplace via open-source or other distribution model. This raises the prospect of other financial data suppliers’ deciding to create their own specifications, leaving the marketplace with a proliferation of similar ODRL-based specifications but with different definitions.

So, if ODRL is not the silver bullet, what can firms do?

Best Practices for Digital Rights Management

Firms need to set in place five key elements if they are to establish a robust approach to Rights Management that can help them avoid the potential distraction, cost and reputational risk posed by an audit, and enjoy the be.

Capture

Rights Management starts with understanding the terms of the data license contract. This entails extracting the core usage rights from the broader contract terms and analysing so that stakeholders know what data they are entitled to have access to and what is off-limits to them.

Storage

To enable a Rights Management process, firms need to store the highlighted elements of the contract in a database in a structured way that allows access to those who need the details of the usage rights under the terms of the licensing agreement.

Interpretation

Different data providers and redistributors use different terms to describe how their services may be consumed. Once the key contract clauses have been identified, it’s important that they are reviewed and interpreted by people with expert knowledge of the concepts of the contract and the stance of the providers involved.

Socialization

Having established what the contract means in terms of usage rights, this knowledge needs to be shared with relevant teams. These could include market data, but also developers, end-users and others who touch the data. This may extend to product management where services for clients include data elements.

Compliance/Lineage

The final piece to the puzzle is ensuring the firm is compliant. Data lineage is key to ensuring that business owners and stakeholders are comfortable that their activities comply with their contractual agreements with data suppliers. A key aspect to this is tracking data flows so that managers understand where data is being used and by what systems and applications. In this way, any unauthorized usage can be quickly flagged and dealt with.

With these elements in place, firms can take a major step toward robust contractual rights management that can improve their understanding of how the business side uses data, keep them compliant with vendor licensing agreements, and generate evidence of compliance, thereby alleviating the need for expensive and distracting audits.

Introducing TRG Screen Contractual Rights Management Solutions

TRG Screen offers a portfolio of capabilities that addresses the needs of financial institutions throughout the CRM workflow. Using these services, clients today are able to extract and capture their usage rights, interpret them, socialize them within their organizations, and stay in compliance with them.

Capture

TRG Axon’s PEAR product provides management of exchange agreements as a core offering, with many contracts downloadable from the portal. PEAR offers capture and storage in a standardized and structured format, allowing clients to extract key contract clauses covering usage rights. TRG is currently conducting a proof of concept of contract-parsing technology that uses advanced rules, artificial intelligence and machine learning to extract relevant contractual terms from PDF and Word documents, and expects to launch the capability next year.

Storage

TRG Axon’s PEAR handles storage of contract details for exchange data, providing a single point of reference for usage rights for all exchange services, with a new module for non-exchange data in development. Meanwhile, a new Rights Management module for TRG's FITS product has been released. This first release – based on feedback from their financial industry clients - includes a new repository to store contractual rights backed by a data dictionary of over 50 types of contractual terms.

Interpretation

TRG's industry experts are available to help clients understand and interpret their contractual obligations and usage rights. They have decades of experience in dealing with vendor licensing agreements and can advise on how to deal with the grey areas of contracts. The importance of correct interpretation cannot be overstated: the socialization and data lineage tracking will not be effective if working to an incorrect assumption. TRG Axon PEAR is a repository of exchange policy information and is ideally positioned for the interpretation aspect of Rights Management. It can be used in combination with other TRG Screen components to ensure a standardized approach across the organization.

Socialization

TRG Axon’s PEAR keeps track of exchange agreements and notifies application owners when terms change. TRG Axon’s Application Compliance Tool (ACT) manages details of internal applications, surveys the application owners, and links applications to the exchange services they’re consuming. The new FITS Rights Management also includes a portal providing users and developers with a catalogue of data with usage rights attached. This will allow business users and developers to view the contractual usage terms for the services they subscribe to, or develop with. Additional planned releases next year will add visibility of contractual rights during ordering and surveys/certification, potentially integrating with TRG ResearchMonitor, so that users are prompted with their usage rights and data sharing restrictions when they log into webbased market data and research services.

Compliance/Lineage

TRG Axon’s ACT is a database for defining internal applications, based on surveys of application owners, with API linkage into PEAR. It flags changes to exchanges’ market data usage rules in addition to highlighting licensing requirements and identifying any licensing gaps to ensure covered applications remain compliant. TRG ResearchMonitor tracks subscriptions to non-exchange services.

TRG Screen also offers XPansion FTS’s XMon, which provides monitoring of realtime and static data feeds, providing analysis of data flow and lineage, and flagging issues in real time. XMon is a comprehensive solution for monitoring the ingress of data feeds, such as Bloomberg Data License and Refinitiv DataScope, in to an organization and the flow, and lineage, of data as it’s shared between internal systems.

Using this portfolio of solutions, firms are able to introduce accountability into their contract compliance processes. The approach ensures that data rights are clearly translated, displayed and accepted by the application owners.

What’s clear is that firms need to proactively manage their vendor relationships and gain control over access to the data services they subscribe to. It’s no longer enough to be reactive and wait for a vendor or exchange audit; data managers need to be certain they have done enough to mitigate against the risk of non-compliance and a potentially expensive audit.

TRG Screen’s suite of Rights Management capabilities makes the company well positioned to address firms’ usage rights challenges, with products that address each stage of the Rights Management process and implementation path.

Ready to establish a robust approach to Rights Management? We think you are!

Talk to an expert       Request my free demo