How to build the regulator’s confidence in the cloud
When moving to the cloud, meeting all risk, legal and compliance requirements is non-negotiable. The key question regulators are asking financial services providers is whether they have identified the operational risks associated with migrating to cloud computing and if banks understand the process of managing these obstacles.
Part of the answer lies in the cloud itself. Cloud solutions can help identify risk gaps in advance and develop corrective actions that respond to the regulator’s expectations. As the world becomes more digitalised, firms have easier access to data, but this, in turn, creates more data each day.
Finextra spoke with Preetha Bedi, financial services, technology advisory, cloud risk & regulatory compliance lead, at Accenture about how to cope with the rapid increase of data and storage of such data and with Nikhil Varma, senior manager in finance & risk practice, on the emergence of Regtech and implications on the cloud. Accenture is a Premier Consulting Partner in the AWS Partner Technology Network and has achieved AWS Financial Services Competency for its expertise in helping financial institutions accelerate their journeys to the cloud.
These two experts explained many of the critical steps to be taken by risk professionals that are captured in the Accenture document: Transforming Risk Systems with Accenture and Amazon Web Services.
Organisations are leveraging cloud-based technologies to provide innovative, agile, cheaper and scalable solutions and in doing so, must meet the stringent security controls required by regulators. Bedi explores how controls need to help build the confidence of the regulator around four critical aspects of cloud operations: outsourcing, operational risk mitigation, internal governance and the risk operating model.
- Outsourcing: Strong contractual obligations need to address data regulations, right to audit, exit strategy, concentration risk, service provider KPIs and need to conduct Material Outsourcing Assessments
- Operational risk mitigation: Need to address systemic risk across areas like business continuity, disaster recovery, security, data, infrastructure, service delivery and an ability to demonstrate that the financial institutions are aware of their risk exposure and are on the way to mitigate these risks and reduce exposures
- Internal governance: Prior to implementation of the solution, there is a requirement to ensure that internal governance forums, risk committees, local operational committees and local executive committees within the organisation must approve the solution and assessments prior to obtaining regulatory approval.
- Risk operating model: There must be an ongoing risk function to ensure ongoing compliance with the regulations and contractually.
Assessing operational risk
For cloud operations, Accenture advises focusing on operational risk and the underlying risks to assess and identify gaps and design controls, incorporating global and local jurisdictional restrictions such as banking secrecy, data residency and information barriers to plan the overall journey timeline and provide a set of recommendations following the assessment results. Accenture also uses a three-step process so that banks and financial services providers can assess their operational risk exposure. Namely:
- Step 1: Conduct an operational assessment across the firm for navigating to the cloud
- Step 2: Review lower-level controls, conduct analysis to identify gaps, and document solutions, including mitigating solutions and prioritising quick wins
- Step 3: Create a roadmap for the overall journey with a focus on aligning with regulatory approval timelines and risk mitigation
This framework is designed to help banks reach important objectives such as balancing regulatory compliance with business growth and reducing costs, and as Bedi points out, the excess of data plays an important part in this area. “Business growth is directly related to the management of costs and in today’s world, as it becomes more digitalised, data is at the centre of everything. The increasing volume of security threats to critical business applications such as cyber-attacks, data breaches, compromised and/or broken authentication and hacking, that are threatening organisations’ ability to comply with new regulations,” Bedi says.
To ensure risk exposure is retained at a reduced level and the ability to service customers and business impact are also reduced, Bedi believes that resilience is significant. Financial institutions should always be considering a third, or fourth, a party solution that is resilient, because some geographical regions may need a more stringent application of controls.
Bedi adds that banks need to prioritise growth goes on a parallel basis to their regulatory expectations. The question is, can cloud computing solutions help financial institutions rise to the challenge? Bedi believes that the answer is yes. She says cloud computing is “the on-demand delivery of IT resources and applications using innovative commercial constructs that allows financial institutions to scale with demand.”
In addition, in order to solve security pressures and meet regulatory requirements, Bedi believes standards can be built into the cloud solution, taking into consideration that the two most common areas for security failure on the cloud are exposure of API/Access Keys and data exposures. If banks take the ‘Secure by Design’ approach, these reasons for security failure are considered early in the design phase, with encryption, secrets management, identity vaults and network design in place. Bedi comments: “Clients should leverage the multitude of security and configuration monitoring solutions available. It is important that a clear data classification policy exists and how to handle the data. This will ensure that the right approach to data security is always taken.”
Returning to her point on geography, Bedi advises taking the chosen cloud service provider into consideration, as each country or region deals with data storage in varying legal approaches, so all organisations need to be vigilant as technology advances. “As digitisation continues, the regulatory world will continue to publish more and more regulatory documents and legislative initiatives aimed at controlling the use of data. However, such catalogues of regulatory data will need to be integrated into one platform that allows for internal control, management of risk/control frameworks,” Bedi says.
The emergence of RegTech
This convergence of regulation and technology, more commonly known as RegTech today, has mainly targeted process automation and has been used to improve inefficiencies within regulatory reporting, easing the burden of compliance. Varma asserts, RegTech “represents a broader promise to encourage a ‘systems evolution’ or redesigning of the regulatory architecture which may include anything from payment systems to shared reporting utilities. Furthermore, augmenting the role of regulators with a technology-friendly approach to regulation might help to reduce complexity, improve oversight, and allow for regulators to better monitor systemic and local risk in an increasingly data-driven world.”
RegTech can improve, speed, integration and agility with cloud-based solutions. Financial institutions can source and normalize regulatory data from multiple systems into data lakes on the cloud and harness cloud benefits such as near-infinite compute and next-generation services for analytics, surveillance and reporting. Furthermore, while digital transformation is crucial for traditional solutions to become viable competitors against those that are more digital-centric, and automation reduces cost and the risk of human error, centralised data allows for big data solutions that drive analytics and machine learning forward, as both have a dependency on the data that is available. However, while this shift to digital persists, challenges remain with legacy systems, regulators and applicable regulations, support from management and scalability.
Varma points out, to combat these challenges, banks should be aware of the data they possess and understand the organisational regulatory technology that already exists in their systems. In addition to this, they must, “leverage existing technology investment and not discount the capabilities of powerful cloud solutions which have been proven to overcome operational challenges.”
In a final call to action, Bedi recommends: “Bank executives need to understand their upcoming regulatory data and reporting requirements in line with the next set of regulations impacting the business (keeping the overall organisation’s technology strategy in mind).” Using cloud solutions to meet regulatory obligations helps keep overall costs low.
It is also important to communicate with the RegTech ecosystem to find out about new solutions, but at the same time, embrace technology and use knowledge to plan a roadmap for the products. In the short term, RegTech will help firms to automate the more mundane compliance tasks and reduce operational risks associated with meeting compliance and reporting obligations, and cloud will play an important role.
Learn more about this topic by downloading Accenture’s paper Transforming Risk Systems with Accenture and Amazon Web Services.
All credits for this article to the source below: