Cloud computing has become a mainstream option for hosting applications and processing workloads across the financial services industry. More than ever, technology leaders must be in lockstep with the evolving global regulatory landscape and adopt policies and procedures that minimize the risk of non-compliance.
The bottom line is cloud services are evolving at a growing rate and regulators across the globe are increasing their focus on the risks and benefits that come with these services. To harness the innovation and scale of the public cloud and the business opportunities it unlocks, it’s important for firms to stay current and compliant with their regulatory obligations.
To keep up with this evolution, DTCC’s Dave Chayer, Managing Director of Cloud, IT Product Management, shares four key considerations for financial services firms when leveraging the cloud as part of their platform strategy.
#1: Robust cloud regulatory governance is not a problem for IT to solve on its own.
- Whether regulated firms are leveraging the cloud for Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), well-defined governance processes are important and IT must closely partner with their legal, compliance, and privacy departments.
- Collaboration between technology and control functions is vital. It helps ensure timely input and reviews, and that all the various risk dimensions are considered, from security, brand, privacy and legal, to compliance and third-party risk.
- Technology leaders must embrace their organization’s control functions as partners, not barriers, when advancing their strategic technical vision. A “go at it alone” approach may seem like the quickest path to success, but can easily lead to audit findings from internal and regulatory supervisors.
#2: Resiliency must be frequently tested and assessed.
- Resiliency is more than just disaster recovery, and must be assessed across a range of failure scenarios — including the need to exit a particular cloud service provider (CSP). Strong resilience practices must be demonstrated through a firm’s risk assessment processes and as an ongoing capability even after solutions are deployed in the cloud.
- More common events, such as regional service failures, should be mitigated through proper cloud infrastructure design and architecture, supported by automated and orchestrated recovery methods.
#3: Third Party Risk Management is critical to meeting regulatory obligations.
- Most regulators view the cloud as another form of outsourcing. When regulated firms partner with CSPs, they are still responsible for ensuring strong governance of the CSP and compliance with all applicable laws and regulations for the jurisdictions they operate in.
- A pre-implementation risk assessment is an important part of cloud governance. Beyond assessments of financial and security risks, it should also include evaluations of data sovereignty, brand, resiliency, and concentration risks. All risk assessments should be clearly and centrally documented with quality artifacts.
#4: Establish early partnerships with regulatory supervisors and quickly respond to evolving guidance.
- Because cloud is still relatively new and evolving, long-standing rules and guidance don’t always neatly apply to it. Regulators are providing increasingly prescriptive guidance, so it’s important for firms to maintain open lines of communication and ensure their governance processes meet regulatory expectations.
- For example, the Monetary Authority of Singapore (MAS) has been clear that it has no objection to financial institutions using the cloud, but that the use of CSPs does not change a firm’s obligation to comply with the laws and regulations of Singapore. MAS expects boards of directors and senior management to ensure that prudent risk management frameworks and outsourcing policies and procedures are in place and followed.
- In the European Union (EU), the European Securities and Markets Authority (ESMA) is advancing the draft regulation known as the Digital Operational Resilience Act (DORA), with a specific focus on the oversight of critical third parties in the information and communications technology (ICT) space — CSPs are an example. Early partnerships between firms and CSPs will help ensure the required agreements are in place before the regulatory compliance date.