The cloud is beckoning, and security is job number one. Regulatory reporting has shifted from accounting values to full-fledged risk management, encompassing credit, liquidity and market risk as financial institutions (FIs) increase in size, have larger geographic footprints and continue to offer complex products.
FIs must make substantial investments in technology to manage the ever-changing and expanding requirements of regulators and the corresponding increases in data volumes, calculation complexities and reporting frequencies. Because of this, FIs are finding that cloud computing, now mature, is increasingly the most viable option. The cloud is a key driver of enterprise-class business success, enabling agility and cost optimisation.
Finextra spoke with Eric Rothrock, senior vice president, cloud product management at AxiomSL about addressing the speed of regulatory change, increasing data volumes, and key tactics FIs are using to maintain data security and integrity. AxiomSL is an Advanced Technology Partner in the AWS Partner Network (APN).
“Financial players consider the cloud a key driver to address today’s regulatory and risk reporting challenges and reduce the total cost of ownership (TCO) of regulatory solutions. FIs are eager to take advantage of its benefits. Regulators, too, are beginning to appreciate the reality of cloud,” Rothrock highlights.
However, the shift to the cloud must be executed prudently. “Regulatory requirements must not only be fulfilled timely and accurately, but FIs’ sensitive material non-public information (MNPI) also must have the highest protections,” Rothrock explains, adding: “The cloud is attractive in the regulatory reporting space, and FIs must determine the best, most secure way to obtain its scale, cost and agility benefits.”
AxiomSL believes that the most secure way to obtain these benefits is with risk data management and regulatory reporting securely deployed on the cloud. Once relieved of the burden of owning and operating complex hardware and software infrastructures, FIs can become agile and innovative. Rothrock captures the practical steps FIs need to take in his article, Unclouding the Risks of Cloud Implementations for Regulatory and Risk Reporting.
“Cloud-based access to regulatory and risk data enables FIs to extend collaboration on regulatory initiatives enterprise-wide by eliminating location and time-zone barriers to productivity. A secure cloud implementation provides a scalable, flexible architecture that optimises resource utilisation and TCO across the regulatory compliance process,” Rothrock says.
Critical security elements
Rothrock emphasises that it is crucial to consider the processes that are in place to ensure that an FI’s data is never co-mingled with that of another organisation in the cloud. AWS employs the same security isolations as would be found in a traditional data center, including physical data center security, separation of the network, isolation of the server hardware, and isolation of storage. AxiomSL secures this type of MNPI with seven more elements.
- Environment segregation: Each FI’s deployment is segregated, running under its own Virtual Private Cloud (VPC) within client-dedicated AWS accounts, with no network routes permitted between client environments.
- Hands-free: Production environments run hands-free through automation of all common administrative and support tasks. (AxiomSL has no access to client data.)
- Break-glass control processes: These govern any access that may become necessary in special or emergency situations that require approval from multiple senior managers. Access is strictly controlled and closely monitored. While senior management may grant temporary access to operational users in emergencies, all access is logged and auditable.
- DevOps framework: A DevOps framework is leveraged with sophisticated tools that manage the environment as infrastructure as code (IaC), which keeps all client environments the same. This approach maximises service quality, removes complexities and eliminates potential security concerns that come when customisations are introduced.
- Monitoring and alerts: Monitoring that creates appropriate alerts and audit trails is used to manage the operation, ensuring adherence to the standard architecture and processes.
- Security alerts: Alerts are triggered on changes to security configuration data such as a change to a security group or a user-access assignment. Thus, any accidental or malicious security changes are immediately identified and acted upon.
- SOC 2 Type 2 and ISO 27001 audits: The cloud implementation undergoes annual SOC 2 Type 2 and ISO 27001 audits to ensure that its commitments align with actual actions, thus providing FIs with confidence that the cloud solution is delivering on its security and operations commitments.
Rothrock summarises: “These security architecture elements should be present in a cloud deployment for the FI to be confident that its data is never co-mingled with another institution’s and that its cloud deployment is highly secure.”
Data integrity driven by BCBS 239
While security processes need to be put in place, Rothrock asserts that FIs are also hyper-aware of how to address regulators’ expectations for data integrity expressed in global standards such as BCBS 239 that were born out of the financial crisis and the recognition of inadequacies in FIs’ IT and data architectures.
Today, the cloud and high-performance technology enable financial services players to aggregate risk quickly, accurately and properly. However, to achieve data quality and integrity, Rothrock thinks FIs need to work on a number of processes. He explains that there are three aspects of data integrity:
- A corporate governance structure that deals with data integrity
- A technology infrastructure that enables data integrity
- The right people in the right places at the right time to ensure the execution of data integrity standards.
“FIs adopting a well-architected, secure cloud implementation of a regulatory and risk reporting solution are better positioned to achieve the objectives for data integrity articulated by BCBS 239 principles,” Rothrock states. “In contrast,” he cautions, “attempting to maintain multiple legacy technology capabilities may cause FIs to fall behind on achieving BCBS 239 objectives.”
Rothrock says that in addition to FIs having access to “a high-performance integrated data-driven platform that continuously improves data quality process and drives successful regulatory reporting,” they also need solutions that are efficient for the “myriad regulatory mandates” and must have access to “experienced subject-matter experts who surveil and interpret regulatory change into the solutions.”
Value and innovation
The cloud is a game changer for FIs in the risk management and regulatory space. They must keep pace with the speed of regulatory change and increasing data volume – the cloud can enable FIs to achieve this alignment. However, Rothrock points out, the threat for FIs is that “regulatory change acceleration consumes speed improvements that could be used for more beneficial purposes.” He explains: “They can mitigate this effect and achieve competitive advantage by always seeking to re-use the inputs, calculations and outputs involved in regulatory reporting compliance for value-added purposes.”
The cloud has advanced beyond simple maturity and is playing a strong role in enabling innovation in risk management and regulatory reporting. It is evident that FIs can gain agility and cost optimisation, because as Rothrock explains, cloud-based solutions promise “continual innovation with the assurance of multiple layers of data redundancy and resiliency such that FIs’ proprietary data will never be lost or corrupted.”
Rothrock believes organisations must harness the power of data and smart automation to lower cost, deliver high-quality data and gain sharper insight, stating: “FIs grapple with the explosion of diverse, dispersed data and regulators’ demands for more data, more frequently. Establishing a data integrity and control platform is the foundation for facing the three Vs of data challenges: velocity, volume and veracity.”
“To succeed in a challenging environment, leaders must adroitly leverage enterprise data. They must trust the data’s veracity. To create trustworthy, transparent, auditable datasets fit for use to meet risk, regulatory and analytic objectives, FIs require a high-performance integrated data-driven platform that continuously improves data quality and drives successful regulatory reporting,” he continues.
“This requires continuous innovation. The cloud can play a key role in enabling that innovation, because it provides the flexibility, scalability and security that allows for streamlined development of new technologies on a scale not yet seen. The future is automation, Big Data and AI, all of which are quickly evolving for application in the risk data management and regulatory reporting arena due to the cloud,” Rothrock concludes.
Find out more about these issues and AxiomSL’s approach to fixing them for financial institutions in Unclouding the Risks of Cloud Implementations for Regulatory and Risk Reporting.
Part of the AWS Cloud Series: providing visionary insight and practical guidance for financial institutions moving to the cloud.