In early June, Europe’s financial markets watchdog issued draft guidelines for those outsourcing part of their technology infrastructure to cloud service providers. While acknowledging the benefits of cloud computing – “reduced costs and enhanced operational efficiency and flexibility” – the European Securities and Markets Authority cautioned against over-reliance.
According to the report, cloud “raises challenges in terms of data protection and information security. Concentration risk can also arise, as a result of many firms using the same large cloud service providers, with potential negative outcomes for financial stability.” The report did not stop at concentration risk: it also explicitly called out “lock-in risk”.
Banks, insurance firms and other financial services organizations, take note.
Compliance and risk management have never been more complex. Not only are regulators more activist in nature, but the regulations introduced in the last few years are also making new demands of financial services. For example, the 2018 EU General Data Protection Regulation (GDPR) didn’t simply seek greater protection for personally identifiable information; it mandated the transfer and removal of data on request. This in turn required a degree of agility that many organizations found challenging. Similarly, the second Payment Services Directive (PSDII) necessitated data portability at a scale that would pave the way to open banking.
For banks habituated to taking ultimate control over their data – think the non-returnable disk – these changes have been game-changing: not just a case of adapting to new technology solutions and business processes, but of invoking a new organizational culture, too.
There is another reason for added complexity and that’s the increasingly diverse make-up of most organizations’ IT estate. Today, cloud is just one part of a hybrid infrastructure.
None of this is insurmountable. Nor should it deter firms from adopting cloud. It does, however, require a fresh look at the people, processes and technology fuelling access, management, and control of the data you hold. To that end, it is worth looking at compliance and risk management through the following three dimensions: