Managing compliance in an age of innovation

The financial industry has, and is, experiencing a huge technology overhaul. Banks have committed millions in projects to digitise their operations, and in the current climate of lockdown where profits have more heavily relied on digital channels, these projects have been pushed even higher up on the agenda.

But as financial institutions innovate with new technologies, they cannot ignore the compliance requirements and risks which come with them.

Ruby Hinchliffe, reporter at FinTech Futures, sat down with Dell Technologies’ chief technology officer (CTO), Arash Ghazanfari, and World Wide Technology’s (WWT) CTO for EMEA, Dave Locke. The two companies have been working together for more than 25 years, helping banks execute their digital transformations by integrating IT infrastructure, digital workforce and security solutions.

FIs face a choice – do they become the liquidity provider behind technology companies, or do they become the technology platform themselves?

We explored what sorts of challenges FIs come up against in their innovation journeys, how they can overcome them, and what sorts of risks they will have to consider as they implement these new technologies.

Challenges

Locke sets the scene for these challenges, citing the “large legacy estates” in dire need of modernisation, the resource management which comes with developing competitive new products, and the complex regulatory and compliance roads which FIs must stick to.

One of the biggest challenges is what Ghazanfari calls “technical debt”. He explains that many incumbent firms have acquired this over time because “they tend to sweat their assets by creating built-to-last environments rather than creating architectures that are built-for-change”.

Many of these institutions have invested in cloud technologies. But as Ghazanfari points out, they have done so “without fully appreciating where the providers’ regulatory and security responsibilities end and where theirs begin”. There is no standardised framework in place for cloud providers to follow when it comes to legal liabilities, which leads to big risk considerations for FIs.

Knowing which technology to commit time and money to can be a hard decision

As financial institutions navigate their transformation projects, they face a choice – do they become the liquidity provider behind technology companies, or do they become the technology platform themselves? “There is no right answer,” says Ghazanfari. “[But] we are increasingly seeing organisations shifting towards becoming technology companies in order to build a strong digital future.”

As well as raising questions of ownership, implementing new technologies also raises questions around resources. Locke says that because financial services firms are looking to solve these challenges internally, they will come up against resource barriers – particularly time constraints. Banks have long struggled to crack the code which, if solved, would see them able to run current operations, whilst simultaneously changing their agendas for the future.

But knowing which technology to commit to can be a hard decision too, as its scalability will inevitably impact budgets, workloads and capacity. “Some workloads operationally and economically scale very well in cloud environments, while other workloads might be easy to start in the cloud, but scaling in the cloud might not be economically viable beyond a certain point,” says Ghazanfari, highlighting the steep increases in price as banks continue to scale their architectures. “Our customers are starting to realise that no matter what cloud platform you buy into, you should always have an exit strategy.”

For chief information officers (CIOs), security is just as important as scalability. But firms often struggle to align these new technologies with what are often already very overcrowded security systems. “The cybersecurity market is intensely fragmented,” Ghazanfari explains, which equals to “a multitude of disjointed security controls”. This “create[s] a noisy environment” where building intelligence on attacks is “impossible”.

Solutions

For solutions to work in big institutions, a balance has to be met

Many banks have partnered with or acquired fintech firms to help modernise their operations. Whilst fintechs secure the stability of large banks, those same banks can capitalise on newfound agility to drive their legacy system modernisations forward. This makes fintechs more than just drivers for product innovation, Locke points out.

“Differences in corporate culture can sometimes be a problem, with fintechs wanting to move fast and banks exerting a more cautious approach,” says Locke, before adding that finding the right balance of pace can lead to “great benefits”.

But whilst fintechs can be a force for good, they can also seriously hamper digital ecosystems in the traditional finance sector. This is why Ghazanfari says firms “must protect themselves against disruptive forces […] particularly in our current multi-cloud reality”.

To do this, he says firms need to adopt “software-defined declarative and policy-driven architectures built on open standards”, so enterprises can “declare” what good looks like. “Technology should essentially work for the business,” says Ghazanfari.

But for these solutions to work in big institutions, a balance has to be met. Asked how firms can walk the tightrope between compliance and innovation, Locke says the firms getting it right are the ones “using a combination of internal resources and external support”. By deploying both, these firms can operate environments which allow testing and certification to happen “in a much more agile fashion”, says Locke.

WWT can help facilitate this approach in two ways. Firstly, by getting things right in the current estate. It can certify and test version control as organisations look to update their environments by providing a lab environment which takes the burden off of the organisation internally, and provide access to the technology and people to run that certification process.

And secondly, WWT can create consistent architectures with pre-defined components which can be built and deployed in an easy-button mode. When an organisation wants to implement new technology, it is already approved and certified meaning it’s ready to be rolled out and deployed into the data centre. It is this external help, that compliments and supports internal resources, which allows financial institutions to focus on innovation whilst the business as usual activity is handed over to the partner community.

Security

With the pressure on incumbent firms to come up with new, more competitive products, firms have to make sure these will work in their current estate. Locke says firms need to understand the “risk domains” of new technologies before moving towards them, rather than assessing them retroactively.

“Cyber recovery is not the same as back-up or disaster recovery,” says Ghazanfari

Firms can do this by using replica labs to emulate the environment and test upgrades and fixes, whilst also using these lab facilities to validate, compare and certify the new technologies. Locke swears by five key areas when it comes to security: visibility, patching, tools rationalisation, resources, and segmentation.

To be reactive to the risk they assess, firms also need to build architectures which are malleable. Ghazanfari says firms need to be flexible and reactive in their operational resiliency, coming back to his point on creating systems which are built for change and not built to last.

“Intrinsic security and an overall context-centric secure by default application delivery model must be central to every CIO’s priority in the coming decade to build on operational agility,” he says, adding that financial institutions must have a clear and real-time view of their critical assets.

And whilst firms must monitor and prevent attacks, they also need to be prepared for the aftermath. “Cyber recovery is not the same as back-up or disaster recovery,” says Ghazanfari. This is because the operational aspects of cyber recovery require additional considerations.

“In a post-breach situation, before any cyber recovery is invoked, the organisation must first establish what assets can be trusted and exactly what systems have been affected,” the CTO adds. “Unlike disaster recovery measures, the business has to acknowledge that not everything can be protected. This is essential to maintaining a sustainable resilience strategy.”

Conclusions

So, there is a lot for financial services to consider. The technical debt institutions are saddled with has to go, but to tackle it firms’ IT transformations have to take into consideration the scalability, liability and resource management which comes with new technologies. In an age of fintech disruption, embracing modern applications has become more urgent, but innovation must happen at a pace which allows for cyber resiliency to be done properly, avoiding the current fragmented landscape many firms face.

Dell Technologies and WWT recently held a free webinar, Balancing the IT Compliance and Innovation Agendas in Financial Services, which is now available on demand. Click here to listen to the webinar.