In Support of Regulatory Guardrails for Better Outcomes

With the rise of FinTech, acceleration in digital transformation and adoption of AI, the financial services industry is more dynamic than ever and undergoing rapid changes that will have significant impact for years to come. Over the last few years, I have had the privilege of being involved in some of the most inspiring and engaging work of my career.??

One of the aspects I am most encouraged by is how the entire financial services industry, from large, global institutions to regional and community banks, are coming together to learn from each other and share best practices and ideas. With the growing adoption of cloud technology and the need to modernize core business workloads, banks are faced with major challenges like concentration risk and cybersecurity that urgently need to be addressed.??

But banks and cloud service providers will not be able to solve these issues alone. We need a concerted, ecosystem effort across the entire financial services sector. In the absence of holistic, systems-thinking that balances the ambitions of individual firms with collective, societal responsibility, the promise of cloud technology risks getting lost in a quagmire of regulatory uncertainty and technical fragmentation. This is why I am such a strong advocate of initiatives that move the dial on these topics and bring us together as a community to drive better outcomes.?

The legal and regulatory landscape for cloud has been made up of a matrix of rules as wide as the scope of the technology itself, varying across geographies and increasingly complex to navigate without necessarily addressing the industry’s most critical issues. Until recently, cloud computing was typically not addressed by specific cloud policy or regulation and, by default, fell under the scope of more general IT risk management provisions.?

While cloud security has advanced significantly over the last few years, it continues to be a major concern.??And rightfully so. According to the 2022 Cost of a Data Breach Report,?45% of breaches occurred in the cloud, while 43% of organizations state they are either in the early stages or have not started applying security practices across their cloud environments.

A hybrid cloud approach can provide a smooth path to modernizing and upgrading existing implementations, ultimately allowing financial institutions to decide what environment – on prem or in the cloud, best fits specific workloads.?When done appropriately, the benefits of application modernization can lead to increased agility, on-demand scalability, and cost savings over time.?

As the regulatory scales tip from a focus on IT risk management to broader consideration of operational and digital resilience as part of systemic stability and service dependability, we're seeing a lot of rapidly emerging and changing regulation where cloud technology is front and center. For example, in June the HM Treasury published?a policy statement?about the risks for the financial services firms who rely on third parties?for technology services, including cloud.?

In this regard, the Bank of England and the Financial Conduct Authority are welcoming responses to their?Discussion Paper?that addresses how to manage the risks to supervisory authorities’ objectives including UK financial stability, from the use of third-parties by financial services and market infrastructure firms.?This important piece of legislation will ensure UK supervisors have transparency into the operations of cloud service providers, coupled with oversight and enforcement capabilities, to mitigate risks stemming from concentration in the provision of some critical third-party services.????

For global organizations active in financial services,?evolving legislation like the emerging UK framework, is a timely reminder that?forward-looking and outcome-oriented policies can help?drive the industry forward by establishing guardrails that enable cloud-native innovation and safeguard financial stability. Done intelligently, one desirable outcome does not have to come at the cost of the other.??

With increased regulations concerns, there are actions business and IT leadership should prioritize:

Partnerships:?Growing partnership across public and private sectors and convergence on common standards are the silver linings of the focus on cybersecurity.

Common Baselines:?To reduce systemic risks across the financial service industry, establish common baselines and improve capabilities for smaller players.

Reporting:?There is reason to be optimistic about the amount of global collaboration around reporting, especially at the board-level, and greater intelligence sharing from governments.

Mutualize Best-Practices:??Improving resource utilization will drive better outcomes through reduced variability in execution across the industry.

While every jurisdiction is free to pursue its own regulatory agenda, where possible we must always favor solutions that tend toward harmonization, so the industry does not have to carry the burden of global policy fragmentation.?

As customer expectations evolve and competition intensifies, financial institutions will continue to migrate applications to the cloud. It is the shared responsibility of the entire financial ecosystem – including technology providers and supervisory authorities - to ensure the right rules and regulations are in place.?