Sponsored Content


How Financial Services can achieve and manage continuous security and compliance in a public cloud

Banks were hit with $10 billion in fines in the 15 months before the end of 2019, and that total is expected to increase this year, according to Fenergo. That figure isn’t as shocking as it might appear when you consider the volume of rules banks must observe.

The financial services industry is perhaps the most highly regulated in the world. In the U.S., for example, banks must comply with at least 10 major regulations at the federal level alone. Each state also has its own rules. Financial institutions that do business in multiple states or countries may literally be subject to hundreds of regulatory controls. And the rules are constantly changing.

Each regulation translates into multiple actions that financial institutions must take. The result is that a bank, for example, must complete thousands of actions per year, each fully documented, to maintain compliance. Cloud computing has actually complicated the situation by spreading responsibility for meeting regulatory goals across multiple cloud platforms and applications, not all of which the customer can control.

The total cost of non-compliance can be far greater than fines. Financial firms can face legal exposure, reputational damage and expensive remediation costs. And compliance failures are not always obvious or intentional. More often, the reason is that executives don’t know what they don’t know. Gartner has predicted that 99% of cloud security failures in the foreseeable future will be the result of human error.

Keeping up with such a complex environment is beyond the capacity of manual effort; automation is needed. The solution begins with building a framework for managing security and compliance controls based on industry standards and best practices. The framework is the guide for understanding which regulations apply and what steps must be taken to satisfy them. Financial institutions need separate frameworks for security and compliance, wrapped into a single view of their performance against goals.


Cloud platforms based on modern cloud-native technologies such as containers and application programming interfaces (APIs) provide an opportunity to unify compliance and security practices at the policy level. Cloud-native platforms can deliver clean and consistent interfaces that lay the foundation for processes managed by high-level policies rather than by individual tools.

Not all cloud vendors have the full range of needed controls. While their services may adhere to major regulations like PCI, it is often up to the customer to determine and manage how the applications they build on top of the platform or the software-as-a-service providers they use comply with regional regulations or those that are specific to certain sectors, such as insurance or fintech, as well as to their risk mitigation policies.

The IBM Cloud Security and Compliance Center goes further in addressing this challenge. Customers manage security and compliance controls from a unified dashboard directly within the IBM Cloud for Financial Services. With the IBM Security and Compliance Center, customers can view security and compliance postures, enable configuration governance and detect vulnerabilities and threats. And it can do the same for customer workloads that run on clouds from multiple vendors, as well as the customer’s private cloud and on-premises infrastructure.

Customers also benefit from the expertise of Promontory Financial Group, which employs more than 800 regulation and risk management experts across 60 countries who design and implement client strategies for managing regulatory, operational and financial risks. Customers can have confidence that their enterprise frameworks and controls are complete and up-to-date.

A cloud platform provider that is positioned to manage mission-critical and regulated workloads should be able to deliver a single-pane-of-glass view of all relevant regulations and the customer’s progress toward meeting them. The dashboard should monitor not only all the cloud platforms the customer uses but also its on-premises systems. The security framework and compliance frameworks that are provided should encompass all aspects of the client’s IT operations, including identity and access management, databases and security controls at both the digital and physical level.

It is a tall order, but considering the billions of dollars in penalties for non-compliance and the business impact of data loss that are at stake, due diligence pays dividends.
