By Noah Kessler
After having evaluated the benefits, large financial institutions are embracing the cloud, resulting in its exponential growth in the industry. While the cloud delivers a raft of benefits, the pace of cloud adoption also has raised questions regarding the efficacy of risk management and compliance practices within CSPs. However, CSPs are well-positioned and highly experienced in practicing effective risk management. Mature and robust risk management practices and processes are embedded in every vertical and product line in leading CSPs.
Regulators, who regard CSPs as emerging technology organizations (in the same category as fintech and regtech companies), have been publishing guidance on the use of these various technology organizations and providers for nearly a decade. Until recently, however, the guidance has not been very detailed.
Ultimately, the burden of providing regulators with greater comfort regarding the use of CSPs rests with the regulated financial services industry. The challenge is to prove to the regulators that CSPs and the financial services firms that use them understand and have effective risk management.
As cloud adoption in the financial services industry has increased, regulators are becoming more knowledgeable about how firms are relying on CSPs without sacrificing the rigor required in risk management and compliance practices.
Financial regulators generally focus on risk issues related to the safety and soundness of an institution as well as protection for its customers. In their attention to those priorities, regulators increasingly recognize how CSPs are supporting the security controls of financial services organizations by enabling a complete, real-time inventory of assets and how they are protected.
Cloud technology directly addresses the security concerns of regulators and others while providing significant operating benefits. Moving data and services from a bank's dedicated legacy infrastructure to a multi-tenant cloud environment, if properly configured, can provide additional layers of security for the institution and decrease its systemic risk.
CSPs are world-class experts in security and protection, with highly skilled teams dedicated to ensuring privacy and effective controls. Amid the surge in cyber-attacks in recent years, financial institutions understand the difficulty of achieving internally the scale of what CSPs are investing in security.
Through the greater processing capacity and power that CSPs deliver, financial services firms can release new cutting-edge technologies much faster. They can also save money by moving from a fixed-cost to a variable-cost basis.
Because they serve multiple customers, CSPs' scale provides cost savings. CSPs use that scale to keep their systems on the cutting edge of technology, providing the latest in infrastructure and security. Financial services institutions, on the other hand, often are trapped in legacy architecture that can necessitate an inefficient use of computing power and data storage. Smaller banks, in particular, may lack the capacity to hire the highest-caliber technology resources or be able to convert to newer technologies.
Regulators have come to appreciate that the basket of risk for financial services organizations has shifted and, in many cases, diminished with the advent of CSP involvement. In particular, they note the benefits of end-to-end security and remain attentive to coordination of incident responses between CSPs and financial services institutions.
However, regulators have questions about the overall risk management approach and practices among CSPs, which tend to differ from those of financial institutions, with which regulators have a high level of familiarity.
Regulators and examiners need to consider whether the questions they ask of financial services institutions still make sense in the context of cloud-based services and whether they might have to modify some of these as their understanding expands.
A systemic relationship prevails between the banking community and CSPs. Just as with any third-party service provider, regulators recognize that if a CSP suffers a significant adverse event, a trickle-down effect could impact the banks.
CSPs' robust risk management practices are evident when assessing them on operational resilience, risk controls, lines of defense, automation and innovation.
A critical component of risk management in financial services is operational resilience. Regulators have been very clear that operational resilience plans must account for firms' material use of third-party providers.
Roles and responsibilities need to be delineated clearly between financial services institutions and the CSPs they use (typically referred to as a shared responsibility model). A clear contract that details the activities and obligations of each party is necessary. In the eyes of the regulators, any issue that arises ultimately is the responsibility of the financial institution.
CSPs cannot assess the criticality of a service for a financial institution. For example, a CSP wouldn't know if a workload is so significant that it underpins a bank's payment system. The criticality rating must be relayed to the examiners by the financial institution.
Although every CSP with which a financial institution has a relationship is responsible for a piece of operational resilience, banks must apply that shared responsibility model to systems placed in the cloud. Additionally, interdependencies between services present potential risks. If there were an outage for one service, it might have downstream effects on others.
Resilience poses further questions. Regulators may ask how the bank deploys a resilient architecture for its workloads on the CSP's infrastructure. Regulators must understand the measures that the bank has taken to protect its resilience when parts of a CSP's infrastructure are not available.
Above all, using and relying on a CSP that provides resilient and fault-tolerant infrastructure and services does not mean that the financial institution has abdicated responsibility around resilience. Regardless of what CSP an organization is using, it is the responsibility of that organization to manage its own space within the cloud. Systems in the cloud that are not architected properly will not enjoy the benefit of the CSP's resilience advantages and could raise red flags for regulators.
Leading CSPs employ robust risk management and compliance practices comparable to those of financial institutions. They just do so with a different approach and model (bottom-up and top-down, or 360 degrees) compared to financial institutions (top-down). Regulators are far more familiar with the model employed by financial institutions.
Within CSPs, a pervading culture of ownership drives risk management. Although governance reporting flows to senior leadership, as expected by regulators in terms of oversight, service and product teams still retain a high amount of accountability.
In a belt-and-suspenders approach, executive management oversees the commonalities while each service is essentially treated as its own business unit. That independence provides the flexibility to develop processes and operations that best support the needs of each service. Although the chief information security officer puts in place security guardrails, these groups are empowered to do what makes the most sense for their products.
Typical dimensions of risk mitigation differences are illustrated in the following examples:
Architecture. CSPs anticipate failure of hardware and software by building in automated resilience; financial institutions focus on resilience through traditional disaster recovery sites, requiring human intervention.
Service delivery. CSPs conduct service requests via application programming interfaces; financial institutions conduct service requests via human workflow.
Operability. CSPs' programmatic and automated operations require fewer human operators as demand increases; within financial institutions, human-intensive operations grow linearly with demand.
The shared responsibility model outlines certain aspects for which the CSP is responsible and others for which their clients are. For instance, while the CSP may provide an API for a customer's access to storage devices, the CSP won't be responsible for the data the customer puts there. Its controls are intended to provide only virtual segmentation of the customer's data and the physical environment networking around it, as well as to prevent attackers from accessing it through the CSP's network. It remains the role of the customer to protect access to that data through proper controls and encryption.
The three lines of defense model (management/business line, risk and compliance oversight, and internal audit) is an accepted framework in financial services and other industries. This model defines responsibilities for management, risk oversight and independent assurance. CSPs employ the same model:
First line. Product development teams create and manage cloud services. These teams are comparable to a bank's business lines and they focus on areas like security practices, capacity and availability. Each is responsible for owning its risk activities, as well as for understanding how its function interacts with other services.
Second line. Compliance or security assurance groups, comparable to the risk or compliance function in a financial institution, are in place at CSPs. The second line governance reporting oversees the enforcement of the teams' risk management at a detailed level. Second line staff in a CSP, who are typically engineers and security experts, provide continuous validation checks to ensure service teams are meeting a high bar for security and operational resilience. Other formal groups conduct penetration testing, security reviews and onboard services into different client programs.
Third line. A robust internal audit function in CSPs is comparable to the internal audit department in financial firms. Large customer audit teams operate within the CSP. To a greater extent than banks, they release dozens of assurance reports on a regular basis to provide evidence of their control posture. CSPs are also heavily audited by third parties in terms of their standards, controls and processes.
CSPs use advanced automation in their risk management and compliance practices, minimizing manual controls. That helps CSPs to provide services at scale, such as detecting and alleviating security events rapidly, redirecting traffic, or load balancing.
Automated controls generate significant benefits, including improved accuracy, a clear audit trail, centralization and harmonization among organizational silos, such as finance and risk. Thus, CSPs are able to address certain technology concerns more effectively than financial institutions, including always-patched databases, deep and comprehensive logging, one-click threat analysis, and access to multiple geographic regions for resource deployment. Financial institutions benefit from CSPs' automated collection of evidence and mapping.
Automated services continuously collect and organize IT configuration and logs in a streamlined fashion, which can then be delivered to the bank's risk management group.
Another great power of the cloud is automated compliance. Rather than the standard on-premise practice of a manual process that an infrastructure team must configure, CSPs use code to automate compliance controls, guaranteeing consistency and comprehensiveness.
Cloud service providers are among the top innovators in the world. They continuously use leading-edge technologies to drive effective risk management. Century-old financial institutions may be slowed by a legacy organizational structure based around risk and control. CSPs, which don't have legacy debt or business incentives to keep over time, are willing to build more efficiently from scratch and remain more efficient over the long run. The CSP, armed with new ideas, can deliver its products much faster than traditional banks can.
Since the onset of the COVID-19 global pandemic, financial institutions have accelerated their use of cloud capabilities, to support remote work, customer service and higher transaction volume. Meanwhile, regulators have become more cognizant of how CSPs work and more comfortable with their risk management practices.
When it comes to risk management, one of the stark differences between a CSP and a financial institution is that a CSP has the ability to empower its employees to be innovative in terms of managing risk.
The overarching goal of the regulators remains the safety and soundness of their supervised financial institution, along with the protection of the end customer. As regulators grow increasingly familiar with the new efficiencies and culture of the cloud service provider industry, there should be increasing customization in their oversight of CSPs.
Noah Kessler, managing director at Protiviti, can be reached at noah.kessler@protiviti.com.