The intensifying regulation of cloud services has become a major threat to financial institutions’ growth and innovation. An overwhelming number of regional and jurisdictional mandates aimed at ensuring cloud security, data protection and privacy are consuming company resources. Compliance with these evolving and often conflicting regulatory demands has proven complicated and costly.
These cloud compliance concerns have led many firms to hire large staffs to do little other than monitor the internet for new regulations, then assess the impact and implement changes to internal controls and security frameworks. These processes are extremely labor-intensive, largely because they are handled manually. Understandably, firms have grown desperate for a better way — as have cloud service providers (CSPs), who now find themselves just as encumbered by new regulatory demands.
Developing an Industry Standard for Compliance
Every time a regulation changes or a new regulation is introduced, both CSPs and the firms that use their services have to figure out the corporate implications. Both need to ensure that they are compliant and that regulators’ security, privacy and resiliency requirements are being met, especially when noncompliance can result in hefty fines.
Today, it’s not surprising that financial services firms, CSPs and regulators share a common objective when it comes to the cloud. All want simpler, more streamlined governance, and all recognize that the answer lies in standardizing the current surplus of regulatory requirements and controls and then automating compliance.
To that end, IBM launched a groundbreaking initiative in May 2017 to build an industry-standard cloud control framework for financial services. The idea was to put together a working group of financial services stakeholders to establish standard cloud controls and requirements for each jurisdiction and use case. As of this writing, 30 financial institutions have agreed to participate in the project.
This strong show of force is indicative of the industry’s frustration with regulatory compliance and the urgent need for a solution. In fact, all but two of these firms have identified regulatory compliance as their No. 1 obstacle to cloud adoption. All want to take greater advantage of public cloud solutions but worry that any economic gains will be negated by the high cost of compliance.
Automating Cloud Compliance
IBM’s new white paper, “Turning the Regulatory Challenges of Cloud Into Competitive Advantage,” explains the opportunity in front of financial services to solve the regulatory compliance dilemma. It makes the case for an industry-standard framework and control library as the essential foundation for simplifying and automating compliance. It also predicts that advances in cognitive computing, artificial intelligence and analytics will provide the technology to enable this framework. Using these technologies, it is already possible to update industry-standard frameworks and controls automatically and to notify firms when regulatory changes occur.
Cognitive technologies have the potential to manage financial firms’ cloud compliance dynamically, updating internal frameworks, policies and controls in near-real time in response to changes from regulators. Firms will be able to access the industry-standard framework and control library as a utility service as needed to dynamically adapt to and consume updates without compromising their own proprietary frameworks and control libraries.
These capabilities, which have collectively come to be known as cognitive regulatory compliance, enable financial services to continuously align with regulators and the controls they are enforcing. They allow firms to stay on top of regulatory changes through rigorous monitoring and automatic notifications. Cognitive regulatory compliance does away with the manual processes and procedures that impede cloud adoption. It also allows financial services firms to monitor the cloud ecosystem end to end, which is vital for widespread adoption.
Financial institutions have an opportunity to lessen the compliance burden of cloud by working more closely with regulators and CSPs. Those that do will be in the best position to affect how regulators understand and legislate cloud services.