With the move to cloud for so many other services relating to finance, will cloud compliance become mainstream? Can you move your KYC & AML/CTF processes and data offsite? Pros Cons? Is cloud the future of #regtech and #fintech and will financial services companies finally embrace everything-as-a-service?
1. There is always a trade-off
If you ask a cyber security expert to secure your enterprise environment, they may not allow anyone to login or
access email remotely and would request that you use passwords such
as s23r8@#$23nr2345$%^456324k2345!#3 and request that you change them to something just as confusing every
7 days. This quickly gets in the way of people doing their job. There has to be trade-off. But is this really a risk vs
reward scenario or can there be a happy (and secure) medium?
Link.
+852 8203 2066 | info@hifromlink.com | www.hifromlink.com
Compliance in the cloud?
1
We see something similar with software solutions that are hosted onsite (your IT manages it) vs cloud solutions (the
vendor manages it). The latter is often referred to as SaaS (Software as a Service). Normally to get new software
installed, which in turn provides a service to the business, there are a number of hurdles to get over. Those hurdles
predominantly involve time and money when the outcome you want is really the service the software provides. In the
argument of software onsite vs cloud services, what are you really risking?
Financial services software either makes you money, saves you money or reduces your risk. Some do all 3.
2. Link.
+852 8203 2066 | info@hifromlink.com | www.hifromlink.com
2
Compliance in the cloud?
Your data, at someone else’s house
As the world of technology moves away from high upfront software and hardware costs towards
subscription based services or cloud offerings, the questions heard from the market and businesses looking
to make this move are:
Is all my data secure?
Is my client’s personal and/or company data secure?
These questions are valid and businesses should definitely be asking them. The reality is, SaaS or cloud
providers have the exact same concerns. Their businesses depend on their client’s and the data they hold
for them. They are responsible for their client’s data and need to make every effort to ensure it’s security.
The cornerstone of any SaaS or cloud provider’s business is data security. If they were to be hacked and
have data leaked, this could be potentially very damaging to their business, and for some companies this
would put them out of business entirely.
3. Link.
+852 8203 2066 | info@hifromlink.com | www.hifromlink.com
3
The original (in)famous Salesforce Logo
Compliance in the cloud?
Strap in
The move to the cloud is happening fast and it’s no longer a
matter of if or when. If you look at the largest cloud provider on
the planet, Amazon Web Services (AWS), you’ll see they are
growing at a rapid rate. Many companies are not buying servers
anymore and hosting themselves, they are leveraging the power
and scale of cloud providers. Oracle and Microsoft have
effectively become cloud companies and are actively promoting
this.
Microsoft Office 365 Cloud now hosts all email data for insurance
giant Metlife, with 64,000+ staff on their platform. Monthly active
users of Office 365 commercial now number over 85 million, up
more than 37% year over year. The SaaS CRM behemoth,
Salesforce, now has a market cap of US$58.25B(at time of
writing) and is a 100% cloud company. You cannot install their
software onsite.
Is cybersecurity and its effects on compliance something you discuss at management meetings?
4. Link.
+852 8203 2066 | info@hifromlink.com | www.hifromlink.com
4
Salesforce now boasts such clients as Barclays, American Express, GE, Unilever and more. These companies all trust
their data with a cloud software provider. Not just any data; but sensitive data such as their client lists, prospects, partners
etc. All on Salesforce cloud. Even UBS has moved compliance functions to Microsoft Azure cloud and DTCC are moving
to the cloud “to reduce risk and cost and improve the resiliency and security of DTCC’s systems”.
These vendors, large or small, are all too aware of the kind of scrutiny placed on cloud or SaaS providers. To do business
with big companies, you need to pass through vetting processes and lengthy due diligence questionnaires. Ever seen
these kind of questions below asked of your business?
Compliance in the cloud?
Who in the organization is the owner for the Information Security program?
Does the organization encrypt data at-rest?
Does the organization multi-tenant data or processing on the same system? If so, how is confidential client data kept secure?
5. Link.
+852 8203 2066 | info@hifromlink.com | www.hifromlink.com
5
Compliance in the cloud?
100% cloud is not always the only option
Before cloud or SaaS vendors make any changes to their offerings, they think of data and application security. The cost of
getting this wrong far outweighs the efforts involved of getting it right. Some companies will offer a number of ways to deploy
their software, including: Public Cloud, Private Cloud and onsite/Hybrid solutions.
It’s by far easier to manage a shared service/public cloud offering as they only need to manage a group of scalable servers that
they have control over. If deploying their offering onsite, they need to engage with IT teams, security teams, operational
infrastructure teams etc. This presents some challenges and certainly adds to the hurdles.
Decision makers are often caught in a tough position when exploring cloud or SaaS as a viable alternative to traditional
infrastructure and application service methods. Fear of data leak and location is the primary concern. But does the cost savings
outweigh the perceived risk?
The financial argument
From a purely financial standpoint, many decision makers are not entirely aware of the true cost of operating their
environments. Expenses relating to a facility and infrastructure often are hidden in other budgets, so their view of operational
cost is limited to staff, hardware purchases, maintenance agreements and software licensing. Overlooked expenses often
include the impact of business damaging downtime and the cost of capital that could be more efficiently used in generating
income. On the whole, the cloud or SaaS initial outlay and ongoing costs have proven to be more cost effective than going with
onsite. However not everyone is ready for the cloud.
6. Evaluating business needs
Research shows that cost is seldom the primary driver toward cloud services. Instead, improved service levels, infrastructure
agility and increased security ranks as the top three drivers. Overburdened infrastructure or small IT teams often cannot cope
with the rate of change and demand, and desperately need to empower business units to provision services that add value,
fast.
If the goal of a business is to move more quickly than their competition, the platforms on which they innovate and operate must
keep up with these requirements. If they cannot, then irrespective of the cost of a cloud solution, they are simply not performing
a business enablement role.
So where are we now?
The question of whether cloud is a viable alternative to the existing methods of deployment is not a comparison of apples to
apples. An organisation needs to determine accurately what it’s objectives and goals are at a business level, understand
whether they can afford to divert much-needed capital into a non-core activity such as operating IT infrastructure and then
consider whether a scalable, flexible and cost-efficient solution will serve their original goals more effectively. And most
importantly, securely.
For many providers, time will tell and the market will drive them in the direction it sees fit. At this point, there is a definite
increased interest in cloud and SaaS but some companies are reluctant the be the first movers, but don’t the first movers often
get the advantage?
Link.
+852 8203 2066 | info@hifromlink.com | www.hifromlink.com
6
Link.
Digital & Automated Client Onboarding
Compliance in the cloud?