Do UK regulators approve of cloud technology for financial services? That question might be difficult to answer given the UK regulatory regime is a ‘principles’-based environment. This means regulators provide general principles by which organizations should govern themselves, but ultimately, they will not tell a regulated entity what their policy needs to be. This, of course, applies to the use of the public cloud as well: There are no detailed guidelines.
The ‘principles’ approach, instead, gives businesses the flexibility to adopt cloud technology in a manner that suits their business, so long as they can clearly convince regulators that they (a) have fully understood the risks associated with doing so, and (b) can show a clear audit trail for the key decisions involved in their mitigation.
This can be hard for new entrants to wrap their heads around and might make it difficult to determine how to approach new, cutting-edge technologies. However, if businesses develop a cohesive risk management framework that illustrates their understanding of the risks associated with a new innovation, this ‘principles’ approach means that implementation can be swifter and smoother than expected.
The reality is that cloud-based solutions are the future for many finance businesses. They offer a scalable and resilient platform with a more acceptable cost of ownership model and with none of the obsolescence plaguing existing systems.
However, as with any innovation in a regulated industry, the challenge lies in demonstrating to the regulator that the business has fully grasped the new risks this technology introduces as well as those it makes redundant. This is when it becomes increasingly important for a regulated entity to clearly demonstrate that the senior management team has fully assessed the risk environment and has sufficient controls in place to mitigate those risks. But it is not enough to simply provide a finished risk assessment. The regulator will want to see the discussions and decision-making processes that went into compiling it, and an ongoing plan for maintaining it.
The approach Mambu has taken with our cloud platform is to devise an intuitive and efficient process that enables a customer to identify and assess the risks associated with their implementation alongside those factors that minimize these risks.
Drawing on existing research, such as Citihub Consulting’s How To approach Regulatory Compliance with Public Cloud Services, we have identified key risk areas such as transparency, data co-mingling, portability, governance, service management, integration/engagement, rapid application development, concentration risk and more.
Mambu then created a standard assessment template using CoralRisk to capture relevant risks for Mambu’s customers. We built up a library with the existing controls that have to be performed to ensure the risks are suitably mitigated, and we identified new controls that would need to be developed where risks remain outside of the appetite of the firm. We see this as a resource we can continue to evolve for our customers.
Once the risk model is customized, the assessment can simply be exported into an easily digestible PDF for the regulator to consume. It also provides access to the audit trail that illustrates the thought processes and discussions associated with the decisions made when creating it.
Regulatory compliance does not have to be a daunting process or a barrier to innovation. If financial institutions work in a pragmatic and logical manner and ensure they have an audit trail of their decision-making process around risks considered and addressed throughout their processes, they will build regulators’ confidence and unlock the opportunity for new technology innovation.
About Courtenay Brammar:
Courtenay spent the past 11 years as a professional risk manager working for some of the largest financial institutions in both London and New York. Last year she co-founded a tech start-up called CoralRisk to help new and existing businesses capture, maintain and analyse the qualitative risk information required to meet regulatory compliance. Courtenay has been working with Mambu to help some of their customers better understand the changes to their risk environment associated with adopting the new wave of finance technology solutions like Mambu that are hosted and maintained in the cloud.