New regulation will fundamentally change the landscape for the biggest tech companies – especially cloud providers – according to a new paper from JWG, the London-based think tank that tracks and analyzes financial services regulation.
“Managing Digital Infrastructure Risk: A Collaborative Path to Financial Services Safety,” is available online at JWG. His analysis, based on 287,897 pages of new regulations in 2022 alone, is a wake-up call for companies that need to define “what looks good” before massive fines are imposed.
The company uses a natural language processor to sift through the regulations. “We’ve modeled all of the terms that we know regulators are talking about and we’re looking for issues that we don’t understand and trying to get a sense of how it all fits together,” Di Giamarino said.
New regulations will cover information and communication technology (ICT) risk management, third party risk management strategy, scenario planning, operational resilience and technology governance. And of course the requirements in the EU, UK and US, not to mention Asia, will be slightly different.
It’s getting very complicated, said PJ Di Giamarino, CEO of JWG. “We already have a big divide between Asia, the US and Europe. Europe is customer-centric and regulates to protect individuals. The US protects business and the right to do business with a little protection for the people, and China is all about state rights.”
This could add a whole new level of complexity and expense, he added.
“To sum up, the last 18 years of Reg activity has been about who is trading what. What’s happening here is a whole different conversation – HOW? It’s everywhere today, small pieces of emotion that nibble on the HOW. If you don’t do it top-down, you’re going to die from many, many paper cuts and fines.
Francis Gross, senior adviser to the European Central Bank, said the industry must act quickly. “There is a sense that industry and regulators need to learn quickly and collectively what technology is best for competition and what is best for collective action, beyond today’s silos,” he said in a personal capacity.
According to the report, companies in Europe are asked to provide the European Central Bank with a full list of all outsourcing contracts, each containing 32 data fields and an additional 19 data fields for those deemed critical or important.
“This JWG study outlines the transformation our industry is undergoing, with digital infrastructure risk management moving from the back office to the boardroom,” said Richard Harmon, VP & Global Head of Financial Services, Red Hat. “Now more than ever, the board needs to take the time to understand the interactions between business models, regulatory requirements, technology and the banks’ supply chain.”
Di Giammarino said financial services firms need to move beyond the way they have traditionally operated in silos – regulatory requirements require a holistic approach.
“It’s all going to be very tribal. Even within risk, you have market and credit risk, and you may not be paying attention to operational risk. And now you have operational resilience too. Most controls have evolved over time, much like how IT infrastructure has evolved. Now companies face a major housekeeping exercise of what controls we have and whether they are fit for the new regulations.”
Although Chris Skinner of The Finanser and author of several insightful books on digital finance has often complained about boards not having enough directors with strong technology skills, Di Giammarino believes they are now well tech-savvy.
“These guys on the board are pretty tech-savvy now,” he said. “By the time they’re under 40, they’ve grown up in a market based entirely on technology. I think the board question isn’t so much whether the people there are savvy as it is how that second line of defense works together. Each organization can have different people who are promoted. It could be the core administrative function where finance, compliance and risk come together, or a bank could just delegate it to risk or operations and engineering.”
JWG recommends the development of a comprehensive risk management framework based on current frameworks linked to regulations and standards. However, it is fairly clear from the JWG paper that the regulations under discussion will be far-reaching and will require an examination of existing cloud services. For example, companies in the EU may need to show how they can remove ICT services from an existing provider and transfer them to another provider or use them internally. Regulators get a unique picture of supply chain dependencies and can identify concentration risks for the first time, the report says.
Regulators will also look at AI to see how infrastructure, data and apps are being handled.
“While the EU has most of the commitments and therefore appears to be taking the lead, the UK remains close behind and cooperation with the US is very likely… Unfortunately, we find that there are not many links between the many risk communities that are uniting should be behind these initiatives. Compliance, operational risk, data and technology trunks often seem to operate in silos, and while some best practices have emerged, there is no body or unified approach to holistic controls today. Overall this is a recipe for a very complex, frustrating and costly 3 years.”
Companies that operate across borders, like most large financial institutions, must navigate overlapping regulatory regimes.
“For example, how does a US financial institution certify that its UK-hosted lending application serves Italian customers with AI that meets the requirements of the EU AI law, including design, data, testing and controls to be registered with EU authorities have to ?”
The sector has a short window of opportunity to create a harmonized set of controls, the report warns.
“Implementation efforts are fragmented and require redundant mapping efforts. A massive administrative burden could increase technology costs and stifle innovation.”