New regulation will fundamentally change the landscape for the biggest tech companies—particularly cloud providers, says a new paper from JWG, the London-based think tank that tracks and analyzes financial services regulation.
“Managing Digital Infrastructure Risk: A Collaborative Path to Financial Services Safety” is available online from JWG. Its analysis, based on 287,897 pages of new rules published in 2022 alone, is a wake-up call for firms that need to define ‘what good looks like’ before massive fines start to land.
The firm uses natural language processing to comb through the regulations. “We have modeled all the terms we know regulators talk about and we mine for topics we don’t understand and try to get a sense of how it all fits together,” said PJ Di Giammarino, CEO of JWG.
New regulations will cover information and communications technology (ICT) risk management, third-party risk management strategy, scenario planning, operational resilience and technology governance. And, of course, the requirements will differ somewhat in the EU, the UK and the U.S., not to mention Asia.
It gets very complicated, Di Giammarino said. “We already have a big division between Asia, the U.S. and Europe. Europe is customer-centric and regulates to protect the individual. The U.S. protects the corporation and the right to do business with a little bit of protection for people too, and China is all about state rights.”
This could add a whole new level of complexity and costs, he added.
“To sum up the last 18 years of doing reg, it was all about who trades what. Now what is happening here is a whole other conversation — HOW? That is all over the place today, little bits of reg that are nibbling away at HOW. Unless you do it from the top down, you will die from lots and lots of paper cuts and fines.”
Francis Gross, senior advisor to the European Central Bank, said the industry has to move quickly. “One is left with the feeling that industry and the regulators will need to learn, fast and together, what of technology is for competition and what is best for collective action, beyond today’s silos,” he said, speaking in a personal capacity.
Firms in Europe will be asked to provide the European Central Bank with a full list of all outsourcing contracts, including 32 data fields for each contract and an additional 19 data fields for those deemed critical or important, according to the report.
“This JWG study outlines the transition our industry is undergoing with digital infrastructure risk management moving from the back office to the board room,” said Richard Harmon, VP & global head of financial services, Red Hat. “Now more than ever, the board will need to spend time understanding the interdependencies between business models, regulatory requirements, technology and the banks’ supply chain.”
Di Giammarino said financial services firms will have to move past the way they have traditionally operated, in silos, because the regulatory demands will require a holistic approach.
“This all gets very tribal. Even within risk you have market risk and credit risk, and they might not pay attention to operational risk. And now you also have operational resilience. Most of the controls have been developed over time, kind of like the way the IT infrastructure developed. Now firms face a big housekeeping exercise around what controls do we have and are they fit for purpose for the new rules.”
Although Chris Skinner, who writes The Finanser and is the author of several insightful books about digital finance, has frequently complained that boards lack enough directors with strong technological knowledge, Di Giammarino thinks they are now well grounded in tech.
“These guys on the board are pretty tech savvy now,” he said. “If they are under 40, they grew up in a marketplace that was all based on tech. I think the board question isn’t so much are the people there savvy, but how that second line of defense works together. Each organization may have different people stepping up. It could be the chief administrative function which has finance, compliance and risk coming together, or a bank might just give it to risk or to ops and tech.”
JWG recommends that a comprehensive risk management framework be developed from current frameworks that are linked to regulation and standards. But it is clear from the JWG paper that the regulations under discussion will be broad and will require an examination of existing cloud services. For example, firms in the EU may have to show how they would remove ICT services from an existing provider and transfer them to a different provider or bring them in-house. Regulators will get a unique picture of supply chain interdependencies and be able to identify concentration risks for the first time, the report says.
Regulators will also look at AI to see how infrastructure, data, and apps are handled.
“While the EU has the most obligations and so is seemingly leading the charge, the UK remains close behind and collaboration with the U.S. is of high probability…Unfortunately, we find that there is not much connection between the many risk communities which should be uniting behind these initiatives. Compliance, operational risk, data and technology tribes often appear to be working in silos and though some best practices have arisen, there is no body or unified approach to holistic controls today. Overall, this is a recipe for a very complex, frustrating, and costly 3 years ahead.”
Firms that work across jurisdictions, as most large financial institutions do, have to find their way through overlapping regulatory regimes.
“For example, how does a U.S. financial institution certify that its credit application, hosted in the UK, serves Italian clients with AI which meets EU AI Act requirements including, design, data, testing, and controls which need to be registered with EU authorities?”
The sector has a short window to create a harmonized set of controls, the report warns.
“Implementation efforts are fragmented and require redundant mapping efforts. A massive administrative burden could increase technology cost and stifle innovation.”