(Original publication by Jorge Morlett on LinkedIn)
Following the financial crisis at the end of the last decade, banks have faced an arduous and constantly evolving regulatory climate. The stakes for non-compliance are significant; since 2008, global banks have paid $321B in fines and penalties, according to a recent report by Bloomberg. The scope of regulatory scrutiny, moreover, has expanded beyond major global financial institutions, and today increasingly includes smaller regional banks – which often lack the resources to support sufficient IT compliance capabilities and are therefore more likely to be vulnerable to an audit.
Banks typically approach compliance preparedness by using in-house or third-party teams equipped with spreadsheets and other manual tools to gather data on a wide range of IT assets. That data is then reviewed against metrics and regulatory guidelines to ensure the proper level of insight into servers, networks and applications. Specifically, the bank needs to demonstrate the ability to understand what transactions are occurring and with whom, and whether appropriate security tools and processes are in place.
In addition to being time-consuming and inefficient, this approach has a further problem: the data gathered provides only a historical perspective of past activity, putting the compliance team on a perpetual treadmill. Consider this scenario: a security manager preparing a report to a regulatory entity reviews his operational metrics and finds that required system updates are behind schedule. Moreover, the licenses for the tools that provide the updates have lapsed. This means the compliance manager has to chase down the procurement department to renew the licenses, deliver the updates and complete the reports. The report is delayed and up goes the regulator’s red flag, causing reputational damage or financial impact.
An alternative to this approach is emerging in the form of advanced self-assessment tools from vendors such as OpsGuard, RSA Archer, and IntelligenceBank. Easy to configure to a particular organization’s criteria, these affordable solutions leverage capabilities such as automated data collection, analysis and reporting, and in some cases provide proactive alerts on compliance requirements to all relevant parties. The tools are also equipped to stay abreast of a constantly evolving landscape – Bloomberg reports that banks are required to track an average of 200 revisions a day to existing rules and regulations.
Most importantly, rather than a historical perspective that identifies where the environment is falling short, the tools can deliver a forward-looking checklist of specific actions needed to remain compliant. For the security manager in the example cited earlier, this is a game-changer: rather than scrambling to fix problems identified in internal reviews, and then racing the clock to meet regulators’ deadlines, the manager is notified of future expectations and actions needed to remain compliant.
The implications of this shift in mindset are enormous in terms of strategic governance maturity as well as bottom-line results (avoiding fines and penalties). For smaller, regional institutions struggling to comply with increasingly stringent regulatory oversight, the tools offer a significant opportunity to level the playing field, and implementing the right tools doesn't have to be a long-term, expensive effort if it is properly tailored.