“Regulatory procedures no roadblock to innovation”

Banks undergo a transformative journey as they move away from an account-centric focus and adopt a customer centricity approach. The Holy Grail is the “customer of one” proposition which requires banks to have a strong technological infrastructure with a clear alignment of channel, product and customer analytics. Very few banks in the world boast this level of sophistication, with many still struggling to replace outdated systems, manage cost efficiencies, or come to terms with their respective regulatory requirements, whilst attempting to deliver products and services that meet customer expectations.

As financial institutions (FIs) increasingly rely on complex IT systems to cope with the myriad of daily functions, they are rendered vulnerable to threats such as cyber-attacks and system disruptions. With this in mind, FIs are expected to continue to deepen their technology risk management capabilities to better respond to IT security issues or system failures.

The Monetary Authority of Singapore (MAS), for one, revised its Internet Banking and Technology Risk Management (TRM) Guidelines in June 2013 to provide better guidance, whilst addressing existing and emerging technology risks confronting FIs in the city state.

According to Kris Kumar, senior vice president and regional head, Asia Pacific, at global data centre solutions and colocation provider Digital Realty, adoption of online and mobile technologies for core banking systems, as well as consolidation and virtualisation of hardware in the financial services industry has seen rapid increase over the past few years. The rapid evolution of technology has resulted in faster provision of new banking services. Kumar believes that “the use of technology can be considered as a competitive advantage to service customers better”.

With the cost of leasing data centre space rising – with FIs’ preference to keep their data nearby – Kumar identified “a move towards consolidation of legacy data centres”. By assessing their current and future needs, while putting in place a data centre strategy, FIs will be able to rely on better support.

Kumar also discussed about the more complex aspects of MAS’ revised TRM framework, shedding light on the need for board level involvement in a bank’s IT strategy, whilst touching on other issues including IT outsourcing, and security concerns.

TRM framework

Currently, the framework suggests a uni-linear approach (Identification – Assessment – Treatment – Monitoring – Reporting). This approach has been used before in other situations and offers, in terms of flexibility, a stronger discipline to identifying and managing technology risk, while bringing technology adoption and management in line with regulatory framework for banking systems, Kumar said.

A parallel could be drawn between the uni-linear approach and the Six Sigma DMAIC (define, measure, analyse, improve and control); both methods tackle each point through clear identification, before a solution is sought to increase performance. The MAS framework will eventually allow for better fraud control, and disaster recovery of systems when under security threat.

Impact of the TRM framework on transparency and innovation

Over the past few years, regulatory bodies such as MAS have steadily increased pressure on FIs on a number of fronts. We have seen global initiatives, like Basel III, and regional policies, such as buffer capital requirements in the Philippines, focusing on financial risk and increasing ownership and responsibility by involving both higher management and the board.

On the technology front, MAS’ TRM guidelines have set similar standards, with a bank’s senior management and board required to oversee establishment of IT policies, standards, and procedures. “This will result in better governance and structure to technology initiative management,” Kumar said.

Indeed, the TRM guidelines are designed to ensure that all FI initiatives are aligned with the overall regulatory framework, in a bid to more effectively protect against security threats and disruptions to systems, as well as discourage the circumventing of banking policies and guidelines that have taken place over the past few years. Kumar believes that the regulatory procedure in place is not a roadblock to innovation; it is an avenue of constant encouragement for data centre providers to maintain their competitive edge in the market by offering FIs more than just the base of secure, reliable facilities.

IT outsourcing

FIs are expected to perform proper due diligence activities on service providers to assess their ability to provide viable and reliable services. Performance targets, service levels, security and contingency planning are some of the key factors considered in FIs’ technology partnership decision.

For data centre providers, these elements are measured by availability and resiliency of the design, as well as operational availability through the term of the contract. “Power, temperature, humidity and Power Usage Effectiveness (PUE) are some of the measures that govern Service Level Agreements (SLA) between FIs and data centre providers,” Kumar said. These factors determine how the technology risk is managed during the operational phase of the facility.

Security

FIs that decide to outsource their data centres are naturally exposed to various risks inherent to data management. In this regard, MAS’ TRM framework encourages greater transparency between data centre providers and their customers, and ensures that data centre providers are consistently put through rigorous assessment. Kumar emphasised this point, pointing out that Digital Realty undergoes a Threat Vulnerability Assessment every two to three years.

“As a data center solutions provider, this assessment includes physical security assessment of the facility, and operational and preventative maintenance procedure audits every year,” Kumar said. This regular assessment ensures that data availability, resiliency and security are kept to the standards of the agreed SLAs. Data centre providers do not manage data for FIs but focus on ensuring that the physical security of the data centre is maintained to the highest level possible. Their primary concern is with ensuring that no harm comes to FIs’ server hardware or networking equipment.