BankThink

Expanding the cloud creates new compliance challenges

Financial services firms and card issuers historically shied away from allowing their data to be off the premises and in the cloud. That started shifting a bit before the pandemic as competitive pressures grew and the scalability, cost savings and agility benefits of cloud became clear.

Once COVID-19 hit, cloud infrastructure and applications became even more compelling as financial pressures grew and employees needed to work remotely and service customers online. In fact, 69% of financial companies expect to have at least 60% of their workforce working from home at least once a week going forward, compared to 29% before COVID.

Now, more and more organizations are using cloud-based, or SaaS, applications to not only manage financial data, but also run their business. For instance, Salesforce helps manage sales and customer data and enables insights for product, payments and service innovations.

As advantageous as SaaS applications are, they also introduce complications when it comes to complying with regulations, such as the Gramm-Leach-Bliley Act and the SEC’s Regulation S-P, that require safeguarding sensitive data and customer information, protecting it against unauthorized access and storing it securely.

There’s also the requirement to be WORM-compliant, meaning records must be “Write Once Read Many” to ensure they’re not altered or deleted.

When you use SaaS applications, your data resides in the app vendor’s infrastructure. You’re paying for access to the app and to your data. In this way, they own your data. Many organizations think SaaS vendors are therefore responsible for protecting it, but that’s not really the case.

Most vendors operate under a shared responsibility model, where they’re obligated to protect the app itself and you’re responsible for protecting the data.

You can mitigate risk and enhance compliance by bringing SaaS app data storage under your ownership – and making sure you capture and retain all changes made to the data, as well as information about who made them, where they were located, their IP address and the device used to access the data.

With 69% of financial companies using Amazon AWS and 79% using Microsoft Azure – both of which have WORM-compliant offerings – prior to the pandemic, it’s extremely likely that even more use cloud storage now. To take back ownership of your data, it’s key to back up and archive all historical data into your cloud data lake environment, where you have control over how long it’s retained and the ability to trace who accessed it and any changes they made.
