Working across the financial services and insurance industry, we’ve seen how quickly organisations have had to react and shift to remote working and remote selling. For organisations, it’s changed the expectations of your customers, employees, and even your own value chain. This evolution is set against the backdrop of a changing regulatory and security landscape for the sector. This holds significant importance for financial service institutions, especially as they embrace the use of new technologies, like cloud technologies, to meet these changing market demands.
Indeed, in a recent report, the Financial Stability Board highlighted “the importance of understanding the ability and capacity of third parties (and the capacity, availability and resilience of third-party technology) to remain resilient in challenging economic and operational environments and continue to adequately provide or support critical functions in FIs.”
Furthermore, a 2020 PwC survey found that 75 percent of finance leaders were planning on creating more agile business environments going forward. And that was reflected in business spend. Cloud spending rose 37 percent to $29 billion during the first quarter of 2020. Cloud technologies enable the financial services industry to unlock insights to deliver better customer experiences and bring more customer value. How to stay compliant and secure when you move your workloads from on-premises onto a third-party provider is a threshold criterion for financial services. We are supporting this conversation across the industry, including by engagement with financial services regulators.
Recently, we held a regulatory briefing for the sector to share some of our approaches and current observations. In this briefing, we consider the structural changes, how organisations are adapting to these circumstances and how they remain agile in continuing to meet key regulatory requirements. These observations are timely as well. They come on the heels of the Bank of England’s newly issued Supervisory Statement on Outsourcing and Third Party Risk Management, which aims to “facilitate greater resilience and adoption of the cloud and other new technologies.” We share some of these observations below.
1. Data governance, innovation and agility in the cloud
Both regulators and organisations recognise the benefits that the cloud gives to protect against cyber risk and improve operational resiliency. They also recognise that, with cloud technologies, organisations gain the ability to manage risk at scale. At the same time, organisations can take advantage of innovation and agility to further drive business goals or differentiate themselves in a competitive market.
Microsoft provides a rich set of tools to help customers manage governance, such as Compliance Manager. This provides a list of recommended actions and detailed guidance to improve controls and capabilities. This can help organisations meet regulatory requirements for areas they are responsible for. Microsoft Secure Score measures an organisation’s security posture and provides actions to help improve it. Microsoft continues to invest in helping customers manage risk, providing transparency and assurance, to help meet their regulatory requirements.
Further, the cloud can help drive innovation through automation, such as AI and machine learning. With hyperscale computing, you can build agility by gaining more computing power when you need it. This helps you quickly respond to external and internal changes, driving employee productivity from anywhere and creating personalised customer experiences.
2. Mitigate and manage concentration risks in the cloud
As adoption of cloud technologies becomes more prevalent, so does the conversation around concentration risk. We have had considerable engagement with regulators and customers to understand such concerns. At bottom, this is focussed on concerns about a ‘single point of failure’, and how to manage and mitigate against such risks. Of course, the risk itself is not new with cloud technologies. Legacy systems – particularly the mainframe – present such risks in current environments. Indeed, cloud technologies can help unlock value by removing lock-in with legacy systems in favour of more agile and resilient hyperscale cloud systems. Strategies for doing so include using availability zones and regional pairing of distributed regions to provide for high resiliency and data replication. Even in the case of ‘black swan’ events, these strategies can mitigate against such catastrophic occurrences.
In addition, firms should have in place business continuity and exit plans as part of any overall outsourcing strategy. We have created an Exit Planning for Microsoft Cloud Services Whitepaper to help assist organisations. With such governance and strategies in place, firms may opt for a primary cloud vendor without the need to multi-source. A multi-source approach can add complexity and additional risk. There is no one-size-fits-all approach. However, our experience shows such risks can be managed, consistent with regulator expectations. Of course, this is only if a firm’s governance posture is soundly organised to measure and mitigate against such risks.
3. Working together to improve assurance and enable regulatory compliance
At Microsoft, we’ve been engaging with regulators in key capital markets since 2012. We have continued to share perspectives about how to modernise and adapt regulations to account for permissibility of cloud technologies. This is while helping financial institutions operate in a safe and sound manner and stay consistent with regulatory objectives of managing risk. Thus, a centrepiece to our strategy is to provide for continuous engagement with key stakeholders – financial organisations and regulators alike. Through this feedback loop, we can constantly share perspectives, learn from each other, and drive towards mutually shared objectives of facilitating innovation. Ultimately, this will help manage risk, and ensure the financial ecosystem remains vibrant, secure, and resilient.
In addition, our innovative Financial Services Compliance Program allows organisations to engage directly with Microsoft engineers. This program focusses on cloud risk, cybersecurity, regulatory compliance, data privacy and risk monitoring to help them get the most out of their cloud strategy.
As we come around from the events of the last year, we know this journey is not over. Nor is it just beginning. We are excited about the future. We see huge promise to help the industry move forward during these rapidly changing times. Our role is to help firms innovate. To help firms meet their regulatory compliance needs. And in this opportunity is our responsibility to remain a trusted partner to the financial services industry, to drive change in a safe and sound manner, just as regulators expect, and our customers demand.
About the authors
Craig Wellman leads the Microsoft UK Financial Services business, serving its largest clients in the industry. He is responsible for the full breadth of Microsoft’s offering to the sector across solution, service and support. His ambition is to partner with the industry to build trust with customers, transform working practices and maximise the digital opportunity. Financial Services is at a tipping point of change. Financial inclusion, data security, regulatory pressure, rapidly evolving customer expectation and financial crime are all at the heart of every board room. As one of Microsoft’s globally nominated investment industries and a major global financial centre, the UK is home to many of the world’s marquee brands. This includes retail and investment banks, insurance institutions, through to fintech and challenger banks.
Prior to joining Microsoft, Craig held senior leadership roles in a number of organisations including Legal and General, Vodafone and Virgin Group. Craig is married, has three children and lives in the Newbury area.
Dave Dadoun is Managing Director, Global Regulatory Compliance for the Worldwide Financial Services Industry Team. As Managing Director, he leads Microsoft’s regulatory strategy in the financial services industry globally. He is responsible for driving Microsoft’s engagement with financial services regulators. He also helps financial institutions meet their regulatory compliance needs. Working with engineering, sales and legal teams worldwide, he has helped craft a unique compliance program exclusively for financial institutions to help meet the appropriate level of supervision needed. He also has developed unique commercial terms to meet regulatory requirements for financial services customers and provide examination rights to regulators.
Prior to his current role, he served as the lead lawyer for Microsoft’s Financial Services Industry. He was also previously a general counsel for Microsoft’s Small Midmarket Solutions and Partner organisation. From 2001 to 2010, he served as competition counsel for Microsoft, working on the U.S. Department of Justice antitrust case and follow-on European Commission case. During that time, he was appointed by the Microsoft Board to serve as the compliance officer under a federally mandated consent decree from 2002 to 2006. From 2006 to 2010, Dave led antitrust counselling and defended the company in numerous competition investigations in Europe.