
The Hidden Compliance Risks Of Digital Change In Financial Services

The financial services industry has experienced a significant shift in recent years, with organisations increasingly focusing on new technologies and digitising legacy processes. This rapid pace of change raises questions about our ability to comply with regulations that protect our customers.

According to a recent survey, 3 in 4 banks have launched a digital transformation initiative.

What digital risks do businesses need to be aware of when carrying out their change strategies?

Let’s explore why financial organisations must keep compliance front-of-mind through digital transformation.

The State Of Play

The pandemic has been a driving force behind rapid digitalisation, pushing businesses to adapt existing processes and implement new technology.

While digital tools enable connectivity in a COVID-19 world of isolated individuals, making businesses more agile, efficient, and customer-centric, they also exacerbate risks, with regulatory compliance a key concern.

Businesses that fail to comply with regulations and maintain the privacy and protection of personal information can face drastic consequences, including reputational damage, decreased market share and hefty fines.

Financial organisations, with the level of financial and personal data they store and process, are more at risk than most.

“As organisations pivot to increase the level of digital access offered to consumers and workforce members involving personal and business-oriented information, it creates entirely new forms of risk that must be mitigated compared to traditional ways of conducting business.”

— Ryan Smith, CIO, Intermountain Healthcare

Now, as they consider GDPR, KYC, AML and ESG directives in the new digital landscape, financial services companies are beginning to realise that pre-existing compliance management operations are not sufficient to meet growing regulatory demands.

How A Lack Of Compliance Facilitates Cybercrime

In digital risk, compliance and cybersecurity often go hand in hand.

According to recent studies, 85% of CISOs feel that security issues have had a somewhat to extremely large impact on their business during digital transformation, with the majority experiencing an attack or breach that resulted in data loss or compliance issues.

When asked why this was, 71% of C-level respondents stated that their organisation was more vulnerable to security incidents during periods of digital change.

The 4 Main Digital Change Technology Categories Where Risk Is Introduced

There are four categories of technology in digital change that introduce key risks to an organisation's infrastructure.

1. Multi-Cloud Or Hybrid Cloud Infrastructures

Hybrid or cloud infrastructures, including software-as-a-service (SaaS) and platform-as-a-service (PaaS) models, host data outside of an organisation’s defensive perimeter.

Moving important data from legacy systems into mission-critical cloud apps can complicate regulatory compliance.

While financial organisations may own the data within these platforms, they don’t have the ability to maintain strict control over it.

This introduces the potential risks of having data lost or stolen, alongside issues with data privacy.

2. Automation And Analytics

Carried out through technologies such as AI and robotic process automation (RPA), analytics and automation capabilities are growing significantly throughout the financial industry.

However, RPA bots that are not implemented and ‘hardened’ appropriately with sufficient logic to run reliably can allow room for compliance risk and error. This same technology can be used for regulatory mapping, allowing firms to monitor changes that impact their operations.

3. Digital Supply Chains And Sales Channels

Although digitisation of channels can offer increased efficiency and reduced costs, it can also introduce significant compliance risks.

This includes aspects such as corruption, fraud, ESG requirements, labour law compliance and health and safety laws.

4. Internet Of Things (IoT)

IoT is being deployed across financial services to help identify customer needs and the value chain.

However, by introducing a network of interconnected devices, IoT has dramatically increased the attack surface of an organisation.

By offering multiple, connected entry points for cyber threats, IoT can place an organisation's data, and therefore its compliance, at risk.

Sources: Pinsent Masons, CIO and ISG

Next Steps For Financial Organisations

Remaining compliant with complex and evolving policies will never be an easy task. However, by taking the time to adjust perspectives, it is possible to allocate cyber resources to not only achieve security but meet compliance requirements.

Research by McKinsey found that the most successful companies have established strong collaboration between risk, security, IT, and business units.

However, a survey revealed that 29% of businesses are yet to take the appropriate steps to address technology disruption, suggesting that they are underestimating critical risks to their organisation.

It is imperative to establish both a suitable cyber resilience strategy and a risk management framework for managing associated threats and staying on top of changing regulations.

Below, we outline some of the necessary next steps for companies when ensuring compliance and security during periods of digital change:

Create Clear Policies

Implementing internal policies and processes to align with overarching regulations will ensure everyone in your company is working towards the same goal.

These policies should be applied from the top down and communicated clearly, ensuring that everyone adheres to them. Reviews should also be conducted regularly.

“Effective financial policies and procedures can help provide efficient financial management, risk mitigation, and the alignment of financial operations with the overall mission of the organisation.”

- Joe Purvis, CPA at Clark Nuber

Carry Out Training

Firms must ensure that staff have the correct analytical skillsets and up-to-date knowledge to understand the compliance risks associated with transformation.

Providing regular training and awareness initiatives to cement learning will help staff uphold key responsibilities.

“The accumulation of data that accompanies digital transformation initiatives, be that external or internal data, means that all stakeholders must be adequately trained not just on internal processes, but on basic privacy principles.”

- Brian Kane, co-founder and COO of Sourcepoint

Conduct Risk Assessments

Carrying out risk analysis at opportune times will help businesses to avoid costly delays or compliance issues.

Early-stage involvement will accelerate efficiencies, providing larger scope to adapt projects compared to identifying issues in late stages.

“The starting point for all compliance programs is knowing what areas have the highest potential for violations of law. You need to ferret out and prevent the most serious types of risk for your organisation. That means you need a solid understanding of the environment you are operating in.”

- Tim Cercelle, director, Deloitte Advisory, Deloitte & Touche LLP

Utilise Cybersecurity Software

Security software allows you to manage data privacy obligations and meet compliance objectives in a cost-efficient manner.

Solutions such as Mailock are designed to protect the data included in outbound messages with encryption and authentication technology, securing your organisation from data breaches and regulatory risk.


Originally posted on 09 03 22
Last updated on March 14, 2024

Posted by: Sabrina McClune

Sabrina McClune is an expert researcher with an MA in Digital Marketing. She was a finalist in the Women In Tech Awards 2022. Sabrina has worked extensively with B2B technology companies conducting and compiling thorough academically driven research to produce online and offline media. She loves to read fantasy novels and collect special edition books.
