According to a new paper from JWG, the London-based think tank that tracks and analyzes financial services regulation, new regulation will fundamentally change the landscape for the biggest tech companies, especially cloud providers.
The paper, “Managing Digital Infrastructure Risk: A Collaborative Path to Financial Services Safety,” is available online from JWG. Its analysis, based on 287,897 pages of new rules published in 2022 alone, is a wake-up call for companies that need to define “what good looks like” before massive fines start rolling in.
JWG uses natural language processing to parse the regulations. “We’ve modeled all the terms we know regulators talk about and we’re looking for topics we don’t understand and trying to get a sense of how it all fits together,” said PJ Di Giammarino, CEO of JWG.
The new regulations will cover information and communications technology (ICT) risk management, third-party risk management strategy, scenario planning, operational resilience and technology governance. And, of course, the requirements will be somewhat different in the EU, UK and US, not to mention Asia.
It gets very complicated, Di Giammarino said. “We already have a big divide between Asia, the United States and Europe. Europe is customer-centric and regulates to protect the individual. The United States protects the company and the right to do business with a bit of protection for the people too, and China is all about the rights of the state.”
This could add a whole new level of complexity and cost, he added.
“To sum up the last 18 years of reg, it was all about who trades what. Now, what happens here is a whole other conversation – HOW? It’s everywhere today, little bits of reg that nibble HOW. Unless you do it from top to bottom, you will die from many, many paper cuts and fines.”
Francis Gross, senior adviser at the European Central Bank, said the industry needed to act quickly. “We feel that industry and regulators will need to learn, quickly and together, what technology is for competition and what is best for collective action, beyond the silos of today,” he said, speaking in a personal capacity.
Businesses in Europe will be asked to provide the European Central Bank with a comprehensive register of all outsourcing contracts, with 32 data fields for each contract and a further 19 data fields for those deemed critical or important, according to the report.
“This JWG study describes the transition our industry is experiencing as digital infrastructure risk management moves from the back office to the boardroom,” said Richard Harmon, vice president and global head of Financial Services at Red Hat. “Now more than ever, the board will need to spend time understanding the interdependencies between business models, regulatory requirements, technology and the banks’ supply chain.”
Di Giammarino said financial services firms will need to move beyond their traditional way of operating in silos – regulatory requirements will require a holistic approach.
“It all gets very tribal. Even under risk, you have market risk and credit risk, and they might not pay attention to operational risk. And now you also have operational resilience. Most controls have been developed over time, much like how the IT infrastructure has developed. Companies are now facing a big internal management exercise regarding the controls we have and whether they are suitable for the new rules.”
Although Chris Skinner of The Finanser, author of several books on digital finance, has often complained that corporate boards lack directors with strong tech savvy, Di Giammarino believes boards are now well versed in technology.
“Those guys on the board are pretty tech-savvy now,” he said. “If they’re under 40, they’ve grown up in a completely tech-based market. I think the question for the board isn’t so much whether the people there are savvy, but how that second line of defense works together. Each organization may have different people involved. It may be the main administrative function which brings together finance, compliance and risk, or a bank may simply put them in risk or operations and technology.”
JWG recommends developing a comprehensive risk management framework built on current frameworks that are linked to regulations and standards. But it is clear from the JWG paper that the regulations being discussed will be broad and will require a review of existing cloud services. For example, EU companies may need to show how they would exit an ICT service from an existing supplier and transfer it to another supplier or bring it back in-house. Regulators will get a single picture of supply chain interdependencies and be able to identify concentration risks for the first time, the report says.
Regulators will also examine AI systems, looking at how their infrastructure, data and applications are managed.
“While the EU has the most obligations and therefore seems to be leading the charge, the UK remains close behind and collaboration with the US is very likely… Unfortunately, we find that there are not many connections between the many risk communities that should unite behind these initiatives. The tribes of compliance, operational risk, data and technology often seem to work in silos, and although some best practices have emerged, there is today no global or unified approach to holistic controls. Overall, this is a very complex, frustrating and costly recipe for the next 3 years.”
Companies that operate in multiple jurisdictions, as most large FIs do, must navigate their way through overlapping regulatory regimes.
“For example, how does a US financial institution certify that its credit application, hosted in the UK, is serving Italian customers with an AI that meets the requirements of the EU AI Act, including the design, data, tests and controls that need to be registered with EU authorities?”
The sector has a short window to create a harmonized set of controls, the report warns.
“Implementation efforts are fragmented and require redundant mapping efforts. A heavy administrative burden could increase the cost of technology and stifle innovation.”