Unclouding the Risks of Cloud Implementations for Regulatory and Risk Reporting

09/24/2018

Unlikely as it may seem, financial institutions (FIs) are now uttering “cloud” and “regulatory reporting” in the same breath. Driven by today’s rapid velocity of regulatory change and ever-increasing data volumes, FIs are understandably tempted to marry these two concepts as they seek scale and automation benefits. In fact, regulators and FIs alike increasingly view cloud as a viable technology infrastructure — so long as appropriate risk-mitigation capabilities are in place.

However, with material non-public information (MNPI) at stake, risks loom very large. How then might the FI go about unclouding the risks of cloud implementations for regulatory reporting?

As the global leader in risk-data management and regulatory-reporting solutions, AxiomSL has studied this issue carefully during its more than two years’ toil developing a set of technical and operational capabilities it has dubbed the “MNPI Vault.”

Here are a few thoughts to help uncloud the business, implementation and operational aspects of the cloud risk-stack, along with some interesting questions FIs may want to use to uncover risk-mitigating factors.

Business Risks

The business-risks element in the cloud risk-stack is primarily associated with the protection and management of the FI’s MNPI on the cloud, and covers many interrelated areas including access, confidentiality, integrity, sovereignty, recoverability, traceability and segregation. Asking the following questions can help an FI to determine the robustness of a regulatory-reporting platform operating on the cloud:

  • What risk-management processes are in place?
  • How does the regulatory-reporting platform leverage risk-management processes and security certifications for the FI’s benefit?
  • What security certifications are in place or already embedded in the cloud service provider’s certification roadmap?
  • What security certifications has the cloud service provider obtained in order to satisfy a specific regulator’s cloud-implementation requirements?
  • How does the cloud-based regulatory- and risk-reporting platform manage the transportation and ingestion of the FI’s data?
  • What processes, procedures and architectures are in place to ensure that the FI’s data is never commingled with that of another organization on the cloud computing infrastructure?
  • What does the provider recommend as best practice for handling and/or converting any compliance data that may be managed manually?
  • Does the platform provider have a track record in creating precisely traceable metadata from ingested data, and accurately and automatically managing the data’s lineage?

Implementation Risks

Initial implementation risks and subsequent change-management risks stem from a lack of appropriate expertise, discipline and processes for onboarding regulatory and risk reporting on cloud-computing resources. Posing questions similar to those suggested below may help the FI develop an informed point of view on how well prepared a provider is to deliver a successful, efficient cloud implementation.

  • How does the platform provider develop and maintain the specifications and/or tailored data dictionary for a given regulatory filing on a continuous basis?
  • How does the platform provider monitor and interpret changes in regulations and non-disruptively implement them into production?
  • What tests and checklists does the provider’s cloud-operations team employ to assure that the FI’s implementation is ready to be put into production?
  • What is the platform provider’s process to ascertain the velocity and volume of data in order to provision appropriate cloud-computing resources for a given regulatory solution?

Operational Risks

The operational-risks level of the stack is associated with the provider’s ability to support the continuous operation of the reporting solution while protecting the FI’s MNPI. The following questions can help the FI gain perspective on the operational readiness of a regulatory- and risk-platform provider.

  • How does the platform provider protect access to the FI’s MNPI?
  • How does the platform provider’s team continuously monitor network, computing and storage capacity on the cloud in order to deliver the agreed-upon service levels?
  • Can the provider execute, monitor, and manage the entire front-to-back operation?

Unclouding The Cloud

The regulatory dimension is unique, and going to the cloud poses very real risks, especially concerning the protection of the FI’s MNPI. Asking the right questions will go a long way to unclouding the risks of cloud implementations.

AxiomSL’s “MNPI Vault” Cloud Solution offers FIs carefully conceived technical and operational capabilities to securely manage MNPI within a client-dedicated virtual private cloud, positioning FIs to efficiently address today’s velocity of change and ever-increasing data volumes.

AxiomSL uses the Amazon Web Services (AWS) Well-Architected Framework to provide a consistent approach to evaluating architectures and implementing scalable solutions. Its state-of-the-art DevOps frameworks leverage sophisticated tools to build infrastructure as code (IaC) in order to quickly provision the entire VPC environment. AxiomSL’s data integrity and control platform has been enhanced to take full advantage of AWS’ sophisticated security features. AxiomSL’s MNPI Vault risk and regulatory reporting capability is supported by its dedicated cloud-operations team, as per industry best practices.

About AxiomSL

Leveraging its more than 25 years’ experience, AxiomSL combines deep industry expertise with an intelligent data-management platform to deliver solutions around regulatory and risk requirements, with on-premises or cloud-based implementations. Its global footprint spans a client base of regional and global financial institutions with more than $39 trillion in total assets and covers more than 70 regulators, 50 jurisdictions and 4,000 regulatory reports.
