Three Keys to Compliance: Cloud in Financial Services


Ian Massingham

Director of Developer Technology & Evangelism at Amazon Web Services

Ian draws on over two decades of expertise in Internet technologies, technology operations leadership, architecture, and software engineering to help developers around the world, and in organizations of all sizes, from start-ups to large enterprises, apply cloud computing technologies, solve business problems, and exploit market opportunities. With over 20 years’ experience in the IT services industry, Ian has been working with cloud computing technologies since 2008. He began his career in operations at an early pioneer in the internet hosting and access services market in the UK, and has since led substantial teams focusing on managed services, software engineering, technology operations and architecture within national and multi-national telecommunications operators. Prior to joining AWS, some 5 years ago, he led systems engineering for customers in the telecommunications vertical at a large enterprise technology provider.


23.05.2019 06:15 am

The global perception of “moving to the cloud” has undergone multiple shifts since its inception. What began as a leap of faith into the unknown has become a core enabler for businesses that want to experiment, innovate and grow. So much so that organisations stalling their move to the cloud are finding themselves being left behind.

The heavily regulated financial services industry was slower than many on the uptake. However, initial trepidation has given way to enthusiasm as cloud computing’s security, flexibility, and resilience credentials have been proven time and time again. In fact, high-profile financial businesses such as Capital One, Starling Bank and Stripe are just some of the leading players using and advocating cloud computing.

With cloud becoming commonplace in the financial services sector, regulators are beginning to extend their remit to cover cloud environments. Multiple approaches are being trialled; some have issued new rules and guidance tailored to the cloud while others are simply updating existing guidelines to make them more applicable for emerging technologies. Regardless of the approach regulators choose, a global focus on privacy and cybersecurity has led to increased scrutiny of the ways that financial institutions manage data in the cloud.

For these organisations, we at AWS believe there are three common themes that frequently emerge in the regulatory landscape: data management, cybersecurity, and risk management. These must be top of the agenda for technology stakeholders looking to ensure compliance.

Data management

Companies that offer financial services harbour immense amounts of data, whether that be consumer, market or internal personnel information. The management of this data has become increasingly important with the introduction of regulations such as GDPR. To demonstrate compliance, financial institutions must implement controls and safety measures to protect the security and confidentiality of data stored in the cloud.

The first stage of managing an ever-growing pool of data is getting to grips with encryption. As a starting point, businesses must ensure that data can be overseen from a central control point. Historically, siloes have been the enemy of progress, slowing internal processes down to a snail's pace. The cloud has always posed the solution to this problem, providing a clear, unified view of where data resides and a single point for managing this data. Now, it is vital for stakeholders to manage encryption keys and define policies consistently through this single control point in order to effectively encrypt all sensitive data. 

Ultimately, data management in the cloud must be treated with a “content agnostic” approach. This involves businesses and cloud providers treating all customer data and associated assets as highly confidential by implementing sophisticated technical and physical measures against unauthorised access. This, in turn, limits loopholes and backdoors, delivering a secure environment for all assets within the infrastructure.


Cybersecurity

Financial institutions live and die through their approach to cybersecurity. Not only do financial regulators expect these businesses to maintain a strong cybersecurity posture, a breach could also cause irreparable damage to a brand’s reputation, making cybersecurity a key concern at a board level.

According to the 2018 half year fraud update compiled by researchers at UK Finance, financial services organisations experienced an increased rate of cyber attacks over the past year. Worryingly, attacks are becoming increasingly sophisticated and proving more successful, making cybersecurity a daunting prospect for these businesses.

This is where cloud providers can support financial services organisations with a shared responsibility approach to security. The cloud provider is responsible for the security of the cloud itself, providing world-class levels of protection designed for the most security-sensitive organisations. However, financial institutions must remember that they are responsible for managing security when in the cloud. From penetration testing to automated security functions, it is vital that companies are fully literate and up to date in the latest procedures, processes and tools to mitigate risk.

Penetration testing, a key requirement from financial regulators, provides a good example of how the shared responsibility model works. Cloud providers deliver the tools to perform vulnerability scans and penetration testing on their digital infrastructure; however, it is the responsibility of individual institutions to ensure these are carried out regularly in order to stay compliant.

Risk management

In any area of IT, if you can’t measure, you can’t manage. If CIOs have insufficient visibility over their IT estate it becomes almost impossible to ensure compliance. This is especially important in financial services where regulators expect robust risk management processes to be in place for any business using cloud infrastructure.

Continuous monitoring is key to ensuring that users are managing the risk of their cloud environment, ensuring they have sufficient tools in place to support governance and traceability. This is why businesses must have end-to-end monitoring in their toolkit, enabling them to monitor, analyse, and audit events that occur in their cloud environment. Once in place, executives can not only improve their own peace of mind, but provide a necessary, transparent viewpoint for industry regulators.

Ultimately, to ensure cloud adoption in this highly regulated field is successful, it is up to both cloud providers and end users to work collaboratively. Open lines of communication and a single point of truth for issues around compliance and security are critical for cloud organisations wanting to help financial institutions on their digital journey. By carefully considering the way that data is managed and secured across their environment, at AWS, we are working with businesses to ensure they can embrace the full host of benefits the cloud has to offer while remaining compliant and mitigating risk.
