Do you think cloud computing is being observed as a cybersecurity saviour or the source of failure? If the cloud was to fail, do financial institutions have plans in place? Does there need to be more regulatory oversight on this?
From a cybersecurity perspective, cloud computing is not inherently a saviour or single point of failure when managed following the required operational and security risk requirements to which all financial institutions are subject. Certainly the implementation of a cloud platform requires different tools and controls, but the approach of addressing control objectives to manage to an acceptable risk posture is a familiar one. Typically, cloud platforms are highly resilient at the component or service level, with scaling levels of fail-over up to and including backup computing centers. Depending on the technology, a financial institute may determine that it requires a failover capability to another provider. Again, this will be a familiar process to them. Regulators have, in general, communicated their expectations that their current risk-based supervisory framework can be applied to cloud computing environments so that more oversight is not warranted.
While the financial sector is working on open banking strategies, is the industry at the right stage to implement advanced analytics to use as an investigative tool?
UK Open Banking is at the right stage to begin working on advanced analytics for investigation purposes, but there is still a major gap in the ecosystem that needs to be addressed for this effort to achieve the necessary results. The Technical Service Provider (i.e. aggregator) is not an authorised role under the PSD2 RTS or UK Open Banking. The current regulatory framework puts the responsibility of TSP oversight on the authorised firm that is using the TSP, which provides only asymmetric oversight controls, leading to inconsistent traceability and fragmented accountability upon which the liability framework rests. As such, only rudimentary and manual analytics can work through these inconsistencies – which is neither scalable nor in the best interest of the consumer.
Is there any evidence that the financial sector will start to truly understand their customers and understand their customers’ right to privacy, after years of not making use of data? What do the open banking regulations already put in place require banks to do?
Open Banking not only empowers and protects consumers as they use their data to obtain highly personalised financial services, it provides banks with a level playing field to engage with their customers in a broader and regulatory supported manner. For years before Open Banking, the value proposition of bank-hosted Personal Financial Management (PFM) was two-fold. For the consumer, it’s seeing all your accounts and transactions in one place to make financial choices. For the bank, it’s seeing what your customer has in their wallet that you don’t provide; and then offer them your competing products. If you don’t have a better product, build one or partner for it. We learned that for consumers, just seeing their data wasn’t helpful; it was depressing. Open Banking providers now provide real engagement, not just data, to the benefit of the consumers. We also learned that banks were wary of using their customers’ data to inform their marketing or product activities. Open Banking clearly removes the uncertainty of how to engage with the consumer for these purposes. The banks that view Open Banking as the opportunity to engage their customers rather than as a compliance exercise will provide better services that also respect the intention and privacy of their customers.