The Hidden Compliance Risks of Digital Change in Financial Services

The finance industry has felt the impact of a dramatic shift in recent years. Financial services organisations are placing heightened focus on new tech and on digitising legacy processes.

According to a recent survey, 3/4 banks have launched a digital transformation initiative, with an additional 15% developing a digital transformation strategy in 2022. What digital risks do businesses need to be aware of when carrying out their change strategies? Let’s explore why financial organisations must keep compliance front-of-mind when undergoing digital transformation.

The current state of play

The pandemic has been a driving force behind rapid digitalisation, pushing businesses to adapt existing processes and implement new technology. While digital tools undoubtedly enable connectivity in a Covid-19 world of isolated individuals, making businesses more agile, efficient, and customer-centric, they also exacerbate certain risks, with regualatory compliance a top concern.

Businesses who fail to comply with regulations and maintain the privacy and protection of personal information can face drastic consequences, including reputational damage, decreased market share and hefty fines. Financial organisations, with the level of financial and personal data they store and process, are at more risk than most. Now, as they consider GDPR, KYC, AML and ESG directives in the new digital landscape, financial services companies are beginning to realise that pre-existing compliance management operations are not sufficient to meet growing regulatory demands.

“As organisations pivot to increase the level of digital access offered to consumers and workforce members involving personal and business-oriented information, it creates entirely new forms of risk that must be mitigated compared to traditional ways of conducting business”
- Ryan Smith, CIO at healthcare provider Intermountain Healthcare.

How a lack of compliance facilitates cybercrime

When it comes to digital risk, compliance and cybersecurity often go hand in hand. According to recent studies, 85% of CISOs feel that security issues have had a somewhat to extremely large impact on their business during digital transformation, with the majority experiencing an attack or breach that resulted in data loss or compliance issues. When asked why this was, 71% of C-level respondents stated that their organisation was more vulnerable to security incidents during periods of digital change.

The 4 main digital change techs where risk is introduced

1. Multi-cloud or hybrid cloud infrastructures:

Including software-as-a-service (SaaS) and platform-as-a-service (PaaS) models, hybrid or cloud infrastructures host data outside of an organisation’s defensive perimeter. With important data starting to move from legacy systems into mission-critical cloud apps, it can complicate regulatory compliance. While financial organisations may own the data within these platforms, they don’t have the ability to maintain strict control over it. This introduces the potential risks of having data lost or stolen, alongside issues with data privacy.

2. Automation and analytics:

Carried out through techs such as AI and robotic process automation (RPA), analytics and automation capabilities are growing significantly throughout the financial industry. However, RPA bots that are not implemented and ‘hardened’ appropriately with sufficient logic to run reliably allow room for compliance risk and error. On the other hand, this same technology can be used for regulatory mapping, allowing firms to monitor changes that impact their operations.

3. Digital supply chains and sales channels:

Although digitisation of channels can offer increased efficiency and reduced costs, it can also introduce significant compliance risks. This includes aspects such as corruption, fraud, ESG requirements, labour law compliance and health and safety laws.

4. Internet of Things (IoT):

IoT is being deployed across FS to help identify customer needs and the value chain. However, by introducing a network of interconnected devices, IoT has dramatically increased the attack surface of an organisation’s system. By offering multiple, connected entry points for cyber threat to access, IoT can place an organisation's data, and therefore their compliance, at risk.

Sources: Pinsent Masons, CIO and ISG

Next steps for financial organisations

Remaining compliant with complex and evolving policies will never be an easy task. However, by taking the time to adjust perspectives, it is possible to allocate cyber resources to not only achieve security but meet compliance requirements.

Research by Mckinsey has found that the most successful companies have established strong collaboration between risk, security, IT, and business units. However, a survey has revealed that 29% of surveyed businesses are yet to take the appropriate steps to address technology disruption, suggesting that they are underestimating critical compliance and cyber risks to their organisation.

It is imperative to establish both a suitable cyber resilience strategy and a risk management framework for managing associated threats and staying on top of changing regulations. Below we have briefly outlined some of the necessary next steps for companies when ensuring compliance and security during periods of digital change:

Create clear policies

Implementing internal policies and processes to align with overarching regulations will ensure everyone in your company is working towards the same goal. These policies should be applied from the top down and communicated out clearly, ensuring that everyone adheres to them. Reviews should also be conducted regularly.

“Effective financial policies and procedures can help provide efficient financial management, risk mitigation, and the alignment of financial operations with the overall mission of the organization.”
- Joe Purvis, CPA at Clark Nuber

Carry out training

Firms must ensure that staff have the correct analytical skillsets and up-to-date knowledge to understand the compliance risks associated with transformation. Providing regular training and awareness initiatives to cement learning will help staff uphold key responsibilities.

“The accumulation of data that accompanies digital transformation initiatives, be that external or internal data, means that all stakeholders must be adequately trained not just on internal processes, but on basic privacy principles.”
- Brian Kane, co-founder and COO of Sourcepoint

Conduct risk assessments

Carrying out risk analysis at opportune times will help businesses to avoid costly delays or compliance issues. Early-stage involvement will accelerate efficiencies, providing larger scope to adapt projects compared to identifying issues in late stages.

“The starting point for all compliance programs is knowing what areas have the highest potential for violations of law. You need to ferret out and prevent the most serious types of risk for your organization. That means you need a solid understanding of the environment you are operating in.”
- Tim Cercelle, director, Deloitte Advisory, Deloitte & Touche LLP

Utilise Cybersecurity Software

Security software allows you to manage data privacy obligations and meet compliance objectives in a cost-efficient manner. Solutions such as Unipass Mailock are specifically designed to protect the data included in outbound messages with encryption and authentication technology, securing your organisation from data breaches and regulatory risk.

“Cybersecurity software is critical to organisational resilience, helping businesses to align with data protection legislation. Both the FCA and ICO advise financial firms to encrypt their communication channels when transmitting sensitive information, ensuring that customer data is protected from unauthorised third parties”

- Anthony Rafferty, CEO of Origo Services.