A modern approach to IT compliance, processes and procedures

In conversation with Stéphane Chmielewski, CISO at Finologee

IT compliance has become central to the financial services industry. As institutions digitalise more of their operations, they are having to meet an ever-growing list of regulatory requirements. Similarly, as new technologies are introduced into workflows, and more customer data is brought online, companies within the financial industry are facing new risks and challenges in IT compliance.

Adapting to these developments can be an uphill struggle. However, by taking a modern approach to IT compliance, processes and procedures, financial institutions can not only keep pace with the new challenges but turn them to their advantage.

But what does a modern approach to IT compliance mean? In practice, it means digitalising and automating IT compliance measures as far as possible, integrating and centralising compliance operations, and building a strong culture of compliance throughout the workplace. By combining these approaches, financial institutions will quickly find that IT compliance can add value to their businesses.

What are the main IT compliance challenges within the financial industry?

Technological innovations arrive faster than the ability to keep up with them. This is particularly true in IT compliance and cyber-security, with new risks emerging almost on a monthly basis. Cyber-attacks have taken a variety of new forms over the past few years, confronting businesses with threats including ransomware, cloud-jacking and botnet attacks. At the same time, the risk of data breaches is increasing in parallel with the growth in big data, as businesses collect vaster stores of customer information.

Taken together, the combination of novel attack methods, big data and new business platforms creates new and unforeseen risks. Financial services companies often lack a practical understanding of their real risk exposure. In the face of a constantly shifting and increasingly complex risk environment, their outdated IT compliance measures put institutions, themselves and their customers in danger.

If this weren’t bad enough, new regulations continue to come into force on a regular basis, introducing additional headaches for IT compliance departments. For example, 30% of European businesses still reported that they were not compliant with the EU’s General Data Protection Regulation in 2019, a full year after it became law. The growing mix of existing and new requirements makes it all too easy to see why many companies suffer from multiple IT compliance gaps.

One of the difficulties in keeping up both with new rules and new threats is that many companies suffer from inefficiencies in the way they identify and remedy critical IT compliance issues. Too often their first and second lines of defence involve manual and highly labour-intensive processes to develop controls for each specific issue. Almost inevitably, they spend so much time on the most obvious problems that they end up neglecting subtler but no less relevent issues.

In many cases financial services companies also suffer from a lack of integration, failing to dovetail IT compliance with their wider risk management processes, as well as with other compliance areas such as third-party management. This creates inefficiencies that make it harder and more resource-intensive for each compliance department to fulfil its responsibilities.

How can IT compliance and risk and internal control frameworks become more effective and sustainable?

There are a number of strategies the financial industry can adopt to make IT compliance more cost-effective and viable.

First, a company should take steps to close the gaps between its IT operations and the wider business, to identify what is critical from an IT compliance perspective and what key assets it needs to protect. Put simply, if the core of your business is payment processing, strengthening the IT compliance of your payment services should be a priority. For this reason, there should be clear and regular communication between IT and the other key departments of the business. Otherwise the compliance strategy may fail to serve the company’s wider business goals.

More successful businesses are increasingly integrating IT compliance with unified company-wide programmes. By merging IT compliance across departments, companies are finding they can develop synergies and boost efficiency – as long as they have dedicated compliance management teams with their own resources to oversee everything. To this end, it’s imperative to employ staff with the necessary knowledge, skills and training.

Equally important is for companies to cultivate a strong culture around IT and data compliance. They need to formulate and communicate understandable principles that encourage employees to identify and manage emerging IT compliance risks proactively. These principles should be aimed at strengthening risk ownership of IT compliance among staff within the first line of defence, ensuring that compliance teams take full responsibility for their work.

Of course, handling IT compliance across the entire structure of an organisation can be a big job even for dedicated teams. That’s why companies are now turning to digital technologies in order to reduce the manual effort involved in identifying and developing compliance measures.

What role can IT play in improving the consistency and efficiency of compliance activities?

Before proceeding with any course of action, companies should first identify the business case for digitalising their IT compliance procedures. They need to determine where data analytics and automation capabilities are likely to have the biggest impact, and to devise a cost-effective programme for developing and implementing these capabilities.

While the specific application of IT and digital technologies will vary from company to company, there are various measures that will likely apply to most organisations. One is the use of data analytics, which can be harnessed to facilitate the identification of potential compliance issues where remediation may be necessary. Analytics can also be used regularly to better prevent and even predict non-compliant behaviour.

Along with analytics, automation capabilities are another key tool that can make IT compliance more efficient and comprehensive. Automation can help solve challenges such as creating and analysing complex audit trails, particularly when large quantities of data are involved.

What’s more, by automating approval mechanisms or building automated reporting, organisations can increase speed and security at the same time. For example, TD Ameritrade won a Data Company Award this year for automating its data-masking process across more than a dozen banking applications, which not only speeded up its regulatory compliance, but also reduced potential exposure in the event of a data breach.

Ultimately, the more that risk management and control frameworks are subject to automation, the greater an organisation’s ability to monitor and update its IT compliance on a continuous basis. By automating access revocation or system changes, companies will find that compliance becomes less of a struggle, and more of a route toward making their business more efficient and productive overall.