Principles of compliance in the financial services industry
Compliance in financial services can appear a staggeringly complex web of laws and regulations, but some key principles apply, says Mathieu Gorge of Vigitrust
The financial services sector is subject to multiple and complex legal and regulatory compliance requirements that span international boundaries - all of which have implications for storage, backup and the security and integrity of data.
So, what are the key principles that guide compliance in the financial sector?
In this podcast interview, Computer Weekly storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about the type of regulations that affect the industry, the key principles of data retention in the financial sector and the implications for storage and backup.
Computer Weekly: What compliance requirements does the financial industry face?
Mathieu Gorge: The financial services industry is, unfortunately, subject to one of the most complex regulatory environments that applies to businesses worldwide. The best way to look at it is to try and look at the type of regulations and industry standards that apply, and the type of regulations that apply per territory.
What I mean by that is, if you look at the fact that financial services is regulated for anti-money laundering with European directives and international directives, and the same for fraud; if you then consider MIFID, SEPA (Single Euro Payments Area), ISAE3402 and industry standards like PCI-DSS, local regulations in the UK like the Data Protection Act, and the regulation from the FSA around maintaining proper records and potentially keeping them for a certain amount of time, you can already see that it’s becoming quite complex.
If you then look at the fact that we live in a global economy and you consider the provisions of data protection for transfer of data outside the EU, within the EU, from the EU to the US and from the EU to other territories you can see that it’s getting quite complex.
So, the risks we are trying to address stem from lessons learned from financial failures over the last eight to 10 years.
And what we’re trying to achieve here, for the financial industry’s systems of compliance, is that the right controls are in place; that there’s a formal report on the design, implementation and effectiveness of those controls to protect the data; but also that you retain the right data securely, so that if there’s a problem, or if a specific problem needs to be investigated, you can go back to that data and make sure the data is accurate, has been kept the right way, hasn’t been tampered with, and you can analyse it.
Finally, one of the other key challenges for compliance requirements in the financial industry is the fact that there’s a lack of understanding, awareness and commitment from C-level folk and board levels, including non-executive directors, as to their compliance obligations.
So, the market needs to educate them and one of the key things to do here is to link the long-term impact of non-compliance with the impact of the overall profit and loss of the financial services organisation, both in terms of short-term consequences but also the three-to-five year outlook.
CW: What are the implications of these issues for storage and backup?
Gorge: So, if we zoom in on storage and backup and we go back to trying to maintain the confidentiality, integrity and availability of the financial services data, the first thing to make sure is that you can map out your ecosystem and the data that is flowing from one business entity to the other, either within the financial services organisation you’re part of or in a wider ecosystem.
If you look at retaining data in particular, which is a requirement under the Data Protection Act and the FCA in the UK, you are asked to be able to classify your data, to identify what could be a risk to individuals if that data was to get out, to map that data and to protect it.
Best practice in the industry is to provide strong authentication that allows you to identify anybody that performs a transaction so that you can say at any given time, “Yes, it was X that authorised that financial services transaction on our systems on 27 May 2014 and we know that because he authenticated using two-factor authentication and we can trace it back.”
Once the data is in the systems we need to make sure it is stored for the right amount of time on the right security credentials.
That’s where encryption comes in. So, encryption of data at rest is really important but equally encryption of data in use is where the market is going for financial services.
And that’s very important in terms of making sure that when you access data that’s been stored to perform an e-discovery request, for example, you need to make sure that that transaction is encrypted and fully traceable with strong authentication.
So, the key thing is data classification, data encryption, authentication of users and from the backup perspective making sure you apply third-party assurance to whichever party is managing your backup, as most of the backup is now done in the cloud.
So, the same test of operations effectiveness that you perform for your own network needs to be performed on the cloud provider to make sure that the control considerations are kept at the same level.
And really this is intended to be able to prove that if there is an independent investigation you have retained the right data at the right time and protected it the right way so you can access it for compliance reasons very quickly, cost effectively and without jeopardising the security of that data.