Rules for fintechs using the cloud
Moving operations to the cloud brings fintechs and banks under a new set of regulations and compliance obligations. From data-residency and data-structuring requirements to cybersecurity controls, product and operations teams have to balance a range of priorities across the design, development and implementation stages.
Cybersecurity
Server management is not a fintech's or a bank's core competency. Everything from the physical security of a data center to the care and feeding of storage hardware is an operational distraction when it is run in-house rather than a source of advantage.
Migrating to the cloud does hand a range of these responsibilities to a specialized provider, but it does not remove the customer's own obligations. Under the shared-responsibility model the provider secures the physical plant, the hypervisor and the underlying services, while the customer remains accountable for how those services are configured, who can reach them, and how the data inside them is protected. Fintechs and banks, in conjunction with their cloud provider, therefore still have to maintain stringent security practices of their own.
For one, teams have to ensure that their configurations are secure. “Common misconfigurations vary but may include: publicly exposed cloud data and resources, unrestricted access to outbound/inbound traffic, or data encryption not being applied. Misconfigurations can result from anything from low awareness of security responsibilities to lack of proper controls and oversight to simple insider negligence and speak to the need for well-designed policies, layers of security controls and mechanisms for monitoring potential breaches,” according to FINRA’s white paper on cloud computing for the securities industry.
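The three misconfiguration classes FINRA names (public exposure, unrestricted inbound or outbound traffic, and missing encryption) are the kind of thing a team can check mechanically against an inventory export before each deployment. The example below is an added illustration, not code from the original page, FINRA or any cloud provider: the inventory records and their field names are constructed for this example and do not follow a real provider's API schema, and the `allowed_public_ports` allow list is an assumed policy that treats a world-open HTTPS listener as intentional while flagging a world-open database port.

```python
"""Flag the misconfiguration classes FINRA lists: publicly exposed
resources, unrestricted inbound/outbound traffic, and data not encrypted.

Added example. The inventory format below is constructed for this
illustration and is not a real cloud provider's API schema."""
import ipaddress

# Constructed sample export; every field name here is an assumption.
INVENTORY = [
    {"type": "object_store", "name": "customer-statements",
     "public_access_blocked": False, "encryption_at_rest": None},
    {"type": "object_store", "name": "audit-logs",
     "public_access_blocked": True, "encryption_at_rest": "AES256"},
    {"type": "security_group", "name": "db-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 5432, "to_port": 5432}],
     "egress": [{"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}]},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}],
     "egress": [{"cidr": "10.0.0.0/8", "from_port": 8443, "to_port": 8443}]},
    {"type": "security_group", "name": "app-sg",
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 443, "to_port": 443}],
     "egress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    {"type": "database", "name": "ledger-db",
     "publicly_accessible": True, "storage_encrypted": False},
]


def is_world_open(cidr: str) -> bool:
    """True if the CIDR admits any address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_resource(res: dict, allowed_public_ports=frozenset({80, 443})) -> list:
    """Return the finding codes that apply to a single resource.

    allowed_public_ports is an assumed policy: world-open ingress is
    tolerated only if every port in the rule's range is on this list."""
    findings = []
    kind = res["type"]
    if kind == "object_store":
        if not res.get("public_access_blocked", False):
            findings.append("PUBLIC_EXPOSURE")
        if not res.get("encryption_at_rest"):
            findings.append("NO_ENCRYPTION")
    elif kind == "database":
        if res.get("publicly_accessible", False):
            findings.append("PUBLIC_EXPOSURE")
        if not res.get("storage_encrypted", False):
            findings.append("NO_ENCRYPTION")
    elif kind == "security_group":
        for rule in res.get("ingress", []):
            if is_world_open(rule["cidr"]):
                ports = set(range(rule["from_port"], rule["to_port"] + 1))
                if not ports <= allowed_public_ports:
                    findings.append("UNRESTRICTED_INGRESS")
                    break
        if any(is_world_open(rule["cidr"]) for rule in res.get("egress", [])):
            findings.append("UNRESTRICTED_EGRESS")
    return findings


def audit(inventory: list) -> dict:
    """Map resource name -> finding codes, omitting resources with none."""
    results = {}
    for res in inventory:
        codes = check_resource(res)
        if codes:
            results[res["name"]] = codes
    return results


if __name__ == "__main__":
    for name, codes in audit(INVENTORY).items():
        print(f"{name}: {', '.join(codes)}")
```

Run against the constructed inventory, the check reports the unencrypted, publicly readable statements bucket, the database security group that accepts connections from anywhere and allows unrestricted egress, and the publicly reachable, unencrypted database, while leaving the locked-down log bucket, the internal application group and the public HTTPS front end alone. In practice the allow list and the encryption requirement would come from a written policy, which is the point FINRA makes: the tooling only enforces decisions that have already been made.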
Access controls matter as well. Multi-factor authentication for staff and customer logins, strong client authentication for APIs and other integrations, and role-based permissions that grant only what a user or service needs are the basic tools for preventing account takeovers and fraudulent activity.
Data privacy
Fintechs and banks moving to the cloud have to remain compliant with the data privacy rules of every industry and jurisdiction they operate in, such as the EU’s GDPR. Relevant US entities are also subject to the SEC’s Regulation S-P, which requires covered firms to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."
Changes to computing and data storage processes may also compel fintechs and banks to update their vendor agreements or replace vendors outright to stay compliant while using the new technology.
Compliance in name
Moving to the cloud requires that fintechs maintain compliance with major standards such as PCI DSS and ISO/IEC 27001 (the 2013 edition cited by many firms has since been superseded by the 2022 revision). Customers are unlikely to treat compliance with these standards as a differentiator, since it is a baseline expectation for fintechs and banks, but foregrounding it alongside a modern technology stack can be a useful recruitment tool for hiring cutting-edge engineers and operations staff.