Banking and financial services are undoubtedly among the most heavily regulated sectors to work in, and for good reason. Companies in these sectors frequently handle the data of millions of consumers, not to mention businesses and even governments. From the Second Payment Services Directive (PSD2) and the even newer EU General Data Protection Regulation (GDPR) to the Financial Services and Markets Act 2000 (FSMA) and the Payment Card Industry Data Security Standard (PCI DSS), there are many rules, regulations and directives with which organisations must comply. Some of them even appear to contradict one another.
The key to compliance generally lies in a mixture of procedures, policies and data management, which in almost all cases can be improved and simplified by the application of technology. Below are some guidelines which will help.
Leave data on the mainframe
PSD2, the EU directive behind “open banking”, requires banks to make some of their customer data available, with the customer's explicit consent, to authorised third-party providers. The legislation stipulates that payment account transaction and balance data, credit transfer initiation and account identity verification data must be made available to those third parties. Sharing data, however, is difficult to do without compromising its security or integrity.
Transferring data from mainframes, which are used by the majority of banks, to either the cloud or a new digital server is fraught with risk, as TSB recently found out when migrating to a new system. As one IT professional from Lloyds pointed out in the wake of the TSB crisis, “the level of care required to migrate a bank onto different systems is perhaps almost uneconomic to perform in a way that keeps the risk small enough.”
By using APIs instead, modern digital applications can run using existing mainframe databases, while also ensuring that the data can remain in place, where it can be secured at source. APIs are already used to connect mobile and online banking services to a variety of customer databases and can be applied in a similar fashion to enable third parties to access information in accordance with PSD2.
Another option is using data virtualisation tools. These tools enable the analysis of data “virtually,” while leaving the original records undisturbed in the database. They can also pull data out of “green screen” terminal-based applications that expose no database API, by automating the terminal session in the same way an operator would query it, and encrypting the data in transit as it moves to the new system. One caveat: data extracted this way has left the system of record, so the copy needs the same access controls, monitoring and retention rules as the original.
This approach also addresses many of the issues thrown up by the EU GDPR, which insists on the privacy and protection of personal information – a requirement that at first glance appears to be in direct contradiction with PSD2. By keeping only one version of each record on a database and avoiding duplication, it is much easier for banks to ensure the security of customer information. It also simplifies the process of deletion if a customer chooses to exercise their GDPR “right to be forgotten” (the Article 17 right to erasure), because there are no stray copies to track down.
Finally, keeping data on the mainframe helps with compliance with the element of the GDPR (the Article 30 records of processing) stipulating that banks must keep detailed records of which third parties they share customer data with and why. Banks must complete full audits of their Open Banking practices, a lengthy and costly process, especially given that most organisations already spend 20 to 30 per cent of their IT budgets on audit reporting and preparation. By keeping the data in place and creating a secure gateway through which third parties can access it, with every access logged at that single choke point, banks can remain compliant with both PSD2 and the EU GDPR.
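To make the “secure gateway” concrete, here is an added example of the read path such a gateway enforces: the third party is checked against a registry, the request is checked against a consent that names the account, the permitted scopes and an expiry, only the fields allow-listed for that scope leave the system of record, and every attempt (granted or denied) is written to an access record that answers the GDPR question of who received what and why. This is illustrative code written for this article, not code from the original page or from Rocket Software. The in-memory `ACCOUNTS` dict is a constructed stand-in for the mainframe database, the scope names, the `tpp_id` values, the registry and the consent records are assumptions, and a real deployment would sit this logic behind mutual TLS and PSD2-style strong customer authentication.

```python
"""Consent-scoped gateway in front of a system of record (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed stand-in for the bank's system of record. The gateway reads it in
# place and never copies whole records anywhere.
ACCOUNT_ID = "GB29NWBK60161331926819"  # well-known example IBAN, not a real account
ACCOUNTS: Dict[str, dict] = {
    ACCOUNT_ID: {
        "holder": "A. Example",
        "balance": "1523.40",
        "currency": "GBP",
        "transactions": [
            {"date": "2018-06-01", "amount": "-42.10", "counterparty": "Coffee Co"},
            {"date": "2018-06-03", "amount": "1500.00", "counterparty": "Employer Ltd"},
        ],
        "date_of_birth": "1980-01-01",  # never allow-listed for any PSD2 scope
        "internal_risk_score": 17,      # never allow-listed for any PSD2 scope
    }
}

# Assumed scope names, loosely mirroring the data classes PSD2 opens up.
# The gateway projects records through this allow-list; anything not named
# for the scope stays on the mainframe.
SCOPE_FIELDS: Dict[str, FrozenSet[str]] = {
    "accounts.balance": frozenset({"balance", "currency"}),
    "accounts.transactions": frozenset({"transactions"}),
    "accounts.identity": frozenset({"holder"}),
}

FIXED_NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible demo


@dataclass(frozen=True)
class Consent:
    tpp_id: str              # third-party provider the customer consented to
    account: str
    scopes: FrozenSet[str]   # which SCOPE_FIELDS keys this consent covers
    expires: datetime        # consent is time-bound and lapses by default


@dataclass(frozen=True)
class AccessRecord:
    """One line of the Article 30-style log: who asked for what, when, and why."""
    when: datetime
    tpp_id: str
    account: str
    scope: str
    granted: bool
    purpose: str


class Gateway:
    def __init__(self, records: Dict[str, dict], registry: Dict[str, str],
                 clock: Callable[[], datetime]):
        self._records = records      # system of record, read in place
        self._registry = registry    # tpp_id -> purpose declared when the TPP registered (assumed)
        self._clock = clock
        self._consents: List[Consent] = []
        self.audit: List[AccessRecord] = []

    def grant(self, consent: Consent) -> None:
        self._consents.append(consent)

    def revoke(self, tpp_id: str, account: str) -> None:
        """Customer withdraws consent: the TPP loses access immediately."""
        self._consents = [c for c in self._consents
                          if not (c.tpp_id == tpp_id and c.account == account)]

    def read(self, tpp_id: str, account: str, scope: str) -> dict:
        if scope not in SCOPE_FIELDS:
            raise ValueError(f"unknown scope {scope!r}")
        now = self._clock()
        ok = tpp_id in self._registry and any(
            c.tpp_id == tpp_id and c.account == account
            and scope in c.scopes and c.expires > now
            for c in self._consents)
        # Denials are logged too: a denied request is still an event an auditor wants to see.
        self.audit.append(AccessRecord(now, tpp_id, account, scope, ok,
                                       self._registry.get(tpp_id, "unregistered")))
        if not ok:
            raise PermissionError(f"{tpp_id} has no valid consent for {scope} on {account}")
        record = self._records[account]
        return {k: record[k] for k in SCOPE_FIELDS[scope]}  # allow-list projection only

    def shares_for(self, account: str) -> List[Tuple[str, str, str, str]]:
        """Answer 'which third parties received this customer's data, and why'."""
        return [(r.when.isoformat(), r.tpp_id, r.scope, r.purpose)
                for r in self.audit if r.account == account and r.granted]


def is_denied(gw: Gateway, tpp_id: str, account: str, scope: str) -> bool:
    try:
        gw.read(tpp_id, account, scope)
    except PermissionError:
        return True
    return False


def build_gateway(now: datetime = FIXED_NOW) -> Gateway:
    """Gateway with one registered TPP holding a 90-day consent for balance and transactions."""
    gw = Gateway(ACCOUNTS, {"fintech-a": "account aggregation for a budgeting app"}, lambda: now)
    gw.grant(Consent("fintech-a", ACCOUNT_ID,
                     frozenset({"accounts.balance", "accounts.transactions"}),
                     FIXED_NOW + timedelta(days=90)))
    return gw


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.read("fintech-a", ACCOUNT_ID, "accounts.balance"))
    print(is_denied(gw, "fintech-a", ACCOUNT_ID, "accounts.identity"))
    print(gw.shares_for(ACCOUNT_ID))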
Automate to stay great
Any organisations handling credit or debit card data have to comply with the PCI DSS. PCI DSS states (opens in new tab) that the development of internal and external software applications, must be completely secure, based on industry standards and best practices. In the fast-moving financial services sector, new software applications, or significant upgrades to existing ones, are taking place constantly. Financial sector organisations handling card data must therefore incorporate security measures throughout the software development lifecycle and ensure that this is documented fully in order to satisfy auditors. Any changes to software that handles user IDs, passwords and other personal information must be treated with particular care.
Once again, technology is the answer to this compliance headache. Application development can now be automated by application lifecycle management (ALM) systems. These programmes systematically record and document all actions taken by developers, including when and why these actions were taken. This makes life much easier for auditors, as all records are automated, kept in one secure location and saved in the same format. ALM automation therefore results in faster - and cheaper - audits. Some banks have even found that once auditors are told that they’ve implemented ALM automation, they can quickly tick things off their list and avoid further investigation of systems.
There are other benefits, too
Naturally investing in new technologies will have other benefits. The Financial Times (opens in new tab) stated recently that a new wave of M&As has hit the banking world, with the chief reason being that banks are ‘crying out’ for technology investment. Automating your ALM system will make it easier in a merger, as it’ll make future application development easier to control, provide you with visibility, and make banks more agile.
Not only this, but with Fintech companies beginning to profit from access to customer data under PSD2, banks must innovate quickly and develop competitive digital products. This is why the Competition and Markets Authority introduced PSD2 in the first place.
With ALM automation, developers no longer need to spend time filling out these tedious reports of their daily activities; instead these reports are generated automatically. Removing these administrative distractions results in a more efficient development team – this can reduce the time spent by developers doing non-development, administrative tasks by up to 80 per cent. As ALM systems store all records on a shared digital database, everyone is kept informed of any changes that have been made to a project, reducing the likelihood of errors, bugs and product failures; this ensure that the principle of “least privilege” is followed, providing access only when an individual absolutely needs it and revoking it by default after a set period of time.
Overall, they allow a bank to stay competitive through freeing up their developers, while also having systems that help comply with PSD2, PCI DSS and GDPR – all while keeping their auditing and administrative costs to a minimum.
Avoid that compliance headache
In many ways, banks still have a long way to go before they can ensure compliance with this long list of stringent regulations. GDPR and PSD2 are still two very new pieces of legislation and it may take a while before the world of financial services finds its feet with them. However, existing technology is the key that will bridge the gap, not only between banks and the auditors and regulators, but also with customers. As IBM stated last year, trust (opens in new tab) is the currency of the new digital economy; and if banks make sure they’re putting in place solutions which help them stay compliant, regulators and customers alike can rest easy.
Guy Tweedale is regional VP at Rocket Software
Image source: Shutterstock/MaximP