How Financial Institutions are Grappling with Compliance in the Modern Cloud Compute Era

Jan 2023 | Interview | Micheal Gerstner

Michael Gerstner

Sr. Consultant, Product Perfect

Senior Level Business Systems Analyst and Product Management Consultant with 20 years of developing large-scale and proprietary initiatives for the largest financial firms in the United States.

Where are the large financial institutions at right now?

Micheal Gerstner: 

They are in a state of legacy. They have been operating in their realm back since the '50s and '60s. One of those regulations is the Gramm-Leach-Bliley Act, and that states that financial institutions need to make sure they're harnessing their PII, need to make sure that they're keeping their consumers' data secure and that it doesn't fall into the wrong hands.

What are they doing about it? Are they stuck?

Micheal Gerstner: 

The CTOs these days really have a lot of trouble trying to make headway in today's environment. That environment is being driven by a lot of the governance that is being passed down by acts such as the Gramm-Leach-Bliley Act and the Dodd-Frank Act, which is overseen by the CFPB. And that bureau is very much trying to protect the consumers' data. However, it sort of pigeonholes a CTO in trying to get off of a mainframe.

And really, it's a combination of two key elements: technical debt, which is being on a mainframe, and secondly compliance. The latter is affected by the former. That is, being on the mainframe with all of its headaches is more than just a legacy cost and a tech-debt issue. It's also literally a compliance bomb just waiting to go off. The mainframe is not always storing data in ways that our laws or our compliance policies are happy with.

Surely there are internal folks who can help. All your key personnel, the "indispensables" we call them, those folks that have been there since the mainframe was originated, they know where all the bodies are buried. They know where the keys to the safe are. They have that intrinsic knowledge that you can't bring in from an outside party; you really only have that intellectual brain trust internally to the company. Who are the key people in the IT department that can help IT leadership put a plan together to solve the compliance and tech-debt issues?

Micheal Gerstner: 

Right. Exactly. Currently, 92% of financial companies are on mainframes. The worst part about that is that about 71% of those needed to be changed out decades ago. And they don't know what to do. And some of it is because they don't know how to handle the cost. They are sitting in a situation where they want to grow, they want to expand, have a seat at the table. All of that comes into play right back to: how do we fulfill our regulations? How do we not get fined? Because a large company like Bank of America that gets fined by the CFPB for a violation may be able to handle it. If a smaller institution gets fined by the CFPB, they may go completely under on their own. What is it that we can do to help their job be better, help them make it easier, and listen to what they had to say? And in doing that, we were able to drive the solution.

There are a lot of mortgage companies that have been on old, antiquated systems. They've been around for many, many, many years. And then there are some newcomers that have come into this space. One of the number one keys when it comes to loan origination software is being able to do two things: number one, being fast and efficient. And number two, being compliant. Usually being compliant also means you're accurate. So the data integrity result overlaps with the data compliance in most cases.

What are some of the unexpected developments in technology we’ve seen in the modern compute era? And how have traditional financial institutions reacted?

Micheal Gerstner: 

Besides the blockchain, of course, I think you could say the speed of change and velocity of impact. Things are moving in faster iterations now, especially with the advent of artificial intelligence tools like ChatGPT. Figuring out new algorithms for stock trading, building online banking systems, layer upon layer, these are things that we only talked about 10 or 15 years ago and now they're becoming mainstream. So I think it's unexpected in one sense, but I think it's also expected in another, because the technology enablement has always been a factor. Compliance is always difficult because you're always dealing with data and you're always dealing with insecure software or insecure networking challenges. Every time a company acquires another company you have an entire truckload of systems and servers that have to be reevaluated and locked down. Where is the data being stored? Who has access to that data? What applications are querying that database? How is the data lake configured? What snapshots of three-dimensional slices of data in that data warehouse are exposed to which customers and why? All of these questions have to be answered, and they have to be answered in a legal and accountable way. This is why you see chief data officers and chief financial officers resigning, because they just simply can't certify their databases and data footprints. And Congress has done their best to try to hold people accountable, and rightly so. But the challenge is enormous. So compliance is going to be one of those areas that we grapple with potentially for decades to come, and the best possible solution might be closer aligned with simplicity over complexity as a general philosophical principle. That is to say, for every one unit of complexity added to an overall IT footprint or infrastructure, it compounds and magnifies to potentially 5 to 10 units of complexity for every acquisition or merger that the company experiences. So things get complicated.

But that doesn't mean they have to be stuck in that mud. It just takes an extremely meticulous and strategic IT leadership team to thread the needle and find their way through the forest. Obviously, that's where consultants will help you, but not everyone is aware of or open-minded to outside help.

What compliance “lift” does the cloud bring with it automatically?

Micheal Gerstner: 

Well, you definitely get a lot of the encryption benefits and, depending on how you set it up, a lot of that is done for you if you just follow the prescribed path by one of the major cloud providers like Microsoft or AWS or Google. These companies offer a menu of services like infrastructure as a service, platform as a service, software as a service, etc., and have ways of packaging their offerings nicely so that it will help automate the compliance process a bit. But still, you're dealing with a computer and data and the internet, so there are just a billion ways it can start off in a great set of configurations and heavily locked down, and then with just a few turns of the right wrench, the entire infrastructure can be vulnerable again. So it's ongoing.

How evolving and changing are the regulatory requirements?

Micheal Gerstner: 

Right, so you definitely have some developments taking place in this area. Just a couple of years ago, we had the consumer privacy act in California called the CCPA. This law basically gave every California resident a handful of rights over their personal data, which put them in the driver's seat for a while until big tech sort of caught up with it. Well, they haven't fully caught up to it, but they're coming up with other ways of moving data around and staying compliant while still making money off of the data. But this law allowed users to demand what types of information are being captured and stored about them, and then they had the right to demand that any and all of it be deleted. So this was sort of a big deal regionally, but it hasn't transferred over to the federal government level yet. Congress has been mulling over this other data privacy law, called the privacy bill of rights, but no one's really sure if it's gonna pass or exactly what's going to be in it. But the market has definitely been put on notice, and so the whole fundamental aspect of a person's data being theirs to control is now almost within reach, I think.

Do big banks even have software and a tech footprint that is ready to shift into the cloud? 

Micheal Gerstner: 

Well actually, for the most part, yes. Many large banks do have a significant software and technology footprint, and some have already begun to shift software and operations into the cloud. But the process of migrating can be complicated and take years. A lot of banks may still be in the early stages of this transition or just trying to plan it, because it takes so long and has so many aspects that could be seen as a risk to the stability of their infrastructure. But they also have some old skeletons in the closet. Some of their software is very old, and really, it's just too dependent on some other random software or database that isn't very suitable for the cloud. So not everything likes going into the cloud. Some software will literally just not work at all when you try to migrate. It's a bit of a trial-and-error process for some applications.

I know there are probably more than a handful of laws, but what are the most difficult compliance laws that IT executives are facing right now?

Micheal Gerstner: 

Sure, so yes, there are really a number of compliance challenges that IT executives are facing at the moment, and all of them are daunting, to be honest. But the biggest ones are these data privacy regulations such as the GDPR and CCPA. With the amount of personal data being collected, stored, and shared by literally every single organization that makes its way into the top 5000 companies in the USA, it's becoming increasingly important for IT executives to ensure that their organization is compliant with these regulations and, of course, that this very personal data is being handled securely.

What about cybersecurity in these compliance conversations?

Micheal Gerstner: 

Yeah, that's a huge issue. It's a major concern around compliance because cybersecurity is universally existential. With these times we're living in, the growing number of cyber-attacks, our IT executive partners and friends really must ensure that their organization's data and systems are completely secure, and that they can deploy seasoned resources and specialized tools to make sure that they are in compliance with regulations like PCI and HIPAA and a few we've already covered. And cybersecurity in cloud computing is also becoming a compliance nightmare and it's becoming increasingly painful, partly expected because as more and more organizations are moving their data and applications to the cloud they just stumble their way through it. So these IT executives are in the driver's seat and fully on the hook. They have to spend, spend, spend to keep up and ensure compliance with regulations and standards that are written now much more specifically calibrated to cloud computing, which dovetail laws such as SOC 2, ISO 27001, and I think also something called FedRAMP. So yeah, keeping on that security thread, another area of concern is supply chain security. Ensuring the security of the supply chain is becoming a major concern for IT executives, particularly in light of recent high-profile breaches caused by some third-party vendors.

And what about artificial intelligence and compliance?

Micheal Gerstner: 

Yeah, I knew we would end up talking about this. You know, AI and ML are obviously becoming more widely adopted, and with ChatGPT completely blowing up, IT executives are soon going to have new compliance requirements and regulations around the use of these technologies. And actually, I think they will start referencing existing compliance laws like the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), because these already have language that points to the nuances of AI, and I don't think there's a really great argument to discredit the applicability there.

What court cases stand out to you around compliance?

Micheal Gerstner: 

Sure, so as I recall there have been a number of high-profile cases in recent years. One of the most notable ones was the Facebook Cambridge Analytica scandal, where Facebook was basically accused of complete negligence and mishandling user data and allowing it to be used for political advertising. I think they ended up settling with the Federal Trade Commission for something around $5 billion, but I could be wrong.

Another one I remember was the Google Street View case, where Google was accused of collecting personal data from unsecured wireless networks while they were collecting images for their Street View feature. They ended up settling with the Federal Communications Commission for, I don't know, maybe $10 to $13 million.

So it's these types of payouts that send a signal or a reminder that tech companies, and really all companies, need to be even more responsible and vigilant about how they handle personal data, and be, though they may not want to be, far more transparent about their practices. The federal and European regulators are trying to create a culture of agents and investigators that take data privacy seriously, and organizations can be heavily fined for non-compliance.
