Jan 2023 | Interview | Micheal Gerstner
They are in a state of legacy. They have been operating in their realm back since the '50s and '60s. One of those regulations is the Gramm-Leach-Bliley Act, and that's stated that financial institutions need to make sure they're harnessing their PII, need to make sure that they're keeping their consumer's data secure and that it doesn't fall into the wrong hands.
The CTOs these days really have a lot of trouble trying to make headway in today's environment. That environment is being driven by a lot of the governances that are being passed down by acts such as the Gramm-Leach-Bliley Act, the Dodd Frank Act that is being overseen by the CFPB. And that bureau is very much trying to protect the consumers' data. However, it sort of pigeonholes a CTO in trying to get off of a mainframe.
And really, it's a combination of 2 key elements: technical debt - being on a mainframe - and secondly it's compliance. The latter affected by the former. That is - being on the mainframe with all of its headaches is more than just a legacy cost and a tech debt issue. It's also literally a compliance bomb just waiting to go off. The mainframe is not always storing data in ways that our laws or our compliance policies are happy with.
Right. Exactly. Currently, 92% of financial companies are on mainframes. The worst part about that is about 71% of those needed to be changed out decades ago. And they don't know what to do. And some of it is because they don't know how to handle it in cost. They are sitting in a situation that they want to grow, they want to expand, have a seat at the table. All of that comes into play right back to, how do we fill our regulations? How do we not get fined? Because to a large company, like Bank of America, who may get fined by the CFPB for a violation, maybe able to handle it. A smaller institution gets a fined by the CFPB, they may go completely under their own. What is it that we can do to help their job be better, help them make it easier, and listen to what they had to say? And in doing that, we were able to drive the solution.
There are a lot of mortgage companies that have been on old antiquated systems. They've been around for many, many, many years. And then there's some newcomers that have come into this space. One of the number one keys when it comes to the loan origination software and understanding is being able to really do one of two things: number one, being fast and efficient. And number two, being compliant. Usually being compliant also means you're accurate. So the data integrity result is overlapped with the data compliance in most cases.
Besides, for the Blockchain, of course, I think you could say the speed of change and velocity of impact. Things are moving in faster, iterations now, especially with the advent of artificial intelligence tools like chatGPT. Figuring out new algorithms for stock trading, building online banking systems, layer upon layer, these are things that we only talked about 10 or 15 years ago and now they’re becoming mainstream. So I think it’s unexpected in one sense, but I think it’s also expected in another, because the technology enablement has always been a factor. Compliance is always difficult because you’re always dealing with data and you’re always dealing with insecure software or insecure networking challenges. Every time a company requires another company you have an entire truckload of systems and servers that have to be reevaluated and locked down. Where is the data being stored? Who has access to that data? What applications are quiring that database? How is the data leak configured? What snapshots of three dimensional slices of data in that data warehouse are exposed to which customers and why? All of these questions have to be answered, and they have to be answered in a legal and accountable way. This is why you see chief data officers and chief financial officers resigning, because they just simply can’t certify their databases and data footprints. And Congress has done their best to try to hold people, accountable, and rightly so… But the challenge is enormous. So compliance is going to be one of those areas that we grapple with potentially for decades to come, and the best possible solution might be closer aligned with simplicity over complexity as a general philosophical principle. That is to say, for every one unit of complexity, added to an overall IT footprint, or infrastructure, it compounds and magnifies to potentially 5 to 10 units of complexity for every acquisition or merger that the company experiences. So things get complicated. But that doesn’t mean they have to be stuck in that mud. It just takes an extremely meticulous and strategic IT leadership team, to thread the needle and find their way through the forest. Obviously, that’s where consultants will help you, but not everyone is aware or open minded to outside help.
Well, you definitely get a lot of the encryption benefits and depending on how you set it up, a lot of that is done for you if you just follow the prescribed path by one of the major cloud providers like Microsoft or AWS or Google. These companies offer a menu of services like infrastructure as a service, platform as a service, software as a service, etc., and have ways of packaging their offerings nicely so that will help automate the compliance process a bit. But still, you’re dealing with a computer and data and the internet, so there’s just a billion ways it can start off in a great set of configurations and heavily locked down, and then with just a few turns of the right wrench, the entire infrastructure can be vulnerable again. So it’s ongoing.
Right so you definitely have some developments taking place in this area. Just a couple of years ago, we had the consumer privacy act in California called the CCPA. This law basically gave every California resident a handful of rights over their personal data, which put them in the driver seat for a while until big tech sort of caught up with it. Well, they haven’t fully caught up to it, but they’re coming up with other ways of moving date around and staying compliant while still making money off of the data. But this law allowed users to demand what types of information is being captured, and stored about them, and then they had the right to demand that any, and all of it can be deleted. So this was sort of a big deal regionally, but it hasn’t transferred over to the federal government level yet. Congress has been mulling over this other data privacy law, called the privacy bill of rights, but no one‘s really sure if it’s gonna pass or exactly what’s going to be in it. But the market is definitely been put on notice, and so the whole fundamental aspect of a persons data being theirs to control is now almost within reach I think.
Well actually, for the most part, yes. Many large banks do have a significant software and technology footprint, and some have already begun to shift software and operations into the cloud. But the process of migrating can be complicated and take years. A lot of banks may still be in the early stages of this transition or just trying to plan it because it takes so long and has so many aspects that could be seen as a risk to stability for their infrastructure. But they also have some old skeletons in the closet. Some of their software is very old, and really, it’s just - too dependent on some other random software or database that isn’t very suitable for the cloud. So not everything likes going into the cloud. Some software will literally just not work at all when you try to migrate. It’s a bit of a trial and error process for some applications.
Sure, so yes - there are really a number of compliance challenges that IT executives are facing at the moment, and all of them are daunting to be honest. But the biggest ones are these data privacy regulations such as the GDPR and CCPA. With the amount of personal data being collected, stored, and shared by literally every single organization that makes its way into the top 5000 companies in the USA, it's becoming increasingly important for IT executives to ensure that their organization is compliant with these regulations and of course that this very personal data is being handled securely.
Ya that’s a huge issue. It’s a major concern around compliance because cybersecurity is universally existential. With these times we’re living in, the growing number of cyber-attacks, our IT executive partners and friends really must ensure that their organization's data and systems are completely secure, and that they can deploy seasoned resources and specialized tools to make sure that they are in compliance with regulations like PCI and HIPAA and a few we’ve already covered. And cybersecurity in cloud computing is also becoming a compliance nightmare and it’s becoming increasingly painful- partly expected because as more and more organizations are moving their data and applications to the cloud they just stumble their way through it. So these IT executives are in the driver's seat and fully on the hook. They have to spend spend spend to keep up and ensure compliance with regulations and standards that are written now much more specifically calibrated to cloud computing, which dovetail laws such as SOC 2, ISO 27001, and I think also something called FedRAMP. So ya keeping on that security thread, another area of concern is supply chain security. Ensuring the security of the supply chain is becoming a major concern for IT executives, particularly in light of recent high-profile breaches caused by some third-party vendors.
Ya I knew we would end up talking about this. You know, AI and ML are obviously becoming more widely adopted, with ChatGPT completely blowing up, IT executives are going to soon have new compliance requirements regulations around the use of these technologies. And actually, I think they will start referencing existing compliance laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), because these already have language that points to the nuances of AI, and I don’t think there’s a really great argument to discredit the applicability there.
Sure, so as I recall there have been a number of high-profile cases in recent years. One of the most notable ones was the Facebook Cambridge Analytica scandal where Facebook was basically accused of complete negligence and mishandling user data and allowing it to be used for political advertising. I think they ended up settling with the Federal Trade Commission for something around $5 billion but could be wrong.
Another one I remember was Google Street View case where Google was accused of collecting personal data from unsecured wireless networks while they were collecting images for their Street View feature. They ended up settling with the Federal Communications Commission for between I don’t know maybe $10 to $13 million.
So it’s these types of payouts that send a signal or a reminder that tech companies - and really all companies - need to be even more responsible and vigilant about how they handle personal data, and be, though they may not want to be, far more transparent about their practices. The federal and European regulators are trying to create a culture of agents and investigators that are taking data privacy seriously and organizations can be heavily fined for non-compliance.
Engaging discussions with our consultants, partners, and clients on key industry trends and developments.
Modernization and the psychological barriers for C-level executives
Jan, 2023 | Interview| Shawn Livermore
How Financial Institutions are Grappling with Compliance in the Modern Cloud Compute Era
Jan 2023 | Interview | Micheal Gerstner
Senior consultants with previous experience with these types of projects can set the stage for a well-framed engagement.
A focused session on your specific software applications, platforms, or projects. Typically this includes technical resources from both sides.