The last 18 years have seen financial institutions (FIs) create and deploy money laundering detection and prevention defences in response to regulatory demands. The means by which FIs achieve this have stayed the same for decades: an institution goes to the market, scans providers with suitable solutions, selects and purchases one, deploys it on on-premises infrastructure and then runs it. This strategy works well and has allowed many FIs to comply successfully with regulations.
Although this approach works, it is not perfect, leaving some institutions out of compliance, limited in their ability to detect and vulnerable to penalties. A key limitation is the deployment to on-premises infrastructure. FIs have to buy the hardware, mobilise an information technology (IT) team to set it up, deploy the software and monitor the correct execution of the solution on a daily basis. This involves setting up a service desk to resolve level 1 user issues and maintaining support contracts with every vendor involved in the infrastructure (database, application server and so on) in order to get bugs corrected or questions answered.
All those activities and their associated costs are purely IT-related and have nothing to do with the core compliance activities of FIs; they truly are a support function. Yet there are still solid reasons to stick with tradition and keep the existing target operating model (TOM). The sensitivity of the data processed, the criticality of compliance activities and the risk of fines if changes go wrong all represent strong incentives to maintain control with an on-premises solution, or at least they did until recent years.
Now the pace has picked up, and the last two years have seen significant change that should give FIs reason to take a fresh look at their model. A key change is the emergence of mature public cloud providers with enhanced offerings that provide an opportunity for FIs to move from an on-premises compliance platform installation to software as a service (SaaS) hosted in a public cloud environment.
As has happened with other, less critical applications, the benefits of moving to the cloud are starting to outweigh the potential drawbacks. For most institutions the cost of failure of a compliance solution is far more severe and far-reaching than webpage downtime or the loss of web-chat customer services, yet other factors are conspiring to change the equation significantly in favour of the cloud.
An important change is coming from FIs themselves as they accelerate their global digital transformation. An example of this is an IT office able to deliver new services to the business in an agile manner and on a continuous basis. Compliance was initially shielded from the need for agility, as regulations evolved slowly. Over recent years there has been both an increase in the number of relevant laws, such as the Fourth AML Directive, the General Data Protection Regulation (GDPR) and the Fifth AML Directive (implementation deadline approaching), and rapid policy and regulation changes, for example countries being placed on or removed from sanctions lists on a more regular basis. This rapid change has created the need to improve time to market (TTM) for tools and, as such, the ability to quickly deploy a change into production has become a critical need for FIs.
The end-to-end process of deploying a change requested by the business into production is often the bottleneck to the agility expected. Public cloud providers have optimised those processes to the extreme, as it is their core business. In addition, by moving to the cloud, FIs offshore the complexity of this process and place the responsibility for its success with the provider.
The increasing volumes of financial transactions require constant adjustment of the size of the compliance platform infrastructure, sometimes just to handle a few moments of peak seasonal demand, such as Christmas. A distributed architecture allows for scalable infrastructure, meaning that when capacity is unused by one solution it can be allocated to others. However, to ensure such scalability there needs to be an extremely high number of servers and a solution optimised for them as well. This is perfectly possible for well-resourced FIs, but it requires substantial IT investment. To ensure high availability and performance of the compliance solution, the IT office has no choice but to size the infrastructure for the peaks, leading to an infrastructure that is oversized 90 percent of the time. As a result, the direct impact of these new volumes is a direct increase in IT costs, with little opportunity to optimise without impacting the quality of service.
Cloud providers have two competitive advantages over any FI's IT office:
- They have farms of servers, all built on a fully scalable architecture, which gives them the capability to reallocate unused infrastructure to a different customer; as a result, there is no leakage due to peak activities.
- Given the number of servers, they are able to pool both teams and procurement and, as such, greatly reduce the total cost of ownership for a similar infrastructure.
Coupled with a “per usage” pricing model, where FIs pay for servers only when they are actually using them, cloud providers are in a position to propose an extremely competitive price to FIs for hosting their compliance solution. That also changes the category of costs, moving from capital expenditure (on-premises installation) to operating expenditure (when using a cloud provider). Used the right way, this difference will benefit most companies.
It is recognised that the key asset of FIs is data, and that this is a competitive advantage over their competitors. Therefore, they have always been extremely cautious in handling and disclosing it. For years, the initial reaction was to keep data on-premises (inside the walls of the company), a fair position. Public cloud providers struggled to overcome this mindset because they were opaque and did not communicate the geography of their data centres to European customers. This made it difficult to build trust or even to guarantee compliance with local regulations that do not allow data to leave the country. Yet in the last few years, public cloud providers have made great progress on this and now provide a clear view of their servers' availability, zone and location. They keep extending this offer and take the same into consideration when defining new availability zones.
Also, many large companies worldwide (not only FIs) have suffered data breaches over recent years, resulting in reputational damage. None of the public cloud providers has ever suffered such a data breach, which for them could be a company-killer. It is in the interest of cloud providers to take every measure to ensure this does not happen.
In addition, a company faces multiple intrusion scenarios against which it must protect itself, such as an intrusion directly from the network or an intrusion from an external site. For each identified risk, the company has to provide a different secure access mechanism, such as a virtual private network or a reverse proxy, which multiplies the cost and complexity of maintaining a strong and resilient security policy. With a cloud provider, this burden is offshored to the provider. Beyond data breach risk, a company also needs to protect itself from natural disasters and similar events. That means setting up a disaster recovery plan with a recovery time objective and a recovery point objective, which also requires investment to ensure an efficient recovery. This is part of the core offering of a public cloud provider.
In other regions, such as Asia and Oceania, where data regulation has been much more flexible over the years, several FIs have already moved successfully to a SaaS approach. For example, they are using a full compliance solution, including transaction monitoring, sanctions and politically exposed persons (PEPs) screening, and customer risk rating, in SaaS mode hosted by a well-known public cloud provider. This is working effectively and none of them is considering turning back to on-premises hosted solutions.
In the specific context of Europe, given the much stricter regulation on data privacy highlighted by the enforcement of GDPR in May 2018, FIs have been more cautious, even in deploying cloud solutions for non-critical activities outside the compliance department.
FIs are at a turning point in the market. While the red flags are progressively being removed, FIs are now taking a closer look at the massive benefits they would receive from moving their compliance platform to a cloud environment. These benefits include reduced IT costs, increased agility and faster TTM, and reduced IT complexity, allowing them to focus on their core business. For the last five years, whether a compliance solution was cloud compatible was a tick-in-the-box question. Now FIs are diving deep into how they could deploy their compliance platforms in cloud environments. In an ever more competitive environment that demands process optimisation and cost reduction, moving to the cloud is the next step to consider.