Compliance in the Financial Sector: Driving Transformational Change From the Inside Out
It’s no secret that dealing with compliance is becoming more complex and costly. In 2013, Thomson Reuters reported that there were 110 new regulatory announcements every day. The figure wasn’t broken down by sector, but from conversations with our customers we know that many of these changes have a direct impact on global financial institutions.
The speed and sheer number of new regulations mean that banks and other financial firms without a process for absorbing regulatory change can be forced into drastic action. In some cases a merger or acquisition is the only way forward; in others, selling off business units is the only way to escape requirements the firm cannot afford to meet.
In its 2015 report Evolving Banking Regulation, KPMG argues that wholesale transformational change is required in the financial sector. They state: “…firms must move towards an integrated and strategic approach, and develop an operating model for regulatory change that will centrally drive the key changes and tactical activities across their business units and geographical locations.” This is easier said than done, but it is not impossible, particularly if you have a solution that lets you manage, implement and enforce key regulatory changes centrally.
Consider one aspect of compliance that cuts across the whole organization: safeguarding data and ensuring that access control matches what the regulations require. This is where Attribute Based Access Control (ABAC) comes into play. An ABAC approach can streamline the implementation and enforcement of regulations across the organization while also addressing requirements that apply only at a specific branch, state or country. In my view, ABAC is instrumental for any financial institution looking to use regulatory change as a driving force for its tactical activities.
For those of you who are regular readers of the Axiomatics blog, or are familiar with the ABAC model, you will know that one major benefit of ABAC is its ability to take the context of an access request into account: who the user is, what data they are reaching for, and from where and on what device. So no matter how complex a regulation is, a business policy can be written to reflect and enforce it. A typical example would be: a customer’s transactional data can only be viewed via a secure device, at the bank’s corporate headquarters, by an accredited auditor who is from the same country of origin as the customer. Each clause is an attribute of the user, the device, the location or the data, and the policy is simply the combination of them.
Centralization of management is another key benefit of ABAC: one tool manages the policies for multiple regulatory frameworks, and changes are implemented once, centrally, and pushed across the enterprise. For example, when the Safe Harbor agreement was recently declared invalid and US-based employees no longer had a legal basis for viewing European citizens’ personal data, an authorization rule enforcing the restriction only needed to be written once, centrally, before being rolled out throughout Europe and the US.
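To make the two preceding paragraphs concrete, here is a small attribute-based policy decision point that encodes the auditor example and the post-Safe-Harbor rule as predicates over the subject, resource, action and environment of a request. This is an added illustration, not Axiomatics’ code or its policy language: the attribute names (country_of_origin, work_location_country, data_subject_region, device_secure and so on), the sample requests and the rule names are assumptions made for the example. It shows what “written once, centrally” means in practice: the Safe Harbor change is a single Deny rule appended to the policy set, and every request that previously matched the auditor rule is re-evaluated against it without touching any application.

```python
"""Minimal ABAC policy decision point (illustrative, not a product API).

A request carries attributes for the subject, the resource, the action and
the environment. Each rule is a predicate over the whole request, so a
regulation that spans user, device, location and data is one rule, not
four separate permission tables. Attribute names below are assumptions
chosen for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs
    resource: Attrs
    action: str
    environment: Attrs


@dataclass
class Rule:
    name: str
    effect: str                           # "Permit" or "Deny"
    applies: Callable[[Request], bool]    # attribute predicate over the request


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any applicable Deny wins, then any Permit.

    Returns the decision plus the names of the rules that applied, so the
    enforcement point can log *why* access was granted or refused. A
    NotApplicable result must be treated as a denial by the enforcement point.
    """
    matched = [rule for rule in policy if rule.applies(req)]
    names = [rule.name for rule in matched]
    if any(rule.effect == "Deny" for rule in matched):
        return "Deny", names
    if any(rule.effect == "Permit" for rule in matched):
        return "Permit", names
    return "NotApplicable", names


def auditor_rule_applies(r: Request) -> bool:
    """Transactional data: secure device, at HQ, accredited auditor,
    same country of origin as the customer (the example from the text)."""
    return (
        r.action == "view"
        and r.resource.get("type") == "transaction_data"
        and r.environment.get("device_secure") is True
        and r.environment.get("location") == "corporate_hq"
        and r.subject.get("role") == "accredited_auditor"
        and r.subject.get("country_of_origin") == r.resource.get("customer_country_of_origin")
    )


def safe_harbor_rule_applies(r: Request) -> bool:
    """Added centrally after Safe Harbor was invalidated: employees whose
    duty station is in the US may not view EU data subjects' personal data."""
    return (
        r.resource.get("personal_data") is True
        and r.resource.get("data_subject_region") == "EU"
        and r.subject.get("work_location_country") == "US"
    )


AUDITOR_RULE = Rule("auditor-views-transactions", "Permit", auditor_rule_applies)
SAFE_HARBOR_RULE = Rule("no-us-access-to-eu-personal-data", "Deny", safe_harbor_rule_applies)

POLICY_BEFORE = [AUDITOR_RULE]                      # policy set before the ruling
POLICY_AFTER = POLICY_BEFORE + [SAFE_HARBOR_RULE]   # one rule appended, nothing else changes


def make_request(auditor_origin="FR", work_location_country="FR", customer_origin="FR",
                 data_subject_region="EU", device_secure=True, location="corporate_hq",
                 role="accredited_auditor") -> Request:
    """Constructed sample request. Defaults: a French accredited auditor at
    headquarters, on a managed device, viewing a French customer's transactions."""
    return Request(
        subject={"role": role, "country_of_origin": auditor_origin,
                 "work_location_country": work_location_country},
        resource={"type": "transaction_data", "personal_data": True,
                  "customer_country_of_origin": customer_origin,
                  "data_subject_region": data_subject_region},
        action="view",
        environment={"device_secure": device_secure, "location": location},
    )


if __name__ == "__main__":
    scenarios = [
        ("FR auditor, FR customer, HQ, secure device", make_request()),
        ("same request from an unmanaged device", make_request(device_secure=False)),
        ("FR auditor posted to the US office, FR customer", make_request(work_location_country="US")),
        ("DE auditor, FR customer", make_request(auditor_origin="DE")),
    ]
    for label, req in scenarios:
        before, _ = evaluate(POLICY_BEFORE, req)
        after, why = evaluate(POLICY_AFTER, req)
        print(f"{label}: before={before}, after={after}, rules={why}")
```

Running the script shows the only scenario whose outcome changes is the auditor working from the US: Permit before the ruling, Deny after, with both rule names in the audit trail. The unmanaged-device and mismatched-country requests are NotApplicable under both policy sets, which the enforcement point must treat as a refusal rather than a fall-through.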
The same model applies to any jurisdiction able to dictate the regulations for its geography. Editing permissions separately in each application, database or API becomes a thing of the past; coordinating complex compliance scenarios from a centrally managed policy is the future. Imagine how much time and money that could save your organization.
Add to this Axiomatics’ ABAC auditing and reporting tools, and you get a system that not only enforces regulations but also demonstrates to auditors, from both a data-centric and a user-centric perspective, which policies govern which data and who can actually reach it.
Unfortunately, ABAC can’t help with corporate culture or the way compliance is perceived; it’s not that kind of miracle worker. However, Axiomatics is well versed in helping organizations through the non-technical challenges of moving to a policy-based approach, and we work with partners who help speed the necessary cultural shift and the implementation work.
Ultimately, ABAC is about protecting your information assets in accordance with regulations in the most cost-effective way. If you are planning wholesale transformational change, you will want the most capable tool for the job, and to handle today’s data scenarios and tomorrow’s compliance regulations you need a modern, policy-based solution such as ABAC.
Transformational change is depicted in the KPMG diagram, and it is in steps two and three that I believe Attribute Based Access Control (ABAC) can play a key role in helping financial institutions achieve a competitive advantage.