

What are the Compliance Risks in Banking & Financial Sector?



Narendra Sahoo is a director of VISTA InfoSec.



The Banking and Financial Sector is always a soft target for cybercriminals, given the enormous amount of sensitive data that the industry handles. For the same reason, this sector is constantly under the radar of various compliance and regulatory mandates. As the risks and sophistication of cybercrime in the industry grow, compliance and regulatory mandates keep evolving rapidly, which makes it difficult for banking and financial institutes to keep up with changing requirements.

Given the complexity of the business operations, these institutes struggle to develop, align and integrate their operations and risk management strategies with various compliance, and regulatory frameworks. Banks and Financial institutes need to proactively identify and manage not just the evolving cyber threats but also the compliance risks in the industry.

Banks and Financial Institutes are expected to keep pace with the evolving landscape and develop strategies for building effective solutions that address compliance risk across an increasingly diverse regulatory and compliance ecosystem. This article explains the compliance risks prevailing in the Banking and Financial sector and shares some best practices for addressing them.

Regulatory & Compliance Requirements in Banking and Financial Industry

Regulatory Compliance has always been the top priority for financial institutions. For the sheer amount of sensitive and personal data that they deal with, they require a high level of cybersecurity. For these reasons, compliance has become an integral part of all the Banking and Financial Institutes’ security programs. Further, with the increasing threat exposure in the industry, compliance standards have been heightened dramatically over the years. This has resulted in an immense amount of pressure on banking and financial institutes that are subjected to international cybersecurity and compliance regulations.

Emerging from various national and international governing authorities, many regulatory and compliance standards are now mandatory for the industry. Data privacy and data security standards and regulations such as GDPR, CCPA, PCI DSS, MAS TRM, ISO27001 and RBI Digital Payment Security Controls are some of the most widely applicable regulatory compliance requirements for the Banking and Financial Industry. These heightened regulatory requirements have redefined the compliance and risk management process.

Today, compliance risk is a real concern for most Banking and Financial Institutes. Compliance risk, which involves non-adherence to industry regulations and standards, results in organizations facing the consequences of violation, including financial penalties. Cyber risk and compliance risk therefore go hand in hand, and institutes now need to appoint a compliance team and hire relevant compliance officers for the role. Let us now understand the various types of Compliance Risks faced by the Banking and Financial sector.

Understanding the Compliance Risk in the Industry

Compliance risk is technically a subset of enterprise risk that relates to failure to comply with regulatory and industry standards and facing the consequences of it. Besides a sense of professional obligation, there are other reasons why organizations must put in their best effort to avoid falling prey to various compliance risks. Broadly speaking, compliance risks can be categorized into five common types, listed and explained below:

  • Data Security & Data Privacy Risk

When we talk about data security and privacy risks, we mean the high-level risk of exposure of consumers’ sensitive data. Non-compliance with industry standards and regulations such as PCI DSS, GDPR, CPRA, and ISO27001 does not just result in a compliance finding but may also lead to unforeseen events such as data breaches and hacking. This can further result in data loss, destruction, exposure of data to the public, and/or theft of sensitive data.

  • Legal Risk

Legal Risk is the risk arising from non-compliance with standards and having to face the consequences of legal action. By legal action, we mean imprisonment, penalties, cancellation of business licenses, debarment of business operations, and product seizure, to name a few.

  • Financial Risk

Financial Risks are consequences of non-compliance that result in monetary loss. The non-compliant organization may have to face stringent financial penalties as well as loss in business in terms of the drop in sales, share prices, loss of investors, or any potential future earnings due to the reputational impact of non-compliance.

  • Reputational Risk

Non-compliance with standards and regulations has a huge impact on an organization’s reputation. Customers’ perception of an organization changes, especially when they find that the organization is non-compliant and at risk of a data breach. The risk of reputational loss also has a huge impact on business sales due to a lack of trust and confidence in the business among consumers.

  • Business Risk

Non-compliance can have a huge impact on the business and may even result in its shutdown. Depending on the severity of the non-compliance and its impact in terms of data breach and the magnitude of sensitive data exposure, the business may end up losing its license to operate, resulting in a complete shutdown.

Best Practices for Compliance Risk Management

Managing compliance risk isn’t easy, especially when multiple third-party vendors are involved in the process. Ensuring compliance is challenging unless there is a systematic Compliance Risk Management process in place. That apart, here are some best practices that you can consider to address compliance risk.

  • Active Involvement of the Board & Management

Active participation and involvement of the Board and Senior Management are essential for the success of any compliance program. They must make every effort to ensure they are aware of and involved in all compliance initiatives. This builds a strong due diligence process for compliance risk management.

  • Develop Effective Third-party Policies & Procedures

Most businesses today depend on third-party vendors for certain services. So, businesses need to develop appropriate third-party policies and procedures in alignment with compliance requirements. This will not just ensure compliance but also make the vendors accountable for the services they offer. Establishing a certain level of due diligence will help integrate and streamline compliance processes effectively.

  • Compliance Risk Assessment

For any organization to stay ahead of its compliance risks, it needs to conduct regular assessments to identify potential risks. Knowing what the risks are and where they originate is crucial to the risk mitigation and risk management process. Conducting a Compliance Risk Assessment regularly is therefore essential: it helps organizations keep track of their current compliance posture and evolve with the dynamic compliance landscape. So, organizations must consider establishing a process for conducting a regular compliance risk assessment.

  • Testing & Managing Compliance Risk

Managing compliance risks is impossible if you do not test the established security and compliance program. Moreover, the organization will not know its potential compliance risks unless the program’s effectiveness is put to the test. In short, a compliance risk management program becomes useless if it does not identify and address the right risks. For these reasons, regularly testing and managing identified risks is crucial to prevent compliance risk and the consequences of compliance failure.

  • Constant Monitoring & Reporting

Managing compliance is a continuous process, especially in a constantly changing financial environment. Moreover, since compliance is itself a very dynamic landscape, organizations require constant monitoring of their compliance risk. Organizations need to re-evaluate all their policies and procedures to ensure they cover all the risk factors that pose a threat to the organization. Further, they must ensure their Compliance Risk Management program is updated, relevant, and aligned with the current security and threat landscape, so that their compliance efforts are regularly evaluated against current regulatory and compliance requirements. This is an essential, ongoing process to avoid the complexity and consequences of potential compliance risk.


Managing Compliance Risks can be a daunting task given the complexity of compliance requirements and operating procedures. However, a good start to managing Compliance Risk is implementing measures to identify, monitor, and control potential compliance risks. This can be done by setting up an automated and systematic approach to assessing, managing, and preventing Compliance Risk. Preventing the dire consequences of compliance risk requires establishing appropriate processes and also taking the necessary measures to implement those processes. Further, regardless of the technique adopted, the organization must know why compliance risk and its management are essential for the organization. The team, including the Board and Management, needs to be aware of the potential Compliance Risk it is exposed to, and establish policies, procedures, and appropriate processes to manage and prevent the consequences of such risk.


Digital Acceleration – the next buzzword in banking tech? Or a new era for the industry?




Ove Kreison, CTO at Tuum

McKinsey’s latest report on banking found that traditional banks are spending a whopping 85% of their tech budgets on maintaining legacy solutions, with just 15% going towards building anything new for customers.

‘Digital transformation’ has been the buzzword in banking technology for years, but the figures suggest there’s still a lot of ‘transforming’ left to be done. Now that we’re beginning to see the term ‘digital acceleration’ come to the fore, what does that mean for the state of banking technology? What is the difference between acceleration and transformation, and what should banks and other financial services players do to remain competitive?

Digital transformation – the second machine age which has taken an age!

The idea of ‘digital transformation’ didn’t come out of the blue. Banking – like most other industries post-WW2 – has been experiencing the ‘second machine age’ for decades, exploring how technology can digitize processes and services to make cost, operational and organisational efficiencies. All the while, this process has also made it far easier for companies to be more competitive with new digital products that are slicker, quicker and more user-friendly.

Banks have benefited wherever they have undertaken digital transformation to date, but it is the digital transformation of core technology stacks that is having the most impact, letting banks realise operational efficiencies while making them nimbler to adapt to changing customer needs and remain relevant and competitive in a highly disrupted market. Digital transformation to the core gives banks the ability to launch new offerings to market quicker, renovate and modernize business models, and leverage and analyse data from multiple systems, taking innovation of the more exciting front-end and customer-centric offerings to the next level: faster speed to market, highly personalised offerings, more agility, more scalability.

Success and progress to date, however, have been slow. Traditional banks especially are lumbered with highly complex and costly core technology stacks. Digital transformation and upgrading these core stacks remain a priority, but the next wave of digital acceleration is now an urgent item on the c-suite agenda to ensure banks compete and survive in a rapidly evolving industry.

Digital Acceleration vs Digital Transformation

Digital transformation at its core takes the existing ways companies have run their business and applies new technologies to digitize them – for example, taking a paper-based application process and making it online.

Digital acceleration is different. Here, digital becomes the very core of the business model, creating further new digital processes. It gives the power to not just make existing processes digital but to reimagine how those processes impact and improve the business. Some of the most forward-thinking banks are already doing this. BBVA, the second biggest bank in Spain, is actively and openly seeking to become a software company in the future and has digital at the heart of its offering. It embraced open innovation and new technologies to better serve its customers – for example, it launched an app-based money transfer offering, Tuyyo, in 2017. It’s also exploring how technologies like blockchain can be used to transform fundamental banking services such as loan origination, with the aim of improving the way it runs its businesses.

Co-Value Creation – Going it Alone isn’t an Option

A core facet of digital acceleration – especially in a highly mature and saturated market like banking – will be how banks, fintechs, enterprises and others collaborate to mobilise these more diverse capabilities and expertise, bringing mutual benefits to all parties.

The pace of technological change is now so hypercompetitive that organisations cannot always sustain their competitive advantage or ‘do it all’. Constantly updating your offering to maintain market share and react to new demands has become a necessity for banks, but it is exhausting. More and more banks and FS providers are realising that the strategic resources and capabilities needed to deliver these innovative services lie outside their business, and given the fast pace of change, developing everything in-house is unrealistic given the skills gap, time and cost constraints. Moreover, tech advances around integration and APIs mean collaborating with third-party experts has never been easier or more effective as a way to bring in capabilities that, combined with their own core offerings and customer data, provide an important competitive advantage and a valuable proposition for customers.

One brilliant example of this is ING. Recognising the struggles associated with traditionally manual and paper-intensive trade finance processes, it launched a blockchain-based commodities financing platform, Komgo, in 2018 with a consortium of other banks and corporates including Société Générale, Citi, and Mercuria. In an age of hypercompetition, mutually beneficial collaboration is the answer.

Transform, accelerate, create

Ultimately, banks can continue to digitally transform while also looking to digitally accelerate. In fact, the two go hand in hand: in order to reap the benefits and be able to consider platform co-creation and digital acceleration, banks need to transform their tech stacks from the core so they have the capability and agility to think beyond the realms of their own core business and their own technology. Those that get it right, driving innovation from the core, reimagining their business models for the digital age, tapping into new revenue streams and becoming more customer-centric, are not only more relevant now but also future-proofed for the digital acceleration to come.



Banking on legacy – The risks posed by ‘stone age’ banking infrastructure



By Andreas Wuchner, Angel Investor of Venari Security



If you consider the most significant motivating factors behind cyber-attacks – the promise of large financial reward and the opportunity to cause maximum business and social disruption – it’s little wonder that banks and financial institutions are amongst the most inviting targets for would-be cyber criminals. In fact, according to IBM’s recent report, ‘banking and finance’ was the most attacked industry for the five years between 2015 and 2020, surpassed only by threats to critical infrastructure in recent years. Successful attacks can provide aggressors with a mass of sensitive personal and financial information, and even access to people’s money itself. Furthermore, a suspension of withdrawals and deposits can cause huge social disruption and reputational damage.

As banks have reacted to years of new regulation and emerging technologies, they have often ended up operating hugely complicated and disparate technology estates. This provides malicious actors with a wealth of potential attack vectors. A small breach anywhere in this network can have enormous consequences and lead to entire systems being overrun. As such, it’s crucial that security teams operate with the highest-grade security possible, including ensuring the strongest encryption standards. Banks need to look beyond regulatory tick-box commitments and ensure they are taking proactive and preventative steps to monitor and combat malicious attacks across their entire network.


However, the ability to react to cyber-threats across a vast estate requires the speed and flexibility to update security protocols quickly. The sheer volume of legacy infrastructure slows this process down considerably, leaving many security teams in a vicious cycle.


The threat of legacy infrastructure

A sizeable proportion of the banking industry still relies on systems first developed more than 40 years ago. In fact, many ‘core banking’ systems, like payments, loans, mortgages and the associated technologies, are still coded in COBOL (Common Business-Oriented Language), an otherwise defunct programming language that is older than the internet itself. In the UK and Europe, COBOL remains the ‘backbone of banking services,’ while in the USA as much as 43% of banking systems are built on COBOL, meaning it underpins much of our financial system.

This presents a huge security risk. While the code has been regularly updated over the years, these systems were built when security threats were far less sophisticated and less well-financed, and when the volume of data to protect was far smaller. For several years, governments have pointed to legacy systems built using COBOL as a major cybersecurity threat, incompatible with modern security best practices and solutions, including multi-factor authentication. For example, data from Kaspersky found that businesses with outdated technology are much more likely to have suffered a data breach (65%) than those who keep their technology updated (29%).

A further security consideration is the diminishing number of people trained in maintaining COBOL systems. Every year, experienced professionals exit the industry, making it increasingly difficult to service legacy technologies and creating significant delays in patching vulnerabilities once they’re identified. This short supply of sufficiently trained experts, and the demand they face, makes any update extremely expensive and time-consuming.

Furthermore, legacy infrastructure prevents the secure application of encryption, posing its own distinct cybersecurity and regulatory risks. Encryption is often heralded as a silver-bullet solution for data privacy and has been a continuing area of focus for regulatory bodies in recent years. However, banks remain guilty of poor deployment, maintenance and management of encryption, using outdated protocols and inefficient methods of analysing and understanding network traffic. This, coupled with legacy ‘core banking’ systems that are incompatible with modern encryption techniques, equates to a regulatory and security headache for security teams.


Adopting a new mindset

The risks posed by legacy systems and the volume of cybersecurity threats facing banks mean a concentrated re-think of overall cybersecurity strategy is needed to prevent breaches and ensure data is protected long-term. Traditionally, banks have taken an ‘outside-in’ view, dedicating capacity, finances and knowledge to dealing with threats that are existing, known and well publicised. However, to aid long-term security, this should be superseded by an ‘inside-out’ proactive approach, whereby security teams are cognisant of their own internal systems and where the key vulnerabilities are found. Once banks have a detailed view of the security risks posed by their legacy systems, and specifically what data is threatened, they can address flaws, update these systems and build a stronger overall security posture.


The secure path ahead

Many of our successful high-street banks today have centuries of experience in dealing with social, economic and regulatory upheaval. However, the rapid development and deployment of technology continues to present a unique challenge. Many ‘traditional’ banks have built a complex technology infrastructure through decades of adjustment to new legislation and emerging technologies. While these systems were serviceable in the past, fintech start-ups are now pushing their long-term viability to the limit.

Challenger banks have the luxury of being built from the ground up, prioritising convenient digital services and features, and modern security processes. As the user base of these banks increases, customers increasingly expect the same features and security from their existing banks, which adds even more complexity to legacy infrastructures. As outlined by Deloitte, existing firms simply aren’t positioned to support the rising expectations of the market, exposing banks to additional risk and liability.

What’s more, it’s estimated that banks spend as much as 80% of their yearly IT budgets on the maintenance of legacy systems. While an immediate switch away from these systems is unrealistic, there is an opportunity to reduce wasted spend and divert it towards modernisation efforts. However, while traditional banks may want to adapt more quickly to technological advancements, they need to do so while continuing to minimise cyber risk and without jeopardising the security of their data or systems. This means placing cybersecurity at the heart of any modernisation effort and maintaining a steady rate of change. As more of the technology estate is modernised, the risk of regulatory non-compliance will also reduce.


Legacy systems need a considered update

Banking systems have relied heavily on legacy infrastructure for too long, bringing difficulties in maintaining the highest-grade cybersecurity and in facilitating innovation. The risks presented by novel cybersecurity attack vectors, and competition from new and emerging digital services offered by challenger banks, are exacerbating these issues. As such, legacy systems need managed modernisation in the long term, facilitated in part by a managed redistribution of existing IT spend. However, to ensure long-term security overall, cybersecurity needs to be at the very heart of those modernisation efforts.

