In this article, we give a brief, high-level overview of regulatory and security challenges you need to address when deploying a fintech service in a public cloud.
The Benefits of Fintech in a Public Cloud
In some ways, fintech is like any other technology. The faster you move, the more competitive you’ll be, and there’s no faster way to get a fintech service up and running than deploying it in a public cloud. You don’t have to wait for hardware to arrive—you just click and go. You can be up and running in a matter of hours.
Since you’re not purchasing any hardware or software, public clouds also require less cash upfront. That’s especially valuable in the start-up phase where money is tight. It’s difficult to reproduce the redundancy and scalability of the public cloud with so little capital. If you’re launching a SaaS fintech, there simply isn’t a more cost-effective way to do it.
Perhaps the best reason to deploy your fintech service in a public cloud is the wide array of available turn-key services. Every service available from a public cloud service provider (CSP) is one less service you have to develop. These include basic services like computing, storage, encryption and key management, and identity & access management (IAM).
Public clouds have become very sophisticated and go way beyond just basic services. Today, many offer options specifically useful for fintech companies, such as machine learning (ML) and artificial intelligence (AI) services, as well as pre-built security and compliance tooling (audit logging, configuration baselines, and services that carry the provider's own certifications).
But just because public clouds come with quick-to-deploy security and regulatory solutions, that doesn’t mean your job is done. You still have some important decisions to make there, regardless of your CSP.
Regulatory and Security Risks in a Public Cloud
Even though there may be one-button compliance, you still need to know which button to press. In other words, you are still responsible for compliance, which means you need to be up to speed on all your security and compliance requirements.
The same holds true for cybersecurity risk. Does PCI DSS apply to your fintech application? How about HIPAA, FedRAMP, GDPR, or FIPS 140-2 for the cryptographic modules you rely on? Unfortunately, you can't always get the answer to these questions from your CSP: the CSP can tell you which of its services are certified, but whether a regime applies to your product depends on the data you handle and the customers you serve.
To make matters even more complicated, you cannot be sure you are compliant even if your CSP claims you are. Under the shared responsibility model, the CSP's attestations cover the infrastructure and managed services it operates; how you configure and use those services remains your responsibility. A good example of this is data storage location.
When deploying in a public cloud, you often have the option of where on the globe to store your data. Companies will frequently choose different regions to store and back up their data to ensure geographic diversity. What you may not realize, however, is that your compliance requirements are determined by the jurisdiction in which your data resides (and, under regimes like GDPR, by where your data subjects are), and that every replica and backup is a copy of that data. Therefore, it's entirely possible that the compliance requirements for the primary region and the backup region are completely different. Will your fintech service be compliant in both?
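One concrete way to turn the residency question into a repeatable check is to audit your storage inventory, including every replication and backup target, against the jurisdictions each data classification is allowed to live in. The script below is an added example, not code from the original article or from any CSP. The region-to-jurisdiction map, the classification policy, the bucket inventory and the `Bucket`/`audit` names are all constructed here for illustration; in practice you would populate the inventory from your CSP's API (for example, bucket location and replication configuration on AWS) and maintain the maps as policy.

```python
"""Data-residency audit for a cloud storage inventory (added example).

Flags any copy of a dataset, primary or replica, that sits in a jurisdiction
its classification does not permit. Unknown regions fail closed: they are
reported rather than silently treated as allowed.
"""
from dataclasses import dataclass, field

# Hypothetical map from cloud region names to the legal jurisdiction whose
# rules apply to data stored there. Extend with your provider's real regions.
REGION_JURISDICTION = {
    "us-east-1": "US",
    "us-west-2": "US",
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "ap-southeast-1": "SG",
}

# Hypothetical residency policy: which jurisdictions may hold each class of data.
ALLOWED_JURISDICTIONS = {
    "eu-personal": {"EU"},       # personal data of EU residents must stay in the EU
    "cardholder": {"US", "EU"},  # cardholder data only in regions inside PCI scope
    "public": set(REGION_JURISDICTION.values()),
}


@dataclass
class Bucket:
    """One storage location plus the regions of its replication/backup targets."""
    name: str
    region: str
    classification: str
    replicas: list[str] = field(default_factory=list)


def audit(buckets: list[Bucket]) -> list[tuple[str, str, str]]:
    """Return (bucket, region, reason) findings; an empty list means compliant."""
    findings = []
    for b in buckets:
        allowed = ALLOWED_JURISDICTIONS.get(b.classification)
        if allowed is None:
            # Unclassified data cannot be judged, so report it rather than skip it.
            findings.append((b.name, b.region, f"unclassified data: {b.classification!r}"))
            continue
        # The primary region and every replica/backup region are copies of the data.
        for region in [b.region, *b.replicas]:
            jurisdiction = REGION_JURISDICTION.get(region)
            if jurisdiction is None:
                findings.append((b.name, region, "region not in jurisdiction map"))
            elif jurisdiction not in allowed:
                findings.append(
                    (b.name, region, f"{b.classification} data may not reside in {jurisdiction}")
                )
    return findings


# Constructed sample inventory: one EU dataset replicated to the US for
# "geographic diversity", one export that landed in Singapore, and two clean cases.
SAMPLE_INVENTORY = [
    Bucket("ledger-eu", "eu-west-1", "eu-personal", replicas=["us-east-1"]),
    Bucket("analytics-export", "ap-southeast-1", "eu-personal"),
    Bucket("card-vault", "us-east-1", "cardholder", replicas=["us-west-2"]),
    Bucket("marketing-site", "eu-central-1", "public"),
]

if __name__ == "__main__":
    for name, region, reason in audit(SAMPLE_INVENTORY):
        print(f"{name}: {region}: {reason}")
```

Run on the sample inventory, the audit reports the US replica of `ledger-eu` and the primary location of `analytics-export`; the cardholder vault and the public site pass. A detective check like this belongs in a scheduled job, but it is worth pairing with a preventive control where the provider offers one (on AWS, for instance, an organization policy conditioned on `aws:RequestedRegion` can stop resources from being created outside approved regions in the first place).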
Regardless of how many tools are available from your CSP, at the end of the day, both security and compliance requirements in a public cloud are your responsibility.
Fintech Companies in a Public Cloud
As challenging as deploying a fintech SaaS solution in the public cloud is, those challenges are not insurmountable, judging by the number of financial services companies that have deployed there.
Here is just a partial list of financial services firms that have built on AWS. Notice that these are some of the largest financial institutions in the world:
- Capital One
- Liberty Mutual
Here is a list of firms built on Azure:
- US Bank
- BNY Mellon
Here is a list built on Google Cloud Platform (GCP):
- Goldman Sachs
- Charles Schwab
As you prepare to deal with regulatory and security risks, like the companies above have done, you can break down the challenge into three phases. The first is preparation. Here, you'll assess vulnerabilities, develop security and compliance programs, and appoint dedicated staff.
Next, you’ll implement the measures. These include things like due diligence, sanction screening, suspicious activity reporting, and transaction monitoring.
Finally, you'll need continuous monitoring of security and compliance in place. This includes things like employee training, automating processes, and scaling programs as the business grows.
If time-to-market is one of your critical metrics and/or cash is in short supply, deploying your fintech service in a public cloud is your best option. But beware, there are security and compliance challenges ahead, which we will discuss in more detail in the next article: The Price of Success.