Companies in the financial services sector appreciate the opportunities offered by moving applications to the cloud or implementing a multi-cloud strategy. However, the adoption of cloud technologies across Europe is highly uneven, with the most digitally advanced economies located in Northern Europe[1].
There are many reasons for this, the most common being security concerns, broadly understood, and regulatory uncertainty, both of which are crucial when building IT solutions for the financial market.
In this article, I will take a deep dive and demystify the process of developing a cloud-based financial application.
Building cloud-based financial software under industry laws and regulations
Modern information technologies, including cloud computing, offer great opportunities. At the same time, they create new challenges relating to the protection of customer data, transaction security and compliance with the law.
There are many regulations in the highly regulated European financial services sector. However, whether a given regulation applies depends on the type of business: for example, if a company does not offer investment services on the cryptocurrency market, the MiCA regulation will not apply to it.
The regulations that we will probably encounter when creating finance applications are:
- GDPR (General Data Protection Regulation): Imposes requirements relating to the processing and protection of customer data;
- AMLD (Anti-Money Laundering Directive): Introduces provisions to prevent money laundering and terrorist financing, including enhanced customer identification and transaction monitoring requirements;
- PSD2 (Payment Services Directive 2): Introduces EU-wide rules for electronic payments, regulating payment services, payment service providers, transaction authorization, and customer data protection;
- EMIR (European Market Infrastructure Regulation): Governs the derivatives market, including the exchange of transaction data and reporting to increase transparency and limit systemic risk;
- MiFID II/MiFIR (Markets in Financial Instruments Directive II/Markets in Financial Instruments Regulation): Relates to financial instrument markets, regulating investment firms' activities, client protection, and market transparency;
- PRIIPs (Packaged Retail and Insurance-based Investment Products) Regulation: Implements information standards for investment products sold to retail clients to enable better comparison and understanding of risks;
- CRR/CRD IV (Capital Requirements Regulation/Capital Requirements Directive IV): Establish capital and liquidity requirements for financial institutions to increase their stability and resilience to financial crises;
- SFTR (Securities Financing Transactions Regulation): Regulates securities financing transactions (e.g., repurchase agreements) to enhance transparency and minimize systemic risk; and
- DORA (Digital Operational Resilience Act): A legislative framework aimed at enhancing the digital operational resilience of financial entities by establishing requirements for cybersecurity, incident reporting, and ICT risk management within the European Union. It aims to ensure the stability and security of digital systems in the financial services sector and foster trust in the digital economy.
Creating cloud-based financial software in different European countries
It is worth noting that each country implementing EU regulations can adjust them to its own market, extend them or even tighten them. This is particularly important when the creators of a FinTech solution want to enter foreign markets after having built their application in a country that is favorable to technologies based on cloud infrastructure.
For example, in Poland, in addition to the regulations mentioned above, there are also local regulations, e.g., the Act – Banking Law or the Communication from the UKNF on information processing by supervised entities using public or hybrid cloud computing services. Therefore, it is crucial to analyze the legal basis applicable locally.
Another example is the United Kingdom, which already in 2012 developed G-Cloud, i.e., a set of framework agreements with cloud service providers, together with a whole catalog of applications and services from which government organizations and offices can choose the solutions that best suit their needs[2]. This sent a clear signal to companies that the British public sector is interested in using the potential of the public cloud. It indirectly affected the number of data centers in the UK, which numbered 456 in 2022, placing the UK second in Europe and third in the world in this category[3].
Failure to comply with industry laws and regulations has serious legal and financial consequences, and these can be severe. The record holder in the financial services sector is the Spanish bank CaixaBank, which in 2021 was fined €6 million for an insufficient legal basis for data processing (GDPR)[4]. Therefore, for obliged entities in the regulated market, it makes sense to involve the legal and compliance team as early as the design stage of the financial application.
Create custom finance apps in cooperation with the legal and compliance department
Lawyers and compliance experts should work with the entire organization that creates financial cloud-based applications. Their main counterparts will of course be the project manager and the team of developers, because they must understand the applicable law to implement IT solutions without exposing the organization to legal and financial consequences. At the same time, employees of other departments should also be aware that they share responsibility for the security of the solution being developed, and related issues should be included in the basic requirements of the application.
Therefore, the role of the legal and compliance team when creating a financial application is as follows:
- Analysis of laws and regulations and precise knowledge transfer to the development team. This makes it possible to identify requirements relating to data security, confidentiality protection, payment processing, etc.
- Indication of risks and potential threats. These may include issues relating to personal data protection, financial reporting requirements, or auditing obligations.
- Co-creation of policies and procedures. These documents should outline how the application will be managed, what controls will be implemented, and what action will be taken in case of breaches.
- Monitoring changes in regulations regarding both the financial services sector and cloud applications. This makes it possible to adapt the application to new requirements and avoid potential legal consequences.
- Staff training. It is essential to properly train all staff responsible for operating the financial application so that they are aware of compliance obligations and know how to act in various situations to minimize the risk of breaches and non-compliance.
"When developing applications to streamline entities' operations in a highly regulated market, it must be noted that data security must already be guaranteed at the software design stage.
Nowadays, it is impossible to create secure software by "turning a blind eye" to security rules and regulations. Today on an unprecedented scale, data has been commoditized. Data trafficking, identity theft, and manipulation of information pose a significant risk on a global scale. Therefore, the role of those who ensure information security and legal compliance on the part of suppliers is so important and responsible. This is primarily about the trust of our partners, but also – as pathetic as it may sound – about the security of us all.
The awareness and knowledge of the people involved in software development play a crucial role in the security process," says Kinga Brzozowska, Information Compliance Officer at FINGO.
Financial apps working in the cloud. How do I choose the best cloud service provider?
Choosing the right cloud provider and conducting regular compliance audits are critical when building modern financial applications in the cloud. Many factors should be taken into account in this process to ensure the security and efficiency of the application.
The first important aspect to consider is the location of the cloud provider's data centers. Data centers should be located in an appropriate jurisdiction, taking into account the laws and regulations governing the storage of financial data.
"The financial services sector is highly regulated, so many factors can increase the risk of non-compliance. One such factor is the storage and processing of data outside the country. Therefore, when choosing an offer, banks must primarily be guided by the assessment of risks.
Therefore, when creating eON, a cloud application for regulatory reporting, we chose Google Cloud. This cloud service provider also has a datacenter in Poland, thanks to which we minimize the aforementioned risk. At the same time, in emergencies, or our expansion into foreign markets, the global availability of Google's data center enables us to move our application to another location in Europe easily," says Piotr Malczak, Co-owner and CPO at FINGO.
The choice of location may affect which privacy and data protection laws apply and which regulators have access. Therefore, it is crucial that the provider offers data centers that comply with legal and regulatory requirements and industry best practices.
Create finance apps with a certified cloud provider
Another important factor is the certification of the cloud provider. Companies operating in the financial services sector must meet stringent data security and information protection requirements. Therefore, it is worth checking whether the provider holds the appropriate certifications, such as:
- ISO/IEC 27001: This certification relates to information security management systems and provides a framework for securing sensitive data and assets.
- ISO/IEC 27017: This standard focuses on the security of cloud services, addressing the specific risks and challenges associated with cloud computing.
- ISO/IEC 27018: This certification outlines guidelines for protecting personally identifiable information (PII) in cloud environments.
- ISO/IEC 22301: This standard covers business continuity management systems, ensuring that the cloud provider has robust plans in place to maintain operations during disruptions.
- SOC 2 Type II: Issued by the American Institute of Certified Public Accountants (AICPA), this report assesses the security, availability, processing integrity, confidentiality, and privacy of a cloud service.
- Payment Card Industry Data Security Standard (PCI DSS): Required if the cloud service processes, stores, or transmits credit card data for financial applications.
- Cloud Security Alliance (CSA) STAR: While not a certification, the CSA Security, Trust, Assurance, and Risk (STAR) registry provides self-assessment reports regarding cloud service providers' security practices.
The provider's experience in the financial sector is another criterion worth attention. A provider experienced in financial services will be more aware of this sector's specific requirements and challenges, including financial regulations, reporting requirements, and the expectations of financial institutions.
It is also essential that the cloud provider has effective compliance audit mechanisms. Regular external audits make it possible to monitor and confirm that the provider continues to meet regulatory requirements and security standards. Audits help identify potential security vulnerabilities so that appropriate corrective action can be taken, which maintains a high level of financial data security.
Data security and privacy protection in cloud-based financial software
Data security and user privacy protection are fundamental for a cloud-based financial app. This is especially so since the number of cyberattacks on cloud-based networks is growing every year – a 50% increase in Europe in 2022 compared with 2021[5]. This should not be surprising – after all, the use of the cloud by organizations is also growing. That is why it is so important to implement preventive measures. Here are a few of them:
Data encryption. Encryption is essential to securing data stored in the cloud. Data should be encrypted both in transit and at rest using strong cryptographic algorithms. Using Transport Layer Security (TLS) for network communication and AES (Advanced Encryption Standard) for data at rest provides an additional layer of protection.
Access control. It is important to control access to data in your financial application. Each user should be assigned only the permissions needed for the operations they are allowed to perform on data. Identity and access management mechanisms such as Single Sign-On (SSO) and Identity and Access Management (IAM) enable precise control over who can access specific data.
Two-factor authentication. Implementing two-factor authentication (2FA) further strengthens the security of the finance software. In addition to the traditional password, the user must confirm their identity through a second, independent channel, for example, a code sent to a mobile phone. This makes unauthorized access much more difficult, even when the password has been compromised.
User behavior monitoring and analysis. This enables early detection of irregularities. Systems can analyze user activity to detect potential threats or unusual behavioral patterns that may indicate attempted security breaches.
Audits and regular security reviews. These are crucial in maintaining a high level of data protection. Security reviews should be performed periodically to identify and fix any security vulnerabilities.
Automate incident response. In the event of suspicious activity, modern finance apps should have mechanisms for automated incident response. This will enable quick identification and isolation of potential threats.
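As an added illustration of the user behavior monitoring and automated response points above (this is example code, not part of the original article or FINGO's products), the following script runs two simple detections over a constructed, labelled sample of login and transfer events: a login from a country not previously seen for that user, and a burst of transfers within a short window. The log format, field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for the example (not real data):
# "<ISO timestamp> <action> key=value ..." with one event per line.
SAMPLE_LOG = """\
2024-03-01T09:00:00 login user=alice country=PL
2024-03-01T09:05:00 transfer user=alice amount=1200
2024-03-01T09:06:00 transfer user=alice amount=800
2024-03-01T09:07:00 transfer user=alice amount=950
2024-03-01T09:08:00 transfer user=alice amount=700
2024-03-01T11:00:00 login user=bob country=PL
2024-03-01T11:02:00 login user=bob country=BR
2024-03-01T11:03:00 transfer user=bob amount=5000
"""


def parse(log_text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, action, *pairs = line.split()
        event = {"ts": datetime.fromisoformat(ts), "action": action}
        event.update(dict(pair.split("=", 1) for pair in pairs))
        events.append(event)
    return events


def detect_anomalies(events, max_transfers=3, window=timedelta(minutes=10)):
    """Return (user, rule, detail) alerts for two behavioral rules:
    - login_new_country: login from a country never seen before for that user
      (the first login establishes the baseline and does not alert);
    - transfer_burst: more than max_transfers transfers inside the window."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries seen at login
    recent_transfers = defaultdict(list)  # user -> timestamps inside window
    for ev in events:
        user = ev["user"]
        if ev["action"] == "login":
            known = seen_countries[user]
            if known and ev["country"] not in known:
                alerts.append((user, "login_new_country", ev["country"]))
            known.add(ev["country"])
        elif ev["action"] == "transfer":
            recent = [t for t in recent_transfers[user] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            recent_transfers[user] = recent
            if len(recent) > max_transfers:
                alerts.append((user, "transfer_burst", str(len(recent))))
    return alerts
```

In a real deployment the alerts would feed the automated response step (for example, stepping up to 2FA or temporarily suspending the session) rather than only being returned.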
Easier to build modern finance apps with the right people
Undoubtedly, the public cloud is a solution that supports innovation, including the creation of new products and services and the exploitation of market opportunities. Nevertheless, feature-rich finance apps in the cloud must be built in accordance with the law in force in the relevant jurisdiction. Therefore, precise planning, risk assessment, solid security measures, constant monitoring, and periodic audits are crucial here, as is working with experienced development teams. How to choose one? You can read more in the following article: FinTech software development: How to choose the right software house?
Sources:
[1] McKinsey & Company, Chmura 2030 (Cloud 2030: How to harness the potential of cloud technology and accelerate growth in Poland). https://www.mckinsey.com/pl/~/media/mckinsey/locations/europe%20and%20middle%20east/polska/raporty/chmura%202030/chmura%202030%20raport%20mckinsey.pdf
[2] Advice Cloud, The Ultimate Guide to G-Cloud, https://advice-cloud.co.uk/knowledge-hub/ultimate-guide-to-g-cloud/
[3] Statista, Data centers by country in Europe 2022, https://www.statista.com/statistics/878621/european-data-centers-by-country/
[4] GDPR Enforcement Tracker - list of GDPR fines, https://www.enforcementtracker.com/
[5] Digit News, Cloud-based Cyber-attacks Increased by 48% in 2022, https://www.digit.fyi/cloud-based-cyber-attacks-increased-by-48-in-2022/