APAC regulators up risk for banks

The existence of many regulators and changing regulations in the Asia-Pacific region is a key security audit, risk and governance trend in financial institutions, along with cloud outsourcing and the changing role of the IT representative, according to members of non-profit organization, Information Systems Audit and Control Association (ISACA). The executives also advised that best practices include improving employees' security awareness and technical skills and having "good business sense".

While the financial sectors in the United States and United Kingdom are mature and have relatively few regulatory issues, those in Asia-Pacific countries are "still maturing", Boris Link, vice president of ISACA Singapore, told ZDNet Asia Thursday in an interview. ISACA is a global non-profit organization involved in IT governance and IT certifications. 

Banks in the Asia-Pacific, he said, have to undertake more effort to comply with changing and "heterogeneous" regulations in the region due to the need for approval from numerous regulators and to adapt to different regulations.

Concurring, Daryl Pereira, president of ISACA Singapore observed that there are some 50 regulators in Asia, an average of one to five per country. In contrast, the United States--for such a large economy--has two or three national regulators including the US Fed and the Securities & Exchange Commission, said Pereira who is the director of management consulting at KPMG. 

Pereira noted that when the large number of regulators "compete" with each other to demonstrate that their financial markets are the safest, it is more difficult for banks and financial institutions to "keep up" as they will be "inundated with the volume and complexity of regulatory changes", especially in Asia-Pacific which has a large number of regulatory jurisdictions. He cited the recent renewal of IT outsourcing guidelines by Singapore's Monetary Authority of Singapore (MAS), and the upcoming Basel III capital adequacy guidelines.

Emil D'Angelo, Past International President of ISACA, noted that IT outsourcing is also a topic of "heavy" debate in banks, particularly the use of cloud services.  

"There can be high risks attached with IT outsourcing--allowing third parties to manage applications or bank's customer and transaction information without the ability to control what happens to it," said D'Angelo, who is managing director of Bank of Tokyo Mitsubishi. "Banks are aware that customers and regulators will want to know where their data is stored and who has access to it."

D'Angelo noted that cloud computing is the "repacking of technology outsourcing" and has become an "item of interest" for banks. The cloud has created new and additional set of risks in various forms, especially its use for business applications and vendor management teams in banks are also realizing that "[they] cannot outsource risk", he added. 

Concurring, Pereira said that the public cloud is "like outsourcing your data to unknown parties located in unknown places with unknown intentions". Banks are hesitant to utilize the technology despite recognizing its potential, and have always been "conservative" about using new technology due to the risks of being an early adopter, Pereira explained.

Best practices for financial institutions
At a general level, banks should have good security strategies and policies, awareness programs for educating employees and processes to guide employees on technicalities such as how systems are developed or processed, D'Angelo said.

Link stressed people are "the weakest link in every company". "This is why it is necessary to have good policies, ensure that people understand them with continuous education and intensive training," he said.

It is also necessary to have "good business sense", D'Angelo added, explaining that if "something went wrong" such as a breach or outage, banks should "take the blame", explain the situation to customers and put in place measures or controls to ensure the incident does not happen again.

Pereira shared that banks need to focus on four aspects--people, processes, operations and finance--using a balanced scorecard approach.

According to him, performance management reporting, which provides structured information (business intelligence) about how technology is being used as well as how the technology can be used to gain competitive advantage, is a should-have for banks.

Additional best practices for the banking industry include regular audits of risks, measuring IT project benefits and alignment with business strategy, certification of employees to upgrade their skills, as well as "business-centric mobility" for employees, Pereira added, such as enabling IT employees to spend a year working in the business operations of their company.