Financial services is among the most heavily regulated industries, trailing only insurance and manufacturing in the sheer number of restrictions it must observe.
Famous compliance failures evoke blockbuster penalties: those that followed the 2008 subprime mortgage crisis, more recent cases of recurring illegal mismanagement, or Ponzi schemes. But, more often than not, the hoops that financial organizations must jump through never make the headlines.
Among the increasingly challenging regulations are those surrounding network compliance. Post-pandemic work is shifting the regulatory environment toward strengthening the complex networks that support distributed workforces. At the same time, finance is a prime target of cyberthreats, so network teams must evolve their security approaches while simultaneously meeting security regulations. On top of this, organizations must retain compliance throughout mergers and acquisitions, which require complex integrations of heterogeneous networks.
To understand network teams’ compliance needs, it is necessary to understand their challenges. Starting with the disruptive event of a major merger, let’s explore the immediate tasks network teams must accomplish to attain compliance, the continuing work they must do to retain compliance through the business cycle, and the information they can gather to anticipate auditor expectations. In doing so, we can begin to understand how to align people, processes and tools to alleviate the burden that is financial services compliance.
Network Visibility and Remaining Compliant during M&A
A merger is a defining event and one of the greatest challenges a network team faces. While mergers take different forms, from a network manager’s perspective the primary goals are to inventory both organizations’ resources, combine the networks, and remediate violations against the established standards.
Integrating the hundreds or thousands of existing users, devices, and applications from another organization’s network is no small task. However, from an auditor’s perspective, the scale of the network team’s task does not matter. Auditors are within their authority to apply the same scrutiny to organizations on the first day after the merger as they would at any other point. Therefore, the need for speed is nearly as great as the need for consistency. Network managers must be prepared to digest and remediate the entirety of the combined network as soon as possible to ensure consistent compliance.
A central obstacle for network teams is interpreting the paper-based standards established by regulators and applying them, in practice, to an existing network architecture. Even when all parties to a merger are beholden to the same regulations, their internal compliance procedures are rarely the same.
In the worst case, the network manager presiding after the merger may find that the acquired network does not even meet the previous manager’s own procedures, let alone the acquiring organization’s. The acquired organization may have worked with different personnel from any given auditor, focused on different regulations, applied different methods of remediation, or paid differing degrees of attention to detail. Because neither party ever has full transparency into the other’s network ahead of time, the scale of the integration challenge is virtually unknowable until the merger paperwork is complete.
Know Your Network and Build Defense in Depth
Organizations that establish effective systems of inventory, assessment, and observability are best equipped to answer key questions about their network and provide documentation of compliance. This is particularly useful throughout an M&A event, but it is a consistent best practice for any network team.
Inventory, assessment, and observability provide the foundation for network teams to understand the state of the network, build procedures that meet immediate regulatory concerns, provide robust information to auditors, and ultimately develop an internal review system aimed at defense in depth through layered and redundant network controls. In the case of a merger specifically, visibility is the crucial first step to cleaning up the acquired network and integrating it under the managing organization’s internal standards.
Diligent and regular internal regulatory reviews are also critical to staying prepared for the moment an agency comes knocking. As regulations are added or changed, network teams must interpret the changes and apply them to their existing network. It is vital to track the rule changes or additions each regulatory regime makes year to year, both to inform areas of focus and to plan network remediation. From there, network teams can schedule semiannual internal regulatory reviews to test the controls behind their policies and arm themselves with evidence for audits.
Be Aware of Your Gaps and Bring Receipts
Combining technology that observes and remediates the network with a systematic approach to internal review can help organizations stay ahead of auditors, particularly when faced with dramatic changes like a merger. That said, plans rarely survive contact with the examination itself. Network teams face a slate of regulators and standards bodies, such as the OCC, HHS, the PCI SSC and others, that look at everything, including security, resiliency, processing capabilities, and even waste reduction. Regulatory examinations end up being a game of whack-a-mole. Few organizations maintain laser focus on network compliance, and even network teams that are on top of regulatory change will have things that slip through the cracks.
This is not to say that the efforts network teams make to stay ahead are wasted, or that those who are behind cannot win favor. The opposite is true. Auditors must also work out how regulations apply in practice, and most need context on the technology as it relates to their policies. Network teams that have done the internal compliance work and hold a record of their network’s capabilities and controls are well positioned to make their case and defend their interpretation. That helps pass an audit or, at least, shortens the remediation timeline. Similarly, teams that know their network’s compliance gaps benefit from presenting a roadmap to closing them. Information is king, and the more a network team can show, the stronger its position.
Aligning People, Process and Technology
Network compliance is an ongoing process, and one that will only become more crucial in the immediate future. As the finance industry changes in an era of both consolidation and technological advancement, industry leaders must anticipate the evolution of the regulatory environment. Complexity in regulations is matched only by complexity in the networks themselves.
To align people, processes and tools and alleviate the burden that is financial services compliance, enterprises should adopt tools that help network teams meet the most important needs out of the box, that streamline M&A events, and that automate the more tedious aspects of ongoing compliance. Organizations should build their processes around these tools so that their people can take full advantage of the digital transformation the technology offers. Organizations that act now to leverage leading technology, align incentives, and enable their network teams to respond to an ever-evolving regulatory landscape will gain a lead over competitors and maintain good favor with auditors. Between mergers and evolving regulations, financial services networks face a compliance storm, but the right umbrella of preparation and technology can help them weather the regulatory rain.