Using DevSecOps to Meet Regulatory Challenges in Investment Banking
What does DevOps have to do with regulatory compliance in the investment banking industry? Your first thought might be "not much."
In fact, however, DevOps—and DevSecOps, the DevOps offshoot that focuses on security—is a crucial tool for investment banks seeking to keep ahead of today's increasingly complex regulatory challenges. In a world where agencies are introducing new regulations all the time, and existing policies are superseded by new ones at a dizzying pace, doing DevSecOps is the only way to ensure that you can stay on top of it all.
It's no secret that these are challenging times for investment banks when it comes to regulation. Not only is there more regulation than ever in the wake of the financial crisis, but understanding regulatory policies, and the procedures necessary to adhere to them, has also become very difficult because policies change frequently.
For example, take the MiFID law in the European Union. You may have been compliant with MiFID I when it debuted in 2007, but the introduction of MiFID II and MiFIR in 2014 changed the stakes and the procedures required to stay compliant.
Also challenging, of course, is the fact that regulatory policies vary between different jurisdictions. If your bank operates in multiple countries, you have to juggle multiple sets of regulatory requirements, each of them changing constantly. Or maybe your jurisdiction itself changes, a challenge that UK-based banks, with Brexit, are preparing to live through. Big changes in political administrations, like the one that recently took place following Trump’s inauguration in the U.S., also tend to breed significant changes in regulation for the banking industry, albeit in ways that can be hard to predict.
The costs of not complying with changing policies can be very steep. Lack of compliance can lead to huge regulatory fines—like the $180m fine that New York regulators imposed on Taiwan’s Mega Bank in 2016. And fines are only part of the cost of non-compliance. Banks have lost market value in excess of $2bn as a result of revelations about compliance failures. On top of all of this, there is the loss of reputation and customer trust that comes with devastating regulatory failures.
DevSecOps and Regulatory Compliance
How do you ensure that you remain compliant with the letter of the law when you have to operate in such a bewildering regulatory landscape? And how do you stay compliant in a cost-efficient way?
Part of the answer, of course, is to do the usual stuff: pay close attention to changes in regulatory law. Make sure you have the legal expertise on hand to help you interpret the reams of new regulatory information that are released whenever a new policy is introduced. This is all important.
But if you want to stay ahead of your competition, save money and mitigate your risk of making a regulatory mistake, you should also include DevSecOps within your arsenal of resources that help you stay ahead of the regulatory curve.
Why? To explain, let’s first define what DevSecOps means. Put simply, DevSecOps is the integration of the development, IT operations, and security and compliance parts of your organisation. It extends the core principles of DevOps (which emphasise constant collaboration between developers and IT operations admins) to include the cybersecurity and compliance team, too.
The goal of DevSecOps is to ensure that your organisation’s security experts are constantly plugged into everything else that is happening in your business. It minimises barriers to communication and maximises opportunities to share ideas and collaborate in solving compliance and security problems that could exist at any point in your software delivery chain.
When it comes to meeting regulatory challenges, DevSecOps can help you in several ways. These include:
- Maximising the number of eyes on regulatory challenges. Your developers and ITOps folks probably don’t pay a lot of attention to regulatory policies. It’s just not part of their job. But if they’re in constant communication with the security and compliance team, they’ll be in a position to be educated about new regulatory issues and make changes to software delivery workflows accordingly.
- Ensuring that software coming down the pipeline is ready to meet new regulatory requirements. The apps or features that you designed a week or a year ago may no longer meet compliance requirements. You don’t want to wait for your new software to be released before someone on your security and compliance team tells you about the issue. DevSecOps helps you avoid that situation by ensuring that compliance challenges are a part of the thought process at an early stage in the delivery pipeline.
- Baking compliance into IT policies. At the heart of DevSecOps is the idea that security and compliance should not exist in a silo. Instead, they should be integrated into IT operations across the entire organisation. Doing this makes concern for compliance a regular, consistent practice that becomes the default. That’s much safer than treating compliance as something that you tack onto your IT processes by allowing compliance experts to review software after it is complete.
- Making sure nothing is missed. Regulatory failures could result from something as simple as not updating disclosure statements within an app when a compliance policy changes. Including compliance experts within the software delivery process helps prevent you from overlooking the easy-to-miss, nuanced parts of your software that could trigger regulatory problems.
- Saving time and money. Integrating compliance review directly into your software delivery process saves everyone time. If compliance reviews take place on a continuous basis as software is updated, compliance experts can deliver value in real time. Working closely with software teams also helps to translate new regulatory needs into action quickly, which also saves time. And with more efficient use of time, of course, comes monetary savings, too.
I’m not suggesting that DevSecOps is the only thing needed to ensure compliance. But in the face of ever-changing regulatory challenges that are only poised to become more complex as governments around the world maintain their intense focus on banks, DevSecOps is a crucial line of defense against regulatory mistakes that could cost you billions in fines, lost market value, and lost customers. DevSecOps helps keep banks as compliant as possible—with as much cost-efficiency as possible.