The new regulation will fundamentally change the landscape for the biggest technology companies – especially cloud service providers, says a new paper from JWG, the London-based think tank that tracks and analyzes financial services regulation.

Digital Infrastructure Risk Management: A Shared Path to Financial Services Safety is available online from JWG. Its analysis, based on 287,897 pages of new rules in 2022 alone, is a wake-up call for businesses that need to define “what good looks like” before huge fines start being imposed.

The firm uses a natural language processor to research regulations. “We’ve modeled all the terms that we know regulators talk about, and we’re digging for topics that we don’t understand and trying to figure out how it all fits together,” said PJ Di Giammarino, CEO of JWG.

The new regulations will cover information and communication technology (ICT) risk management, third party risk management strategy, scenario planning, operational resilience and technology management. And of course the requirements will be slightly different in the EU, UK and US, not to mention Asia.

It gets very complicated, Di Giammarino said. “We already have a big divide between Asia, the US and Europe. Europe is customer-centric and regulates to protect the individual. The US protects the corporation and the right to do business, with few protections for the people as well, and China is all about states’ rights.”

That could add a whole new level of complexity and cost, he added.

“To sum up the last 18 years of doing reg, it’s all been about who trades what. Now what is happening here is a whole other conversation — HOW? It’s everywhere today, little bits of reg that bite at the HOW. Unless you do it top down, you will die from many, many cuts and fines.”

Francis Gross, a senior adviser at the European Central Bank, said the industry needed to move quickly. “One is left with the sense that industry and regulators will need to learn, quickly and together, which technologies are for competition and which are best for collective action, outside of today’s silos,” he said, speaking in a personal capacity.

Businesses in Europe will be asked to provide the European Central Bank with a full list of all outsourcing contracts, including 32 data fields for each with an additional 19 data fields for those deemed critical or important, according to the report.

“This JWG study outlines the transition our industry is undergoing as digital infrastructure risk management moves from the back office to the boardroom,” said Richard Harmon, vice president and global head of financial services, Red Hat. “Now more than ever, the board will need to spend time understanding the interdependencies between banks’ business models, regulatory requirements, technology and supply chain.”

Di Giammarino said financial services firms will need to overcome the way they have traditionally operated in silos – regulatory requirements will require a holistic approach.

“This is all getting very tribal. Even within risk, you have market risk and credit risk, and they may not address operational risk. And now you also have operational resilience. Most of the controls have been developed over time, sort of like how IT infrastructure evolves. Firms now face a major housekeeping exercise about what controls we have in place and whether they are fit for purpose under the new rules.”

Although Chris Skinner of The Finanser, author of several insightful books on digital finance, has often complained that boards don’t have enough directors with strong tech skills, Di Giammarino believes they are already tech-savvy.

“These guys on the board are pretty tech savvy now,” he said. “If they’re under 40, they’ve grown up in a market that’s completely technology-based. I think the question on the board is not so much whether people there understand, but how that second line of defense works together. Every organization can have different people who step up. It may be the main administrative function that brings together finance, compliance and risk, or a bank may simply give it to risk or to operations and technology.”

JWG recommends developing a comprehensive risk management framework that builds on current frameworks and is mapped to the relevant regulations and standards. But the JWG document makes it clear that the regulations under discussion will be broad and will require a review of existing cloud services. For example, EU firms may need to show how they would exit an existing ICT provider and transfer the services to another provider or bring them back in-house. Regulators will gain a unique picture of supply chain interdependencies and be able to identify concentration risks for the first time, the report said.

Regulators will also look at AI to see how infrastructure, data and applications are handled.

“Although the EU has the most obligations and therefore appears to be leading the charge, the UK is closely behind and cooperation with the US is highly likely… Unfortunately, we find that there is little connection between the many risk communities that should be rallying behind these initiatives. Compliance, operational risk, data and technology tribes often seem to operate in silos, and although some best practices have emerged, there is no comprehensive or unified approach to holistic controls today. All in all, this is a recipe for a very complicated, frustrating and expensive 3 years ahead.”

Firms that operate in different jurisdictions, as most large financial institutions do, must navigate overlapping regulatory regimes.

“For example, how does a US financial institution certify that its UK-hosted credit application serves Italian customers with AI that meets the requirements of the EU AI Act, including the design, data, testing and controls that must be registered with the EU authorities?”

The sector has a short window to create a harmonized set of controls, the report warns.

“Implementation efforts are fragmented and require redundant mapping efforts. A huge administrative burden can increase the cost of technology and stifle innovation.”