Aiven Blog

Apr 5, 2024

The Top Two Misconceptions as FSI Compliance Requirements Tighten

With Basel 3.1 aligned frameworks, governments worldwide are increasingly emphasising the need for financial institutions to maintain operational continuity.

Michael Coates


Senior Solution Architect

With compliance and risk management regulations set to tighten globally, many financial services organisations are working extremely hard to identify and close gaps in their existing risk management and compliance strategies. What’s more, finding previously unidentified gaps or vulnerabilities is becoming increasingly common, especially when assessing existing frameworks against these new industry requirements.

At Aiven we talk with financial services customers every day about organisational risk and compliance and the ways that technology can help address and close these gaps. With APRA’s operational resilience framework, comprising CPS 230 & 234, coming into effect in Australia, and other Basel 3.1 aligned frameworks within Asia Pacific, Europe, the UK, and the United States, it’s clear that many FSI organisations are facing similar challenges.

Two of the biggest areas of vulnerability for financial services organisations right now are: running outdated or unsupported software, and single supplier failure or vendor lock-in.

A lens on regulation changes and challenges in APAC

A myriad of global changes are impacting the financial services industry (FSI), including increased geopolitical tension, economic turmoil, consumer demand, ESG considerations and reporting, the rise of digital assets, and the accelerating digitalisation of finance, not to mention growing complexities of financial crime and operational resilience.

It’s no surprise then, that governments are taking an active role in trying to increase resilience. As one example, in Australia, CPS 230 & 234, scheduled to take effect from 1 July 2025, will apply to all Australian Prudential Regulation Authority (APRA) regulated entities in banking, insurance, and superannuation, introducing new requirements for operational risk management, service provider risk management, and business continuity planning. As such, APRA-regulated entities must prepare to implement substantial changes to their governance structures, compliance protocols, contractual frameworks, and incident response mechanisms to meet changing demands.

To pave the way for future growth and navigate an increasingly intricate regulatory landscape, firms must strategically invest in technology solutions that support governance, risk, and compliance - understanding their biggest pitfalls and areas of opportunity. Leveraging solutions and powerful vendor partnerships will go a long way in the management of regulatory obligations, reporting requirements, and internal policies and procedures.

Misconception #1: Running outdated or unsupported software isn’t a big deal

A recurring pain point we hear all the time with FSI organisations is running outdated software systems. A surprising number of businesses are running outdated software even now, and for a variety of seemingly valid reasons.

For instance, an IT lead may have lapsed on updates to reduce downtime and resigned from an organisation before rectifying the situation, or an organisation may have invested in software that reached its end of life and now has neither the time nor the resources to either change or update the software.

We know unsupported software leads to several issues, such as compatibility problems or a breach of security policies, and that updates are heavily encouraged to remove this risk. However, updates often require outages and a significant depth of knowledge, which can too easily be touted as valid rationale to postpone them. Organisations are more likely to run the risk of outdated software than to inconvenience their customers with a potential downtime period.

This issue not only creates operational hurdles but also has significant reputational and compliance consequences, especially as regulations become stricter. Under the new regulations, actions like this would be a breach, especially around technology refresh management. An unpatched system is an insecure system, which fails to meet regulatory requirements for Information Security. We also know that with the right vendor and technology partner, downtime doesn’t have to be a given and can be greatly minimised or removed entirely.

Misconception #2: Vendor lock-in and single supplier failure won’t happen to me

One of the requirements for regulatory compliance is for organisations to protect themselves against single-supplier failure. Whether storing critical, business-critical, or any consumer data, financial institutions must have more than one copy of data in different locations, that can easily move in and out of supplier arrangements.

If an organisation is locked into a single-supplier arrangement, it becomes harder to leave and costs can increase.

There are various reasons why an FSI may end up in a vendor lock-in. In some cases, FSIs will try to lessen the number of vendors they engage with to reduce complexity, specialised-skills requirements, and the time spent negotiating multiple contracts, and to avoid acting as a system integrator. But it’s a double-edged sword: by putting all your eggs in one basket, you open yourself up to risk as well. This can come not just from a region going offline, but also from losing pricing leverage and the ability to make a deal, and once you are locked in, the cost to move can far outweigh the benefit of doing so.

As regulations change, there is further incentive to choose technologies that aren’t vendor specific and that are easy to resource, and to ensure that the resourcing for those technologies also isn’t coming from a single provider. Open-source software presents a compelling argument both for operational efficiencies and for protection against vendor lock-in, so data can flow freely and compliance requirements can be adhered to.

We’ve found when FSI organisations are not using open-source software it’s generally because they don’t have a defined support path or have fears around security and updates. However, with the right vendor, open-source can be a powerful ally in staying up to date with compliance needs, and offering greater support to improve business outcomes.

As an example, the Aiven managed platform leverages open-source technologies and takes care of automated maintenance and updates on a weekly basis, so organisations are always running supported and up-to-date software. For major updates, depending on the product and the open-source project, Aiven highlights to customers when version End of Life (EoL) is approaching, and supports an upgrade process which is automated and well-proven. Near-zero-downtime upgrades for your open-source software are now a reality with Aiven.

On top of this, when it comes to single supplier failure, Aiven steps into these supplier arrangements to run across multiple clouds – in line with financial regulations – so organisations can easily migrate data between their service providers, be that AWS, Google, MS Azure, Oracle, or others, in a matter of minutes. In these circumstances, Aiven becomes a supplier as well, but being open-source, Aiven’s arrangements are simplified and transparent.

Top tier management solutions for a changing regulatory world

Aiven’s cloud-agnostic, unified platform provides best-in-class open-source solutions to address operational and compliance needs to help FSIs stay focused on delivering business value. IDC’s recent report highlights how open-source through Aiven enables a move away from building and maintaining on-premises infrastructure, thereby avoiding the human resource and competency costs that organisations otherwise had to absorb, and ensuring productivity and risk mitigation benefits.

Overall, IDC found that Aiven customers achieved strong ROI value by ensuring more efficient and effective use of data-related solutions core to their business operations:

  • 37% lower three-year cost of operations
  • 81% faster to create and deploy a new database
  • 29% more efficient IT infrastructure and security teams.

Using Aiven, organisations were also able to boost their net revenue per year, while also managing tightening restrictions and compliance regulations with embedded and automated data management.

Get in touch with Aiven to see how you can maximise your tech spend.
