Data access
Data dependencies and access requirements are two important factors to consider in any cloud migration. Organizations might have to anticipate losing direct access to specific data, such as customer risk profiles and alerts, generated by anti-money laundering (AML) systems. Access might be lost because the financial crime application databases are not on-premises. Instead, they are kept with the cloud vendor. This data is critical for multiple Bank Secrecy Act (BSA)/AML reports and analytics, and organizations should critically evaluate the need for frequent access because the vendor might provide it based only on a predefined schedule.
Access to data generated by financial crime applications is required for several key processes, such as business-as-usual reporting, model validation, system parallel testing, audits, and model tuning. Reconciliation between records sent by an organization’s source systems and records processed by a vendor’s cloud solution also relies on this data access.
Even when the cloud vendor provides data extracts, organizations should consider the impact on IT teams that would need to store the data in an internal data warehouse and process it for use cases such as BSA/AML reports and dashboards.
Existing customizations and user experience
Vendors are introducing cloud-based solutions that offer customizations beyond out-of-the-box options. However, the extent to which these customizations are allowed can vary between vendors and their products. Added flexibility also has an attached cost component. Organizations should critically assess the complexity of offered customizations and the necessity of porting them to their cloud solution.
User experience is another key consideration for cloud migration. Organizations often modify existing on-premises solutions to enhance user experience and efficiency. An example of such a modification is to allow navigation from the financial crime application to other applications hosted within the organization’s network. Supporting such links could be challenging when the cloud solution and internal applications are hosted across different domains.
Security, privacy, and business continuity plans
The constant threat of security breaches is another critical factor in cloud migration evaluations. Security breaches have plagued providers of cloud-based solutions despite the strong security features typically embedded in their products.
Financial services organizations must collect personally identifiable information (PII) to remain compliant with financial crime regulations. A breach of PII can have significant consequences both for the organization and any people tied to that data.
The organization’s information security team should evaluate the threats presented in periodic vulnerability reports issued by the vendors. Threats posed by known and open vulnerabilities are a key criterion when deciding if a cloud-based solution is the right approach.
Further, a financial services organization that has decided to migrate to cloud services should evaluate the vendor’s business continuity support. Support should confirm that operations can be executed without interruption and that required disaster recovery controls are in place to restore the primary site after a failure.
Flexibility
Cloud-based solutions can free financial services organizations from the complexity of performing updates to the code base. Updates such as editing alert workflows, creating or modifying alert views, and other configurations are usually addressed by managed services or the vendor’s customer support team.
Although shifting responsibilities allows financial services organizations to allocate their IT resources to other critical tasks, the turnaround time of vendor updates might be higher compared to performing the changes in house. Furthermore, depending on the nature of the licensing agreement, the vendor might limit the number of changes within a period. Potential costs associated with each additional change could also offset part of any potential cost benefits.
Processing
Another key benefit of cloud migration is the ability to outsource to the cloud vendor various AML processes, such as customer risk profiling, transaction monitoring, and sanctions screening. However, financial services organizations should consider the flexibility needed in the execution schedule of these AML processes.
Flexibility is often required when addressing scenarios that include delayed data processing, ad hoc suspicious activity report filings close to deadlines, transaction rollbacks, and reprocessing. Migrating to a cloud solution could reduce flexibility because the vendor might have to adhere to a standard execution schedule that supports multiple clients on the same cloud infrastructure. As such, financial services organizations should consider the impact of flexibility loss on their overall financial crime compliance program and whether the mitigation provided by a vendor’s standard execution schedule is adequate.
Cost
The rising expenses of running in-house financial crime applications have caused some organizations to consider shifting to cloud-based solutions. Key cost savings associated with cloud environments include personnel costs, infrastructure and hardware costs, and, in some cases, a lower licensing fee.
However, financial services organizations might not always gain the full economic benefits they expect when moving to cloud-based solutions. Factors such as the complexity or customizations in the current on-premises solution, data availability, and the nature of the organization’s business model can affect the bottom line, especially when the organization is spread across multiple regions.
Although licensing and upkeep costs for cloud-based financial crime technologies are typically lower than on-premises solutions, other potential expenses could offset cost-saving benefits if they are not appropriately factored. The vendor selection process should consider annual fees and periodic maintenance costs associated with ad hoc data requests, enhancements, and customizations. Higher turnaround times for operational issue resolutions could also lead to significant resource downtime. The cost of migrating from an on-premises solution to a cloud solution, although a one-time activity, could also chip away at savings if inefficiently managed.
A thoughtful approach to cloud-based solutions
The decision to migrate financial crime technology to a cloud-based solution is a complex one, particularly regarding maintaining compliance with BSA/AML requirements. Financial services organizations should carefully evaluate their specific needs with the appropriate internal stakeholders, including technology and security management groups, to decide if cloud migration is the right path for their organization.
