Continuous compliance in the financial sector with AWS cloud

Until now, due to their processing of sensitive data, financial sector companies had to meet a series of requirements when it came to their on-premise infrastructure in the area of encryption, business continuity plans, backups, or disaster recovery, to name but a few. Local servers were audited on a regular basis by designated inspectors. This changed with the advent of the cloud which allows for generating event reports in real time, with no physical servers, everything written in code and available via APIs.

What is continuous compliance?

With global development of cloud computing and fast-changing legal frameworks, companies from regulated sectors need to be sure that they operate in line with the law. Thanks to AWS’ automated continuous compliance approach, cloud objects and events such as servers and centrally deployed updates are being monitored in terms of changes that may potentially affect an organization's cloud compliance status.

Continuous Compliance with AWS Config

The AWS Config tool eliminates manual compliance processes and helps report any occurring changes in the AWS environment to the IT team. Cloud’s compliance can be then confirmed based on predefined account-specific requirements, or, if the alterations impact its status, subjected to remediation actions - either by inhouse admins or in cooperation with their AWS partner. Specifically defined requirements and boundary conditions on the account can also help maintain projects status in the face of changing or rotating development teams - once formulated, they stay the same.

Who sets compliance rules for financial companies in the cloud?

On a large scale, it's the European Banking Authority whose primary interest is to mitigate and prevent cloud risks in connection with governance, compliance, cybersecurity, vendor lock-in (or other monopolistic practices), loss of business continuity or system stability. These regulations are later translated to provisions enforced by local controlling bodies that monitor companies operating on their markets, i.e. The Polish Financial Supervision Authority (PL: KNF - Komisja Nadzoru Finansowego) in case of Poland. In practical terms, these companies may also use the PolishCloud 2.0 Standard which is a hands-on manual developed by The Polish Bank Association, Banking Technologies Forum and electronic Banking Chamber gathering best practices and solutions in terms of cloud migration for financial institutions in Poland.

Make sure to choose the right cloud vendor

Apart from controlling the company’s compliance status, local authorities, such as The Polish Financial Supervision Authority, have the right to audit if cloud financial institution’s developers teams (as well as their cloud vendors) have the right skills, competences and certificates to manage cloud resources in terms of processing data, or at rest and in transit encryption. Authorities may also look into contracts with cloud providers as well as their risk management strategies or documentation to assess if the company demonstrates business governance and desired compliance status - a much easier task with a trusted cloud partner.