Tuesday, August 7

The moans from compliance

Here's another broadside from the compliance side of the business. A survey of audit and compliance professionals in the USA has found that they absolutely hate IT for not taking care of identity and access management. They also expressed frustration that the IT and business groups are not collaborating well with the compliance folks to implement identity and access management.

Well, this is unfortunately far too common, and I have seen this at every financial institution that I have worked in or know of. Given a regulatory requirement like implementing identity or access control, compliance usually comes in with a maximalist position, business comes in with a minimalist or, frankly, "go away and don't bother me" position, and IT comes in and designs a nuclear powered paper clip. Why? Well, compliance always thinks in terms of binary positions: you are either in compliance or you are not. So they tend to err on the side of caution and ask for the most draconian setup. IT are always suffering from lack of funds, and they absolutely love mandatory and compliance projects because the chances of those passing the business case investment committee are much higher! So they go away and design a nuclear powered paper clip. And the long-suffering business thinks that they are again getting hit by red tape, compliance and regulatory pressures. And so the whines start.

It is tough; the business is getting extremely complex and the process chain is more and more complicated. Not to mention long (not only by systems but also by geography). When you have a very long process and automated chain, changes to even one component have a huge upstream and downstream impact. All the SOA and middleware help is simply lipstick on a pig in the greater scheme of things, I am afraid. That is why, more often than not, people will go for a manual solution rather than automate it. And once you have a few years of this, 3-10 mergers and acquisitions, and rapid technology change, you end up with a cat's cradle of systems, processes and databases. If you try to throw in new regulation, it really becomes expensive to implement.

There is no solution; each regulatory change has to be evaluated hard, and existing banks are way too big and bulky to go for structural and strategic changes such as implementing huge SOA or middleware packages. It is just too expensive, I am afraid. But there you go, fun times in financial institution land.








All this to be taken with a grain of piquant salt!!!
