Engagement overview
The Vehicle Asset Finance (VAF) business of a leading African Bank was migrating one of its core operating platforms to a cloud-based provider. The selected third-party provider had successfully completed implementations in the UK and USA, but the Bank was the first African organisation to use this provider.
As a significant player in the overall transformation programme, and with expert knowledge of the banking compliance landscape, BSG was asked to oversee and execute the compliance requirements, ensuring the customer journey on the new system remained compliant with all relevant regulations. To enable this, the compliance requirements were managed as a stream of the overall transformation programme, and were considered as part of the upfront requirements gathering and scope planning for each iteration of the implementation.
In 2018, the South African Reserve Bank (SARB) issued a directive (D3/2018) and guidance note (G5/2018) on cloud computing and the offshoring of data by banks. SARB expects banks to follow a risk-based approach, aligned with their risk appetite and based on the nature and size of their operations. The directive specifies that banks must have a formally defined and board-approved data strategy and data governance framework in place. In addition, they must ensure their Risk Appetite Framework effectively manages the risks associated with cloud computing and/or the offshoring of data. When offshoring data, banks must ensure compliance with South African regulations, as well as those of the country in which their data is hosted.
The BSG team was instrumental in facilitating the completion of the third-party cloud provider’s risk assessment, used to define the Bank’s Risk Appetite Framework. The framework ensures the Bank has identified, assessed and provided effective controls to manage potential risks of a cloud-based application. The BSG team also facilitated the approvals process with SARB.
In the initial phases of the programme, the team worked with a black box version of the cloud-based application, testing features and functions. The black box used was set up based on a US roll-out, and the team found the legislative requirements fundamentally different from South Africa’s. To manage this, the team overlaid the requirements of the various Acts (NCA, CPA, FICA) on the system configuration to ensure compliance.
The overall transformation programme employed an agile, iterative approach. In line with this, features were prioritised based on business needs (i.e. ones that addressed specific business or customer pain points) and items considered ‘low-hanging fruit’ (i.e. ones that could be rolled out easily and with limited downstream impacts).
By being involved in the upfront requirements gathering and sprint scoping, the compliance stream was able to proactively manage compliance requirements. Prioritised features and functions were reviewed to unpack the regulations involved. The team ensured the Bank’s policies relevant to each regulation were integrated into the requirements gathering process, and provided these reviews to the technical team responsible for implementation. The team then tested features and functions in the development environment to ensure legislative requirements were fully met.
Once the team was satisfied the Bank’s regulatory policies had been effectively implemented and the system was compliant, the Bank’s Compliance and Risk function was brought in to manage the final approvals prior to go-live. At each stage, a risk lens was also applied to ensure the business risk was fully managed in terms of, for example, customer experience and training for staff.
Making a difference
BSG oversaw and facilitated the completion of the third-party cloud provider Risk Assessment, which resulted in the Bank’s Risk Appetite Framework. In addition, the BSG team managed the approvals process for this framework with SARB, removing a time-consuming requirement from the Bank’s internal Compliance and Risk function.
By managing the compliance requirements as a stream of the overall transformation programme, the team ensured uninterrupted regulatory compliance of a core operating platform throughout the cloud implementation. Compliance requirements formed a fundamental part of the requirements gathering process for each sprint, which avoided costly retro-fitting of compliance-enabling features. Beyond the cost of retro-fitting, maintaining uninterrupted compliance also mitigated the risk of costly fines for non-compliance or regulatory infringements.
By applying a risk lens in addition to a compliance lens during the requirements gathering phase of each sprint, the stream ensured that business risk was identified and assessed proactively. This also contributed to a smooth customer experience (CX) for end-users by ensuring staff were adequately trained on all the features as they were rolled out.
Benefits of the overall programme include a reduction in failed applications caused by system inefficiencies, reduced application turnaround times and improved CX.