
Threading a needle of strategy, technology, and compliance

A historied bank makes a bold, go-slow-to-go-fast decision: All in on net-new, cloud-native technology

CUSTOMERS EXPECT SIMPLICITY; REGULATORS EXPECT COMPLIANCE. IT’S COMPLICATED

THE SITUATION

If you’ve ever looked for a new place to live, you may have come across these two types of homes: the one the landlord’s repainted so many times that the windows barely open, and the one that still smells like new carpet.

It’s unlikely that this is what leaders at a 100+ year-old global bank were thinking about when they decided to expand their offerings into digital services, but it is likely they sorted through similar considerations: Build on top of legacy infrastructure, or create something net-new? 

The bankers wanted, specifically, to provide their customers with a retail banking experience for mobile devices. They’d successfully deployed the product in Europe and now wanted to bring this tested solution to their branches in other countries. The thinking went like this: If they started with a mature and comprehensive regulatory environment like the United States, then they’d be well prepared to handle regulatory challenges in Latin America and beyond. 

Sounds simple enough. But to do so, bank leaders would need to thread a needle—give their US customers the simple, useful mobile experience they expected while, on the back end, navigating that thicket of requirements. Requirements like those set by the Federal Reserve, the Securities and Exchange Commission (SEC), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). 

Requirements, such as complying with the Dodd-Frank Act, the Bank Secrecy Act, and the Gramm-Leach-Bliley Act, which presume a thorough understanding of data privacy and localization, anti-money laundering (AML) practices, and consumer protection regulations, as well as technical considerations like robust cybersecurity measures to manage and protect sensitive financial data. 

(But wait! For a foreign solution expanding into new markets, there were also more garden-variety considerations, like support for multiple languages, and adapting the product to local market practices and customer expectations, including the ability to download the offering as a mobile application or through a browser link.) 

Complicated? You bet. And in the face of this, the bank leaders made a bold choice: opting to build their digital solution on a net-new, cloud-native platform—one they’d build and launch first in the United States, then roll out to other territories. 

It was a bold choice because what the bankers were avoiding in ongoing legacy technology headaches, they were front-loading with a digital transformation. The choice meant significant challenges and layers of complexity that together could make the deployment both resource-intensive and time-consuming. 

So, confident as they were in the path they’d chosen, the leaders were just as confident that they’d need an assist to get it all done. And not just in one area (like technology), but several (like strategy, policy, and compliance too). To make their vision a reality—and thread that needle—they called Deloitte. 

STRATEGIC, SCALABLE, AND SECURE—COLOR THIS BANK FUTURE-READY

THE SOLVE

Why Deloitte? Because Deloitte specializes in just such complex, interdisciplinary projects. In this case, Deloitte team leaders proposed an Advise-Implement-Operate model whereby the firm would bring in Risk & Financial Advisory professionals in Strategic Risk and Cybersecurity, Consulting and Engineering specialists in Core Business Operations (including Cloud Engineering) as well as Human Capital practitioners. These wraparound services, taken together, would span the multiple workstreams the bank needed to align business priorities, cloud technology adoption, and regulatory compliance. 

The project would unfold over three phases: strategy, implementation, and operations. Jointly, the combined bank and Deloitte teams got underway. 

The focus of the first phase was to define the bank’s cloud strategy—while backing a business case—along with a new operating model. Baked into the model: compliance programs designed to proactively manage regulatory obligations, as well as a new organization design that extended beyond the United States to all the bank’s North American entities and third-party vendors. (For a sense of scale, the matrix defining team member roles and responsibilities encompassed more than 50 affected parties over nearly 400 roles and responsibility line items.) This org design established an independent operating model within the bank’s IT group to manage new cloud capabilities (like the mobile app) and included team and role profiles backstopped with workforce plans for both transitioning existing talent and activating new teams.

Also baked into the model: details for a US “landing zone”—the in-country, technical infrastructure supporting cloud applications, providing high resiliency and disaster recovery capabilities, and, not least, ensuring that the applications met all those banking requirements.  

By the end of this first phase, teams had settled on a landing zone in the form of a novel Amazon Web Services (AWS)-enabled cloud solution, an approach that could both support the cloud-native approach the bank required (with all the benefits of cloud technology it brought, like the ability to quickly bring new countries online later) while sidestepping the need for onsite hardware. 

Foundations established, the next project phase was about turning plans into realities—implementing target states, kick-starting operations, and ensuring security and compliance. To this end, Deloitte Governance, Risk and Compliance (GRC) professionals ported bank and industry requirements to the new cloud solution, modified process maps accordingly, then created and applied a Risk and Control Self-Assessment (RCSA) to identify and assess both operational risks and the effectiveness of the new controls in place to address them. 

Deloitte Cybersecurity specialists reinforced these efforts, helping implement cloud security measures like logging, monitoring, and threat detection systems, as well as information security controls. Human Capital practitioners, meanwhile, worked with their bank counterparts on the workforce upskilling, training, and recruiting defined by the new operating model. 

Did the teams encounter any challenges along the way? Of course! Chief among them: balancing the innovative aspects of a new, cloud-native capability with the need to meet proven standards; adapting to the seemingly constant bank audits that made project adjustments and spot compliance attestations necessary; managing the organizational and technical churn brought on by multiple vendors; and a midstream return-to-office policy. Yet despite complexity, despite scale, each challenge—as met with agility and team collaboration—was ultimately overcome.

Within a year, the combined teams had completed a subset of the technical implementations and controls and successfully delivered an early version of the cloud solution. A year later, and the US cloud platform was fully deployed, with a nationwide rollout to North America planned soon after that, and phase three of the Advise-Implement-Operate model underway. 

For this phase, one Deloitte team brought cloud financial reporting and forecasting capabilities online, while another kept both technical innovation and the bank’s business priorities front and center by activating round-the-clock cloud advisory and support services. Meanwhile, the Governance, Risk and Compliance team ran solutions to help keep compliance in check, assist the bank in preparing documentation for regulator exams, help manage costs and improve the GRC process over time—and yet another team supported the cybersecurity applications by providing 24/7 risk coverage. 

Bank leaders’ vision of open banking had become a reality: a compliant, mobile banking application was live in the United States; a new, cloud-native banking platform was running in multiple countries; and member banks could communicate in more efficient ways than ever before, facilitating secure, compliant transactions between different regions. 

No new-carpet smell, maybe, but the needle had been threaded.

THE IMPACT

The cloud-native digital retail banking solution—free from legacy technology—marked a significant milestone in the bank’s storied history. And while the benefits of leaders’ strategic choices will play out for years, the impacts of these choices are already being felt. To wit:  

Better customer experience: The cloud-native solution powers a high-quality, user-friendly mobile banking experience that has seen a surge in transaction volumes, attracted new depositors, and significantly boosted satisfaction and retention rates among existing customers.  

Strategic IT realignment: Identifying new roles and skill sets to focus on the cloud-native solution created new business agility and a platform for innovation unencumbered by previous technology limitations. The choice ultimately facilitated a successful US launch and streamlined both US regulatory compliance and landing zone efforts. 

Global scalability: The project’s success in the United States set the stage for a broader global rollout, with the solution’s US regulatory compliance, scalability, and robustness already delivering continued growth, consistent service quality, and compliance across regions. 

Operational efficiencies: The transition to a cloud-native infrastructure has reduced dependency on physical data centers, resulting in lower operational costs and increased flexibility to scale resources as needed.

FORTUNE DOES FAVOR THE BOLD (WHEN BOLD = CLOUD-NATIVE TECHNOLOGY)
