I had the great pleasure to participate in an international roundtable in Singapore last week with Shared Assessments. The event was hosted by Deutsche Bank and was well attended with banking, service providers, and local regulatory members in attendance. Prevalent and Protiviti, both members of the Shared Assessments Steering Committee, made the trip to support the Santa Fe team. Local Shared Assessments members included JPMC and Deutsche Bank. The conversation was extremely robust with a few key discussion areas that I would like to highlight.
- Firms are looking for a better way to comply and reduce risk in real-time.
- Asian regulatory requirements are more fractured and extremely regionalized, but are informed globally.
- Privacy and data sovereignty continue to be a significant regulatory and technical hurdle, especially given new technologies.
These themes seem to come together in interesting ways. First, the participating firms agreed that some of the manual, custom models currently in use need to be reviewed. They agreed that standardization of content as well as new assessment methodologies for getting the visibility they needed prior to contracting was necessary, but many agreed that it is hard to do this. We discussed the need for proper scoping, automation, and vendor threat monitoring as mechanisms to help deal with many of these inefficiencies. Shared Assessments and Prevalent both play a big role here. There was significant conversation about real-time risk models and how to effectively perform this in practice.
Second, the regulatory environment was a significant part of the conversation. There are over 16 countries and over 100 regulatory bodies represented in the Asian market. This patchwork creates a highly fractured regulatory landscape with different regional regulatory hurdles and political issues. It was discussed that the primary focus of Shared Assessments’ efforts should be initially on Singapore, Hong Kong, Japan, Korea, China, and India. The Shared Assessments team had performed mapping to the primary third-party risk guidance from the Monetary Authority of Singapore (MAS) with the Shared Assessments program tools prior to the event and identified that most of the guidance control areas were covered well with the existing tools. Part of the discussion was to get better validation. In fact, several MAS members were in attendance and able to offer additional commentary around the need for each bank to meet the MAS guidance independent of any other requirements. It was noted that some of the requirements were also more prescriptive than their US counterparts. However, MAS regulators are communicating with other regional and global regulators. Being able to support the requirements in a standardized, sharable framework was highly desired. Of particular interest was support for collaborative assessment.
Third, privacy and data sovereignty were a large part of the discussion, especially given new technologies like cloud and blockchain. The regulations to support the needs of data and IT ownership were significantly different across the region. While the use of cloud continued to be discussed, most agreed that additional cost and complexity might be introduced due to regional data sovereignty requirements, and that this was the cost of doing business. Having a model and guidance from the Shared Assessments program including education, certification, and tools to help with scoping, pre-assessment, contracting, and support for new technological advances was discussed.
Lastly, the conversation went much deeper than anyone expected, as many of the issues facing US banks are being similarly felt, in some ways with more complexity, in the Asian markets. The three topics above started to come together as the discussion moved specifically to how to deal with these issues operationally. The needs of the firms to support multiple markets with significantly differing regulatory issues while managing technology changes posed implementation challenges and additional costs. Additionally, the ability for service providers to comply with requests and prepare for assessments could be fostered through the use of standardized content from Shared Assessments.
The hope from this effort is that a local Shared Assessments community will be able to help inform the needs of the program tools, as well as provide education that can be tailored to the needs of the region. However, it might require supplemental or different tools. The next steps are to help get additional feedback and create a strong nucleus in Singapore that can help support the firms in attendance as well as others facing similar challenges. It seems that the market is prime for this type of support from Shared Assessments.