A-Team Insight Blogs

DTCC Details Lessons Learnt and Best Practice Approaches Resulting from its Cloud Adoption Journey

Share article

DTCC has highlighted the challenges and opportunities of its cloud adoption journey in a white paper published today and designed to help financial institutions take best practice approaches to cloud implementation.

The paper, Cloud Technology: Powerful and Evolving, is authored by the company and recognises financial firms’ ongoing move to the cloud in search of efficiencies and business benefits. Its timing reflects an acceleration to cloud computing as a result of the coronavirus pandemic, although it also notes a change in the cloud proposition stating: “Initial enthusiasm for large scale transitions of entire application portfolios to the public cloud has subsided to a more practical pace amid deeper consideration of the specific requirements for individual business solutions.”

Business and regulatory issues to consider before embarking on a cloud adoption journey include:

  • State and cost of an existing solution
  • Appropriateness of cloud technology for business purposes
  • Ongoing support for data security and privacy
  • Ability of cloud technology to meet clients’ resiliency and performance demands

From a data and data management perspective, governance is key. Robert Palatnick, managing director and global head of technology research and innovation at DTCC, says: “At DTCC, any move to the cloud starts with governance processes. These are a key enabler to the cloud journey.” He notes that governance is not usually an IT responsibility, and is more likely to be the remit of control roles in areas such as risk, audit, compliance and legal.

Talking about the DTCC’s cloud adoption, Palatnick says: “We evaluated every app and associated data for cloud worthiness and whether cloud technology could support our data ratings and tier ratings for apps.”

The company’s data rating puts personal data and immediate trading data in the top tier of ‘red data’, above other ratings such as internal memos and, finally, public data. Palatnick says: “There are shades of red depending on how old data is, whether it is used in an app or archived, and how it is encrypted. This is all part of data governance.”

Classification of apps is made on the basis of how critical they are, recovery time and recovery objectives, issues that are often both business and regulatory requirements. The top tier of apps are those requiring the shortest time to recovery with as little data loss as possible. In lower tiers are processes and development environments with a longer time to recovery, but no impact on customers.

“We assess data and apps very carefully, and have moved app by app,” says Palatnick. “We have not yet moved our most critical processing, real-time clearing and settlement, to the cloud, but we are making progress.” Lessons learnt from DTCC’s cloud journey include the importance of governance and the need to engineer security as cloud vendors offer security capabilities but they must be customised to meet specific requirements.

Summing up elements of best practice, the DTCC report lists:

  • Regulated entity obligations: cloud strategy, cloud governance, proactive security controls oversight, exit strategy
  • Foundational technology capabilities: architecture, automation, on-premises cloud options, lift and shift vs. design for cloud
  • Resilience and resilience verification capabilities: failover and disaster recovery, resilience, and chaos engineering
  • Cloud vendor obligations: contractual agreement considerations, security considerations, evidence of available capacity, data localisation and privacy

As DTCC continues its cloud journey, further consideration will be given to developing applications using only cloud-ready technologies and approaches, and automation and layering of technologies to leverage cloud-hosted applications. Alerting and monitoring will continue to be core elements of resilient and secure operations, while the establishment of a principles-based, harmonised regulatory framework should better support further adoption of cloud services. Finally, the report parallels industry interest in a common lexicon of cloud terminology that could foster effective, cross-sector communication and increased understanding of regulatory requirements.

Related content

WEBINAR

Recorded Webinar: Address Emerging Operational Risk and Alleviating Data Blind Spots with AI Powered Risk Management

The digitalisation of financial services is in full flight, as financial institutions strive to offer the same levels of service and improved customer experience that consumer markets have enjoyed for some time. This digitalisation – providing seamless access to appropriate services on demand – requires great emphasis on client data. This changing digital landscape, and...

BLOG

Why the Reality of Third-Country Regulatory Reporting is About to Bite!

By Volker Lainer, Vice-President of Product Management at GoldenSource. Just two months until the end of the transition period, ESMA’s latest report brings home the stark reality of what third-country status means for UK financial institutions from a regulatory reporting perspective. Regardless of whether or not a trade agreement between the EU and the UK...

EVENT

TradingTech Summit London

The TradingTech Summit in London brings together European senior-level decision makers in trading technology, electronic execution and trading architecture to discuss how firms can use high performance technologies to optimise trading in the new regulatory environment.

GUIDE

Regulatory Data Handbook 2020/2021 – Eighth Edition

This eighth edition of A-Team Group’s Regulatory Data Handbook is a ‘must-have’ for capital markets participants during this period of unprecedented change. Available free of charge, it profiles every regulation that impacts capital markets data management practices giving you: A detailed overview of each regulation with key dates, data and data management implications, links to...