Risk and Regulation in Financial Services

In BigIDeas on the Go, Omkhar Arasaratnam, the Engineering Director of Cloud Security at Google, shares insights from his career in security and financial services, talks about the interplay between privacy and protection, and offers his thoughts on cloud migration in financial services.

Bitten by the “Security Bug”

Arasaratnam describes his career as “a tech sandwich” that took him from IBM, where he was a penetration tester, to the financial sector, and back to tech again at Google, where he currently builds software controls for customers using the Google Cloud Platform (GCP). In the middle, he headed up security engineering teams at TD Bank, Deutsche Bank, Credit Suisse, and JP Morgan.

Regulations in FinServ — An Evolution of Rights

Early in Arasaratnam’s career, companies’ responses to regulations like the Gramm-Leach-Bliley Act (GLBA) and Sarbanes–Oxley Act (SOX) centered around “the integrity of controls when it comes to financial reporting … and, because of that, a lot of the accountability rolled up to the CFO.”

Arasaratnam saw a different picture while working in the European banking system. “They took a bit of a different turn toward the end of the 2010s and focused a lot more on privacy. The financial sector started to care a lot more about how the PII of their customers and employees were handled.”

Now, years later, the evolving state of data rights is further influencing banks and other organizations in financial services. “Domestically, we’re all waiting to see how the new administration may consider a federal level of privacy protection — and we’re already seeing a lot of changes being made with regard to CCPA [the California Consumer Privacy Act],” says Arasaratnam.

“It’s really changing the view of the financial sector in terms of how that PII is handled. We almost took it as a default that certain kinds of information … could be used within the financial sector to improve marketing, improve targeting, and things of that nature. Due to regulations like GDPR, like CCPA, the attitude on that is changing a lot.”

The Intersection Between Data Protection and Data Privacy

Data protection efforts, from masking data to restricting access, increasingly need to work hand in hand with data privacy principles like "do not sell" and "do not transfer," and that alignment can present a complicated interplay.

“More and more,” says Arasaratnam, “we’re going to have to rely on technology to do it. It’s not going to be a person or a fleet of people making these decisions.” The emerging reality is “that people’s choice — the autonomy that people want in having the say over what occurs with their PII — is really what embodies a lot of the privacy legislation we’re seeing today.”

Citing wisdom from Dr. Ann Cavoukian, the creator of Privacy by Design, Arasaratnam describes privacy as “you, the individual, having the autonomy to provide informed consent as to what you want done with your PII.” Confidentiality, on the other hand, “ends up being the protections or controls that we put in place, should you not wish to disclose that.”

For example, Arasaratnam offers, “if I were to willfully disclose to you and the listeners of this podcast that I had asthma, that would be my choice. However, I wouldn’t want that choice being made on my behalf.”

In this day and age, there are a lot of businesses “that have been built around the idea that we can perform better ad targeting, we can provide consumers more tailored content based on what we’ve been able to infer about their preferences through processing PII. I think that is going to get more and more interesting as time goes on. As there’s more and more informed consent, people’s patterns might change slightly, which from a financial sector perspective, also means some of the areas that were previously being monetized … might start to change along with that.”

Opportunities for Migrating to the Cloud in FinServ

While financial services are typically thought of as being hesitant to migrate their data to the cloud, Arasaratnam has a different interpretation.

“I think a lot of financial sector companies are actually viewing [cloud migration] as an opportunity. It’s very easy to jump on a parallel change agent. So if I want to refactor my application, a great opportunity to do that is through a move to the cloud. And if I want to refactor my application in such a way that it allows better privacy controls, that’s a path that a lot of financial sector companies are taking.”

From Arasaratnam’s perspective, it’s a matter of Darwinian logic and survival of the fittest. “Those that evolve quicker and those that adapt to this new change and impetus — and perhaps those that even find other ways of differentiating their brand through improved privacy, through giving the customer more autonomy — are going to be the ones that end up being leaders in the market.”

Listen to the full podcast to find out how Arasaratnam thinks financial organizations will continue evolving to accommodate emerging regulations — as well as the unique way he’s teaching his digitally native kids the importance of data privacy and security literacy.