It's no secret that banks and fintech companies must meet compliance and regulatory standards that are much stricter than what traditional tech companies are forced to comply with. The question becomes: How do you meet strict regulatory and compliance standards while keeping up with the rapid pace of innovation in technology?
As the vice president of enterprise architecture and technology strategy at Discover Financial Services, I think about this question often as we work to design our tech stack. I've come to believe that technology teams in regulated industries need to move beyond DevSecOps and embrace what I’ll term DevSecRegOps.
DevSecOps refers to development, security, and operations. As a practice, DevSecOps is a way to engrain practices in your SDLC that ensures security becomes a shared responsibility throughout the IT lifecycle.
DevSecRegOps takes DevSecOps a step further by ensuring security and regulatory demands are the responsibility of every team at key development steps of the IT lifecycle. We're in the early phases of adopting this mindset at Discover, but I believe the best way to achieve it is to design with regulation in mind, automate regulatory compliance, build regulatory compliance as code, and change the culture so that everyone who works at Discover feels responsible for compliance and meeting our regulatory obligations.
Design for regulation
The architects in charge of designing a company's overarching infrastructure and applications must design for compliance up front so that teams don’t have to scramble to meet regulatory requirements at the end of a development lifecycle.
To do this, companies must ensure that architects and engineers have easy access to relevant regulatory standards, company policies, and industry best practices so they can ensure what they’re designing meets those standards from the start. Creating and enforcing these expectations across your team of architects is imperative to ensuring regulatory compliance.
Automating compliance and regulatory checks is the most effective way to ensure compliance standards are met. One way to achieve this is to build regulatory checks into your CI/CD pipeline to ensure consistent compliance with auditable trails. Ideally, ensuring these compliance checklists trigger a failure close to the beginning of the SDLC ensures you don’t get to the end and realize you’re not compliant.
Engrain DevSecRegOps into your development culture
Like many other development practices, including security and reliability, it’s imperative to shift left on DevSecRegOps, ensuring the entire organization feels responsible for meeting regulatory standards and requirements.
Creating a development culture that embraces compliance starts with executive buy-in, comprehensive training across teams, and processes and tests that assess and enforce regulatory compliance culture.
Compliance as a practice
Ensuring customers can access their finances and financial information in a secure, reliable way builds trust with our customers. Embracing regulatory compliance as part of the development lifecycle ensures that we can continue to scale our card, banking, and loan services in a way that best serves our customers.