The sprawling conditions of the new Basel Capital Accord – Basel 2 – present no small challenge for Information Technology (IT) managers of banks, insurers and other financial-services providers across the European Union. But don’t overlook the business opportunity of Basel 2.
Take banks in the United Kingdom as an example. Many are now locating data centers outside central London. Where a bank’s paired data centers were once separated by no more than 10 kilometers, innovations in secure, high-speed optical networking now allow them to be deployed 40 to 80 kilometers apart. The banks’ decision appears to be driven in equal parts by regulatory concern and by economics. Putting different data centers on different electricity grids improves the bank’s likelihood of maintaining operations in the event of a disaster – and that is critical to achieving compliance with Basel 2 and other regulations being adopted across the European Union financial-services industry. But, in addition to improving its risk position, the bank can deploy personnel and equipment in less-expensive office space outside the downtown financial district.
It’s an IT solution to a regulatory challenge that delivers substantial business benefit.
The IT Ramifications of Basel 2
Infractions against Basel 2’s requirements for operational risk containment hurt a financial-services provider’s credit rating and, therefore, credit line. In this way, taking data-security risks can prove costly even if no breaches occur. But certainly, in the case of breaches, a financial-services provider will weaken trust with customers and experience lost revenues – in addition to regulatory penalties.
Making strategic investments to comply with Basel 2 guidelines is, however, tricky. There is no single, transparent set of criteria against which a bank or insurer can grade the security of its data, IT systems and services. For example, separating data centers with redundant system components is one of the fundamental rules of deploying disaster-recovery capabilities. Basel 2, however, does not specify a required distance between facilities. As mentioned before, we are seeing UK banks frequently locate data centers 40 to 80 kilometers apart, and UK telco providers have been prompted to support services over distances up to 100 kilometers. How far is far enough to separate data centers? The level of protection a given distance delivers depends on the region. An enterprise must take into account factors such as the likelihood of earthquakes and flooding in its area when choosing an appropriate distance.
Furthermore, Basel 2 requirements are sweeping. It would be easy to pay too much attention to one area, not enough in another. A financial-services provider might operate high-availability mainframes in a modern, high-security facility that is fully protected against various physical and logical risks – but fail to go far enough in ensuring security of data in transit between geographically separated data centers.
Defining and Supporting RTOs and RPOs
The first step in building a disaster-recovery solution that lives up to Basel 2’s broad standards is completing an RTO/RPO analysis per service or system in use. RTO (recovery time objective) defines how long the financial-services provider can go without availability of a particular service or system. RPO (recovery point objective) defines the maximum data loss the provider can tolerate, measured in time: the interval between the point at which data was last backed up or replicated and the moment a service or system fails.
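As an added example, not taken from the article, the following Python records the result of such an RTO/RPO analysis per service and checks the protection actually in place against each target: the measured restore time against the RTO, and the worst-case data loss implied by the backup or replication interval against the RPO. The service names, targets, recovery points and measurements are all constructed for illustration; Basel 2 itself prescribes none of them.

```python
"""RTO/RPO gap check for a constructed service inventory.

Added example, not from the original article. All services, targets,
recovery points and measurements below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Service:
    name: str
    rto: timedelta               # longest tolerable outage of the service
    rpo: timedelta               # most data loss, measured in time, the business tolerates
    backup_interval: timedelta   # how often a recovery point (backup or replica snapshot) is taken
    measured_restore: timedelta  # restore time observed in the most recent DR exercise


def worst_case_data_loss(svc: Service) -> timedelta:
    """A failure just before the next recovery point loses one full interval."""
    return svc.backup_interval


def actual_data_loss(failure: datetime, recovery_points: List[datetime]) -> Optional[timedelta]:
    """Data lost for a concrete failure: the time since the last recovery point before it.

    Returns None when no recovery point precedes the failure (nothing to restore to).
    """
    earlier = [p for p in recovery_points if p <= failure]
    if not earlier:
        return None
    return failure - max(earlier)


def assess(svc: Service) -> List[str]:
    """Findings for one service; an empty list means both RTO and RPO are met."""
    findings: List[str] = []
    if svc.measured_restore > svc.rto:
        findings.append(
            f"RTO gap: measured restore {svc.measured_restore} exceeds target {svc.rto}")
    loss = worst_case_data_loss(svc)
    if loss > svc.rpo:
        findings.append(
            f"RPO gap: worst-case data loss {loss} exceeds target {svc.rpo}")
    return findings


def assess_inventory(services: List[Service]) -> Dict[str, List[str]]:
    """Map each service name to its list of findings."""
    return {svc.name: assess(svc) for svc in services}


# Constructed sample inventory (hypothetical services and figures).
H = timedelta(hours=1)
M = timedelta(minutes=1)
INVENTORY = [
    # Hourly replication, 20-minute restore: meets the 4 h RTO, misses the 15 min RPO.
    Service("payments", rto=4 * H, rpo=15 * M, backup_interval=1 * H, measured_restore=20 * M),
    # Daily backup, 6-hour restore: meets the 24 h RPO, misses the 2 h RTO.
    Service("nightly-batch", rto=2 * H, rpo=24 * H, backup_interval=24 * H, measured_restore=6 * H),
    # Daily backup, 30-hour restore: both targets met.
    Service("archive", rto=72 * H, rpo=7 * 24 * H, backup_interval=24 * H, measured_restore=30 * H),
]

# Constructed recovery points and failure time for the concrete-loss calculation.
SAMPLE_POINTS = [datetime(2024, 3, 1, h, 0) for h in (0, 1, 2)]
SAMPLE_FAILURE = datetime(2024, 3, 1, 2, 40)   # 40 minutes after the last point

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print("data loss at sample failure:", actual_data_loss(SAMPLE_FAILURE, SAMPLE_POINTS))
```

Two points the table alone does not make obvious: the RPO check uses the worst case (a failure just before the next recovery point), not the average, and a restore that has never been timed in a DR exercise cannot be shown to meet any RTO, so the measured figure, not the vendor’s estimate, belongs in the inventory.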