In September, data management trade association EDM Council launched Cloud Data Management Capabilities (CDMC), an assessment and certification framework that aims to develop and implement standards and best practices for handling sensitive data within cloud environments.

Developed by the EDM Council and partners such as Amazon Web Services, Google Cloud, IBM, and Microsoft, the framework has roped in other big names to the effort.

The Fintech Open Source Foundation, a Linux Foundation nonprofit that seeks to institute open standards in finance, partnered with the EDM Council in November in a bid to automate financial cloud compliance by implementing the CDMC framework via an end-to-end open-source testing and infrastructure-as-code suite. Data warehouse Snowflake announced that its Financial Services Data Cloud was the first cloud platform to be independently assessed by KPMG, an authorized CDMC partner, against the framework’s key controls.

Mike Meriton, EDM Council’s chief operating officer and co-founder, says he expects CDMC to garner full market adoption in the next three years—about half the time it took for the trade body’s Data Management Capability Assessment Model (Dcam), a framework for guiding industry participants’ data management and analytics projects, to reach industry-standard status.

A recent survey by IT management solutions company Flexera found that migrating more workloads to cloud is the top priority among financial services organizations compared to other industries, with 62% of firms surveyed indicating plans to move more workloads to the cloud in 2022. Additionally, one-third of respondents anticipate they would use a mix of on-premise, Software-as-a-Service, and cloud solutions for both consumer data and corporate financial data.

Despite that ambition, the path to full cloud adoption in finance has been murky.

Cost and security concerns have dampened some banks’ appetites for multi-cloud infrastructures, and new regulations in the UK place a heavy burden on firms who, under the new rules, will become auditors of their vendors and third parties, including cloud service providers. And in the US, banks asked regulators for greater clarity on cloud risk after the Federal Reserve, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation issued guidance making it clear that banks are ultimately responsible for the risks of operations that are outsourced to third-party providers.

Nevertheless, firms are faced with an exponentially increasing amount of data and are running out of physical places to store it.

Wes Anderson, vice president and head of enterprise data management for project contributor TD Bank, says the cloud gives banks an unlimited storage capability. “There are physical limitations we deal with when we are the owner of the data center and the on-premise solutions,” he says. “The amount of time it takes a company to expand on-premise is significant.”

In the making

EDM Council’s previous work on Dcam provided a unique starting point for the organization to form the CDMC working group in March 2020. Morgan Stanley, a member of the trade body’s board of directors, had developed on its own a list of starting principles for cloud data management and protecting sensitive data. The bank had also been in conversation with a few cloud providers and had asked how data risk controls could be managed in a multi-cloud environment.

Morgan Stanley then approached the EDM Council on the issue so that cloud providers weren’t faced with the challenge of navigating firms’ different priorities. The Council needed at least 10 companies to form a working group. By May 2020, they had nearly 100.

“This many firms involved in something is notable,” Meriton says. “All the top cloud companies that are normally arch competitors sitting at the same table—that’s highly unusual as well.” Each cloud provider sent engineers weekly to work on the initiative.

Morgan Stanley donated their starting principles focused on cataloging, accessibility, and usage, which helped jump-start the original group meetings.

IBM had 18 individuals, including regulatory consultants from IBM subsidiary Promontory, working on behalf of the company during the working group’s duration. Soren Mortenson, director of global financial markets at IBM, sees the working group as a cross-industry collaboration toward a common goal—something good for everyone. “This is about the classification, control, procedures and security,” he says.

In the end, the working group, chaired by Morgan Stanley and the London Stock Exchange Group, spent a year and a half building the framework through debates and conversation. A total of 750 meetings and 45,000 person hours derived from 300 participants became 164 pages of guidance.

Today the framework includes six core components—governance and accountability; cataloging and classification; accessibility and usage; protection and privacy; data lifecycle; and data and technical architecture—along with 37 capabilities and 14 key controls for managing sensitive data in the cloud.

“At the heart of everything is governance and accountability which means that everything inside of the cloud needs to be cataloged and classified,” Meriton says.

The 14 key controls correlate to the pre-defined components, establishing processes and methods for the handling of sensitive data. The fourth key control concerning data sovereignty and cross-border movement was added at the suggestion of a regulator and put forth that the data sovereignty and cross-border movement of sensitive data must be recorded, auditable, and controlled according to defined policy.

Other key controls stipulate that classification and cataloging must be automated for all data at the point of creation or ingestion and must always be on. In addition, entitlements and access for sensitive data must be defaulted to the creator or owner and all access of it must be tracked.

Structural issues

A May 2021 report from Firebrand Research highlighted the increasing number of partnerships between banks and major cloud providers. HSBC and Standard Chartered have partnered with AWS; Société Générale, Bank of America, and TD Bank have gone with Microsoft Azure; Deutsche Bank and Commerzbank have chosen Google Cloud; and BNP Paribas tapped IBM Cloud. Bank of America, BNY Mellon, and Standard Chartered also have multi-cloud strategies.

But for all the new partnerships inked and all the new technology capabilities that come along with them, firms’ data management proficiency is not equal across the board, particularly when it comes to unstructured data.

Sanjay Saxena, chief data and digital officer at Celebrity Financial, says its invaluable to have a framework that speaks to both structured and unstructured data. Saxena, who was previously senior vice president of enterprise data services at Northern Trust, says organizations typically have no control over their unstructured data.

“The first job is always to solve the problems surrounding the structured data. It might take years before you even get to the unstructured data,” he says. “But the reality is that firms never end up addressing the issues with unstructured data, and that’s why these problems continue to exist all around the industry.”

However, financial firms don’t have the years required to sift through all the data in their systems and rectify issues, particularly ones that operate within regions under advanced privacy regulations like the EU and California, which are under the General Data Protection Regulation and the California Consumer Privacy Act of 2018, respectively.

Mark Davies, a partner at London-based data and analytics firm Element22, which also contributed to CDMC, says the amount of data and information that financial institutions have is staggering.

“Most financial institutions have got reams and reams, terabytes of data and obligations to maintain and store that information for a long time,” he says. “A lot of it is structured data, and a lot of it is unstructured data like signed contracts and documents, emails, voice and video, all part of the same records that need to be kept.”

He says pinpointing the location of sensitive data can be nearly impossible, particularly if its unstructured like a security video. The classification and security controls outlined in the CDMC framework help remedy that problem so that whether the data in question is structured or unstructured, it’s protected at its start.

Success with CDMC can be achieved simply for firms, Meriton says. First, firms need to be ready, willing, and able to conduct informal checks on themselves, and then act upon any deficiencies found. To achieve certification, an auditor or compliance firm should be brought in to independently assess the cloud environment when the firm is confident in its capabilities.

The framework is available to download for free on the EDM Council’s website. Since the roll-out in September, the Council has embarked on the CDMC Authorized Partner Program, for which it is seeking companies who want to conduct independent assessments of their own capabilities against CDMC.