From conflicting data privacy laws and increasing cybersecurity concerns to rapidly evolving AI governance and trade disruption, technology procurement has never been so complex
Over the past few decades, the force of globalisation has fuelled more liberalised cross-border trade, integrated supply chains and the harmonisation of some regulatory frameworks.
However, in recent years we have seen a slowing or in some cases even a reversal of this trend, with greater economic fragmentation arising from geopolitical tensions, nationalism, and protectionist policies.
In this context, the financial services sector, and in particular those working in tech procurement, face increasingly challenging regulatory divergence. From conflicting data localisation laws and intensifying cybersecurity concerns, to rapidly evolving AI governance frameworks and more general trade restrictions, the global tech procurement landscape has never been so complex.
In this article, we explore (i) key trends arising from an increasingly fragmented and uncertain global landscape and their impact on financial institutions' technology procurement, (ii) how financial institutions are adapting and responding to these challenges and (iii) some practical tips for managing compliance issues.
An overview of major trends
Digital sovereignty and data localisation
We see regulatory movements towards digital sovereignty and data politicisation. As a result, financial institutions now face a patchwork of restrictions on cross-border data transfer and localisation requirements (ie, rules limiting the processing, transfer or use of specified data outside national borders).
Beyond data localisation requirements, regulators are also keen to understand what data arrangements financial institutions have in place with overseas technology providers. This is reflected in notification and other regulatory requirements. For example, financial institutions in Australia that are subject to the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 230 Operational Risk Management (CPS 230) are required to notify APRA in certain circumstances relating to material offshoring arrangements (a key touch point being where data or personnel relevant to the service being provided will be located offshore).
Operational resilience
Operational resilience has been a key focus for regulators over recent years in a highly connected but shifting geopolitical environment. Regulators in some jurisdictions have been stepping up their focus on understanding how economic and non-economic global shocks, geopolitical risks, supply chain risks (including the vulnerabilities of relying on internationally based third-party service providers to deliver essential services, and reliance on 'fourth parties') and other risks may impact the financial system, and whether or not financial institutions are resilient to such operational risks.
Examples of regulations that address operational resilience include (i) the APRA Prudential Standard CPS 230 in Australia; (ii) the Guidelines on Business Continuity Management and the Guidelines on Risk Management Practices – Operational Risk issued by the Monetary Authority of Singapore (MAS Guidelines); (iii) DORA in the European Union; and (iv) the EU Cyber Resilience Act (EU CRA).
National security concerns
National security is now a heightened priority for countries worldwide. Geopolitical turmoil, rising numbers of state-affiliated cyberattacks, new and emerging national security threats (including pre-positioning attacks), re-emergence of distributed denial of service (DDoS) attacks mounted by politically motivated groups and high-profile data breaches are spurring stricter cybersecurity laws worldwide.
These laws include:
- the US Cybersecurity Maturity Model Certification 2.0 program,
- in Australia, the Cyber Security Act 2024 and the Security of Critical Infrastructure Act 2018 (in addition to APRA Prudential Standard CPS 234 Information Security that has been applicable for some time);
- DORA in the European Union;
- the EU Network and Information Security Directive 2 (NIS 2), which also applies to banks except where DORA prevails; and
- the forthcoming EU Cybersecurity Act (currently under consultation).
Regulatory bodies are testing the ability of financial institutions to safeguard sensitive data and respond effectively to cyber incidents. Pressures to prioritise national resilience are also driving developments in sanctions regimes and approvals of foreign investments into critical asset classes and businesses such as banking, superannuation, insurance and financial markets infrastructure (for example, through FIRB in Australia). In turn, financial institutions must adapt their frameworks and operations, such as the location of their digital infrastructure in some cases, to align with updated requirements.
Artificial Intelligence
The rise in artificial intelligence (AI) across economies has also sparked sovereignty debates. Many foundational AI models are developed overseas, with opaque data handling processes, "black box" internal workings that even providers may struggle to fully explain, and priorities that may not align with local needs. This has led to calls for governments to build and invest in domestic AI capability, infrastructure, and expertise. For financial institutions in particular, the risks are twofold: reliance on offshore models raises sovereignty and resilience concerns, while responsible AI use requires addressing issues such as transparency, explainability, and avoiding discriminatory outcomes (eg ensuring algorithms used in credit assessments do not unfairly disadvantage certain groups).
Mounting trade restrictions
An increasingly protectionist trade climate is disrupting ICT supply chains in the finance industry. Banks and other financial institutions rely heavily on ICT suppliers to provide digital services and store sensitive corporate and customer data. ICT-related trade restrictions are impacting costs at source, creating ripple effects for financial institutions. For example, mounting tariffs on hardware manufacturing hubs like Taiwan, South Korea and Malaysia make components such as chips, servers and cooling systems more expensive and lead to more limited supply. As a result, banks and other financial institutions are having to find ways to mitigate the cumulative effect of trade barriers (ie the incremental costs of tariffs applying each time a component crosses a border along the supply chain).
How financial institutions are navigating a fragmented world
Turning to the sovereign cloud
In light of more stringent local law developments and cybersecurity requirements, in some cases financial institutions have stepped back from centralised, globally connected data centres at the heart of traditional cloud services and have been turning to "sovereign clouds".
Sovereign clouds are architectures for customising and isolating cloud systems to specific jurisdictions. They offer financial institutions several benefits, including (i) guaranteed data storage within a country's borders, (ii) enhanced cybersecurity (as sovereign clouds segregate data from other cloud tenants by design) and (iii) a risk mitigant against retaliatory trade measures, by pegging stored data to neutral jurisdictions. The downside is typically a higher unit cost and potential impacts on redundancy (though the latter can be mitigated through primary and secondary cloud arrangements).
Localising digital infrastructure
We expect to see financial institutions continue to hedge against rising pass-through costs, national security concerns and AI capability by considering options to decentralise and onshore digital infrastructure operations to either the home territory (onshoring) or more local, favourable territories (nearshoring).
For instance, booming investor appetite for data centre development in APAC in recent years means financial institutions now have more optionality when it comes to localising data centre operations within a region. In turn, this reduces compounding costs by bringing data centre value chains closer to hardware manufacturing hubs. It is no surprise that Malaysia, known for its semiconductor and electronics production capacities, is currently the fastest growing data centre market in APAC. Hyperscale cloud operators, responding to calls from regulated customers, are also increasingly providing regionalised infrastructure services. Rocky customer sentiment and/or political and media scrutiny over national security concerns may also be feeding this localisation movement. By shifting data processing and storage closer to customers, financial institutions can improve customer confidence and reduce supply chain exposure.
Investing in local partnerships
Financial institutions are increasingly partnering with local providers to regionalise their operations in more cost-effective ways and minimise exposure to shifting patterns of trade. Local providers can offer more flexibility when it comes to dealing with and understanding local law requirements – an advantage over other providers who operate at a global scale and do not do a lot of work in the region.
Practical tips for navigating geopolitical fragmentation
To effectively adapt to a fragmented global landscape, financial institutions should consider the following:
1 Map your data flows and identify relevant assets
- Identify where customer, operational and transactional data is stored and processed, and classify such data in accordance with data classification processes adopted by your organisation.
- Identify which data sets (and if relevant, non-data ICT infrastructure components or systems) are subject to which regulatory regimes. Use this map to identify what your key obligations are with respect to each regulatory regime (eg regulatory notification requirements) as well as assess exposure under emerging or divergent laws and operational risks.
2 Reassess operational risks
- Evaluate current and proposed cloud (and other) third party providers for local compliance readiness (such as data sovereignty features).
- Map third party dependencies to identify and address potential supply chain risks.
- Revisit and stress test previous risk analyses, risk management approaches and third party provider arrangements periodically to ensure that they remain current.
- Revisit and review data governance and other policies in light of your organisation's AI use and emerging laws.
- Consider if operational risk management testing processes can be strengthened and improved (eg through using severe multi-event scenarios that may impact essential financial services at the same time and adopting learnings from the same).
3 Embed compliance into ICT procurement
- Security and sanctions obligations should be incorporated into standard procurement terms. Consider how to incorporate localisation requirements.
- In jurisdictions where data localisation is not mandated, consider if provisions around data location and approval should be included in the procurement terms (this may depend on factors such as data classification and risks associated with the arrangement).
- Plan for enhanced audit rights, exit strategies and operational controls to meet evolving legal standards (eg under DORA in Europe, CPS 230 in Australia and the MAS Guidelines in Singapore). Consider how your organisation will utilise such rights, strategies and controls in the context of ICT procurement, including where there are any dependencies as noted above.
4 Build local partnerships and engage with providers
- Explore regional providers with a deep understanding of local compliance environments.
- Engage proactively with key ICT providers to discuss and resolve issues or risks as they arise, whether through formal/contractual governance channels or informal means.
- Strengthen relationships with regulators where laws are still in flux.
5 Stay ahead of the curve
- Monitor legal developments (eg, EU-US Privacy Framework challenges, Australian privacy reforms, APAC data security and technology laws and regulations) and trade developments.
- Join industry groups or task forces advocating for interoperable regulatory frameworks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.