March 3, 2023
By Tony Erwin and Erick de Carty

See how the unique industry-specific capabilities of IBM Cloud for Financial Services are designed to help you reduce risk and accelerate cloud adoption.

Are you responsible for developing, deploying or managing applications and data in the financial services industry? Do you spend a lot of time worrying about all the associated risks, compliance standards and regulatory requirements? Would you rather spend more time focused on how to deliver value to your clients? If so, keep reading to learn how IBM Cloud for Financial Services® can help you mitigate risk and accelerate your adoption of the cloud.

IBM Cloud® is well-suited for regulated workloads with its end-to-end cloud security capabilities and support for a wide range of compliance programs. IBM Cloud for Financial Services extends the capabilities of IBM Cloud to provide an industry-driven cloud platform that supports the unique requirements of the financial services industry. It hosts a rich ecosystem of IBM Cloud and partner services that makes it easier to achieve and demonstrate regulatory compliance postures for your financial services workloads.

In addition, the IBM Cloud Framework for Financial Services provides the following accelerators to help you effectively use IBM Cloud for Financial Services to host even your most sensitive and mission-critical workloads:

  • A comprehensive, first-of-its-kind set of control requirements designed to help address the security and regulatory compliance obligations of financial institutions.
  • Detailed implementation guidance for each control requirement to go hand-in-hand with detailed reference architectures.
  • Automation to make it easier to deploy and configure the reference architectures.
  • Tools that enable you to efficiently and effectively monitor compliance, remediate issues and generate evidence of compliance.

Learn more about each accelerator in the sections that follow.

Industry-specific control requirements

The framework’s 565 control requirements serve as the foundation for the IBM Cloud for Financial Services, and they cover administrative, technical and physical concerns common across the financial services industry. The control requirements were initially based on NIST 800-53 and have been enhanced significantly based on collaboration with major financial institutions around the world. As the regulatory landscape changes, we continue to update the framework based on evolving industry standards and feedback from our partners. In addition, we have partnered with organizations like the Cloud Security Alliance (CSA) to map the control requirements to the CSA’s Cloud Controls Matrix (CCM), a cybersecurity control framework for cloud computing that helps to address third- and fourth-party risk in the cloud.

IBM Cloud provides a rich set of data centers, infrastructure and services that have evidenced compliance with the control requirements and have been designated as IBM Cloud for Financial Services Validated. This means you can use these components for your financial services workloads knowing that the control requirements are integrated into the technology stack. Keep in mind that all IBM Cloud services are designed with security in mind, and many are certified with other compliance programs, such as ISO, SOC, etc. So, even cloud services that are not yet Financial Services Validated may be considered for use in your solutions depending on your use case, sensitivity of data, etc.

Furthermore, we have a growing partner ecosystem of services and software that have received the Financial Services Validated designation. This means you may use these offerings within your solutions and spend less time and effort vetting third-party risk and compliance.

Guidance and reference architectures

The framework also provides detailed implementation and evidence guidance for each control requirement. The guidance provides the information you need to design, develop, deploy and manage your applications in a way that meets the security and regulatory requirements defined by the control requirements. Along with the extensive deployment and configuration guidance that takes advantage of a shared responsibility model, three pre-defined reference architectures are provided. These architectures demonstrate how to stitch together Financial Services Validated ecosystem components and serve as a secure basis for running your own financial services workloads on IBM Cloud.

Automated deployable architectures

The framework also provides Infrastructure as Code (IaC) using Terraform—a declarative open-source tool for provisioning and infrastructure orchestration—to automate deployment of the VPC reference architecture on IBM Cloud. This enables you to deploy a reference architecture with greater speed, less risk and reduced cost.

The automation can be run as an IBM Cloud project to help you build out a secure software development lifecycle (SDLC). When using a project, Code Risk Analyzer is added to your workflow to provide for code and security scanning. This is an example of “shift left” (DevSecOps) where security and vulnerability checks are added earlier in the development lifecycle. In this case, Code Risk Analyzer will analyze your Terraform against a set of compliance checks mapped to a subset of control requirements. If any of them fail, your Terraform is not executed. This helps to ensure your deployments are secure by default.

Visit VPC landing zone deployable architectures to try it out.

Continuous compliance monitoring

Once you’ve deployed your solution, it’s very important to ensure your continued compliance against the control requirements and associated guidance. With IBM Cloud® Security and Compliance Center, you can integrate daily, automatic compliance checks into your SDLC to monitor for possible security flaws and changes in baseline configurations that need corrective action. Unlike Code Risk Analyzer, Security and Compliance Center runs its tests against a live system.

Security and Compliance Center includes a pre-defined IBM Cloud for Financial Services profile that offers a set of automated tests appropriate for the VPC reference architecture. These tests are mapped to a growing subset of control requirements. While a successful scan does not ensure overall regulatory compliance, it provides a powerful point-in-time statement of your current posture against the control requirements for a specific group of resources against a robust set of baseline tests.


This post shows how the unique industry-specific capabilities of IBM Cloud for Financial Services are designed to help you reduce risk and accelerate cloud adoption. You’ve also seen how the resources in the IBM Cloud Framework for Financial Services—control requirements, implementation guidance, reference architectures, automated deployments and continuous compliance monitoring—allow you to make the IBM Cloud for Financial Services work for you as you build your own financial services applications. Our goal for these resources and tools is to free up your resources so that you can focus on core competencies and drive innovation for yourself and your clients.

If you’re ready to discuss and align your strategic initiatives, assess your cloud risk or leverage IBM Cloud for Financial Services as a force multiplier, connect with an IBM Cloud expert. In addition, if you represent a financial institution and want to collaborate on reducing the risk of cloud consumption across the financial services industry, we invite you to become a member of the Financial Services Cloud Community.
