Shadow IT doesn’t necessarily emerge from malicious intent—it can grow from necessity and convenience, where within minutes what seemed like an innocent workflow optimization becomes a compliance violation and a security breach.
Research found that 41% of employees used shadow IT in 2022, a number expected to climb to 75% by 2027.¹ In Asia’s competitive financial landscape, where speed often determines deal success, this trend is accelerating rapidly. The ease of deploying cloud-based solutions means that a junior analyst can subscribe to premium data analytics tools, a trader can install unauthorized messaging apps, or an entire department can adopt project management software—all without IT knowledge or approval.
Asian financial institutions face distinctive challenges that amplify shadow IT risks. The region’s diverse regulatory landscape means compliance requirements vary dramatically between Hong Kong’s SFC regulations, Singapore’s MAS guidelines, and Japan’s FSA framework. This complexity often leads employees to seek quick technological solutions that inadvertently bypass multiple jurisdictions’ requirements simultaneously.
Shadow IT, encompassing all unauthorized IT tools and systems used within an organization without explicit approval, poses a complex challenge for financial institutions, especially those operating on a global scale. According to industry research, 83% of employees admit to using applications that haven’t been approved by their IT department.⁷
Automation, APIs and Exposed Credentials
Shadow IT in financial institutions typically manifests in several common patterns. Examples of shadow IT include sharing work files on a personal cloud storage account, holding meetings through an unauthorized video conferencing platform when the company uses a different approved service, or creating an unofficial group chat without IT approval. ⁸ And in Asia’s financial sector, the implications are magnified across multiple technology vectors.
Shadow APIs and Integration Points: One of the main issues is the proliferation of undocumented or “shadow” APIs, which can lead to significant security vulnerabilities. In financial institutions, developers often create quick API connections to expedite processes. These shadow APIs are often created for internal use, during development phases, or to meet an urgent business need, but teams may forget about them and they may not have the proper authentication and access gates in place, potentially exposing sensitive data.
Personal Password Manager Risks: Research shows that corporate credentials frequently end up getting stored in personal password managers, creating a significant security vulnerability when these personal tools are compromised or when employees leave the organization.⁷ When an analyst stores their Bloomberg terminal password in the same personal password manager as their Netflix login, they create an attack vector that bypasses all corporate security controls.
Public Cloud VM Instances: Developers might spin up AWS EC2 instances or Azure VMs using personal accounts to run complex financial models or store temporary datasets. A compliance officer at a Hong Kong investment bank discovered that several analysts had been using personal AWS accounts to process client transaction data for regulatory reporting, creating a massive data sovereignty and compliance violation spanning multiple jurisdictions. ¹⁶
Shadow Automation and Workflow Tools: Perhaps the most insidious form of shadow IT involves automation platforms like Microsoft Power Automate, Zapier, IFTTT, and similar workflow orchestration tools. Research shows that 71% of monitored accounts had suspicious activity using Power Automate, highlighting the security risks these seemingly benign productivity tools can introduce. ¹¹
These platforms are particularly dangerous because they can bypass security policies including data loss prevention (DLP) while appearing to be legitimate business automation.¹² Automation saves hours weekly but can easily create multiple compliance violations: unauthorized data transfer, storage in unsecured locations, and communication through unmonitored channels.
The Credential Vulnerability: The core security issue is how automation platforms handle credentials: each user’s authentication tokens are stored inside the platform’s saved “connections”.¹³ When employees connect corporate systems to personal automation accounts, they often grant broad permissions that persist long after the initial setup. A recent case involving “ghost logins” in Zapier showed how hackers who gain access to one application can create workflows that silently sync sensitive data to their own tools.¹⁴
Unauthorized Contact Lists and CRM Systems: Sales teams and relationship managers often maintain personal contact databases using unauthorized CRM systems like personal Salesforce accounts, or personal PKM (Personal Knowledge Management) tools for notetaking. These “shadow CRMs” contain sensitive client information, investment preferences, and relationship histories that should be managed within controlled corporate systems.
Unauthorized collaboration tools are perhaps the most prevalent form. Teams often adopt Slack, Microsoft Teams, or regional alternatives like DingTalk without proper security configurations. These platforms become repositories for sensitive client information, market intelligence, and strategic communications that should remain within controlled environments.
Regulatory crackdown and real-world consequences for firms
The risks extend far beyond theoretical compliance violations. The scale of shadow IT violations in financial institutions became evident in 2022 and 2023, when U.S. regulators imposed unprecedented penalties totalling over $2 billion for unauthorized messaging app usage.
The WhatsApp Crackdown: In September 2022, the SEC announced fines of over $1 billion against fifteen broker-dealers and one investment advisor for their employees’ pervasive and longstanding use of “off channel” communications platforms such as WhatsApp, Signal, and iMessage.² The CFTC followed with additional penalties, bringing the total to $1.091 billion in civil monetary penalties on 18 financial institutions for their use of unapproved methods of communication.³
Specific institutions faced substantial penalties:
- Goldman Sachs paid $30m for failing to supervise swap dealer activities⁴
- JP Morgan paid $15m for similar violations⁴
- Bank of America faced $8m in penalties⁴
- Barclays paid $75 million to the CFTC alone⁵
- Credit Suisse was fined $100 million⁵
Asian Institution Examples: While U.S. cases dominate headlines, similar issues affect Asian institutions. Nomura Securities International faced penalties alongside other major Wall Street firms for recordkeeping failures.⁶ The challenge for Asian institutions is often compounded by cross-border operations, where employees might use different messaging platforms depending on their location—WeChat in mainland China, LINE in Japan, or WhatsApp elsewhere in Asia.¹⁸
Another case involved a Singapore-based hedge fund where analysts had been using personal subscriptions to financial data providers. While this initially seemed like employee initiative to access better tools, it created licensing violations, data security gaps, and audit trail inconsistencies that took months to resolve and nearly cost the firm its institutional data agreements. ¹⁹
Family offices face unique challenges in this regard. One prominent Hong Kong-based family office discovered that family members had been sharing investment portfolios and financial statements through encrypted messaging apps with external advisors. While the encryption provided some security, these communications occurred entirely outside the firm’s monitoring and compliance systems, creating significant regulatory and fiduciary risks. ²⁰
Detection Challenges and Discovery Examples
The most challenging aspect is discovering shadow infrastructure that operates entirely outside corporate networks. When a research team at a Singapore hedge fund uses personal AWS accounts to process market data over weekends, traditional network monitoring provides no visibility. The discovery often comes through indirect indicators: unusual data transfer patterns, unexpected cloud service charges appearing on corporate credit cards, or regulatory questions about data processing activities.
API Discovery Challenges: The rapid pace of digital transformation in banking often leads to the creation of undocumented or unmonitored APIs, known as shadow APIs.¹⁰ Financial institutions typically discover these through API scanning tools that identify endpoints not documented in official registries, but this requires knowing where to look.
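The registry comparison described above, as an added example that is not part of the original article: observed gateway traffic is diffed against the documented API registry, and any method/path that matches no documented template is reported as a shadow endpoint. The registry paths, log format and traffic are all constructed for illustration.

```python
"""Shadow API discovery: diff observed endpoints against a documented registry.

Added example, not from the article. Assumes the registry is an OpenAPI-style
list of templated paths and that observed traffic comes from gateway access
logs in a constructed 'METHOD /path status' format.
"""
import re
from collections import Counter

# Constructed sample: the officially documented API registry.
DOCUMENTED_PATHS = {
    ("GET", "/v1/accounts/{id}"),
    ("POST", "/v1/transfers"),
    ("GET", "/v1/reports/{date}"),
}

# Constructed sample gateway log lines (not real traffic).
SAMPLE_LOG = """\
GET /v1/accounts/48213 200
POST /v1/transfers 201
GET /v1/reports/2024-03-31 200
GET /internal/export/clients 200
GET /internal/export/clients 200
POST /dev/model-run 200
GET /v1/accounts/9911/positions 200
"""

LOG_RE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+(\d{3})$")

def _template_pattern(template: str) -> re.Pattern:
    """Turn '/v1/accounts/{id}' into a regex where {param} matches one segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")

COMPILED = [(m, _template_pattern(p)) for m, p in DOCUMENTED_PATHS]

def is_documented(method: str, path: str) -> bool:
    """True if the exact method/path is covered by a documented template."""
    return any(m == method and pat.match(path) for m, pat in COMPILED)

def find_shadow_endpoints(log_text: str) -> dict:
    """Return {(method, path): hit count} for traffic absent from the registry."""
    shadow = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip malformed log lines
        method, path, _status = m.groups()
        if not is_documented(method, path):
            shadow[(method, path)] += 1
    return dict(shadow)

if __name__ == "__main__":
    for (method, path), hits in sorted(find_shadow_endpoints(SAMPLE_LOG).items()):
        print(f"SHADOW {method} {path} ({hits} calls)")
```

Note that the sub-resource `/v1/accounts/9911/positions` is flagged even though `/v1/accounts/{id}` is documented; undocumented extensions of known routes are exactly the forgotten endpoints the text describes.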
The distributed nature of modern financial operations compounds this difficulty. With employees working from multiple locations, using various devices, and accessing systems across different time zones, establishing comprehensive visibility becomes nearly impossible with traditional monitoring approaches.
Many organizations only discover shadow IT instances during regulatory audits, security incidents, or employee departures when unauthorized systems become inaccessible.
Regulatory and Compliance Frameworks
The most effective approach combines proactive discovery with governance frameworks. Regular network scanning and traffic analysis can identify unauthorized cloud services and applications. User behaviour analytics can detect unusual patterns that might indicate shadow IT usage. However, technology solutions must be coupled with clear policies, regular training, and cultural change management.
Many successful institutions have adopted “approved shadow IT” programs—curated lists of pre-approved cloud services and applications that meet security and compliance standards while providing the flexibility employees seek. This approach channels the natural drive for efficiency into controlled environments rather than attempting to eliminate it entirely.
Building Resilient Controls
Automation-Specific Controls: Financial institutions must implement specific governance frameworks for automation platforms. This includes maintaining comprehensive inventories of all automation workflows, implementing approval processes for new automations, and establishing regular reviews of existing automated processes. Data Loss Prevention (DLP) solutions should be configured to detect and block unauthorized data flows through automation platforms.¹⁵
API Gateway Management: Organizations should deploy API gateways that provide visibility into all API calls, including those made through automation platforms. These gateways can enforce authentication, rate limiting, and logging requirements for all API interactions, regardless of their origin.
Identity and Access Management Integration: Automation platforms should be integrated with corporate identity management systems to ensure that access permissions are properly managed and can be revoked when employees leave or change roles. This prevents the persistence of “ghost” automations that continue operating after their creators have departed.
Regular “shadow IT discovery” exercises—structured programs to identify and assess unauthorized technology usage—should become standard practice. These programs must create safe spaces for employees to report their technology needs and current workarounds without fear of punishment. For automation tools specifically, organizations should scan for OAuth tokens and API connections that link corporate systems to external platforms.
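The OAuth-connection scan suggested above and the “ghost” automations from the identity and access management paragraph, as an added example that is not from the original article: a constructed export of third-party consent grants is checked against an approved-automation catalogue, broad permission scopes, departed owners and grant age. App names, scope names and user records are all illustrative, not any vendor’s real identifiers.

```python
"""Audit third-party OAuth grants for shadow automation connections.

Added example, not from the article. Assumes a constructed export of consent
grants (user, app, scopes, grant date) plus an HR list of active users; the
app and scope names are illustrative, not a real identity provider's values.
"""
from dataclasses import dataclass
from datetime import date

APPROVED_APPS = {"corp-workflow-engine"}          # sanctioned automation catalogue
BROAD_SCOPES = {"files.readwrite.all", "mail.read", "offline_access"}
STALE_AFTER_DAYS = 180                             # review threshold for old grants

@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    scopes: tuple
    granted: date

# Constructed sample grants and HR status (not real data).
GRANTS = [
    Grant("a.tan", "corp-workflow-engine", ("files.read",), date(2024, 5, 2)),
    Grant("b.lee", "zap-connector-personal",
          ("files.readwrite.all", "offline_access"), date(2023, 1, 9)),
    Grant("c.wong", "sheet-sync-bot", ("files.read",), date(2024, 4, 14)),
    Grant("d.ng", "mail-forwarder", ("mail.read", "offline_access"), date(2024, 6, 1)),
]
ACTIVE_USERS = {"a.tan", "b.lee", "d.ng"}          # c.wong has left the firm

def audit_grants(grants, active_users, today):
    """Return [(user, app, [reasons])] for unapproved grants needing review."""
    findings = []
    for g in grants:
        if g.app in APPROVED_APPS:
            continue                               # catalogue apps are governed elsewhere
        reasons = []
        broad = BROAD_SCOPES & {s.lower() for s in g.scopes}
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        if g.user not in active_users:
            reasons.append("owner departed (ghost automation)")
        if (today - g.granted).days > STALE_AFTER_DAYS:
            reasons.append(f"grant older than {STALE_AFTER_DAYS} days")
        if reasons:
            findings.append((g.user, g.app, reasons))
    return findings

if __name__ == "__main__":
    for user, app, reasons in audit_grants(GRANTS, ACTIVE_USERS, date(2024, 9, 1)):
        print(f"{user} -> {app}: {'; '.join(reasons)}")
```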
Approved Automation Programs: Many successful institutions have adopted “approved automation” catalogs—pre-vetted automation platforms and workflow templates that meet security and compliance standards while providing the efficiency benefits employees seek. This approach channels automation needs into controlled environments rather than attempting to eliminate them entirely.
Cloud access security brokers (CASB) can provide real-time monitoring and control over cloud service usage, while data loss prevention (DLP) systems can detect when sensitive information moves to unauthorized platforms. However, these technical controls must be implemented alongside cultural changes that encourage transparency and provide legitimate alternatives to shadow IT solutions.
The Delicate Balance between Innovation and Control
The institutions that thrive will be those that recognize shadow IT as a symptom of the organization’s need for agility rather than simply a security problem to be solved.
By providing approved alternatives that match the convenience and functionality of unauthorized solutions, they can capture the innovation benefits while maintaining the control and compliance that regulation demands.
In Asia’s dynamic financial landscape, this balance between innovation and control will increasingly determine which institutions can adapt to changing client expectations while meeting ever-evolving regulatory requirements. The question isn’t whether shadow IT will exist—it’s whether organizations will manage it proactively or discover it reactively during their next audit.
References:
1. Future of Work Report 2023, Microsoft and PwC Global Survey
2. SEC Press Release 2022-174, “SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures” (September 29, 2022)
3. CFTC Press Release No. 8762-23, “CFTC Orders Four Financial Institutions to Pay Total of $260 Million” (September 2023)
4. City AM, “Goldman, JP Morgan and Bank of America hit with fines for swap reporting failures” (September 2023)
5. CFTC Press Release No. 8599-22, “CFTC Orders 11 Financial Institutions to Pay Over $710 Million” (September 2022)
6. SEC Press Release 2022-174, “SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures”
7. Gartner IT Infrastructure & Operations Survey 2022
8. IBM Think Topics, “What Is Shadow IT?” (April 2025)
9. Escape.tech, “Why API Discovery is Important for Financial Companies” (April 2025)
10. Rakuten SixthSense, “Securing Banking APIs: Challenges and Best Practices for Financial Institutions” (January 2025)
11. Vectra AI and Dark Reading, “Hidden Dangers of Microsoft 365’s Power Automate” (December 2023)
12. Vectra AI, “Power Automate: What is It and Who is It For?” (2024)
13. DEV Community, “Hacked by Power Automate, and How to Avoid it” (May 2023)
14. Reco.ai, “Ghost Logins in Zapier: Hidden Risks in Automation Platforms” (November 2024)
15. Endpoint Protector, “How DLP Helps Financial Institutions Protect Their Data” (October 2023)
16. Cloud Security Alliance, “Top Threats to Cloud Computing: Pandemic Eleven” (2022)
17. Push Security, “Stop users saving corp creds into personal password managers” (November 2024)
18. Financial Times, “Asia’s Financial Messaging Challenges in Cross-Border Operations” (2023)
19. Asia Risk, “Shadow IT in Singapore’s Hedge Fund Sector: Case Studies” (2023)
20. Private Wealth Management, “Family Office Technology Governance Challenges in Asia” (2024)
