Ensuring SOX & PCI Compliance: Why Bank Branches Need Enterprise-Grade Internet and Network Infrastructure

For financial institutions, compliance with the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) is critical. Banks must maintain data integrity, security, reliability, and auditability to meet regulatory requirements. Yet many bank branches still rely on best-effort, asymmetrical broadband connections with no service guarantees, which put SOX and PCI DSS obligations, and day-to-day operations, at risk.

As cybersecurity threats continue to rise, regulators and auditors have placed increasing emphasis on the reliability of the networks that carry financial and cardholder data. A single breach or extended outage can result in significant fines, reputational damage, and loss of customer trust. Network infrastructure for the financial sector is held to some of the highest security and compliance standards, so banks need enterprise-grade network services. The challenge is usually how to architect the right infrastructure while staying within both capital and operating budgets.

This article explains why legacy broadband connectivity is inadequate for bank branches and outlines a networking strategy that supports SOX and PCI DSS obligations, with secure, reliable, and auditable connectivity at several levels of budget impact.

The Risks of No-SLA, Asymmetrical Broadband for Banks

Some financial institutions try to cut costs by using inexpensive broadband circuits such as cable internet or telephone-company digital subscriber line (DSL) service. While this looks budget-friendly, it introduces major compliance, security, and operational risks.

1. Unreliable Uptime & No Performance Guarantees (SOX §404, PCI DSS 12.10.1)

A traditional cable or phone company broadband service is a “best effort” internet connection: it comes with no service level agreement (SLA) and guarantees nothing about uptime, latency, throughput, or time-to-repair.

Neither SOX nor PCI DSS sets a numeric uptime target for network circuits, but both require controls that are hard to demonstrate to an auditor when the branch depends on a circuit that can fail at any time with no contractual recourse. Any downtime disrupts operations, delays financial reporting, and widens the gap between what the bank has documented and what it can actually deliver.

● SOX section 404 requires management to assess, and an auditor to attest to, internal controls over financial reporting. Branch systems that feed the general ledger over an unstable connection make the reliability of those controls harder to assert.

● PCI DSS requirement 12.10.1 requires an incident response plan that includes business recovery and continuity procedures. A branch with a single best-effort circuit has little to put in that plan beyond “wait for the provider”.

Even a few minutes of downtime can fail transactions in flight, frustrate customers, and create costly disruptions. In a high-transaction environment such as a bank branch, an unreliable internet connection is not an acceptable foundation.

2. Asymmetrical Speeds Reduce Operational Efficiency

Broadband connections are typically asymmetrical: download speeds are high but upload speeds are significantly lower. The asymmetry can be as high as 10:1; a cable internet service advertised at 300 Mbps download may support only 30-35 Mbps upload. This is fine for residential use, where most bandwidth is consumed by streaming video, but it is a problem for businesses such as banks, whose critical operations depend on sustained upload capacity:

  • Real-time financial transactions, which send as much as they receive
  • Data synchronization with HQ and cloud systems, and off-site backups
  • Card transaction processing, the traffic PCI DSS exists to protect

From an operational perspective, secure video conferencing and VoIP, both increasingly used for internal activities and remote customer interactions, depend on upload capacity as much as download, which makes asymmetric services a poor fit for a modern financial institution.

3. Shared Bandwidth Risks Recurring Performance Issues

Even so-called “business-grade” broadband is not a dedicated connection to the internet backbone. All subscribers on the access network share the same facilities, and their traffic contends for the same bandwidth, so other users in the area can slow the branch down. A branch in a busy downtown area, for example, may see its throughput drop during the lunch rush as neighboring restaurants fill up and their internet usage spikes. That slow-down affects real-time transaction processing and teller terminal response, disrupts data synchronization and backup windows, and degrades voice and video quality.

4. Business Continuity & Disaster Recovery (SOX §302, §409, PCI DSS 12.10.1)

Both SOX and PCI DSS impose business continuity and disaster recovery obligations on financial institutions.

● SOX section 302 requires senior officers to certify the accuracy of financial reports and the effectiveness of the disclosure controls behind them; section 409 requires prompt disclosure of material changes in financial condition. Both depend on branch data reaching the systems that produce those reports.

● PCI DSS requirement 12.10.1 requires business recovery and continuity procedures as part of the incident response plan.

If a bank branch loses connectivity, it must have a failover path in place to keep operating. A single broadband circuit has no redundancy: one cable cut, modem failure, or provider outage takes the branch offline, with no contractual repair target. A well-designed disaster recovery plan restores critical operations within seconds (automatic routing failover to a second circuit) or minutes (a manual switchover) rather than hours or days, minimizing financial and reputational damage.

SOX- & PCI-Compliant Internet & Network Setup for a Bank Branch

To support the controls SOX and PCI DSS require, a bank branch needs enterprise-grade internet infrastructure. The following elements make up that infrastructure.

1. Service Level Agreements

A core element of an infrastructure that supports SOX and PCI DSS is the SLA on the connectivity service. The SLA both reflects the provider's ability to guarantee the availability and performance of the circuit and gives the provider a financial incentive (typically service credits) to honor those commitments.

Modern SLAs typically cover the following key areas:

  • Availability. The percentage of a period during which the service was usable. Depending on the diversity and redundancy of the design (see below), availability SLAs for individual circuits range from 99.9% to 99.999% per month. The difference matters: over a 30-day month, 99.9% allows about 43 minutes of downtime, 99.99% about 4.3 minutes, and 99.999% about 26 seconds.
  • Latency. The round-trip time, in milliseconds, between the measurement points the provider defines. Read that definition carefully: latency SLAs vary with the destinations they cover and the provider's definition of its network reach, and an SLA measured between the provider's own core routers says little about the path from the branch to the bank's data center or cloud provider.
  • Time-to-Repair. A target for restoring each individual outage, reflecting the provider's urgency and ability to dispatch. When offered, targets of 4, 8, or 24 hours are common. A time-to-repair target and an availability target are independent commitments: a circuit can meet a 4-hour repair commitment on every incident and still miss a 99.99% monthly target after two 3-minute outages.

Financial institutions must prioritize internet connectivity that supports these SLAs to have confidence in their ability to operate their business and comply with SOX and PCI DSS.
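As an added example (not from the original article and not any provider's tooling), the following Python script turns the three SLA metrics above into a monthly check a bank can run against its own outage and latency records. The SLA figures, dates, outages, and latency samples are constructed for illustration. It shows two things the prose only states: the availability budget and the time-to-repair target are separate commitments that can pass and fail independently, and the latency verdict depends on whether the SLA is defined on a percentile or on the worst sample.

```python
"""Check a branch circuit's measured availability, latency and repair times
against its SLA. Added example with constructed data, not the article's code."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sla:
    availability_pct: float      # monthly availability target, e.g. 99.99
    latency_ms: float            # round-trip ceiling between the SLA's defined endpoints
    time_to_repair_hours: float  # per-outage restoration target


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


def allowed_downtime(availability_pct: float, period: timedelta) -> timedelta:
    """Downtime budget implied by an availability percentage over a period."""
    return period * ((100.0 - availability_pct) / 100.0)


def total_downtime(outages, period_start: datetime, period_end: datetime) -> timedelta:
    """Sum of outage time, clipped to the measurement period."""
    down = timedelta()
    for o in outages:
        clipped_start = max(o.start, period_start)
        clipped_end = min(o.end, period_end)
        if clipped_end > clipped_start:
            down += clipped_end - clipped_start
    return down


def measured_availability(outages, period_start: datetime, period_end: datetime) -> float:
    """Availability as a percentage of the measurement period."""
    period = period_end - period_start
    return 100.0 * (1.0 - total_downtime(outages, period_start, period_end) / period)


def percentile(samples, pct: float) -> float:
    """Nearest-rank percentile of a list of samples."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct * len(ordered) / 100.0))
    return ordered[rank - 1]


def evaluate(sla: Sla, outages, latency_ms_samples,
             period_start: datetime, period_end: datetime) -> dict:
    """Compare one period of measurements to the SLA and return the findings."""
    period = period_end - period_start
    availability = measured_availability(outages, period_start, period_end)
    ttr_limit = timedelta(hours=sla.time_to_repair_hours)
    ttr_breaches = [o for o in outages if (o.end - o.start) > ttr_limit]
    p95 = percentile(latency_ms_samples, 95)
    return {
        "availability_pct": round(availability, 4),
        "availability_met": availability >= sla.availability_pct,
        "downtime_budget": allowed_downtime(sla.availability_pct, period),
        "downtime_used": total_downtime(outages, period_start, period_end),
        "ttr_breaches": len(ttr_breaches),
        "latency_p95_ms": p95,
        "latency_max_ms": max(latency_ms_samples),
        "latency_met": p95 <= sla.latency_ms,
    }


# Constructed sample data: a 30-day month against a hypothetical 99.99% / 40 ms / 4-hour SLA.
PERIOD_START = datetime(2024, 4, 1)
PERIOD_END = datetime(2024, 5, 1)
SAMPLE_SLA = Sla(availability_pct=99.99, latency_ms=40.0, time_to_repair_hours=4.0)
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 4, 9, 11, 58), datetime(2024, 4, 9, 12, 1)),  # 3 minutes, lunch hour
    Outage(datetime(2024, 4, 23, 14, 0), datetime(2024, 4, 23, 14, 3)),  # 3 minutes
]
SAMPLE_LATENCY_MS = [18, 19, 21, 20, 22, 19, 18, 25, 30, 21,
                     20, 19, 23, 27, 35, 44, 21, 20, 19, 18]  # constructed round-trip probes, ms

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_SLA, SAMPLE_OUTAGES, SAMPLE_LATENCY_MS,
                               PERIOD_START, PERIOD_END).items():
        print(f"{key}: {value}")
```

Run as a script, the constructed month passes the 4-hour repair target on both incidents and passes the 40 ms target at the 95th percentile (one 44 ms probe would fail a worst-case definition), yet fails availability: six minutes of downtime against a budget of about 4.3 minutes. In practice the outage list comes from the circuit monitoring system and the latency samples from periodic probes to the bank's own data center, not to the provider's routers.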


2. Symmetrical Bandwidth

As discussed earlier, unlike residential users, business customers need high-performing connectivity in both directions in order to process real-time transactions, support secure video conferencing and VoIP calls, and keep data synchronization and cloud backups on schedule.

Financial institutions should look for internet services offering symmetrical bandwidth, the same speed in both directions, rather than the asymmetrical services most broadband providers sell. They should also look for a committed information rate (CIR), which contractually guarantees that the purchased bandwidth is available rather than shared with other subscribers on the same access network. A CIR removes the contention slowdowns inherent in shared broadband; it does not by itself protect against outages, which is what the SLA and redundant paths are for.

3. Diverse & Redundant Connectivity

For critical locations and services, financial institutions should deploy diverse and redundant connectivity so that the branch stays up, and its controls stay demonstrable, even when one circuit fails.

As an example of Dual Path Connectivity (DPC), consider:

Path 1:

Fiber-based Ethernet access with either a dedicated or a shared symmetrical path to the internet backbone, backed by a guaranteed SLA.

Virtually all ISPs and access providers offer Dedicated Internet Access (DIA) with SLAs. Few telephone and cable companies offer any service guarantees on their lower-cost broadband products. Some customer-oriented providers have begun to offer SLAs across all their connectivity options, which lets a bank match the SLA to its budget while still supporting its SOX and PCI DSS obligations.

Path 2:

As physically diverse a backup connection as can be built or procured. Diversity is physical, not just contractual: a second circuit that enters the building through the same conduit, rides the same fiber bundle, or lands on the same provider's aggregation equipment fails together with the first. Depending on budget, banks can mirror the primary connection with a second private, dedicated circuit, or use a lower-cost backup that accepts slightly more risk. Options include physically diverse fiber, copper or coaxial broadband, cellular (4G LTE/5G), fixed wireless, or satellite (Starlink). Whichever path carries the traffic, the circuit itself is not a security control: cardholder data crossing either path over the public internet still has to be encrypted in transit (PCI DSS Requirement 4), and the branch network still has to be segmented from it (Requirement 1).

Conclusion

A telco or cable broadband connection with no SLA does not give a bank the reliable, demonstrable controls that SOX and PCI DSS audits expect, because of:

● No guaranteed uptime

● Asymmetrical speeds, which are not suitable for symmetrical business applications

● Uncertain performance due to shared bandwidth

● Lack of redundancy

For a bank branch network that holds up under SOX and PCI DSS scrutiny, financial institutions should use SLA-backed, symmetrical, fiber-based services such as DIA, broadband services that carry an SLA, or private WAN services such as EPL, MPLS, or VPLS, with SD-WAN as an overlay that manages failover across two or more such circuits rather than as a substitute for them.

As regulatory scrutiny continues to tighten and cyber threats grow more sophisticated, financial institutions cannot afford to take shortcuts on network infrastructure. An enterprise-grade network not only mitigates risks but also enhances operational efficiency, improves customer trust, and future-proofs financial institutions against evolving compliance mandates.

By investing in SLA-backed, symmetrical fiber solutions banks can ensure business continuity, seamless financial transactions, and compliance peace of mind.

If you are a bank or financial institution and would like a complimentary analysis of how to build a customized SOX- and PCI-compliant network solution for your institution, please contact us today to discuss the best options for your bank branch network.