But every now and again I find a situation that makes me think that maybe, just maybe, an exception can be made.
In working with a client on implementing a compliance program, it became apparent that by adhering to the exact letter of the law specified within the documentation, they’d immediately be out of compliance on day one in a very large, obvious way. Typically when dealing with such a situation, I advise the client to develop a schedule indicating the dates by which they expect to get all their work done and be fully compliant. For vendor management, I usually recommend twelve months, for Red Flags it’s usually six months and for security awareness it’s three months. As long as the plan and related schedule are documented and you can prove that you’re adhering to them, examiners and auditors alike will usually give you a pass until the next time around.
Even so, in this instance nearly half of all the in-scope work would be displayed as overdue right up front. No one wants to see that on a screen or in a report, no one wants to risk having senior management see that information and absolutely no one ever wants to explain to an examiner/auditor why they have so much work still to do (even with a solid explanation and plan).
And so I blinked. I considered in this instance a way to introduce a new rule that would allow the client to theoretically use my approach of scheduling all the work to be completed within a set time frame (twelve months in this case) but wouldn’t have to show anything as being overdue. It seemed less like the right thing to do than the kind thing to do. I even went so far as to scope out my idea in writing and share it with my fellow compliance experts in our practice.
As it turns out, I apparently have had an influence on how all of us view such matters, because the first question I was asked was what I would do if I were managing the program. I wouldn’t come up with any special rules to avoid being accurate and honest, that’s for certain; it is what it is. I was then asked if I was willing to bend the rules in other projects, say an audit, for example. Well, considering I’ve excused myself from audits in the past because management (at previous companies) elected to remove findings or soften them in order to keep the clients happy, I knew the answer was a resounding “no.” So I was asked why I was looking to bend the rules now. Good point.
What audit and compliance practitioners have to do is often unpopular and sometimes very difficult. We’re often perceived as inflexible or unreasonable. But the truth is that your compliance and/or controls framework is only as effective as its weakest link; if you start making exceptions in one area it quickly becomes expected in others. Once one control is weakened in exchange for making things easier or more palatable, the integrity of the whole enchilada suffers.
Compliance requires hard decisions, thick skin and consistency. If you’re more motivated by acceptance than by respect, it may not be the right line of work for you. Or as I’m fond of saying, it requires that you’d rather be right than popular.
It’s important to develop a relatively thick skin when participating in the sales cycle because an unfortunate part of its process is rejection. Despite the fact that we’ve built a successful practice during arguably the worst economy any of us working folk can ever recall, we still don’t close every deal we pursue. But every now and again I hear something new as a reason why we lost out on a deal that just flat out catches me off guard and knocks me for a loop. Last week was one of those times.
We’ve been enjoying a great deal of success over the past year in selling an automated vendor management product that aligns quite nicely with both FDIC and NCUA requirements. Along the way just about every client and prospective client we’ve talked to has shared their concerns and frustrations in struggling to come up with something that would satisfy their examiners but not add considerably to their workload. In the end, their decision to purchase or not purchase has fallen into somewhat traditional categories, until last week when someone threw us a curve ball.
We had followed up with a prospective client that recently demoed the software and indicated interest in proceeding with us. They told us that they’ve decided to delay doing anything with vendor management at this time.
Was it because of financial constraints on their part? No. Was it because of resource constraints on their end? No. Was it because they were going to develop something internally? Again, no.
Their reason for not proceeding with us came down to this very simple and scary fact: They had just completed an exam with their regulator and vendor management wasn’t covered during the fieldwork.
Their management had made a conscious decision that if the examiners aren’t looking at something they’re required to do they’re simply not going to do it; just like that.
First of all, does that logic freak you out anywhere near as much as it does me? Is this really how a financial institution being trusted with people’s money is conducting business? My first thought was “what else aren’t they doing because their examiner ran out of hours and never looked into it?”
I mean, there’s a reason why the FDIC and NCUA came up with a set of rules with which you’re supposed to comply if you’re a bank or credit union. These are things that are intended to protect the depositors who trust you with their money and personal information. I’ve yet to come across anything a banking client is required to do that I thought of as being “made work.” One of the simplest reasons I moved exclusively into the banking sector was because after several years of working on SOX projects I wanted to focus on something where the required activities actually made sense.
I’m not naive, far from it as a matter of fact. I know that our clients’ activity is driven in large part by what they’re expecting their examiners to be most interested in during the next exam. But even though money will be spent accordingly, each client typically makes an attempt to address all of the key compliance requirements. For example, not everyone has the time or bandwidth to test their business continuity plan, but they all make sure they have something in place and try to update it with some frequency. I can’t think of even one client who knew they had a deficiency in a key area and decided to leave it alone until the examiners made them address it. Quite frankly it’s a horrible strategy.
In an ideal world you have all of your required controls in place, functioning and routinely tested. However in the real world that’s not always possible. And so I advise my clients that they need to at least have a plan in place on how and when they’ll be in compliance; don’t ever let an examiner find a deficiency on their own, it’s just a bad, bad idea.
So I wonder what this one institution will have to say next year when their examiner rolls around again and they still don’t have a vendor management program in place. Because rest assured, if they avoided discussing it this year it’s not likely it will be missed the next time around (vendor management is about as hot a topic with the examiners as there is). I can only hope that they come to their senses along the way and realize there’s a reason these things are called “requirements.”
Ms. Keen was kind enough to share her story with me so that I in turn could share it with you.
Her bad day started with the most basic error in judgment: she responded to a Yahoo-branded email requesting that she confirm her account information or else her account would be closed. She said that “despite my initial instincts, I fell for it.” It’s not hard to understand why. Like most parents with school-age children, she has too much going on, depends on email to keep things moving and, if she is anything like my wife, is of a mind to address things as they arise; she was a perfect target for a hacker.
Ms. Keen first became aware that she was about to have a bad day when she received an early morning phone call from a friend indicating they’d received an email from her asking for help. She attempted to sign on to her Yahoo account to see what was going on but the hackers had changed her password and she was locked out. She explained what happened next:
“I had to wait for Yahoo to open at 9:00am to resolve the issue and regain access to my account. Yahoo was extremely helpful and we were able to take the account back quite easily. The representative I spoke with knew to advise me to confirm if any of my personal information had been changed, which it had. An alternate email address had been added by the hacker as a way to retain control of my account even after I had gotten back in. And my understanding is this is how they would continue to log in and check to see if anyone was actually trying to send me money. If I did not know to delete this alternate email, the hackers could continue to monitor the account and target anyone asking me where to send the money.”
I asked her if anyone actually attempted to send money or respond favorably to the hacker’s phishing attempt and fortunately no one had. While she did receive a few calls and/or emails trying to confirm if the request was legitimate, because as Ms. Keen explained, “They did indeed want to help me if I really needed it,” no one actually took further action. Apparently the majority of people who received the phishing attempt knew it was a hoax and ignored it (score one for security awareness in the private sector).
Was there a lesson learned from all of this for Ms. Keen to share?
“Do not respond to emails requesting personal account information, no matter how reputable they may seem,” she said. “As Yahoo explained, they would never request that sort of account information from me (they already have it and there is no need for it to be confirmed).”
To which I would add that you could easily replace the Yahoo name with literally any reputable business with which you have an online account. I would also recommend that you print Rebecca Keen’s advice and tape it to your monitors and keyboards at both work and home for all to see. Because whether it be the result of a successful phishing attempt, poor judgment or sloppy controls (e.g. sticky notes under the keyboard/phone/stapler, etc.), the number one entry point used by hackers to gain access to sensitive information remains a password that its owner has given away.
Check back here next week. I have an interesting (if not scary) story to share about how some financial institutions are (mis)managing regulatory requirements.