Bcp archives - Regulatory Reality

Oct 29 2009   5:23PM GMT

Regulatory compliance bits and bytes

Posted by: David Schneier
Regulatory Compliance, FDIC, GLBA, NCUA Sheila Bair, SOX, Pandemic Planning, business continuity planning, bcp, DR, disaster recovery, password, policy, procedure, audits, assessments, risk assessments, general controls, NCUA

Many years ago I found myself in one of those awkward moments where I needed to pay for something but didn’t have enough cash on hand to cover the bill. Rather than do the smart thing and find an ATM I instead elected to rip through my car and dig up all of the change that had been accumulating over the months and miles. After about five minutes and some disturbing encounters (food can morph into some bizarre forms when left under a car seat for too long) I somehow managed to come up with enough change to cover the shortfall. It’s amazing what you can pull together when you scavenge around and piece together disparate parts into one coordinated effort.

And so it goes with this week’s post. Here are some nuggets that I’ve gathered over time:

Policy and procedure: I was talking to a client today about password reset lengths. Turns out for one of their products they changed the password frequency to expire after 1,000 days. Their logic was that it was low risk because the application didn’t store NPPI and the security was really only necessary to ensure proper segregation of duties. So I asked them if they had a password policy (they did) and if so were they in compliance with the policy (they weren’t). After a momentary silence, their quiet reply was “good point.” Being the auditor that I am I couldn’t help pointing out that the worst thing any institution could do was to deviate from a documented policy or procedure, regardless of the reason. Once an examiner discovers something like that, they figure it’s an indication of related issues and wind up digging a bit deeper. Document what it is you do and then make sure you’re doing it; while it may seem simple enough, you’d be surprised how many companies fail on that point.

Pandemic planning: There’s still heightened concern regarding the swine flu and my industry continues to beat the drum about needing to have a pandemic response plan in place. While it’s a valid point, I’ve been polling my clients over the past few months regarding their first hand experiences with the flu epidemic. Only a few have been confronted with any legitimate outbreaks and none of them have experienced an absentee rate that required unusual planning or intervention. While I’m not advocating that a pandemic response plan is superfluous, I am questioning my peers who are pushing this as a top of the list agenda item. For my money I’d rather spend time making sure that a properly vetted and tested business continuity plan is in place and spend less time and effort getting caught up in the hype.

SOX: Banks that are required to be SOX compliant need to take some time to make sure that they’re thinking things through. GLBA is a fairly rigorous and encompassing regulation and extends deeply into a financial institution’s infrastructure. To a certain extent, it serves to drive a bank’s general controls framework, be it informal or otherwise, and as a byproduct goes a long way towards establishing controls typically associated with SOX. So when I encounter clients who are tackling SOX as though it’s its own separate set of requirements I throw up the caution flag and try to force a reset. While it may be true that larger institutions need to extend significantly from GLBA to controls around financial reporting within the infrastructure, that would only represent a subset. Before doing anything different, the bank should bring in someone who has experience working with both SOX and GLBA to identify the (many) commonalities and produce a consolidated framework so that efficiencies are both identified and realized.

Year-end activities: In my last post I discussed how there’s an uptick in services work this time of year when many banks and credit unions remember that they still need to conduct a wide range of audits and assessments in support of GLBA/NCUA regulations. If you spend some time reading through FFIEC guidance (seriously, it’s not nearly as dry and boring as you might think) there are multiple references to “your most recent audit or assessment.” For those of you who think that the need to conduct this work is suggested rather than required, consider how it looks to your examiner(s) when they discover that your most recent risk assessment was either conducted several years ago or not at all. Do you really think it reflects well on your institution that you haven’t taken a serious look at the myriad risk factors swirling about your infrastructure for any considerable length of time? In a day and age when new threats emerge almost daily, if not hourly, how can you justify neglecting such a critical task? The examiners expect a current set of reports not only because it’s required but also because it’s a clear indication of solid management and oversight activities.

And on a final note, I’d like to share this link to the FDIC website. You’ll find a video message from Chairman Bair on the current state of both the FDIC and the banking industry. It’s really more of a “happy recap” (with all due respect to Mets fans) of similar messages she’s released over the last year. But I think it’s worth your time (about four minutes total) to hear it for yourself and gain a sense of calm about the security of your own deposits. And for those of you who might think I’m keeping to some sort of schedule regarding Sheila Bair references, as long as she keeps doing the right things I’m going to keep bringing her name up.

Oct 20 2009   3:05PM GMT

Should bank examiners rely on audit and assessment reports?

Posted by: David Schneier
Regulatory Compliance, Audit, risk assessment, risk, assessment, GLBA, NCUA, information security, technology, IT, business continuity planning, bcp, DR, disaster recovery

A favorite cliché of mine is “if it wasn’t for the last minute nothing would ever get done.” Personally it’s sort of the way I’m wired and in my industry it’s an unwritten rule when it comes to many annual activities. There’s an appreciable uptick in services work each year beginning in early fourth quarter as banks and credit unions wake up to the realization that the audits and assessments they are committed to conduct have yet to be done. And examiners typically don’t pay much attention to the timing of the work; they only care that it’s done during the expected time frame, so oddly enough this approach works.

But this leads to another interesting quirk about how the examiners often operate. Generally speaking, if the reports are available, they don’t dig much (if at all) beyond the report’s contents. And so the information security and IT components of many exams become more about inventorying recent reports and not much else. We see evidence of this all of the time when we conduct a first-year audit or assessment and discover gaps or issues that have been in place for years and which the exams never picked up on.

I’ve written in the past about how surprisingly few institutions maintain a current business continuity plan and even fewer properly test that plan. But what surprises me more is that these conditions have existed for years spanning many exam cycles. How is that even possible?

I’ll tell you how: There’s a documented plan that is provided upon request and by and large the examiner conducting the fieldwork checks off that they received it and voila, you have a non-issue. And because the people in the field are typically given too few hours to cover too much landscape, they don’t have enough time to dig in deeper. Sometimes an examiner actually opens the document and vets it for key details - every now and again we come across a DoR or an MoU where the absence of a recent business impact analysis was tagged - but that happens almost never.

I’m fond of advising clients that you conduct much of the required compliance work for one of two reasons: You do it because it’s the right way to manage your institution and reduce your risk or because you have to. Because of the approach taken by examiners, way too many institutions lean towards the latter and simply want to have a report available to hand over when asked. But is this really the right way to run a financial institution?

And when you consider that the value of the report is largely defined by its contents and the competency of the practitioners conducting the fieldwork behind it, isn’t there an increased likelihood that there are important issues that go undetected? If all you do is pay for the report (often issued by the firm submitting the lowest bid) and all the examiners do is check off that the report was available and issued during the appropriate time frame, is there any real value in even bothering with this process?

I’m a bit biased regarding the value of reports. My firm is on a constant hunt for real risk and not just simply working our way down a checklist to kick out a document and collect our money. We tend to examine our clients’ infrastructure as though we have our own money deposited with them and tie what we see straight back to GLBA and NCUA requirements. The value in this approach is that we produce a report that the board of directors can relate to, not just the IT folks.

But again, if no one really even cares about the content of the report and only that it exists, why bother doing a good job?

Maybe our industry needs to adopt an approach similar to the PCI folks. Maybe the FDIC and NCUA should issue certifications to practitioners validating them as properly trained and educated experts with regards to GLBA. There would still be a variance from firm to firm to a certain degree, but at least there would be a recognized standard and an increased likelihood that if an examiner is going to rely on the competency and completeness of a report there’s some justification behind that decision.

Something’s going to have to change though and hopefully sometime soon. Because using the “last minute” logic is flawed and only serves to reinforce my own bad habits.
Apr 29 2009   3:33PM GMT

Pandemic Planning: a quick update.

Posted by: David Schneier
Regulatory Compliance, pandemic, business continuity planning, bcp

I wanted to post a quick update regarding the looming threat of a true pandemic event courtesy of the swine flu.

In the past forty-eight hours I’ve had conversations with three separate clients in which the subject of their pandemic response plans was discussed. Mind you the initial reasons for these conversations were completely unrelated to this hot news item but it’s on my mind and I would be remiss to pass on the opportunity to dig a little.

All three clients, all three, had no idea if their pandemic plan would work (one wasn’t even sure they had one). Two of them discussed how they had a mobile work force to begin with and it wouldn’t be a big problem to have everyone dialing in. To which I asked if they had ever tested their network’s capabilities to handle everyone dialing in literally at the same time; the answer was no. Then I asked about some of their critical business functions that couldn’t be managed remotely, and how that would be addressed if a general quarantine were declared; they weren’t sure. The third client had a very small remote work force where more than eighty percent of their users relied on desktops during the business day. If their employees couldn’t make it to the office due to a pandemic event they pretty much were shut down for the duration. And in their industry that’s just simply not allowed. Their strategy has always been that only senior management and technology team members required a laptop and could manage issues remotely should they occur. But they never anticipated having an issue like this.

One of the clients was dismissive of my concerns that a general quarantine could be declared; “never happen” was the comment. So when I awoke this morning to news that President Obama is alerting schools to prepare for the possibility that classes will be suspended during this event I cringed. Typically I indulge in a bit of smugness when I’m right but not so much this time. This time I’m feeling a knot in my stomach.

I have concerns that in general our infrastructure is ill-prepared to handle a sudden and dramatic rush to using our telecom capabilities to run America remotely. I have further concerns that too many companies are going to be figuring out what to do by the seat of their pants. Some are small enough that that’s possible but many are way too big and would require advanced planning which now appears to be near impossible to get done.

I’m still not convinced that this threat is any greater than any other flu outbreak we’ve seen but I am concerned how we’re going to be able to respond (or rather not respond).

And as though this isn’t a juicy enough story for me, the first confirmed fatality in the US from the swine flu was announced today. A toddler from Mexico was found to have had the swine flu; he passed away in a hospital in Houston. Guess where I am this week?

Apr 27 2009   5:28PM GMT

How’s your Pandemic Response Plan looking today?

Posted by: David Schneier
Regulatory Compliance, pandemic, bcp, business continuity planning, FFIEC, GLBA, NCUA

I started my day yesterday by finding my 12-year-old sitting with his eyes riveted on the laptop screen reading what I figured was something either on Facebook or a sports related website. I only wish. Turns out he was fixated on the breaking news covering the swine flu.

Much like his father, my son suffers from a very fertile imagination and can quickly move from Point A to Point Z without so much as a blink of an eye. He was already busy trying to figure out how bad this was going to be and because he had no context for something like this had no boundaries to keep him in check. Suffice to say he was at least a little concerned.

I explained to him that the hysteria he was exposed to was more the result of near real-time media capabilities that span the globe rather than something worth losing sleep over. While there was something to be concerned about it was not likely greater than anything we’ve already dealt with and that he should relax, wash his hands frequently and go on with his life. And of course I immediately hid my copy of Stephen King’s “The Stand.”

I’m not really sure how large of a threat the swine flu represents, I only know that it serves as yet another reminder as to why it’s important that all financial institutions (as well as many other industries) have in place a functioning and well-designed pandemic response plan.

I recall how the guidance first emerged a few years back, largely in response to the avian flu that seemed so threatening at the time. The FFIEC issued a number of documents to raise awareness within the banking industry so that the covered institutions had ample warning that they needed to develop and implement a viable plan. Most did but largely to appease the examiners. Of the dozens I’ve reviewed through the years, I encountered only a handful that presented anything close to something that would work. Most of them consisted of background documentation explaining what a pandemic was and provided some specifications about personal hygiene. But very few of them provided clear, concise steps as to how they were going to manage through such an event.

I’m concerned that this blind-spot in business continuity planning is about to be brought to light in a very bad, ugly way.

What’s going on in the media now is a bit alarming (and I realize the irony of me, a blogger, stating as such); the swine flu is being tracked much like a hurricane barreling towards the mainland. President Obama commented on this earlier today, which validates that this is a major news item. And when considering the aggressive steps Mexico is taking to slow the spread of the virus I can see where for the first time in my lifetime some form of government intervention may occur.

So here’s a question for all the banks and credit unions out there: Can you manage through a quarantine with a dispersed and restricted work force? Do your employees even have a copy of the plan available to them and if so do they know how to use it and what their role is within it? Because this is a lousy time to be asking yourselves these very same questions.