FDIC archives - Regulatory Reality


Oct 29 2009   5:23PM GMT

Regulatory compliance bits and bytes



Posted by: David Schneier
Regulatory Compliance, FDIC, GLBA, NCUA, Sheila Bair, SOX, Pandemic Planning, business continuity planning, bcp, DR, disaster recovery, password, policy, procedure, audits, assessments, risk assessments, general controls

Many years ago I found myself in one of those awkward moments where I needed to pay for something but didn’t have enough cash on hand to cover the bill. Rather than do the smart thing and find an ATM I instead elected to rip through my car and dig up all of the change that had been accumulating over the months and miles. After about five minutes and some disturbing encounters (food can morph into some bizarre forms when left under a car seat for too long) I somehow managed to come up with enough change to cover the shortfall. It’s amazing what you can pull together when you scavenge around and piece together disparate parts into one coordinated effort.

And so it goes with this week’s post. Here are some nuggets that I’ve gathered over time:

Policy and procedure: I was talking to a client today about password expiration intervals. Turns out for one of their products they changed the expiration frequency so that passwords only expire after 1,000 days. Their logic was that it was low risk because the application didn’t store NPPI and the security was really only necessary to ensure proper segregation of duties. So I asked them if they had a password policy (they did) and if so whether they were in compliance with the policy (they weren’t). After a momentary silence, their quiet reply was “good point.” Being the auditor that I am I couldn’t help pointing out that the worst thing any institution can do is deviate from a documented policy or procedure, regardless of the reason. Once an examiner discovers something like that, they figure it’s an indication of related issues and wind up digging a bit deeper. Document what it is you do and then make sure you’re doing it; while it may seem simple enough, you’d be surprised how many companies fail on that point.

Pandemic planning: There’s still heightened concern regarding the swine flu and my industry continues to beat the drum about needing to have a pandemic response plan in place. While it’s a valid point, I’ve been polling my clients over the past few months regarding their first-hand experiences with the flu epidemic. Only a few have been confronted with any legitimate outbreaks and none of them have experienced an absentee rate that required unusual planning or intervention. While I’m not advocating that a pandemic response plan is superfluous, I am questioning my peers who are pushing this as a top-of-the-list agenda item. For my money I’d rather spend time making sure that a properly vetted and tested business continuity plan is in place and spend less time and effort getting caught up in the hype.

SOX: Banks that are required to be SOX compliant need to take some time to make sure that they’re thinking things through. GLBA is a fairly rigorous and encompassing regulation and extends deeply into a financial institution’s infrastructure. To a certain extent, it serves to drive a bank’s general controls framework, be it informal or otherwise, and as a byproduct goes a long way towards establishing controls typically associated with SOX. So when I encounter clients who are tackling SOX as though it’s its own separate set of requirements I throw up the caution flag and try to force a reset. While it may be true that larger institutions need to extend significantly beyond GLBA to controls around financial reporting within the infrastructure, that would only represent a subset. Before doing anything different, the bank should bring in someone who has experience working with both SOX and GLBA to identify the (many) commonalities and produce a consolidated framework so that efficiencies are both identified and realized.

Year-end activities: In my last post I discussed how there’s an uptick in services work this time of year when many banks and credit unions remember that they still need to conduct a wide range of audits and assessments in support of GLBA/NCUA regulations. If you spend some time reading through FFIEC guidance (seriously, it’s not nearly as dry and boring as you might think) there are multiple references to “your most recent audit or assessment.” For those of you who think that the need to conduct this work is suggested rather than required, consider how it looks to your examiner(s) when they discover that your most recent risk assessment was either conducted several years ago or not at all. Do you really think it reflects well on your institution that you haven’t taken a serious look at the myriad risk factors swirling about your infrastructure for any considerable length of time? In a day and age when new threats emerge almost daily if not hourly how can you justify neglecting such a critical task? The examiners expect a current set of reports not only because it’s required but also because it’s a clear indication of solid management and oversight activities.

And on a final note, I’d like to share this link to the FDIC website. You’ll find a video message from Chairman Bair on the current state of both the FDIC and the banking industry. It’s really more of a “happy recap” (with all due respect to Mets fans) of similar messages she’s released over the last year. But I think it’s worth your time (about four minutes total) to hear it for yourself and gain a sense of calm about the security of your own deposits. And for those of you who might think I’m keeping to some sort of schedule regarding Sheila Bair references, as long as she keeps doing the right things I’m going to keep bringing her name up.

Sep 30 2009   7:34PM GMT

Accountability key to banking recovery



Posted by: David Schneier
Regulatory Compliance, GLBA, FDIC, NCUA, DIF, Audit, compliance, banking, bank, CU, credit union

Every day, I receive a semi-deluge of industry related emails.  Between the various agencies, media sites, organizations and associations I tend to receive more communiqués than I know what to do with.  But I developed an interesting habit last year when the banking industry first started its tailspin dive by making certain to read every single issuance from the FDIC.

Going back to at least last September I have read and saved each and every one of them (several hundred I might add).  I’m sure some of my peers will beg to differ, but for me this is where anyone in the industry should’ve been looking during the crisis for the best indicators of what’s going on.

Yesterday, I was glad for this somewhat addictive habit of mine.  For what may be the very first time since Lehman went belly-up, I may have found the first true concrete piece of evidence that we’re on the road to recovery, if only in some small way.

The FDIC agency alert yesterday announced plans to bolster the Deposit Insurance Fund (DIF) by requiring insured institutions (mostly the banks you and I know) to prepay on their quarterly premiums so that the fund remains viable and liquid through the still unfolding resolution of the banking mess.  And that’s significant because unlike a year ago, this time around the plan calls for the industry to take responsibility for itself and not go running to Capitol Hill for help, an option FDIC Chairman Sheila Bair has denounced on several occasions.

Here’s what Bair had to say in the announcement:

“The decision today is really about how and when the industry fulfills its obligation to the insurance fund. It’s clear that the American people would prefer to see an end to policies that look to the federal balance sheet as a remedy for every problem. In choosing this path, it should be clear to the public that the industry will not simply tap the shoulder of the increasingly weary taxpayer. This proposal is a vote of confidence for the banking industry’s resilience, and it will continue to recover its strength as we work through the significant challenges ahead.”

The reason for my optimism is that this action shifts control back to the banking sector to fix its own mess.  It puts greater emphasis on each individual institution to fulfill its obligations to the DIF in advance of using those same funds for more traditional activities commonly associated with generating profits.  I think accountability is necessary, if not essential, to repairing the damage inflicted on the industry and repairing its reputation with depositors, investors and borrowers (something the NCUA had figured out much sooner).  And so I’m feeling a little better about where we’re heading, economically speaking.

Oh, and Comptroller of the Currency John C. Dugan (that’s the OCC head honcho in case you didn’t recognize the handle) agrees with me.  Mr. Dugan said of the FDIC plan: “The actions we are taking today represent a balanced approach to raising needed money for the deposit insurance fund without impairing the ability of our banks and thrifts to support economic recovery.”  He added, “I think this is a very positive proposal. The staff did an excellent job, and I support the way you handled it”.

I’d like to chalk it up to “great minds think alike.”

By the way, if anyone knows of a Sheila Bair Fan Club or is thinking of starting one I’d appreciate it if you would let me know.  She won my admiration last year (no surprise to my regular readers) and has routinely found ever more ways to score points with me.  She continues to step up and talk straight, smart and to the point about what’s going on with the banks and what to do about it.  I look forward to the President acting on the banking reform plans announced earlier this year and I sincerely hope he puts Bair in charge of the new entity.

For now, though, I have to go; seven more FDIC email alerts have landed in my inbox and I need to check ‘em out.


Aug 18 2009   8:05PM GMT

Is perspective on our regulatory landscape a blessing or a curse?



Posted by: David Schneier
Regulatory Compliance, GLBA, PCI, SOX, Audit, regulatory, FDIC

I was away from the office last week trying to squeeze in a family vacation before the kids head back to school. Despite taking the occasional phone call and replying to a number of emails, there was still plenty waiting for me today when I returned to my normal schedule.

It wasn’t until somewhere mid-morning, after catching up with my partner, that the incongruity of my professional life was revealed in an odd pattern. I’d read about a number of bank closings having been announced on Friday (sort of becoming a weekly ritual at this point) and two newly reported credit card breaches (also fast becoming a same old, same old scenario) by the time I called into the office to touch base. Turns out we had a busy week beyond what I already knew about, and we were discussing one proposal in particular to conduct an IT general controls audit (more on that in a few weeks) when the strangeness of the morning finally dawned on me.

Everyone is still working on trying to keep up with their regulatory compliance obligations, companies that participate in credit card processing are still pushing to obtain/maintain PCI compliance, and it just doesn’t seem to be making much of a difference. Despite our practice being busier than ever and there being a heightened sense of regulatory awareness out on the street there’s a general lack of evidence that it’s making a difference.

I’ve already beaten the PCI horse to death with regard to how the PCI-DSS by itself does not really go far enough (nor was it intended to be a be-all and end-all solution). I’ve long griped about how so much of what matters is missed by regulators due to too few budgeted hours available and a lack of appropriately skilled and trained resources. So really there’s nothing new about any of this.

But still, with a reasonably fresh perspective and clear head on this, my first day back to reality, it all seems that much more… I’m not sure what the right word would be: depressing, frustrating, baffling?

How important can GLBA compliance be to a bank that’s just about out of financial options and on the verge of closing? And really, how much money should a company spend to be PCI compliant if that compliance doesn’t go far enough to actually mitigate the associated risks? I was just reading a story about how Intel turned things around in the 1980s because their two most senior executives (Andy Grove and Gordon Moore) got together, stepped outside of their roles and imagined what someone new, with a fresh perspective, would do with their company to address increasing competition and decreasing market share. Forcing themselves to obtain that perspective led the way to a change in direction that would transform not only Intel’s fortunes but drive an entire industry into the future. So why can’t we do something similar for our financial institutions?

The short answer is that we can but it would require an act of bipartisan politics typically only observed during a true crisis such as acts of war and natural disasters. Of course it wouldn’t be too hard to make the argument that our banking crisis is a disaster, man-made or otherwise, but somehow when one party can blame the other there’s little chance of forging a common peace even if it benefits the citizens.

I’ll likely lose this perspective as the week moves ahead and get back to less of the “Big Picture” thinking and more of the nuts and bolts focus typically required of me, but still, I’m hoping someone, somewhere is reading this and thinking I’m right.


Jul 27 2009   8:56PM GMT

Let the FDIC lead the way!



Posted by: David Schneier
Regulatory Compliance, regulations, FDIC, banking, compliance

I can’t think of any more telling comment about where I am in my professional life than what I’m about to offer:

Sheila Bair rocks!

If you don’t know who she is, well, shame on you.  Because over the past year or so as the banking world has been in a near free-falling, tail-spinning heap of confusion, the chairman of the Federal Deposit Insurance Corporation (FDIC) remains perhaps the only reason why we haven’t been experiencing pure panic in the banking sector.  We’ve all watched as she calmly navigates from bank failure to bank failure, never losing her composure or allowing the dire circumstances to consume her or the FDIC.  She routinely offers sound and sensible insight and perspective, framing what’s happening in the banking world and making sure that everyone knows that the FDIC continues to have our back.   From the very first publicized collapse last year (IndyMac) straight through to last week’s speech before the Senate Committee on Banking, she has proven that there’s no substitute for having the right person in the right job.

As to why I’m waving my Sheila Bair banner so vigorously this week you need only read the transcripts from her aforementioned Senate testimony last week.

She was among the very first and remains one of the very few industry leaders to rail against the idea that any financial institution is “too big to fail.”  Last week, she expanded on that considerably.  She discussed how the “notion of too big to fail creates a vicious circle that needs to be broken” or rather, “we need to end too big to fail.”  She highlighted how so much of what’s caused this nightmare stems from “the presence of significant regulatory gaps with the financial system” and followed that up by suggesting that “we need to develop a resolution regime that provides for the orderly wind-down of large, systemically important financial firms, without imposing large costs to the taxpayers.”

Wow!  I mean, like, wow!

So really what she’s saying is that if you’re, say, Citigroup or Bank of America, and you’ve managed to paint your institution into a financial corner from which you can’t legitimately escape, the only thing to do is go out of business.  Y’know, sort of like the core principles of a free market economy would dictate, or so we all believed until this past year.  None of this government bailout activity would be allowed that essentially transferred risk from for-profit institutions to us, the taxpayers.  You mismanage your bank, you run out of options, you close; simple and fair.

Chairman Bair further expanded on her proposal by explaining that with a resolution regime “losses would be borne by the stockholders and bondholders of the holding company, and senior management would be replaced.”  Or rather, in my own words, accountability would be enforced; those who made the decisions that caused the problem would be forced out and those that were banking on a windfall that until now was almost guaranteed would have to accept the unfortunate risk side of their investment (no more “sure things”).  And towards that end, she suggested that “each bank holding company with subsidiaries engaged in non-banking financial activities would be required to have, under rules established by the FDIC, a resolution plan that would be annually updated and published for the benefit of market participants and other customers.”   I’ve come to think of this as a disaster recovery plan of an entirely different nature.

Think about what’s being proposed: accountability, acceptance of risk and the need to plan for all potential outcomes, favorable or otherwise.  What a concept!  And what a breath of fresh air!

Chairman Bair also offered the concept of forming a Financial Services Oversight Council that effectively “should be able to harmonize rules regarding systemic risks to serve as a floor that could be met or exceeded, as appropriate, by the primary prudential regulator.”  But wait, there’s more.  Of the council she also suggested that “primary regulators would be charged with enforcing the requirements set by the Council. However, if the primary regulators fail to act, the Council should have the authority to do so.”  This would eliminate the current design restrictions in which individual oversight agencies could only pursue punitive and/or corrective actions to a point but once their jurisdiction ended so too would their ability to take additional and often necessary steps to address the issues at hand.  Generally speaking, this would eliminate a number of loopholes that currently exist in the system.

I find all of this remarkably refreshing.  It’s so simple and straightforward, it’s all but impossible to reject or ignore (but I’m sure our politicians will try just the same).  And to a very large degree, these proposed changes would work, maybe not completely but certainly enough so that it would be worth our time to at least attempt implementing them.

But does everyone think so highly of Ms. Bair and her proposal?  It’s received pitifully little coverage in the press (I couldn’t find anything on two of the major news sites and on the third it was skewered to look like partisan politics) and none of my contemporaries were even aware that she had spoken.  Frankly, I don’t understand why.

I’ll put it out there right now: If I have a vote that can be cast in support of her plan it’s hers; there’s no need to ask me twice.  And if I need to poke a senator or two from my home state to help inspire them to support her plan, someone only has to let me know and I’ll happily go call on them (at home or in DC, it’s close enough to drive).


May 20 2009   7:31PM GMT

IT Security: Something has to give.



Posted by: David Schneier
Regulatory Compliance, NCUA, FDIC, FFIEC, Audit, GLBA, phishing, fraud

My practice has been busy lately helping a number of clients catch up on required tasks before their scheduled exams (it’s a case of the old “if it wasn’t for the last minute nothing would ever happen” philosophy).  And in authoring some of our reports we’re identifying issues and gaps that are in some cases minor but in others are big enough to drive a car through.  This is nothing new.

What is new is the ambivalence we’re experiencing from management.  It seems that a little known byproduct of our currently sad economic state is that keeping the doors open seems to be the only goal that really matters.  Management is not particularly concerned with much else, or so it would seem.  Not that this by itself is a new phenomenon either but there’s almost a reckless undertone emerging.

We’ve encountered some glaring issues recently that underscore a fundamental problem that I’ve struggled with for a long time: The FDIC and NCUA examiners just don’t pay enough attention to IT-based risks.  In some instances they touch on high-level issues and in rare instances can get a bit more granular, but we’ve collected empirical evidence that an in-depth review hasn’t been conducted for the vast majority of institutions that we’ve worked with.

Forget about industry best practices and forget about the fact that financial institutions are required by law to implement and maintain certain basic safeguards.  We live in an age where identity theft and credit card fraud are rampant.  Every day we are presented with more stories, more guidance and more information about how the criminal element is finding newer and more insidious ways to get at our money and credit.  My senior citizen mother and my grade-school aged children are all aware of the term phishing, have all been coached as to which email is safe to open versus which isn’t and know not to share personal information.  If I can convince them of the threats out there in the great digital void you have to think it’s fairly obvious, right?

So why is it that the examiners aren’t paying more attention to the IT infrastructure?  I had a chance to ask someone from the NCUA office a few months back that very question and while I didn’t like his answer, it made sense, particularly considering the more pressing issues banks and credit unions are currently dealing with.  It comes down to resource availability.  Only so many hours are allocated to an exam based on the institution’s size.  And so for the smaller institutions, the examiners prioritize the work based on risk.  Can anyone argue that scrutinizing the books is less important than auditing the IT infrastructure?

Even so, some of the institutions we’ve worked with and which I’ve personally reviewed have had issues for what has to be several years.  How is it possible that in the past five years not one examiner has ever noticed the absence of a business continuity plan?  Or any form of security around the firewall (and an unusually permissive firewall at that)?  Or the lack of strong (or even reasonable) password controls?

Something has to give.  When you combine the lack of proper examiner supervision with a less than concerned management mindset the potential for serious issues becomes much greater (and likely).  Somehow the various entities that are responsible for providing oversight for those places we trust with our money need to figure out a way to provide reasonable assurances that at least the bare minimums are being met when it comes to IT controls.  With all the money being spent to keep the banking industry afloat can’t someone figure out a way to slice off a little bit in order to hire enough IT people to conduct the necessary examinations?  Congressman?  Senator?  Mr. President?  Anyone?


Apr 21 2009   8:12PM GMT

FDIC: More than just a sticker on the bank’s door.



Posted by: David Schneier
Regulatory Compliance, FDIC, banking

I opened my front door last week and found my industry waiting for me on my very own doorstep, seriously.

The Raleigh News and Observer had a story on page one about how U.S. Senator Richard Burr called his family during the early days of the banking crisis last Fall and instructed them to withdraw as much money as they could from their bank accounts via ATM in reaction to the onset of the economic crisis.  Apparently what he heard during closed door sessions with our government leaders scared him so much that he was willing to be amongst the first to start a run on our banks.  And the amazing part of the story is that he’s been fond of sharing this story during speeches in the time since as a way of underscoring how dire things were.

From the cheap seats where I write, I would have to say that the only thing the story itself and the retelling of it time and again underscores is that being a U.S. Senator does not indicate any particular ability to comprehend or apply information.  It also serves as a reminder that despite being presented with evidence to the contrary, people believe what they hear ahead of what they read.  Because every time you’ve been in an FDIC insured bank there are signs all over the place that clearly state that “Each depositor [is] insured to at least $100,000”.

I recall earlier in 2008 when the first set of banks went under due to worsening market conditions Sheila Bair, the person running the FDIC, stated loud and clear that all depositors’ money was safe up to the $100k limit.  She calmly and rationally explained how things were going to work, how each depositor would have unrestricted and uninterrupted access to their money as though nothing had happened and that there was absolutely no reason to panic.  And she was right.  In the months since that first time (with IndyMac) she’s had plenty of chances to hone her “all is well” mantra as one bank after another simply reached the end of its useful life.

When people started questioning what would happen if they had more than the covered amount, Ms. Bair worked with the various financial leaders in our government to have that amount temporarily increased to $250,000 (good through at least year end, 2009) thus assuaging the concerns of that very small percentage of people who might have such worries.  But at no time since this nightmare began to firm up nearly a year ago has anyone even remotely paying attention been presented with any evidence whatsoever that there are legitimate concerns as to the viability of the FDIC.

As matter of fact (and of interest), the FDIC has always fulfilled its promise in any situation during which it was required to do so… always. Senator Burr should have known that all along.

Sadly, in the time since the story broke Senator Burr has been doing a little two-step trying to soften the absurdity of his statements, saying that he “did what many people did.” Well, no, not really. He acted based on privileged information and made certain to take immediate steps to protect his constituents, except it was limited to those living in his home rather than his home state. But he didn’t think to warn me, or you or anyone else trusting their leadership to look after their best interests. His assertion that other people did exactly the same thing, particularly those from North Carolina, doesn’t hold up under scrutiny either. I’ve asked at least a half-dozen friends (and fellow Tar Heels) over the past week or so if they ever thought to run to the bank last Fall and hoard cash; none did. They all wondered why I was asking and I was all too happy to share with them the story of their Senator, Bank-run Burr (kudos to MSNBC’s Rachel Maddow for that clever nickname).

The good news is that the FDIC has all of our backs, unlike Senator Burr. The better news is that I’m registered to vote in North Carolina and will have the privilege to let the Senator know first hand whether or not I have his back come Election Day 2010.


Apr 13 2009   9:36PM GMT

What vendor management is really all about



Posted by: David Schneier
Regulatory Compliance, Vendor Management, shared assessment, GLBA, FFIEC, FDIC

I received an email from a colleague last week in regards to my recent post about the BITS Shared Assessments Program.  In the entry I offered my high opinion of the framework but went out of my way to point out that by itself the assessment is not a vendor management program.  The subject line for the email was “Why not?”.

Semantics aside, there’s an important distinction between assessing and managing.  Assessing how a vendor conducts business within their own infrastructure is not the same as monitoring the contractual obligations and service-level agreements that govern your relationship with that vendor.  That the vendor has an information security program is a good thing; that the vendor’s information security program supports what regulations require you to do is a better thing.

The Shared Assessments Program does a great job of providing a consistent set of measurements by which every vendor can be assessed.  But it does not offer a determination as to whether or not what the vendor does is sufficient for your own needs or purposes.  It’s still incumbent upon your institution to form that opinion and act accordingly.  And even so, that’s still just one piece of the vendor management puzzle.

FFIEC guidance breaks out vendor management into several separate and distinct parts with the assessment piece only being one element of the ongoing monitoring phase.  Assuming you’ve conducted the necessary and expected steps to enter into a contract with a vendor you still need to review their performance against specific contractual obligations and measure them against the various elements of the service level agreement.  And this needs to occur annually with a determination formed as to whether or not the contract is being adhered to and if not, what remedial steps are required to continue forward with the vendor.  The Shared Assessments Program doesn’t do that for you.

One of my reasons for beating this drum is the popular misconceptions circulating out in the marketplace as to what’s needed to address vendor management.  There are people I’ve worked with who offer themselves as industry experts pushing the Shared Assessments approach on even the smallest financial institutions, trying to convince them that they need to have one completed for all of their high risk vendors in order to appease the examiners.  This is simply not true and is really, in my opinion, just a ploy to try and generate revenue within an industry that’s hyper-sensitive to regulatory scrutiny.  Basically what’s required is that the vendor, where applicable, provides its customers with something akin to a SAS70 report in which they demonstrate that their infrastructure is properly secured and managed.   And that’s the point where I’m predicting that the Shared Assessments framework will become the standard, that it will replace SAS70s and generic audit/assessment programs as the truest way to measure a technology service provider.  And again, this represents only a portion of the work required to address vendor management.  But rest assured, if all you have to show your examiner/regulator/auditor next time they ask to see your vendor management program is a few recently completed shared assessment reports you’re asking for trouble.

Which leads to another reason for my beating this drum.  Only a small percentage of vendors are ones to whom the Shared Assessments Program even applies.  When reviewing my clients’ vendor management programs I’m often confronted with the “high risk vendor” logic in which some arbitrary algorithm is applied to determine which vendors are included and which are excluded from the program.  There’s almost no evidence of this assessment having been conducted and it never holds up under scrutiny.  But with regard to which vendors would/should be required to provide an external and independent assessment of their infrastructure, I could easily make the case for limiting it to only “high risk vendors.”  As a matter of fact I can even offer a viable rule by which to make that determination.  Does the vendor process, store or transmit non-public personal information (NPPI) within their infrastructure?  If the answer is “yes,” demand a SAS70 or equivalent.  Otherwise you’re free to decide your threshold for pain and make the rules accordingly.  But rest assured, if you have recently completed shared assessment reports for your high risk vendors to show your examiner/regulator/auditor as part of your vendor management program the next time they ask, you’re in for a lot less trouble.