<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; FFIEC</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/ffiec/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>CFPB: Dodd-Frank at its best.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-dodd-frank-at-its-best/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-dodd-frank-at-its-best/#comments</comments>
		<pubDate>Wed, 19 Dec 2012 13:51:59 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banking crisis]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[Dodd-Frank]]></category>
		<category><![CDATA[economy]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[mortgage]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[requirements]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[third party management]]></category>
		<category><![CDATA[third party oversight]]></category>
		<category><![CDATA[too big too fail]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>
		<category><![CDATA[vendor risk rating]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=1013</guid>
		<description><![CDATA[The campaign season that ended with last month’s presidential elections generated more debate and rhetoric than any other in my lifetime.  As I&#8217;m an outspoken person who has never shied away from a good argument I routinely found myself engaged in exchanges with a remarkably broad range of people from middle schoolers to octogenarians (and [...]]]></description>
				<content:encoded><![CDATA[<p>The campaign season that ended with last month’s presidential elections generated more debate and rhetoric than any other in my lifetime.  As I&#8217;m an outspoken person who has never shied away from a good argument I routinely found myself engaged in exchanges with a remarkably broad range of people from middle schoolers to octogenarians (and that was just within my own family) that delved into an even broader range of issues.  I was amazed by how much misinformation was being spread about both candidates, what their platforms were, what their agendas were (both published and hidden) and how voting for one or the other was guaranteeing the downfall of our great nation.  Generally I took most of what I heard with a grain of salt and tried to work patiently through things to get as close to the truth as possible.  On a few occasions though I was presented with an assertion or opinion that required a little less patience and a bit more slapping upside the head.</p>
<p>Right after one of the debates I found myself knee deep in a debate about Dodd-Frank.  A close personal friend of mine, a very bright bulb who I’ve never found a reason to disagree with, brought up Dodd-Frank as an example of horrible legislation that’s crippling banks and contributing to our horrible economic conditions.  Whoa, whoa, whoa…. rail against taxes, complain about government spending, assail the current administration for the dramatic escalation of our national debt.  But leave Dodd-Frank out of it because that’s not one of our bigger problems.  I can offer a five thousand word defense of the best parts of Dodd-Frank without even pausing to organize my thoughts but I don&#8217;t need to go that far.  I can sell its virtues in a single, simple sentence:  Any legislation that created the Consumer Financial Protection Bureau is instantly more effective than anything that&#8217;s come before it in my lifetime.</p>
<p>No, seriously&#8230; in my lifetime.</p>
<p>I&#8217;ve already screamed from the rooftops about how much I like the CFPB.  In my own geeky, nerdy way I&#8217;m proud to admit that I look forward to getting their regular updates and announcements because they always seem either ridiculously relevant or illuminate how they&#8217;re hot on the heels of yet another predatory business practice.  In barely a year&#8217;s time they&#8217;ve pushed deeper into the heart of the issues that crashed Wall Street in 2008 than anyone could have hoped (that&#8217;s my opinion but one I&#8217;m willing to defend).  And their examiners appear to be freaky efficient.  I&#8217;ve been hearing from our banking clients that they&#8217;re drilling in on details and covering more territory than was expected and that they&#8217;re discussing issues much closer to protecting customers (and members).  Our practice recently issued a bulletin to our clients alerting them to the fact that CFPB examiners are expecting related oversight to be pushed down to external business partners and vendors.  This is not a new consideration, it&#8217;s exactly the same as what&#8217;s supposed to happen with regards to GLBA (and one of the reasons we developed our related software and services for same) but still, we anticipated this would take several exam cycles to surface.  CFPB cut right to that chase in a heartbeat, which is stunning for such things.  It&#8217;s almost like someone told them where to look and what to look for, which to a certain extent is true.</p>
<p>The CFPB didn&#8217;t start as most new agencies do.  They didn&#8217;t recruit green examiners and place them under the management of a few practiced hands.  What they apparently have done is to hire well-seasoned examiners from related regulatory agencies (e.g. FDIC, FRB, OCC), have them contribute to creating the necessary procedures and then send them out to bring it all to life.  So on Day One they already know where the bodies are likely to be buried and what to do about it.  It&#8217;s brilliant, it&#8217;s efficient and it&#8217;s the very best example of your government doing its job.</p>
<p>Here are some snippets from my in-box:</p>
<ul>
<li>Regarding the three main credit reporting agencies, the CFPB released a report that said &#8220;Among the key takeaways in the report, which is one of the most comprehensive studies of credit reporting to date, are that credit card history dominates the information in credit reports and that debt collection items generate the highest rate of disputes&#8221;.  This becomes important for consumers who are trying to either establish or repair respectable credit ratings.  The news release further explained about the report that it &#8220;will help educate regulators and consumers about how this important industry works,&#8221; said CFPB Director Richard Cordray. &#8220;If consumers know how these companies handle their credit histories, they can make better decisions on how to handle their financial lives.&#8221;</li>
<li>This was another headline &#8220;CONSUMER FINANCIAL PROTECTION BUREAU HALTS ALLEGED NATIONWIDE MORTGAGE LOAN MODIFICATION SCAMS&#8221;.  The news release explained that the CFPB is &#8220;taking on schemes that prey on consumers who are struggling to pay their mortgages or facing foreclosure,&#8221; said CFPB Director Richard Cordray. &#8220;We are especially concerned with those who misrepresent government programs or websites to divert distressed homeowners from needed assistance.&#8221;</li>
<li>And even still, another headline &#8220;CONSUMER FINANCIAL PROTECTION BUREAU PROPOSES ALLOWING COMPANIES TO RUN TRIAL DISCLOSURE PROGRAMS&#8221;.  And while this may seem dry to so many not close to the related issue this is significant because right now most of us ignore all the small print.  The CFPB is trying to figure out better ways to present disclosure information so that we consumers both think to read it and, more importantly, understand what it&#8217;s telling us.  Rather than try and stuff a one-size-fits-all solution down the industry&#8217;s throat they&#8217;re opening it up and authorizing institutions and lenders to explore different approaches.</li>
</ul>
<p>And the kicker about these three items?  This was all issued this month (December 2012) and we&#8217;re not even quite halfway through it.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-dodd-frank-at-its-best/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are banks unfairly scrutinized?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/#comments</comments>
		<pubDate>Mon, 22 Oct 2012 14:09:17 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ACH]]></category>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[auditor]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[Information Technology General Controls]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[internal controls]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=993</guid>
		<description><![CDATA[A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) [...]]]></description>
				<content:encoded><![CDATA[<p>A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A&amp;B&#8221;.  To this day when anyone inquires as to what I do for a living this surfaces in some form as an answer.</p>
<p>Truth be told, while I&#8217;ve spent somewhere near seventy-five percent of my time over the past ten years working for financial institutions I&#8217;ve also done a fair amount of work for insurance companies, mostly centered on SOX with occasional diversions into general risk assessment work.  The drivers in the insurance industry are different in terms of oversight and requirements and so the volume of work isn&#8217;t nearly the same.  But that by itself begs a question: Why isn&#8217;t the insurance industry as regulated as financial institutions?</p>
<p>I&#8217;ve now done major audit and assurance work for financial institutions, insurance companies and health care providers and for most of them the risk profile is almost identical in terms of non-public personal information.  So why isn&#8217;t the level of scrutiny equal across all three of them?  While some might start spouting about how it is, about how states routinely audit insurance companies and how the health care industry has to comply with HIPAA the truth is that banks and credit unions are held to a much higher degree of accountability than any other vertical.  Why is that?</p>
<p>I&#8217;m fond of routinely, almost incessantly beating the drum about how it&#8217;s all about the risk.  I get my initial client opportunities because I have a deep resume with relevant experience but I generate repeat business because I tend to whittle things down to what matters most both to my clients and to their oversight providers (auditors and examiners alike).  Compliance exists because risks need to be addressed &#8211; if the risks aren&#8217;t credible or likely the work should be adjusted to reflect that.  But where the risks are real they&#8217;re really real.  The type of data shared with an insurance company is in many ways even more sensitive than anything shared with a bank and most of what&#8217;s shared with insurance companies is also shared with health care providers.  Yet there&#8217;s no true Federal oversight for the insurance industry and HIPAA is about as much of a toothless tiger as anything I&#8217;ve ever encountered.</p>
<p>I recently completed a boatload of documentation to get my family on a new health insurance plan.  I turned over every piece of sensitive information I have for every member of my family minus my bank account information because that&#8217;s what was required.  I had to provide all of this online and follow that up by sending them an impressive array of hard-copy documents with even more sensitive information that should never be kicking around in the public domain.  In the past I&#8217;ve also been required to provide my bank account information because one plan in particular would only provide coverage if they could automatically deduct monthly premiums via ACH drafts.  So now the insurance industry has access to it all; name, address, social security number, date-of-birth, maiden name, medical history and banking information.  And yet there&#8217;s no true oversight agency that&#8217;s responsible for making sure they&#8217;re protecting all of MY information.</p>
<p>To compound my frustration, of the four insurance companies I&#8217;ve conducted work for since 2006 (two of which are Fortune 500s) exactly none of them have something akin to a Chief Information Security Officer.  They all have risk people focused on the business side of things (because that&#8217;s necessary to protect profitability) but that&#8217;s it.  There&#8217;s typically an information security manager who&#8217;s part of the infrastructure team but who almost never reports right into the senior-most technology person (e.g. CIO, CTO).  Any audit work that occurs is coordinated across multiple IT managers and on rare occasions there will be an audit/assurance manager.  However, in the one example I personally know of where that position exists the person in the role was really just a converted IT manager who obtained a CISA designation &#8211; no fundamental audit or assessment experience.</p>
<p>The question has to be asked:  Why is it that banks and credit unions are heavily regulated regarding protection of non-public personal information but other industries with similar risk profiles are not?  Why aren&#8217;t insurance companies required to comply with FFIEC-type guidance?  Why isn&#8217;t there a Federal regulatory agency that is responsible for keeping an eye on the insurance industry the way the FDIC, OCC, FRB and NCUA do so for their financial institutions?  And trust me, whatever oversight exists for the insurance and health care industry is largely ineffective.  Why is my sensitive information considered more at risk within a banking infrastructure than it is within an insurance infrastructure?  Having been on site for both and examined their internal controls I can&#8217;t answer that question, that&#8217;s for certain.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CFPB: Filling the regulatory void left by Sheila Bair</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/#comments</comments>
		<pubDate>Sat, 21 Jul 2012 20:25:31 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Add new tag]]></category>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banking crisis]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance officer]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Dodd-Frank]]></category>
		<category><![CDATA[economy]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[lending]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[mortgage]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[NCUA Sheila Bair]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[security PII]]></category>
		<category><![CDATA[Sheila Bair]]></category>
		<category><![CDATA[social security numbers]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[third party management]]></category>
		<category><![CDATA[third party oversight]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=935</guid>
		<description><![CDATA[I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he&#8217;s just a whole lot less [...]]]></description>
				<content:encoded><![CDATA[<p>I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he&#8217;s just a whole lot less interesting to pay attention to.  And in the time since Ms. Bair stepped down I&#8217;ve just not been finding much to blog about regarding things the government is doing.</p>
<p>Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here&#8217;s why:  They focus on things that impact my day-to-day life (and yours as well).</p>
<p>I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don&#8217;t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.</p>
<p>The first CFPB update that caught my attention was labeled <a title="CFPB Regulations" href="http://www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-adopts-rule-for-the-protection-of-privileged-information/" target="_blank">12 CFR Part 1070</a> and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite their being a Federal agency they weren&#8217;t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I&#8217;ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn&#8217;t much else done to the offending examiner or their agency.  And the affected institution couldn&#8217;t really complain too loudly because it&#8217;s always a bad idea to challenge your regulators, even when you&#8217;re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I&#8217;d expect to see.  Those were the first points on the board for the CFPB.</p>
<p>The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one &#8220;<a title="Reverse Mortgage Report" href="http://www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-report-finds-confusion-in-reverse-mortgage-market/" target="_blank">Consumer Financial Protection Bureau report finds confusion in reverse mortgage market</a>&#8221;.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and their main audience is the senior citizen segment of society.  Seniors tend to be more easily misled, they&#8217;re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).</p>
<p>Here&#8217;s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven&#8217;t already done so visit <a title="CFPB - Home" href="http://www.consumerfinance.gov/" target="_blank">www.cfpb.gov</a> and take a look around.  It&#8217;s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population.  Basically it&#8217;s what I would expect from a regulator that still has that new agency smell but nothing like I&#8217;ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!  Now repay my kind words by going out and getting me some juicy enforcement stories to write about.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk: The core issue behind regulatory requirements</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/#comments</comments>
		<pubDate>Fri, 06 Jul 2012 03:18:40 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[Risk IT]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk rating]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=923</guid>
		<description><![CDATA[There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family [...]]]></description>
				<content:encoded><![CDATA[<p>There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family and they&#8217;ll tell you that I work with computers.  Ask my extended circle and they&#8217;ll tell you that I do a lot of work with banks and credit unions.  For those who aren&#8217;t in the banking business it&#8217;s difficult to understand exactly what it is that I do and so they find it easier to keep it simple; I do a lot of work with computers for places where people deposit their money.</p>
<p>Of course the truth is much more complicated.  I don&#8217;t just focus on computers; my scope expands to include anything that involves sensitive information.  While that always includes a variety of devices it also includes paper-based and people processes as well.  I frequently share stories about the enormous amount of printed content that&#8217;s to be found throughout an institution&#8217;s physical locations.  I occasionally tell stories about how careless people can be when on the phone or in conversation and sharing all manner of sensitive information.  It&#8217;s never just about computers; it is, however, always about information and how it needs to be protected.</p>
<p>Truthfully though, what I really do is search for controls that protect information, identify those that I find and try to measure their effectiveness and, more importantly, identify where controls are missing and work with my clients to remedy that.  At the heart of the regulatory requirements I focus on, it&#8217;s all about the risk introduced by the presence of information, from personally identifiable information (PII) to non-public personally identifiable information (NPPI).  Risk: It&#8217;s what drives every single project I work on, it&#8217;s what drives every product and process I help develop.  And really, if you take the time to read through the literature, it&#8217;s what&#8217;s behind just about every piece of regulation known to the banking world.  Risk, risk, risk and risk.</p>
<p>One of the reasons I&#8217;ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it&#8217;s a simple enough argument to make with fewer people to convince; everything you do to comply with the regulations should be risk-based.  It doesn&#8217;t really make a difference if it&#8217;s complicated to do or time consuming, you prioritize based on where the risks are found and make decisions accordingly.  But that gets much more difficult to do as the institutions grow in size and complexity.  Over the fifteen years I&#8217;ve been building and supporting compliance initiatives I&#8217;ve worked with Fortune 50s, 100s and 500s and a whole lot of financial institutions that merely read Fortune magazine.  But while their overall size varies widely, risk is still risk and that never changes.</p>
<p>I wish more practitioners embraced this simple concept.  While some do, many still don&#8217;t.  There&#8217;s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors.  Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess or what to look for when conducting any type of assessment, my first line of logic is to try and figure out where the greatest possible exposures are to be found.  Assessing a low-risk application yields little value no matter how complete it may be.  And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.</p>
<p>Beware the practitioner who wields a hammer for they only know to look for nails.</p>
<p>Your regulator doesn&#8217;t want you to blindly implement compliance programs; they want you to identify and manage risks, real risks.  They want to be able to understand the logic and approach being used and find credible evidence that you&#8217;re focusing your efforts on the right things.  Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and about using approaches that are appropriate for the size and complexity of your institution.  Then scan through your related program inventory and figure out if you&#8217;ve designed things accordingly.  Are they actually protecting your institution from credible threats and risks or are they just filling binders on your compliance officer&#8217;s shelves?</p>
<p>For me, professionally, I&#8217;d prefer to only ever do meaningful work, and in the audit and assurance world &#8220;meaningful&#8221; is code for &#8220;risk-based&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is new guidance really new or worth waiting for?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-new-guidance-really-new-or-worth-waiting-for/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-new-guidance-really-new-or-worth-waiting-for/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 14:43:00 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[cloud]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[regulatory guidance]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=753</guid>
		<description><![CDATA[But what if the guidance falls short of what's necessary to get the job done?  What if it only frames the problem but doesn't actually tell you how to solve it?  Remember, the primary purpose of guidance is to raise awareness to the issue but not necessarily how to fix it.]]></description>
				<content:encoded><![CDATA[<p>Oh how the times have changed.  Once upon a time I was part of a group of peers who waited for new album releases, camped out overnight for concert tickets and once even waited on line for the annual release of Strat-O-Matic&#8217;s baseball set (perhaps the nerdiest thing I&#8217;ve ever done).  And all of this was done with genuine anxious anticipation.  Now I&#8217;m part of a group who has been nervously drumming their fingers on the virtual table waiting for the FFIEC to release its new guidance on Internet-based application authentication.</p>
<p>Seriously, it&#8217;s a big deal.  And so far it&#8217;s much ado about nothing.</p>
<p>I don&#8217;t know what the actual hold-up has been.  A draft of the new guidance was leaked online last year (ironic, don&#8217;t you think) and heavily circulated a while back but no one in any position of authority has offered word one as to whether or not that&#8217;s close to what the official document will look like.  But here&#8217;s my question to stakeholders throughout the banking industry: Why are you waiting for the FFIEC to spell out what you need to do?</p>
<p>I suppose if you&#8217;re committed to doing the bare minimum expected by the examiners and not interested in extending your solutions to adequately protect your customers, that&#8217;s a sound strategy.  But why do you need anyone to tell you what to do?  Shouldn&#8217;t you be continually assessing your environment, keeping current with existing and emerging threats and designing controls to rein them in?  That&#8217;s not only a solid business practice, it&#8217;s also heavily implied by, wait for it, FFIEC guidance.  That&#8217;s right folks, if you&#8217;re supervised by any of the FFIEC sponsoring agencies they&#8217;re already expecting you to conduct periodic assessments and modify your infrastructure to mitigate and manage identified risks.  But that&#8217;s really more theory than practice.  All too often management is willing to wait and see what their annual exam reveals and only address those things that the examiner cares about.  And because examiners typically operate under the constraints of limited hours they look at what they can and the rest just has to wait (and sometimes wait and wait and wait).  So while a key requirement may not be satisfied, if the examiner didn&#8217;t have time to look into it the gap remains unchanged.  Again, why does that happen?</p>
<p>I recently brought up this very topic during an internal meeting within my practice and one of our subject matter experts laughed at my naivete.  As he pointed out so matter of factly, the only reason most of the FFIEC-centric activities ever really happen is because financial institutions don&#8217;t want to fail an exam.  Rare is the management team that builds out their controls in an attempt to address the so-called &#8220;industry best practices&#8221; and instead does what they believe necessary to keep their examiners happy.  And so if the FFIEC doesn&#8217;t spell out minimum requirements to authenticate and protect online banking solutions there&#8217;s little chance the industry will move in the right direction.</p>
<p>But what if the guidance falls short of what&#8217;s necessary to get the job done?  What if it only frames the problem but doesn&#8217;t actually tell you how to solve it?  Remember, the primary purpose of guidance is to raise awareness of the issue but not necessarily how to fix it.</p>
<p>I offer as a for-instance the most recent publication from the PCI folks.  They just released a new document providing guidance for virtualized infrastructures (which is really a fancy term for cloud computing).  I&#8217;ve been somewhat outspoken on this very topic because I&#8217;m not confident that in-scope infrastructures have done enough to address traditional PCI guidance in a somewhat homogeneous environment &#8211; now these same companies are chomping at the bit to move things into the Cloud.  If you couldn&#8217;t properly secure and monitor a configuration where each device could be identified and configured, how are you going to be able to do it on a platform where you never really know where your information passes through?  But the leadership atop the PCI council at least decided to try and frame not only the challenge but also provide some direction on what to do about it.  And their guidance boiled down to this: No one can tell you how to secure relevant parts of the Cloud configuration so the only way to be properly compliant is to make the entire configuration compliant.  I&#8217;m sure that when the audience first downloaded the document they were hoping to find directions for a clear path to being able to leverage the latest and greatest technology without having to boil the ocean.  Instead they were told that you have to assess the environment and introduce PCI-related controls anywhere there&#8217;s a possibility in-scope data might pass.  With that one broad stroke of a digital pen they pretty much made Cloud computing a much more costly investment for those who need to comply.  Their guidance didn&#8217;t solve the problem, it just defined it more clearly and delivered the bad news that there would be no shortcuts available in effort or cost.  And while it may not be popular guidance it is, ultimately, right.</p>
<p>As for the FFIEC guidance I&#8217;d offer this as food for thought: If you have weak or deficient controls around online authentication your examiner is not going to give you a free pass because the new guidance is delayed.  They&#8217;re not going to let you off the hook if you&#8217;re missing something significant simply because no one told you it was missing.  You&#8217;re supposed to figure these things out for yourself, they&#8217;ve told you that time and time again.  And while I won&#8217;t know for sure until I know for sure, I&#8217;m expecting their guidance will be somewhat similar to the PCI Cloud publication where they frame the problem and summarize by telling you that you need to figure things out based on your own unique infrastructure.</p>
<p>Seriously, don&#8217;t wait for the industry to tell you what you need to do when you should already know what that is.  As Dr. Seuss advised many years ago in the great children&#8217;s book &#8220;Oh the Places You&#8217;ll Go&#8221;: Your mountain is waiting so get on your way!</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-new-guidance-really-new-or-worth-waiting-for/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does the banking industry understand what risk-based means?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-the-banking-industry-understand-what-risk-based-means/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-the-banking-industry-understand-what-risk-based-means/#comments</comments>
		<pubDate>Fri, 20 May 2011 03:29:48 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk-based]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=721</guid>
		<description><![CDATA[None of the requirements are intended to be literal.  Your regulators want you to measure twice before cutting once.  They want you to gain an understanding of where you're at risk, where you're not and then do something about it.  And they want you to periodically repeat the process.  One of the sharpest people I ever worked for and who has since ascended to become the company's CIO was fond of asking "if you can't measure it how can you manage it" and she was right.  And that's exactly what risk assessments do, they allow you to measure the problem so you can design the appropriate solutions to manage it.]]></description>
				<content:encoded><![CDATA[<p>Years ago I added an addition to my first house. After my second child arrived, we had simply run out of room and decided it was easier to expand our current living space rather than trying to find a bigger one. Plans were drawn up, work scheduled and money deposited. Two days before the first shovel was due to hit the ground, our contractor called to inform us that a recent change in town ordinances required that our crawl space be deeper than what was originally there. As a result, they would need to rip up what was in place, dig another eighteen inches deeper and pour a new foundation. Day One minus two days and the blueprints were scuttled, the schedule changed and the project under-funded (concrete ain&#8217;t cheap). But that&#8217;s just the way things tend to happen in the real world.</p>
<p>It is why I cringed when I recently heard a fellow practitioner describe a popular industry framework as a turnkey solution. Not only can you not use a framework as is, you can&#8217;t even accurately whittle it down and right-size it until you take it out for a test drive. Life happens, the world is imperfect and things don&#8217;t always align the way they should. Which is why the banking industry really needs to adjust its approach to compliance and take advantage of one of its greatest weapons in the never-ending battle to comply with the overwhelming amount of regulations &#8211; risk management.</p>
<p>Seriously, it amazes me how so many of my clients overlook this valuable discipline when setting out to build their controls frameworks. FFIEC guidance is very clear that every solution, every process, every procedure should be designed based on the size and complexity of your institution. What they&#8217;re telling you is that what might make sense for a $500 billion bank might not make sense for a $100 million credit union; you need to determine what you should have in place, and how you determine what you need ultimately comes from conducting a variety of risk assessments.</p>
<p>There&#8217;s all manner of risk (e.g. enterprise, operational, financial, information security, etc.) and an even longer list of sub-categories that belong to each of those. By identifying those myriad risk factors and assessing them properly, management is able to decide what needs to be managed, what can be mitigated, what can be eliminated and what they just don&#8217;t care about and are willing to live with. That&#8217;s how you decide what controls need to be in place and that&#8217;s when you&#8217;re ready to start leveraging the various frameworks, but that almost never happens.</p>
<p>Typically when an institution decides to build out a new procedure they download the appropriate framework and either try and use it as is or make what basically boils down to arbitrary decisions as to what should be included. It&#8217;s why I&#8217;ll often come across an information security policy that prohibits the use of company equipment to browse the Internet for non-business purposes despite the fact that they neither prevent it via web filtering nor ever enforce it. Or why policy and web-filtering both prohibit access to Facebook yet the institution has a Facebook page to support its marketing efforts. It&#8217;s how so many modest-sized banks wind up having requirements to rely on a rigorous change management process despite its being a two-man IT shop that is just about always out of compliance. No one bothered to determine what they really needed before committing to it. A risk assessment would have helped.</p>
<p>None of the requirements are intended to be literal. Your regulators want you to measure twice before cutting once. They want you to gain an understanding of where you&#8217;re at risk, where you&#8217;re not and then do something about it. Finally, they want you to periodically repeat the process. One of the sharpest people I ever worked for and who has since ascended to become the company&#8217;s CIO was fond of asking &#8220;If you can&#8217;t measure it, how can you manage it&#8221; and she was right. That&#8217;s exactly what risk assessments do, they allow you to measure the problem so you can design the appropriate solutions to manage it. This is why we hear Enterprise Risk Management (ERM) used increasingly in conversation and how it&#8217;s matured from some sort of seemingly mystical voodoo magic into the boardrooms and C-suites.</p>
<p>Honestly, it&#8217;s difficult enough to keep up with everything these days; why do more than you need to?  Why commit to conducting work without first knowing that you need to?  The banking industry wants you to work smarter, not harder (measure twice, cut once) so why not embrace it?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-the-banking-industry-understand-what-risk-based-means/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Epsilon: Why vendor management is critical.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/epsilon-why-vendor-management-is-critical/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/epsilon-why-vendor-management-is-critical/#comments</comments>
		<pubDate>Mon, 18 Apr 2011 18:22:06 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[requirements]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=701</guid>
		<description><![CDATA[Ultimately what we need is for financial institutions and Corporate America to step up and adhere to the same standards as my aforementioned painting contractor.  They need to offer full disclosure up front when they share your information with another business entity (and not just via veiled references that are poorly detailed in the fine print) and need to extend protection of that information in a way that's more explicit than tacit.  We should be able to trust that the handshakes we make and the relationships we enter into protect us in a seamless fashion.  And this shouldn't be something that's done simply because a regulatory oversight agency makes them do it but rather because it's the right way to manage their relationships.]]></description>
				<content:encoded><![CDATA[<p>A few years back we hired a local painting contractor to do some work around my house.  Upon completing his sales spiel he announced that he often relies upon subcontractors for the less skilled work and wanted to be upfront about that before we entered into any sort of deal with him.  Anyone he used was both legal and covered under his insurance and so he assured us we needn&#8217;t worry that we were relying on illegal immigrants or exposing ourselves to any unusual risks.  The first day of the project one of those subcontractors cracked the expensive glass top of our brand new oven and, true to his word, the contractor completely covered the cost of repair.  What was interesting in hindsight was how much value the contractor placed upon being able to issue such guarantees up front and how he felt it was important to illuminate his dependency upon what we in the banking industry call third-party vendors.  I wish all my business partners felt the same way.</p>
<p>Over the past few weeks I was stunned by the number of email mea culpas I received from a long list of companies I conduct business with and who were affected by the recent Epsilon email breach.  For those not already in the know, Epsilon is a third-party vendor that specializes in email and digital marketing services for thousands of businesses and as a result has one of the largest collections of valid emails in the world.  At some undisclosed point last month an undisclosed number of personal accounts were breached in a, yup, you guessed it, undisclosed manner.  And because of the breach it&#8217;s quite possible that your name and email are now in the hands of someone who plans to use it for unauthorized or unwanted purposes.</p>
<p>I find it truly amazing how many companies I choose to conduct business with who in turn choose to conduct business with Epsilon.  The breach by itself doesn&#8217;t overly concern me as my cadre of email addresses is already in widespread circulation and I can throttle what makes it all the way through to my in-box anyway.  What does concern me is how many companies used this one outfit and how, despite having such a rich repository of personal information, they still allowed for conditions to develop that resulted in the loss of data.  How could this happen and why didn&#8217;t the nearly dozen companies I do business with and who were affected by the breach make absolutely certain that my information was safe?</p>
<p>But here&#8217;s the bigger question: Who else are they doing business with that I need to worry about?</p>
<p>Seriously, think about all the information you trust to your business partners, be it a credit card company, a utility company, a doctor&#8217;s office, your bank, your financial services firm or even your grocery store.  Think about how many times you&#8217;ve filled out forms either online or in writing and turned it over to the long list of companies you routinely engage with.  They all make a big deal about security and issue disclaimer after disclaimer about how they protect your information.  But along comes a third-party vendor that they conduct business with and you no longer get to decide how your information is used or protected.  They negotiate deals, conduct varying degrees of due diligence (and by varying it could range from almost none to remarkably extensive &#8211; but usually closer to none) and typically go with the deals that best serve their interests.  And you haven&#8217;t a clue.</p>
<p>This is not a new type of risk either.  Vendor management has long been a regulatory requirement and over the past few years has been receiving greater scrutiny from the examiners.  But you&#8217;d be amazed by how many business entities and financial institutions I&#8217;ve encountered who either don&#8217;t do enough or anything meaningful at all to address this properly.  I often encounter vendor management programs that are really just spreadsheet repositories with pitifully thin information and a lack of supporting documentation.  And the majority of financial institutions tend to focus what efforts they do make on those vendors they deem as critical &#8211; whose numbers can usually be counted on one hand.  I wonder how many of the companies affected by the Epsilon breach either had a vendor management program in place to manage that relationship or had them listed as a critical vendor.  And if they did, what information did they collect to assess the related (and required) controls and how did they arrive at the conclusion that they were properly managing sensitive data?</p>
<p>Remember, GLBA requires that the rules that govern how a bank manages non-public, personal information (NPPI) also extend to the vendors that bank conducts business with.  And so the Epsilon breach cannot be considered a separate and distinct breach; those institutions that use its services are directly responsible for what happened.  What will likely occur should the issue be pressed is that Epsilon&#8217;s business partners will wave copies of a recent SAS 70 in the air and claim they did everything reasonable to protect their customers&#8217; data.  But the truth is that reports such as SAS 70s are more subjective than we&#8217;re led to believe and typically only prove that functioning controls are functioning &#8211; it&#8217;s rare to encounter a SAS 70 that details failed controls.  And so you have to question who your business partner is in turn doing business with because as a byproduct of that relationship you&#8217;re now also doing business with them even if you&#8217;ve never heard of them before.</p>
<p>Ultimately what we need is for financial institutions and Corporate America to step up and adhere to the same standards as my aforementioned painting contractor.  They need to offer full disclosure up front when they share your information with another business entity (and not just via veiled references that are poorly detailed in the fine print) and need to extend protection of that information in a way that&#8217;s more explicit than tacit.  We should be able to trust that the handshakes we make and the relationships we enter into protect us in a seamless fashion.  And this shouldn&#8217;t be something that&#8217;s done simply because a regulatory oversight agency makes them do it but rather because it&#8217;s the right way to manage their relationships.</p>
<p>How is it that my painting contractor understands the value of full disclosure and extending trust to every facet of his business relationships but the Ivy League-ish educated leaders of America don&#8217;t?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/epsilon-why-vendor-management-is-critical/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Hard Lesson Learned in Japan&#8217;s Disaster</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/a-hard-lesson-learned-in-japans-disaster/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/a-hard-lesson-learned-in-japans-disaster/#comments</comments>
		<pubDate>Fri, 25 Mar 2011 14:48:38 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[business continuity]]></category>
		<category><![CDATA[business continuity plan]]></category>
		<category><![CDATA[business continuity planning]]></category>
		<category><![CDATA[disaster]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=670</guid>
		<description><![CDATA[But under either scenario it's almost entirely likely that the person(s) who stole the money had an idea about what to do and took advantage of the situation.  I mean, they obviously entered the bank after the disasters struck and they weren't likely looking for survivors if they were of a mindset to grab what had to be a sizable physical haul.]]></description>
				<content:encoded><![CDATA[<p>There will be no shortage of industry articles and analysis that will emerge from the horrific events in Japan over these past few weeks, that&#8217;s for certain.  This is arguably the most significant event to hit a major regional economy since World War II and it&#8217;s important to learn as many lessons from this tragedy as is possible.  My family are fans of the television show &#8220;Seconds from Disaster&#8221; and one thing it strives to illuminate is that by understanding what went wrong it&#8217;s often possible to make sure it won&#8217;t happen again.</p>
<p>Japan&#8217;s tragedy will serve as a fertile source of both proving and disproving the myriad business continuity and disaster recovery techniques being used around the world today.  The most prepared and best trained companies will have very likely fared about as well as could be expected while those who weren&#8217;t, those who either had partially baked plans or no plans at all will be lucky to survive in any measurable way.  And it&#8217;s hard to imagine that most companies didn&#8217;t have plans to deal with earthquakes and tsunami&#8217;s because they&#8217;re credible and consistent threats in the region.  But after a quarter century in corporate life and little more than half those years focusing on audit and compliance I&#8217;m no longer surprised by anything I encounter.</p>
<p>However there was one story to emerge from Japan this week that I found to be quite shocking.  It was about how a banks vault came open during the series of events and someone stole forty million yen (about $500k USD).  It happened in the prefecture of Myagi in a town known as <span>Kesennuma</span> and police said that <span>between the wave’s power and the ensuing power outages, the vault came open.  What with all the flooding and chaos it took more than a week for someone to get back into the building and discover what had happened.</span></p>
<p>For many the story seemed plausible if not mildly amusing because who wouldn&#8217;t love to wander into a bank and be able to scoop up all the cash floating around.  And because in this particular situation no one died or was hurt as a result it&#8217;s benign enough to be more entertaining than tragic.  It sort of reminded me of a scene in the movie &#8220;Groundhog Day&#8221; where Bill Murray&#8217;s character figured out the perfect timing to be able to steal a bag of cash out of the back of an armored truck.</p>
<p>But I sort of have a problem with this story because I don&#8217;t think it happened the way it&#8217;s being portrayed.  My very first thought upon reading the details was that either someone left the vault door open as they were fleeing the bank or someone who knows a thing or two about how to open a vault went back in after the fact and exploited the situation to their advantage.  The odds that a vault door simply flew open due to what was really a massive flood at that point just don&#8217;t hold up under scrutiny.</p>
<p>Have you ever actually seen what a door on a bank vault looks like?  I have and I&#8217;ve probably seen about three dozen or more since I started working in the banking sector and I couldn&#8217;t think of how any one of them, if closed properly, would ever just come open due to rushing water for a relatively short period of time.  First of all they&#8217;re all seated within a metal frame and so for the rods or pistons that create the seal to come undone the metal itself would need to have been bent or twisted.  Second, they weigh a ton (not as much of an exaggeration as you might think).  Even the weakest vaults I&#8217;ve encountered have doors that have some serious density to them and would not likely bend under most natural forces.  I would sooner believe that the walls that the door and its frame were attached to failed than believe that the door simply &#8220;flew open&#8221;.</p>
<p>If I had to put my most skeptical mindset to use I would venture a guess that the person responsible for making sure the vault was properly closed before safely exiting the building rushed through the procedure, didn&#8217;t properly lock the vault and in their heightened state of panic just didn&#8217;t think about it.  While that&#8217;s the most likely scenario the second most likely version is that someone who knows how to open the vault door and who knew after a day or so that no one would ever be concerned with theft while there were still lives to save made their way into the crippled building with its security systems down and manually opened the door and had at it.  But under either scenario it&#8217;s almost entirely likely that the person(s) who stole the money had an idea about what to do and took advantage of the situation.  I mean, they obviously entered the bank after the disasters struck and they weren&#8217;t likely looking for survivors if they were of a mindset to grab what had to be a sizable physical haul.</p>
<p>And the thing is that there&#8217;s no viable lesson to be learned from a story such as this.  I&#8217;m certain the bank had a procedure in place that specified how all cash drawers were to be placed in the vault and that the vault itself should be locked upon exiting during a disaster.  While in certain physical disaster scenarios it&#8217;s possible to install an individual to monitor the facility during and after the event this wasn&#8217;t one of those times as everyone needed to flee the area.  And having someone come back the next day to keep an eye on things was probably the last thing anyone associated with the bank was concerned with (and rightfully so) as they had lives to save and keep safe.</p>
<p>So no usable lesson to learn and probably no way to ever find out what really happened.  For my money I hope they find the people behind this because it makes me angry to think that while so many people struggled to search for survivors or to recover bodies there were people looking to profit from the situation.</p>
<p>And if there&#8217;s anything for the BCP community to glean from this story it&#8217;s that no plan can truly account for every possible scenario.  It&#8217;s a hard lesson to learn but perhaps one that serves a purpose if for no other reason than to underscore the need for adequate insurance coverage.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/a-hard-lesson-learned-in-japans-disaster/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Is the U.S. banking crisis over?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/banking-crisis-over/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/banking-crisis-over/#comments</comments>
		<pubDate>Mon, 17 Jan 2011 13:55:14 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[bank closing]]></category>
		<category><![CDATA[bank closings]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banking crisis]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[foreclosure]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=594</guid>
		<description><![CDATA[So I'm thinking that until the concept of foreclosure returns to its previous status as rare and uncommon, the banking crisis is not quite over.  Until the value of a bank's portfolio is solid and reliable the bank itself cannot be.  It's just plain common sense.  I'm no economist and I'm no real estate expert but I can't figure out how anyone can legitimately declare the crisis over until the underlying cause is satisfactorily addressed. ]]></description>
				<content:encoded><![CDATA[<p>As my professional mind started winding down this evening in anticipation of the weekend, my thoughts started drifting towards yard work and time with the family. Then my Droid started chirping its little sing-song of alerts as a round of emails hit my inbox and I was brought back to reality for a little longer.  It was the usual blast of junk email, some personal correspondence and because it&#8217;s Friday evening, a notification or two from the FDIC regarding bank closings.</p>
<p>It started me thinking about how that sort of thing seems to have tapered off lately. I went back and searched my inbox for all FDIC correspondence over the past three months and I&#8217;m fairly confident it revealed a trend that such activities slowed down. Then I remembered a story I read today about how the bigger banks (e.g. Citigroup, Bank of America, etc.) are expecting to restore the issuance of dividends sometime this year for the first time in nearly three years. Fewer bank closures plus healthier balance sheets has to equal the end of the crisis, right? I mean, what other indicators are you going to look for to prove such a theory?  Bigger banks are generating profits, surviving banks are managing to keep their balance sheets sufficiently above water, so now we can all breathe a collective sigh of relief, finally.  What a great way to end the week and sail off into a three-day weekend, right?</p>
<p>But then I remembered another story I&#8217;ve been tracking, the one about how analysts expect 2011 to set all kinds of ugly records for foreclosures of private residences.  One expert estimated that nationwide 1 in 50 homes will experience some form of foreclosure activity and that 1.2 million homes will actually be repossessed by the banks.  That&#8217;s a lot of housing inventory about to be added back to the books, a bundle of legal expenses about to be incurred and a tremendous hit to any bank&#8217;s balance sheet.  So in addition to not receiving the anticipated revenue from the lost loans, the banks now have to face the harsh reality that much of the real estate coming back onto their books isn&#8217;t worth quite what they appraised it for when the loan was issued. It makes me think that while the rate of closings might be slowing, it&#8217;s nowhere near the end.  Plus as I&#8217;ve shared with you in the past, banking industry insiders that I&#8217;ve talked to are firm in their belief that until the commercial real estate market experiences a serious correction, the bleeding can&#8217;t end and the healing can&#8217;t begin.</p>
<p>If you want to gain a visual understanding of the enormity of the foreclosure crisis beyond just numbers, check out the Google Maps real estate feature which allows you to display foreclosed properties in any view. I played with it a bit and was stunned by how much of just about any geographic area I have connections to was covered in little red dots.  Seriously, seeing it in front of me like that was shocking despite my being intimately aware of the numbers.</p>
<p>So I&#8217;m thinking that until the concept of foreclosure returns to its previous status as rare and uncommon, the banking crisis is not quite over. Until the value of a bank&#8217;s portfolio is solid and reliable, the bank itself cannot be.  It&#8217;s just plain common sense. I&#8217;m no economist and I&#8217;m no real estate expert but I can&#8217;t figure out how anyone can legitimately declare the crisis over until the underlying cause is satisfactorily addressed. Plus I still know way too many people who are out of work or who are certain they&#8217;re about to be; what&#8217;s going to happen when they run out of savings?</p>
<p>I want this to be over as much as anyone (probably more considering too many of our clients are still worried about keeping their doors open and not so much about standard compliance issues).  But I&#8217;m not going to believe we&#8217;ve turned any corner in a meaningful way until those Friday FDIC bank closing emails return to their previous status of being rare and unusual.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/banking-crisis-over/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New year advice on developing a business continuity plan</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/new-year-old-advice/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/new-year-old-advice/#comments</comments>
		<pubDate>Sat, 08 Jan 2011 17:41:21 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[bcp]]></category>
		<category><![CDATA[BIA]]></category>
		<category><![CDATA[business continuity plan]]></category>
		<category><![CDATA[business impact analysis]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=588</guid>
		<description><![CDATA[Like all compliance requirements there's real value to be derived from addressing them properly and you shouldn't need an examiner, an auditor or a blogger to point that out.  It's the first week of the first month of a new year; is there a better time to plan reviews of your key procedures and activities?]]></description>
				<content:encoded><![CDATA[<p>One of the first things I had to work on this week (and thus one of the first things to work on in the new year) was finalizing a report from last year. The report covered the results of a Business Continuity Plan desktop test and the client needed some clarifications around the results.</p>
<p>I&#8217;ve been working on BCPs since the late &#8217;90s, cutting my teeth on a plan for the technology business unit I worked in at Citigroup and have continued working with clients on their plans in a variety of business verticals in the years since.  Whether the client is a multi-billion dollar enterprise or a single branch bank, there remain commonalities that defy the entity&#8217;s complexity. On one hand it&#8217;s difficult to compare the plan I worked on at Citigroup to one I recently reviewed at a banking client with a single physical location (everything was quite literally under one roof) but on the other hand, the key elements were exactly the same.</p>
<p>Ask questions about who is responsible for activating the plan, who has copies and where they are located and you&#8217;d get similar replies (mostly shoulder shrugs, lots of &#8220;um&#8217;s&#8221; and finger tapping).  Select a sampling of employees and ask them what they&#8217;d do in the event of a business disruption and you&#8217;ll get a wide range of answers that are typically intelligent and sensible but have nothing to do with what&#8217;s documented in the plan. Review the plan and conduct a logical walk through to determine if someone without intimate knowledge of the various sections could rely on it in order to help navigate through a disruption and you&#8217;re likely going to have a list of questions longer than your own arm. Of course one of my favorite measures of a plan&#8217;s effectiveness is to gauge its overall size and complexity relative to the entity it&#8217;s supporting. The single branch banking client had a binder filled with a plan that was nearly twice the size of the one I worked on at Citigroup.  Despite the fact that the Citigroup entity clearly dwarfed the small banking client, you couldn&#8217;t tell from the plan.  I&#8217;m not suggesting there&#8217;s a size rule to apply but typically the thicker the plan the less effective it becomes after a certain point.</p>
<p>However, the reason we&#8217;re talking business continuity to kick-off the new year isn&#8217;t so I can rant but rather to illuminate an important aspect of a BCP (and perhaps any of your regulatory activities as well).  Your business environment is dynamic, it&#8217;s ever-changing with new considerations, concerns and risks emerging almost daily.  Employees come and go, business needs change to keep pace with the economy and your physical and logical infrastructure changes to accommodate both.  It&#8217;s just about impossible that any plan you developed last year remains relevant this year.  Thus the reason why the FFIEC guidance hammers home the point about conducting frequent risk assessments and conducting periodic reviews of your key compliance activities.  You simply cannot rely upon any documented procedure that hasn&#8217;t been reviewed recently and assessed for accuracy and relevance.</p>
<p>In terms of a BCP, you need to conduct an annual business impact analysis to determine if each critical area of the institution is properly factored into the plan, if the area&#8217;s needs have changed since the last update and if the current set of procedures adequately support its needs. You need to update your contact lists, inventories and your escalation plans.  You need to reissue the updated plan and make sure that all stakeholders are aware of its changes and have access to the new version readily available. Perhaps the most important recurring activity is to conduct a basic test of the BCP to ensure that it will work and that your staff knows how and when to rely on it.</p>
<p>As for the client for whom the report was issued, they&#8217;re in good shape.  The test revealed some common issues (e.g. critical stakeholders&#8217; answers were often extemporaneous and did not come from the plan itself, many in the room did not think to bring a copy of the BCP) but by and large they did well. They did well because the plan had been updated earlier in 2010 and reflected what they knew had to be done in the event of a disruption. Although they didn&#8217;t rely upon the actual document, they didn&#8217;t need to because they were the ones who contributed to its content and were able to react rather than read. Unfortunately they&#8217;re part of the minority because typically the plans I review are detached from reality to the point where they&#8217;re almost fictional and almost completely useless as written.</p>
<p>Like all compliance requirements there&#8217;s real value to be derived from addressing them properly and you shouldn&#8217;t need an examiner, an auditor or a blogger to point that out. It&#8217;s the first week of the first month of a new year; is there a better time to plan reviews of your key procedures and activities?</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/new-year-old-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
