Truth be told, while I’ve spent somewhere near seventy-five percent of my time over the past ten years working for financial institutions I’ve also done a fair amount of work for insurance companies, mostly centered on SOX with occasional diversions into general risk assessment work.  The drivers in the insurance industry are different in terms of oversight and requirements and so the volume of work isn’t nearly the same.  But that by itself begs a question: Why isn’t the insurance industry as regulated as financial institutions?

I’ve now done major audit and assurance work for financial institutions, insurance companies and health care providers and for most of them the risk profile is almost identical in terms of non-public personal information.  So why isn’t the level of scrutiny equal across all three of them?  While some might start spouting about how it is, about how states routinely audit insurance companies and how the health care industry has to comply with HIPAA the truth is that banks and credit unions are held to a much higher degree of accountability than any other vertical.  Why is that?

I’m fond of routinely, almost incessantly beating the drum about how it’s all about the risk.  I get my initial client opportunities because I have a deep resume with relevant experience but I generate repeat business because I tend to whittle things down to what matters most both to my clients and to their oversight providers (auditors and examiners alike).  Compliance exists because risks need to be addressed – if the risks aren’t credible or likely the work should be adjusted to reflect that.  But where the risks are real they’re really real.  The type  of data shared with an insurance company is in many ways even more sensitive than anything shared with a bank and most of what’s shared with insurance companies is also shared with health care providers.  Yet there’s no true Federal oversight for the insurance industry and HIPAA is about as much of a toothless tiger as anything I’ve ever encountered.

I recently completed a boatload of documentation to get my family on a new health insurance plan.  I turned over every piece of sensitive information I have for every member of my family minus my bank account information because that’s what was required.  I had to provide all of this online and follow that up by sending them an impressive array of hard-copy documents with even more sensitive information that should never be kicking around in the public domain.   In the past I’ve also been required to provide my bank account information because one plan in particular would only provide coverage if they could automatically deduct monthly premiums via ACH drafts.  So now the insurance industry has access to it all; name, address, social security number, date-of-birth, maiden name, medical history and banking information.  And yet there’s no true oversight agency that’s responsible for making sure they’re protecting all of MY information.

To compound my frustration, of the four insurance companies I’ve conducted work for since 2006 (two of which are Fortune 5oo’s) exactly none of them have something akin to a Chief Information Security Officer.  They all have risk people focused on the business side of things (because that’s necessary to protect profitability) but that’s it.  There’s typically an information security manager who’s part of the infrastructure team but who almost never reports right into the senior-most technology person (e.g. CIO, CTO).  Any audit work that occurs is coordinated across multiple IT managers and on rare occasions there will be an audit/assurance manager.  However in the one example I personally know of where that position exists the person in the role was really just a converted IT manager who obtained a CISA designation – no fundamental audit or assessment experience.

The question has to be asked:  Why is it that banks and credit unions are heavily regulated regarding protection of non-public personal information but other industries with similar risk profiles are  not?  Why aren’t insurance companies required to comply with FFIEC-type guidance?  Why isn’t there a Federal regulatory agency that is responsible for keeping an eye on the insurance industry the way the FDIC, OCC, FRB and NCUA do so for their financial institutions?  And trust me, whatever oversight exists for the insurance and health care industry is largely ineffective.   Why is my sensitive information considered more at risk within a banking infrastructure than it is within an insurance infrastructure?  Having been on site for both and examined their internal controls  I can’t answer that question, that’s for certain.

Which is why I don’t much care for any manner of compliance-based assessments that are self-administered.

Companies have had this crazy notion for more than a decade now that the best way to identify and address risks inherent within the infrastructure is to ask key stakeholders a somewhat generic set of questions and use their responses to figure out what’s what.  Most of the time the people driving these initiatives are either information security professionals or corporate compliance people who either believe they already know where the problems are or are looking for the simplest and easiest way to satisfy some requirement.  But what they often fail to grasp is that it’s almost impossible to draft a common set of questions that either apply to the vast majority or worse, will be interpreted consistently across the stakeholder population.  Plus the perceived benefit of using a self-assessment approach to reduce effort and required support resources is almost always an illusion.  Most of the time saved in not having someone ask the questions and record the answers is instead consumed by needing to explain the format, explain the questions or trying to clarify and clean up the responses.  While supporting one such program recently each assessment required a kick-off meeting, a follow-up meeting to review the status of the assessment, a third meeting to review the initial draft of the questionnaire, a fourth meeting to review the resulting report(s) and a largely untracked number of hours to help generate all of the related support documentation.  Regardless of the size of the entity being assessed each one consumed somewhere close to eight hours.  While that might seem like a scary large number, the really scary part was that based on which risk analyst was responsible for the assessment and the personality/mindset of the stakeholder completing it the results looked very different from one another.  It was almost impossible to generate meaningful metrics across the assessment population because a “Yes” answer for one question might mean the same as an “N/A” in another; there was no way to know that.

Another issue I’ve always had with the self-assessment approach is that while some stakeholders take it seriously and do a remarkably thorough job, others race through it with little hesitation just to fill in the blanks and get it off their desk.  Sometimes you can detect which is which, sometimes you can’t.  Plus the approach fails to capture much of the rich and relevant information related to each question and the underlying risk behind it.  I recall conducting a team-driven risk assessment years ago where one stakeholder after the next covering a very broad sampling of the infrastructure kept lamenting on the lack of a proper disaster recovery plan.  They had something to show auditors/examiners but to a person no one believed it was a truly viable plan.  All but the CIO brought it up as a concern and when pressed a bit about why that was they all shared a common concern: If their main office was closed unexpectedly for twenty-four hours, regardless of the reason, they were likely out of business.  A related self-assessment question would ask “Do you have a current and recently tested DR plan?” – most respondents on that engagement would simply have selected “Yes” and moved on to the next question without ever being challenged to share their concerns.  Where’s the value in having a repository of questions and answers when it fails to capture the true essence or dimension of risk? 

And the biggest issue I’ve always had with self-assessment questionnaires and their related templates is that they’re so often poorly designed.  I can guarantee you that each of them has at least one question which makes zero sense to anyone who reads it.  They either answer it based on what they think it’s asking, answer with an “N/A” or require follow-up with the people managing the process to have it explained.  And you’d be amazed how many times even the author is challenged to provide a meaningful answer (including this guy).  One thing’s for certain, a self-anything needs to be designed and written so that everyone understands what they need to do without having their hand held.  Plus it’s rare that questionnaires are customized so that each stakeholder is only asked those questions that truly make sense.  An application owner should never be asked if their anti-virus solution is current and up-to-date.  A business process owner should never be asked about software change management.  Yet seldom have I encountered a self-assessment process which does anything like this and so the audience is burdened with time consuming yet unnecessary questions.

Really though in the end my overriding problem with the self-assessment approach is that it fails to capture the expertise and guiding hand of true risk and assurance people.  The process is often supported by analysts who don’t really have a feel for conducting assessments and are satisfied that all of the blanks are filled in.  I have a nose for when there’s something beyond a simple answer and know when to scratch at the surface to bring it to light.  By not allowing expert hands to guide the process potentially huge amounts of valuable and possibly critical details are being missed thus undermining any perceived value of the process.  When you consider that all tolled and tallied the self-assessment approach versus the guided assessment approach doesn’t really save you much time (if any) and that it results in a weaker finished product, why would you elect to use it?   One answer is that regulators push for it because perhaps it’s better than nothing (I can’t get any of those I know to comment).  Another is that the people sponsoring these initiatives lack the fundamental comprehension to understand their options and chose what they perceive as the less complicated approach (again, I don’t know for sure it’s just a theory).  What I do know is that when done right a risk assessment is managements best friend, a fundamental belief behind the recent spike in ERM activity.

While recently having my car serviced the mechanic discovered a nest of some sort in the engine block, he thinks it was probably squirrels.  Because of this discovery he went searching for all the wired connections to make sure they weren’t chewed up and destroyed, quite a few were as it turns out (the car had been idle for several months).  The bill only added the cost of the replacement wires but nothing significant for the time it took to first find which were affected and then replace them.  Had I attempted the repair myself I might have noticed the nest and likely would’ve cleared it but know for certain I never would’ve thought to check the wires, where to look for them or what to look for.  I was smart enough to rely on a professional with a nose for that sort of thing and it saved me time, money and best of all the aggravation of having the car break down somewhere unexpectedly.  Good thing I didn’t go the self-repair route.

Here’s the sequence of events:

Wednesday morning I received an email alert from a company I use that my automatic monthly payment was declined.  Knowing full well it wasn’t a balance issue I assumed correctly that my bank had cancelled the card.  As I travel extensively and rely on the card exclusively I made my way to a local branch later that morning.  Along the way I called into the service center and confirmed my suspicions, that Visa informed the bank that my card was part of a range of numbers that was possibly exposed via a breach.  I asked if it was possible to learn the name of the offending vendor and was told (same as last time) that Visa doesn’t share that information.  As I am now a two-time victim it’s easy to spot the trend and hard to ignore the possibility that it might have involved the same vendor both times.  It wound up taking three visits to a branch to straighten me out and actually get a functioning card in my wallet.  The inconvenience is more than benign as I use the card in several places and will now need to make manual, one-off payments with the temporary card while awaiting the permanent card so that I can update the affected accounts.  By the time this is all said and done it will have resulted in my exhausting more than a half day of billable time trying to fix a problem I didn’t create.

A few things need to change.

• First, as part of the breach notification the card issuer needs to share with the cardholder the source of said breach.  I’ve been hit twice in six months, there’s a better than even chance that it involved the same vendor and/or processor and I deserve to know if that’s true.
• Second, affected cardholders should receive status updates providing details about the breach including the suspected source, the techniques potentially used and a description of any follow-up actions including investigative and (hopefully) criminal prosecution.
• Third, issuers need to have a better system in place to address breaches.  The fact that I have to overtly take action in order to replace the card is a joke.  I’m a billable resource and taking time out to wait to talk to a customer service representative results in loss of income; I’m being punished twice as a result.  I should have been offered the option to have a card overnighted to me or have been able to receive a card at any teller window and have it activated right there and then (I had to first activate at an ATM before I could use the temporary plastic).  The card replacement process needs to be streamlined.

We collectively as an industry and a society need to accept that both identity and card theft is a mainstream occurrence and adjust accordingly.  Legislation is needed to further insulate the victims (like me) from any extended damage or inconvenience and ensure as smooth a process as possible to allow us to continue living our lives.  Because right now I don’t just feel like a victim, I feel like I’m being punished for being one and treated like I simply don’t matter.

Hey Washington, make the industry tell us what’s going on and to treat the consumers better!

Oh, and PCI Security Standards Council, how’s that framework working out for you?  I’m thinking the only one benefiting from your content are the practitioners making money by supporting it.

Seriously, something needs to change.

Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here’s why:  They focus on things that impact my day-to-day life (and yours as well).

I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don’t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.

The first CFPB update that caught my attention was labeled 12 CFR Part 1070 and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite their being a Federal agency they weren’t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I’ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn’t much else done to the offending examiner or their agency.  And the affected institution couldn’t really complain too loudly because it’s always a bad idea to challenge your regulators, even when you’re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I’d expect to see.  That was the first points on the board for the CFPB.

The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one “Consumer Financial Protection Bureau report finds confusion in reverse mortgage market“.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and its main audience is the senior citizens segment of society.  Seniors tend to be  more easily misled, they’re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).

Here’s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven’t already done so visit www.cfpb.gov and take a look around.  It’s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population.  Basically it’s what I would expect from a regulator that still has that new agency smell but nothing like I’ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!   Now repay my kind words by going out and getting me some juicy enforcement stories to write about.

Here’s my reply:

“It’s no longer even a matter of whether or not your institution has time to track the various activities and statuses, it’s quickly becoming a measurable practice of its own within the oversight circles. We’ve recently encountered several exam comments addressing the concept of compliance management which focuses on how an institution demonstrates a working knowledge of and compliance with the broad spectrum of requirements.

I think the days of last minute program (policy and procedure) updates and testing in the days leading up to an exam are near an end; the examiners are quickly losing their appetite to allow such flexibility and are expecting management to clearly establish that they’re taking compliance seriously.”

I’m sharing this exchange with you for a couple of reasons.  First, my reply was one of four and quite literally each answer seemed to be addressing four separate questions which I found both curious and concerning.  One person interpreted the question to be about keeping up with newly emerging and changing laws, one person replied as if though it was about keeping track of what needs to be done internally and one person thought it was more about governance and engaging stakeholders.  And while I’m not sure which, if any of us answered the question correctly I am certain that all four brought out into the open the bigger issue which is how does anyone keep up with the speed at which compliance is evolving?

Which brings me to my second reason for bringing up the exchange.  Are you prepared to demonstrate to an examiner how you manage all of your compliance initiatives?  If not you’d better get busy because it’s something you’re likely going to need to do in the near future.  There have been at least two clients my practice works with that have recently shared with us that their examiners have been slicing off time reviewing what’s being called “compliance management”.  Simply put it’s the overall approach an institution takes to tracking the various regulations and ensures that they’re complying where applicable.

What that means to you is that it’s no longer enough to present the various program artifacts upon request to the examiner, you now have to demonstrate how you track each of those elements and determine their status.  It also means that you have to demonstrate an awareness of new and/or changing requirements and maintain some measure of program change management.  Gone are the days of pulling a new program together in the days leading up to the exam just so you have something to show for it.  Gone too are the days of scrambling to bring everything up-to-date via herculean efforts by logging long nights and weekends in the weeks leading up to the kick-off meeting.

I remember how when Red Flags was about to go live back in 2008 I asked an audience I was presenting to how many had their programs board approved and in-place with only a few hands going up.  I asked how many expected to have their program at least finalized by the go-live date and again only a few hands went up.  But when I asked how many planned to wait until two weeks before their next exam to get around to designing something almost the entire room laughed and then sadly raised their hand.  But those days are about to come to an end.

Ultimately what I’m thinking is going to happen is that this import shift in oversight strategy is going to accelerate the adoption of the principles of GRC.  I’ve been beating that drum quite a bit lately (even more than usual) and am all the more confidant that my thinking is right.  An important element of GRC is the ongoing monitoring (governance) of the various risk and compliance activities and that’s what your examiners are going to be looking for.  My best guess is that we’re about a decade away from widespread acceptance and that GRC will follow a growth curve similar to that recently charted by ERM.    Right now GRC seems a bit exotic to senior management and more theoretical than practical but that will continue to change.  As more practitioners incorporate elements of the methodology into how they meet the various challenges it will become increasingly common-place.  And when the economy finally starts to rebound and funding isn’t as hard to come by institutions will accelerate the pace and GRC will become  part of the every day vernacular for compliance professionals and their management.

For now though practitioners like me will simply have to keep introducing elements of GRC into the solutions we develop for our clients without identifying it as such.  For those of us fortunate enough to know there’s a better way there’s no reason to wait and it’s a win-win for the institutions we work with.  As I recently advised a client in regards to an upcoming exam, have a plan, collect evidence that the plan is being followed and prove that there’s a process to periodically assess the plan for accuracy, viability and relevance.  That they liked but had I introduced it as a component of GRC I wonder if it would have appealed to them as much.

How else can you keep pace with compliance?

Whenever I’ve been engaged by a banking client to help them resolve findings surfaced during an exam, my first question almost always is “What did the examiner suggest you do about this?” which is usually met with a blank stare. When new or modified regulations are issued and go into effect, I’m fond of recommending to my clients that they contact their examiner for guidance on how best to address it. Again, the typical response is either a strange look or they pretend I didn’t say anything at all. Why is it that financial institutions are so reluctant to engage in dialogue with their examiners?

That was the spirit of the FDIC FIL. It was titled “Reminder on FDIC Examination Findings” and it was intended to remind their member institutions to work with them when dealing with findings and establish a dialogue. It pointed out that “an open dialog with bank management is critical to ensuring the supervisory process is effective in promoting an institution’s strong financial condition and safe-and-sound operation.” It further went on to point out that “if an institution disagrees with examination findings, it should address those concerns through communication with the examiner, field office management, or the appropriate regional office staff.” Good advice, but likely words falling on deaf ears (or blind eyes).

I’ve only conducted audits in my career, as I’ve never been an examiner for any of the oversight bodies. But one thing I can tell you is that when I detail a finding in an audit report it’s always accompanied by recommendations for remediation along with suggestions on how best to approach managing the work. I would never write up anyone or something where I didn’t have a clear idea about how it should be working along with a solid approach for getting there. I can assure you that by and large the same is true for your examiners. They are not only experts on measuring and assessing procedures and controls, but because they see such a wide range of solutions during their travels, they are uniquely positioned to provide guidance on how you should be doing things.

If you disagree with a finding, you need to let your examiner know. But you will need to qualify your position and articulate it in such a way so that they can consider compensating factors that they might have missed.

A few years back I coined the following definitions: an auditor is someone who knows if your answer addresses the question, a good auditor is someone who knows if you gave the right answer to the question and a great auditor is someone who knows if you offered your best answer to the question. I’m always amazed by how many findings I’ve encountered in my career where there were clear compensating controls in place to mitigate the associated risk that no one ever took into consideration. I’m also often amazed how despite a clients being aware that an examination finding doesn’t hold up under scrutiny, for similar reasons makes no attempt to discuss it with their examiner. It’s almost as if though they’re afraid to engage them in conversation lest they find even more issues to report.

The problem I suspect is rooted in the basic fear that the examiners are looking for something to write about in their reports and so the less attention you bring upon yourself or your institution the better off you are. The reason so few institutions dispute what they consider questionable findings is that no one wants to anger the person writing the report, lest they seek revenge the next time around. Of course that’s all remarkably flawed logic.

Let me share a secret with you; my favorite audits are those where I find a cooperative staff and a management team committed to running things right. It sort of inspires me to do my best work and only present them with findings that are relevant and which will help them strengthen their infrastructure in a meaningful way; and I’m certain a vast majority of examiners for the FDIC and their oversight partners are the same exact way (in large part because I know a few of them).  If you seek to forge a partnership with them you’ll find a productive relationship that winds up benefiting both sides. However, if you continue to perceive the relationship as somewhat adversarial, that’s what you’ll be burdened with.

The examination process and the people who staff the function play an important role in helping keep the industry running right. At a minimum they’re there to measure and assess their member institutions to identify issues before they grow into problems. What they’re really there to do is help you figure out how to manage things more effectively to protect depositors that fall under their jurisdiction. Fundamentally that’s what you’re supposed to be doing and so it only makes sense that you work together.

Am I advocating that “examiners are your friends, don’t be afraid?” No. I am recommending that you engage their knowledge and expertise and trust that they want to work with you. Odds are quite high that it will result in a less painful examination process and one where everyone comes out ahead. Oh and one more thought, if they recommend you manage something a certain way, it’s almost a guaranteed pass on the exam because they’re likely to think what you did was pure genius.