<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; vendor risk</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/vendor-risk/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>CFPB: Dodd-Frank at its best.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-dodd-frank-at-its-best/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-dodd-frank-at-its-best/#comments</comments>
		<pubDate>Wed, 19 Dec 2012 13:51:59 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banking crisis]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[Dodd-Frank]]></category>
		<category><![CDATA[economy]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[mortgage]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[requirements]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[third party management]]></category>
		<category><![CDATA[third party oversight]]></category>
		<category><![CDATA[too big too fail]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>
		<category><![CDATA[vendor risk rating]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=1013</guid>
		<description><![CDATA[The campaign season that ended with last month’s presidential elections generated more debate and rhetoric than any other in my lifetime.  As I&#8217;m an outspoken person who has never shied away from a good argument I routinely found myself engaged in exchanges with a remarkably broad range of people from middle schoolers to octogenarians (and [...]]]></description>
				<content:encoded><![CDATA[<p>The campaign season that ended with last month’s presidential elections generated more debate and rhetoric than any other in my lifetime.  As I&#8217;m an outspoken person who has never shied away from a good argument I routinely found myself engaged in exchanges with a remarkably broad range of people from middle schoolers to octogenarians (and that was just within my own family) that delved into an even broader range of issues.  I was amazed by how much misinformation was being spread about both candidates, what their platforms were, what their agendas were (both published and hidden) and how voting for one or the other was guaranteeing the downfall of our great nation.  Generally I took most of what I heard with a grain of salt and tried to work patiently through things to get as close to the truth as possible.  On a few occasions, though, I was presented with an assertion or opinion that required a little less patience and a bit more slapping upside the head.</p>
<p>Right after one of the debates I found myself knee deep in a debate about Dodd-Frank.  A close personal friend of mine, a very bright bulb who I’ve never found a reason to disagree with, brought up Dodd-Frank as an example of horrible legislation that’s crippling banks and contributing to our horrible economic conditions.  Whoa, whoa, whoa…. rail against taxes, complain about government spending, assail the current administration for the dramatic escalation of our national debt.  But leave Dodd-Frank out of it because that’s not one of our bigger problems.  I can offer a five thousand word defense of the best parts of Dodd-Frank without even pausing to organize my thoughts but I don&#8217;t need to go that far.  I can sell its virtues in a single, simple sentence:  Any legislation that created the Consumer Financial Protection Bureau is instantly more effective than anything that&#8217;s come before it in my lifetime.</p>
<p>No, seriously&#8230; in my lifetime.</p>
<p>I&#8217;ve already screamed from the rooftops about how much I like the CFPB.  In my own geeky, nerdy way I&#8217;m proud to admit that I look forward to getting their regular updates and announcements because they always seem either ridiculously relevant or illuminate how they&#8217;re hot on the heels of yet another predatory business practice.  In barely a year&#8217;s time they&#8217;ve pushed deeper into the heart of the issues that crashed Wall Street in 2008 than anyone could have hoped (that&#8217;s my opinion but one I&#8217;m willing to defend).  And their examiners appear to be freaky efficient.  I&#8217;ve been hearing from our banking clients that they&#8217;re drilling in on details and covering more territory than was expected and that they&#8217;re discussing issues much closer to protecting customers (and members).  Our practice recently issued a bulletin to our clients alerting them to the fact that CFPB examiners are expecting related oversight to be pushed down to external business partners and vendors.  This is not a new consideration, it&#8217;s exactly the same as what&#8217;s supposed to happen with regards to GLBA (and one of the reasons we developed our related software and services for same) but still, we anticipated this would take several exam cycles to surface.  CFPB cut right to that chase in a heartbeat, which is stunning for such things.  It&#8217;s almost like someone told them where to look and what to look for, which to a certain extent is true.</p>
<p>The CFPB didn&#8217;t start as most new agencies do.  They didn&#8217;t recruit green examiners and place them under the management of a few practiced hands.  What they apparently have done is to hire well-seasoned examiners from related regulatory agencies (e.g. FDIC, FRB, OCC), have them contribute to creating the necessary procedures and then send them out to bring it all to life.  So on Day One they already know where the bodies are likely to be buried and what to do about it.  It&#8217;s brilliant, it&#8217;s efficient and it&#8217;s the very best example of your government doing its job.</p>
<p>Here are some snippets from my in-box:</p>
<ul>
<li>Regarding the three main credit reporting agencies, the CFPB released a report that said &#8220;Among the key takeaways in the report, which is one of the most comprehensive studies of credit reporting to date, are that credit card history dominates the information in credit reports and that debt collection items  generate the highest rate of disputes&#8221;.  This becomes important for consumers who are trying to either establish or repair respectable credit ratings.  The news release further explained about the report that it &#8220;will help educate regulators and consumers about how this important industry works,” said CFPB Director Richard Cordray. &#8220;If consumers know how these companies handle their credit histories, they can make better decisions on how to handle their financial lives.&#8221;</li>
<li>This was another headline &#8220;CONSUMER FINANCIAL PROTECTION BUREAU HALTS ALLEGED NATIONWIDE MORTGAGE LOAN MODIFICATION SCAMS&#8221;.  The news release explained that the CFPB is  “taking on schemes that prey on consumers who are struggling to pay their mortgages or facing foreclosure,” said CFPB Director Richard Cordray. &#8220;We are especially concerned with those who misrepresent government programs or websites to divert distressed homeowners from needed assistance.&#8221;</li>
<li>And even still, another headline &#8220;CONSUMER FINANCIAL PROTECTION BUREAU PROPOSES ALLOWING COMPANIES TO RUN TRIAL DISCLOSURE PROGRAMS&#8221;.  And while this may seem dry to so many not close to the related issue this is significant because right now most of us ignore all the small print.  The CFPB is trying to figure out better ways to present disclosure information so that we consumers both think to read it and, more importantly, understand what it&#8217;s telling us.  Rather than try and stuff a one-size-fits-all solution down the industry&#8217;s throat they&#8217;re opening it up and authorizing institutions and lenders to explore different approaches.</li>
</ul>
<p>And the kicker about these three items?  This was all issued this month (December 2012) and we&#8217;re not even quite halfway through it.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-dodd-frank-at-its-best/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CFPB: Filling the regulatory void left by Sheila Bair</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/#comments</comments>
		<pubDate>Sat, 21 Jul 2012 20:25:31 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Add new tag]]></category>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banking crisis]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance officer]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Dodd-Frank]]></category>
		<category><![CDATA[economy]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[lending]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[mortgage]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[NCUA Sheila Bair]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[security PII]]></category>
		<category><![CDATA[Sheila Bair]]></category>
		<category><![CDATA[social security numbers]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[third party management]]></category>
		<category><![CDATA[third party oversight]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=935</guid>
		<description><![CDATA[I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he&#8217;s just a whole lot less [...]]]></description>
				<content:encoded><![CDATA[<p>I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he&#8217;s just a whole lot less interesting to pay attention to.  And in the time since Ms. Bair stepped down I&#8217;ve just not been finding much to blog about regarding things the government is doing.</p>
<p>Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here&#8217;s why:  They focus on things that impact my day-to-day life (and yours as well).</p>
<p>I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don&#8217;t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.</p>
<p>The first CFPB update that caught my attention was labeled <a title="CFPB Regulations" href="http://www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-adopts-rule-for-the-protection-of-privileged-information/" target="_blank">12 CFR Part 1070</a> and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite being a Federal agency they weren&#8217;t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I&#8217;ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn&#8217;t much else done to the offending examiner or their agency.  And the affected institution couldn&#8217;t really complain too loudly because it&#8217;s always a bad idea to challenge your regulators, even when you&#8217;re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I&#8217;d expect to see.  Those were the first points on the board for the CFPB.</p>
<p>The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one &#8220;<a title="Reverse Mortgage Report" href="http://www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-report-finds-confusion-in-reverse-mortgage-market/" target="_blank">Consumer Financial Protection Bureau report finds confusion in reverse mortgage market</a>&#8221;.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and their main audience is the senior citizen segment of society.  Seniors tend to be more easily misled, they&#8217;re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).</p>
<p>Here&#8217;s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven&#8217;t already done so visit <a title="CFPB - Home" href="http://www.consumerfinance.gov/" target="_blank">www.cfpb.gov</a> and take a look around.  It&#8217;s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population.  Basically it&#8217;s what I would expect from a regulator that still has that new agency smell but nothing like I&#8217;ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!   Now repay my kind words by going out and getting me some juicy enforcement stories to write about.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk: The core issue behind regulatory requirements</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/#comments</comments>
		<pubDate>Fri, 06 Jul 2012 03:18:40 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[Risk IT]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk rating]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=923</guid>
		<description><![CDATA[There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family [...]]]></description>
				<content:encoded><![CDATA[<p>There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family and they&#8217;ll tell you that I work with computers.  Ask my extended circle and they&#8217;ll tell you that I do a lot of work with banks and credit unions.  For those who aren&#8217;t in the banking business it&#8217;s difficult to understand exactly what it is that I do and so they find it easier to keep it simple; I do a lot of work with computers for places where people deposit their money.</p>
<p>Of course the truth is much more complicated.  I don&#8217;t just focus on computers, my scope expands to include anything that involves sensitive information.  While that always includes a variety of devices it also includes paper-based and people processes as well.  I frequently share stories about the enormous amount of printed content that&#8217;s to be found throughout an institution&#8217;s physical locations.  I occasionally tell stories about how careless people can be when on the phone or in conversation and sharing all manner of sensitive information.  It&#8217;s never just about computers, it is however always about information and how it needs to be protected.</p>
<p>Truthfully though what I really do is search for controls that protect information, identify those that I find and try and measure their effectiveness and more importantly identify where controls are missing and work with my clients to remedy that.  At the heart of the regulatory requirements I focus on it&#8217;s all about the risk introduced by the presence of information, from personally identifiable (PII) to non-public personally identifiable (NPPI).  Risk: It&#8217;s what drives every single project I work on, it&#8217;s what drives every product and process I help develop.  And really, if you take the time to read through the literature, it&#8217;s what&#8217;s behind just about every piece of regulation known to the banking world.  Risk, risk, risk and risk.</p>
<p>One of the reasons I&#8217;ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it&#8217;s a simple enough argument to make with fewer people to convince; everything you do to comply with the regulations should be risk-based.  It doesn&#8217;t really make a difference if it&#8217;s complicated to do or time consuming, you prioritize based on where they are found and make decisions accordingly.  But that gets much more difficult to do as the institutions grow in size and complexity.  Over the fifteen years I&#8217;ve been building and supporting compliance initiatives I&#8217;ve worked with Fortune 50&#8242;s, 100&#8242;s and 500&#8242;s and a whole lot of financial institutions that merely read Fortune magazine.  But while their overall size varies widely risk is still risk and that never changes.</p>
<p>I wish more practitioners embraced this simple concept.  While some do, many still don&#8217;t.  There&#8217;s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors.  Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess or what to look for when conducting any type of assessment my first line of logic is to try and figure out where the greatest possible exposures are to be found.  Assessing a low risk application yields little value no matter how complete it may be.  And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.</p>
<p>Beware the practitioner who wields a hammer for they only know to look for nails.</p>
<p>Your regulator doesn&#8217;t want you to blindly implement compliance programs, they want you to identify and manage risks, real risks.  They want to be able to understand the logic and approach being used and find credible evidence that you&#8217;re focusing your efforts on the right things.  Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and talk about using approaches which are appropriate for the size and complexity of your institution.  Then scan through your related program inventory and figure out if you&#8217;ve designed things accordingly.  Are they actually protecting your institution from credible threats and risks or are they just filling binders on your compliance officer&#8217;s shelves?</p>
<p>For me, professionally I&#8217;d prefer to always only do meaningful work and in the audit and assurance world meaningful is code for risk-based.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BITS Shared Assessment &#8211; No Free Lunch.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/bits-shared-assessment-no-free-lunch/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/bits-shared-assessment-no-free-lunch/#comments</comments>
		<pubDate>Thu, 16 Feb 2012 17:49:30 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[BITS]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ITGI]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Shared Assessement]]></category>
		<category><![CDATA[SIG]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=876</guid>
		<description><![CDATA[Since first encountering the Shared Assessment a few years back I've always thought of it as bloated, difficult to effectively apply and all at once redundant and oddly vague.  The very first time I reviewed the content I immediately thought that whoever was behind creating it must be people who get paid by the hour because any attempt at relying on it was going to be major league time consuming.]]></description>
				<content:encoded><![CDATA[<p>On Monday the BITS Shared Assessment was free, on Tuesday it cost $5,000 per year (at a minimum).</p>
<p>My first thought was that it was just like what drug dealers do &#8211; they give you free product until you&#8217;re hopelessly addicted and then start making you pay to feed that addiction.  My second thought was that I couldn&#8217;t imagine anyone actually wanting to pay for the content.  While it&#8217;s better than nothing as a framework it&#8217;s not that much better.  I&#8217;m sure there are certain pockets in the GRC industry who think that the Shared Assessment is to vendor management what COBIT is to IT governance but I certainly don&#8217;t.</p>
<p>Since first encountering the Shared Assessment a few years back I&#8217;ve always thought of it as bloated, difficult to effectively apply and all at once redundant and oddly vague.  The very first time I reviewed the content I immediately thought that whoever was behind creating it must be people who get paid by the hour because any attempt at relying on it was going to be major league time consuming.  And of course once I started investigating the companies behind developing the questionnaire(s) I realized I was spot on.  I once commented to a colleague that the questionnaire looked as though the purpose of the collective assignment was to think of every possible question you might ever want to ask a vendor, throw it into a spreadsheet and then try and organize it after the fact.  If I&#8217;ve ever truly liked it in any meaningful way it&#8217;s as a reference source when considering questions to include in customized questionnaires and assessments.</p>
<p>The folks running the show have made strides to truly make the questionnaire into a framework with accompanying methodology but in my experiences most companies simply want to leverage the content of the questionnaires and use it how they see fit.  Some have made the effort to dig through the massive pile of questions and whittle it down to something more manageable while others pretty much ship it out as is to their vendors including both the lite and full versions.  As someone whose practice often has to complete due diligence questionnaires I have to tell you that if we needed to fill out even the lite version it might be a deal breaker due to time constraints.</p>
<p>As I alluded to earlier, I think many practitioners who use the Shared Assessment think of it as being something more like COBIT.  I know COBIT and you sir are no COBIT.  It&#8217;s really intended to be used by large vendors who provide services to multiple clients as something akin to a SAS 70/SSAE 16 report.  They pay someone to complete it for them and sign off on it and when their customers look for annual proof that they&#8217;re properly controlled they can send along a copy of the completed questionnaire with management&#8217;s approval stamped on the cover.  In theory it&#8217;s a good idea but I&#8217;d still prefer a proper audit instead.</p>
<p>And it&#8217;s heavily geared towards technology vendors and to a lesser extent those who host services.  When you try and use the Shared Assessment for non-technology vendors it becomes that much more difficult to apply and sort of forces your hand into coming up with something else.  Trying to whittle 900+ questions down to something smaller only to discover you need to write a bunch of new questions on top of that has to be something between depressing and outrageous I would think.</p>
<p>What I really don&#8217;t understand is why this was even needed to begin with.  My vendor management experience goes back several years and I&#8217;ve always been satisfied working with content from existing sources.  I think that when you combine content from COBIT and FFIEC you can adequately cover what needs to be covered to assess vendors.  I would go so far as to say that most examiners would agree with me based mostly on the fact that there are more than 100 institutions using some version of a vendor management program my practice has designed and they always do well on that front, always.</p>
<p>For those of you who are going to stay the course, cough up the money and continue along with the Shared Assessment I wish you good luck.  I hope you&#8217;re able to glean something meaningful from the process and I pray you never wind up working for a vendor that needs to complete one of the resulting questionnaires.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/bits-shared-assessment-no-free-lunch/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why vendor management is a big GLBA deal.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-vendor-management-is-a-big-glba-deal/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-vendor-management-is-a-big-glba-deal/#comments</comments>
		<pubDate>Fri, 18 Nov 2011 12:22:17 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[OCC]]></category>
		<category><![CDATA[OTC]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk rating]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=836</guid>
		<description><![CDATA[Vendor management is seldom a thinking exercise but rather an attempt to standardize on what artifacts are required in order to prove compliance with the program.  It blows me away how this important activity gets boiled down to something little better than a baseball card collection.]]></description>
				<content:encoded><![CDATA[<p>I don&#8217;t think I&#8217;m due to post about vendor management again at least until January 2012 (I try to limit topics to twice a year) but I&#8217;ve had something kicking around my head for a few days now and it needs a proper vetting.</p>
<p>Does anyone know why vendor management is such a big issue for banking regulators?  I mean, I&#8217;ve long advocated that most of what GLBA covers makes sense and should be part of a healthy business strategy anyway.  But when working with clients I&#8217;m often surprised to discover that they just see it as another something they have to do and don&#8217;t fully appreciate why that is.  So does anyone know?</p>
<p>One of the basic tenets of GLBA, perhaps the MOST basic goal, is to protect customers&#8217; sensitive data.  Sure you can make the argument that it has hooks into disaster recovery and business continuity planning, both also covered by regulatory requirements.  And you can also claim it has to do with service level agreements and gauging the vendor&#8217;s performance.  But really in the end the primary driver behind why your regulator wants you to do a better job of managing your vendors is to make sure they&#8217;re protecting your customers where applicable.  Think about it, it&#8217;s so simple it&#8217;s almost too simple.</p>
<p>Which is why I&#8217;m always amazed how so many institutions fail to not only figure out what they need to do but also never really seem to get where they need to be.  It so often becomes about the document collecting game; do they have a SAS 70?  Do they have an Information Security Program?  Who cares?  That&#8217;s not what vendor management is intended to address.  What you&#8217;re really supposed to do is step back and assess the nature of the relationship, the types of products and/or services the vendor provides and try and identify where threats to your customers&#8217; sensitive information may exist.  Vendor management is seldom a thinking exercise but rather an attempt to standardize on what artifacts are required in order to prove compliance with the program.  It blows me away how this important activity gets boiled down to something little better than a baseball card collection.</p>
<p>I offer for example my favorite blind spot in every vendor management program I&#8217;ve ever conducted a first time review of.  Where&#8217;s the information for the vendor who cleans the facilities? It&#8217;s almost always contracted out and the vendor who owns the contract is responsible for staffing the work.  Where&#8217;s proof that they properly screen the people they&#8217;re sending into your allegedly secure facilities to make sure they&#8217;re not convicted felons?  Where&#8217;s proof that they properly police their crews to make sure they&#8217;re not behaving in a reckless manner and perhaps letting their friends and family into your secured facilities to drop off dinner or stop by and say &#8220;hello&#8221;?  When I challenge the clients on this relationship they look at me like I&#8217;m nuts.  Almost all of them fail to even include that particular vendor (and those who do tend to include every single vendor they&#8217;ve ever done any business with &#8211; another big issue).  But all you&#8217;ll ever need to do in order to see why this is a potentially huge threat is to walk around the office after hours and see what&#8217;s been left out on desks, in printer and fax queues and examine what sort of documentation has been tossed in with the regular trash.</p>
<p>And because vendor management is never truly approached from the right angle it fails to address the very spirit of the exercise and why the three senators who authored GLBA wanted you to pay more attention to it.  But it really reveals a fundamentally bigger issue with most of the compliance domain &#8211; no one really approaches most of the work with a true risk oriented perspective.  Compliance isn&#8217;t simply about creating checklists and ticking off all the to-do&#8217;s &#8211; it&#8217;s about really trying to identify relevant risks and make sure your institution has controls in place to manage them properly.  And I know for those of you who read my blog with any regularity you&#8217;re thinking I&#8217;ve written about this before.  That&#8217;s true, I bring this up every chance I get because it&#8217;s still a huge issue and those of us who have any practitioners&#8217; attention need to constantly bang on this particular drum.</p>
<p>This is one of the reasons why whenever I&#8217;m given a chance to discuss how any of my clients approaches vendor management I try never to tell them what they need to do but rather try and instead have a conversation about what they think they should be doing.  The back-and-forth often helps them expand on their thinking and come up with better, more effective ways in which they can properly categorize and assess their business relationships.</p>
<p>Oh and as for my &#8220;Who cares&#8221; comment about collecting documentation, there&#8217;s a place for that to be sure.  But when you tell your examiner or auditor that you&#8217;re OK because the vendor provided a recent SAS 70 and can&#8217;t really discuss any of the details you&#8217;ve fallen way short of what you needed to do.  Waving documentation in my face never convinces me you&#8217;ve done your job and it absolutely never proves that your customers&#8217; sensitive information is protected.  Remember, SAS 70s (and now SSAE 16) are subjective and what each one covers can vary wildly from one to another.  And it absolutely does not prove that they&#8217;ve successfully addressed all the items in your checklist either.  One of my favorite cut-through-the-weeds tricks is to pick a single checklist item and ask the person waving the report to show me where that&#8217;s addressed in the report.  I&#8217;ve met a few who could do it and prove to me they&#8217;ve actually read the thing but most just start flipping through pages like a poorly prepared student during an open book exam.</p>
<p>Why is this so hard for so many to do a reasonable job on?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-vendor-management-is-a-big-glba-deal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
