Financial regulatory compliance best practices, tips

Financial regulatory compliance has always been a moving target for financial-sector CIOs. They must cope not only with new regulations, but also with auditors' changing interpretations of existing guidelines. Emerging technologies and scandals in the business world introduce new risks that must be taken into account in the ongoing work of hammering out an effective compliance strategy.

Keeping up is not easy. Here are some best practices and tips on how CIOs can best address today's regulatory environment and prepare to meet the developments and changes that may be coming in the near future.

New technology, new risks

Deploying new technologies, however useful, often introduces new security risks and financial regulatory compliance issues, experts warn. "One of the biggest challenges is the explosion of the ways we communicate, and the devices we use to always stay 'on,'" said Diana Kelley, a partner at consulting firm SecurityCurve in Amherst, N.H. Cell phones and personal digital assistants, useful as they are, have introduced security vulnerabilities that companies must address, and federal regulations now spell out that obligation with increasing precision.

In recent years, several major investment firms paid fines totaling tens of millions of dollars for failing to protect instant messaging (IM) content adequately. Regulations now require that IM content be archived in secure and searchable formats, and that IM communication channels be "monitored for correct usage, integrity, security," Kelley noted.

Trying to prohibit the use of a technology such as IM is often worse than useless, because it simply drives usage underground. Better to allow IM under controlled conditions, over secure channels, Kelley advised.

Know your current business events

Technical decision makers need to think creatively about how events in the business world may affect the financial regulatory environment. In response to the recent subprime mortgage uproar, auditors are starting to demand that firms retain, secure and readily provide complete data on the financial risk posed by investment vehicles, Kelley reported.

Furthermore, post-9/11 and Hurricane Katrina, auditors want proof that a firm's IT infrastructure can withstand specific disasters and security events, noted Norbert Nowicki, systems and technology practice leader at auditing firm Accume Partners.

"They are asking, 'Are you prepared for a pandemic? Can you continue doing business if the Exchange goes down?'" No longer satisfied with penetration tests that simulate attacks, "They want to know, 'Where are your hot sites? How are they secured? What controls are in place?'" Nowicki said.

Keep an eye on Basel II

While it's still too early to determine all its implications, Basel II will definitely affect IT compliance efforts, according to Richard E. Mackey Jr., vice president of consulting at SystemExperts Corp. in Sudbury, Mass.

The recently created international business standard requires that large financial institutions have enough cash on hand to cover all potential risks. This means companies will need to prove to auditors and regulators that systems used to calculate financial risk are tamper-proof, and that the data is secure, Mackey said.

Watch your partner's back

The Gramm-Leach-Bliley Act and various privacy laws now require financial firms to make sure their business partners take the same security measures as they do. "If doing business with a partner results in loss or damage to your data, or a customer's data or assets, you are also accountable," Kelley warned.

The same goes for vendors to whom you have outsourced backup and storage or financial applications or Web hosting. "If your disks get lost off the back of a vendor's truck," you're still liable, Kelley said.

Performing security reviews of dozens or perhaps hundreds of partners can be cost-prohibitive for large financial firms, Mackey noted. Try limiting the amount and type of information shared with partners, he advised. For example, avoid sharing Social Security numbers, and send only the information a partner needs -- not an entire file.
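One way to put Mackey's advice into practice is a data-minimization gate in front of every partner export: each partner has an allowlist of the fields its function needs, a never-share list (Social Security numbers among them) is enforced even if an allowlist is misconfigured, and an audit entry records which field names went out, not the values. This is an added example and not code from the article or from any of the firms it quotes; the partner names, field names and customer records are constructed for illustration.

```python
"""Data-minimization gate for partner data exports (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Fields that must never leave the firm, whatever a partner allowlist says.
NEVER_SHARE = frozenset({"ssn", "account_password", "mothers_maiden_name"})

# Per-partner allowlists (constructed). A statement printer needs a mailing
# address; a fraud-scoring vendor needs transaction data; neither needs an SSN.
PARTNER_ALLOWLIST = {
    "statement-printer": frozenset({"customer_id", "name", "mailing_address"}),
    "fraud-scoring": frozenset({"customer_id", "last_txn_amount", "last_txn_country"}),
}

# Constructed sample records, as a bank's customer file might look.
SAMPLE_RECORDS = [
    {"customer_id": "C1001", "name": "A. Example", "mailing_address": "1 Main St",
     "ssn": "000-00-0000", "last_txn_amount": 12.50, "last_txn_country": "US"},
    {"customer_id": "C1002", "name": "B. Example", "mailing_address": "2 Main St",
     "ssn": "000-00-0001", "last_txn_amount": 980.00, "last_txn_country": "GB"},
]


class SharingPolicyError(ValueError):
    """Raised when an export would violate the data-minimization policy."""


def validate_allowlists(allowlists=PARTNER_ALLOWLIST):
    """Fail closed if any partner allowlist names a never-share field."""
    for partner, fields in allowlists.items():
        forbidden = fields & NEVER_SHARE
        if forbidden:
            raise SharingPolicyError(
                f"allowlist for {partner!r} names forbidden fields {sorted(forbidden)}")
    return True


def minimize_record(record, partner, allowlists=PARTNER_ALLOWLIST):
    """Return a copy of `record` holding only the fields `partner` may receive."""
    if partner not in allowlists:
        raise SharingPolicyError(f"no sharing agreement on file for partner {partner!r}")
    allowed = allowlists[partner] - NEVER_SHARE  # defence in depth
    return {k: v for k, v in record.items() if k in allowed}


def build_export(records, partner, allowlists=PARTNER_ALLOWLIST):
    """Minimize every record and return (payload, audit_entry).

    The audit entry names the fields shared and hashes the payload so the
    export can be proven to an auditor without the log itself holding the data.
    """
    validate_allowlists(allowlists)
    payload = [minimize_record(r, partner, allowlists) for r in records]
    shared_fields = sorted({k for rec in payload for k in rec})
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    audit_entry = {
        "partner": partner,
        "fields_shared": shared_fields,
        "record_count": len(payload),
        "payload_sha256": hashlib.sha256(body).hexdigest(),
        "exported_at": datetime.now(timezone.utc).isoformat(),
    }
    return payload, audit_entry


if __name__ == "__main__":
    for partner_name in PARTNER_ALLOWLIST:
        out, entry = build_export(SAMPLE_RECORDS, partner_name)
        print(json.dumps({"audit": entry, "payload": out}, indent=2))
```

Two design choices matter here: the never-share list is applied inside `minimize_record` as well as at validation time, so a later edit to an allowlist cannot leak a forbidden field, and the audit entry carries a hash of the payload rather than the payload, so the evidence you keep for auditors does not itself become a second copy of customer data to protect.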

Don't overdo it

In recent years, the Securities and Exchange Commission has significantly clarified what companies need to focus on to comply. Even so, companies spent $6 billion on Sarbanes-Oxley Act compliance in 2007, according to AMR Research Inc. in Boston.

A large portion of those expenditures was not necessary, according to Accume's Nowicki. Companies should not attempt to address every single process and system, but rather focus on key processes and business-critical elements within the IT infrastructure, he advised.

The good news is, as financial regulations mature, regulators are clarifying and even easing some compliance requirements. For example, regulators initially required financial institutions to hand out a physical device, such as a token, as well as a password, to any customer who wanted to access their systems via the Web. Regulators eventually realized this was impractical and backed off.

If only all compliance requirements were so reasonable.

Elizabeth Horwitt is a contributing writer based in Waban, Mass.


This was first published in February 2008
