Financial regulatory compliance has always been a moving target for financial-sector CIOs. They must cope not only with new regulations, but also with auditors' changing interpretations of existing guidelines. Emerging technologies and scandals in the business world introduce new risks that must be taken into account in the ongoing work of hammering out an effective compliance strategy.
Keeping up is not easy. Here are some best practices and tips on how CIOs can best address today's regulatory environment and prepare to meet the developments and changes that may be coming in the near future.
New technology, new risks
Deploying new technologies, however useful, often introduces new security risks and financial regulatory compliance issues, experts warn. "One of the biggest challenges is the explosion of the ways we communicate, and the devices we use to always stay 'on,'" said Diana Kelley, a partner at consulting firm SecurityCurve in Amherst, N.H. Cell phones and personal digital assistants, useful as they are, have introduced security vulnerabilities that companies must address, federal regulations state with increasing precision.
In recent years, several major investment firms paid fines totaling tens of millions of dollars for failing to protect instant messaging (IM) content adequately. Regulations now require that IM content be archived in secure and searchable formats, and that IM communication channels be "monitored for correct usage, integrity, security," Kelley noted.
Trying to prohibit the use of a technology such as IM is often worse than useless, because it simply drives usage underground. Better to allow IM under controlled conditions, over secure channels, Kelley advised.
Know your current business events
Technical decision makers need to think creatively about how events in the business world may affect the financial regulatory environment. In response to the recent subprime mortgage uproar, auditors are starting to demand that firms retain, secure and readily provide complete data on the financial risk posed by investment vehicles, Kelley reported.
Furthermore, post-9/11 and Hurricane Katrina, auditors want proof that a firm's IT infrastructure can withstand specific disasters and security events, noted Norbert Nowicki, systems and technology practice leader at auditing firm Accume Partners.
"They are asking, 'Are you prepared for a pandemic? Can you continue doing business if the Exchange goes down?'" No longer satisfied with penetration tests that simulate attacks, "They want to know, 'Where are your hot sites? How are they secured? What controls are in place?'" Nowicki said.
Keep an eye on Basel II
While it's still too early to determine all its implications, Basel II will definitely affect IT compliance efforts, according to Richard E. Mackey Jr., vice president of consulting at SystemExperts Corp. in Sudbury, Mass.
The recently created international business standard requires that large financial institutions have enough cash on hand to cover all potential risks. This means companies will need to prove to auditors and regulators that systems used to calculate financial risk are tamper-proof, and that the data is secure, Mackey said.
Watch your partner's back
The Graham-Leach-Bliley Act and various privacy laws now require financial firms to make sure their business partners take the same security measures as they do. "If doing business with a partner results in loss or damage to your data, or a customer's data or assets, you are also accountable," Kelley warned.
The same goes for vendors to whom you have outsourced backup and storage or financial applications or Web hosting. "If your disks get lost off the back of a vendor's truck," you're still liable, Kelley said.
Performing security reviews of dozens or perhaps hundreds of partners can be cost-prohibitive for large financial firms, Mackey noted. Try limiting the amount and type of information shared with partners, he advised. For example, avoid sharing Social Security numbers, and send only the information a partner needs -- not an entire file.
Don't overdo it
In recent years, the Securities and Exchange Commission has significantly clarified what companies need to focus on to comply. Even so, companies spent $6 billion on Sarbanes-Oxley Act compliance in 2007, according to AMR Research Inc. in Boston.
A large portion of those expenditures were not necessary, according to Accume's Nowicki. Companies should not attempt to address every single process and system, but rather focus on key processes and business critical elements within the IT infrastructure, he advised.
The good news is, as financial regulations mature, regulators are clarifying and even easing some compliance requirements. For example, regulators initially required financial institutions to hand out a physical device, such as a token, as well as a password, to any customer who wanted to access their systems via the Web. Regulators eventually realized this was impractical and backed off.
If only all compliance requirements were so reasonable.
Elizabeth Horwitt is a contributing writer based in Waban, Mass.
This was first published in February 2008