Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) established the policy that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and protect the security and confidentiality of nonpublic personal information. The regulation's provisions became effective in July 2001 and have steered the discussion of customer information protection in banking ever since. The steady march of automation deeper and deeper into banking processes and the explosion of interconnectivity between banks, customers and service providers have made GLBA compliance requirements even more relevant than when they were first introduced.
The FDIC Financial Institution Letter FIL-68-2001 stated the objectives of the standards mandated by 501(b) are to: ensure the security and confidentiality of customer information; protect personal information against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
The FFIEC examination instructions that guide field examiners in evaluating an institutions' compliance with 501(b) emphasize five key considerations. Let's consider each of the major goals and identify current strategies for GLBA compliance to protect personal information.
Involve the board. Most banking organizations have satisfied this requirement by actively engaging the board, or the board's designate, with topics related to information protection. This includes recurring briefings at varying levels of formality. The unmistakable trend is increasing board awareness and involvement.
Assess risk. The nature and tactics associated with risk assessment for GLBA compliance were initially somewhat murky, but were illuminated in the subsequent guidance on the Information Technology Risk Management Program (IT-RMP). IT-RMP removed a great deal of ambiguity on the process elements of evaluating customer information risks and is available to all banks as a guideline for developing their own risk management processes. This area is particularly important when considering that it represents the banks' answer to the challenge of managing their unique risks. The common risks faced by all banks are addressed to a great extent within the FFIEC examination guidelines, but IT-RMP defines a bank's approach to identification and analysis of the risk elements that are unique to their own business.
Manage and control risk. The emphasis of this objective is evaluation of the bank's ability to take action following the completion of the customer information risk assessment. Specifically, the examiner is evaluating the banks' success in designing effective mitigation (i.e. control) tactics. This includes examination of personnel, process and technology aspects as well as surveying the results of tests and controls audits. Therefore, this compliance strategy should ideally be distinguished from, yet integrated, with the bank's overall IT audit approach. Some banks explicitly label relevant controls as "customer information controls," similar to identification and prioritization of key controls with Sarbanes Oxley 404 endeavors.
Oversee service providers. This area has literally exploded in importance due to the popularity of outsourcing technology and services. Banks have established competencies in vendor management and oversight, as well as recurring evaluation and certification processes. The onset of cloud computing, Software as a Service, and other service-provider models will only increase the importance of this area. They also will inevitably lead to debates as to the level of centralization of vendor management activities and ways to leverage generic controls evaluations such as SAS 70 audit reports that by nature do not address the unique risks of an organization but nonetheless provide value to the vendor oversight process.
Establish an effective process to adjust the risk management program. The final aspect to consider is the ability of an institution to modify its risk management program in response to internal and external changes. This includes changes driven by mergers, acquisitions, technology changes and the use of outsources. All banks have employed some adjustment process, although at varying levels of formality with respect to the degree of documentation and rigidity in adherence to their process. We should expect greater emphasis on documentation of changes to the program, ideally with evidence of board approval.
As we move into the second decade of managing information risks under GLBA requirements, we continue to face many of the same issues we did in 2001. Rapid technology changes will ensure that customer information protection remains a challenge.
About the author:
Paul Rohmeyer is a faculty member in the graduate school at Stevens Institute of Technology. He provides technology risk management guidance to firms in the financial services industry, and previously held management positions in the financial services, telecommunications and pharmaceutical industries.