GLBA Report Card: Regulators Assess Institutions' Compliance

Vendor Management, Business Continuity Need More Attention
GLBA Report Card: Regulators Assess Institutions' Compliance
Editor's Note: This is the third in a series of stories that will appear throughout July, focusing on GLBA compliance. Future installments will showcase GLBA compliance elements such as Board of Director education, Information Security programs, GLBA privacy decisions, Incident response plans, and vendor management programs.

It's been seven years since the Gramm-Leach-Bliley Act (GLBA) regulations first came to financial institutions and the interagency guidance was issued by the FFIEC. How far have banks come in meeting it, especially where GLBA 501(b) is concerned?

We asked banking regulators for their insight on what progress has been made, some of the common mistakes they see in examinations and the more commonly asked questions they hear about GLBA.

The three agencies that responded to our queries have mixed responses to the level of GLBA compliance they see.

'Learning Curve'
The Office of the Comptroller of the Currency's (OCC) says its banks are doing "very well" in overall compliance with GLBA. "It's been a progressive learning curve for banks," says the OCC representative (who declined to be identified in this story).

Initially, the OCC and other agencies took a "see how things progress" approach to the first round of GLBA examinations. "We wanted to see what problems they were having, but we weren't doing major criticisms because it would take time to evaluate the full implementation," the OCC rep says.

In the second round of exams, the agencies say there were some institutions that had non-compliance issues. "In some institutions, we may be in our third round of examinations for GLBA compliance; not necessarily be because of non-compliance, but because of the types of risk the institution may have," the OCC rep says.

The Federal Depository Insurance Corp. (FDIC) says most of its banks have much more comprehensive information security programs in place since GLBA was enacted. "They are better thought-out and better implemented than back in the beginning," says Jeff Kopchik, a FDIC Senior Policy Analyst in the Technology Supervision Branch, Division of Supervision and Consumer Protection (DSC).

"The bottom line is: The banking agencies have seen significant improvement since 2001 in how depository institutions have complied with GLBA. I think everyone has learned a lot, both bankers and regulators," Kopchik says.

The Office of Thrift Supervision (OTS) says its thrifts overall "have shown some level of compliance with GLBA. However, it can also be said that practically 100% of the institutions we have examined have some area of non-compliance with GLBA," says. William Henley, Director, IT Risk Management.

Common Mistakes
During a GLBA examination, institutions can expect to have several areas scrutinized for compliance. Following are some of the areas where regulators say they're seeing mistakes made.

Vendor Management -- "I still hear from examiners that vendor management is a particularly hard area for small banks and community banks that do not sometimes have the vendor oversight they need to have," Kopchik says.

Often when an institution outsources a service, "They figure they don't have to worry about it and take the stand 'I've paid them to take care of it,'" Kopchik says. "But in the case of an institution, they don't outsource the responsibility. They have to make sure that the vendor is operating exactly as the institution would."

He also believes small banks aren't looking at vendors as closely as they should. "It's harder for small banks because they don't have the financial influence over large vendors, 'the money muscle,' to make them do things the way the bank needs to do," Kopchik notes. While they may not have the attention of large vendors, smaller institutions banding together in user groups to influence the vendor have had more impact than each bank trying to make the vendor change. Kopchik and other banking regulators suggest this is a way to get a message to the vendor.

Business Continuity Planning -- The other area where examiners have seen problems is BCP, although Kopchik notes they've seen a significant improvement by banks since the BCP IT booklet was issued several years ago. "It is the 'roadmap' that many institutions are using to build their plans," he says. What he's hearing from examiners, though, is not that the plans aren't good, but they aren't tested as thoroughly or as often as they should be. "This is the most common difficulty our examiners are finding. A bank may schedule a tabletop exercise, but will find it hard to do a more full-blown test," Kopchik says. "But if they don't test it, they never know how good their plan is."

One fortunate by-product of some very unfortunate events is that the banks in the southeast that have experienced hurricanes, or the banks in the New York area affected by 9-11, have learned a vast amount from those experiences. Examiners who have gone in two years after a major calamity such as those see the improvement based on their experiences. They learned by implementing their plans what worked and didn't work, Kopchik observes.

Risk Assessment -- Some of the common or generic mistakes OCC examiners are finding as they examine for GLBA compliance is that institutions are not doing the risk assessment on a periodic basis, or when they add a new product or service line. "When a new service or product is added there is potential risk to customer information. It's not that the bank has to do a whole new risk assessment of the entire institution, but at least the new service or added product," the OCC rep says.

Henley of OTS agrees with the risk assessment deficiency, and also cites:

Board reporting being insufficient or non-existent;
Notification process at OTS-regulated institutions. "Some thrifts are not certain as to which incidents should be reported, how frequently; and to whom at OTS should they report," Henley notes.

The larger thrifts are getting close to full compliance, Henley says. The smaller thrifts seem to limit their compliance efforts for GLBA to IT-specific risks and forget that data is at risk throughout the thrift -- and in many forms, including hard copy or screen images.

Common Questions
Among the common questions that GLBA exams produce are:

Is Encryption Mandated? -- While encryption is not mandatory, the OCC spokesman notes, "If a bank lost a data tape that was not encrypted and the information was leaked, after first having them notify the customers, my next question would be: Would the data be better protected if it was encrypted?"
How Does ACH Risk Affect Compliance? -- FDIC's Kopchik says examiners are hearing questions that address ACH (Automated Clearing House) risk and how it affects GLBA compliance. He speculates on how aware banks are of the different types of ACH risk are out there. "This is an area that if a bank is involved in, they must know the types of risk to the bank and to its customers."
What About Remote Deposit? -- "This has also been a hot topic for FDIC examiners." Kopchik says, adding that institutions should expect some guidance from the regulators soon.

Future GLBA Examinations While GLBA examinations remain on the regulatory review cycle, as more institutions become compliant, the regulation will become embedded in everyday operations. "The industry won't ever say 'thank you' to the regulators for doing this, but the customers certainly will," says the OCC. Even though institutions aren't coming out and saying it publicly, "They are benefiting from it as well."

With the high reputational risk involved with customer information, the GLBA exam "will always be based on the risk," says the OCC. GLBA raised institutions' awareness of the need to protect customer information, and the need to protect the bank's own information. "The benefits to being proactive rather than later being reactive are clear," says the OCC.

Institutions can expect a continual evolution of GLBA examinations and compliance. There won't be any change in the rules, but rather in industry standards, best-practices, and what examiners will expect to see from institutions. "Because what was good security last year isn't necessarily good security this year," Kopchik says. "It will continually evolve, and the bar will keep going up."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.