GLBA Report Card: Regulators Assess Institutions' Compliance
Vendor Management, Business Continuity Need More Attention
It's been seven years since the Gramm-Leach-Bliley Act (GLBA) regulations first came to financial institutions and the interagency guidance was issued by the FFIEC. How far have banks come in meeting it, especially where GLBA 501(b) is concerned?
We asked banking regulators for their insight on what progress has been made, some of the common mistakes they see in examinations and the more commonly asked questions they hear about GLBA.
The three agencies that responded to our queries gave mixed assessments of the level of GLBA compliance they see.
The Office of the Comptroller of the Currency (OCC) says its banks are doing "very well" in overall compliance with GLBA. "It's been a progressive learning curve for banks," says the OCC representative (who declined to be identified in this story).
Initially, the OCC and other agencies took a "see how things progress" approach to the first round of GLBA examinations. "We wanted to see what problems they were having, but we weren't doing major criticisms because it would take time to evaluate the full implementation," the OCC rep says.
In the second round of exams, the agencies say there were some institutions that had non-compliance issues. "In some institutions, we may be in our third round of examinations for GLBA compliance; not necessarily because of non-compliance, but because of the types of risk the institution may have," the OCC rep says.
The Federal Deposit Insurance Corp. (FDIC) says most of its banks have much more comprehensive information security programs in place since GLBA was enacted. "They are better thought-out and better implemented than back in the beginning," says Jeff Kopchik, an FDIC Senior Policy Analyst in the Technology Supervision Branch, Division of Supervision and Consumer Protection (DSC).
"The bottom line is: The banking agencies have seen significant improvement since 2001 in how depository institutions have complied with GLBA. I think everyone has learned a lot, both bankers and regulators," Kopchik says.
The Office of Thrift Supervision (OTS) says its thrifts overall "have shown some level of compliance with GLBA. However, it can also be said that practically 100% of the institutions we have examined have some area of non-compliance with GLBA," says William Henley, Director, IT Risk Management.
During a GLBA examination, institutions can expect to have several areas scrutinized for compliance. Following are some of the areas where regulators say they're seeing mistakes made.
Vendor Management -- "I still hear from examiners that vendor management is a particularly hard area for small banks and community banks that do not sometimes have the vendor oversight they need to have," Kopchik says.
Often when an institution outsources a service, "They figure they don't have to worry about it and take the stand 'I've paid them to take care of it,'" Kopchik says. "But in the case of an institution, they don't outsource the responsibility. They have to make sure that the vendor is operating exactly as the institution would."
He also believes small banks aren't looking at vendors as closely as they should. "It's harder for small banks because they don't have the financial influence over large vendors, 'the money muscle,' to make them do things the way the bank needs to do," Kopchik notes. While they may not have the attention of large vendors, smaller institutions banding together in user groups to influence the vendor have had more impact than each bank trying to make the vendor change. Kopchik and other banking regulators suggest this is a way to get a message to the vendor.
Business Continuity Planning -- The other area where examiners have seen problems is BCP, although Kopchik notes they've seen a significant improvement by banks since the BCP IT booklet was issued several years ago. "It is the 'roadmap' that many institutions are using to build their plans," he says. What he's hearing from examiners, though, is not that the plans aren't good, but they aren't tested as thoroughly or as often as they should be. "This is the most common difficulty our examiners are finding. A bank may schedule a tabletop exercise, but will find it hard to do a more full-blown test," Kopchik says. "But if they don't test it, they never know how good their plan is."
One fortunate by-product of some very unfortunate events is that the banks in the southeast that have experienced hurricanes, or the banks in the New York area affected by 9/11, have learned a vast amount from those experiences. Examiners who have gone in two years after a major calamity such as those see the improvement those experiences produced. By implementing their plans, the banks learned what worked and what didn't, Kopchik observes.
Risk Assessment -- One of the common mistakes OCC examiners are finding as they examine for GLBA compliance is that institutions are not doing the risk assessment on a periodic basis, or when they add a new product or service line. "When a new service or product is added there is potential risk to customer information. It's not that the bank has to do a whole new risk assessment of the entire institution, but at least the new service or added product," the OCC rep says.
Henley of OTS agrees that risk assessment is a common deficiency, and also cites:
The larger thrifts are getting close to full compliance, Henley says. The smaller thrifts seem to limit their compliance efforts for GLBA to IT-specific risks and forget that data is at risk throughout the thrift -- and in many forms, including hard copy or screen images.
Among the common questions that GLBA exams produce are:
Future GLBA Examinations -- While GLBA examinations remain on the regulatory review cycle, as more institutions become compliant, the regulation will become embedded in everyday operations. "The industry won't ever say 'thank you' to the regulators for doing this, but the customers certainly will," says the OCC. Even though institutions aren't coming out and saying it publicly, "They are benefiting from it as well."
With the high reputational risk involved with customer information, the GLBA exam "will always be based on the risk," says the OCC. GLBA raised institutions' awareness of the need to protect customer information, and the need to protect the bank's own information. "The benefits to being proactive rather than later being reactive are clear," says the OCC.
Institutions can expect a continual evolution of GLBA examinations and compliance. There won't be any change in the rules, but rather in industry standards, best-practices, and what examiners will expect to see from institutions. "Because what was good security last year isn't necessarily good security this year," Kopchik says. "It will continually evolve, and the bar will keep going up."