Top 6 Regulatory Issues of 2008 - and What's Coming Next
Red Flags and Vendor Management are Big Now, But Remote Deposit and PCI Could be Among the Next Hot Topics
So, as a way to both reflect and project, we take a look at the Top 6 Regulatory Issues of 2008 - and identify the topics that may be addressed next.
#1) Identity Theft Red Flags Rule
Without a doubt, the top regulatory compliance issue for all financial institutions this year is the Identity Theft Red Flags Rule, which - among other requirements - forces financial institutions to document their identity theft prevention programs, assess accounts at risk of identity theft, and create new security awareness programs for employees and customers alike.
"It will be the number one hurdle this year for financial institutions," says Dennis Hild, Compliance, Research and Technical Communication Executive in the Risk Consulting Practice of the Financial Institutions Group at Crowe Chizek.
To meet the November 1 compliance deadline, institutions are reaching out for help from their service providers, security vendors, information security practitioners and risk assessment companies. With fewer than 90 days to go, 50% of institutions say they will struggle to meet the deadline, according to the recent Identity Theft Red Flags Rule Compliance survey conducted by Information Security Media Group.
Any day now, federal regulators are expected to release their examination procedures for Identity Theft Red Flags Rule compliance - guidance that is eagerly awaited by institutions and examiners alike.
#2) Updated BSA/AML examination guidance
Despite the sharpened focus on economic pressures as a result of the credit crunch, two regulatory topics continue to garner a significant share of compliance resources: risk management and anti-money laundering. "While neither is new to institutions, both continue to carry significant consequences for non-compliance," says Eva Weber, compliance senior analyst at Aite Group, a Boston-based consultancy (See related story: BSA Violation Costs CA Bank $10 Million). "Additionally, both of these areas are constantly evolving from a risk perspective which means regulators will continue to adjust their demands and expectations," Weber notes.
Typically a low-profile activity, anti-money laundering captured major headlines earlier this year when the former governor of New York was forced to resign following a scandal revealed by Suspicious Activity Reports (SARs).
Late last year, regulators revised the Anti-Money Laundering/Bank Secrecy Act (AML/BSA) Examination Manual to expand its discussion of providing banking services to money services businesses (MSBs). Further revisions are expected later this year. (For more help see: BSA/AML issues)
#3) Vendor Management guidance
Bank and credit union examiners are scrutinizing outsourced programs in ways not previously seen. For many smaller and mid-sized financial institutions, the topic is of great concern because of their reliance on third parties to provide core services. With resource constraints and tightened budgets, there is increased urgency to either update or rewrite existing vendor management programs, which adds to the challenge.
Ever since the passage of the Gramm-Leach-Bliley Act, institutions have been under regulatory pressure to improve vendor management. But that pressure has increased in recent times with such initiatives as the Identity Theft Red Flags Rule, and regulators have underscored the issue as one of major concern to examiners this year.
#4) OCC's Application Security letter
An area of compliance that concerns mainly midsized and smaller institutions is application security - the basic software (often web-based) that ensures accurate, timely and confidential processing of data. "It has been a major focus of examiners, but the bigger institutions are doing a better job in this area," says Steve Marchewitz, Principal at SecureState, a Cleveland, OH-based information security and risk assessment firm.
Recognizing the inherent vulnerabilities of critical applications, regulators are pressuring institutions to step up their protective measures - no matter if the applications are internally developed, vendor-acquired or contracted. The Office of the Comptroller of the Currency (OCC) sparked recent discussion of application security with its guidance on the topic.
When comparing the bigger banks with small and medium-sized banks, "The smaller banks are way, way behind in security. They're not even close to the top 50 banks. The top 50 are way ahead of the curve when it comes to security; the rest of the banks below them fall behind," Marchewitz notes, suggesting that this is the reason regulators are focusing attention on application security. (For more coverage see: Application Security)
#5) Updated Business Continuity Planning guidance
The newly updated BCP guidance issued for financial institutions was well-timed. Even though financial institutions have been expected to have a business continuity plan in place since "forever," the recent national disasters (Midwest floods, Gulf hurricanes, West Coast wildfires) have given institutional leaders a chance to consider how well they'd fare under certain conditions, and they're looking for greater assurances from these programs.
Under terms of the new guidance, spelled out in the Federal Financial Institutions Examination Council's (FFIEC) update to the "Business Continuity Planning Booklet," institutions must pay attention to enhancements to the business impact analysis and testing discussions, as well as emerging threats and lessons learned in recent years. The booklet also stresses the responsibilities of each institution's board and management to address business continuity planning with an enterprise-wide perspective by considering technology, business operations, communications and testing strategies for the entire institution. (For more coverage: Business Continuity Planning)
Hand-in-hand with Business Continuity Planning comes new emphasis on Pandemic Planning. Pandemic planning experts have already predicted that surviving a pandemic for some will depend on the size of the institution, the strength of the predicted pandemic and how well the institution is prepared to handle such an event. The national pandemic exercise in Fall 2007 (See related coverage: Pandemic Test Results: Few Firms Confident in Disaster Plans) showed that many institutions are not fully prepared to exercise their BCP/DR should a pandemic break out in their area. This "sleeping giant" may imperil many small institutions that haven't made adequate plans to operate on reduced staff and resources for extended periods of time.
As part of the update to the Business Continuity Planning Booklet in March, federal regulators specifically address pandemics. Key elements of the FFIEC's December 2007 Interagency Statement on Pandemic Planning have been added to the booklet. The methodologies provide a framework for financial institutions to develop or update their pandemic preparedness plans. (For more coverage: Pandemic Planning)
Coming Next: Remote Deposit?
Future regulatory guidance will include examination procedures for ID Theft Red Flags -- expected to be released this summer, in advance of the November 1 compliance deadline.
Guidance on remote deposit is also said to be in its final stages of approval by the regulators, and should "be out any day now," says one unnamed regulator.
"There is also an increasing number of banks facing executive orders - with increased scrutiny on CEOs, CFOs, chief credit officers, and even some regulatory mandates to require the banks to strengthen their leadership," says Crowe Chizek's Hild. He also says not to forget Basel II regulations.
"There are few truly new compliance initiatives," says Aite's Weber. But existing initiatives are constantly evolving and will lead to continuous guidance. "Issues around risk management and financial crime will be on the top of regulators' agendas for a long time to come."
SecureState's Marchewitz sees increased focus on PCI-related compliance work at institutions and their service providers and other vendors. "We've done more assessments and remediation work on PCI-related compliance issues this year than any of the others on the list," he notes -- this after PCI security standards were formalized three years ago. Many institutions are especially slow to react to newly-issued guidance. "It takes about a year for any of the institutions to pay attention to a new regulation or guidance," he says.