Risk Management Within a Financial Institution

Transcription

1 Washington, DC Atlanta Brussels Denver Dubai Hong Kong London Milan New York Paris San Francisco Singapore Sydney Tokyo Toronto Compliance and Risk Essentials for Financial Services CSPs IAPP Privacy Academy and Cloud Security Alliance September 17th 19th, 2014, San Jose

2 Agenda and Takeaways Agenda I. Regulation, Regulators, and Financial Services (FS) II. III. IV. Problems Facing CSPs in the FI s Market Finding Solutions Communicating with Regulators Takeaways Understand the extraordinary regulatory pressure financial institutions and vendors are under Insight into regulators concerns and guidance Strategies to address regulator and client needs 2

3 I. Regulation, Regulators, and Financial Services (FS) Agenda Overview of Regulators The US Bank Services Act Current Regulatory Environment Vendor Selection Process at Financial Institutions Regulators Approach to Banks Use of Vendors Financial Institution s Views of Regulators and Regulations Financial Institution Governance 3

4 Overview of Regulators The US financial services industry is highly regulated by several different government agencies. Federally insured depository institutions, including state banks that are not members of the Federal Reserve System and state chartered thrift institutions Bank holding companies, savings and loan holding companies, certain state banks and U.S. branches of foreign banks National banks, U.S. federal branches of foreign banks, federally chartered savings institutions Federally chartered or insured credit unions Nonbank mortgage related firms, private student lenders, payday lenders, and consumer businesses of banks with over $10 billion in assets. 4

5 The US Bank Service Company Act The Bank Service Company Act provides statutory authority to the Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation to supervise third party servicers (or vendors) that enter into contractual agreements with their regulated financial institutions Promontory Financial Group LLC. All rights reserved. 5

6 Current Regulatory Environment The impact of the recent financial crisis has significantly changed the supervision and regulation of financial institutions. Supervisory attention on the scope and quality of third party risk management has increased (see Appendix). Recent exam activity and enforcement actions as well as updated guidance reinforce long standing supervisory expectations of sound risk management, but also introduce new expectations. Industry wide programs for third party management are undergoing revision and realignment to better meet evolving business objectives and supervisory expectations Financial Services in particular. 6

7 Vendor Selection Process at Financial Institutions Decide to Engage a Third Party or Vendor Conduct Risk Assessment Perform Due Diligence Negotiate Contract Terms Perform Ongoing Monitoring Evaluate whether the decision to hire a third party is consistent with the company s strategic direction and appropriately balances costs and benefits. Conduct a risk assessment to identify risks associated with hiring third party (operational, strategic, compliance, credit, and reputation risks). Assess whether vendor will have access to non public information. Determine whether service providers expertise, internal controls, and financial condition meet internal criteria. Ensure contract or SLA contains termination rights, audit rights to facilitate the company s oversight, and reporting obligations to enable the company to monitor performance and financial condition. After signing an agreement, the company must monitor the third party s performance, internal controls, and financial condition. 7

8 Regulators Approach to Banks Use of Vendors Banks have long outsourced technology, processing, and other operational and support functions to service providers, affiliates, and other third parties. Banking regulators have long maintained that the risks of outsourced activities remain a bank s risks with bank management and boards of directors accountable for their effective management and control. Historically, regulators have focused on management of risks to protect the interests of the bank and in particular on outsourced information technology and processing services with an emphasis on retail oriented banks. Five prongs of regulatory expectations underlie the risk management of third party relationships. 8

9 Regulators Approach to Banks Use of Vendors Business Assessment. Assessment of the strategic fit of potential outsourced activities with an organization s business model, strategy, and operational and risk management capacity; Due Diligence. Comprehensive review of the competencies and reputation of individual prospective vendors and their abilities to meet an organizations business objectives; Contracting. Written contracts identifying the roles and responsibilities of all parties in third party relationships and the consequences of contractual non performance; Ongoing Oversight. Oversight and monitoring of vendor performance, adherence to contract terms, and expectations of risk management; and Governance. Adequacy of the organization s written policies and framework, and its organization and oversight of business units and functions necessary for effective risk management. 9

10 Financial Institution s Views of Regulators and Regulations Regulators will expect you to abide by their guidance absent a good reason Number and depth of regulatory examinations are increasing as are financial and cost pressures Regulatory findings must be avoided or impact could be severe Examination guidance and regulation can be contradictory and ambiguous Relationship with regulators and examiners is critical Inconsistent regulator technical and information security sophistication 10

11 Financial Institution Governance COSO s Internal Control Integrated Framework An internal control is a process, effected by an entityʼs board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in: 1) the effectiveness and efficiency of operations, 2) reliability of reporting, and 3) compliance with applicable laws and regulations. think of it in terms of Accuracy, Integrity, and Completeness 11

12 Financial Institution Governance Types of Controls I. Preventive Controls applied before an activity occurs to provide reasonable assurance that only valid transactions are recognized, approved, and submitted II. Detective Controls performed after an activity occurs to provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis III. Hard Controls tangible controls such as policies and procedures, segregation of duties, authorizations, etc. 12

13 Financial Institution Governance Types of Controls IV. Soft Controls intangible controls associated with corporate culture such as shared values, ethics, etc. V. Automated Controls associated with IT Controls suitable for high volume or recurring activities VI. Manual Controls performed by people and are more suitable when judgment and discretion are required 13

14 Financial Institution Governance First Line Management and Internal Controls Controls designed into systems and processes, implemented through cascading responsibility structure Responsible for maintaining effective internal controls from day to day Second Line Risk and Compliance Functions Offer guidance on internal control requirements, conduct or oversee risk assessments, and evaluate adherence to defined standards Ensure the first line is working effectively Third Line Internal and External Audit Independently assesses and reports on internal control and recommends corrective actions or enhancements for management consideration and implementation Provides assurance regarding effectiveness of both the first and second lines of defense 14

15 Financial Institution Governance Three Lines of Defense Governing Body / Board / Audit Committee Senior Management 1 st Line of Defense 2 nd Line of Defense Financial Control Security 3 rd Line of Defense External Audit Regulator Management Controls Internal Controls Risk Management Quality Internal Audit Inspection Compliance Source: Institute of Internal Auditors, Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January

16 Financial Institution Governance I. Enterprise Risk Management is designed to help management and boards of directors answer these relevant business questions: A. What are all the risks to our business strategy and operations (coverage)? B. How much risk are we willing to take (risk appetite)? C. How do we govern risk taking (culture, governance, and policies)? D. How do we capture the information we need to manage these risks (risk data and infrastructure)? E. How do we control the risks (control environment)? F. How do we know the size of the various risks (measurement and evaluation)? G. What are we doing about these risks (response)? H. What possible scenarios could hurt us (stress testing)? I. How are various risks interrelated (stress testing)? (Risk Management Association, 2012) 16

17 II. Problems Facing CSPs in the FI s Market Agenda It s complicated... Increased risk (perceived by regulators and FI risk teams) Cloud can be a bad word Cloud has reputational risk Comingled data and services may be considered unreasonable risks Meeting multiple FIs and regulators requirements 17

18 It s complicated... Regulatory requirements Little actual guidance or lots of ambiguity Responsibility is unclear Non compliance impact unclear Who wrote this &#$^? How should risk of cloud use be measured Gap analysis Remediation 18

19 Increased risk (perceived by regulators and FI risk teams) Enforcement action for customer non compliance Customer no longer allowed to use CSP CSP named in enforcement action, but not a party Examination What is a First Day Letter? Enforcement Incidents At your organization Another CSP 19

20 Cloud can be a bad word Regulators dislike Lack of risk transparency Unknown data and processing location Unknown data deletion, security, isolation Client security teams Prefer in house solutions they can review Have blocked or are blocking public cloud use Snowden fallout 20

21 Meeting multiple FIs and regulators requirements Cloud services will need to comply with various interpretations of risk and guidance Ambiguity in guidance will make for ambiguous client requirements CSPs may have hundreds of security questions from some FIs and most will be different from other FIs Cost and resource impacts will grow given the need to develop additional controls and work with FIs vendor management teams 21

22 III. Finding Solutions Agenda Practical Suggestions Sample Control Review 22

23 III. Finding Solutions Embrace and understand guidance and regulation Walk a mile Three words Transparency, transparency, transparency If you are better, be prepared to prove it Provide tools for clients to make risk decisions Prepare clients to represent service value and risk on your behalf You may not be in the room when regulators decide they don t like cloud Be prepared to be examined by regulators Regulatory exams are serious and must be handled appropriately 23

24 III. Finding Solutions Rule Text Requirement Primary Source Citation CSP s Responsibility Title/Source Description Analysis Japan Operations conducted after entry into the room should be managed. FIs should manage operations conducted after entry into the computer and data storage rooms. FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions (March 2012) (Operational management, O61) Maintain restrictions on what personnel are able to possess and access when entrance to a data storage room is granted, including: (i) Restricted entry; and (ii) Limits on cameras, personal computers, and other recording devices. Meeting Notes 1/3/14 Fall 2013 Asset Management Audit SOC 2 Report CSP does not maintain a separate computer data storage room or preparatory room within its data center. CSP relies on data center controls to protect the computer and data storage location. (i) (ii) CSP does not maintain a separate computer data storage room or preparatory room within its data center. This does not meet regulatory expectations, which call for additional precautions to be in place for computer and data storage areas. Australia Appropriate due diligence would normally ensure an assessment as to the robustness of the IT security risk management framework of the service provider, and alignment with a regulated institution s own framework. Appropriate due diligence should be conducted to ensure the robustness of the IT security risk management framework of the service provider, and the framework's alignment with a regulated institution s own framework. Attachment C: Service provider management; APRA Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology (May 2013) (2, page 23) (i) Maintain an IT security risk management framework; and Cooperate with FI due diligence reviews concerning the framework. Information Security Policy for Technology Roles CSP maintains a documented risk management approach (CSP Risk Management Approach) managed by CSP internal audit. CSP does not provide FI clients with information concerning internal audit techniques, approaches, or findings (ISP Tech Roles). (i) CSP maintains a documented risk management approach; and (ii) CSP does not enable FI clients to review audit information, including risk management documentation, or generally, sufficient internal and security control information for proper due diligence reviews. 24

25 III. Finding Solutions Rule Text Requirement Primary Source Citation CSP's Responsibility Title/Source Description Analysis Australia Appropriate due diligence would normally ensure an assessment as to the robustness of the IT security risk management framework of the service provider, and alignment with a regulated institution s own framework. Appropriate due diligence should be conducted to ensure the robustness of the IT security risk management framework of the service provider, and the framework's alignment with a regulated institution s own framework. Attachment C: Service provider management; APRA Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology (May 2013) (2, page 23) (i) Maintain a IT security risk management framework; and Cooperate with FI due diligence reviews concerning the framework. Information Security Policy for Technology Roles CSP maintains a documented risk management approach (CSP Risk Management Approach) managed by CSP internal audit. CSP does not provide FI clients with information concerning internal audit techniques, approaches, or findings (ISP Tech Roles). (i) CSP maintains a documented risk management approach; and (ii) CSP does not enable FI clients to review audit information, including risk management documentation, or generally, sufficient internal and security control information for proper due diligence reviews. United States It is important that access to customer data is restricted appropriately through effective identity and access management. Access to financial institution customer data must be restricted appropriately through effective identity and access management. Information Security; FFIEC Outsourced Cloud Computing (page 3). Restrict access to FI customer data through effective identity and access management. Service Organization Control 2 Report (2/1/12 1/31/13) Information Security Technical Standards Information Security Policy for All Roles Process Review Narrative Logical Security Meeting Notes (5/4/13) CSP maintains logical security controls, covering both identity and access (physical, logical, and privileged). See Service Organization Control 2 Report (2/1/12 1/31/13) and Process Review Narrative Logical Security for additional information concerning identity and access controls and business practices. CSP maintains various identity and access controls. However, we identified two potential access issues: (i) CSP technical operations employees have access to client data with limited controls and no operational monitoring system; and (ii) customer support third parties maintain customer support access, which allows access to customer data with client permission. 25

26 IV. Communicating with Regulators Organized and managed All meetings and interactions are structured and chaperoned Just the facts Balance transparency with facts Answer the question asked Too much detail opens new lines of questions Single story Regulators don t like multiple versions of truth Be prepared to back up statements with policy, standards, procedures and evidence Do what you say and say what you do 26

27 Communicating with Regulators If regulators ask a question that does not get to the issue, be constructive to inform and explain the systems, method, approach, exceptions, etc. Make sure the right people are in the meeting (if IT systems are under discussion, then the IT team should be represented). The seniority of the attendees at the meeting should also be considered. Listen and be responsive. Keep track of examiner requests. Follow up and ensure timely responses. Avoid the perception of being defensive. Fine to ask examiners to explain their line of questioning, but the bottom line they can ask about or for anything they want. Don't take offense if examiners are asking for something you already provided. Instead, take the opportunity to educate. Be patient and don't express frustration. 27

28 Communicating with Regulators Build credibility systematically Show commitment to the relationship Show contrition when wrong Regulators are rarely uninformed Be thoughtful and measured (no flash) Develop a regulatory strategy Highlight program state (even if it isn t very good) but be prepared to set reasonable milestones and meet them (all of them) 28

29 Questions? Stacy Coleman Ryan Smyth (619) Michael Spadea

30 Appendix Selected Additional Sources of Information: COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION, Internal Control Integrated Framework, May 2013, Executive Summary. BASEL COMMITTEE ON BANKING SUPERVISION, Principles for the Sound Management of Operational Risk, Jun INSTITUTE OF INTERNAL AUDITORS, IAA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, Jan OFFICE OF THE COMPTROLLER OF THE CURRENCY, OCC Bulletin Description: Risk Management Guidance, Oct issuances/bulletins/2013/bulletin html BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM, Guidance on Managing Outsourcing Risk, Dec

31 Appendix Selected Additional Sources of Information by Jurisdiction: Australia AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY, Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology, May Practice Guide CPG 234 Management of Security Risk May 2013.pdf AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY, Outsourcing and Offshoring Specific considerations when using cloud computing services, Nov on outsourcing and offshoring adi gili final.pdf France AUTORITÉ DE CONTRÔLE PRUDENTIEL, Anlyses et Syntheses The risks associated with cloud computing, Jul france.fr/fileadmin/user_upload/acp/publications/analysessyntheses/ The risks associated with cloud computing.pdf 31

32 Appendix France COMMISSION NATIONALE DE L'INFORMATIQUE ET DES LIBERTÉS, Recommendations for companies planning to use Cloud computing services se_cloud_computing_services.pdf Japan FISC (The Center for Financial Industry Information Systems), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, Mar MINISTRY OF ECONOMY, TRADE AND INDUSTRY, Information Security Management Guidelines for the Use of Cloud Services, Apr

33 Appendix Further Information on Controls: Preventive Controls applied before an activity occurs to provide reasonable assurance that only valid transactions are recognized, approved and submitted. Detective Controls performed after an activity occurs to provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis. Hard Controls tangible controls such as policies and procedures, segregation of duties, authorizations, etc. Soft Controls intangible controls associated with corporate culture such as shared values, ethics, etc. Automated Controls associated with IT Controls suitable for high volume or recurring activities Manual Controls performed by people and are more suitable when judgment and discretion are required 33

34 Appendix Preventive Controls Hard A. Information processing: IT Controls (Automated or manual) General controls: over data centers operations, software acquisition, systems development and maintenance (policies and procedures for: change management, software version control, incident escalation/management, business continuity/disaster recovery) Access controls: user IDs and passwords restrict unauthorized access to key systems Application controls: apply to programs that process transactions to ensure that activity is valid, properly authorized and accurate (automated checks for: completeness, validity, authorization, authentication, etc.) B. Physical controls: Safeguarding assets and records: limiting access to computer programs and data files (safes, vaults, safety deposit boxes, locked warehouses, pass key/fingerprint/optical access, alarm systems, security cameras) C. Segregation of duties: Assigning different people the responsibilities for authorizing transactions, recording transactions, and maintaining custody of assets (Cash controls, A/P controls, etc.) Supervisory reviews/approval prior to transaction processing Detective Controls Hard A. Operational/Financial performance reviews: Reconciliations: e.g., bank reconciliations are performed timely, by a different party than the person who writes checks Analyses and edit reports: timely generation and review of unusual transactions; analyses of actual performance vs. budget, forecasts, and prior performance 34

35 Appendix Preventive Controls Soft A. Elements of corporate culture: Corporate leadership and culture the tone at the top Competence High ethical standards Trust Openness Shared Values 35

36 Appendix Banks must adhere to certain regulatory requirements regarding internal control, which direct banks to operate in a safe and sound manner, comply with laws and regulations, and prepare accurate financial statements Laws and regulations that establish minimum requirements for internal control for national banks include: 12 CFR 30 Safety and Soundness Standards Establishes managerial and operational standards for all insured national banks, including internal control, which includes clear lines of authority and responsibility, effective risk assessment, timely and accurate reporting, and proper safeguarding of assets 12 CFR 363 Annual Independent Audits and Reporting Requirements Applies to national banks with over $500 million in assets, banks must submit an annual report to the OCC and FDIC, which includes managementʼs assessment of the effectiveness of the banks internal control and procedures for financial reporting and compliance with designated laws and regulations 15 USC 78m Securities and Exchange Act of 1934 Requires banks and holding companies with registered securities to develop and maintain a system of internal accounting controls The formality of the control system will depend primarily on the size of the bank, the complexity of its operations, and its risk profile 36

37 Appendix We are no longer willing to accept audit and risk management functions that are simply satisfactory. We are looking for excellence. Thomas J. Curry, Comptroller of the Currency November 15,