
Balancing Act: Privacy & Info Security in Financial Institutions

Explore regulatory developments related to privacy and information security in financial institutions. Understand the importance of complying with legal requirements while maintaining customer privacy and data security. Discover how records management can help mitigate risks and ensure compliance in a changing legal environment.



Presentation Transcript


  1. At the Crossroads – Privacy and Information Security
     20th Annual National Training Conference, Fiduciary and Investment Risk Management Association Inc.™
     Julia Kirby, Senior Manager, Deloitte & Touche, LLP, Regulatory Consulting Group
     April 11, 2006

  2. Agenda The purpose of this presentation is to briefly describe regulatory developments related to privacy and information security. Deloitte & Touche LLP is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte & Touche LLP shall not be responsible for any loss sustained by any person who relies on this presentation. For complete regulatory requirements, please refer to the text of the rules themselves.

  3. Overview – At the Crossroads

  4. The Balancing Act – Privacy & Information Security
     Financial institutions must balance growing expectations while complying with the current legal environment.
     Expectations:
     • Customer privacy
     • Information security
     • Convenience of electronic services
     • Ethical behavior
     Compliance:
     • Local/state laws
     • Federal regulations
     • Regulatory agency guidelines
     • Investigations and litigation

  5. A Tool to Help Along the Way
     Records management is a risk-focused tool that can help manage expectations and maintain compliance.
     Factor: Expectations. How records management can help:
     • Centrally-managed security facilitates changes in procedures and technology
     • Records management provides consistent standards for managing customer and corporate information
     • Conforming to records management policy guidelines promotes ethical corporate behavior throughout the organization
     Factor: Compliance. How records management can help:
     • Retention is no longer sufficient - retention, retrieval, destruction, and security are now considered in regulatory examinations
     • Legal environment is constantly changing – a flexible framework is needed to adapt to new retention periods and record types
     • Records management aids document discovery in investigations and lawsuits

  6. Objective
     The goal of records management is to control and mitigate an organization’s exposure to risk.
     [Figure: sources of risk, grouped around the central label RISK, with the risk categories Reputation and Litigation]
     • Retention Requirements
     • Customer Privacy Compliance
     • Government Investigations
     • Regulatory Sanctions
     • Media Headlines
     • Sufficient vs. Excessive Recordkeeping

  7. Compliance Risk
     Recent compliance failures have placed greater public scrutiny on corporate records management practices.
     Company / Failure / Sanctioning Body / Fine:
     • Banc of America Securities: Violations of “the recordkeeping and access requirements of various securities laws” (March 2002). Sanctioning body: SEC. Fine: $10 million.
     • J.P. Morgan: “Failed to preserve for three years…all electronic mail communications” (February 2005). Sanctioning bodies: NASD, NYSE, SEC. Fine: $2.1 million.
     • Brokerage Firms (4): Violations of “recordkeeping requirements concerning business-related internal e-mail communications” (August 2004). Sanctioning body: SEC. Fine: $3.1 million.
     • Brokerage Firms (5): Violations of “record-keeping requirements concerning e-mail communications” (December 2002). Sanctioning body: SEC. Fine: $8.25 million.

  8. Litigation Risk
     The risk of incurring litigation or failing to meet legal responsibilities can also have financial impact for an organization.
     Company / Event / Monetary Impact ($):
     • Merrill Lynch: Conflicts of interest “revealed in internal e-mail communications” during an investigation by Elliot Spitzer (May 2002). Monetary impact: $100 million.
     • PAZ Securities, Inc.: Failed to effectively respond to NASD subpoena of various records (October 2005). Monetary impact: Expelled from NASD.
     • Bear, Stearns & Co., Inc.: Failed to respond in a timely and effective manner to a subpoena by the State of Illinois Securities Department (June 2005).
     • UBS Warburg LLC: In Zubulake v. UBS Warburg LLC, UBS was ordered to search and retrieve relevant e-mails from its archives (July 2004).
     Monetary impacts listed for the Bear Stearns and UBS matters: $300,000 and $10,000.

  9. Reputational Risk
     Investigations and/or negative media headlines can result in dramatic changes in the market value of a company.
     Company / Event / Timeframe / Change in Market Value:
     • Merrill Lynch: Announcement of investigation by NY AG Elliot Spitzer (April 2002). Timeframe: 1 month. Change in market value: $11 billion.
     • Insurance Firms (4): NY AG Elliot Spitzer files civil complaint against Marsh & McLennan, ACE, The Hartford, Munich American Risk Partners (October 2004). Timeframe: 4 trading days. Change in market value: $26 billion.
     • AIG: Investigation by NY AG Elliot Spitzer and the SEC led to the resignation of AIG's CEO and Chairman Hank Greenberg (January 2006). Timeframe: 11 months. Change in market value: $59 billion.

  10. Driving Forces

  11. Driving Forces in Records Management
     The growing importance of records management has led to changes in the marketplace, government, and industry.
     Force / Impact:
     • Consumer Needs: Convenience and cost are forcing new information delivery strategies that paper-based systems cannot deliver
     • Regulation: Government and industry are aligned to implement laws that encourage the elimination or reduction of paper
     • Legal Discovery: Electronic discovery is becoming more common as electronic records management increases
     • Records Retention Costs: Unit prices of traditional vs. electronic records retention (at scale) are incomparable
     • Technology: Increasing reliability and decreasing costs lead to limitless applications of technology
     • Market: Traditional records management firms are hungry for new revenues and view electronic services as a logical next step

  12. Vast and Complex Environment
     The universe of retention requirements applicable to an organization’s activities has grown to several thousand and is continually evolving.
     [Figure: Universe of Record Retention Requirements for International Financial Institutions*]
     • Banking Regulations
     • Court Decisions
     • Foreign Jurisdictions
     • State Law
     • Internal Revenue Code
     • International Supervisory Body Requirements
     • Federal Regulations
     • Evolving Technology
     • Federal Laws
     • Securities Laws
     • Bank Records
     *These are provided as an example. Seek counsel’s advice regarding requirements applicable to your organization.

  13. Implementation Issues

  14. Implementation Issues
     Each of the major components of records management presents different implementation issues.
     Key Components of a Records Management Program:
     • Policy
     • Retention Schedule
     • Governance Structure
     • Processes/Procedures
     • Warehouse
     • E-Mail/Electronic Management

  15. Policy
     A comprehensive policy is critical to communicating and implementing a records management program.
     Issue / Description:
     • Approval: Approval may be required from all business units, a lengthy process which can significantly delay implementation
     • Consistency: Records management must be consistent with existing bank policies, e.g. ethics, data security, e-mail
     • Enforcement: Enforcement of the policy must be incorporated into the self-assessment or audit processes
     • Training: Logistical obstacles must be overcome in training all employees and new hires

  16. Retention Schedule
     The retention schedule must capture all applicable requirements while remaining user-friendly for the business units.
     Issue / Description:
     • Scope: Applicable requirements are dependent upon the structure of the organization, e.g. bank holding company, financial company, non-bank subsidiaries
     • Complexity: Requirements originate from a number of sources, e.g. legal statutes (federal, state, local), regulatory guidance, industry guidelines, foreign jurisdictions
     • Maintenance: Organizations must be able to easily update the retention schedule to account for new requirements
     • Ease of Use: Business users must be able to easily look up a record and determine its retention period

  17. Governance
     Commitment and communication are vital to successful program governance.
     Issue / Description:
     • Resources: Records management responsibilities must be added without overburdening existing roles
     • Accountability: Every employee impacts records management, from the CEO to the new hire
     • Management Support: Consistent commitment from the top facilitates compliance throughout the organization
     • Communication: Communication is key to establishing a culture where records management is emphasized

  18. Processes/Procedures
     Secure processes are required to ensure effective storage, retrieval, and destruction of bank records.
     Issue / Description:
     • Retrieval: Legal and regulatory inquiries demand that records be retrieved in a timely manner by content, date, or creator
     • Storage: Storage of off-site items must be documented and transported consistently
     • Destruction: Complicated destruction procedures are needed to offset advances in forensic recovery analysis
     • Security: Retrieval, storage, and destruction processes must be invulnerable to unauthorized access of data

  19. Warehouse
     Third-party warehousing has far-reaching consequences beyond records management.
     Issue / Description:
     • Logging: A consistent logging procedure is necessary to ensure storage, retrieval and destruction
     • Vendor Reputation: The reputation of the vendor will directly correlate with the reputational risk to the bank
     • Business Continuity: Warehouses must be integrated with business continuity plans to recover from disaster
     • Contract: Third-party vendor requirements must be applied

  20. E-Mail and Electronic Records
     Effective e-mail management mandates changes in systems as well as corporate behavior.
     Issue / Description:
     • System Functionality: Management of electronic records is dependent on system search, backup, and restoration capabilities
     • Volume: System storage capacity is finite and average industry volume is excessive
     • Desktop Archiving: E-mail records on personal workstations are accessible as part of a legal or regulatory inquiry
     • Misconceptions: All e-mails are business records, regardless of the content

  21. Critical Success Factors

  22. Initial Approach
     Evaluating the current state and envisioning the ideal state are the first steps to be taken.
     1. Review Policies and Procedures – assess existing:
        • Documentation types
        • Retention processes
        • Security procedures
        • Staffing commitment
        • Storage opportunities and capabilities
     2. Identify Existing Records – conduct an inventory of existing records to determine:
        • Record types
        • Storage media
        • Security classification
        • Record location
        • Volume
     3. Organize a Team – forming a team requires:
        • Cross-functional leadership
        • Commitment from senior management
        • Defined roles and responsibilities
     4. Develop a Vision – a records management program must consider:
        • Corporate culture
        • Infrastructure
        • Timing

  23. Critical Success Factors
     • Practicality: Focus on practical and implementable policy
     • Infrastructure: Effective warehouse management; system solutions; understanding of support infrastructure
     • Commitment: True organizational commitment and effort; training and communication
     • Long-Term Vision: Anticipate long-term needs and trends
     • Expertise: Access to legal and regulatory expertise

  24. Questions and Answers

  25. Contact information:
     Julia Kirby
     Deloitte & Touche LLP
     555 12th Street N.W., Suite 500
     Washington, D.C. 20004-1207
     202-879-5685
     jukirby@deloitte.com
