Kelly Trammell, Managing Director of Sheshunoff Management Services (SMS), explains how financial institutions can ensure that they don’t fall foul of today’s regulations.
FST. As a bank executive, I may have been through a dozen compliance audits; I know the checklists and I’m confident we’re ready. What could I be overlooking?
KT. Agencies have changed how they assign examiners to banks. The old criteria represented by the checklists no longer apply. In 2007 and 2008, regulators are assigning examiners according to your risk profile. They assign more experienced examiners to banks that have higher risk profiles – it’s a much closer scrutiny.
Examiners perceive that anything the bank does in-house – custom programming, writing their own systems or maintaining their own systems in-house – has more inherent risk than if the bank outsources their technology. The examiners are giving higher risk profiles for any technology operations performed in-house. That’s one more compelling reason banks look to outsource providers – not only are there cost advantages, but it lowers their scrutiny from the examiners and thereby lowers the cost of compliance.
Examiners are taking a more asset-based approach to risk. Regulators prioritize so that the highest-risk assets with the most exposure get more scrutiny. It’s no longer sufficient to categorize your risk to the bank as a whole, you have to look at the risks by individual components and asset classes. For example, your Internet banking operation has much more inherent risk than your information-only website or your tele-operations or other technology asset.
FST. Our bank works with one vendor that takes care of our ATMs and another that handles our Internet banking. However, we’re responsible for our own system integrity – how do I know we’re protected and compliant? How do we know we’re getting the best return on these services?
KT. The banking industry is highly outsourced. Along with that goes responsibility for system integrity, data security and maintaining information security overall. You cannot outsource that – responsibility for security will always lie with the bank. There are several ways you can mitigate or control risk even though you do not actually operate the assets.
Make sure that whatever technology service provider you go with has a SAS 70 audit at least annually. A SAS 70 is an accounting-firm audit of the provider and ensures they are compliant with information security policies and other practices designed to secure your data. However, the scope of a SAS 70 does not cover access controls, password protection, or other forms of user-level access. You need a Shared Assessment Report that goes through a second level of scrutiny relative to information security.
FST. You say there are opportunities “lurking” in a bank’s IT systems. What do you mean by this?
KT. A lot of banks, especially community or regional banks, typically use their IT examination as a kind of check-up. They go through the examination process, deficiencies are identified and the regulatory authorities tell the bank to correct the deficiencies. The bank patches the holes, and they think that – by being compliant with the examiner’s recommendations – they have done everything they need to do to manage their IT function.
FST. What if a bank’s IT staff reports to the COO. He’s seen a lot of development in the technology sector, but he may be relying on the techies for the real complicated stuff. How do we know for sure that everything’s on the up and up down there?
KT. We see this quite a bit. The COO has been there for a really long time, truly understands bank operations and how technology can impact those operations. What they don’t clearly understand is what new technologies can do, and how those new technologies can impact your bottom line.
FST. If a bank has invested heavily in a core processor and is mid-way into a seven-year contract, how does it plan for the future?
KT. The key to contract management is to think about renewal at least 24 months before the contract runs out. Banks commonly go through the contract without getting everything they need, or maybe they weren’t really diligent about setting the service level agreements at the beginning. Sometimes the bank will grow so dramatically that its true requirements outstrip the scope of the contract, and it’s hard to get the provider to scale performance up. Maybe they need added features to get the most from their system, and it exceeds the scope of the contract. And everyone’s always worried, “am I paying too much?”
FST. How does a bank retain that local feel when more and more customers are choosing to log in online rather than visiting the branch in person?
KT. This is where an investment in technology not only levels the playing field, it returns the advantage to local and regional banks. These are the banks that know several generations of their customers. They recognize their customers when they come in the door, or drive up to the window or walk up to the in-store branch at the supermarket. And they are reliable corporate citizens, playing an active role in the things that make their communities unique.
By using the technology to do more than process transactions, the bank can offer all of the accessibility and on-line convenience of the big national corporations, but include local touches in their automated customer communications and market analysis. No big national bank is going to know when one of the local high schools is going to the state championship. They aren’t going to use their technology to promote local festivals and events. Local bank corporations are all about managing the customer relationship, and technology can help them maintain that important hometown feel.
FST. What are the biggest technology threats banks will be facing tomorrow, that we still haven’t heard about, especially in the media?
KT. You don’t hear about it in the media, but the biggest threats from increasing access channels come from the people in the bank, people who have authorized access to the bank’s information. You know the people you work with, you have known them for years, and so you don’t worry so much that any one of them could slip a flash drive into a workstation, or access a database through a wireless device and pull down thousands of social security numbers, accounts and other protected information in seconds.
Sheshunoff risk consultation can analyze your systems for all kinds of threats – including deep penetration tests that dig as far as they can into your system. We have authentication processes to recommend and other practices that can help your system discriminate between channels, check to see if certain operations are authorized, and track security violations back through the portal and – hopefully – to the perpetrator. No one likes to think about internal threats, and bankers certainly don’t talk about it, but increasing access to your data needs to be matched with risk assessment and strategies that cover all the bases.
Kelly Trammel is an attorney, accountant and technology risk expert with more than 20 years’ experience with data security and compliance. Trammel joined SMS this year through the acquisition of Servique LLC, where he was the President and CEO. He has served as Managing Director of NetIQ’s Global Services division, CEO of Facetime Communications, and Managing Director for IBM Global Services, where he was in charge of IBM’s Internet Banking solutions and services on a worldwide basis. Trammel is certified as a CPA, CFE and CISA. He holds a B.B.A. in Accounting from the University of Texas at Austin and a J.D. from the University of Houston.