"Financial Service Technology America, today's latest financial news now..."
New Account

The Magazine

Issue 3

This is a short description of the magazine.

E-magazine
  • Previous Issues

Blog

Where our team of guest writers discuss what they think about the current FST US Issues.

Paul Styles
Product Manager, ACI Worldwide

Europe’s SEPA initiative: The challenges ahead

Paul Styles, Product Marketing Manager for Wholesale Payments at ACI Worldwide discusses the challenges that lie ahead.
29 Jul 2010

How to: mitigate your risk

LOTSolutions | www.lotsolutions.com


What does risk mitigation mean in the financial services industry and why is it so important today? Robert Fullington, President of LOTSolutions offers his views.

Trust is the keystone in the structure of financial institutions – and risk mitigation is the process that manages this trust. Risk mitigation is critical to all phases of a financial institution’s operation and encompasses a number of consumer issues, with a strong focus on customer privacy. The rash of publicized miscues and the merging of financial sectors have led the federal and state governments to legislate oversight to safeguard the public from data misuse and abuse. Indeed, today’s competitive environment has made ensuring customer trust a key concern for financial institutions. Failure to manage this risk can severely damage the institution’s image and brand and result in civil lawsuits and other industry sanctions.

As a result, financial institutions have allocated substantial resources to customer privacy during the past few years. Processes have been implemented to verify the identity of individuals more effectively; passwords and sign-ons have been developed that do not require the use of sensitive customer information. Much progress has been made, but the environment continues to be a moving target. More attack schemes such as phishing and pharming continue to pop up. Not only is it difficult to manage the safety of customer data within the organization, but sending it offsite can be even more challenging. According to Privacy Rights Clearinghouse, more than 90 million records containing sensitive personal information have been compromised in security breaches since February 2005, and we can expect an increase in customer concerns – and, in response, more stringent legislation in this area.

If your business model requires you to send customer information to a business partner, it is the financial institution’s responsibility to investigate that partner’s capabilities as they relate to maintaining the security of its clients’ data. In doing so, keep in mind the current major laws and industry safeguard standards as they may relate to the business and your business partner relationships. These include:

  • Sarbanes-Oxley (SOX), which focuses on financial transactions. If the financial transaction is material to the company, then business partners must be in compliance with SOX regulations, since they will be the reporting company and the financial institution will be responsible for the validity of that information.
  • Gramm-Leach-Bliley (GLBA), which focuses on the security of your data. Any third party (business partner) with which you do business should take the same steps as you do in securing this data. A security audit of the business partner is a necessity if you are going to provide your partner with sensitive data.
  • Payment Card Industry (PCI) Certification is a credit card industry standard that outlines policies and procedures for handling credit card data. This standard establishes processes that require a company to store no credit card number in the clear in its systems. All credit card information must be encrypted and transmitted in a secure environment.
  • SAS 70 is an audit performed by an outside auditing company that tests your policies and procedures and ensures that procedures are carried out as documented. This provides the institution with assurance that the business partner’s processes are being executed as a matter of everyday operations.

There are two major areas of risk that an institution should be concerned with when releasing its information to a business partner: data security and corporate brand risk. When looking at data security, consider the resources that business partners have invested in creating a secure environment – this is a true indicator of the importance they place on security. If your business partner performs annual SAS 70 audits, has attained PCI Certification (if it is handling credit card information), has a robust internal compliance organization and a secured computing and operational environment, then you can expect that it will handle your data in a secure fashion.

When reviewing brand risk, the institution should be concerned about the product design, compliance, target audience, product price and value. Marketing to your customers can be a great benefit to both you and your customer, but financial institutions must ensure that the product is beneficial and supportive of the institution’s brand and that the information is relevant to its target audience. The institution should select a business partner with extensive knowledge and experience in these fundamental marketing and operational techniques.

A good business partner should have a secure environment for your data as well as extensive experience selling products and creating value for the customer and the institution. They should be a willing, active and productive participant in all marketing activities – even if the institution is performing some of the marketing itself. Also, the institution should take a close look at the application software capabilities of the business partner in terms of reporting and flexibility in moving into new markets. Software applications must have security and quality control processes built into them. Communication is one of the most important aspects of risk mitigation, as both the partner and the institution need to understand day-to-day operations and the need to accomplish timely changes as the environment demands.

Financial institutions should consistently articulate their awareness of, and concern for, the importance of their customers’ information. Company websites should state this on the homepage and emphasize it on all pages requesting customer information. Call center procedures must incorporate processes that verify the identity of the customer and satisfy other regulated procedures. Annual privacy statements are required by law, but you can reinforce this message through statement messaging and inserts. Be vigilant about compliance, as new legislation and policies are continually announced and updated.
