Page 1: September 17th – 19th, 2014, · information. Determine whether service providers’ expertise, internal controls, and financial condition meet internal criteria. Ensure contract

Washington, DC     Atlanta     Brussels     Denver     Dubai     Hong Kong     London     Milan     New York     Paris     San Francisco     Singapore     Sydney     Tokyo     Toronto

© 2014 Promontory Financial Group LLC.  All rights reserved.

Compliance and Risk Essentials for Financial Services CSPs

IAPP Privacy Academy and Cloud Security Alliance, September 17th – 19th, 2014, San Jose

Page 2

Agenda and Takeaways

• Agenda

I. Regulation, Regulators, and Financial Services (FS)

II. Problems Facing CSPs in the FI’s Market

III. Finding Solutions 

IV. Communicating with Regulators

• Takeaways

Understand the extraordinary regulatory pressure financial institutions and vendors are under

Insight into regulators’ concerns and guidance

Strategies to address regulator and client needs

Page 3

I. Regulation, Regulators, and Financial Services (FS)

• Agenda

‒ Overview of Regulators

‒ The US Bank Service Company Act

‒ Current Regulatory Environment

‒ Vendor Selection Process at Financial Institutions 

‒ Regulators’ Approach to Banks’ Use of Vendors

‒ Financial Institution’s Views of Regulators and Regulations

‒ Financial Institution Governance

Page 4

Overview of Regulators

The US financial services industry is highly regulated by several different government agencies. The supervised populations include:

• Federally-chartered or insured credit unions

• Federally-insured depository institutions, including state banks that are not members of the Federal Reserve System and state-chartered thrift institutions

• National banks, U.S. federal branches of foreign banks, federally chartered savings institutions

• Bank holding companies, savings and loan holding companies, certain state banks and U.S. branches of foreign banks

• Nonbank mortgage-related firms, private student lenders, payday lenders, and consumer businesses of banks with over $10 billion in assets

Page 5

The US Bank Service Company Act

The Bank Service Company Act provides statutory authority to the Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation to supervise third‐party servicers (or vendors) that enter into contractual agreements with their regulated financial institutions.

Page 6

Current Regulatory Environment

• The impact of the recent financial crisis has significantly changed the supervision and regulation of financial institutions.

• Supervisory attention on the scope and quality of third party risk management has increased (see Appendix).

• Recent exam activity and enforcement actions as well as updated guidance reinforce long‐standing supervisory expectations of sound risk management, but also introduce new expectations. 

• Industry-wide programs for third-party management are undergoing revision and realignment to better meet evolving business objectives and supervisory expectations, in financial services in particular.

Page 7

Vendor Selection Process at Financial Institutions

The vendor selection process moves through five stages:

I. Decide to Engage a Third Party or Vendor: Evaluate whether the decision to hire a third party is consistent with the company’s strategic direction and appropriately balances costs and benefits.

II. Conduct Risk Assessment: Conduct a risk assessment to identify risks associated with hiring the third party (operational, strategic, compliance, credit, and reputation risks). Assess whether the vendor will have access to non-public information.

III. Perform Due Diligence: Determine whether service providers’ expertise, internal controls, and financial condition meet internal criteria.

IV. Negotiate Contract Terms: Ensure the contract or SLA contains termination rights, audit rights to facilitate the company’s oversight, and reporting obligations to enable the company to monitor performance and financial condition.

V. Perform Ongoing Monitoring: After signing an agreement, the company must monitor the third party’s performance, internal controls, and financial condition.

Page 8

Regulators’ Approach to Banks’ Use of Vendors

• Banks have long outsourced technology, processing, and other operational and support functions to service providers, affiliates, and other third parties.

• Banking regulators have long maintained that the risks of outsourced activities remain a bank’s risks with bank management and boards of directors accountable for their effective management and control.

• Historically, regulators have focused on management of risks to protect the interests of the bank and in particular on outsourced information technology and processing services with an emphasis on retail oriented banks.

• Five prongs of regulatory expectations underlie the risk management of third party relationships.

Page 9

Regulators’ Approach to Banks’ Use of Vendors

Business Assessment.  Assessment of the strategic fit of potential outsourced activities with an organization’s business model, strategy, and operational and risk management capacity;

Due Diligence. Comprehensive review of the competencies and reputation of individual prospective vendors and their abilities to meet an organization’s business objectives;

Contracting.  Written contracts identifying the roles and responsibilities of all parties in third‐party relationships and the consequences of contractual non‐performance;

Ongoing Oversight.  Oversight and monitoring of vendor performance, adherence to contract terms, and expectations of risk management; and

Governance.  Adequacy of the organization’s written policies and framework, and its organization and oversight of business units and functions necessary for effective risk management.

Page 10

Financial Institution’s Views of Regulators and Regulations

• Regulators will expect you to abide by their guidance absent a good reason

• Number and depth of regulatory examinations are increasing as are financial and cost pressures

• Regulatory findings must be avoided or impact could be severe

• Examination guidance and regulation can be contradictory and ambiguous

• Relationship with regulators and examiners is critical

• Inconsistent regulator technical and information security sophistication

Page 11

Financial Institution Governance

COSO’s Internal Control – Integrated Framework 

“An internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in: 1) the effectiveness and efficiency of operations, 2) reliability of reporting, and 3) compliance with applicable laws and regulations.”

… think of it in terms of Accuracy, Integrity, and Completeness 

Page 12

Financial Institution Governance

Types of Controls

I. Preventive Controls – applied before an activity occurs to provide reasonable assurance that only valid transactions are recognized, approved, and submitted

II. Detective Controls – performed after an activity occurs to provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis

III. “Hard” Controls – tangible controls such as policies and procedures, segregation of duties, authorizations, etc.

Page 13

Financial Institution Governance

Types of Controls

IV. “Soft” Controls – intangible controls associated with corporate culture such as shared values, ethics, etc.

V. Automated Controls – associated with IT Controls suitable for high volume or recurring activities

VI. Manual Controls – performed by people and are more suitable when judgment and discretion are required

Page 14

Financial Institution Governance

First Line – Management and Internal Controls

• Controls designed into systems and processes, implemented through a cascading responsibility structure

• Responsible for maintaining effective internal controls from day to day

Second Line – Risk and Compliance Functions

• Offer guidance on internal control requirements, conduct or oversee risk assessments, and evaluate adherence to defined standards

• Ensure the first line is working effectively

Third Line – Internal and External Audit

• Independently assesses and reports on internal control and recommends corrective actions or enhancements for management consideration and implementation

• Provides assurance regarding effectiveness of both the first and second lines of defense

Page 15

Financial Institution Governance - Three Lines of Defense

[Figure: Three Lines of Defense model. Governing Body / Board / Audit Committee and Senior Management sit above the three lines. 1st Line of Defense: Management Controls, Internal Controls. 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Inspection, Compliance. 3rd Line of Defense: Internal Audit. External Audit and Regulator are shown alongside the three lines.]

Source: Institute of Internal Auditors, “Position Paper: The Three Lines of Defense in Effective Risk Management and Control”, January 2013.

Page 16

Financial Institution Governance

I. Enterprise Risk Management is designed to help management and boards of directors answer these relevant business questions: 

A. What are all the risks to our business strategy and operations (coverage)? 

B. How much risk are we willing to take (risk appetite)? 

C. How do we govern risk taking (culture, governance, and policies)? 

D. How do we capture the information we need to manage these risks (risk data and infrastructure)? 

E. How do we control the risks (control environment)? 

F. How do we know the size of the various risks (measurement and evaluation)? 

G. What are we doing about these risks (response)? 

H. What possible scenarios could hurt us (stress testing)? 

I. How are various risks interrelated (stress testing)? 

(Risk Management Association, 2012) 

Page 17

II. Problems Facing CSPs in the FI’s Market

• Agenda

– It’s complicated . . . 

– Increased risk (perceived by regulators and FI risk teams)

– Cloud can be a bad word

– Cloud has reputational risk

– Comingled data and services may be considered unreasonable risks

– Meeting multiple FIs’ and regulators’ requirements

Page 18

It’s complicated . . . 

• Regulatory requirements

– Little actual guidance or lots of ambiguity

– Responsibility is unclear

– Non‐compliance impact unclear

– Who wrote this &#$^?

• How should the risk of cloud use be measured?

• Gap analysis

• Remediation

Page 19

Increased risk (perceived by regulators and FI risk teams)

• Enforcement action for customer non‐compliance

– Customer no longer allowed to use CSP

– CSP named in enforcement action, but not a party

• Examination

– What is a First Day Letter?

– Enforcement

• Incidents 

– At your organization

– Another CSP

Page 20

Cloud can be a bad word

• Regulators dislike

– Lack of risk transparency

– Unknown data and processing location

– Unknown data deletion, security, isolation

• Client security teams

– Prefer in‐house solutions they can review

– Have blocked or are blocking public cloud use

• Snowden fallout

Page 21

Meeting multiple FIs’ and regulators’ requirements

• Cloud services will need to comply with various interpretations of risk and guidance

– Ambiguity in guidance will make for ambiguous client requirements

– CSPs may have hundreds of security questions from some FIs and most will be different from other FIs

– Cost and resource impacts will grow given the need to develop additional controls and work with FIs’ vendor management teams

Page 22

III. Finding Solutions

• Agenda

‒ Practical Suggestions

‒ Sample Control Review

Page 23

III. Finding Solutions 

• Embrace and understand guidance and regulation

– Walk a mile…

• Three words - Transparency, transparency, transparency

– If you are better, be prepared to prove it

• Provide tools for clients to make risk decisions

• Prepare clients to represent service value and risk on your behalf

– You may not be in the room when regulators decide they don’t like cloud

• Be prepared to be examined by regulators

– Regulatory exams are serious and must be handled appropriately

Page 24

III. Finding Solutions 

Sample Control Review (columns: Rule Text; Requirement; Primary Source Citation; CSP’s Responsibility; Title/Source; Description; Analysis)

Japan

Rule Text: Operations conducted after entry into the room should be managed.

Requirement: FIs should manage operations conducted after entry into the computer and data storage rooms.

Primary Source Citation: FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions (March 2012) (Operational management, O61)

CSP’s Responsibility: Maintain restrictions on what personnel are able to possess and access when entrance to a data storage room is granted, including: (i) restricted entry; and (ii) limits on cameras, personal computers, and other recording devices.

Title/Source: Meeting Notes 1/3/14; Fall 2013 Asset Management Audit; SOC 2 Report

Description: CSP does not maintain a separate computer data storage room or preparatory room within its data center. CSP relies on data center controls to protect the computer and data storage location.

Analysis: (i)–(ii) CSP does not maintain a separate computer data storage room or preparatory room within its data center. This does not meet regulatory expectations, which call for additional precautions to be in place for computer and data storage areas.

Australia

Rule Text: Appropriate due diligence would normally ensure an assessment as to the robustness of the IT security risk management framework of the service provider, and alignment with a regulated institution’s own framework.

Requirement: Appropriate due diligence should be conducted to ensure the robustness of the IT security risk management framework of the service provider, and the framework's alignment with a regulated institution’s own framework.

Primary Source Citation: Attachment C: Service provider management; APRA Prudential Practice Guide CPG 234 - Management of Security Risk in Information and Information Technology (May 2013) (2, page 23)

CSP’s Responsibility: (i) Maintain an IT security risk management framework; and (ii) cooperate with FI due diligence reviews concerning the framework.

Title/Source: Information Security Policy for Technology Roles

Description: CSP maintains a documented risk management approach (CSP Risk Management Approach) managed by CSP internal audit. CSP does not provide FI clients with information concerning internal audit techniques, approaches, or findings (ISP-Tech Roles).

Analysis: (i) CSP maintains a documented risk management approach; and (ii) CSP does not enable FI clients to review audit information, including risk management documentation, or generally, sufficient internal and security control information for proper due diligence reviews.

Page 25

III. Finding Solutions 


United States

Rule Text: It is important that access to customer data is restricted appropriately through effective identity and access management.

Requirement: Access to financial institution customer data must be restricted appropriately through effective identity and access management.

Primary Source Citation: Information Security; FFIEC Outsourced Cloud Computing (page 3).

CSP’s Responsibility: Restrict access to FI customer data through effective identity and access management.

Title/Source: Service Organization Control 2 Report (2/1/12 - 1/31/13); Information Security Technical Standards; Information Security Policy for All Roles; Process Review Narrative - Logical Security; Meeting Notes (5/4/13)

Description: CSP maintains logical security controls, covering both identity and access (physical, logical, and privileged). See Service Organization Control 2 Report (2/1/12 - 1/31/13) and Process Review Narrative - Logical Security for additional information concerning identity and access controls and business practices.

Analysis: CSP maintains various identity and access controls. However, we identified two potential access issues: (i) CSP technical operations employees have access to client data with limited controls and no operational monitoring system; and (ii) customer support third parties maintain customer support access, which allows access to customer data with client permission.

Page 26

IV. Communicating with Regulators 

• Organized and managed

– All meetings and interactions are structured and chaperoned

• Just the facts

– Balance transparency with facts

• Answer the question asked

– Too much detail opens new lines of questions

• Single story

– Regulators don’t like multiple versions of “truth”

• Be prepared to back up statements with policy, standards, procedures and evidence

– Do what you say and say what you do

Page 27

Communicating with Regulators

• If regulators ask a question that does not get to the issue, be constructive: inform and explain the systems, method, approach, exceptions, etc.

• Make sure the right people are in the meeting (if IT systems are under discussion, then the IT team should be represented).  The seniority of the attendees at the meeting should also be considered.  

• Listen and be responsive.  

• Keep track of examiner requests.  Follow‐up and ensure timely responses.

• Avoid the perception of being defensive. It is fine to ask examiners to explain their line of questioning, but the bottom line is that they can ask about or for anything they want.

• Don't take offense if examiners are asking for something you already provided.  Instead, take the opportunity to educate.  Be patient and don't express frustration.  

Page 28

Communicating with Regulators

• Build credibility systematically

• Show commitment to the relationship

• Show contrition when wrong

• Regulators are rarely uninformed

• Be thoughtful and measured (no flash)

• Develop a regulatory strategy

• Highlight program state (even if it isn’t very good) but be prepared to set reasonable milestones and meet them (all of them)

Page 29

Questions?

Stacy [email protected]

202‐384‐1196

Ryan [email protected]

(619) 572‐3074

Michael [email protected]

415‐905‐0254

Page 30

Appendix

Selected Additional Sources of Information:

• COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION, Internal Control – Integrated Framework, May 2013, Executive Summary.

• BASEL COMMITTEE ON BANKING SUPERVISION, Principles for the Sound Management of Operational Risk, Jun. 2011.

• INSTITUTE OF INTERNAL AUDITORS, IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, Jan. 2013.

• OFFICE OF THE COMPTROLLER OF THE CURRENCY, OCC Bulletin 2013-29, Description: Risk Management Guidance, Oct. 2013. http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

• BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM, Guidance on Managing Outsourcing Risk, Dec. 2013. http://www.federalreserve.gov/bankinforeg/srletters/sr1319a1.pdf

Page 31

Appendix

Selected Additional Sources of Information by Jurisdiction:

• Australia

‒ AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY, Prudential Practice Guide CPG 234 – Management of Security Risk in Information and Information Technology, May 2013. http://www.apra.gov.au/CrossIndustry/Documents/Prudential-Practice-Guide-CPG-234-Management-of-Security-Risk-May-2013.pdf

‒ AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY, Outsourcing and Offshoring - Specific considerations when using cloud computing services, Nov. 2010. http://www.apra.gov.au/crossindustry/documents/letter-on-outsourcing-and-offshoring-adi-gi-li-final.pdf

• France

‒ AUTORITÉ DE CONTRÔLE PRUDENTIEL, Analyses et Synthèses - The risks associated with cloud computing, Jul. 2013. http://acpr.banque-france.fr/fileadmin/user_upload/acp/publications/analyses-syntheses/201307-The-risks-associated-with-cloud-computing.pdf

Page 32

Appendix

• France

‒ COMMISSION NATIONALE DE L'INFORMATIQUE ET DES LIBERTÉS, Recommendations for companies planning to use Cloud computing services. http://www.cnil.fr/fileadmin/documents/en/Recommendations_for_companies_planning_to_use_Cloud_computing_services.pdf

• Japan

‒ FISC (The Center for Financial Industry Information Systems), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, Mar. 2011

‒ MINISTRY OF ECONOMY, TRADE AND INDUSTRY, Information Security Management Guidelines for the Use of Cloud Services, Apr. 2011

Page 33

Appendix

Further Information on Controls:

• Preventive Controls – applied before an activity occurs to provide reasonable assurance that only valid transactions are recognized, approved and submitted.

• Detective Controls – performed after an activity occurs to provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis.

• “Hard” Controls – tangible controls such as policies and procedures, segregation of duties, authorizations, etc.

• “Soft” Controls – intangible controls associated with corporate culture such as shared values, ethics, etc.

• Automated Controls – associated with IT Controls suitable for high volume or recurring activities

• Manual Controls – performed by people and are more suitable when judgment and discretion are required

Page 34

Appendix

• Preventive Controls - Hard

A. Information processing: IT Controls (automated or manual)

‒ General controls: over data center operations, software acquisition, systems development and maintenance (policies and procedures for: change management, software version control, incident escalation/management, business continuity/disaster recovery)

‒ Access controls: user IDs and passwords restrict unauthorized access to key systems

‒ Application controls: apply to programs that process transactions to ensure that activity is valid, properly authorized and accurate (automated checks for: completeness, validity, authorization, authentication, etc.)

B. Physical controls: Safeguarding assets and records: limiting access to computer programs and data files (safes, vaults, safety deposit boxes, locked warehouses, pass key/fingerprint/optical access, alarm systems, security cameras)

C. Segregation of duties: Assigning different people the responsibilities for authorizing transactions, recording transactions, and maintaining custody of assets (cash controls, A/P controls, etc.)

‒ Supervisory reviews/approval prior to transaction processing

• Detective Controls - Hard

A. Operational/Financial performance reviews:

‒ Reconciliations: e.g., bank reconciliations are performed timely, by a different party than the person who writes checks

‒ Analyses and edit reports: timely generation and review of unusual transactions; analyses of actual performance vs. budget, forecasts, and prior performance

Page 35

Appendix

• Preventive Controls – Soft

A. Elements of corporate culture:

‒ Corporate leadership and culture: the “tone at the top”

‒ Competence

‒ High ethical standards

‒ Trust

‒ Openness

‒ Shared values

Page 36

Appendix

Banks must adhere to certain regulatory requirements regarding internal control, which direct banks to operate in a safe and sound manner, comply with laws and regulations, and prepare accurate financial statements.

Laws and regulations that establish minimum requirements for internal control for national banks include:

• 12 CFR 30 – Safety and Soundness Standards. Establishes managerial and operational standards for all insured national banks, including internal control, which includes clear lines of authority and responsibility, effective risk assessment, timely and accurate reporting, and proper safeguarding of assets.

• 12 CFR 363 – Annual Independent Audits and Reporting Requirements. Applies to national banks with over $500 million in assets; banks must submit an annual report to the OCC and FDIC, which includes management’s assessment of the effectiveness of the bank’s internal control and procedures for financial reporting and compliance with designated laws and regulations.

• 15 USC 78m – Securities and Exchange Act of 1934. Requires banks and holding companies with registered securities to develop and maintain a system of internal accounting controls.

The formality of the control system will depend primarily on the size of the bank, the complexity of its operations, and its risk profile.

Page 37

Appendix

“We are no longer willing to accept audit and risk management functions that are simply satisfactory. We are looking for excellence.”

- Thomas J. Curry, Comptroller of the Currency, November 15, 2012