EU Payments Directive Opens Door to Open Banking

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK




The second European Payment Services Directive (PSD2) must be transposed into the national law of EU member states by January 13, 2018. Heralded as a way to make it faster, easier and less expensive for consumers to pay for goods and services, it also forces European banks to share customer data and payment infrastructure with third-party service providers, including the disruptive new competitors known as fintechs.

For better or worse, banks will soon have to comply with the law. Their only choice lies in whether to embrace this disruption and use it as the catalyst for an “open banking” business model, or succumb to the competitive threat.

The European Parliament adopted PSD2 in October 2015 to promote innovation (especially by third-party providers), enhance payment security and standardise payment systems across Europe. Its practical effects would be to:

  • Bring fintechs within the scope of regulation by widening the definition of regulated payment services
  • Limit transaction fees and rebates
  • Require banks to open their payment infrastructure and customer data to third-party financial service providers; and
  • Provide new protections to consumers and users of payment services.

In practical terms, PSD2 creates an open banking environment in which banks must share a customer’s financial data, at the customer’s request, with any regulated account information service provider (AISP), and must let any regulated payment initiation service provider (PISP) initiate payments from the customer’s account, while the bank retains responsibility for the risk and compliance aspects of the customer relationship and the data. Access is provided through an application programming interface (API) that complies with the regulatory technical standards on strong customer authentication and secure communication drafted by the European Banking Authority under PSD2.

To be sure, this expanded access to and consolidation of data increases existing risks (e.g., fraud) and poses new risks to the business model of incumbents such as banks, but it brings opportunities as well, particularly for challenger banks and for traditional banks that choose to do more than the bare minimum of PSD2 compliance. Perhaps a bit surprisingly, the prevailing sentiment, even among some bankers, is one of excitement and optimism.

Time will tell what innovations and unintended consequences PSD2 will create. In the most likely scenario, the financial services industry will see a dramatic rise in mobile technology driven by APIs. Banks wishing to remain competitive will use APIs to build an “ecosystem” not just with payment providers but with merchants, so that they remain their customers’ “everyday bank.” The use of APIs in financial services has been hampered by privacy rules and the private ownership of data and infrastructure; for the account data and payment services it covers, PSD2 clears those hurdles.

Consider this small sampling of possibilities:

  • Account aggregation, which provides consumers with an overview of all accounts held across different institutions, without having to log into multiple proprietary customer portals.
  • Automated balance sweeping across multiple accounts to maximise interest earned and minimise debit balances.
  • “Marketplace” banks that offer lowest-cost services for loans, overdrafts and foreign currency transfers.
  • Credit decisions based on actual data by any institution and not just the institution currently providing bank account services — increasing choice and competition.
  • Payment facilities for the Internet of Things, such as, say, a self-replenishing refrigerator authorized to “shop” on the owner’s behalf, or a car that can pay for fuel or recharge without the customer leaving the vehicle.

There will be winners and losers. Potentially the biggest winners will be consumers and entities making and receiving payments within the European Economic Area. Cost and lack of competition in the existing payment space have been a concern for European regulators, and the opening up is likely to drive costs down for banks and consumers alike as competition increases.

An issue I deliberately did not address here is data security and the safeguards built into PSD2 to ensure that personally identifiable data is protected. This is a topic for a discussion in its own right, and we will be covering the security aspects of PSD2 on this blog and elsewhere. In the meantime, you can bet that PSD2 will be front and center when the European financial services industry gathers June 26-28 in Copenhagen for Money 20/20. I hope to see you there!

John Harvie, Business Performance Improvement, Protiviti UK and Justin Pang, Risk and Compliance, Protiviti UK contributed to this content.

Commitment to Equality Promotes Trust and Growth: Protiviti Celebrates Pride Month

By Steven Stachowicz, Managing Director
Risk and Compliance




As we progress through June, which is traditionally Pride Month for the lesbian, gay, bisexual and transgender (LGBT+) community, I want to take a moment to reflect on Protiviti’s commitment to the LGBT+ community and our employees, and share my thoughts on the value of diversity, and my experience as an out and proud executive within our firm.

At Protiviti, we know that diversity of ideas and experiences is essential to fulfilling our promises to our people and developing and maintaining a truly global, collaborative and diverse workforce. We strive to deliver an exceptional experience to our people, our clients and our communities. We know that we are stronger because of our inclusive work environment, where employees see one another’s uniqueness as assets and strengths. Stephen Covey, in his best-selling book, The Seven Habits of Highly Effective People, noted that valuing and respecting differences is “the essence of synergy,” because diverse individuals working together can bring their individual experience to the table, build on each other’s strengths, and produce far better results than they could individually. Diversity of thought is critical to the professional development of our people, the creativity, innovation and value we bring to our clients in the marketplace, and the way we engage with our communities as a responsible corporate citizen.

We work hard every day to be an inclusive organization, and so we are very proud that our parent company, Robert Half International, received a perfect score of 100 on the 2017 Corporate Equality Index (CEI). The CEI is a national benchmarking survey and reports on corporate policies and practices related to LGBT+ workplace equality, administered by the Human Rights Campaign (HRC) Foundation. The CEI criteria reflect leading policies, benefits and practices for the LGBT+ workforce and their families. These criteria are based on the notion of parity rather than prescription, and the CEI helps us know if we are achieving our goals to address the needs of the LGBT+ communities.

From an organizational standpoint, support is key to building a community. By promoting an environment of inclusion, all employees are respected and valued as demonstrated by equal access to opportunity and advancement reflected in our policies and programs. Our ProPride employee network group began in 2014 in the U.S., and now includes nearly 200 employees globally. This group, under the leadership of Philip Maziarz, Patrick Luong and Belton Flournoy, has made a tangible difference in promoting awareness within our organization and providing support to our LGBT+ employees and allies in their professional development through networking and mentoring. This outreach extends to Protiviti’s recruiting efforts, our community service through participation in AIDS Walks, and so much more.

Organizations that embrace inclusivity and diversity realize positive economic impacts. This should be common sense – people who feel comfortable within their companies tend to stay longer (reducing attrition rates), demonstrate increased productivity, and have less difficulty finding valuable mentorship and social networks. Research bears out this truth; these factors stimulate growth within organizations while reinforcing the fundamental principle – treat people the way you would want to be treated.

As a new Managing Director, I look back on my career with Protiviti and am thankful for all of the support that I have received over the years. I have grown in this organization “in my own skin,” as my authentic self, within my project teams and management teams, at my clients’ locations, social events, holiday parties, baseball games and in my day-to-day interactions with my leadership team and colleagues. I was recently engaged and married and am taking steps to form my own family, and the continued outpouring of congratulations and support has been and continues to be humbling. I am closer to my coworkers and clients because of this, and have not once felt anything other than a strong sense of belonging.

However, it isn’t enough that I am grateful for the support I’ve received. I believe it is important that I give back – that we give back. That we support others and truly listen to them and encourage them to be authentic in all aspects of their lives. That we work to promote awareness and understanding that we are all different, yet equally worthy of opportunities. That we actively recognize and value differences and diversity. That we communicate to the broader LGBT+ community, including among our peers, employees and clients, how we can support them, and why earning the CEI recognition is valuable to us and to them.

In other words, we must continue to be agents of change.

I am proud that Protiviti’s core values and vision embrace diversity and inclusion, and am proud to be a part of the firm.

From all of my LGBT+ colleagues and allies at Protiviti, happy pride month!

PCAOB Revises Auditor’s Report

By Chris Wright, Managing Director
Finance Remediation and Reporting Compliance Practice Leader




With the Public Company Accounting Oversight Board’s (PCAOB) new auditor reporting standard finally pending before the U.S. Securities and Exchange Commission (SEC) after nearly a decade in the making, Protiviti has published a Flash Report summarizing the changes and examining possible consequences.

The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion (AS 3101) is intended to make the auditor’s report more relevant to investors by requiring more information about the audit. In a nutshell, the new standard requires auditors to communicate in the report any critical audit matters (CAMs) — that is, matters that were communicated or required to be communicated to the audit committee and that (1) relate to accounts or disclosures that are material to the financial statements, and (2) involve especially challenging, subjective or complex auditor judgment.

The latter distinction takes into account certain factors including, but not limited to:

  • The auditor’s assessment of the risks of material misstatement, including significant risks
  • The degree of auditor judgment related to areas in the financial statements that involved the application of significant judgment or estimation by management, including estimates with significant measurement uncertainty
  • The nature and timing of significant unusual transactions and the extent of audit effort and judgment related to these transactions
  • The degree of auditor subjectivity in applying audit procedures to address that matter or in evaluating the results of those procedures
  • The nature and extent of audit effort required to address the matter, including the extent of specialized skill or knowledge needed or the nature of the consultations outside the engagement team regarding the matter; and
  • The nature of audit evidence obtained regarding the matter

The distinguishing factor in determining whether something is a CAM is the degree to which it involves challenging, subjective or complex auditor judgment during the audit process. The audit report must identify each CAM, describe the principal considerations that led the auditor to determine that the matter was a CAM, describe how the CAM was addressed in the audit, and refer to the relevant financial statement accounts or disclosures.

Because CAM determinations are subjective, some say it will give auditors leverage to encourage additional management transparency to the benefit of investors. Others see it as a significant cost, and, potentially, a competitive threat, depending on the kinds of issues discussed and disclosed.

The final standard includes other changes to the auditor’s report intended to affirm the auditor’s independence, clarify the auditor’s role and responsibilities related to the audit, provide additional information about the auditor, and make the auditor’s report easier to read.

The new standard applies to audits conducted under PCAOB standards. In addition, it specifically concludes that the communication of CAMs is not required for audits of brokers and dealers; investment companies other than business development companies; employee stock purchase, savings and similar plans; and emerging growth companies.

Subject to SEC approval, the final standard and amendments will take effect as follows (although the PCAOB allows auditors to comply with the standard before the effective date, at any point after SEC approval):

  • All provisions other than those related to critical audit matters will take effect for audits of fiscal years ending on or after December 15, 2017.
  • Provisions related to CAMs will take effect for audits of large accelerated filers for fiscal years ending on or after June 30, 2019, and for audits of all other companies to which the CAM requirements apply for fiscal years ending on or after December 15, 2020.

One consequence to watch for is whether auditors will require disclosure of original information in articulating CAMs encountered during the audit. Limitations of the auditor’s knowledge and expertise, potential liability implications, and friction in the relationship with the company may become influencing factors that could discourage auditors from going beyond management disclosures. No doubt, this will place companies, their SEC counsel and their auditors on a collision course when it comes to deciding how much disclosure is enough disclosure.

We will continue to follow this issue and advise clients on best practices as they develop. For more detail, you can download the full flash report free from our website.

Critical Condition: Cybersecurity in Healthcare

By Adam Brand, Director,
IT Security and Privacy




On June 2, the Health Care Industry Cybersecurity Task Force issued a draft of its Report on Improving Cybersecurity in the Health Care Industry, an analysis of how to strengthen patient safety and data security in an increasingly connected world.

The report, which Congress mandated in the Cybersecurity Act of 2015 and which sums up the state of healthcare cybersecurity as being in “critical condition,” may shock outsiders, but should come as no surprise to those in the industry, who are well aware of the challenges and have been awaiting the report as a preview of potential future government regulatory action.

The report lists six imperatives, along with several recommendations and action items. The recommendations bring to the forefront several issues facing the healthcare industry — most notably the risk to patient safety. That’s a departure from the traditional focus on privacy and data protection, and suggests a regulatory gap that needs to be addressed quickly.

The release of this report could not have been timelier, coming on the heels of the debilitating worldwide “WannaCry” ransomware attack that forced hospitals in England to cancel surgeries. Last week we published a flash report that takes a deeper look into the Task Force’s document.

We think that organizations should not wait for the government to initiate solutions. Instead, healthcare providers and medical device makers should proactively increase efforts to bolster cybersecurity to avoid potentially overreaching or misaligned legislation.

In our flash report, we recommend that healthcare providers consider the following actions, tied to key themes of the report:

THEME: (providers) Existing efforts are not enough and patient safety is at risk.
ACTION: Expand cybersecurity efforts to include patient safety.

Healthcare leaders should note the emphasis on patient safety and ensure their cybersecurity program has fully addressed risks that could result in patient safety issues, not just a data breach.

THEME: (providers) Legacy devices are a significant problem.
ACTION: Create a concrete plan for legacy devices.

Develop a plan to phase out or update insecure legacy devices and operating systems, ideally over the next five years, and implement compensating controls such as network segmentation, enhanced monitoring and application whitelisting in the next 12 months to help address the near-term risk.
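The compensating controls named above are only useful if someone checks that every legacy device actually has them. The following is an added example, not code from the Protiviti flash report or the Task Force report: it takes a constructed device inventory and the ACLs of each network segment and reports, for every out-of-support device, which of the three controls (segmentation, enhanced monitoring, application allow-listing) is missing, plus inventory drift where a device’s address is not in the segment the inventory claims. The device names, addresses, segments and the idea of representing a segment by its permitted destination CIDRs are assumptions made for the example; the end-of-support dates are the vendor’s public lifecycle dates.

```python
"""Legacy medical device exposure check (added example, constructed data).

Reports, per out-of-support device, which compensating control is missing:
network segmentation, enhanced monitoring, application allow-listing.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Public vendor end-of-extended-support dates. Any OS not listed is treated
# as legacy (unknown lifecycle = fail closed).
END_OF_SUPPORT: Dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

AS_OF = date(2017, 6, 15)                 # assessment date for the sample run
BROAD_INTERNAL_ZONES = ["10.30.0.0/16"]   # assumed: the general user LAN


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str
    allowed_dst: List[str]   # destination CIDRs this segment's ACL permits


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    os: str
    segment: str             # segment the inventory says the device is in
    monitored: bool          # logs or NetFlow forwarded to the SOC
    allow_listing: bool      # application allow-listing enforced on the host


def is_legacy(os_name: str, as_of: date) -> bool:
    """Out of support on `as_of`, or lifecycle unknown."""
    eol = END_OF_SUPPORT.get(os_name)
    return eol is None or eol <= as_of


def segment_is_broad(seg: Segment, broad_zones: List[str]) -> bool:
    """True if the ACL lets the segment reach non-private space or a broad internal zone."""
    for dst in seg.allowed_dst:
        net = ipaddress.ip_network(dst)
        if not net.is_private:          # 0.0.0.0/0 or any public range
            return True
        if any(net.overlaps(ipaddress.ip_network(z)) for z in broad_zones):
            return True
    return False


def assess(devices, segments, as_of, broad_zones):
    """Return {device name: [findings]}; devices with no findings are omitted."""
    seg_by_name = {s.name: s for s in segments}
    findings = {}
    for d in devices:
        issues = []
        seg = seg_by_name.get(d.segment)
        if seg is None:
            issues.append("unknown segment")
        elif ipaddress.ip_address(d.ip) not in ipaddress.ip_network(seg.cidr):
            issues.append("inventory mismatch: IP outside declared segment")
        if is_legacy(d.os, as_of):
            if d.os not in END_OF_SUPPORT:
                issues.append("unknown OS lifecycle")
            if seg is not None and segment_is_broad(seg, broad_zones):
                issues.append("no segmentation")
            if not d.monitored:
                issues.append("no enhanced monitoring")
            if not d.allow_listing:
                issues.append("no application allow-listing")
        if issues:
            findings[d.name] = issues
    return findings


def prioritize(findings):
    """Most exposed devices first: more missing controls = higher priority."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed sample inventory (not real hospital assets).
SAMPLE_SEGMENTS = [
    Segment("clinical-legacy", "10.20.0.0/24", ["10.20.0.0/24", "10.50.1.10/32"]),
    Segment("flat-lan", "10.0.0.0/16", ["0.0.0.0/0"]),
    Segment("user-lan", "10.30.0.0/16", ["10.0.0.0/8", "0.0.0.0/0"]),
]
SAMPLE_DEVICES = [
    Device("infusion-pump-01", "10.20.0.11", "Windows XP", "clinical-legacy", True, False),
    Device("ct-scanner-02", "10.0.4.20", "Windows Server 2003", "flat-lan", False, False),
    Device("nurse-station-07", "10.30.2.5", "Windows 10", "user-lan", True, False),
    Device("vent-controller-05", "10.0.7.9", "VxWorks 5.5", "clinical-legacy", False, False),
]


def run_sample():
    return prioritize(assess(SAMPLE_DEVICES, SAMPLE_SEGMENTS, AS_OF, BROAD_INTERNAL_ZONES))


if __name__ == "__main__":
    for name, issues in run_sample():
        print(f"{name}: {', '.join(issues)}")
```

Two design choices matter in practice. An OS whose lifecycle is not in the table is treated as legacy rather than skipped, because embedded and RTOS-based devices are exactly the ones that tend to fall out of inventories. And segmentation is judged from the segment’s permitted destinations, not from the device being on a “legacy” VLAN by name: a VLAN whose ACL still allows 0.0.0.0/0 provides no isolation.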

THEME: (providers) Lack of standard cybersecurity practices.
ACTION: Start formally aligning to a cybersecurity framework.

The report recommends that the Department of Health and Human Services (HHS) develop a healthcare-specific framework based on the minimum standard of security provided by the NIST Cybersecurity Framework and the HIPAA Security Rule. Healthcare organizations should begin now to think about how they would align their controls to the NIST CSF.

THEME: (manufacturers) Lack of cybersecurity focus; software development lifecycle (SDLC) gaps.
ACTION: Expand cybersecurity efforts, focus on SDLC.

Manufacturers should use the report as an opportunity to determine whether their medical device security program is adequate, given the increased attention on this area and the risks highlighted in the report. Specifically, manufacturers should be able to demonstrate that security is addressed from the requirements phase of a new product model all the way through product retirement.

THEME: (manufacturers) Legacy systems are a hot-button issue.
ACTION: Increase activities for reducing numbers of in-use legacy devices.

To avoid negative impacts, manufacturers should work with healthcare providers to reduce the number of vulnerable legacy medical devices still in use, through customer education and incentives.

THEME: (manufacturers) Minimum cybersecurity standards for medical devices.
ACTION: Work with industry peers to develop a standard.

We anticipate that future FDA device approvals will be contingent on meeting minimum cybersecurity standards. With the typical device development process of five to seven years, manufacturers need to collaborate now to get ahead of regulations and avoid business disruption.

The task force took a year to complete its report, and the result is a very thorough look at the challenges facing healthcare security today. Healthcare providers and medical device manufacturers would be well-served by a careful review of the report to determine how the adoption of these recommendations might affect their organizations.

Download the Protiviti flash report here.

Cyber Attacks Can Be Costly – Is Cyber Insurance the Answer?

By Adam Hamm, Managing Director
Risk & Compliance




The WannaCry ransomware attack in mid-May focused the attention of corporations around the world on escalating cyber threats. Our Flash Report released immediately after the attack noted that it marked a new and unsettling aggressiveness on the part of cyber criminals: No previous assault matched the breadth of impact of WannaCry, which affected hospitals, corporations and government offices in more than 150 countries around the world.

The cost of getting businesses up and running after the attack was expected to potentially add up to billions of dollars. Additionally, some organizations could face lawsuits over their failure to patch the Windows SMB vulnerability (MS17-010) that the criminals exploited; Microsoft had released a fix for it in March 2017, two months before the attack.

In fact, news on May 23 that Target Corp. had agreed to pay $18.5 million to settle claims brought by 47 states and the District of Columbia stemming from an enormous data breach should have warranted as much corporate attention as the WannaCry event. Hackers stole data from up to 40 million credit and debit cards belonging to the retailer’s shoppers during the holiday season in 2013, and the company disclosed that the total cost of its cyber security failure had amounted to $202 million so far. A settlement stemming from a consumer class action has yet to be finalized.

The grave consequences of weak cyber security – from business disruptions to the expense of repairs and lawsuit payouts – may lead some to believe organizations are scrambling to make cyber liability insurance part and parcel of their IT security protocols. Yet, according to recent surveys, roughly half of U.S. firms don’t have cyber risk insurance, and more than 25 percent of executives without a policy say they have no plans to add one. Among the companies that have insurance, only 16 percent reported that they have policies that cover all liabilities.

There are reasons many companies are reluctant to purchase cyber liability insurance or beef up existing policies, and the two main ones are cost and complexity. Certainly, insurers can improve the clarity of their policies and make it easier for customers to compare different proposals. And it may very well be the prohibitive cost of cyber insurance that is causing some companies hit by ransomware attacks to try to recoup their losses under kidnapping, ransom and extortion policies originally acquired to protect workers in dangerous locations.

Even so, a cyber liability insurance policy is a prudent course of action in most cases. Although it should never be a substitute for strong cybersecurity defenses, it can spell the difference between a severely affected and fairly unscathed bottom line in the aftermath of an attack. Before committing to a policy, however, it is important that management teams and their insurance brokers discuss three pivotal issues:

  • What kind of cyber liability insurance policy does the company need? Does it need first-party coverage for its own losses, such as the cost of restoring data critical to the operation, or does the company hold consumer information that calls for third-party liability coverage against lawsuits? Does it need both?
  • What amount of coverage does the company want to obtain? This figure will depend on a number of factors, including the size of the company and the type of coverage it needs. To mitigate third-party risk, for example, settlements like Target’s could provide useful benchmarks.
  • What is the premium an organization is willing to pay? A number of variables should be used to determine this figure, including a company’s earnings, the size of the IT budget, and the operations or data at risk.

Once a company has answered these questions, it can begin to shop for cyber liability insurance. As part of the process, the management team needs to fully understand what the policies cover. But perhaps most importantly, organizations need to understand what the policies don’t cover, which will ultimately indicate whether the policy is worth the expenditure.

Given the sophistication and prevalence of successful data breaches, it is now more important than ever for companies to analyze whether a cyber liability insurance policy should be a part of their overall cyber strategy.

Can Your SOX Compliance Process Benefit From Some Fine-Tuning? Find Out With Our Latest Benchmarking Survey

By Brian Christensen, Managing Director
Executive Vice President, Global Internal Audit




The results of Protiviti’s latest SOX compliance survey are in, and one takeaway in particular – cost of SOX compliance – may be music to the ears of some companies. For many organizations, those costs were reported to be lower this year than last, even as the number of controls, as well as hours dedicated to compliance, increased.

We don’t know the specific reasons why the costs at some companies decreased but we have some reasonable guesses: The fact that many companies have now completed their adoption of the new COSO Internal Control – Integrated Framework most certainly is a factor. The cost of the COSO implementation work was estimated to be between $50,000 and $100,000 on average.

Another potential factor regarding costs is who, exactly, is doing the work. As we illustrate in our infographic, a majority of organizations either outsource or co-source SOX compliance activities. This, in effect, may be masking some SOX compliance costs, as the expense for these external resources may not be captured under direct SOX costs the organization is tracking.

One other important point: The downward cost trend is not across the board – in fact, the overall number of companies spending over $2 million annually rose this year compared to last.

In addition, we wanted to get some further insight into why some companies report increasing controls, as well as increased hours and costs, so we introduced a new parameter in our survey this year: number of unique locations per company. Not surprisingly, the results revealed that the more locations a company has, the higher the number of controls it has and the higher its SOX costs are. This trend is quite clear, and it should help companies plan for their SOX costs next year based on whether they plan to expand, reduce or hold steady their number of unique locations.

Another trend driving hours and costs up is the dynamic nature of the SOX controls environment. With regulatory changes and developments constantly in play – PCAOB, new revenue recognition standard, cybersecurity, SOC 1, etc. – the learning curve seems to always be up, dragging hours up as well.

I’ve just highlighted the top trends here. The survey report provides much more granular insights, by type and size of company, type of control environment and more. Interest in benchmarking and peer performance with regard to SOX compliance is strong, and we are confident that the survey report provides a useful benchmark with detailed numbers and explanations. Download the survey report here and watch our highlights video below.

Manufacturers Are Upbeat About 2017 Business Climate Under New Administration

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader




Four straight months of manufacturing job growth through March this year and a decidedly more pro-business climate emerging in Washington have given many manufacturers good reason to consider 2017 off to a good start.

According to the National Association of Manufacturers’ (NAM) first economic outlook survey of manufacturers since President Trump took office, more than 93 percent were feeling positive. This not only represents a high-water mark in the survey’s 20-year history, but it is also up from 56.6 percent a year earlier, said NAM, which represents some 14,000 U.S. manufacturers of all sizes.

We are keeping an eye on Washington’s actions that could have the most impact on manufacturers and their investment plans and operations in the near future, including efforts to roll back regulations, reform taxes and renegotiate the North American Free Trade Agreement (NAFTA). We’re also watching how the proposed infrastructure improvements and healthcare overhaul are playing out. They, too, will have a significant bearing on manufacturing decisions.

Big ideas

As we detailed in our Flash Report on the Trump administration’s first 100 days, the focus on deregulation is of critical importance to manufacturers, 94 percent of whom believe that the regulatory burden has increased over the last five years. The new administration has reversed several of the Obama administration policies on environmental reviews related to energy, infrastructure and other projects. President Trump’s executive order for broad regulatory reform, for example, included a public comment period (now closed) on “misaligned regulatory actions” at the Environmental Protection Agency (EPA) that are believed to have impeded economic growth. Congress is also taking up legislation, supported by manufacturers and other organizations, which would require agencies to develop new regulations in the most cost-effective way possible for companies.

Certainly, the media’s attention on the controversies surrounding the administration, including the executive orders, may temper manufacturers’ enthusiasm moving forward. That’s particularly true if, as has been suggested by political observers, the controversies end up thwarting the chances of enacting tax reform and other administration agenda items this year. Geopolitical risks, from North Korea to European terrorist attacks, also could distract attention away from domestic policy making.

Nevertheless, manufacturing leaders to date largely remain optimistic that Washington is focused on their most important interests. Testifying on May 18 at a hearing on how tax reform could spur the economy and job creation, NAM Chairman David Farr told the U.S. House Committee on Ways and Means that “we have the best chance in more than 30 years to advance permanent pro-growth reforms” and to improve the country’s manufacturing competitiveness globally.

At Protiviti, I’ve heard similar sentiments from manufacturers, who say they could make investments to expand, beef up research and development, or accelerate hiring and salaries if tax reform were to include a lower corporate tax rate, favorable treatment of international earnings, and a strong capital-cost recovery system. In 2015, NAM reported that incorporating those and other beneficial tax policies would generate more than $3.3 trillion in new investment and 6.5 million jobs over a decade.

Questions still remain

While it’s clear that the proposed regulatory and tax reforms would benefit manufacturers, the effect of a NAFTA remake remains a big question. A 90-day period in which the administration consults Congress about its goals for an amended pact began in May, and talks with Canadian and Mexican officials could begin by the middle of August. Many economists believe that NAFTA has generally benefited the U.S., and some corporations were concerned that a complete withdrawal from the pact would hurt business.

But similar to the recent narrow trade deal with China, the president has softened his harsh rhetoric on NAFTA in favor of a more judicious approach. The U.S. has proposed a modernization of the agreement, with new provisions on digital trade, regulations, intellectual property rights and other elements. Additionally, automotive executives and labor alike are lobbying for stronger currency manipulation protections in a new deal. Unions are also pushing for updates to procurement and rules-of-origin provisions to better support U.S. workers.

With regard to infrastructure, manufacturing and distribution companies stand to benefit from proposed infrastructure improvements and construction, although as of now it is unclear how much will take place. President Trump’s first proposed budget calls for $200 billion in infrastructure spending, well below the $1 trillion he campaigned on. Some portions of healthcare reform could help companies, as well, particularly the elimination of a special tax on medical devices. But again, these issues continue to evolve and they merit a watchful eye.

Protiviti’s outlook – stay agile

The turmoil in Washington aside, the overall pro-growth tone coming from government has given companies at least some confidence about the industry sector’s outlook in the coming months. Manufacturers that begin planning today will be ready to strike and reap the rewards when policies are enacted. It is best to stay nimble, however, and prepare to address risks in an environment that has the potential for rapid, even tumultuous change.