Rough Seas For Global Trade: EU Court Tosses “Safe Harbor”

In the biggest fallout to date stemming from Edward Snowden’s exposure of the U.S. government’s personal data surveillance program, the Court of Justice of the European Union, on October 6, 2015, threw out a 15-year-old trans-Atlantic data transfer agreement defining the terms under which the personal data of EU citizens could be shared with companies in the United States.

The so-called “Safe Harbor” agreement is the basis for electronic consumer commerce between the U.S. and EU and affects more than 4,000 companies, including Facebook, Google and Microsoft. Since the agreement’s inception in 2000, EU regulators have raised significant concerns regarding compliance and enforcement, with the strongest criticism aimed at the self-policing certificate of compliance program.

Snowden’s revelations heightened concerns, and the situation deteriorated further in December 2013, when the U.S. government sued Microsoft to compel the software giant to turn over private emails held on a server in Ireland. The court ruled in that case that the U.S. government has the right to demand the emails of anyone in the world from any email provider headquartered in the United States. Microsoft has appealed.

Here’s what you need to know:

  • The EU Court’s ruling is effective immediately, with enforcement action to begin by the end of January 2016 if no new agreement is reached.
  • In the interim, personal data transfers are subject to individually negotiated “personal data transfer model contracts.” While the EU has pre-approved certain types of these contracts, exceptions apply.
  • It is unclear whether such contracts will be sufficient to demonstrate that personal data is adequately protected as long as the U.S. government continues to claim the right to access any digital document stored on U.S. territory (and even beyond that, as the Microsoft case demonstrates).
  • Companies may need to obtain explicit consent from EU citizens granting permission for their data to be transferred to the United States, and provide the ability to “opt out.”

Protiviti recommends:

  • Personal data segmentation. Segmenting data into EU and non-EU categories should be an urgent priority.
  • Data privacy impact assessments. These are needed to understand the extent of private data your organization holds and key privacy risk exposures.
  • Model contracts for personal data transfer. Model contracts are available in two forms from the EU Commission. Consult with your legal advisers as to whether these standard contracts will cover your organization’s specific needs.
  • Establish binding rules. These are needed for companies that share data internationally among internal corporate entities. Proceed with caution and consult with legal advisers.
  • Assess personal data flows and encryption. Do so to ensure that personal data from EU citizens is kept within the EU. Explore EU-based data processing.

For a more robust analysis of this issue, read the Protiviti Safe Harbor Flash Report.


2015 Consumer Survey Finds Bank Branches Alive and Well

By Jason Goldberg
Director, Protiviti’s Payments and Retail Banking Practice

Pundits have long predicted the death of the brick-and-mortar bank branch – citing widespread closures of major financial institutions and correlating this with the rise of online and mobile banking.

And yet, according to the Federal Deposit Insurance Corporation (FDIC), the number of branches has almost doubled over the last 30 years, even as the total number of banks has decreased by almost two-thirds. Most of that increase has happened since 1995, the acknowledged dawn of commercially viable online banking.

So what’s the real story? Protiviti surveyed more than 2,000 consumers in the second quarter of 2015 to glean their banking and payment preferences. The results, published in our just-released 2015 Protiviti Consumer Banking and Online Payments Survey Report, showed that while online and mobile banking is the go-to option for many routine transactions, the neighborhood branch continues to anchor the banking relationship – even among younger consumers – and serves an important sustaining role as a center for financial advice and customer service.

Some stand-out findings from the survey:

  • There is little to no correlation between frequency of branch visits and web and mobile banking use. For example, 49 percent of frequent branch visitors use their bank’s mobile app to transfer funds, compared with 50 percent of those who do not visit branches. While web and mobile banking have shifted a large percentage of everyday transactions away from older channels (checks, branches, ATMs), customers of all ages still want the convenience of visiting a branch if one is nearby, and continue to want human interaction for their more complex or high-value transactions, such as loans, product tutorials or investment advice.
  • Frequent bank visitors tend to hold more credit cards, carry higher balances and be more engaged with other banking channels, especially ATMs and phone banking. Frequent and regular visitors are also more convinced than non-visitors that new credit card chip technology will make their transactions more secure, even if experience in Europe, where the technology has been in use for more than a decade, indicates that the drop in physical credit card fraud will likely be offset by fraudulent use of credit cards online.

What can we take away from all this? The more things change, the more they remain the same. Predictions calling for the imminent demise of branch banking have been and continue to be premature, to say the least. The bank on the corner may very well be different in the future than the one you are used to – more tech, fewer transactions. But there will still be a bank on the corner for years to come.

Read the entire 2015 Consumer Banking and Online Payments Survey Report here.

Risk Appetite – Is Your Entire Organization Engaged?

By Matthew Moore
Managing Director, Protiviti’s Risk & Compliance Practice

Financial services firms are in the business of taking risks. Although these risks are mainly financial, there are others too, ranging from day-to-day operations, to the companies’ broader strategic moves into new markets or new products. As such, every organization has a risk appetite, whether articulated or not.

Regulators providing oversight to the financial services industry now want firms to define their risk appetite in a written statement, approved by the board of directors. This has proven difficult for many financial services firms. One reason may be that many companies tend to think of risk appetite as a one-time determination, and so have a hard time defining what that is in light of a constantly changing risk landscape. Instead, risk appetite is better viewed as an ongoing, dynamic conversation between the board of directors, management and the operational units in the organization.

Even more important, for companies that have grasped the concept of an evolving risk appetite statement (RAS), driving the RAS through the organization by translating it into clear, understandable guidelines and metrics for business units and operations personnel is turning out to be a formidable challenge.

How, for example, does a bank with multiple lines of business (LOBs) and many complex products and services make its board-level RAS meaningful to its various practices, from real estate to mortgages, many of which are completely separate and operate with their own frameworks, defense lines and understanding of risk appetite?

The answer may disappoint you: No elusive “magical metric” exists that will enable banks to integrate their risk appetite statements once and for all and call it a day. This is also the message from Protiviti’s latest white paper, Driving Risk Appetite: A Pragmatic Approach to Implementing a Broad and Effective Framework. The paper does not offer a magic bullet; nevertheless, it provides plenty of practical advice for firms on how to establish a risk appetite framework (RAF) to assist with this integration.

Here are some of the key points:

  • To be useful, the RAS needs to articulate motivations for taking on or avoiding certain types of risks, and include risk metrics that can be translated into risk limits applicable to the business lines.
  • To put the RAS into action, firms need to develop a risk appetite framework (RAF), which will help push the RAS down into the LOBs and the various support functions. Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business-unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.
  • The development of risk appetite metrics needs to be collaborative among top management, independent risk management and front-line units. A top-down, didactic approach to developing these metrics without business unit participation will result in a disconnect at the front-line level, making risk appetite a mere check-box exercise.
  • To drive risk appetite effectively, organizations must also be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved.
  • Finally, even though a RAS is a dynamic position, flexible enough to respond to changes in the business environment, the assertions in the RAS must be viewed as authoritative benchmarks, and any move away from them has to be treated as a deliberate decision to move outside of previously established boundaries.

I recommend reading the entire paper. It is clear and concise and offers some highly practical recommendations for firms struggling to integrate their risk appetite statements into the enterprise. I think it is timely too. It is only a matter of time before regulators, having made clear the importance of having a RAS, begin to scrutinize firms’ successes in pushing this RAS down to the business lines – or what would be the point of having a RAS at all?

Core Competency: The Case for FSI IT Modernization

By Ed Page
Managing Director, FSI IT Consulting Practice Leader

In the financial services industry (FSI), “too big to fail” has a corollary that applies to core data systems. Call it “too big to fix.”

FSI companies are technology businesses. Every product and service they offer is technology-enabled, and the rapid evolution of mobile banking and digitization of processing makes technology even more critical.

The technology at the core of many of these companies, however, is outdated – layer upon layer of aging information technology (IT) systems, including mainframe computers dating back to the 1960s.

This infrastructure, dinosaur-age in technology terms, means high maintenance costs, an ever-decreasing supply of knowledgeable staff to support it, and degraded business agility, among other things.

Add to this mix next-generation financial companies and businesses, which enter the market unburdened by legacy systems and ready to reap the competitive advantages of new technology from day one, and you, the bank with an outdated core system, now face the very real risk of being left behind.

With this state of affairs, one would think banks are scrambling to modernize their cores. Not exactly: Less than one-third of companies are considering core modernization, according to the latest Protiviti research. This is understandable: Core modernization projects can last years and cost hundreds of millions, even billions, of dollars. An IT executive wishing to make a business case for a project of this size, when the old systems continue to chug along, faces an uphill battle, to say the least.

Instead, many financial institutions forced to meet current market challenges do so by wrapping the old core in new functionality. While this practice costs less in the short run, it just adds complexity and kicks the can of outdated infrastructure down the road for someone else to deal with later.

There is reason for hope, however. FSI respondents to Protiviti’s 2015 IT Priorities Survey identified some important catalysts driving them to replace core systems. The three main ones are risk mitigation (aging technology and/or aging workforce): 64 percent; cost savings: 20 percent; and revenue generation (e.g., greater product/service innovation, time-to-market): 15 percent.

As FSI IT managers, aided by these catalysts, seek to make the case for core modernization, there are several approaches they can take to reduce sticker shock and minimize the risk of service disruption associated with an all-in core upgrade.

The lowest-cost option, and a good starting point for any IT transformation, is to clear the underbrush. The evolving nature of IT infrastructure, over time, can lead to an accumulation of redundant and non-productive technology. Simplification can streamline processes without affecting customer-facing services, improve performance, and lay the groundwork for more aggressive core modernization.

When it comes to actual replacement, a phased approach is another way to ease the pain. The phased approach consists of launching new functionalities incrementally and slowly replacing portions of the core over time. This beats “big bang,” or full, core replacement in terms of disruption and cost, and although maintenance of old systems will continue to be needed for a while, the problem is not pushed indefinitely into the future. A recent Protiviti white paper on the subject covers these and other core modernization options.

Managing change takes skill and courage. By developing a well-reasoned plan for IT core migration you can help your organization cut costs, increase revenue, and mitigate the growing risk of an embarrassing IT-driven strategic crisis. And while doing nothing is certainly an option, I wouldn’t suggest you stake your career on it.

State of Cybersecurity: An Informative Podcast with Cal Slemp

With the cybersecurity “circle of knowledge” expanding, are companies feeling more or less confident in their ability to defend themselves? Listen to find out.

Hot Topics in Cybersecurity – an IT Audit Perspective

By David Brand
Managing Director, Protiviti’s IT Audit Practice

Just the other day, Protiviti released our 2015 IT Security and Privacy Survey, which once again highlights the need for continued vigilance on the cybersecurity front, even as it marked certain improvements from last year. Staying on topic, I want to share some additional hot issues that continue to crop up in conversations with our IT audit clients. Many of the people we speak with recognize the need to do something in these areas, or at least be aware of their existence, but many organizations continue to struggle with the action steps necessary to address them.

All organizations – regardless of size – should review and discuss the following points to ensure they are not only on the company radar, but that management and the board understand the risks to the organization and the actions available to mitigate them. These are comparatively simple, self-contained action items that can be initiated without the need for significant deliberation or resources.

  • Detecting a potential breach – Companies should use advanced techniques to attempt to determine if they are already breached. Some examples of these techniques include deploying advanced threat detection tools at the Internet egress points to identify command and control communications and other suspicious activity; leveraging user behavior analytics (UBA) tools to detect potentially suspicious activity; and performing advanced log analysis to detect signs of a breach.
  • Secure code review – A lot of vulnerabilities and issues are missed by not reviewing code properly. For example, we recently worked on an e-commerce site where the vulnerability scans showed no issues. On reviewing the code, we discovered that an attacker had modified the code to send credit card numbers to a malicious server, in addition to sending them to the bank. Without a code review, this would have gone undetected. To ensure thoroughness, companies also should evaluate their code review and SDLC processes (if they exist), to further defend against a breach.
  • Phishing – A cybersecurity lab can phish 10,000 employees and collect key metrics, including statistics around how many employees opened the Trojan email, clicked on the link, supplied their credentials, etc. This exercise is highly successful and its results are almost always startling, generating a great dialog that resonates throughout the organization. Performing this analysis on a periodic basis can help measure the organization’s progress in education and awareness.
  • Penetration tests – Organizations should perform a penetration test at least annually and cover both internal and external scopes. For many organizations, IT may already perform this task on a regular basis, which is best practice. Still, Internal Audit may want to ensure this exercise is complemented periodically by an independent penetration test.
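The first item above, detecting command-and-control traffic at the Internet egress point through log analysis, is the kind of check an IT audit team can prototype in an afternoon. The script below is an added example and is not code from Protiviti or from the post; the proxy log format, the field names and the sample lines are all constructed for illustration. It applies two simple detections to egress logs: destinations that are not on a known-good list, and host/destination pairs that connect at near-regular intervals (a common shape of malware "beaconing"), which it identifies by the low variance of the gaps between connections.

```python
"""Suspicious-egress detection over sample proxy log lines.

Added example, not from the original post. The log format
"<ISO timestamp> <src_ip> <dst_host> <bytes_out>" and all values
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: one workstation (10.1.4.57) contacts an
# unlisted address every ~5 minutes; the other host's traffic is irregular.
SAMPLE_LOG = """\
2015-10-06T09:00:00 10.1.4.22 updates.vendor.example 1200
2015-10-06T09:00:00 10.1.4.57 203.0.113.9 418
2015-10-06T09:05:00 10.1.4.57 203.0.113.9 421
2015-10-06T09:10:01 10.1.4.57 203.0.113.9 417
2015-10-06T09:15:00 10.1.4.57 203.0.113.9 420
2015-10-06T09:19:59 10.1.4.57 203.0.113.9 419
2015-10-06T09:03:17 10.1.4.22 mail.corp.example 8803
2015-10-06T09:41:02 10.1.4.22 updates.vendor.example 1180
2015-10-06T10:12:45 10.1.4.22 cdn.vendor.example 22100
2015-10-06T11:30:00 10.1.4.22 updates.vendor.example 1210
"""

# Assumed allowlist of destinations the organization expects to see.
KNOWN_GOOD = {"updates.vendor.example", "mail.corp.example", "cdn.vendor.example"}


def parse_log(text):
    """Turn log lines into (timestamp, src_ip, dst_host, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def unknown_destinations(events, allowlist):
    """Destinations contacted that are not on the allowlist, sorted."""
    return sorted({dst for _, _, dst, _ in events if dst not in allowlist})


def beacon_candidates(events, min_hits=5, max_jitter=0.1):
    """Return (src, dst, mean_gap_seconds) for pairs whose connections are
    near-periodic: at least min_hits connections and a coefficient of
    variation (stdev / mean) of the inter-connection gaps below max_jitter.
    Legitimate update checks are usually too infrequent or too irregular
    to trip this; tune min_hits and max_jitter to the environment."""
    per_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        per_pair[(src, dst)].append(ts)

    results = []
    for (src, dst), times in per_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps: not a periodic pattern
        if pstdev(gaps) / avg < max_jitter:
            results.append((src, dst, round(avg)))
    return results


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Unlisted destinations:", unknown_destinations(evs, KNOWN_GOOD))
    for src, dst, gap in beacon_candidates(evs):
        print(f"Possible beacon: {src} -> {dst} every ~{gap}s")
```

On the constructed sample this reports 203.0.113.9 as an unlisted destination and flags the 10.1.4.57 to 203.0.113.9 pair as beaconing roughly every 300 seconds. Either finding on its own is only a lead for an analyst; the value of running both over real egress logs is that a destination which is both unlisted and periodically contacted is a much stronger signal than either check alone.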

Personally, I would love to see more organizations treat these items as standard must-do’s in their annual IT audits, to minimize the risk of being breached. To learn about the current state of IT security and other IT trends as reported in our latest survey, click here.

Focus on Healthcare: Top Priorities for Internal Auditors

By Susan Haseley, Managing Director
Internal Audit and Financial Advisory, Healthcare and Life Sciences Industry Leader

Fundamental changes in healthcare in the past few years, brought on by the Patient Protection and Affordable Care Act (Affordable Care Act, PPACA or ACA) as well as the massive shift to digital records, continue to rock the landscape in which healthcare organizations operate. For healthcare internal audit (IA) departments, the changes continue to bring specific new challenges, which must be balanced with other existing priorities – HIPAA, Meaningful Use, ICD-10, etc.

So how are chief audit executives (CAEs) and IA professionals performing this juggling act, and what priorities are they putting ahead of others? A joint survey from Protiviti and the Association of Healthcare Internal Auditors (AHIA), entitled Priorities for Internal Auditors in U.S. Healthcare Provider Organizations, attempts to answer these questions and more.

Below, we summarize the five key priority areas for healthcare IA functions this year, as identified by survey participants:

  1. Cybersecurity risks and practices – This is an area “under construction” for most healthcare IA departments. Respondents expressed low confidence in their current capabilities; however, a strong majority are evaluating these risks and working to improve practices.
  2. Regulatory compliance – CAEs and their teams are committed to strengthening their knowledge and expertise of new and emerging compliance requirements, especially those emerging from the ACA. Understanding health information and insurance exchanges ranks among the top priorities.
  3. Supporting, enabling and protecting the digital enterprise – While cybersecurity is a top priority for internal audit, it is far from being the only technology-related challenge. Two out of three healthcare organizations are working through a “major IT transformation,” according to healthcare respondents to Protiviti’s 2015 IT Priorities Survey. Among the top priorities for healthcare IA departments in the new digital enterprise are new data analysis and addressing IT risks, especially those related to social media and mobile applications.
  4. Addressing fraud risks – Recent and extensive fraudulent activities against government healthcare programs (Medicare), combined with the ever-present risk of employee fraud, are keeping fraud risks among the top priorities for healthcare internal auditors. Fraud risk assessment, fraud risk, fraud monitoring and fraud auditing make up four of the six top areas of focus.
  5. Multi-stakeholder collaboration – The complex nature of the healthcare industry requires the cooperation and collaboration of several different disciplines, including IT, risk management, operations and legal, among others. To effectively address multidimensional challenges, internal auditors must work with a number of different stakeholders, both internal and external to the organization. Healthcare internal auditors in our survey gave high priority to developing the interpersonal skills required to skillfully navigate these often contentious negotiations.

Overall, this year’s survey results suggest a broader awareness of and increasing commitment to the challenges of the rapidly changing healthcare industry. And, just as the ability to innovate and adapt will be key to the survival of healthcare organizations, so, too, must IA organizations adapt in order to audit at the speed of risk and add strategic value to their organizations.

Click here for more on our healthcare industry results. You can access Protiviti’s 2015 Internal Audit Capabilities and Needs Survey here.