Regulatory Hot Topics in Financial Services for 2017


By Scott Jones, Managing Director
Internal Audit and Financial Advisory
Bryan Comite, Managing Director

Business Performance Improvement


Regulatory compliance is always top of mind in the financial services industry, and all the more so this year, with the sweeping, and sometimes conflicting, changes that many expect on the American political landscape. So it wasn’t surprising that our annual regulatory recap webinar for members of The IIA’s Financial Services Audit Center, conducted at the end of last year, drew a large and engaged audience.

The election of Donald Trump and Republican gains in the legislative branch suggest we may be heading into a period of regulatory reform. Indeed, President Trump said during the election process that he wanted to repeal aspects of the Dodd-Frank Wall Street Reform and Consumer Protection Act, and some analysts predict impact to the Consumer Financial Protection Bureau (CFPB), which was created under the Act.

On the other hand, the President has advocated reinstatement of Glass-Steagall, a Depression-era law barring banks from engaging in investment activities. The law was repealed under President Bill Clinton in 1999 — a move that the current president says set the stage for the financial crisis of 2007-2008.

And that’s just the tip of the iceberg. A change of control in Washington means new agency heads and a predicted slowdown in the pace of enforcement activities as the new administration finds its footing.

Nevertheless, financial institutions need to operate under the current rules and regulations until, and if, new regulations replace them. There have been several recent regulatory developments of note, and they were the subject of the November edition of our Compliance Insights newsletter, summarized here. Specifically, they are:

  • New prepaid rules — The CFPB finalized a rule that significantly changes the regulatory environment for financial institutions offering prepaid accounts. The new rule provides stronger protections for consumers of prepaid accounts, including new protections for “hybrid” prepaid cards that contain credit features.
  • Reporting cybersecurity issues — The Financial Crimes Enforcement Network (FinCEN) published an advisory to assist financial institutions in fulfilling their Bank Secrecy Act (BSA) obligations regarding the reporting of suspicious activities related to cybersecurity issues.
  • Foreign correspondent banking risks — The Office of the Comptroller of the Currency (OCC) published guidance on the periodic risk re-evaluation of foreign correspondent banking, which is applicable to all OCC-supervised national banks that maintain these relationships. The OCC advises these financial institutions to routinely re-evaluate foreign correspondent banking portfolios.
  • Fiduciary guidance — The Department of Labor (DOL) released both the first and second in a series of frequently asked questions (FAQs) to provide additional guidance on the implementation of its new fiduciary rule, which concerns the expansion of the types of retirement products and communications that trigger fiduciary status for retirement investment advisers and is designed to ensure the advisers’ actions are aligned with the best interests of their clients. Recent press has reported that, as a result of the presidential election, there is a potential for actions to be taken that may modify the implementation of the rule, but no specific details or timing have been released.

Looking ahead to 2017, we anticipate that examiners will focus on sales practices and incentives; cybersecurity; compliance management, especially in the second line of defense; compliance with Bank Secrecy Act/anti-money laundering rules; stress testing; and vendor management.

We’d like to leave internal audit departments within financial institutions with some key points we believe are essential to effective internal audit performance in this dynamic regulatory environment. Some are intuitive; others may be new to many readers.

  • It all starts with an internal audit risk assessment and internal audit plan development. The right plan in this environment anticipates change. Interview various constituents in your organization (general counsel, chief compliance officers), as well as trusted advisers outside your organization. In addition to required annual reviews — AML, BSA, SAFE Act, and others — it’s important to understand your examiner’s expectations regarding emerging risks.
  • Having the right expertise is important. After developing an internal audit plan, it’s wise to take stock of the internal audit team and proactively address any capabilities gaps, internally through training, or externally through trusted partners with subject-matter expertise.
  • Flexibility and scalability are critical this year given the possibility of regulatory change. We’ve heard from many audit executives who say they are dedicating more special-project time to their internal audit plans, just in case.
  • And, as always, relationship management is key. In times of change, it is especially important to keep in close touch with the chief compliance officer and the compliance organization. We may not be able to anticipate all the changes we encounter, but how we react to that change can make all the difference. With the right frame of mind, proper planning, and the right team of advisers, internal audit departments can look to 2017 with confidence.

2016 Vendor Risk Management Benchmark Study Results Released

Protiviti and the Shared Assessments Program recently released the results of our jointly conducted 2016 Vendor Risk Management Benchmark Study.

This is the third year that Shared Assessments and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. At right, you’ll find our infographic, and below is our podcast featuring Gary Roboff, senior advisor to Santa Fe Group and Shared Assessments Program, and Cal Slemp, managing director for Protiviti and leader of the firm’s Security Program and Strategy Services practice, discussing the key findings.


Bank Charters for Fintech Companies Top January Compliance News

By Steven Stachowicz, Managing Director
Risk and Compliance




In December 2016, the Office of the Comptroller of the Currency (OCC), which oversees many of the largest banks in the country, released its plans to consider granting special-purpose national bank charters to a broad range of financial technology (fintech) companies that provide technology-driven financial products and services to consumers and small businesses. The idea is not without controversy, as policy makers and industry participants alike debate the pros and cons of chartering such companies, and it raises important questions regarding the standards to which these companies will be held and the benefits such a move will provide to consumers.

The OCC plan tops the news in the January 2017 edition of Compliance Insights, and is highlighted there in further depth.

The products and services that fintech companies offer today rival many heavily regulated banking institutions, including in the areas of consumer and mortgage lending, payment services, financial planning and wealth management. Clearly, the OCC believes chartering these companies to be in the public interest, with the potential to both expand financial inclusion and empower customers to take more control of their finances. It is also an opportunity for the OCC to exert greater supervisory oversight of such companies, ensuring that they engage in safe and sound behaviors and treat consumers fairly, while also encouraging financial innovation.

The OCC makes clear that obtaining such a charter won’t be easy – fintechs will have to demonstrate sound business plans, appropriate risk management, and fundamentally strong financial strength and performance to meet the OCC’s high standards. As fintechs weigh the advantages of a charter against these costs, hardly anyone expects a rush of applicants in the short term. However, with the proliferation of innovative technologies for financial products and services and increasing consumer adoption of these technologies, it is likely only a matter of time before you see the acronym “N.A.” (for “National Association”) at the end of the name of your favorite online consumer lender or payments provider.

In other compliance news:

  • The Consumer Financial Protection Bureau has released its semi-annual rulemaking agenda and announced its fair lending-specific priorities for 2017. Both announcements provide insights to the financial services industry regarding the agency’s rule-making and supervisory priorities in the upcoming year. Noteworthy items on the Fall 2016 rule-making agenda included arbitration, debt collection and integrated mortgage disclosures. In 2017, the CFPB will be targeting any potential redlining of minority neighborhoods, the role of race and ethnicity in mortgage and student loan workout options, and lending risks related to minority and women-owned small businesses.
  • The Financial Action Task Force (FATF) has published its first evaluation report on the United States since 2006. The international standards body, which develops and promotes anti-money laundering and counter-terrorist financing policies, gave the United States high marks, but identified several areas for improvement.
  • India’s effort to crack down on illegal cash holdings by voiding all 500 and 1,000 rupee notes has had the unintended consequence of digitizing the country’s illicit cash flow. The effort, which removed 86 percent of the country’s cash in circulation, has spawned money laundering networks and alternative money transfer systems. U.S. financial institutions should continue to pay close attention to this developing situation and monitor the potential money laundering risks to their institution.
  • And finally, the Federal Reserve Bank of New York is spearheading an effort to find alternatives to the London Interbank Offered Rate (LIBOR) in the wake of evidence that several banks had colluded to report rates favorable to their trading positions. A decision is expected later this year.

All of these issues are discussed in greater detail in the January 2017 edition of Compliance Insights. Links offering a deeper dive into each of the specific topics are also available.

IT Innovation, Part 2: Maximizing the Value of Security Investments

By Jonathan Wyatt, Managing Director
Technology Consulting Practice Leader, UK



As my colleague Ed Page indicated in his January 11 post, digital transformation represents one of the biggest innovation opportunities of the 21st century, and failure to respond quickly to innovation opportunities is one of the biggest risks faced by any business today.

A recent Protiviti white paper, Catching the Digital Wave of Change, points out that no industry is isolated from the challenges and opportunities of disruptive technology. Wearable technology, driverless cars, the Internet of Things, robotics, blockchain, biometrics, drones and nanotech are but a few examples of disruptive technologies that leaders of the future are harnessing today. In many cases, however, while business leaders recognize the opportunities, their IT counterparts struggle to deliver the digital innovation, hamstrung by day-to-day operational challenges and associated budget pressures.

It’s not for lack of trying. Over the past decade, IT departments have been reducing operations and maintenance costs consistently. Most of these savings, however, have gone to fund other priorities, the biggest being security, which now accounts for 16 percent of the average IT budget, according to our most recent benchmarking study of technology trends. Taking into account other priorities, including compliance and system enhancements, mature businesses are left with only 13 percent of their budgets free for innovation.

With a strained budget, it then becomes critical for IT leaders to prioritize spending according to top-down strategic risks. Cybersecurity is one area ripe for such prioritization.

I see too many businesses look at cyber as a generic risk that must be avoided, without taking the time to clearly define the organization’s risk appetite and the adverse business outcomes that they are concerned about. As a result, many businesses end up focusing on the wrong things, reacting to technical vulnerabilities rather than focusing on the desired business outcomes. This, in turn, causes many security programmes to become a drain on resources, without delivering significant results in terms of risk reduction of the business outcomes that the business is most concerned about. Conversely, when IT leaders look at information security risks more holistically, focusing on strategies to manage adverse business outcomes rather than every technical weakness, they end up investing in very different things and adopting very different strategies.

In other words, IT leaders need to step back and ensure that they are getting the results they want from their cybersecurity investments. This means focusing on protecting what’s important (the “crown jewels”) rather than trying to achieve the impossible and completely locking down the entire perimeter; keeping up with the cyber threat landscape to know what kind of attacks are most likely to occur; and being proactive about incident response so that systems can be put back online with minimum impact to the business. Without this discipline, cybersecurity will continue to consume larger and larger portions of the IT budget. Innovation will suffer and the business may ultimately fail — not because a cyber threat is realized, but because the disproportional and unfocused spending on one operational risk has distracted the business from the more strategic risk of failing to mount a competitive response to new entrants and/or innovators.

Considerations for SOC 2 Readiness

By David Lehmann, Managing Director
IT Audit




As more organizations trade in-house IT applications, systems and related processes for third-party services to enhance capabilities, simplify operations and lower costs, it is critical to demonstrate that data and systems are well-controlled, regardless of where the data resides. While the COSO Internal Control – Integrated Framework clearly states that management is responsible for the design and operation of its controls over IT risk (including the controls that are outsourced to service providers), the burden of organizing the necessary assurance activities directed to the controls in place for outsourced processes and systems falls on service providers. For many, the service organization control report (SOC 2), issued by a service auditor, has become the assurance standard of choice — to the point that many organizations now contractually require vendors to provide annual SOC 2 reports.

A SOC 2 is an attestation report that provides control assurance over a defined set of the service provider’s systems. Each report covers a defined period of time (usually nine months), agreed to between the auditor and the service provider. The report encompasses between one and five trust services principles (TSPs), depending on the needs of the service organization. The five TSPs include security, availability, processing integrity, confidentiality and privacy. The security principle is one of the most commonly selected and is used to determine whether relevant systems are protected against unauthorized access, use or modification.

Deciding to obtain a SOC 2 report is not a one-time event; it requires an ongoing commitment of both management time and financial resources. Consistent execution of controls is critical and often requires significant remediation before an organization is ready to submit to the service auditor’s testing. Most service organizations have yet to develop the control frameworks and tools required to meet the rigorous SOC 2 audit standards. To assist in that process, Protiviti recently published a white paper — On the Road to SOC 2 Readiness, What Service Organizations Need to Know — available for free download from our website.

Getting ready for an initial SOC 2 audit can be an arduous process. It begins with developing an understanding of what is driving the need for a SOC 2 audit and what are the systems relevant to those drivers. It continues through a gap assessment and an iterative cycle of remediation and readiness testing, correcting control and process design gaps along the way until results fall consistently within an acceptable range of outcomes.

The scope of a SOC 2 report depends on the type of service a vendor provides, as well as the needs of its customer base. A thorough scoping should seek to determine for which TSP(s) customers will require assurance and which systems and components must be assessed to achieve the objective. A service organization can select any number and combination of TSPs for inclusion in the report, based on customer need and relevant contractual requirements.

In some cases, organizations may deem two or more TSPs to be relevant to their customers’ needs. In our experience, and depending on process maturity and culture, it is sometimes best to follow a staged approach, focusing on the most important TSP first and increasing the scope of the report over time. Organizations that attempt to address multiple TSPs as part of their first SOC 2 project increase the risk of disruption to normal operations, missed target dates and, potentially, a qualified initial report.

Given the critical importance of a positive report, and the potential reputational and economic consequences of a negative one, service organizations are turning to outside consultants to help them prepare. Service organizations should work with their advisers to determine the best approach that fits the needs of their customers, as well as their own organization.

More than just an IT exercise, SOC 2 readiness should be viewed as a company-wide opportunity for service providers to gain competitive advantage through risk management maturity.

Managing Your Organization’s Culture During Rapid Growth

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit



Early in December 2016, I had the pleasure of leading an in-depth webinar exploring how fast-growing companies can prepare for challenges related to changes in their culture and talent requirements, particularly when ramping up for an IPO or following one.

I was joined by Carmela Krantz, Vice President of Human Resource at WideOrbit; Danielle Soucek, Director of Insight Product at Equilar; and Michael Waxman-Lenz, CFO at Undertone. Together, we provided analysis and guidance on how to create the right team, scale for growth, benchmark against peers and competitors, and develop a public company mindset.

As companies implement their growth plans in the new year, it’s worth revisiting a few of the big ideas that emerged from the event.

Building the Right Team – Recognize the Influences
An organization’s ownership structure, its industry dynamics, and whether it has a domestic or global presence shape its culture and need for certain skillsets. Challenges typically emerge when companies bring in new investors, prepare to launch an IPO, add locations, or significantly expand their employee base.

Ownership has a tremendous impact on what the right team looks like, for example. A closely held startup may not have formal financial reporting requirements, but as it attracts institutional capital or registers for a public offering, more specialization and structure is required as expectations and demands change. Institutional investors likely will be less forgiving of reporting errors than founders working in a close-knit setting, and companies that execute their IPOs have to meet strict Securities and Exchange Commission (SEC) regulatory, compliance and reporting requirements. Will free-thinking, entrepreneurial-oriented individuals who were involved in virtually all aspects of a startup’s early development be able to not just perform, but thrive, in this more regimented operating environment?

Scale for Growth
Maintaining robust and consistent communications and formal communication protocols (especially for public companies) between an organization’s leaders and its workforce – even to the point of “over-communicating” – is perhaps the most important strategy human resources (HR) can promote when employment rosters are expanding by the dozens each month. Letting employees know how they fulfill the company’s mission during times of rapid change keeps them plugged in, motivated and contributing to desired business outcomes.

Staying ahead of the recruiting battle is another critical step HR can take. Human resource managers and recruiters must work closely with the C-suite to better understand the dynamics of the growing company and the mindset – not just skillset – required to make new hires successful. Also, by keeping employees informed of open positions and using referral incentives, HR can make all employees recruiters. This strategy can help fill jobs more quickly and often nets candidates of a certain caliber that have a higher chance for success.

Benchmark Growth
Compensation practices change dramatically after a company prepares for and ultimately completes an IPO, typically moving from less structured to more formal, documented programs designed to secure and retain talent. The scrutiny, by the SEC and others, of publicly available post-IPO executive compensation data requires organizations to balance shareholder interests with rewarding executives fairly.

One of the best ways to strike that balance begins with defining the talent market by selecting a peer group survey or collecting proxy data, or by combining both methods. Many companies utilize compensation consultants that can provide the data. Often, the advisors also understand how less tangible factors, such as management philosophy and individual performance, may influence pay packages.

Get a Head Start
While an IPO may be the last thought on the minds of executives running rapidly growing companies, especially early-stage companies, operating as if a transaction is imminent can make organizations more attractive and valuable when investors begin to take interest. Steps companies can take in that direction include developing a solid IT and finance infrastructure, assembling superb finance and operations teams, establishing excellent corporate governance, and developing a public company mindset among employees.

Of these initiatives, developing sustainable and scalable IT infrastructure and strong finance and accounting teams are among the most critical. However, infrastructure also encompasses making sure a company’s organizational chart is balanced and determining whether special technical or general needs should be outsourced. Organizations also need to be aware of pitfalls that could derail the development of a transaction-ready public company mentality. Underestimating the effort required not just before, but also after the IPO, is chief among them.

Learn More
Rapidly growing companies face a number of challenges as they transition from freewheeling entrepreneurial startups to more structured, efficient and mature operations. By preparing for headwinds associated with changing cultures, they can put themselves in a better position for success. Listen to the recorded webinar for a deeper dive into the ideas discussed here.

IT Innovation: Does Your IT Budget Have Room for It?

By Ed Page, Managing Director
Technology Consulting




One of the budget struggles chief information officers are continually faced with is reducing operating costs to make room for innovation. And while several studies, including our own, show that they have succeeded in bringing down “lights on” expenditures over the past decade or so, in many cases those savings have been absorbed by urgent non-strategic needs, such as compliance and security, too often leaving innovation to languish.

The consequences of failing to innovate are hardly trivial. The emergence of technology-enabled competitors who, unfettered by legacy technology, are able to develop and deploy new products and services faster and more efficiently threatens to leave behind older, more established companies, and especially those that perennially struggle to build innovation into their IT budgets.

I’ve seen this struggle firsthand in talking to our clients, and our recent benchmarking report, based on the responses of almost 400 C-level technology leaders to Protiviti’s 2016 IT Trends Survey, confirms it.

This dichotomy between the strategic and the urgent is evident in the numbers. While more than half of respondents overall (54 percent) said their organizations were undergoing digital transformation driven by the need for new functionality and innovation, virtually all of their top-10 priorities were security or operations oriented. Only 13 percent of the IT budget, on average, was earmarked for innovation or transformation.

In my experience, companies, and IT departments, fund their most urgent needs. Which means that, even though digital transformation is talked about, most companies are still stuck, budget-wise, in a reactive mode, putting out fires — regulatory, operational, and cybersecurity. These are very real pain points, so that’s where budgets are allocated. While there is an aspiration to transform, other priorities often prevent IT departments from getting where they want or need to be.

There is one consistent differentiator between companies that actually innovate in IT versus those that merely talk about it. The difference is that serious innovators make IT transformation part of their strategic plan and rely on it for the success of other strategic goals and objectives. Very often, these firms view themselves as technology companies, even if others might see them as part of another industry. As the CEO of Capital One, Richard Fairbank, once told investors, “We’re going to need to think more like technology companies and maybe a little less like banks.”

In the absence of a clear plan and executive and board buy-in, IT transformation is just another project competing with a lot of other projects for money. Aligned with company goals and objectives, it becomes an enabling force.

Where such strategic alignment can often benefit an established company the most is in modernizing core IT infrastructure. Management of outdated systems, on which everything else depends, is increasingly becoming the dead weight preventing companies from meeting new challenges and customer demands with agility and speed. CIOs and technology leaders are faced with having to invest more time and resources into keeping these systems up, while at the same time trying to squeeze cost reductions out of them without impacting service levels. In fact, respondents to our survey pointed to legacy systems and processes as the number one obstacle impeding IT transformation.

The good news is that a small but growing number of organizations are taking the strategic decision to modernize their aging cores to achieve both increased agility and sustained long-term savings in costs and resources. Among respondents from financial services companies, 70 percent said their companies are undergoing digital transformation (16 percent more than the general population) — perhaps because the field, eagerly entered by emerging fintech companies, is even less forgiving, and because innovative IT structures, once implemented, can create significant opportunities where none existed before.

To be sure, transformation is disruptive, and replacing or modernizing core technology can be very expensive. Both of these barriers can be mitigated, however, through careful planning and a phased approach incorporating newer technologies, more modern architecture approaches and more nimble delivery methods, such as cloud technology, microservices, application program interfaces (APIs), and agile product development and software delivery methodologies.

Once again, real priorities are reflected in the budget, and innovation is unlikely to receive a bigger slice of the pie unless it is seen as a strategic, business project first. While cybersecurity, a key expenditure, will continue to command its share of IT resources, there is a case to be made that these resources can also be used more strategically, efficiently and effectively. We will focus on cybersecurity spend and priorities in a follow-up post. Subscribe to our blog to follow the discussion.