2017 Technologies Driving GRC Change

By Scott Wisniewski, Managing Director
GRC Tech Advisory Solutions

 

 

 

Digital transformation was probably one of 2016’s top buzzwords, meaning many different things to different analysts, journalists and vendors. For me, it represents real and significant investments in modernizing IT infrastructures, including those that support GRC activities and processes.

Consider the trends we’re immersed in. Enterprises are adopting cloud and mobile technologies at an extraordinary rate in the hopes of driving greater productivity and collaboration, and organizations of all sizes are launching data initiatives involving the collecting and analyzing of massive amounts of data in order to drive better business decisions and improve customer experience. At the same time, the rapidly evolving regulatory environment, such as the EU’s impending Global Data Protection Regulation (GDPR), is putting pressure on legal, compliance, security and IT departments to invest in a range of new data initiatives, consulting services and technologies.

In response to the trends, organizations are rethinking their GRC infrastructures, hoping to gain a much broader and deeper understanding of risk drivers and the bigger GRC picture. Further, to make GRC work effectively in increasingly complex and highly distributed organizations, GRC leaders recognize they must embed GRC into the everyday activities of the business.

The combined impact of all these activities will make 2017 the year that GRC practitioners will:

  • Acknowledge that effective GRC cannot be achieved via a single technology or application. Instead it will depend on a new, complete architecture. A single GRC application today may expose operational risk, but it cannot develop and present the type of complete GRC picture that regulators and boards are now demanding. Developing such a picture requires the combination of traditional GRC applications and new tools to:
    • Extract data from internal systems, such as information security and ERP
    • Consume external content, such as regulatory content feeds
    • Incorporate performance metrics, such as sales and financial results
    • Collect and consolidate market and credit risks as well as the risks identified by business intelligence tools and other analytics

With all these new tools in place, organizations will finally be able to build new presentation layers that provide a complete – and far more useful – picture of their GRC profile.

  • Take advantage of increased information sharing and collaboration to improve governance. As part of their digital transformations, many enterprises are focused on developing new and more effective ways to share information and collaborate. The ability to manage and track this activity will enable GRC programs to incorporate affirmative governance components, such as corporate culture and business achievements. It will also enable the embedding of GRC program elements, such as activities assigned to Line 1 business owners, into the enterprise applications they access every day, encouraging them to more consistently follow governance best practices as they engage in their daily activities.
  • Improve risk decision-making by using data analytics. Thanks to an array of new technologies – in-memory computing, visualization tools, mobile reporting services, etc. – organizations can now rapidly aggregate and analyze huge volumes of data from systems across the enterprise. Data scientists are also developing new methodologies and business rules to aggregate and optimize data for analytics more effectively. As a result, organizations will finally be able to automate many GRC tasks, such as risk scoring assessments, thereby automatically exposing potential risk hot spots that previously went undetected until the damage was done.

I have never been more optimistic about the evolution of GRC. As assurance professionals, lines of business and IT work together to implement new strategies and new supporting technologies, we will transform GRC from mere operational risk management to a function that can protect organizations while actually helping them to be more successful.

Compliance News Roundup: The Clearing House AML Recommendations, CFPB on Alternative Data and More

Protiviti published its March issue of Compliance Insights this week. We sat down with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, to discuss some of the highlights. Listen to our podcast below, or click on the “Continue Reading” link to read the interview.

 

In-Depth Interview, Compliance Insights [transcript] Continue reading

Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance

 

 

 

Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally-identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.

Continue reading

New York Steps Up With First State-Level Cybersecurity Regulations for Financial Services Companies

By Adam Hamm, Managing Director
Risk & Compliance

 

 

 

With the future of federal regulations uncertain, the New York Department of Financial Services (NYDFS) has taken cybersecurity matters into its own hands. Effective March 1,, 2017, banks, insurers and other financial services regulated by the NYSDFS must maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

New York is the first state to adopt comprehensive cybersecurity regulation. Others are watching closely. The National Association of Insurance Commissioners (NAIC) is still crafting its own highly anticipated cybersecurity model law, and comparisons between the two frameworks will continue. We will be following up on these developments as they happen, as well as monitoring whether other states will follow New York’s lead.

Much more than a ritual box-checking exercise, the New York regulation requires the state’s banks, insurance companies and other financial service providers to each conduct a thorough cybersecurity risk assessment and design a robust cybersecurity program based on the findings.

Risk assessments will vary according to the individual risk profile of each covered entity but, generally, the documented risk assessment needs to do the following:

  • Provide criteria for the evaluation and categorization of identified cybersecurity risks or threats which the entity may face.
  • Design criteria for the assessment of the confidentiality, integrity, security and availability of the entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks.
  • Develop a risk mitigation program that describes how actual risks will be mitigated (or accepted) and how the company will monitor these risks. It is important to document the systems that are in place to detect and defend against cyberattacks, and test employee response to ensure that protocols are both followed and effective.
  • Develop policies and procedures for the implementation and operation of the cybersecurity program, and train employees in these procedures.

In addition, each entity must designate a qualified chief information security officer (CISO) to administer the cybersecurity program. This may not be news to larger financial institutions, but for a smaller entity it may be a brand new requirement that requires some restructuring.

A CISO doesn’t have to come from within the entity’s ranks. Third parties can provide the CISO oversight services in an outsourced capacity. It is important to note, however, that while the responsibility for the oversight can be delegated, liability for the risk as well as for compliance is not transferable and remains with the entity.

There are many more specific details in the NYDFS regulation that covered entities will need to carefully look into as they shape their cybersecurity programs. Among them are specific initiatives that companies will either need to undertake now, or review to make sure they comply with the rule: incident response plan, data encryption, multi-factor authentication, third-party service provider security policies, penetration testing and vulnerability assessments, access privileges, and an audit trail for all these efforts, among others.

Covered entities have until February 15, 2018, to submit their first certification of compliance (annual requirement). This is a very short timeframe. I would urge companies to begin their risk assessments with utmost speed to ensure adequate time to identify and remediate any security gaps before the 2018 compliance deadline.

You can read the full regulation here.

From Tiny Tech to Populism: Latest Issue of PreView Scans the Global Risk Horizon

jason-dailyBy Jason Daily, Director
Risk and Compliance

 

 

 

Imagine a DNA-programmed nanoparticle capable of hacking cancer cells, a plankton-sized carbon tube that can remove pollutants from water, or food packaging that changes color in the presence of dangerous bacteria. Nanotechnology, with a market predicted to reach almost $13 billion by 2021, has the potential to change the world, and every industry — from healthcare to the military — has a stake in its advances.

Use of Nanomaterials by Industry

With that potential, of course, comes risk. Nanotech may be applied in controversial ways — such as surveillance, or weapons capable of attacking people, plants or livestock at the molecular level. The technology is not visible to the naked eye, raising concern among some, who worry that self-replicating nanobots could destroy the planet if not properly controlled.

Nanotech is only one of the macro-level trends we’re watching as part of Protiviti’s ongoing PreView global risk series. We evaluate emerging risks according to the five global risk categories established by the World Economic Forum. In the January edition, in addition to nanotechnology, we consider the risk of a global water crisis and the “morality” of thinking machines, and we look ahead at the risk of marching populism and what cybersecurity means on a national and global scale.

WEF Global Risk Categories

The flip side of risk is opportunity. While governments and industries grapple with the shortage of fresh, clean water, particularly in developing countries, opportunities for water applications of nanotechnologies abound. As artificial intelligence increasingly replaces humans in making key decisions, opportunities to improve the underlying algorithms can translate into market share and increased profits for the early movers. And finally, with cyber the new warfare, governments and companies have an opportunity to stake a claim in the cybersecurity space by designing products, as well as policies, that protect both digital assets and societal freedoms.

Several of the topics in our current issue are a continuation from previous issues. This trend will continue, as the risks we are keeping an eye on evolve over time and their implications change, sometimes quickly. Whether continuing or newly emerging, such as populism, all of these risks are fascinating to follow, and imperative to take into consideration in mapping long-term business strategies. That’s probably one reason why our PreView series is among our most popular publications.

I encourage you to both read and share our latest issue with your board and executives, to spark discussion and help ensure these emerging risks are part of risk discussions. And, we encourage a discussion here as well. Tell us what you think in the comments.

Regulatory Activity Unabated Despite Uncertain Regulatory Outlook

Steve StachowiczBy Steven Stachowicz, Managing Director
Risk & Compliance

 

 

 

A month into the new U.S. administration, it’s clear that the political landscape is shifting. The administration has issued executive orders calling for a review of existing laws and regulations based on how they promote certain “core principles” related to the regulation of the U.S. financial system; a review of the Department of Labor’s Fiduciary Rule scheduled to take effect later in 2017; and an “implement one, repeal two” standard for the issuance of new regulations. Talk abounds about congressional actions aimed at actual or possible legislation, such as the TAILOR Act and the Financial CHOICE Act, which would affect the current regulatory structure as well.

The long-term ramifications of these actions for financial services regulation, supervision and enforcement are still unknown, and it may be some time before we have a clear view of what the future will look like. Meanwhile, financial institutions must still contend with the regulatory structure that exists today. Regulatory or self-regulatory agencies at the state, federal and even international levels are continuing to move forward with their existing supervisory and regulatory responsibilities. We address these in the February edition of Compliance Insights.

  • In the anti-money laundering (AML) space, we note that the Conference of State Bank Supervisors released a Bank Secrecy Act/AML Self-Assessment Tool to help financial institutions better manage money laundering risk. Risk assessments are top of mind for regulators, who consider logical, well-balanced and robust assessments the focal point of a sound risk management program. The self-assessment tool was issued not only to help provide transparency into how risks are assessed, monitored and communicated within an institution, but also to promote greater transparency among institutions to benefit the broader financial services industry.
  • Within the securities space, the Financial Industry Regulatory Authority (FINRA) published its Regulatory and Examination Priorities Letter for 2017, which identifies known and potential risks facing broker-dealers, investor relationship management and market operations. FINRA uses the annual priorities letter to communicate areas of focus for its information requests and examinations for the upcoming year. The 2017 letter highlights the “blocking and tackling” roles of compliance, supervision and risk management through FINRA’s focus on reviewing firms’ business models, internal control systems and client relationship management. Priorities identified for 2017 include: monitoring brokers with a history of disciplinary actions or complaints; sales practices; financial risk management and liquidity; operational risks; and market integrity.
  • Privacy concerns are atop the agenda for the European Commission (EC), which published the draft text of a proposed e-privacy regulation that, if adopted, would replace the EC’s current ePrivacy Directive with a more expansive regulation. Data privacy is a top priority for the EC, which seeks to establish a new privacy legal framework for electronic communications as part of a digital single market. The proposed regulation was developed with the intent to create better access for consumers and businesses to digital goods and services, level the playing field for digital networks, facilitate development of innovative services, and increase the growth potential of the digital economy.
  • Finally, the Consumer Financial Protection Bureau (CFPB) recently sued a bank for apparent unfair and deceptive practices related to enrolling customers into overdraft protection services. The suit contends that the bank violated the CFPB provision for implementing the Electronic Funds Transfer Act by misleading customers that overdraft protection was mandatory, concealing fees, deceptively seeking consent, and pushing back against customers who questioned the opt-in requests. Notably, the CFPB cites that the bank’s employee incentive program likely contributed to these issues, further highlighting the attention that the regulatory agencies are placing on sales practices and incentive compensation programs.

Even as Washington sorts itself out, financial institutions cannot lose sight of regulatory obligations and expectations that exist at the local, state, federal or even international level. The regulatory environment is likely to be quite dynamic in the foreseeable future, and financial institutions will remain challenged to manage their risks in this environment and not relax their compliance efforts.

Continue to follow our monthly roundups of compliance news here and on our site. The February issue is available here.

 

Anticipating the Fifth EU AML Directive: What Financial Institutions Need to Know

matt-taylorBy Matt Taylor, Managing Director
Regulatory Compliance Practice

 

 

 

Money laundering regulations are proving to be as complicated as the shadowy financial transactions they are trying to prevent. A case in point: The Fourth European Union Anti-Money Laundering Directive (4AMLD), approved in 2015 and scheduled to go into effect June 26, 2017, has already been supplanted by 5AMLD — amended text addressing threats that have emerged in the period between the adoption and implementation of 4AMLD.

As it stands, the agreed 4AMLD text and effective date will remain, but financial institutions should anticipate additional regulatory changes from 5AMLD shortly thereafter. We issued a flash report last week, which outlines the proposed changes in 5AMLD and provides recommendations on how financial institutions can prepare for them.

There are five main requirements proposed by the 5AMLD that affect financial institutions:

  1. Virtual currencies. The 5th AMLD adds virtual currencies, anonymous prepaid cards and other digital currencies, such as bitcoin exchanges and wallet services, to the list of activities carrying the risk of terror financing. The 5AMLD better defines “virtual currencies” under EU law, and includes the requirement to adopt this legal definition in AML legislation across all member states. Under the proposed amendment, providers engaged in exchange services between virtual and hard currencies and custodian wallet providers will be required to apply customer due diligence (CDD), similar to what is already required for hard currency transactions.
  1. Identifying prepaid card owners. EU member states will be required to identify the customer in the case of remote payment transactions where the amount paid exceeds EUR50. After 36 months from the date 5AMLD enters into force (a date still to be determined), identification requirements will apply to all remote payment transactions. Certain exemptions may apply for “low-risk” customers where defined risk-mitigating factors are met.
  1. Beneficial ownership registers. Member states must comply with register requirements within 18 months of the 5AMLD implementation date. Registers must be interconnected to the European Central Platform within 18 months of implementation in accordance with the technical specifications and procedures set out in Article 4C of Directive 2009/101/EC. Technical requirements, including access controls and operational challenges, should also be considered and tested in preparation for compliance with 5AMLD requirements.
  1. Enhanced information sharing. 5AMLD requires member states to establish automated data clearinghouses at the national level to aggregate individual account ownership across multiple institutions. Data must be searchable by account holder, beneficial owner, IBAN number, and open and close dates, as applicable. Powers of EU Financial Intelligence Units (FIUs) will be enhanced through 5AMLD, as they will be permitted to request information from any obliged entity and would no longer be limited to identification of a predicate offense or suspicious activity report prior to an information request. The proposed amendments make information more easily accessible and align with international best practices.
  1. High-risk third countries. Member states will be required to apply specific enhanced due diligence (EDD) measures for transactions involving entities on a list of “high-risk third countries” defined by the European Commission. This is intended to reduce regulatory differences between member states, where some EU countries offer less-stringent controls in exchange for higher fees, allowing terrorists to exploit the weaknesses in these measures.

5AMLD has proved to be more controversial than 4AMLD, particularly with prepaid cards and virtual currencies being more tightly regulated and uncertainty regarding the implementation of centralized registers. Nevertheless, there is an ambitious timeframe for its adoption. With 4AMLD expected to become effective June 26, 2017 it is reasonable to assume that 5AMLD will become effective shortly thereafter, if not concurrently, and obliged entities should be ready to implement the proposed 5AMLD requirements.

Download the flash report for additional details and recommendations.