Security and Privacy in Financial Services: Q&A Addressing Top Concerns
By Ed Page, Managing Director
Technology Consulting, Financial Services

and Andrew Retrum, Managing Director
Security and Privacy


Global cybersecurity risk has never been higher, especially at financial institutions, which are often targeted for their high-value information. Earlier this year, Protiviti published its 2017 IT Security and Privacy Survey, which found a strong correlation between board engagement and effective information security, along with a general need to improve data classification, policies and vendor risk management.

We sat down with our colleagues Scott Laliberte, Managing Director in our Cybersecurity practice, and Adam Hamm, Managing Director, Risk and Compliance, to discuss how these overall findings compared to those specific to the financial services segment, and why the financial services industry differed from the general population in some aspects. We outlined the comparisons in a recently published white paper. What follows is a sampling of some of the questions we addressed, with a brief summary of the answers. For a more detailed analysis and more data specific to the industry, we recommend downloading the free paper from our website.

Q: What are the top IT security and privacy-related challenges facing financial services firms today?

A: Disruptive technologies, third-party risk, shadow IT (systems and solutions built and used inside the organization without explicit organizational approval) and data classification are top concerns, not only for FSI firms but for survey respondents generally.

Data classification is a particularly challenging and important issue for the financial services industry, from both a security and a compliance perspective. We often talk about “crown jewels,” data that warrants greater protection because of its higher value. Establishing effective data classification and data governance are multi-year efforts for most institutions, and they must be consistently managed and refreshed. The difficulty of these efforts is compounded by the unique complexity of financial systems. Naturally, financial services firms are slightly ahead of their counterparts in other industries in the data classification game, due to their more acute awareness and their ongoing, focused efforts, but they still have a long way to go.

Q: Boards of directors of financial firms are more engaged and have a higher understanding of information security risks affecting their business compared to other industries. What does this tell you about the level of board engagement at financial institutions?

A: Financial institutions are being attacked and breached more often than companies in other industries due to the high value of their information. As a result, regulators have been pushing boards at financial services firms to become more aware of and involved in cyber risk management. The Gramm-Leach-Bliley Act (GLBA), as well as guidance from the Federal Financial Institutions Examination Council (FFIEC), both encourage regular cyber risk reporting to the board and management. The New York Department of Financial Services similarly requires that CISOs at insurance companies provide a report to the board on the cyber program and material cyber risks of the company, at least annually. As we noted in the beginning, our survey found a strong correlation between board engagement and cybersecurity maturity in all organizations — so the higher involvement of financial services firms’ boards bodes well for their companies’ cybersecurity, provided directors get actively engaged with management on this topic.

Q: Over half of financial services respondents to the survey said they were “moderately confident” they could prevent a targeted external attack by a well-funded attacker. Is this an accurate assessment of most financial institutions?

A: Given that the probability of a cyber attack on a financial institution has become a matter of “when,” rather than “if,” we would not expect any institution to have a high — or even moderate — degree of confidence. It may be a measure of false confidence that so many organizations think they can prevent an attack. The onus is now on firms to assume that an attack is likely, and be prepared to limit its impact.

Q: Most financial services respondents indicated that they were working with more big data for business intelligence compared to last year. What should firms be concerned about with regard to their growing use of big data?

A: Big data includes both structured and unstructured data, which is more difficult to classify. Firms may also be dealing with new technologies with different security characteristics as well as more data distributed in the cloud. All of these factors complicate data management for financial institutions. As financial institutions rely more on big data, it is critical that they know what data to protect, its location and all of the places it might travel over its lifecycle in the system. Just as important is the need to control access to data and to protect the integrity of that data as more users interact with it for a growing number of reasons.

Q: More and more firms are using third parties to access better services and more advanced technology, but are financial institutions doing enough to counter new risks arising from third parties, such as partnerships with fintech companies?

A: Financial institutions are digital businesses, with more and more capabilities provided via mobile devices and through partnerships with financial technology, or fintech, companies. Many fintechs are small startup organizations that may lack the rigor and discipline of a traditional financial services firm. While innovation is necessary to compete in today’s fast-paced world, organizations need to take appropriate steps to ensure that controls are in place, and to test those controls, to minimize risk from third parties.

The full paper goes into significantly more detail on these and other questions than the abstract provided here, and presents the perspective of both security and risk and compliance experts. Let us know if you find it helpful.

EU Payments Directive Opens Door to Open Banking

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK

The second European Payment Services Directive (PSD2) is scheduled to become law on January 13, 2018. Heralded as a way to make it faster, easier and less expensive for consumers to pay for goods and services, it also forces European banks to share customer data and payment infrastructure with third-party service providers and disruptive new competitors known as fintechs.

For better or worse, banks will soon have to comply with the law. Their only choice lies in whether to embrace this disruption and use it as the catalyst for an “open banking” business model, or succumb to the competitive threat.

The European Parliament adopted PSD2 in October 2015 to promote innovation (especially by third-party providers), enhance payment security and standardise payment systems across Europe. Its practical effects would be to:

  • Regulate fintechs that fall within the wider definition of what is regulated in payment services;
  • Limit transaction fees and rebates;
  • Require banks to open their payment infrastructure and customer data to third-party financial service providers; and
  • Provide new protections to consumers and users of payment services.

In practical terms, PSD2 would create an open banking environment where banks would be required to share a customer’s personal financial data, at the customer’s request, with any regulated account information service provider (AISP), while the bank still retains responsibility for the risk and compliance aspects of the customer and his or her data. This will be done through an application programming interface (API) that complies with a set of technical standards set forth by PSD2.

For sure, this expanded access and consolidation of data increases existing risks (such as fraud) and poses new potential risks to the current business model of certain institutions such as banks, but it brings opportunities as well — particularly for challenger banks, and for traditional banks that choose to do more than the bare minimum of PSD2 compliance. Perhaps a bit surprisingly, the prevailing sentiment — even among some bankers — is one of excitement and optimism.

Time will tell what innovations and unintended consequences PSD2 will create. In the most likely scenario, the financial services industry will see a dramatic rise in mobile technology driven by APIs. In the future, banks wishing to remain competitive will use APIs to build an “ecosystem” with not just payment providers but merchants, so they would remain their customers’ “everyday bank.” The use of APIs in financial services has been hampered by privacy rules and the private ownership of data and infrastructure. PSD2 clears those hurdles.

Consider this small sampling of possibilities:

  • Account aggregation, which provides consumers with an overview of all accounts held across different institutions, without having to log into multiple proprietary customer portals.
  • Automated balance sweeping across multiple accounts to maximise interest payments and minimise debit balances.
  • “Marketplace” banks that offer lowest-cost services for loans, overdrafts and foreign currency transfers.
  • Credit decisions based on actual data by any institution and not just the institution currently providing bank account services — increasing choice and competition.
  • Payment facilities for the Internet of Things, such as, say, a self-replenishing refrigerator authorized to “shop” on the owner’s behalf, or a car that can pay for fuel or recharge without the customer leaving the vehicle.

There will be winners and losers. Potentially the biggest winners will be consumers and entities making and receiving payments within the European Economic Area. Cost and lack of competition in the existing payment space have been a concern for European regulators, and the opening up is likely to drive costs down for banks and consumers alike as competition increases.

An issue I deliberately did not mention here is data security and the safeguards built into PSD2 to ensure that personally identifiable data is protected. This is a topic for a discussion in its own right, and we will be covering the security aspect of PSD2 here on this blog and elsewhere. In the meantime, you can bet that PSD2 will be front and center when the European financial services industry gathers June 26-28 in Copenhagen for Money 20/20. I hope to see you there!

John Harvie, Business Performance Improvement, Protiviti UK and Justin Pang, Risk and Compliance, Protiviti UK contributed to this content.

The Importance of Data Lineage for AML Systems

By Vishal Ranjane, Managing Director
Risk and Compliance

Financial organizations have long embraced the advantages that information technology offers, and many are looking forward to larger digitalization initiatives to gain market advantage. Customers appreciate the convenience of digital offerings, while firms enjoy the reduction in operating costs that information technology enables. Of course, in the multifaceted, highly regulated environment in which financial institutions operate, mastering the complexity of this digital future is both rewarding and risky.

In any financial firm’s application landscape, data flows from system to system. In an ideal world, key data gathered at the front end (customer-facing systems) makes it to the back-end systems without hitches. In reality, in the application architecture of almost any financial institution, systems are sometimes imperfectly integrated, often as a result of multiple acquisitions, and data does not always make the journey from system to system without some amount of attrition or change. However, banks and other financial institutions that handle customer data must be able to demonstrate that the information which originates upstream, in customer-facing systems, is the same information found in the bank’s risk and compliance systems downstream. This is where data lineage becomes important.

Data lineage tells the complete story of how data within an organization was produced, consumed, and manipulated by the organization’s applications. It traces the data’s movement through systems.

Once, it was sufficient to demonstrate to regulators that the right policies were in place, that the right procedures were followed, and the right reports were generated and reviewed to protect against threats like fraud and money laundering. Now, financial institutions must be able to demonstrate to regulators that they are using complete and accurate data to monitor for these activities.

Asserting data legitimacy

An organization asserts de facto data legitimacy when it relies on the integrity of its data for key reporting or decision-making activities, such as those involved with risk and compliance solutions. It is imperative that data from upstream systems of record or points of capture arrives in these downstream risk and compliance systems in a manner that does not materially alter or obscure the content received from the system of record or point of capture.

De facto data legitimacy claims are an area of focus for regulatory authorities, who require that these claims be documented and proven. The recent Part 504 regulation by the State of New York Department of Financial Services emphasizes the importance of data lineage in an AML context, stating that a covered institution must not only identify all data sources that contain data relevant to its transaction monitoring and watchlist filtering programs, but also must ensure that these programs include the validation of the integrity, accuracy, and quality of the data to ensure that an accurate and complete set of data flows into these programs. In addition, the regulation specifically notes data mapping as a key component of end-to-end pre- and post-implementation testing of transaction monitoring and watchlist filtering programs.

Going back to the firm’s application landscape, upstream data – data entered initially by the customer, for example – may not survive the journey downstream, and facts about the transaction may be lost with each hop from system to system. Can an auditor know if a particular transaction was made with a teller, a wire, or via an ATM, for example? Was a deposit made by check or cash?

Data lineage documentation can be done using a variety of tools ranging from simple to sophisticated. In smaller, less complex systems, simple spreadsheets and diagramming tools may suffice, while large financial institutions may deploy vendor toolsets to automate tedious and error-prone capture and documentation activities.
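The following is an added illustration of the lineage and reconciliation idea described above; it is not tooling from Protiviti or from any vendor mentioned in the post. It replays one constructed transaction record through hypothetical hops (system of record, core banking, data warehouse, AML monitoring), keeps a SHA-256 snapshot of the record as each system sees it, and reconciles the downstream view against the system of record so that silently dropped fields (the channel and instrument the article asks about) and silently altered values are reported together with the hop where they were first lost. System names, field names and mappings are all assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample record from a hypothetical teller (system-of-record) application.
# Field names and values are illustrative assumptions, not any real institution's schema.
UPSTREAM_RECORD = {
    "txn_id": "T-000123",
    "customer_id": "C-4711",
    "amount": "9500.00",
    "currency": "USD",
    "channel": "teller",       # teller / wire / ATM: the fact an auditor wants to see
    "instrument": "cash",      # cash / check
    "booked_at": "2017-06-01T10:15:00Z",
}

# Each hop is (target system, source-to-target field mapping, value transforms).
# A field missing from a hop's mapping is silently dropped at that hop; a transform
# models a conversion applied on load. Both are hypothetical examples of attrition.
HOPS = [
    ("core_banking",
     {"txn_id": "txn_id", "customer_id": "customer_id", "amount": "amount",
      "currency": "currency", "channel": "channel", "instrument": "instrument",
      "booked_at": "booked_at"},
     {}),
    ("data_warehouse",
     {"txn_id": "txn_id", "customer_id": "customer_id", "amount": "amount",
      "currency": "currency", "booked_at": "booked_at"},   # channel and instrument lost here
     {}),
    ("aml_monitoring",
     {"txn_id": "txn_id", "customer_id": "customer_id", "amount": "amount",
      "currency": "currency", "booked_at": "booked_at"},
     {"amount": float}),                                    # string amount silently coerced
]


@dataclass
class LineageEntry:
    system: str
    record: dict
    digest: str  # SHA-256 of the canonical JSON of the record as this system holds it


def canonical_digest(record):
    """Hash a record in a canonical form so that identical content gives an identical digest."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def trace_lineage(record, hops):
    """Replay a record through each hop's mapping and transforms, snapshotting it per system."""
    lineage = [LineageEntry("system_of_record", dict(record), canonical_digest(record))]
    current = dict(record)
    for system, mapping, transforms in hops:
        current = {tgt: current[src] for tgt, src in mapping.items() if src in current}
        for field_name, convert in transforms.items():
            if field_name in current:
                current[field_name] = convert(current[field_name])
        lineage.append(LineageEntry(system, current, canonical_digest(current)))
    return lineage


def reconcile(lineage, required_fields):
    """Compare the final system's view with the system of record for the fields that matter."""
    origin, last = lineage[0].record, lineage[-1].record
    lost = sorted(f for f in required_fields if f in origin and f not in last)
    altered = sorted(f for f in required_fields
                     if f in origin and f in last and origin[f] != last[f])
    first_lost_at = {}
    for f in lost:
        for prev, cur in zip(lineage, lineage[1:]):
            if f in prev.record and f not in cur.record:
                first_lost_at[f] = cur.system
                break
    return {"lost": lost, "altered": altered, "first_lost_at": first_lost_at,
            "intact": not lost and not altered}


REQUIRED = ["txn_id", "amount", "currency", "channel", "instrument"]


def main():
    lineage = trace_lineage(UPSTREAM_RECORD, HOPS)
    for entry in lineage:
        print(f"{entry.system:17} {entry.digest[:16]}  fields={sorted(entry.record)}")
    print(reconcile(lineage, REQUIRED))


if __name__ == "__main__":
    main()
```

Because the digest is computed over canonical JSON, a hop that passes the record through faithfully produces the same digest as the system of record, so unchanged digests are cheap evidence that a hop is lossless, and a changed digest is the trigger to run the field-level reconciliation.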

Data lineage as part of data governance

Establishing the data lineage should, of course, be more than just an exercise in documenting what’s already in place. Performing this level of analysis and uncovering previously unknown silent errors or gaps in the data being used to manage AML risks and generate reports should lead to increased accuracy and confidence in the reports and management information presented to senior management, internal audit and regulators. An additional benefit is getting better insights into customer behavior – a value for any business.

Establishing a data lineage initiative is only the start. To be sustainable over the long run, such an initiative needs to be part of a larger data governance program that is firm-wide and involves all departments and functions. Data governance efforts are viewed well by regulators, who increasingly put pressure on financial institutions to formally document business processes, data controls and source-to-target mapping, and to defend all activities around data management. A Protiviti white paper, “AML and Data Governance: How Well Do You KYD?,” provides more information and may be of relevance to your company.

Benjamin Kelly of Protiviti’s Regulatory Risk and Compliance practice contributed to this content.

Compliance Insights Latest: Regulator Warns on Sales Incentives, New York Fed on Ethics, and More

By Steven Stachowicz, Managing Director
Risk and Compliance

Culture and ethics are important in financial services; this much has always been clear to anyone working in the industry. Consumers and businesses alike place a great deal of trust in the system, and continue to hold it in high regard even in light of recent scandals and events that have highlighted certain questionable practices, testing this trust. But culture and ethics are much more than empty statements printed on a poster or in an employee bulletin and posted in the breakroom – a financial institution must take tangible steps to instill in its employees the values it declares publicly. Risks and rewards should be managed in a manner consistent with these values, as well as applicable legal and regulatory requirements and expectations and the best interests of the institution’s customers. In our most recent edition of Compliance Insights, we share the latest public statements from the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Bank of New York related to these topics.

In November 2016, the CFPB issued a bulletin regarding detecting and preventing consumer harm from sales and production incentives (we provide examples of such incentives in our current edition). The CFPB stresses the importance of proper oversight of employee incentives, particularly those that may pose potential harm to consumers if not designed and monitored appropriately. The CFPB expects financial institutions that employ incentive compensation programs to implement effective controls and risk management oversight of both employees and service providers participating in the programs. The CFPB reminds institutions of its expectations that they establish strong compliance management systems that detect violations of Federal consumer financial laws and, in particular, prevent unfair, deceptive or abusive acts or practices (UDAAP). The CFPB makes clear that compliance departments have an important role to play in managing the risks associated with these programs.

The CFPB bulletin was issued a month after William Dudley, president and CEO of the Federal Reserve Bank of New York, called for increased regulatory oversight to ensure accountability for misconduct and lapses of ethical judgment at financial institutions. Among his suggestions, Mr. Dudley articulated the need for tangible regulatory requirements rather than principled high-level statements. He proposed certain solutions, such as a database of banker misconduct and an annual, industry-wide culture survey. However – and clear to anyone involved in financial services – the responsibility for reforming culture ultimately lies with the banking and financial services industry itself, and financial institutions must make coherent, comprehensive efforts to correct any cultural and ethical weaknesses.

In other compliance news, the Financial Crimes Enforcement Network (FinCEN), in coordination with the Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS), issued an advisory in September to help financial institutions identify and prevent the growing number of e-mail compromise fraud schemes.

The advisory includes a list of relevant red flags and detailed scenarios related to e-mail fraud schemes, and highlights the growing trend of cyber-enabled criminal activity. According to FinCEN, there have been approximately 22,000 reported cases of e-mail compromise fraud involving $3.1 billion in losses since 2013.

Finally, a study by the Global Association of Risk Professionals found that only half of the banks that were required to comply with Basel 239 risk data aggregation and reporting requirements by January 1, 2016 are in compliance. Risk data aggregation refers to a bank’s ability to consolidate various sources of risk data, such as loan default or derivative exposure across various business units.

For a more in-depth analysis of December’s compliance topics, you can read the full insights report here. We look forward to following and sharing more financial services compliance news with you in 2017. Happy New Year!

Money 20/20, Day 3: Get the View From the Inside With Today’s Podcasts

Blockchain, globalization, digitization, cybersecurity, fintech, new customer demands, and more. Money 20/20, the largest global financial industry event focused on payments and financial services innovation for connected commerce at the intersection of mobile, retail, marketing services, data and technology, takes place Oct. 23-26. Once again, Protiviti is proud to be an exhibitor sponsor and speaker at the event.
We will be posting daily dispatches from the event’s sessions, starting Sunday, here and on Twitter. Subscribe and follow us for current commentary, insights and reactions from industry experts as the event unfolds.


Ed Page, Managing Director, Technology Consulting for Financial Services, on IT Trends (6:08 minutes)


Nirav Shah, Director, Risk and Compliance, on Regulating Fintech (3:03 minutes)


Nirav Shah, Director, Risk and Compliance, on Good vs. Bad Innovation (4:46 minutes)


Robert Ferguson, Senior Manager, Business Performance Improvement, on Customer Stickiness (3:21 minutes)


Introducing Compliance Insights: Protiviti’s Monthly Roundup of News for Financial Services Firms

By Steven Stachowicz, Managing Director
Risk and Compliance

With global banking regulation consistently ranking as a top concern for financial service industry executives and directors, Protiviti has launched Compliance Insights, a monthly advisory newsletter designed to provide financial services industry (FSI) executives with timely news on issues that are relevant now.

Although primarily focused on banking compliance matters related to consumer protection, privacy, anti-money laundering/anti-terrorist financing, and sanctions, this short newsletter also includes topics applicable to other types of financial institutions, including those in capital markets and emerging financial technology (“fintech”).

The information we choose for our monthly briefing is not intended to be a complete picture of the FSI compliance landscape, but to provide clear and concise summaries on key topics we consider of interest to the industry. We’re not going to cover everything; rather, each month we’ll highlight a handful of issues, tapping our subject-matter experts for analyses of the latest changes in rules and guidance.

Our inaugural issue, launched in July, led with a couple of updates on global payment systems. In the wake of cyberattacks on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payments network, which facilitates cross-border interbank transfers, both SWIFT and the Federal Financial Institutions Examination Council (FFIEC) issued reminders to institutions of the need to manage risks associated with interbank electronic transactions. We also shared new guidance from the Wolfsberg Group of International Financial Institutions, an association of 13 global banks with a common goal of developing effective anti-money laundering (AML) standards. The guidance is related to financial institutions’ use of certain SWIFT services.

Other topics included:

  • Proposed rules from the SEC limiting the use of derivative investments by mutual funds;
  • The long-anticipated proposal from the Consumer Financial Protection Bureau (CFPB) on rules governing payday, vehicle title, and other short-term, small-dollar loans; and
  • The possibility of fintech firms obtaining limited-purpose national bank charters, enabling them to operate under uniform federal regulation and supervision.

Our August issue, released last week, provides updates on another CFPB proposal, this one focused on third-party debt collection practices, plus several other topics we consider relevant:

  • A joint regulatory update of Community Reinvestment Act (CRA) Q&As
  • Increased regulatory scrutiny of potential money laundering at card clubs, casino-like gambling establishments offering exclusively card games
  • A ruling by a Miami judge in an anti-money laundering case that calls into question whether bitcoins are “money”
  • Upcoming changes to the Military Lending Act (MLA), which extends additional consumer lending protections to active-duty military personnel and their dependents

We hope you’ll find this resource useful – please let us know if you do or if you have any suggestions or suggested topics. It is part of our ongoing effort to help financial service institutions face the future with confidence.

You can subscribe to Compliance Insights or send us your feedback here.

2015 Consumer Survey Finds Bank Branches Alive and Well

By Jason Goldberg
Director, Protiviti’s Payments and Retail Banking Practice

Pundits have long predicted the death of the brick-and-mortar bank branch – citing widespread closures of major financial institutions and correlating this with the rise of online and mobile banking.

And yet, according to the Federal Deposit Insurance Corporation (FDIC), the number of branches has almost doubled over the last 30 years, even as the total number of banks has decreased by almost two-thirds. Most of that increase has happened since 1995, the acknowledged dawn of commercially viable online banking.

So what’s the real story? Protiviti surveyed more than 2,000 consumers in the second quarter of 2015 to glean their banking and payment preferences. The results, published in our just-released 2015 Protiviti Consumer Banking and Online Payments Survey Report, showed that while online and mobile banking is the go-to option for many routine transactions, the neighborhood branch continues to anchor the banking relationship – even among younger consumers – and serves an important sustaining role as a center for financial advice and customer service.

Some stand-out findings from the survey:

  • There is little to no correlation between frequency of branch visits and web and mobile banking use. For example, 49 percent of frequent bank visitors use their bank’s mobile app to transfer funds, compared with 50 percent of non-visitors of branches. While web and mobile banking have shifted a large percentage of everyday transactions away from older channels (checks, branches, ATMs), customers of all ages still want the convenience of visiting a branch if they are nearby, and continue to want human interaction for their more complex or high-value transactions, such as loans, product tutorials or investment advice.
  • Frequent bank visitors tend to hold more credit cards, carry higher balances and be more engaged with other banking channels, especially ATMs and phone banking. Frequent and regular visitors are also more convinced than non-visitors that new credit card chip technology will make their transactions more secure, even if experience in Europe, where the technology has been in use for more than a decade, indicates that the drop in physical credit card fraud will likely be offset by fraudulent use of credit cards online.

What can we take away from all this? The more things change, the more they remain the same. Predictions calling for the imminent demise of branch banking have been and continue to be premature, to say the least. The bank on the corner may very well be different in the future than the one you are used to – more tech, fewer transactions. But there will still be a bank on the corner for years to come.

Read the entire 2015 Consumer Banking and Online Payments Survey Report here.