Security and Privacy in Financial Services: Q&A Addressing Top Concerns

By Ed Page, Managing Director
Technology Consulting, Financial Services

and Andrew Retrum, Managing Director
Security and Privacy

Global cybersecurity risk has never been higher, especially at financial institutions, which are often targeted for their high-value information. Earlier this year, Protiviti published its 2017 IT Security and Privacy Survey, which found a strong correlation between board engagement and effective information security, along with a general need to improve data classification, policies and vendor risk management.

We sat down with our colleagues Scott Laliberte, Managing Director in our Cybersecurity practice, and Adam Hamm, Managing Director, Risk and Compliance, to discuss how these overall findings compared to those specific to the financial services segment, and why the financial services industry differed from the general population in some aspects. We outlined the comparisons in a recently published white paper. What follows is a sampling of some of the questions we addressed, with a brief summary of the answers. For a more detailed analysis and more data specific to the industry, we recommend downloading the free paper from our website.

Q: What are the top IT security and privacy-related challenges facing financial services firms today?

A: Disruptive technologies, third-party risk, shadow IT — systems and solutions built and used inside the organization without explicit organizational approval — and data classification are top concerns, not only for FSI firms but for survey respondents generally.

Data classification is a particularly challenging and important issue for the financial services industry — from both a security and a compliance perspective. We often talk about “crown jewels” — data that warrants greater protection due to its higher value. Establishing effective data classification and data governance are multi-year efforts for most institutions, and they must be consistently managed and refreshed. The difficulty of these efforts is compounded by the unique complexity of financial systems. Naturally, financial services firms are slightly ahead of their counterparts in other industries in the data classification game, due to their more acute awareness and ongoing, focused efforts, but they still have a long way to go.

Q: Boards of directors of financial firms are more engaged and have a higher understanding of information security risks affecting their business compared to other industries. What does this tell you about the level of board engagement at financial institutions?

A: Financial institutions are being attacked and breached more often than companies in other industries due to the high value of their information. As a result, regulators have been pushing boards at financial services firms to become more aware of and involved in cyber risk management. The Gramm-Leach-Bliley Act (GLBA), as well as guidance from the Federal Financial Institutions Examination Council (FFIEC), both encourage regular cyber risk reporting to the board and management. The New York Department of Financial Services similarly requires that CISOs at insurance companies provide a report to the board on the cyber program and material cyber risks of the company, at least annually. As we noted in the beginning, our survey found a strong correlation between board engagement and cybersecurity maturity in all organizations — so the higher involvement of financial services firms’ boards bodes well for their companies’ cybersecurity, provided directors get actively engaged with management on this topic.

Q: Over half of financial services respondents to the survey said they were “moderately confident” they could prevent a targeted external attack by a well-funded attacker. Is this an accurate assessment of most financial institutions?

A: Given that the probability of a cyber attack on a financial institution has become a matter of “when,” rather than “if,” we would not expect any institution to have a high — or even moderate — degree of confidence. It may be a measure of false confidence that so many organizations think they can prevent an attack. The onus is now on firms to assume that an attack is likely, and be prepared to limit its impact.

Q: Most financial services respondents indicated that they were working with more big data for business intelligence compared to last year. What should firms be concerned about with regard to their growing use of big data?

A: Big data includes both structured and unstructured data, which is more difficult to classify. Firms may also be dealing with new technologies with different security characteristics as well as more data distributed in the cloud. All of these factors complicate data management for financial institutions. As financial institutions rely more on big data, it is critical that they know what data to protect, its location and all of the places it might travel over its lifecycle in the system. Just as important is the need to control access to data and to protect the integrity of that data as more users interact with it for a growing number of reasons.

Q: More and more firms are using third parties to access better services and more advanced technology, but are financial institutions doing enough to counter new risks arising from third parties, such as partnerships with fintech companies?

A: Financial institutions are digital businesses, with more and more capabilities provided via mobile devices and through partnerships with financial technology, or fintech, companies. Many fintechs are small startup organizations that may lack the rigor and discipline of a traditional financial services firm. While innovation is necessary to compete in today’s fast-paced world, organizations need to take appropriate steps to ensure there are appropriate controls in place, and test those controls to minimize risk from third parties.

The full paper goes into significantly more detail on these and other questions than the abstract provided here, and presents the perspective of both security and risk and compliance experts. Let us know if you find it helpful.

Regulatory Activity Unabated Despite Uncertain Regulatory Outlook

By Steven Stachowicz, Managing Director
Risk & Compliance

A month into the new U.S. administration, it’s clear that the political landscape is shifting. The administration has issued executive orders calling for a review of existing laws and regulations based on how they promote certain “core principles” related to the regulation of the U.S. financial system; a review of the Department of Labor’s Fiduciary Rule scheduled to take effect later in 2017; and an “implement one, repeal two” standard for the issuance of new regulations. Talk abounds about congressional actions aimed at actual or possible legislation, such as the TAILOR Act and the Financial CHOICE Act, which would affect the current regulatory structure as well.

The long-term ramifications of these actions for financial services regulation, supervision and enforcement are still unknown, and it may be some time before we have a clear view of what the future will look like. Meanwhile, financial institutions must still contend with the regulatory structure that exists today. Regulatory or self-regulatory agencies at the state, federal and even international levels are continuing to move forward with their existing supervisory and regulatory responsibilities. We address these in the February edition of Compliance Insights.

  • In the anti-money laundering (AML) space, we note that the Conference of State Bank Supervisors released a Bank Secrecy Act/AML Self-Assessment Tool to help financial institutions better manage money laundering risk. Risk assessments are top of mind for regulators, who consider logical, well-balanced and robust assessments the focal point of a sound risk management program. The self-assessment tool was issued not only to help provide transparency into how risks are assessed, monitored and communicated within an institution, but also to promote greater transparency among institutions to benefit the broader financial services industry.
  • Within the securities space, the Financial Industry Regulatory Authority (FINRA) published its Regulatory and Examination Priorities Letter for 2017, which identifies known and potential risks facing broker-dealers, investor relationship management and market operations. FINRA uses the annual priorities letter to communicate areas of focus for its information requests and examinations for the upcoming year. The 2017 letter highlights the “blocking and tackling” roles of compliance, supervision and risk management through FINRA’s focus on reviewing firms’ business models, internal control systems and client relationship management. Priorities identified for 2017 include: monitoring brokers with a history of disciplinary actions or complaints; sales practices; financial risk management and liquidity; operational risks; and market integrity.
  • Privacy concerns are atop the agenda for the European Commission (EC), which published the draft text of a proposed e-privacy regulation that, if adopted, would replace the EC’s current ePrivacy Directive with a more expansive regulation. Data privacy is a top priority for the EC, which seeks to establish a new privacy legal framework for electronic communications as part of a digital single market. The proposed regulation was developed with the intent to create better access for consumers and businesses to digital goods and services, level the playing field for digital networks, facilitate development of innovative services, and increase the growth potential of the digital economy.
  • Finally, the Consumer Financial Protection Bureau (CFPB) recently sued a bank for apparent unfair and deceptive practices related to enrolling customers into overdraft protection services. The suit contends that the bank violated the CFPB provision for implementing the Electronic Funds Transfer Act by misleading customers that overdraft protection was mandatory, concealing fees, deceptively seeking consent, and pushing back against customers who questioned the opt-in requests. Notably, the CFPB cites that the bank’s employee incentive program likely contributed to these issues, further highlighting the attention that the regulatory agencies are placing on sales practices and incentive compensation programs.

Even as Washington sorts itself out, financial institutions cannot lose sight of regulatory obligations and expectations that exist at the local, state, federal or even international level. The regulatory environment is likely to be quite dynamic in the foreseeable future, and financial institutions will remain challenged to manage their risks in this environment and not relax their compliance efforts.

Continue to follow our monthly roundups of compliance news here and on our site. The February issue is available here.


CECL/IFRS 9 Update: New Credit Impairment Model Deadlines and Implementation Considerations

By Charlie Anderson, Managing Director, Model Risk Management

and Charles Soranno, Managing Director, Financial Reporting Remediation & Compliance

As Protiviti reported back in May, the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) have been looking for lessons in the global banking crisis of 2007-08 and have come up with new forward-looking predictive models for financial institutions to use when estimating how much to reserve against potential loan losses.

The FASB’s CECL model will become effective in 2020, with the IASB’s International Financial Reporting Standard 9 (IFRS 9) standard beginning that year if early adoption is not elected. Protiviti strongly recommends immediate action because of the extensive changes in data-collection practices, systems configuration, loan classification and risk modeling required by the change.

The new impairment model from FASB, which applies to banks, savings and loans, credit unions, and non-bank lenders in the United States, and global institutions traded on U.S. exchanges, is called Current Expected Credit Loss (CECL). Final guidance on the model was issued on June 16, 2016. The new impairment model from IASB, which applies to institutions based outside the United States, is a part of IFRS.

For a detailed analysis of these new methodologies, see Protiviti’s Point of View briefing, Impact of the New Current Expected Credit Loss (CECL) Methodology, and the companion paper, IFRS 9 Impairment — Practical Implications. Both models are discussed, along with implementation considerations, in our Aug. 17 webinar, “Impact and Challenges of CECL and IFRS,” available in our online webinar archive.

The methodologies are similar in that they both replace traditional reserve requirements based on historical losses with new predictive models incorporating past, present and future data, as well as market intelligence and macroeconomic trends. The primary difference is that IFRS 9 uses a three-stage loan classification model not included in CECL.

The basics of these two methodologies have been covered in our previous blog post, so we don’t want to rehash them here, but we do want to share some implementation considerations we discussed in the webinar. Successful implementation is going to require an enterprisewide effort with input from most, if not all, departments. Some of the bigger details to be worked out include:

  • Gathering required data assets/history to feed the new model requirements
  • Creating underlying models and IT infrastructure for determining the required reserves
  • Identifying required business process updates, along with resources required to validate the updated reserving methodologies

Specific deadlines for CECL include:

  • SEC filing institutions effective for years beginning after Dec. 15, 2019
  • Non-SEC filing public business entities effective for years beginning after Dec. 15, 2020
  • All other entities, plus nonprofit organizations, effective for fiscal years beginning after Dec. 15, 2020, and interim periods with fiscal years beginning Dec. 15, 2021

IFRS 9 is effective for all entities for annual periods beginning on or after Jan. 1, 2018, but firms may choose to adopt the standard early.

Protiviti is already working closely with clients to help them prepare, and we encourage all financial institutions to act without delay. We fully expect practical issues and questions to be raised during the implementation and auditing phases, and further evolution of the guidance is quite likely. Financial service organizations need to start assessing the implications of these approaches sooner rather than later.

Thank you to Protiviti Associate Director Benjamin Shiu for his contributions to our CECL and IFRS 9 materials as well as our webinar.

Vendor Management – Realizing Opportunities in Financial Services

By Christopher Monk
Managing Director, Protiviti Supply Chain Solutions

Banks and other financial institutions have conducted tactical vendor management activities for decades. Much of this activity also has been performed in silos throughout these organizations.

As reliance on third-party providers domestically and globally grows, often driven by competitive pressures, the management of those vendors has become increasingly complex and scrutinized. Indeed, it’s not unusual for the largest financial institutions to have more than 50,000 vendors!

Add to the picture aggressive rollout of new services and products, heightened merger and acquisition activity, and new regulations regarding third parties, and it’s no wonder that financial services industry observers are left with one word to describe the current state of vendor management: Chaotic.

Even in the midst of this challenging environment, companies that employ the right strategic approach can do more than just meet compliance requirements; they can capitalize on better vendor management to achieve operational improvements and enhance the value provided by third parties. A recently published Protiviti white paper, Vendor Management: Realizing Opportunities in the Financial Services Sector, offers guidance in this regard.

One of the most common problems afflicting organizations is that there is no single point of accountability for managing vendor activity. Different functions and lines of business often hire their own vendors – or sometimes the same vendor – unaware of the vendor’s existing relationship with the company. The lack of centralized vendor data or reporting may make it difficult, if not impossible, to understand the complete picture with each vendor, identify spending patterns or uncover opportunities for more cost-efficient sourcing. Such a deficiency also hinders sharing of best practices across business units.

Furthermore, companies that lack good mechanisms for the ongoing management of their vendor relationships likely will struggle to ensure that contractual terms and related service-level agreements are fulfilled. These issues, in part, explain why regulators – including the Office of the Comptroller of the Currency and the U.S. Federal Reserve Board – are increasingly concerned that institutions have:

  • Failed to perform adequate due diligence and ongoing monitoring of third-party relationships
  • Entered into contracts without assessing the adequacy of a third party’s risk management practices
  • Entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers in order to maximize the third party’s revenues.

A sophisticated vendor management organization (VMO) can help institutions to tackle these compliance issues, but just as importantly, it can help them build strategic partnerships with vendors to drive greater value. Protiviti has identified six critical elements that an evolved and mature VMO is built upon: Contracts, spend, classification, metrics, governance and relationships.

How these elements are assembled and the degree to which they are developed determines the effectiveness of the VMO. The first step in making necessary enhancements is to ask key questions, such as:

  • Are our vendors classified using factors such as the importance of business function supported; geography; ease of replacement; dollars spent; frequency of use; data privacy requirements or level of reputational risk?
  • Do our current vendor management activities include a mechanism for reducing risks?
  • To what extent are our current spend analyses driving vendor management decisions?
  • How effective are our existing relationship management metrics in improving vendor performance?

By answering these questions, companies can gain a clearer picture of their existing state of vendor management and a better understanding of the work required to elevate it to a strategic level that yields real operational benefits.

Do you have a vendor management organization that delivers more than just basic performance and compliance management? I’d love to read your insights in the comments.

Reflecting on the Fourth Anniversary of the Dodd-Frank Act

By Carol M. Beaumier, Executive Vice President, Protiviti

Protiviti’s quarterly financial services industry newsletter, FS Insights, has tracked the progress and reflected on the merits of the Dodd-Frank Act since its passage four years ago. After four years, we remain left with more questions than answers. Nearly half of the required rules still are not final. Debate continues about the impact of the law.

In our latest issue, we look at notable regulatory developments, such as the Federal Reserve’s approval of a final rule implementing the enhanced prudential supervision standards of the Dodd-Frank Act and the Office of the Comptroller of the Currency’s proposed guidelines for heightened governance standards for banks with assets greater than $50 billion. We posit whether the regulators might have been able to effect significant change without Dodd-Frank, since most would agree that financial institutions with strong risk management, adequate capital and sufficient liquidity are not likely to fail.

You’ll find the newsletter and the Protiviti Dodd-Frank diagnostic tool on our website. This complimentary online tool helps banking, broker-dealer and mortgage companies to identify quickly the parts of the Dodd-Frank Act that are most relevant to their business. I encourage you to subscribe to the newsletter, check out our diagnostic tool, and provide any comments or responses here.


It’s Not the Time for Banks to Abandon Vendors

By Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice

A recent article in American Banker Bank Technology News raises the prospect that stiffer vendor risk management requirements may push banks to bring more IT work in-house. Given the rigor being demanded these days, it’s hard to argue against that position, but banks and regulators alike need to be aware that this could have unintended consequences, particularly at midsize and smaller banks.

Large banks generally have the scale and skills to run IT services in-house, so insourcing to reduce the overhead of vendor management may be a viable approach. However, driving IT services in-house at smaller institutions may create a whole different set of risks. Many midsize and smaller institutions have long depended on outsourced relationships to provide essential IT services, both as a means of acquiring technical competencies and to reduce costs related to IT operations. Consequently, many lack the core competencies, experience and expertise needed to run things in-house.

I liken this a little to the do-it-yourself (DIY) phenomenon in home improvement. Although there are certainly a lot of DIY projects that people can undertake, a project such as upgrading the 1940s-era knob-and-tube electrical wiring in your home to current standards is better left to the professionals (unless, of course, you are an electrical wiring expert!).

Insourcing may also pose a secondary risk for the industry as a whole. At a time when banks need to innovate to stay competitive, banks may be discouraged from working with vendors – particularly smaller vendors – who may be creating breakthroughs. This may lead to financial institutions missing opportunities to either drive down costs or introduce new products and services, which in turn creates risk from those institutions and non-bank competitors who are more willing to work with outside providers.

Technology and data are the lifeblood of banking, so the regulatory intent to ensure accountability and governance over these critical services is undeniably correct, but banks must guard against overreacting in ways that create other equal or even greater risks. The industry needs to retain both insourcing and outsourcing as viable alternatives. Ultimately, organizations should develop an IT strategy based on their business priorities and competencies. That strategy should be supported by a well-defined IT architecture, strong IT and data governance, and – where outsourcing is dictated – sound vendor management.

And for more insights into vendor risk management, I encourage you to read the benchmark report that the Shared Assessments Program and Protiviti recently released on the maturity of vendor risk management in organizations today.