With the ever-present threat of cyber-attacks taking its toll, information security risk has become more significant than credit risk. This makes it imperative for FIs and NBFIs not only to include information security in their overall asset-liability management programs but also to determine the cyber risk of their vendors. Financial management involves evaluating and mitigating not just information security risk, but also credit risk and compliance risk, in order to ensure the safety of a bank's portfolio.
Policies and Procedures for Risk Management
For a long time, fraud threats have been among the major risks to FIs and NBFIs. Today, banks are protected more than ever before by BSA, KYC and AML policies and procedures in conjunction with vendor management oversight. One of the requirements for institutions is to know their customers. In this regard, banks are required to do the following:
When collecting customer information, personal digital data is bound to be retained in networks and in the possession of 3rd-party vendors. This is especially the case when data collection procedures such as account opening and scanning are done online. FIs and NBFIs are required to retain digital records for not more than 7 years.
Requirements by the Bank Secrecy Act (BSA)
FIs and NBFIs are required to monitor their customer records regularly in order to safeguard themselves against criminal activities. Both Cash Transaction Reports (CTRs) and Suspicious Activity Reports (SARs) should be incorporated into BSA documentation. While these documents contain customers' personal information, SAR details should not be shared with the Board of Directors.
Requirements by the Office of Foreign Assets Control (OFAC)
Under OFAC, FIs and NBFIs are required to document their Blocked Persons List and Specially Designated Nationals (SDN) list reviews. The documented information should, however, be anonymized, i.e. it should not include names or personal information that could make a listed person identifiable.
Reasons why FIs and NBFIs Require Enterprise Risk Management
Today, many FIs and NBFIs allow their customers to open accounts online. To ensure that customer data is protected, endpoint security and encryption are required for all online data collection processes. Therefore, due diligence must be performed, especially when 3rd-party vendors are involved in collecting customer data.
FIs and NBFIs face more compliance risks than other industries. Therefore, an effective enterprise risk management system is required to manage both information security requirements and regulatory compliance requirements.
How FIs and NBFIs can Enhance Vendor Monitoring
To mitigate information security risks, FIs and NBFIs must remain agile when evaluating 3rd-party vendors. Besides ensuring the information security of the vendors they associate with, they must also ensure that those vendors remain solvent. To achieve this, many FIs and NBFIs integrate SOC 1, SOC 2, and SOC 3 reports into their vendor monitoring practices.
With many departments requiring more information in order to ensure appropriate compliance, there is a need for a management solution (other than spreadsheets) that provides the most efficient cross-departmental communication.
How FIs and NBFIs can Benefit from Blockchain
In their bid to protect transaction information, FIs and NBFIs are utilizing an emerging technology known as blockchain. This is a new technology that helps organizations build radically better and safer financial systems.
Blockchain uses encryption technology that safeguards data while incorporating the transaction's full history. Therefore, systems that adopt this technology are capable of protecting transactions while still being able to retain that history. Use of this technology enables FIs and NBFIs to meet OFAC's requirements.
Benefits of Automation to FIs and NBFIs
FIs and NBFIs retain enormous amounts of data, which makes it imperative for them to continuously monitor the controls that protect that data. Since segregation of duties is among BSA's requirements, IT teams must put monitoring controls in place to ensure appropriate system access.
There is also a need for FIs and NBFIs to have a single place where they can store their reviews. Furthermore, financial organizations may be required to prove HIPAA compliance as they add more payment organizations to their commercial account lists.
FIs and NBFIs should take advantage of automation programs to manage all the risks to their portfolios. One advantage of such programs is that they provide real-time insight into threats. Another advantage is that the programs can help track vital system updates that organizations need to safeguard their databases.
Since FIs and NBFIs are increasingly taking up healthcare payment processing, they should evaluate their data controls to ensure that they align with the requirements of the healthcare industry.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.