Tom Hinkel, Director of Compliance
Well, it’s that time of year, time for end-of-year checklists and look-ahead preparations for 2013. So I thought this would be a good time to provide a couple of checklists to help keep you organized next year, and just maybe a step ahead of the regulators. Checklists not only keep you organized, they encourage process consistency, and are an excellent way to document your practices.
The first checklist is from a blog post earlier this year on the changing Board of Directors annual report. We saw several examination findings this year that cited the insufficiency of the reports and requested additional details. Here is what your annual report should contain:
- A status report on your information security program. Focus on the risk assessment, making sure you’ve identified all current and anticipated threats to information security.
- Results of any and all tests, audits, examinations or other reviews of your information security program.
- Any security breaches or other incidents since the previous Board report. Include management’s response to the incident.
- A summary of your employee information security awareness training.
- The status of your customer awareness program. This is a new requirement for the Board report and originates from the updated FFIEC Internet Authentication Guidance.
- Status of your Business Continuity Program efforts, including any testing and test results.
- A summary of your vendor management program. Identify and rank all service providers according to (at a minimum) their access to NPI/PII as well as their access to confidential information.
And while we’re on the subject of vendor management, 2012 gave us plenty to talk about there as well. Specifically, new guidance from the FFIEC in the form of cloud computing statements and updated Examination Handbooks, as well as a first look at the new AICPA SOC reports which replaced the SAS 70. We also saw the FDIC issue a supervisory letter on a core provider, and then contact the provider’s financial institution customers to make sure they were aware of it. So, because it is a pretty safe bet that vendor management will remain an area of increased scrutiny going forward, here is a summary checklist for your vendor management program:
- Conduct thorough pre-contract due diligence. Don’t forget to document the strategic basis for your decision to engage the provider (particularly cloud providers).
- Risk assess each provider, and rank (or otherwise classify) them from low to high according to risk.
- Determine the controls appropriate for each vendor based on the risk. Ask yourself, “What do I need from this vendor to satisfy myself that they are handling my data as safely and securely as I would?”
- Request the appropriate risk management controls from each vendor.
- Obtain and review the information (financials and third-party reviews) that they provide you.
- Review each vendor at least annually, and more often if circumstances (yours or theirs) change.
Finally, will 2013 be the first year we’ll see CFPB examinations? They are hiring examiners now, and all indications are that we just might. Stay tuned to the complianceguru site for more on this, as well as other regulatory updates.
The compliance department has a number of other checklists and resources to help keep you organized and ahead of the regulators. Ask your Account Manager, or feel free to reach out to me directly. All the best for the holidays and a finding-free New Year!