Banking Industry Regulations: Don’t Burn A Hole In Your Pocket

If you ever mention the word “compliance” in a social gathering of bankers, you will evoke very animated responses from even the dullest of the dull. Regulation in the banking industry has undergone a sea change over the last ten-plus years. The result is today’s heavily regulated banking industry, which faces the challenge of fitting regulatory compliance into constrained information security budgets.

While there arguably are many regulations and standards to comply with, the right approach can ensure that compliance doesn’t burn a hole in your pocket. As a matter of fact, you can stay well within your budget and attain compliance at the same time.

The Regulatory Scene


First, a brief look at some of the important information security regulations and industry standards that banks and financial institutions are likely to encounter.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act mandates that financial institutions develop standards for administrative, physical and technical safeguards to protect the non-public personal information of their customers from being disclosed to third parties. Further guidance issued in January 2003 requires banks to take specific action to protect all information assets, not just customer information. At a high level, the GLBA requires:

• Implementing and maintaining a comprehensive and ongoing information security program.

• Assessing and evaluating threats and associated risks with the help of comprehensive risk assessments.

• Implementing controls that are commensurate with the associated risk identified in the risk assessment process.

• Instating “pretexting [1] protection,” which involves implementing safeguards against social engineering attacks, in the form of evaluations, audits and employee training.

• Oversight of service providers.


Fair and Accurate Credit Transactions Act (FACTA)

FACTA came into effect as an amendment to the Fair Credit Reporting Act (FCRA) to address the growing problem of identity theft. Financial institutions faced a mandatory deadline of November 1, 2008 to comply with the new FACTA regulations referred to as the Red Flag Rules (addressed in sections 114 and 315 of the FACTA). Compliance with Section 315 has subsequently been postponed by the Federal Trade Commission (FTC) to May 1, 2009. The Red Flag Rules require:

• Performance of on-going and comprehensive risk assessments to identify covered accounts and related threats that pose a reasonably foreseeable risk of identity theft.

• Based on the risk assessment, a comprehensive identity theft prevention program is required. Further, management and oversight of the program is required.

• The implementation of formal change of address procedures that properly verify the validity of a customer’s change of address request.

• Employee training to ensure that employees are knowledgeable in the concepts of identity theft and are fully able to recognize and counter threats posed by it.

• Development of specific policies, procedures and practices to combat identity theft.

• Oversight of third party providers.

Payment Card Industry Data Security Standards (PCI DSS)

While PCI DSS is a standard, not a regulation, this worldwide security standard is effectively as good as a regulation because the PCI Security Standards Council (PCI SSC) comprises the founding members American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. So, effectively, if you were ever planning on issuing credit cards that bear any one of these logos, you would have to comply with the PCI DSS. Depending upon the quantity and nature of transactions you process as a merchant or service provider, you may have to undergo at least one of the following:

• A network scan performed quarterly by an Approved Scanning Vendor (ASV).

• An annual on-site review and assessment by a Qualified Security Assessor (QSA) which includes a review of network security, cardholder data protection, vulnerability management, access control measures, network monitoring and testing, and information security policies.

• An annual assessment questionnaire which is a validation tool to assist merchants and service providers in self-evaluating their compliance with the PCI DSS.

• Further, the PCI DSS states that if you need to do an on-site assessment or you need to complete the self-assessment questionnaire, you need to perform external and internal penetration tests at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).


A Collective Approach


A cursory look at the regulations and standards covered above might make compliance appear too costly for any average budget. However, a closer, analytical look reveals that the key is to go about compliance with the right approach – the collective approach.

Combining requirements of different regulations and addressing them collectively will not only save you a significant amount of time and money, but will also equip you with more efficient and effective information security.

Risk Assessment

GLBA and FACTA both require risk assessments that consider all reasonably foreseeable threats and then require implementing controls that commensurately address the risks identified. While the focus of the risk assessments is slightly different - GLBA emphasizes information security and FACTA underscores identity theft - resources to conduct them can be greatly reduced if the logistics are carried out in a parallel fashion.

Key risk assessment components, such as asset identification and classification, threat identification and analysis, and safeguard identification and implementation, can be performed to collectively address the requirements of both the GLBA and the FACTA. Information security and identity theft are areas of considerable overlap; one cannot really be considered without taking the other into perspective. So it is fitting that these be collectively addressed even though they may be documented separately for compliance purposes.

Comprehensive Program

GLBA and FACTA both require a comprehensive program document that addresses information security and identity theft. While the program documents would need to be separate, a number of key components are closely tied and at times the same. For instance, aspects such as logical/physical security, incident response, service provider oversight, legal issues, and help desk would actually be better addressed if they were viewed from the angles of information security as well as identity theft.

Penetration Testing and Vulnerability Assessments

GLBA regulators often look for evidence that penetration testing and vulnerability assessments are performed, at least at a network level, on a periodic basis. Under the GLBA, penetration tests and vulnerability assessments need to be conducted in conjunction with risk assessments. Under PCI DSS, the likelihood is high that quarterly network scans will need to be performed. Also, external and internal penetration testing is a requirement under the PCI DSS. The penetration tests and vulnerability assessments you perform to address GLBA requirements can go a long way in helping you comply with the PCI DSS.

If external and internal penetration tests are performed and followed up rigorously and comprehensively, your organization’s security will increase greatly and you will have no need to engage in any additional efforts to comply with the PCI DSS requirements on both quarterly scanning and penetration testing. Further, if you were to undergo an on-site QSA audit, vulnerability assessments done diligently will leave the assessor fewer stones to turn.


Social Engineering

Social engineering evaluations are performed to find out how weak your weakest link is. People are deemed the weakest link in information security because their helpful nature often leads to disclosure of sensitive information. Newer techniques such as phishing [2] and vishing [3] have proven to be quite successful for hackers. While social engineering evaluations are highly encouraged for GLBA, since they offer steps against pretexting, they also serve as exceptional tools to counter identity theft. Identity thieves are often very clever and skilled at using social engineering, so social engineering evaluations can be highly effective in combating the threat. The evaluation results can then also be presented to FACTA regulators as additional steps being taken at the organization to address identity theft, demonstrating organizational responsibility to regulators.

Employee Training

Information security and identity theft are, without doubt, two areas that can benefit the most from employee training. An employee educated in the risks that he/she may face on the job that could seriously undermine the organization’s reputation and sustainability can often avert serious security or identity theft incidents.

Employees are best trained on information security and identity theft simultaneously. Employees need to know where these two areas overlap, because an incident in one area could almost immediately impact the other. From a regulatory standpoint, a clearly common aspect about employee training as required by the GLBA and the FACTA is that the training needs to be a co-ordinated effort between different areas of the organization. Hence, it should be provided to the entire enterprise and must have the clear support and direction from the board of directors.

A collective training program encompassing information security and identity theft, and further tailored to meet different audiences within an organization, will minimize resource expense and result in a well-trained, intelligent, and efficient workforce.

Service Provider Oversight

With the growing reliance on outsourcing, the important element of oversight is often overlooked. It is important to remember that work sent outside the organizational perimeter is still the organization’s own work. An issue as sensitive as information security is vital to an organization’s reputation. It is essential to ensure that a service provider is as secure as you are. The regulatory requirement aside, a responsible attitude towards service provider oversight is a fundamental building block of information security.

The GLBA and the FACTA both require diligent service provider oversight. Ensure that due diligence is exercised during service provider selection. Service providers should be required by contract to implement appropriate safeguarding measures. Service providers should also be required to immediately notify the parent organization of any security breach at their end. Service provider oversight measures, supported by ongoing monitoring, can go a long way to ensure a robust information security environment, and at the same time they will bring you GLBA and FACTA compliance in a single effort.


Smart Compliance


Ever-growing regulatory requirements and limited information security budgets can be a challenging conflict. Yet organizations cannot forego one for the other. All regulatory requirements come with heavy penalties for non-compliance. It is vital that requirements from different regulations be coupled and addressed collectively.

Bear in mind that regulatory compliance is just one side of the coin. The reputation and sustainability of an entire business is in question when it comes to information security. Implementing the collective approach in a methodical and goal-oriented manner is essential to manage enterprise risk the right way.

References

1.

2.

3.


Enterprise Risk Management: At a Glance

ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.

ERM wants to hear from YOU….

With this edition of our newsletter, we’re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to

For more information, visit

E-mail: Phone: 305-447-6750

800 Douglas Road North Tower, Suite 835 Coral Gables, FL 33134





• IT Security

• Regulatory Compliance

• IT Audit

• Computer Forensics

• Risk Management

• Attestation





• Certified Public Accountant (CPA)

• Certified Information Systems Security Professional (CISSP)

• Certified Information Systems Auditor (CISA)

• Certified Information Systems Manager (CISM)

• Certified Information Technology Professional (CITP)

• GIAC Security Essentials Certification

• GIAC Systems and Network Auditor

• Qualified Security Assessor (QSA)

• Approved Scanning Vendor (ASV)

Some of our Clients


• ABN-AMRO Private Banking

• Bacardi-Martini, Inc.

• Bancafe International

• Banco Industrial de Venezuela

• Banco ITAU

• Bank United

• Caja Madrid Bank

• Carnival Cruise Lines, LLC

• CitiBank

• Coconut Grove Bank

• Commerce Bank

• E-data Financial

• Florida International University

• Florida Power & Light Company

• Heico Aerospace

• Helm Bank

• Knight Ridder

• Nova Southeastern University

• Rinker Materials

• Rudy, Exelrod & Zieff, LLP

• Seabourn Cruise Line

• TecniCard, Inc.

• The International Bank of Miami

• TransAtlantic Bank
