IT Compliance with a Side of Banking

By Patrick Whelan

It’s not breaking news that compliance around information technology has become an ever-growing hindrance to community financial institutions that fall under the guidelines of the Federal Financial Institutions Examination Council. With the onset of the Gramm-Leach-Bliley Act in 1999, protection of customers’ private information became paramount overnight. The mindset of “information technology is fine as long as it works” was no longer acceptable.

Information technology now requires policies that govern all aspects of IT, documenting the existence of required controls. From the way bankers interface with their customers to the way records are stored, the operations and client deliverables of financial institutions have gone digital. This has resulted in institutions taking greater measures to ensure the confidentiality, integrity and availability of the digital processes of banking.

Needless to say, Hurricane Sandy increased awareness of the importance of availability. Just as institutions were starting to understand that customer risk was the same in smaller institutions as in large ones, along came the largest natural disaster to hit the East Coast in decades. The impact of Hurricane Sandy increased the focus on and attention to controls and redundancy of the institution’s computing infrastructure. Institutions were forced into a real-life disaster scenario and had a front row seat to witness how well they had prepared for unforeseen scenarios.

Community financial institutions were at a severe disadvantage when it came to redundancy and geographic dispersion of information technology assets. Unlike mega and super-regional banks, whose primary and secondary sites can be hundreds and thousands of miles apart, it is not uncommon for community banks to have disaster and recovery sites five to 30 miles away from their primary infrastructure. This scenario works well for a building-specific scenario, but falls short when facing regional disasters. Regional blackouts, snowstorms and terrorist attacks are now a part of all disaster and recovery planning.

A question for every banker: “Why do your customers keep their funds with you?”

The benefits of keeping your money in a financial institution are by no means limited to the following points, but as it relates to infrastructure, consider the following:

  • Institutions have a safe that slightly trumps the firebox stored under one’s bed; not only is it impressive in size, but it’s under constant surveillance from both human and mechanical controls. Security of the customer’s funds is carefully taken into account, and the funds are ultimately insured for up to $250,000 in deposits.
  • One would look a bit out of place traveling with this firebox on daily errands or vacations, so ease of access is a huge bonus. From widely accepted debit cards to ATMs, funds are much more accessible. If you are not big on recounting your chips after every hand, you run into an issue of knowing exactly how much your assets in the firebox are worth. Online banking has since taken over from passbooks, but financial institutions, in one way or another, provide up-to-date information about what customers’ assets are worth and where they reside.
  • There is a financial benefit to gaining interest on funds stored in financial institutions, whereas the funds in one’s mattress continuously lose value at the rate of inflation.

From an infrastructure standpoint, we have seen these same benefits come from institutions moving their infrastructure to redundant enterprise data centers. Cutting through the ambiguity of fancy cloud terms, data centers have been built out in order to serve some of the very same needs as vaults in financial institutions. The need to have readily available, on-demand, secure infrastructure at a predictable cost – as opposed to wondering what is going on and where all the investments go in the room with all of the wires – has proved to be a great benefit.

Outsourcing has become increasingly important to community financial institutions’ competitive advantage, and technology is no exception to this. No longer do your facilities need to be built around a scaled-down data center – you simply build a bank and plug into an enterprise desktop-as-a-service solution. By paying a monthly fee based upon the requirements of the institution, you shift the risk from the institution to the vendor. There is no longer a need to take the chance of spending hundreds of thousands of dollars on devices, only to find out, when you are acquiring a bank or building branches, that your technology investment is undersized to handle the growth. The vendor now has the responsibility to build out and maintain a scalable environment that can be spun up to handle the institution’s terminal and application needs as they arise.

Executive meetings should not be inundated with talks around generators, separate zone cooling, fire suppression, terabytes and megahertz. The ability to partner with a banking-specific outsourced provider of service bureau IT allows the institution to focus on innovative competitive advantages, as opposed to weighing out the risk of the devices that support these efforts.

Patrick Whelan, CISA, is a strategic consultant focused on security, compliance and infrastructure planning for community financial institutions. He may be reached at or (908) 596-0843.