By Patrick Morin
Over the past several years, compliance activities have increased to keep pace with the ever expanding scope of industry regulations. Thankfully, information systems can provide significant help in carrying out regulatory activities and responsibilities, such as:
- providing security features to protect the privacy of customer information;
- automatically monitoring and alerting on pre-specified activity;
- managing processing workflows to ensure consistent and complete processes; and
- retaining required documentation in an indexed and easily available database.
Because of the effectiveness of these tools, financial institutions have come to rely on systems. However, to be able to trust these systems, financial institutions need to assess whether they have considered certain recent trends associated with their use.
Along with the growth of system use, the corresponding information systems landscape has changed in at least the four following areas:
Environment – In the past, the information system environment was much simpler. The information system was limited to one, maybe two, software applications and computers that were operated from a single facility. Now, information systems can include many different software applications that can be in a hybrid environment – some in-house, some with third-party vendors, and some ‘in the cloud’ – all at the same time.
Management – Information systems that were once centrally managed often now have distributed management, with the potential of end users having the ability to change how the system operates.
Upgrades and Updates – New development methods have replaced the former annual or semi-annual updates with rapid update cycles, which are sometimes applied automatically by the system provider.
Access Control – The single or local access points have been expanded to allow for multiple points of entry, including remote access to systems and access to master data files from additional, third-party applications.
Due to these changes, there are increased opportunities for systems to become unreliable or for information to migrate to systems of which the risk management and compliance functions are not aware. When new systems are implemented, we have noted increased, unanticipated risks to the confidentiality, integrity and availability of the information systems and data that financial institutions manage. The following examples highlight some trends we have seen and other observations we have made during recent projects:
- Cloud-based solution: A commercial lender recently implemented a cloud-based underwriting and credit assessment solution. The financial institution performed thorough due diligence of the vendor and verified that the solution is subject to routine audits, the results of which are shared. The solution provides flexible end-user configuration to customize assessment rules, triggers and reporting. Upon implementation, management deemed it unnecessary to allocate IT management oversight due to the noted “intuitive nature” of the system’s configuration utilities. The system is managed jointly by the financial institution’s marketing and lending departments. Risk noted: Some of the configurations have the potential to materially affect how the system operates, and in some cases, can result in changes to the underlying data and assessments. Without subjecting the configuration process to the financial institution’s change management process, controlled by the IT function, there is risk of loss of both system and data integrity.
- Document imaging system: A small financial institution implemented an internal, network-hosted document imaging system to capture and store all customer paper records. The solution was implemented following the vendor’s recommendation, but to save costs it was installed on a server that also provides common network space. Further, the default setup allowed more than one-third of users to modify or delete document images once scanned. Risk noted: Because the images sit on a shared server volume, scanned documents could be accessed directly through the network, circumventing the imaging system’s user controls and potentially impacting the confidentiality of the information. Further, the high number of users able to modify or delete images increased the risk of unintended loss of the documents, or of their availability.
- Informational website vendor: A wealth management group for a financial institution engaged a vendor to host an “informational” web site for prospective and existing customers. The only connection to the financial institution’s transactional banking site was a hyperlink on the web site that redirected browsers to it. During an independent vulnerability testing engagement, the gathered testing data showed that the site’s web address had changed; the timing of the change relative to the testing activities was a coincidence. Further analysis of the site data indicated that the web site had been migrated to a new web server, and that the new server was not implemented securely. Risk noted: Because the web server was insecure, and in spite of the web site’s “informational purpose,” there was increased risk of unauthorized changes to the web site (integrity), and a risk that customers’ hyperlink access to the transactional site would be hijacked (security).
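The document imaging finding above is one a risk function can check for itself: who, at the file-system level, can change or delete the scanned images outside the imaging application. The following audit script is an added example, not code from the article or from any imaging vendor; it assumes a Windows file server with NTFS permissions, and the share path and group names are placeholders to be replaced with your own.

```powershell
# Added example: report every principal that can modify or delete files at the
# root of a document-imaging repository, and flag broad groups that make the
# volume effectively open to the whole network. Assumes Windows/NTFS.
param(
    [string]$ImageRoot = '\\FILESERVER\Shared\Imaging'   # placeholder path
)

# Rights that allow a principal to change or remove stored images.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Groups that, when granted write rights, mean "more than one-third of users"
# is almost certainly an understatement. Extend with your own broad groups.
$broadGroups = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'Domain Users')

$acl = Get-Acl -Path $ImageRoot

$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries that include at least one write-capable right matter.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }

    $name = $ace.IdentityReference.Value
    [pscustomobject]@{
        Principal = $name
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited      # inherited from the shared volume?
        Broad     = [bool]($broadGroups | Where-Object { $name -like "*$_" })
    }
}

$findings | Sort-Object Broad -Descending | Format-Table -AutoSize

# Inherited write rights show that the repository simply took on the shared
# volume's permissions rather than being locked down to the imaging service.
if ($findings.Broad -contains $true) {
    Write-Warning "A broad group can modify or delete images under $ImageRoot outside the imaging application."
}
if ($findings.Inherited -contains $true) {
    Write-Warning "Write rights on $ImageRoot are inherited from the parent volume; review inheritance."
}
```

Run it from an account that can read the repository's security descriptor and compare the listed principals against the small set of service and administrator accounts the imaging application actually needs.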
As seen from these examples of risk considerations, financial institutions should conduct an assessment of the systems they rely upon for carrying out and addressing regulatory responsibilities. For each tool or data set, financial institutions should:
- Evaluate whether the financial institution’s risk management function has a comprehensive system inventory of the related systems and providers. Working with IT support, trace data, reports or tools back to the source system or environment. Once located, we recommend asking IT, “where else” at least five times, to help ensure all data storage locations are identified. Once completed, determine if all relevant systems are adequately covered in the risk assessment process, and update the system inventory as necessary.
- Assess whether adequate assessment activities have been performed. Using the system inventory described above, determine whether adequate vendor due diligence was performed during system acquisition, and, if the vendor provides ongoing support and services, whether the vendor is subject to ongoing monitoring. Further, for outsourced systems, determine whether they are subject to periodic testing and audits, with the results shared for your financial institution to review.
- Engage third-party assistance, if needed. Fortunately, no financial institution needs to complete this alone. When evaluating the systems, consider leveraging information from peer institutions that use the systems and any related user groups, and, if needed, consider hiring third-party testing vendors.
By following a periodic action plan containing these elements, your financial institution should have a good foundation for an effective assessment process.
Patrick Morin is principal of risk and business advisory for CPA firm Baker Newman Noyes. www.bnncpa.com