A review of compliance requirements faced by financial sector organisations
Authored by James Carver, Managing Director, Business Continuity and Risk Management, Onyx Group
Compliance Requirements in the Financial Sector
Banking and financial services companies are faced with increasingly stringent compliance requirements when managing their data. Compliance requirements can relate to anything from data backup to how the original data is stored, creating a need for safe and reliable data storage solutions.
A number of high profile cases have been reported involving inaccurate records and data loss, as a result of failing to comply with regulations. Most recently, in October 2012, the Financial Services Authority (FSA) fined the Bank of Scotland (BOS) £4.2 million1 for failures in their systems which meant it held inaccurate mortgage records for 250,000 of its customers.
It is vital to protect any information that relates to any transaction or that could be used as part of a transaction. As a result, every stage of communication, whether it is written or verbal, needs to have an audit trail and be defendable against litigation. For example, it is common practice for voice recordings to be taken and emails to be archived and stored securely.
Each “type” of data has a life cycle and generally each organisation will employ a compliance officer to ensure that it is handled in line with regulations. Depending on the institution, the number of compliance requirements can vary. Guidelines exist to help individuals manage processes and safeguard against risk, such as data loss and the illegal use of privileged information. Data backup strategies are recommended to protect against accidental deletion of data, virus outbreaks, floods or fires, disk failures or theft.
Organisations and institutions that might be making investment decisions for financial institutions, such as pension funds, are also guided and protected by regulatory compliance. In addition to this, some organisations can operate on both sides of a “deal” so they might be offering advice to both buyers and sellers. When this is the case, there needs to be clear, demonstrable demarcations with data and user separation, so as one discipline does not influence the actions of the other.
What do I need to adhere to?
There are a number of regulations that must be adhered to in order to ensure that data is safe and secure. For example, the AICPA (American Institute of Certified Public Accountants) developed and maintains the SAS 70 (Statement on Auditing Standard 70)2, which relates to the processing of transactions by service organisations and can be used to show transparency to customers and regulatory bodies. Some of the many service organisations that are guided by this include insurance claim processors, credit processing companies and clearing houses.
The SAS 70 audit has grown increasingly popular with the implementation of the Sarbanes-Oxley Act of 2002, which suggests using SAS 70 as an important resource to show the effectiveness of a service organisation’s internal controls and data security safeguards.
Overcoming Compliance Challenges
It can be challenging for companies to fully understand compliance requirements as their interpretation can differ from the Financial Services Authority’s (FSA) understanding. For example, regulatory guidelines often use phrases such as “we would expect a company operating in this market to have effective disaster recovery (DR) procedures”, giving an element of choice as to whether companies wish to do so, or as to whether that provision is adequate. Another example is the discrepancy in the area of taking voice recordings from mobile phones. While some companies strictly adhere to regulations and record mobile phone conversations, others simply use internal company policy and ban mobile phone use, but then do not log instant messaging (IM) or conversations via online chat services. These discrepancies can often result in companies receiving fines for non-compliance. Further confusion results when the fines are higher than what the company expects to receive.
Companies like ourselves can offer advice and experience to assist in the understanding of compliance requirements but ultimately the banking or financial services firm must make their own interpretation of their compliance position and the rules, based on the market(s) they operate in, who they service and risk.
Due to a growing need for transparency, companies can be asked to prove that they are adhering to legislation at any time and therefore must have the necessary data security tools in place.
There are a number of IT solutions that have been verified after intense scrutiny from the regulatory authorities and that are known to comply with what an organisation would be expected to present to any regulatory body.
These include email archiving and voice recording technologies, as well as full DR solutions to protect a business’s IT infrastructure in the event of floods, fires or theft, for example.
Some of these types of records have been used in the Leveson Enquiry for example and the Libor scandal, in which Barclays was fined £290m in June 2012 after some of its derivatives traders were found to have attempted to rig the London inter-bank lending rate, which is considered to be one of the most crucial interest rates in finance.
In such cases, banks are expected to be able to produce communications in support of both their version of events and to defend against allegations.
From a DR perspective, many companies gain commissions on trading on markets, or need to make decisions on market changes. Being off-line means they cannot earn commissions or react to change and revenues can be affected. As such, they have very tight Recovery Time Objectives (RTOs).
It is fundamental that all businesses, ranging from small and medium-sized enterprises (SMEs) to multinational corporations (MNCs), implement a comprehensive data back-up system to reduce the risk of data loss.
The agility of “Cloud Storage”, in which data is stored in virtualised pools, is growing in popularity due to its many benefits. These include eliminating the need for physical storage space and reducing energy consumption, which in turn lead to cost savings. Hosting providers operate large data centres and companies that require data hosting buy or lease storage capacity from them. This also adds flexibility as storage space can be easily scaled up or down depending on the requirements of the organisation.
Cloud back-up solutions are highly secure, incorporating bespoke encryptions and security practices such as enterprise-grade firewalls. As an example, Onyx Group’s Cloud Backup provides military-grade encrypted online duplication of source data into secure storage vaults at ISO27001 accredited data centres. This data is then replicated between geographically diverse facilities for added resilience. Peace of mind is provided as 24/7 high-specification security systems and personal monitoring are in place at each data centre.
It is also important to consider authorisation rights and assess who in a company should be able to access specific data. Usage rights can be determined with passwords that give access to different areas of the IT system depending on job role.
The safeguarding of data in the banking and financial services sectors is crucial due to the confidential nature of information. Using cloud solutions to backup and store data gives companies the flexibility to choose between backing up data every second, hour, day or week, helping organisations to comply with stringent regulations.
Multiple data centres provide peace of mind so, if data is lost, it is backed up elsewhere, enabling business continuity. Workplace recovery centres are also in operation, meaning office space is provided to companies in the event that their workplace is inaccessible. Data can then be accessed from the relevant data centre, restoring business operation with minimal or no downtime.
2. AICPA (American Institute of Certified Public Accountants) SAS 70 (Statement on Auditing Standard 70)
3. Sarbanes-Oxley Act of 2002, http://www.soxlaw.com/
4. Leveson Enquiry, http://www.levesoninquiry.org.uk/
5. Libor scandal, http://www.bbc.co.uk/news/business-18671255