05:40 PM
Nancy Feig


Banks are trying to leverage enterprise compliance technology to improve effectiveness and efficiency while driving business value.

The basic goal of regulatory compliance is simple: Stay out of trouble. Likewise, the main criterion for compliance technology has been to reduce a bank's compliance risk -- including the risk of legal or regulatory sanctions, financial loss, or damage to reputation and franchise value. But banks are beginning to view compliance initiatives more strategically -- with an eye on future regulatory requirements as well as the bottom line. As a result, they are looking for ways to leverage their compliance programs and technology in ways that will maximize their investments.

As compliance pressures continually increase, they have become a business issue more than just a technology issue. And banks' business leaders are starting to demand more holistic and cost-effective approaches to compliance. According to industry experts, in addition to saving money, an enterprisewide compliance platform can help banks become more responsive, accurate and forward-thinking in their compliance and risk-management activities.

Compliance Tech Tips

1. Start by defining your governance, risk and compliance (GRC) vision.

2. Develop your long-term strategy for GRC.

3. Be selective about the platform you choose.

4. Get your feet wet first -- don't try to swallow the ocean.

It is essential to have the right enterprise systems in place to mitigate the cost of complying with future requirements, says Miles Everson, a partner with New York-based PricewaterhouseCoopers. Traditionally, he notes, banks have used a Band-Aid approach to compliance technology, waiting until they have a compliance mandate and then slapping a solution in place to address that particular issue. But eventually, Everson adds, it will dawn on bank executives that there is a better way of deploying compliance solutions.

Banks also are starting to get the message from regulators. "Regulatory expectations are quite clear," Everson says, noting that regulators -- and customers -- view financial institutions as one company, not separate business units. As a result, they expect banks to implement enterprisewide systems, he says.

Federal Reserve Gov. Susan Schmidt Bies, for example, has been a vocal proponent of an enterprisewide approach to compliance and risk management, although she stops short of endorsing any particular technology. In October, Bies, speaking at the American Bankers Association's (ABA) annual convention, said that such a program should be "dynamic and proactive, meaning it constantly assesses evolving risks when new business lines or activities are added, or when existing activities and processes are altered."

Federal regulators have said that they expect a bank's compliance/risk management program to adequately identify, measure, and monitor and control the compliance risks involved in its organization. Further, a bank's compliance technology should add an element of automation to such a program.

However, experts and bankers alike warn that, for an enterprisewide compliance/risk management platform to work, both business and technology leaders must see beyond established silos. "We have seen organizations silo critical compliance information rather than share it with all levels of the organization, which can handicap an organization's ability to identify systemic risks," observed Federal Reserve Gov. Mark W. Olson in a June 2006 speech to the ABA.

A 'C' Change

To ensure a holistic approach, many banks have elevated authority for compliance and risk initiatives to the C level. As chief risk officer for Cherry Hill, N.J.-based Commerce Bancorp ($39.5 billion in assets), James L. Gertie oversees a team of 140 people divided into audit, consumer/deposit compliance, AML, credit risk review, analytics and operating risk. The team helps Gertie handle the demands put on the bank from its many regulators, including its principal regulator, the Office of the Comptroller of the Currency, as well as the Federal Reserve, the FDIC, the state of New Jersey, the NASD and the SEC.

Commerce Bank developed an overall compliance framework that is based on an in-house-developed middleware system, according to Gertie. In searching for an enterprise compliance platform, he relates, the bank failed to identify an off-the-shelf solution that would serve all of its compliance needs. "We're using a combination of Excel workbooks and Access databases effectively, but there are no great technology solutions for a central, organizationwide compliance and risk management function," Gertie contends. "More often you go to consultants who will develop a solution that hooks into what you do have. If you are going to do that you may as well do it yourself," he says.

"We work with the business units, educate them, make sure they design processes that ensure compliance, then we test them to make sure those processes are effective," Gertie continues. "We are not sitting back here with some 'ta-da' system in the middle, saying we've got all the answers."
