Compliance Building

These are my notes from the NRS Fall Compliance Conference.

Robert B. Hirth, Chairman, Committee of Sponsoring Organizations of the Treadway Commission
Fred Shane, Chief Risk Officer, Commonwealth Financial Network

Should CCOs be Taking on the Additional Role of a Chief Risk Officer?

It Depends, of Course
• Compliance requirements, degree of regulation, risk
• Objectives
• Complexity
• Size
• Ability to source talent
• Peer companies
• Regulatory constraints
• NO single right answer, NO one size fits all

The SEC is starting use concepts of risk measurement in their inspection program.

SEC’s “Core Initial Information Examiners Request of Investment Advisers” includes the following:

• “On-going Risk Identification and Assessment Inventory of compliance risks that forms the basis for policies and procedures and notations regarding changes made to the inventory.
• Documents mapping the inventory of risks to written policies and procedures.
• Written guidance provided to employees regarding compliance risk assessment process and procedures to mitigate and manage compliance risks.”

The SEC has published an “Investment Adviser Scenario Analysis/Risk Matrix” on its web site: http://www.sec.gov/info/cco/cco_matrixguide.pdf

The SEC has also published a “Risk Inventory Guide” on its web site:  – http://www.sec.gov/info/cco/red_flag_legend_2007.pdf The Guide lists twelve categories of risks for an investment adviser. According to the SEC,

“[a]s a CCO responsible for your firm’s compliance, you should determine what risks are present and how they might affect your firm and its operations, assess whether the controls in place to manage or mitigate these risks are adequate, and make or recommend modifications to the compliance policies and procedures as necessary.”

Risk management is a bigger scope than compliance.

Risk Reporting and Tracking

Use a Risk Management Database

• Impact Risk
• Likelihood Risk
• Vulnerability Risk
• Priority Risk
• Velocity – how fast does it happen?
• Persistent – How long is the impact?

Internal controls – GO beyond the brute force automated systems and think of them as control activities. Meetings can be a control.

Update articulates principles of effective internal control

Control Environment

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

These are my notes from the NRS Fall Compliance Conference.

Ted Kobus, Baker Hostetler
Karen M. Aavik, First Niagara Financial Group
Tammy Eisenberg, CLS Bank International

In 2012 the average cost of a data breach was $5.4 million. IBM 2014 Cost of Data Breach Study

More breaches happen from lost laptops and media than third-party hackers. Malicious employees may steal information. Ill-informed employees may leave systems open inadvertently. Also keep an eye on employee’s departure. Make sure you shut down the employee’s remote access.

Malware is hard to stop, but it takes a concerted effort. Phishing and spear-phishing are more common. The attacker tries to cause you to voluntarily open a breach by giving them your account information and password.

Vendors cause a substantial portion of breaches. They may not be as careful as you. At the end of contract, you need to make sure you get the data back and they delete the information.

Data Breach Decisions

• Is it a breach?
• Who are the key internal personnel that should be involved in the response?
• Do you involve law enforcement?
•  Do you hire a forensics company?
• Do you retain outside counsel?
• Do you involve regulatory agencies?
• Is crisis management necessary?
• Do you offer credit monitoring?
• Do you get relief from a “law enforcement” delay?

One silver lining. You will be better prepared for the next breach.

What do regulators expect?

• Transparency
• prompt and thorough investigation
• Corrective action
• appropriate and prompt notification to regulators and customers

Best practices

• Prepare and practice a response plan
• respond quickly
• Bring in the right team
  • Preserve evidence
  • Contain & remediate
  • Let the forensics drive the decision-making
  • Law enforcement
  • Document analysis
  • Involve the C-suite
  • Plan for likely reaction of customers, employees, & key stakeholders
  • Mitigate harm

FTC Recommended Internal Safeguards

Over 50% of data breaches originate from inside the company.
Train and retrain all employees to:
(1) Limit access to customer information to employees who have a business reason to view;
(2) Secure deal jackets and information;
(3) Lock rooms and file cabinets;
(4) Use strong passwords on computers (and don’t share);
(5) Remove access for terminated employees;
(6) Securely dispose of customer information;
(7) Think about what data is provided to a vendor;
(8) Protect customer information.

Identity Theft Red Flag Rules

The key is to see if you are a “covered account” or “financial institution”

Policies/procedures must be based on a periodic identification of client accounts and a risk assessment of potential identity theft, including:
– account opening processes;
– account access processes; and
– previous experiences with identity theft.

The procedures must include the following four elements:
– identifying red flags;
– detecting red flags;
– responding to red flags; and
– periodically updating the program.