Rightsizing Tiered Approaches for Risk & Compliance

Last week was an active week of discussion on issues facing financial services companies. I presented at the 40th annual Roundtable for ISACA’s MN Chapter on The Next Generation of Third-Party Risk Management and attended Deluxe Exchange 2015, where an engaging keynote speech by Sheila Bair, former chair of the FDIC, highlighted critical issues facing financial reform and the financial stability of our industry.

The dialog with information security auditors and third-party risk professionals reflected the current state of protecting data today. Professionals were feeling knocked out, just hanging in, and challenged to surmount the growing work of revamping third-party risk management programs in light of the growing cyber security risks. Many events have changed our technology point of view in the last twelve months: vulnerabilities with funny names, the wake-up call of the C-Suite, and the pace of social media coverage. Breaches have gone from intrusion to disruption, changing our perspective.

In looking at the area of regulatory compliance post Dodd-Frank, the financial implications for large and small institutions are disparate, as smaller banking organizations struggle to meet the same requirements without the people, technology, or manpower to address all the administrative and financial requirements. The capital debates caused by regulations like Basel II and the Volcker Rule are driving a dialog in our nation’s capital about the need for a two-tiered approach to regulatory compliance that better aligns governance with the products, services, and scale of the financial institution.

While these events were very different in focus and topic, they gave me a chance to have one-on-one discussions with thought leaders and practitioners in risk and compliance, and I was struck by the commonalities of the challenges and of the approaches to navigating them successfully, with a simple message. It’s all about rightsizing.

Everywhere in our life we are being shown the value of rightsizing – even the government is providing us advice on our eating habits with the new food plate, stating portion size is the key to weight loss. Reflections on the root causes of the mortgage crisis that led to the financial crisis had implications for homeowners who were buying homes outside their financial ability or budget appetite – they did not rightsize and many mortgage lenders allowed that gap due to economic incentives. We say we need to understand the culture of our risk appetite in implementing risk management programs – it’s all about rightsizing.

Using a rightsize viewpoint to common risk and compliance challenges:

Information Security Audits
The heightened attention in the past year on breaches has led to an increased focus on systems and network monitoring. Log retention and review are not just post-incident activities; logs should be analyzed to detect unusual transactions or unusual behavior by employees with broad access. A risk-based approach focuses on those who could access volumes of data, not just one transaction at a time.
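As an added illustration of that risk-based focus (example code written for this post, not Deluxe’s own tooling or any regulator’s prescribed method), the script below aggregates a day of data-access log lines per user and places each user in a review tier based on how much data they touched and whether any single event pulled records in bulk. The log format, the sample lines, the user names and the thresholds are all constructed assumptions; a real program would substitute its own log source and calibrate the thresholds to observed baselines.

```python
"""Added example: risk-based review of data-access logs.

Rather than reviewing every access event, aggregate per user and surface
the accounts that touched data in volume (bulk exports, reach across
several tables) rather than one record at a time.  The log format and the
thresholds are assumptions for this example, not any institution's format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format (constructed for this example):
#   <timestamp> user=<id> role=<role> action=<verb> table=<name> records=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) records=(?P<records>\d+)$"
)

# Constructed sample: a teller working one record at a time, a DBA doing
# bulk exports, and an analyst reading in moderate batches across tables.
SAMPLE_LOG = """\
2015-02-10T09:12:01 user=jsmith role=teller action=read table=accounts records=1
2015-02-10T09:14:30 user=jsmith role=teller action=read table=accounts records=1
2015-02-10T09:20:11 user=jsmith role=teller action=update table=accounts records=1
2015-02-10T10:02:44 user=dba01 role=admin action=export table=accounts records=25000
2015-02-10T10:05:02 user=dba01 role=admin action=export table=cards records=18000
2015-02-10T10:40:19 user=analyst7 role=analyst action=read table=customers records=400
2015-02-10T11:03:07 user=analyst7 role=analyst action=read table=customers records=350
2015-02-10T11:15:55 user=analyst7 role=analyst action=read table=accounts records=120
malformed line that should be skipped
"""

# Assumed thresholds; calibrate against the institution's own baselines.
BULK_EVENT_RECORDS = 5000    # one event pulling this many rows is a bulk access
HIGH_TOTAL_RECORDS = 10000   # daily total that warrants priority review
MEDIUM_TOTAL_RECORDS = 500   # daily total that warrants a periodic look


@dataclass
class UserProfile:
    role: str = ""
    events: int = 0
    records: int = 0
    tables: set = field(default_factory=set)
    bulk_events: int = 0  # single events at or above BULK_EVENT_RECORDS


def parse_log(text):
    """Yield parsed events; lines not matching the assumed format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["records"] = int(event["records"])
            yield event


def build_profiles(events):
    """Aggregate per-user volume, table reach and bulk-event count."""
    profiles = defaultdict(UserProfile)
    for e in events:
        p = profiles[e["user"]]
        p.role = e["role"]
        p.events += 1
        p.records += e["records"]
        p.tables.add(e["table"])
        if e["records"] >= BULK_EVENT_RECORDS:
            p.bulk_events += 1
    return dict(profiles)


def classify(p):
    """Tier by volume: bulk events or a large daily total go to the top."""
    if p.bulk_events or p.records >= HIGH_TOTAL_RECORDS:
        return "high"
    if p.records >= MEDIUM_TOTAL_RECORDS or len(p.tables) >= 2:
        return "medium"
    return "low"


def review_queue(log_text):
    """Return users ordered by review tier, then by records touched."""
    profiles = build_profiles(parse_log(log_text))
    rows = []
    for user, p in profiles.items():
        rows.append({
            "user": user, "role": p.role, "tier": classify(p),
            "events": p.events, "records": p.records,
            "records_per_event": round(p.records / p.events, 1),
            "tables": sorted(p.tables),
        })
    order = {"high": 0, "medium": 1, "low": 2}
    rows.sort(key=lambda r: (order[r["tier"]], -r["records"]))
    return rows


if __name__ == "__main__":
    for r in review_queue(SAMPLE_LOG):
        print(f"{r['tier']:6} {r['user']:9} {r['role']:8} events={r['events']} "
              f"records={r['records']} per_event={r['records_per_event']} "
              f"tables={','.join(r['tables'])}")
```

The records-per-event figure is the point: the teller and the DBA may both be fully authorized, but one handles a transaction at a time and the other moves tens of thousands of records in a single action, and review effort should follow that difference rather than the raw event count.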

During third-party reviews, it is important to review how a third party manages security policy exceptions, but also the nature and risk of the exception. Materiality is critical to rightsizing the level of oversight and approvals required.

Critical Suppliers
The OCC guidance takes a “rightsize” approach – while the guidance did expand the definition of a third party, and created heightened expectations for risk and regulatory/operational risk oversight, it did not mandate the same level of oversight to all vendors.

Organizations need to tier or classify their third-party relationships by criticality (which can be interpreted as reliance) or by risk. In either case, the classification creates a tiered structure that applies more rigorous audits to the highest risk vendors. Small or lower risk services still require contractual protection, but the level and frequency of due diligence can be rightsized to the service the third party is providing.

Complaint Management
Consumer protection and UDAAP enforcement require financial institutions to monitor and address customer complaints.

Complaints can be an early indicator of potential problems in how financial products or services were sold. However, not all complaints are alike. Bottom line, most consumers don’t like fees of any kind, but it is important to put complaint management analysis into tiers to identify the common themes. Monitoring credit or refund requests and complaint-to-sales ratios can help an organization weigh or quantify which complaints may need further inspection of marketing practices. The rightsized approach focuses attention on the complaint trends that could be an early indicator of customer confusion or misunderstanding of fee structures.

Overdraft Protection
Even in the area of overdraft protection we can see a rightsized approach. High volume users of overdraft may be using it more as a payday lending solution. Proportionality of the overdraft fee to the dollar value of the overdraft is also a rightsized approach. Monitoring the volume and number of overdrafts per year can allow an organization to establish a tiered structure for users, and that information can be leveraged to identify the “right” financial products and services to meet their budget needs.

While Dodd-Frank “supersized” risk and compliance obligations, the pendulum has swung far in terms of restructuring of the financial services regulatory structure. I think the debate now will be on how to identify the mechanisms to tier or stratify levels of risk management and governance based on the size of the institution and the size of the risk. Sometimes, simple answers are the best to challenging or complex problems. We can’t eliminate risk, we need to mitigate it, but we don’t want to over engineer compliance and stifle innovation.

My new mantra for 2015 is: Let’s rightsize it.

Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs