Morphing consumer privacy controls, emerging investor protection issues, and the recalibration of existing federal regulations have made the global finance environment anything but static. In its 2019 report on regulations directly impacting the financial services sector, KPMG reports no less than 10 challenges on the horizon in the coming year for firms in the segment that hope to effectively curb risk and ensure operational resiliency.
Against the backdrop of these related new compliance pressures, it’s often hard for institutions to tell which workflow solutions and hacks will best fortify institutional resilience over the long haul. Here’s how three leading experts are leveraging the sacred union of security and compliance practices and technologies to rise to the challenge.
In the case of the compliance and security partnership dominating financial sector operations today, the “how we met” story is much less about love and affection than it is a functional necessity. Falling somewhere along the relationship spectrum between arranged marriage and shotgun wedding, experts on the front-line characterize this union as critical, pervasive and the linchpin of institutional longevity.
“Institutional compliance and security within the financial sector are very intertwined,” says Steve Simmons, director of security at Union Savings Bank — a Connecticut institution focused on small to mid-sized commercial and retail accounts. Charged with detecting illicit financial activity ranging from fraud and money laundering to terrorist and human trafficking transactions, his reliance on Union Savings Bank’s compliance team is substantial. “As a heavily regulated industry, a lot of what we do in the space to keep information secure is driven by government oversight and regulation. Because it’s impossible to be aware of every new requirement from a security perspective, we work in lock step with a seasoned regulatory compliance team to detect what we might miss, correctly interpret risks, and ensure we’re meeting prescribed criteria from a government standpoint.”
Weighing in from the compliance side, Jena Bjornson, Chief Compliance Officer of Kennedy Capital Management — an institutional asset management firm, focused in part on code of ethics enforcement and ensuring compliance with SEC and other industry regulations — agrees. “Because cybersecurity represents a much more critical risk today, most firms — irrespective of their size — are significantly interconnected.”
Lending context, she adds, “The relationship between compliance and security has really ramped up over the past five years. Before 2013 and cybersecurity sweep exams performed by the SEC, compliance pretty much stayed out of the IT department’s way.”
Working daily in concert with Kennedy Capital’s Director of Technology on a wide variety of business concerns ranging from business continuity and cybersecurity to recurrent SEC desktop exams, Bjornson explains that based on the reality that every administrative function within an institution relies on technology — from the CFO’s office to the legal team — and that cyberattack inroads are ever-evolving, oversight of system integrity can no longer be simply relegated to the IT department. “Given the nature of technology being used and all the potential points of weakness against malicious hacking attempts, you need a higher level of understanding surrounding electronic, physical and administrative controls to ensure all bases are covered.”
“It’s definitely a marriage,” says Judith Villareal, general counsel and Chief Compliance Officer (CCO) of securities brokerage CoreCap Investments and CoreCap Advisors in Detroit, Michigan. Highlighting the inherently interconnected relationship between compliance and security functions in the finance realm today, she is not only acting CCO of this midsized firm, but is also focused on compliance as the firm’s anti-money laundering (AML) compliance officer, information privacy officer, and information security officer, while working closely with the IT department.
Explaining the relationship dynamic at CoreCap, she shares, “Our compliance, security and IT teams all operate on a foundation of mutual respect for one another’s niche expertise and the inherent understanding of the necessity of working in concert with each other on a wide variety of initiatives — from customer vetting and anti-money laundering to meeting the operational parameters of the bank secrecy act and achieving asset and information security standards such as ISO 27001. The reality is that we can’t operate effectively without each other.”
Navigating trouble in paradise
Vital as the union may be between security and compliance, as our experts explain, it’s certainly not without challenges. From a marked lack of technologies that streamline sensitive communication in real time, to price point-accessible solutions for small to mid-sized firms, the couple’s path to ensuring institutional and regulatory integrity remains peppered with potholes — if not landmines in the immediate term.
“Compliance does not equal security,” explains Simmons. “While you can be fully compliant as an institution, that doesn’t necessarily mean customer information is secure.” Pointing to the widespread lack of real-time visibility of questionable transactions and activity within smaller institutions, he cites timely communication as the detrimental weak link in the relationship. “If compliance isn’t available the moment you need an answer, you oftentimes need to seek an answer on your own, and the additional time spent seeking those answers inherently adds to the risk.”
According to Bjornson, uneducated employees remain the leading security and compliance risk to the financial sector. “Because financial services is a money center, it’s naturally the most popular target for attacks,” she explains. “It’s not a matter of whether you’re going to get hit with something, but when. Educating employees on the universe of meaningful risks from urgent, personalized email messages urging action in the form of clicking a link, or sharing private information to web browsing certain sites is a key vulnerability.” Citing this simple but profound inroad to institutional security breaches, she adds “While you do what you can as an organization to block site access on business networks like Gmail that may harbor viruses and malware in spam folders, test around knowledge vulnerabilities, and continue to educate employees, this barrier of understanding among laypeople is ultimately how attacks continue to evolve in sophistication, targeting those not in the know.”
Pointing to not only the growing proliferation of social media and encrypted communication platforms, but also the lack of division between personal and business technologies, Bjornson highlights what is potentially the most hazardous element of finance sector security and compliance in the modern era. “In an environment that requires record review and retention, communication technologies like WhatsApp and WeChat — that encrypt and delete conversations — and social account messaging platforms also represent a challenge. Without a way to monitor financial service employee conversations that may reveal trading tips distribution or other market manipulation attempts, institutional control of that communiqué is limited to employee honor system policies.”
Citing the rapidly evolving nature of both compliance and security, Villareal shares that one of the key challenges in the finance sector today lies in its morphing complexity, which naturally requires resources and additional time to navigate as a team. “It used to be that broker dealers only needed to observe brokerage rules. However, over the past 30 years as financial firms became more integrated, so did the rules. Security and compliance for financial institutions is now very complicated. A much broader level of regulatory expertise is now required. It also bears noting that financial regulations now apply to a much broader swath of businesses with even a vague level of financial engagement, like casinos and check cashing outlets.”
“Ensuring your technology is keeping pace with what the hackers are doing is also a meaningful challenge today,” she adds. “Among the more complicated financial regulations that exist today is one held by 33 different US states that require their own special notice in the event of a breach, in addition to federal notice requirements.” Highlighting how this might play out in the event of an institutional breach, she explains, “A financial institution may well be at the mercy of 52 different sets of statutes with varying limits and regulations, have to deal with 53 regulators, risk fines and losing their registration in any number of states — as well as their eligibility for insurance — and report out of state judgments to other regulators on a mandatory basis, all of which mar its credit rating and compromise its business viability.”
The core tenets of successful partnership
So, what solutions offer the greatest value today and hold the most promise for tomorrow? Our experts weigh in with a strategic mix of technology-fueled solutions and operational tactics they believe have the wherewithal to sustain a successful financial workflow and compliance-security relationship into the future.
For his part, Simmons points to moderately priced technology platforms for the little guy. Citing highly sophisticated workflow solutions like Archer and Metric Stream currently available to large financial enterprises, he says, “While platforms that streamline vital communication between compliance and security certainly exist, given their price point to implement, customize and sustain, they’re largely inaccessible to smaller scale operations.”
He explains, “Without the benefit of expensive enterprise solutions, the standing approach to identifying and flagging respective risks in your and others’ area of operation involves adapting your workflow — not programming technology. In a perfect world, issue response for small institutions would graduate from a combination of email communication, face to face meetings and live, ongoing remediation updates to dashboard-based electronic platform communications that are accessible to teams in various locations and capable of highlighting issues in real time. Instead of reconfiguring operations to fit the technology, price-point accessible technology would serve the unfolding scenario and respective teams.”
Bjornson says multi-tasking technology solutions are the answer, “In recent years, technology companies have begun building productivity solutions with compliance in mind, effectively evolving their products to do two things — and to do them both well.” Speaking to the historic challenge of ensuring compliance for technology-reliant operational processes, she recalls, “Before, we just had to find a way to make it work, so smarter technologies are definitely benefiting compliance in a meaningful way today.”
According to Bjornson, a sample of these smart design, multi-tasking tools and platforms that work to support compliance and security include OnBase for project management, workflow and records management, Salesforce for project and relationship management, Bloomberg Terminal for trade execution approval, and Smarsh and Global Relay for email, text messaging and website archiving.
Villareal points to a combination of recurrent operational exercises and the cloud for a happy compliance and security relationship. “A key solution for keeping pace with evolving hacker threats can be incorporated into your standard, ongoing operations,” she says. “Monthly audits conducted for privacy and cybersecurity compliance can include incentivized cybersecurity training led by IT and the distribution of test phishing emails — neither of which are particularly time consuming.”
“Inspired by the events of 9/11, a solid business continuity plan that includes comprehensive offsite duplicate systems that are ready to access in the event of an emergency relocation or network compromise remains an important solution,” she adds. “Leveraging cloud technology and regular offsite backups of SEC-required records on platforms such as Office 365 from emails and text messages to social posts can serve a firm well in catastrophic events from weather to terrorist and ransomware attacks.
Happily ever after?
With open lines of communication, highly cooperative operational practices and some creative solution development, overall, our experts see a bright future for the compliance-security union.
For his part, Simmons believes that a combination of lean development and the increased scale that public cloud services are affording smaller institutions will only strengthen the union into the future. “If the recent past is any indicator of the future, rapid iteration will do a lot for smaller organizations across every industry in the future. Looking at the proliferation of newly developed and continually improved iPhone applications launched by lean start-ups — speed is absolutely the name of the game. I believe that as the cloud continues fueling rapid development and implementation of scalable new solutions, the finance industry will increasingly rely on small, third party developers to create the solutions it needs on smaller budgets.”
Cautiously optimistic, Bjornson believes that as technology continues to bake compliance into the back end of enterprise platforms and solutions, institutions can hope for an operationally streamlined — if not more secure — future. That said, she also points to human error and incident response speed as the chief hurdles to overcome on the path to realizing that future. “At the end of the day, it’s always going to be garbage in, garbage out. Technology aside, it’s critical for compliance that electronic records be indexed and legible. Today, SEC electronic recordkeeping remains difficult, messy and imperfect. As technologies and threats continue to evolve at an accelerating pace, we must also maintain a high-level understanding of risk and continue working on the interconnectedness between compliance and security professionals. From global institutions losing credit card numbers and credit agencies losing everyone’s information, we must all evolve or we won’t keep pace with emerging threats.”