Compliance with the Bank Secrecy Act (BSA), which is the primary law directing banks to develop anti-money laundering (AML) programs, has never been easy. So it should be no surprise that as cybersecurity threats continue to proliferate in the modern era, AML compliance has become increasingly challenging.
Financial institutions (“FIs,” primarily banks) and non-bank financial institutions (NBFIs) struggle under the weight of risk management obligations and often enlist software vendors to help them fulfill regulatory requirements and support their financial risk management strategies.
Enterprise risk management (ERM) solutions give businesses in the financial services sector compliance management protocols and comprehensive risk assessment, which helps financial firms make better decisions and transform their business processes to mitigate identified risks. ERM works by connecting a firm’s governance, risk and compliance (GRC) objectives to operations and performance goals with flexible reporting, pre-built risk registers and templates, customization, and support when a financial firm needs it.
What is financial risk management?
Financial risk management involves assessing and mitigating risks to a bank’s portfolio as well as reducing operational risk within its banking systems. Since FIs and NBFIs handle sensitive information, they need to determine not only their own organization’s cybersecurity risks but also those of the vendors they use.
As security risk management becomes more important than credit risk management, FIs and NBFIs need to address information security as part of their overall asset-liability management programs.
Banking Risk Management Challenges
As we mentioned earlier, compliance with the Bank Secrecy Act is a high priority for FIs and NBFIs. The BSA directs financial firms to develop AML compliance programs, and more specifically to develop “Know Your Customer” (KYC) policies and procedures to identify suspicious activity. Meanwhile, various U.S. sanctions rules, enforced by the Office of Foreign Assets Control (OFAC), also require financial firms to monitor customer activity.
Know Your Customer
KYC policies and procedures require collecting the name, address, date of birth, and other identifiers (Social Security or passport numbers, for example) of customers. AML compliance rules require businesses to document this information, to prove that they’ve performed due diligence on their customers.
For commercial accounts, FIs and NBFIs must not only collect personal information about the individuals using the accounts, but also business information such as articles of incorporation and tax identification numbers (TINs).
AML and KYC regulatory requirements also require that most documents collected be stored for five or seven years. Since much of this documentation now exists in digital form (scanned documents, or records created through online account-opening procedures), customer data may remain on your own corporate networks, or on those of your technology vendors, for years.
Bank Secrecy Act and Office of Foreign Assets Control
The Bank Secrecy Act and OFAC sanctions regulations require financial firms to monitor customer transactions for criminal activity. When FIs and NBFIs detect troubling transactions, they are required to file reports such as Suspicious Activity Reports (SARs) and Cash Transaction Reports (CTRs).
SARs and CTRs do contain personal information about the customers, so they must be kept confidential. Details of SARs cannot even be shared with the board of directors.
OFAC requires that FIs and NBFIs cross-check their customers against the agency’s “Specially Designated Nationals and Blocked Persons List” (known as the SDN List), and document those reviews for OFAC monthly, although the information must be anonymized. This anonymization includes removing names or information that could identify someone listed.
Where Enterprise Risk Management Overlaps With FI Compliance
Financial firms have always been highly regulated. Now, because their compliance obligations keep overlapping more and more with routine business operations, the firms’ enterprise risk management efforts overlap with their compliance efforts as well.
For example, FIs and NBFIs increasingly allow online account opening. These processes require endpoint security and encryption to ensure ongoing data protection. When the firms rely on technology vendors for parts of the account-opening process, they must also assess and monitor the cybersecurity of those vendors.
Those tasks are onerous under the best of circumstances. When firms try to handle the burden with traditional desktop technology (that is, spreadsheets) and manual procedures, achieving compliance becomes overwhelming.
How NBFIs and FIs can monitor vendors
Vendor management in the financial arena has long created a compliance hassle. Not only do FIs and NBFIs need risk management processes that assure that their vendors will remain financially solvent; they must also assure that their vendors have sound cybersecurity practices so the firms can trust those vendors to handle sensitive data.
Many FIs and NBFIs incorporate SOC 1, SOC 2, and SOC 3 reports as part of their vendor management practices. That’s a good start, but vendor risk management can’t end there. With more parts of the financial firm needing more information to assure appropriate compliance, the firms need a management solution that streamlines communication.
How automation enables agility in compliance
As fintech drives more financial services, FIs and NBFIs need to re-evaluate their monitoring activities.
First, FIs and NBFIs must continuously monitor their controls to keep data in their possession protected and secure. Additionally, BSA compliance requires the segregation of duties. These requirements place burdens on information technology teams who must ensure appropriate system access. Thus, monitoring controls become even more critical.
ZenGRC’s ERM software provides real-time insight into threats. Our risk heat maps can help FIs and NBFIs track critical system updates needed to protect information.
When engaging in vendor due diligence, FIs and NBFIs need a single place to store their reviews. Not only does ZenGRC provide the location, but it also allows organizations to track vendor responses. Our PCI DSS compliant questionnaires allow FIs to track their credit card partners and ensure compliance.
Additionally, as banks look to add more payment organizations to their commercial account lists, they may need to prove HIPAA compliance as well. For example, if a bank becomes a payment processor for a healthcare provider or service, its risk management tools should evaluate data controls to align with the healthcare industry’s requirements.
With ZenGRC’s risk management platform, banks can perform a gap analysis, create business continuity plans and a risk framework, and determine the additional steps necessary to mitigate risk.
For more information on how ZenGRC empowers financial institutions, request a demo.