Regulatory Compliance for Financial Institutions Term Paper

Download this Term Paper in word format (.doc)

Note: Sample below may appear distorted but all corresponding word document files contain proper formatting

Excerpt from Term Paper:

Regulatory Compliance for Financial Institutions: Implementation of a GLBA-Complaint Information Security Program

The objective of this work in writing is to examine the implementation of a GLBA-complaint information security program.

Objectives of the Information Security Program

The Gramm-Leach-Bliley Act (GLBA) makes a requirement of financial institutions to "develop, implement, and maintain a comprehensive written information security program that protects the privacy and integrity of customer records. GLBA mandates emphasize the need for each bank, thrift, and credit union agency to adopt a proactive information security and technology risk management capability. By doing so, your institution can protect information, applications, databases, and the network as part of a comprehensive information security program." (Net Forensics, 2012, p.1)

Financial institutions are required by banking regulators to "evolve beyond point-security products. You must employ an integrated security strategy that establishes perimeter security as well as security inside the network and among all databases, applications, and end-point devices such as laptops, PCs, wired and wireless devices, PDAs, and more." (Net Forensics, 2012, p.1) All devices on the network are required to collaborate "to ensure proactive security is working effectively." (Net Forensics, 2012, p.1)

In addition all devices must be adaptable in real-time to the changing profile risk and new threats to security as they happen. (Net Forensics, 2012, p., paraphrased) The FDIC reports that the Interagency Guidelines Establishing Information Security Standards (Guidelines) "set forth standards pursuant to section 39 of the Federal Deposit Insurance Act, 12 U.S.C. 1831p -- 1, and sections 501 and 505(b), 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w)." (2000, p.1)

III. Scope of the Information Security Program

According to the FDIC, the guidelines are applicable to customer information that is maintained "by or on behalf of, and to the disposal of consumer information by or on the behalf of, entities over which the Federal Deposit Insurance Corporation (FDIC) has authority. Such entities, referred to as "the bank" are banks insured by the FDIC (other than members of the Federal Reserve System), insured state branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers)." (2000, p.1)

IV. Oversight and Delivery of the Information Security Program

Stated as the arrangement for overseeing service provider arrangements are that each bank shall:

(1) Exercise appropriate due diligence in selecting its service providers;

(2) Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and (3) Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers. (FDIC, 2000, p.1)

V. Information Security Program Overview

The Information Security Program involves each bank implementing a "comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities." (FDIC, 2000, p.1) A uniform set of policies is not required to be implemented by all parts of the bank it is required that all elements of the information security program are coordinated. The bank's information security program should be designed in such a way that:

(1) Ensures the security and confidentiality of customer information;

(2) Protects against any anticipated threats or hazards to the security or integrity of such information;

(3) Protects against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and (4) Ensures the proper disposal of customer information and consumer information. (FDIC, 2000, p.1)

VI. Identification and Classification of Information Security

Customer information includes "any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates." (Purdue University, 2000) Non-public personal information means financial information personally identifiable that is:

(1) Provided by a consumer to a financial institution;

(2) Resulting from any transaction with the consumer or any service performed for the consumer; or (3) Otherwise obtained by the financial institution. (Purdue University, 2000)

This also includes "…any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived using any personally identifiable financial information that is not publicly available." (Purdue University, 2000) Nonpublic Personal Information includes such as the following:

(1) Social Security Number (SSN)

(2) Financial account numbers

(3) Credit card numbers

(4) Date of birth

(5) Name, address, and phone numbers when collected with Financial data

(6) Details of any financial transactions (Purdue University, 2000)

Stated as examples of financial activities at a college university covered by GLBA are those stated as follows:

(1) Student or other loans, including receiving application information, and the making and servicing of such loans

(2) Collection of delinquent loans

(3) Check cashing services

(4) Financial or investment advisory services

(5) Credit counseling services

(6) Travel agency services provided in connection with financial services

(7) Tax planning or tax preparation

(8) Obtaining information from a consumer report

(9) Career counseling services for those seeking employment in finance, accounting, or auditing. (FDIC, 2000, p.1)

VII. Information Security Risk and Vulnerability Assessment

In the area of managing and controlling risk, it is stated that each bank is required to:

(1) Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank's activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate: (a) Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means; (b) Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals; (c) Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access; (d) Procedures designed to ensure that customer information system modifications are consistent with the bank's information security program; (e) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;(f) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems; (g) Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and (h) Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

(2) Train staff to implement the bank's information security program.

(3) Regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the bank's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

(4) Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements of this paragraph III. (FDIC, 2000, p.1)

VIII. Management and Control of Information Security Risk

Risk assessments and controls makes the following requirements:

(1) The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program: (a) Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (b) The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and (c) The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

(2) Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the financial institution is required to consider the specific security measures enumerated in the Security Guidelines,4 and adopt those that are appropriate for the institution, including: (a) Access controls on customer information systems, including controls to authenticate and permit access only to authorized…[continue]

Cite This Term Paper:

"Regulatory Compliance For Financial Institutions" (2012, March 08) Retrieved December 5, 2016, from

"Regulatory Compliance For Financial Institutions" 08 March 2012. Web.5 December. 2016. <>

"Regulatory Compliance For Financial Institutions", 08 March 2012, Accessed.5 December. 2016,

Other Documents Pertaining To This Topic

  • Databases and Regulatory Compliance Challenges

    Databases and Regulatory Compliance Challenges The advent of technology has increased the popularity of database usage in firms, yet the legislation regulating the field has yet to be finalized. The changing nature of the IT sector, coupled with the legislative traits, creates several situations in which the companies find it difficult to comply with the regulations. This paper recognizes some of those difficulties, and also proposes some solutions. Databases Regulatory challenges for databases No

  • Compliance Manager Operates as an Independent Office

    Compliance Manager operates as an independent office within the corporation. This means that the compliance manager does not work under any of the management personnel. The reason for this is that the compliance manager must be able to maintain independent oversight of all levels within the company. The only way to achieve that is through full independence of the compliance manager. Compliance managers of individual firms are given oversight by

  • Financial Structure of Financial Environment Financial Structure

    Financial Structure of Financial Environment Financial structure is the mixture of financial instruments, financial markets and other financial institutions operating within the economy. ( Fase & Abma, 2003). Financial structure consists of a company's assets, capital and liabilities. Financial structure is also specific equity and long-term debts that firms employ to finance its business operations. Typically, financial structure of a company generally affects the business operations and value of a business.

  • Financial Managers & Compliance Managers

    Despite this fundamental difference, financial and compliance managers work together as healthcare organizations make decisions to lower cost, increase revenue, and improve care. The concept of lowering cost while improving care presents a complex demand, and requires both financial and compliance officers to possess fundamental management knowledge, and similar professional skills in order to implement accounting and ethical standards (Buelow, et al. 2010). For example, a legal requirement or

  • Financial Crisis Threat or Opportunity

    " (2009) Yam states that over the past year the need existed to involve the government more deeply in the banking industry and especially in the area of deposit guarantees and in the supervision of the risk management of banks. Yam states that it is "…gratifying that so many of the tools that we have been able to rely on, including the apparatus and contingency arrangements for ensuring liquidity, have

  • Financial Derivatives on Sub Prime Crisis

    The article that was written by Conley (2011) discusses the impact that collateralized debt obligations (CDO's) would have upon the subprime loans. These were created in 1987, by the Wall Street firm Drexel Burnham. In this product, the investment bankers would take a number of different articles and combine them together as one investment. The various assets that were used included: junk bonds, mortgages and other high yielding investments from

  • HR Functions and Compliance Process

    Compliance and the HR Functions Reviewing the laws and Identification of two HRM compliance issues Organizations as few as 14 employees are required to comply with at least 15 federal labor laws as well as some local and state laws. However, organizations that have at least 50 employees can be subject to 20 federal labor laws. Management of some small employees may believe that labor laws only pertain to large organizations, however,

Read Full Term Paper
Copyright 2016 . All Rights Reserved