GREP-BLOG

Saturday, 14 June 2014

Key Selected Financial Services IT Regulatory Requirements

Below is an incomplete list of key selected financial services IT regulatory requirements that should be considered when developing an IT risk and controls framework or assessing IT risks and controls. This list is by no means complete and I am working on a more comprehensive list and associated mappings that I will share in due course. I thought I'd share the list as I developed it and I hope it is found to be useful. If anyone has any feedback or additional regulatory requirements they'd like to see in this list please let me know. This may be used as guidance but you should do your own due diligence to ensure that you've looked at all the relevant regulations for your particular organisation.

Key IT risk and control regulations and associated guidance as at June 2014

US
  • Sarbanes Oxley Act 2002 Section 404 (SOX 404)
    • States management's responsibility for establishing and maintaining “adequate” and “effective” internal controls over financial reporting, with this being independently attested to annually. The controls in scope were historically derived from the guidance in PCAOB AS2, which has now been superseded by AS5 (see PCAOB in this article)
  • Gramm-Leach-Bliley Act of 1999 (GLBA)
    • Section 6801 and section 6805 in Title 15 of the US Code applies the Gramm-Leach-Bliley Act of 1999 (GLBA) to financial institutions including Bank holding companies.
    • Section 501(a) of the GLBA sets out the “Privacy obligation policy” which requires that financial institutions have an obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.
    • Section 501(b) of the GLBA introduced the “Financial Institutions Safeguards” requirement that requires financial institutions to implement administrative, technical and physical safeguards to ensure the confidentiality, security and integrity of customer information
    • Further guidance as to how to establish these safeguards is provided by CFR Regulation Y - Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards. These guidelines were developed by the member agencies of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC publishes examination handbooks that apply to the examination of a financial institution's operations and all related data, and these serve as a supplement to the agencies' GLBA 501 expectations
  • FFIEC IT Examination Handbooks
    • The FFIEC IT Examination Handbooks cover examinations of IT controls pertaining to Audit, Business Continuity Planning, Development and Acquisition, E-Banking, Information Security, Management, Operations, Outsourcing Technology Services, Retail Payment Systems, Supervision of Technology Service Providers (TSP) and Wholesale Payment Systems.
    • These handbooks define a number of IT controls along with supplementary guidance such as referencing Cobit and ISO 27002 as external guidance in the IT Handbook for Information Security.
  • FINRA Rule 1230(b)(6) stipulates that senior management or their designated persons are responsible for covered operations which includes:
    • At Rule 1230(b)(6)(xiii) definition and approval of sales and trading systems and other systems related to FINRA covered functions and validation that these systems meet the defined and approved business requirements.
    • At Rule 1230(b)(6)(xiv) definition and approval of business security requirements and policies for information technology, including, but not limited to, systems and data, related to covered functions; and
    • At Rule 1230(b)(6)(xv) definition and approval of information entitlement policies relating to covered functions;
  • PCAOB Auditing Standard 5 “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements”
    • Provides guidance to auditors in attesting to a company's internal controls, including IT, specifically recommending that the auditor understand how IT affects the company's flow of transactions and apply paragraph 29 and Appendix B of Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement. These standards are the primary standards used in undertaking assessments of internal controls in the US.
  • Office of the Comptroller of the Currency (OCC) Bulletins
    • OCC Bulletin 2013-29 (October 2013) provides risk management guidance with respect to third party relationships, including coverage of the topics of information security, management of information systems and resilience. The OCC “expects” that banks monitor third parties as an ongoing process and that this should include “information technology used for the management of information systems” and “the ability to respond to and recover from service disruptions or degradations and meet business resilience expectations”
    • OCC Bulletin 2006-39 requires that information security and data protection be maintained for Automated Clearing House (ACH) activities
    • OCC Bulletin 2008-16 (May 2008) “expands” on the FFIEC Handbook on Information Security and Development and Acquisition by “reminding” banks and their technology service providers that all applications whether internally developed, vendor acquired or contracted for, should be subject to appropriate security assessment and mitigation processes. The key factors this issuance outlines that should be considered are:
      • Accessibility of the application via the internet
      • Whether the application processes or provides access to sensitive data
      • How the application is developed (in-house, vendor acquired or contracted for)
      • Extent that security practices are used in the application's development process
      • Existence of an effective on-going vulnerability management process
      • Existence of periodic independent application security assurance
  • Federal Reserve Guidance on Managing Outsourcing Risk (December 2013)
  • Health Insurance Portability and Accountability Act 1996 (HIPAA) requires that a person who maintains or transmits health information is required to maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of that information.
  • Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) Stress Tests (DFASTs) and the Federal Reserve's Comprehensive Capital Analysis and Review (CCAR) stress tests. The Dodd-Frank Act and Federal Reserve Board requires that effective systems and controls are maintained to provide accurate and reliable reporting required for these annual stress tests returns.
    • Section 165(i)(2) of the Dodd-Frank Act requires financial companies with total consolidated assets of over $10b, including national banks and federal savings associations, to conduct an annual stress test. The OCC's implementing stress test rule is at 12 CFR Part 46.
    • The FRB also requires annual CCAR submissions from the largest bank holding companies

UK
  • FCA Handbook and PRA Handbook (PRIN and SYSC)
    • PRIN 2.1 Principle 2 - Skill, care and diligence: A firm must conduct its business with due skill, care and diligence.
    • PRIN 2.1 Principle 3 - Management and control: A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
    • Rule SYSC 3.1.1 R requires that a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business and that per guidance 3.1.2 G (2) the firm should regularly review these systems and controls.
    • Rule SYSC 3.1.6 R requires that a firm take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime. Furthermore, rule SYSC 3.2.6C R requires that these systems and controls be regularly reviewed.
    • SYSC 3.2.5 G states that where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.
    • SYSC 3.2.7 G (1) states that depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
    • SYSC 3.2.11A G (2) outlines risks of regulatory concern being those that relate to the fair treatment of the firm's customers, to the protection of consumers, to effective competition and to the integrity of the UK financial system. Risks which are relevant to the integrity of the UK financial system include risks which relate to its soundness, stability and resilience and to the use of the system in connection with financial crime.
    • SYSC 3.2.15 G states that a firm should have an audit committee
    • SYSC 3.2.19 G states that a firm should have appropriate business continuity arrangements in place
    • Rule SYSC 3.2.20 R (1) requires that a firm take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system. Guidance at SYSC 3.2.21 G states that a firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
    • Rule SYSC 4.1.1 R (1) requires that a firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.
    • SYSC 4.1.4 R requires that a firm, taking into account the nature, scale and complexity of its business and the nature and range of the financial services and activities undertaken in the course of that business, establish, implement and maintain adequate decision-making procedures, an organisational structure with clearly allocated responsibilities, internal control mechanisms and effective internal reporting and communication of information. These requirements cover all areas of the firm (that includes IT).
    • SYSC 4.1.5 R requires that a MiFID investment firm and a management company must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.
    • SYSC 4.1.6 R requires that a common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the common platform firm must employ appropriate and proportionate systems, resources and procedures.
    • SYSC 4.1.7 R requires that a common platform firm and a management company must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, in the case of a management company, its collective portfolio management activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities.
    • SYSC 4.1.7A G guidance states that other firms should take account of the business continuity rules (SYSC 4.1.6 R and SYSC 4.1.7 R) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G. Guidance at SYSC 4.1.8 G highlights that IT systems and processes fall within the scope of SYSC 4.1.7 R.
    • SYSC 4.1.9 R requires the timely delivery of accounting reports, including financial statements compliant with accounting standards. This necessarily requires the availability of accounting information systems.
    • SYSC 4.1.10 R requires that a common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.
    • SYSC 4.1.13 G states that firms should also consider the additional guidance on risk-centric governance arrangements for effective risk management contained in SYSC 21. SYSC 21.1 provides guidance on risk governance and control arrangements.
    • SYSC 13 provides rules and guidance for insurers on operational risk systems and controls. Specifically, SYSC 13.7.6 G states that a firm should establish and maintain appropriate systems and controls for the management of its IT system risks.
    • SYSC 14 provides further guidance for insurers with respect to the establishment and maintenance of systems and controls for the management of a firm's prudential risks
    • SYSC 6.1.1 R and SYSC 6.1.2 R require that a firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.
    • SYSC 6.2.1 R requires firms (where appropriate and proportionate to the nature, scale and complexity of their business) to establish and maintain an independent internal audit function responsible for evaluating the adequacy and effectiveness of internal controls
    • SYSC 7.1.2 R requires that common platform firms implement risk management policies and procedures including effective risk assessment procedures to identify risks relating to activities, processes and systems. SYSC 7.2.3 G advises that other firms should also apply SYSC 7.1.2 R.
    • SYSC 7.1.5 R, SYSC 7.1.6 R and SYSC 7.1.7 R require a common platform firm to monitor the adequacy, effectiveness and compliance level for its internal controls along with any remediation to achieve adequacy, effectiveness and compliance.
    • SYSC 7.1.7A G advises that the SYSC 7.1.5 R, SYSC 7.1.6 R and SYSC 7.1.7 R should apply to all firms.
    • SYSC 7.1.16 R requires that a BIPRU firm must implement policies and processes to evaluate and manage the exposure to operational risk, including to low-frequency high-severity events. Without prejudice to the definition of operational risk, BIPRU firms must articulate what constitutes operational risk for the purposes of those policies and procedures.
    • SYSC 7.1.17 R, SYSC 7.1.18 R and SYSC 7.1.21 R require that a CRR firm establish a risk management function, framework and committee.
    • SYSC 8.1 stipulates requirements and guidance for managing risks associated with outsourcing. This section also makes it clear that the firm remains fully responsible for discharging all of its obligations under the regulatory system.
    • SYSC 9.1.1 R requires that a firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the appropriate regulator or any other relevant competent authority under MiFID or the UCITS Directive to monitor the firm's compliance with the requirements under the regulatory system, and in particular to ascertain that the firm has complied with all obligations with respect to clients.
    • SYSC 9.1.2 R requires that a common platform firm must retain all records kept by it under this chapter in relation to its MiFID business for a period of at least five years.
    • SYSC 9.1.3 R requires that, in relation to its MiFID business, a common platform firm must retain records in a medium that allows the storage of information in a way accessible for future reference by the appropriate regulator or any other relevant competent authority under MiFID, and so that the following conditions are met:
      • (1) the appropriate regulator or any other relevant competent authority under MiFID must be able to access them readily and to reconstitute each key stage of the processing of each transaction;
      • (2) it must be possible for any corrections or other amendments, and the contents of the records prior to such corrections and amendments, to be easily ascertained;
      • (3) it must not be possible for the records otherwise to be manipulated or altered.
    • SYSC 9.1.5 G In relation to the retention of records for non-MiFID business, a firm should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records so that the firm may fulfil its regulatory and statutory obligations. With respect to retention periods, the general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
  • Data Protection Act 1998 requires that organisations keep personal information confidential and apply the 8 data protection principles. Particularly principle 7 requires that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

European Union
  • EU Data Protection Directive 95/46/EC (proposed to be superseded in 2014 by the General Data Protection Regulation)
  • Directive 2002/95/EC (adopted 2003) on the Restriction of the use of certain Hazardous Substances in electrical and electronic equipment (RoHS). This relates to the use and disposal of IT infrastructure that contains hazardous substances.
  • MiFID (Directive 2004/39/EC) Article 13 Operational Requirements requires that an investment firm establish and maintain effective governance and controls relating to its operations, including information processing, and ensure effective control and safeguard arrangements for information processing systems.
  • Directive 2006/73/EC implements the 2004 MiFID directive and with Article 5 – General Organisational Requirements (1)(c) stating that “Member States shall require investment firms to comply with the following requirements: to establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the investment firm”. Additionally (5) states “Member States shall require investment firms to monitor and, on a regular basis, to evaluate the adequacy and effectiveness of their systems, internal control mechanisms and arrangements established in accordance with paragraphs 1 to 4, and to take appropriate measures to address any deficiencies.”

Japan
  • Financial Instruments and Exchange Act 2006 (J-SOX)
    • Article 24-4-4(1) Requires an internal control report to be provided
  • Part 5 of the Japan FSA “Inspection Manual for Financial Instruments Business Operators” deals specifically with a company's IT Risk Management System. The scope of this guidance is IT risk management policy development, specifically mentioning information security policy and IT outsourcing policy development. It also pertains to IT operations and systems development or acquisition.

Canada
  • Bill 198 2002 (C-SOX) enforced by the Canadian Securities Administrators (CSA) and Multilateral Instrument MI 52-109. MI 52-109 requires the CEO and CFO personally certify that they have designed, or supervised the design of, internal controls and that those controls provide reasonable assurance that the financial statements are fairly presented and comply with generally accepted accounting principles (GAAP) and that these were operating effectively over the relevant reporting period.

Australia
  • CLERP9 2004
  • Privacy Act requires that personally identifying information be kept confidential by organisations processing such information.
  • Office of the Australian Information Commissioner defines a set of Australian Privacy Principles (APPs) that should be complied with

Singapore
  • Monetary Authority of Singapore (MAS) “Technology Risk Management Notices” outlined in the MAS TRM Notices FAQ A1
    • MAS Technology Risk Management guidelines 21 June 2013 and associated checklist

Hong Kong
  • HKMA Supervisory Policy Manual module “General Principles for Technology Risk Management”
  • HKMA Supervisory Policy Manual module “Supervision of E-Banking”
  • HKMA Supervisory Policy Manual module “Business Continuity Planning”
  • SFC (16 March 2010 Circular)
  • Personal Data (Privacy) Ordinance

International Guidance
  • COSO Internal Control - Integrated Framework May 2013 defines Internal control as consisting of five integrated components that apply to the “operations, reporting and compliance” objectives for the four levels within the organisation “Entity level, Division, Operating Unit and Function”. These are:
    • Control Environment – covers setting up control structures, responsibilities and accountabilities
    • Risk Assessment – covers ensuring there is an adequate and effective risk management system
    • Control Activities – has a specific principle (Principle 11) that states: “The organization selects and develops general control activities over technology to support the achievement of objectives.” and at Principle 12 “The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.”
    • Information and Communication – relates to ensuring that there is information captured to report on the adequacy and effectiveness of internal control and that this is communicated to appropriate management
    • Monitoring Activities – provides guidance that organisations will monitor their internal controls to ensure they are “present and functioning” and that deficiencies are remediated appropriately
  • COSO Enterprise Risk Management - Integrated Framework (2004)
  • Cobit 5 is an umbrella IT risk and control framework that can be mapped to most of the regulatory requirements and better practices relating to IT. Cobit 5 consists of 1,111 control activities that map to 210 control practices that map to 37 control processes split under 5 control domains. The five domains are:
    • EDM – Evaluate, Direct and Monitor – This comprises the governance activities
    • APO – Align, Plan and Organise – This comprises higher level IT management activities
    • BAI – Build, Acquire and Implement – This comprises systems acquisition and development activities
    • DSS – Deliver, Service and Support – This comprises IT service management activities
    • MEA – Monitor, Evaluate and Assess – This comprises risk and control activities
  • ITIL v3 published in 2011 consists of 5 core areas:
    • Service Strategy
      • Strategy management for IT services
      • Service portfolio management
      • Financial management for IT services
      • Demand management
      • Business relationship management
    • Service Design
      • Design coordination
      • Service Catalogue management
      • Service level management
      • Availability management
      • Capacity Management
      • IT service continuity management
      • Information security management system
      • Supplier management
    • Service Transition
      • Transition planning and support
      • Change management
      • Service asset and configuration management
      • Release and deployment management
      • Service validation and testing
      • Change evaluation
      • Knowledge management
    • Service Operation
      • Event management
      • Incident management
      • Request fulfilment
      • Problem management
      • Access management
    • Continual Service Improvement
      • Identify the strategy for improvement
      • Define what you will measure
      • Gather the data
      • Process the data
      • Analyse the information and data
      • Present and use the information
      • Implement improvement
  • ISO 27002:2005 – Code of Practice for Information Security Management
    • Contains 39 control objectives and further guidance for the following security domains:
      • (a) security policy
      • (b) organisation of information security
      • (c) asset management
      • (d) human resources security
      • (e) physical and environmental security
      • (f) communications and operations management
      • (g) access control
      • (h) information systems acquisition, development and maintenance
      • (i) information security incident management
      • (j) business continuity management; and
      • (k) compliance
  • ISO 27001:2005 – Information Security Management System Requirements
    • Establishes the “Plan-Do-Check-Act” model to establish, maintain, monitor and improve the Information Security Management System (ISMS)
  • ISO 15408 – Evaluation Criteria for Information Technology Security
    • Sets out the “Common Criteria” for providing security assurance. Assurance criteria are categorised into classes; those listed below are the CC version 2.x assurance classes. Note that in CC version 3.1 (2006 onwards) ACM and ADO are merged into ALC, and the list below omits the APE and ASE classes that evaluate protection profiles and security targets:
      • ACM – Configuration management
      • ADO – Delivery and operation
      • ADV – Development
      • AGD – Guidance documents
      • ALC – Life cycle support
      • ATE – Tests
      • AVA – Vulnerability assessment
  • ISO 38500 – Corporate Governance of IT is based on 6 principles that each have an “Evaluate”, “Direct” and “Monitor” dimension as with the Cobit 5 EDM processes:
    • Responsibility
    • Strategy
    • Acquisition
    • Performance
    • Conformance
    • Human behaviour
  • ISO 90003:2004 – Software Engineering – Guidelines for the application of ISO 9001:2000 to computer software sets the standard for maintaining a software development quality management system to ensure that software is developed to the required quality standards.
  • Payment Card Industry Data Security Standard (PCI DSS) developed by the Payment Card Industry Security Standards Council (PCI SSC, founded by American Express, Visa, MasterCard, Discover and JCB). The “PCI DSS Requirements and Security Assessment Procedures” version 3.0, published November 2013, contains the requirements and associated test procedures and guidance.
    • The standard consists of 12 requirements categorised under the following 6 areas:
      • (1) Build and maintain a secure network
      • (2) Protect cardholder data
      • (3) Maintain a vulnerability management program
      • (4) Implement strong access control measures
      • (5) Regularly monitor and test networks
      • (6) Maintain an information security policy
  • International Standard on Auditing 315 (ISA 315) - Identifying and assessing the risks of material misstatement through understanding the entity and its environment requires that an auditor, in signing off the financial statements, identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity's internal control. This assessment is to include the information systems and technology involved in producing the financial reporting and associated balances.

I am currently working on a mapping document (which includes further expansion of these jurisdictions and adding some others) that would provide the baseline controls required to meet these regulatory obligations and then also identify the further industry practice controls that would be considered better practice. Please let me know if you know of further regulations to add to this list and I will research these and add them where appropriate. Watch this space...