Creating a Compliance Culture
Education is Key
In the news on almost any given day you will find a story on a bank or credit union that has lost confidential data due to a security breach. Substantial coverage is also given to the latest laws and regulations that govern these financial institutions and protect them in taking measures to safeguard against data breaches and other security threats.
Overall, compliance has a significant role to play in security education today. "Integrated or Enterprise-wide Compliance Risk Management allows financial services companies to identify and focus enhanced security education efforts on lines of business, facilities and employees with the highest risks," says Catherine Toth, Vice President, Compliance Risk Assurance, Key Corporation. "While education and awareness are critical for all employees, it is essential for an information security program to identify not only critical applications and assets but all of the line of business, facilities and employee linkages to these applications and assets. Implementing an enterprise-wide program which effectively identifies these linkages will provide objective metrics, in addition to critical input from subject matter experts, upon which training or other compliance program efforts can be based in a cost-effective manner."
Empowering employees with the knowledge they need to stay in compliance may be the cheapest investment one can make toward compliance. Many institutions are hiring more staff, boosting their training efforts and taking a more proactive approach to compliance by trying to anticipate likely changes in regulatory policy.
Today, compliance has become the yardstick by which many institutions gauge their information security preparedness with respect to security incidents and online banking threats such as phishing attacks, viruses and identity theft. New regulations such as the Sarbanes-Oxley Act, the USA PATRIOT Act and the Gramm-Leach-Bliley Act are forcing banks to build a true compliance culture.
A sound compliance program, and the steps a bank needs to take to establish one, should include all of the following critical components:
- board oversight and top down communication of a culture of compliance;
- sound policies and procedures;
- effective controls and control monitoring and testing;
- reporting and issues tracking, new product and process risk analysis;
- an effective mechanism for tracking new regulatory and industry requirements and standards;
- independent audit;
- effective ethics and anti-fraud programs;
- adequate resources;
- effective training.
What is most critical for training is focusing resources on the highest risks and following up to ensure that the training has had its intended impact. This is most effectively accomplished when an enterprise-wide risk assessment is added as a critical component of the compliance program, and its results are communicated and made part of the day-to-day decision making for training efforts.
Other factors to consider for implementing an integrated compliance culture at any bank or institution:
- Compliance should first and foremost be integrated within an institution's overall business management function. A strong compliance culture can only exist where there is a sense of partnership between compliance officers and business managers, so the goals of both groups must be aligned.
- Banks should aim at integrating compliance with their overall risk management function by having their top compliance officers meet regularly with senior business managers to make sure legal and regulatory issues are properly explored.
- Security policies at any institution should always be implemented in consultation with the compliance officers first; this way the bank can ensure that its policies and procedures are based on what the regulators are looking for.