Making sense of compliance and governance
SC Magazine, June 2010
Whether it arrives as one big Sarbanes-style law or as many small amendments, compliance is here to stay. Don't let it faze you, says Rob Buckley.
The crash of the financial markets in 2008 following the bankruptcy of financial services firm Lehman Brothers prompted one of the biggest government bailouts of banks and insurance companies in history. Trillions of dollars around the world were poured into scores of companies to keep them – and, in turn, the rest of the world's economies – afloat. Countries such as the UK and, in particular, Greece are still feeling the effects of the collapse and the debt they built up to fund the bailouts – and will do so for years to come.
‘Never again’ was heard in almost every country affected. The over-leveraging of assets in unregulated markets had brought the world to its knees, causing mass unemployment, recession and bankruptcies. So, greater regulation of banks and other financial services companies has been the pledge of governments worldwide, including the UK coalition.
However, on this issue, it seems no government wants to be ‘first to market’ with swingeing new regulations if doing so causes financial services companies to leave its shores. The UK's Financial Services Act 2010 had already been passed by parliament and received royal assent on 8 April, but its changes are relatively small and the Financial Services Authority (FSA) is still consulting with companies on how it will be enforced.
Only the US has the clout to impose unilateral regulation on the markets, so, as with Sarbanes-Oxley (‘SOX’) in 2002, the US is likely to be the first major country to propose compliance legislation of the severity suggested. The EU and others are then likely to follow suit.
“It's not clear exactly what such legislation will look like,” says Craig Carpenter, VP of marketing for information risk specialist Recommind. “At a minimum, new legislation is likely to require added layers of scrutiny and reporting by information security professionals, somewhat like a ‘Sarbanes-Oxley II’. There is also a high likelihood that such legislation will incorporate more data protection requirements, including bigger fines for loss of data, especially personally identifiable information.”
However, Carpenter says that any ‘Son of SOX’ law is going to be broader and have a bigger impact on information security professionals in the US. “SOX didn't change the way they went around on a daily basis. This could, since it has transparency and reporting requirements for the financial industry and those close to it that are going to be a lot broader than most anticipate. Whereas SOX was ‘let's prevent fraud’, this is going to be like that – but on steroids.”
Outside the US, rather than wholesale change from one large piece of legislation, financial services and other organisations are more likely to face multiple pieces of legislation, usually pertaining to data loss and greater transparency.
“There is a large range of regulation relating to the financial services sector that has recently come into force, or is about to be introduced – or being considered for introduction – by the European Commission,” says Chris Pickles, head of marketing, financial markets and wholesale banking at BT Global Services. “These include MiFID, the Capital Requirements Directive, the Money Laundering Directive and the Market Abuse Directive. These will have direct relationships to risk management and thereby to information management and information security.”
In some cases, Pickles says, the impact can be direct, such as the requirement for the organisation to record and archive voice conversations so they can be used as part of compliance procedures and regulatory investigation. Voice conversations will also need to be integrated into the IT infrastructure, since MiFID means order fulfilment now has to be done in the order in which purchase orders arrived, whatever medium was used.
More importantly, organisations have to be able to prove this, so audit logs and archives will need to be handled accordingly. But, as in the US, data loss laws are probably going to be the area of most change. In the UK, although most of its requirements have remained the same, recent changes to the Data Protection Act have meant that the maximum fine that can be imposed on an organisation for losing or mishandling personal data is now £500,000. According to Recommind's Carpenter, the UK Information Commissioner's Office is mainly going to be policing larger companies, thanks to the relatively meagre resources allocated to it.
