Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) compliance incorporate the ever-dreaded Know-Your-Customer (KYC) rules. Financial institutions (FIs), such as banks, and non-bank financial institutions (NBFIs) struggle under the weight of the required risk mitigation strategies, often enlisting third-party vendors to help them fulfill regulatory requirements. Increasingly, banks using third parties must focus on mitigating risks and monitoring cybersecurity activities.
Financial Risk Management
What is financial risk management?
Financial risk management requires assessing risks to a bank’s portfolio. Since FIs and NBFIs handle sensitive information, they not only need to determine their cyber risks but those of their vendors to answer the Board of Directors’ questions.
Compliance risk impacts FI and NBFI financial risk. Determining liabilities means understanding the potential market risks as well as information security risks. As security risk becomes more important than credit risk, FIs and NBFIs need to address information security as part of their overall asset-liability management programs.
What poses risks to financial institutions?
Historically, fraud threats have posed one of the most significant risks to FIs and NBFIs. Thus, AML, BSA, and KYC policies and procedures combined with vendor management oversight protect banks more now than ever before.
Know Your Customer
KYC policies and procedures require collecting the name, address, date of birth, and Social Security number of customers. Under AML and BSA, organizations must document this information to prove they have vetted their customers.
For commercial accounts, FIs and NBFIs must not only collect personal information about the individuals on the accounts but also protected business information such as articles of incorporation and Tax Identification Number (TIN).
As regards digital data, all of the regulatory requirements incorporate five- to seven-year document retention. Digital information collection such as scanning or using online account opening procedures means more digital customer data remains on networks and in the hands of third-party vendors.
Bank Secrecy Act and Office of Foreign Asset Controls (OFAC)
BSA and OFAC require FIs and NBFIs to continually monitor their customer records to protect themselves from criminal activities. BSA documentation incorporates Suspicious Activity Reports (SARs) and Cash Transaction Reports (CTRs). Not only do these documents contain personal information, but SAR details also cannot be shared with the Board of Directors.
Monthly, OFAC requires that FIs and NBFIs document their Specially Designated Nationals and Blocked Persons List (SDN List) reviews but must anonymize the information. This anonymization includes removing names or information that could identify someone listed.
Where Enterprise Risk Management Overlaps With FI Compliance
If ERM is understood as a holistic review of risks, FIs and NBFIs face more compliance risk than other industries.
Increasingly, FIs and NBFIs allow for online account opening. These processes require endpoint security and encryption to ensure ongoing data protection. For organizations outsourcing the collection, they must perform ongoing due diligence for third-party vendors.
Managing the regulatory compliance requirements for data in conjunction with information security compliance requirements becomes overwhelming when solely handled on spreadsheets.
How NBFIs and FIs can monitor vendors
Vendor management in the financial arena has long created a compliance hassle. Not only do FIs and NBFIs need to ensure that their vendors remain solvent, but they must also ensure the information security of these vendors. Many FIs and NBFIs incorporate SOC 1, SOC 2, and SOC 3 report reviews as part of their vendor management practices. However, the review cannot stop there.
FIs and NBFIs must remain agile when reviewing their business partners. In the early days, spreadsheets provided the most efficient cross-departmental communication. However, with more departments needing more information to ensure appropriate compliance, FIs and NBFIs require a management solution that streamlines communication.
What FIs and NBFIs can learn from blockchain technology
Recently dubbed “RegTech,” FIs and NBFIs now attempt to incorporate machine learning and artificial intelligence to replace manual processes, including reporting.
Blockchain now appears as an emerging technology helping FIs and NBFIs to protect transaction information while still being able to retain it. Essentially, each party to the transaction creates data called a “block” protected using a cryptographic key. Each block holds only its own information but allows the parties to build upon it, creating a chain. This chain, because of the encryption, protects the data while incorporating the transaction’s full history.
FIs and NBFIs can now maintain detailed and anonymized transaction histories to prove due diligence over customer information. However, creating fintech blockchain networks will require additional vendors that organizations must monitor. For example, Swift recently announced a proof of concept for blockchain technology that will enable inter-FI communications regarding customers. However, the messaging system itself would be considered a vendor.
How automation enables agility in the fintech industry
As fintech drives more financial services, FIs and NBFIs need to re-evaluate their monitoring activities.
First, with the information they retain, FIs and NBFIs must continuously monitor their controls to protect data. Additionally, BSA requires the segregation of duties. These requirements place burdens on information technology teams who must ensure appropriate system access. Thus, monitoring controls becomes even more critical.
ZenGRC provides real-time insight into threats. Our risk heat maps can help FIs and NBFIs track critical system updates needed to protect information.
When engaging in vendor due diligence, FIs and NBFIs need a single place to store their reviews. Not only does ZenGRC provide the location, but it also allows organizations to track vendor responses. Our PCI DSS-compliant questionnaires allow FIs to track their credit card partners and ensure compliance.
Additionally, as banks look to add more payment organizations to their commercial account lists, they may need to prove HIPAA compliance as well. When acting as a payment processor for a healthcare provider or service, banks should evaluate their data controls to align with the healthcare industry’s requirements. Moving into healthcare payment processing not only gives banks a higher market share but also gives customers more options. With ZenGRC’s ability to do a gap analysis, banks can determine any additional steps necessary for moving into this customer base.
For more information on how ZenGRC enables financial institutions, request a demo.