
Reducing Risk Exposure Through Sanctions Screening

International sanctions have increased in recent years, and discrepancies still exist in how financial institutions and non-banking financial institutions in different countries and regions handle them. Ongoing international tensions, in which politicians use asset-freezing, confiscation and other sanctions as tools to advance their own agendas, produce an ever-growing stream of designations. This also creates headaches for the compliance industry as it attempts to assess its level of risk.

For example, sanctions regimes diverged sharply between the United States and the European Union/United Kingdom after the United States left the Joint Comprehensive Plan of Action (JCPOA) and progressively re-imposed sanctions against Iran in 2018. In a post-Brexit world, it is likely that European Union and United Kingdom sanctions will diverge over time as well.

These challenges add complexity for compliance professionals conducting sanctions and transaction screening in accordance with regulations and institutions’ policies. The rapid transition to an increasingly digital world amidst COVID-19 raises the question: Do financial institutions truly understand the identities moving within their digital networks?

The Wolfsberg Group recently published detailed guidance for financial institutions regarding sanctions screening. The guidance highlights the importance of account and transaction screenings, but does not propose fundamental changes to the processes that financial institutions should follow already. Compliance officers need to rely on robust sanctions screening systems, high data quality and up-to-date policies to drive a successful long-term sanctions screening program.

Compliance departments should continue to perform basic functions such as maintaining documented controls and procedures. They also need a clear understanding of sanctions risk and of why a risk-based approach to customer onboarding is essential. Further, the compliance team should consider improving the following:

  1. Sanctions List Management: List data can be incomplete and decays over time as designations are added, amended and removed. Active list management is essential if compliance personnel are to screen against complete, accurate and up-to-date data.
  2. Screening Technology: Screening engines vary in capability. Platforms should meet business needs at a basic level and be able to:
    • Handle the required volume of screening records
    • Be configured to reflect lists with differing risk profiles
    • Remediate alerts efficiently through fully functioning workflow tools
    • Ingest a variety of external lists
    • Integrate with enterprise systems through APIs
  3. Sanctions Data: Not all externally provided sanctions lists are created equal. Financial institutions should conduct thorough due diligence and compare data from different sources. Some issues to consider:
    • How the data is synthesized from the original issuing bodies
    • The quality controls within the provider’s research process
    • The extent to which the provider enriches the data with secondary identifiers (dates of birth, nationalities, identification numbers) of sanctioned individuals
    • How complete the data set is, given the many official issuing bodies globally, and whether the system can be configured to select those relevant to the institution in question
    • Whether the data facilitates consolidation of entities that appear on multiple sanctions lists, to reduce duplicate alerts and minimize analysts’ effort
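As an added illustration of the last two points (secondary identifiers and consolidation across lists), the following Python example is not from the article or the Wolfsberg guidance. It merges entries from two constructed feeds with fictitious names (the list names LIST-A and LIST-B, their ids and their date formats are assumptions), then screens a customer name against the merged set so that an entity appearing on both lists raises one alert carrying both source ids rather than two separate alerts.

```python
"""Consolidate entries across sanctions lists and screen a name against the
merged set.  Added example, not from the article or the Wolfsberg guidance;
both feeds below are constructed with fictitious names."""
import re
import unicodedata
from datetime import datetime
from difflib import SequenceMatcher

# Constructed feeds. LIST-A is assumed to publish ISO 8601 dates, LIST-B DD/MM/YYYY.
LIST_A = [
    {"id": "A-1001", "list": "LIST-A", "name": "Ivan Petrovich TESTOV",
     "aliases": ["I. Testov"], "dob": "1970-03-04"},
    {"id": "A-1002", "list": "LIST-A", "name": "Blue Harbour Trading Ltd",
     "aliases": [], "dob": None},
]
LIST_B = [
    {"id": "B-77", "list": "LIST-B", "name": "Testov, Ivan",
     "aliases": ["Ivan P. Testov"], "dob": "04/03/1970"},
    {"id": "B-78", "list": "LIST-B", "name": "Blue Harbor Trading Limited",
     "aliases": [], "dob": None},
    {"id": "B-79", "list": "LIST-B", "name": "Maria Fictiva",
     "aliases": [], "dob": "1985-11-20"},
]

CORP_SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "company", "corp", "corporation"}
MATCH_THRESHOLD = 0.85  # assumed tuning value; real engines calibrate this per list


def name_tokens(name):
    """Fold accents and case, strip punctuation, drop initials and corporate
    suffixes, so 'Testov, Ivan' and 'Ivan Testov' yield the same token set."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.split(r"[^a-z0-9]+", ascii_text.lower())
    return frozenset(t for t in tokens if len(t) > 1 and t not in CORP_SUFFIXES)


def parse_dob(value):
    """Normalize the date formats used by the two feeds to a date, or None."""
    if not value:
        return None
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognised date format: {value!r}")


def similarity(tokens_a, tokens_b):
    """Average best-token match of the shorter name against the longer one, so
    'Ivan Testov' matches 'Ivan Petrovich Testov' (patronymic omitted) and
    'Harbor' matches 'Harbour' (spelling variant)."""
    if not tokens_a or not tokens_b:
        return 0.0
    short, long_ = sorted((tokens_a, tokens_b), key=len)
    best = [max(SequenceMatcher(None, s, l).ratio() for l in long_) for s in short]
    return sum(best) / len(best)


def dob_compatible(d1, d2):
    """Secondary-identifier check: an unknown date contradicts nothing."""
    return d1 is None or d2 is None or d1 == d2


def consolidate(*lists):
    """Merge entries that refer to the same real-world entity across lists,
    keeping every source id so an analyst sees one alert, not one per list."""
    entities = []
    for entry in (e for lst in lists for e in lst):
        variants = {name_tokens(entry["name"])} | {name_tokens(a) for a in entry["aliases"]}
        variants.discard(frozenset())
        dob = parse_dob(entry["dob"])
        for ent in entities:
            if dob_compatible(ent["dob"], dob) and any(
                similarity(v, w) >= MATCH_THRESHOLD for v in variants for w in ent["variants"]
            ):
                ent["variants"] |= variants
                ent["sources"].append(f'{entry["list"]}:{entry["id"]}')
                ent["dob"] = ent["dob"] or dob
                break
        else:
            entities.append({"variants": variants, "dob": dob,
                             "sources": [f'{entry["list"]}:{entry["id"]}']})
    return entities


def screen(entities, customer_name, customer_dob=None):
    """One alert per consolidated entity whose best name score meets the
    threshold; a known, contradicting date of birth suppresses the alert."""
    tokens = name_tokens(customer_name)
    dob = parse_dob(customer_dob)
    alerts = []
    for ent in entities:
        score = max(similarity(tokens, v) for v in ent["variants"])
        if score >= MATCH_THRESHOLD and dob_compatible(ent["dob"], dob):
            alerts.append({"score": round(score, 3), "sources": ent["sources"],
                           "dob_confirmed": dob is not None and dob == ent["dob"]})
    return alerts


if __name__ == "__main__":
    merged = consolidate(LIST_A, LIST_B)
    for name in ("Ivan Testov", "Blue Harbor Trading", "John Nobody"):
        print(name, "->", screen(merged, name))
```

Without the consolidation step, "Ivan Testov" would produce two alerts (one per list) for the same person; with it, the analyst clears one alert that already cites both source records. Note that an unknown date of birth never suppresses a hit, which is the conservative choice when secondary identifiers are incomplete.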

Sanctions screening is a vital but complex process and a continuously trained compliance staff helps ensure that the financial institution is consistently screening against the most relevant and up-to-date sanctions lists. Sanctions authorities require increasingly strict compliance and this involves employing intelligent augmentation through a combination of human efforts and new technologies such as big data, data analytics, machine learning and artificial intelligence.

Organizations can best reduce risk exposure by using all the compliance tools in a responsible and efficient way. Only then can a financial institution be sure that it is navigating the increasingly complex and rigorously enforced regulatory landscape.

Financial Services IT Overconfident in Breach Detection Skills

Despite the doubling of data breaches in the banking, credit and financial sectors between 2014 and 2015, most IT professionals in financial services are overconfident in their abilities to detect and remediate data breaches. According to a new study by endpoint detection, security and compliance company Tripwire, 60% of these professionals either did not know or had only a general idea of how long it would take to isolate or remove an unauthorized device from the organization’s networks, but 87% said they could do so within minutes or hours.

When it comes to detecting suspicious and risky activity, confidence routinely exceeded capability. For example, while 92% believe their vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device connected to their network, 77% said they automatically discover 80% or less of the devices on their networks, so a sizable share of what is connected is never scanned at all. Three out of 10 do not detect all attempts to gain unauthorized access to files or network-accessible file shares. When it comes to patching vulnerabilities, 40% said that less than 80% of patches are successfully applied in a typical cycle.
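One concrete way to close the device-discovery gap the survey describes is to reconcile the addresses the network actually hands out against the asset inventory, rather than trusting that a scanner sees everything. The following Python script is an added example, not part of the Tripwire study or this article; the DHCP log lines (in ISC dhcpd syslog format, which is assumed) and the asset inventory are constructed.

```python
"""Reconcile DHCP lease log lines against an asset inventory to flag devices
the organization does not know about and to report discovery coverage.
Added example, not from the Tripwire study; all data below is constructed."""
import re

# Constructed asset inventory (MAC -> asset tag), as an inventory export would give it.
ASSET_INVENTORY = {
    "00:1a:2b:3c:4d:01": "LAPTOP-0041",
    "00:1a:2b:3c:4d:02": "LAPTOP-0042",
    "00:1a:2b:3c:4d:03": "PRINTER-07",
    "00:1a:2b:3c:4d:04": "SRV-DB-02",
    "00:1a:2b:3c:4d:05": "LAPTOP-0043",
}

# Constructed ISC dhcpd-style syslog lines (format assumed; not a real capture).
DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.1.11 to 00:1a:2b:3c:4d:01 (lt-0041) via eth0
Mar  3 09:12:05 dhcp1 dhcpd: DHCPACK on 10.20.1.12 to 00:1a:2b:3c:4d:02 (lt-0042) via eth0
Mar  3 09:13:40 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:03 via eth0
Mar  3 09:13:41 dhcp1 dhcpd: DHCPACK on 10.20.1.20 to 00:1a:2b:3c:4d:03 via eth0
Mar  3 09:15:09 dhcp1 dhcpd: DHCPACK on 10.20.1.77 to DC:A6:32:11:22:33 (raspberrypi) via eth0
Mar  3 09:16:30 dhcp1 dhcpd: DHCPACK on 10.20.1.11 to 00:1a:2b:3c:4d:01 (lt-0041) via eth0
"""

# Only acknowledged leases count; DISCOVER/OFFER lines never received an address.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))?"
)


def parse_leases(log_text):
    """Return {mac: (ip, hostname)} for every acknowledged lease; a later ACK
    for the same MAC overwrites the earlier one so renewals are not double counted."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return leases


def reconcile(leases, inventory):
    """Split leased MACs into known and unknown devices and compute what share
    of the inventory was actually observed on the wire (the discovery coverage)."""
    unknown = {mac: lease for mac, lease in leases.items() if mac not in inventory}
    seen_assets = {inventory[mac] for mac in leases if mac in inventory}
    coverage = len(seen_assets) / len(inventory) if inventory else 0.0
    return {"unknown": unknown, "seen_assets": sorted(seen_assets), "coverage": round(coverage, 2)}


if __name__ == "__main__":
    result = reconcile(parse_leases(DHCP_LOG), ASSET_INVENTORY)
    for mac, (ip, host) in result["unknown"].items():
        print(f"UNKNOWN DEVICE {mac} {ip} {host!r}")
    print(f"inventory coverage: {result['coverage']:.0%}")
```

On the constructed input the script reports one device with no inventory record and only 60% of the inventory seen on the network in that window. The unknown device is the alert; the missing 40% is the blind spot that a scanner-only view never exposes, since a scanner cannot alert on a host it has not enumerated.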

This gap between confidence and capability may reflect that many of the protections in place are motivated more by compliance than by security, Tripwire asserts.

“Compliance and security are not the same thing,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “While many of these best practices are mandated by compliance standards, they are often implemented in a ‘check-the-box’ fashion. Addressing compliance alone may keep the auditor at bay, but it can also leave gaps that can allow criminals to gain a foothold in an organization.”

Check out more of the study’s findings below:

[Infographic: financial services cyber risk management]

Staying Ahead of the Financial Industry’s Next Wakeup Call

The financial services sector is no stranger to stringent regulation. At the very least, financial institutions are audited every 18 months. But without a proper security posture, complying with the likes of the Payment Card Industry Data Security Standard (PCI DSS) and others doesn’t always have the dual benefit of protecting against breaches: the PwC 2015 Global State of Information Security report noted a 141% year over year increase in the number of financial services firms reporting losses of $10 million to $19.9 million.

This tells us a few things. First, compliance depends on a company’s interpretation of the rules, which can be bent and glossed over; compliance is, after all, a minimum standard to which firms should adhere. Second, regulation needs more teeth as security threats become more sophisticated and targeted. Most importantly, since the regulated ecosystem is so complex, institutions should identify the controls prescribed most frequently across compliance mandates and put solutions in place that meet them. Doing so won’t guarantee complete security, but it puts firms in the best possible position to protect against attack while simultaneously satisfying auditors.

The Cost of Compliance

The 2014 SANS Financial Services Security Survey, which examines the drivers for security-related spending in the financial services industry, reports that 32% of organizations spend more than one quarter of their IT security budget on compliance mandates. Nearly 16% of respondents say they are spending more than 50% of their security budgets on compliance.

Unfortunately, this spending on compliance doesn’t translate into spending on security. In fact, the survey also shows that other drivers of firms’ information security programs compete with compliance mandates for resources: while 69% of respondents say that demonstrating regulatory compliance is a top driver, a majority also cited drivers closely tied to it, including reducing risk (64%) and protecting brand reputation (51%).

To ensure that investment in security and investment in compliance are not mutually exclusive, it takes effort on both sides: firms should put more effective solutions in place, while regulators should issue stronger directives that encourage firms to streamline those efforts.

Securing the Endpoint

Specifically, firms should put systems in place that address endpoint vulnerabilities, including insider threats and malware on the devices themselves, rather than relying on network solutions alone. The same SANS report shows that endpoint weaknesses were the biggest causes of security incidents among financial institutions, with abuse or misuse by internal employees or contractors (43%) and spear phishing emails (43%) the most prevalent, followed by malware or botnet infections (42%).

It doesn’t take long to find explicit cases that corroborate these findings. The JPMorgan breach, which affected nearly 76 million households, came down to an attacker who gained high-level administrator privileges. Put simply, the cause of the breach wasn’t necessarily sophisticated malware but the compromise of routine IT administrator tasks. Clearly, while perimeter technologies like firewalls can prevent certain types of external attacks, they cannot block malware that has already found its way onto endpoints within an organization. Layering proactive controls will be critical to stopping serious threats before they materialize.

Least Privilege: The One-Two Punch

Proactive solutions should incorporate layering elements like patching, application whitelisting and privilege management. Taking this defense-in-depth approach will enable financial organizations to more effectively protect against the spread of malware, defending their valuable assets and ultimately their reputation. The dual benefit? They will satisfy auditors.

The least privilege methodology in particular, which removes standing administrator rights from individuals and elevates specific approved applications instead, is broadly prescribed across multiple mandates that apply to U.S. financial firms, from PCI DSS to the Federal Desktop Core Configuration (FDCC) to the Sarbanes-Oxley Act (SOX). For instance, PCI DSS has a specific requirement to log the activity of privileged users (Requirement 10) and states that access to privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities (Requirement 7).

Internationally, the practice is enforced even more strictly. For instance, the Monetary Authority of Singapore (MAS) technology risk management guidelines detail a number of system requirements, such as limiting exposure to cyber and man-in-the-middle attacks, that would be very difficult to achieve without a least privilege environment. In fact, the document devotes an entire section to least privilege. Its requirements call for restricting the number of privileged accounts and granting them only on a ‘need-to-have’ basis. The guidelines also call for close monitoring of those who are given elevated rights, with regular assessments to ensure those rights remain appropriately assigned.

Ultimately, limiting privileged access shrinks the attack surface available to hackers and also prevents staff from implementing sophisticated attacks like logic bombs, knowingly or unwittingly. At the same time, the practice helps achieve compliance, driving down unnecessary spending. While firms and regulators are collectively making progress, more can be done: regulators can bring endpoint security to the top of the priority list, and firms can put the simpler elements of a strong architecture into practice. The next high-profile security breach shouldn’t be the industry’s wakeup call.
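The MAS and PCI DSS expectations above (privileged accounts granted only on a need-to-have basis, logged, and re-assessed regularly) translate in practice into a periodic entitlement review. The following Python script is an added example, not from the article, the MAS guidelines or PCI DSS: it reads constructed /etc/group and /etc/sudoers excerpts, enumerates every account with elevated rights whether granted through a group or a direct sudoers rule, and flags accounts missing from a constructed approved roster or whose approval is past its review date. The set of privileged groups, the roster, the review period and the review date are all assumptions.

```python
"""Review who holds administrative rights on a Linux host against an approved
'need-to-have' roster with review dates.  Added example, not from the article,
PCI DSS or the MAS guidelines; file contents, roster and dates are constructed."""
from datetime import date

# Constructed /etc/group excerpt.
ETC_GROUP = """\
root:x:0:
wheel:x:10:alice,bob,svc-backup
sudo:x:27:alice,carol
docker:x:999:dave
users:x:100:alice,bob,carol,dave,erin
"""

# Constructed /etc/sudoers excerpt, one rule per line.
SUDOERS = """\
# Defaults
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
erin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
svc-backup ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
"""

# Groups treated as privileged on this host (assumption): wheel and sudo because
# sudoers grants them ALL, docker because the daemon socket is root-equivalent.
PRIVILEGED_GROUPS = {"wheel", "sudo", "docker"}

# Constructed approved roster: user -> (justification, date of last review).
# Anyone absent here holds privilege without an approved need-to-have.
APPROVED = {
    "alice": ("platform engineer", date(2024, 1, 15)),
    "svc-backup": ("nightly backup job", date(2024, 1, 15)),
    "erin": ("app operator, restart only", date(2023, 2, 1)),
}
REVIEW_PERIOD_DAYS = 180              # assumed policy: re-assess twice a year
REVIEW_DATE = date(2024, 3, 1)        # constructed 'today' so the run is reproducible


def parse_group_file(text):
    """Return {group: set(members)} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers_users(text):
    """Return the user names (not %group aliases) that have direct sudoers rules."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults", "%")):
            continue
        users.add(line.split()[0])
    return users


def privileged_users(groups, sudoers_users):
    """Every account with elevated rights, whether via group membership or a direct rule."""
    via_groups = set().union(*(groups.get(g, set()) for g in PRIVILEGED_GROUPS))
    return via_groups | sudoers_users


def review(groups, sudoers_users, approved, today):
    """Flag privileged accounts with no approved justification, and approved
    ones whose entitlement has not been re-assessed within the review period."""
    findings = []
    for user in sorted(privileged_users(groups, sudoers_users)):
        if user == "root":
            continue  # the built-in account is handled by a separate control
        if user not in approved:
            findings.append((user, "no approved need-to-have"))
        elif (today - approved[user][1]).days > REVIEW_PERIOD_DAYS:
            findings.append((user, "review overdue"))
    return findings


if __name__ == "__main__":
    groups = parse_group_file(ETC_GROUP)
    direct = parse_sudoers_users(SUDOERS)
    for user, reason in review(groups, direct, APPROVED, REVIEW_DATE):
        print(f"{user:12s} {reason}")
```

On the constructed input the review surfaces three accounts that hold elevated rights with no recorded justification (bob, carol and dave, the last of them only through the docker group, which a review that looks at sudo alone would miss) and one approved account whose entitlement has not been re-assessed within the period. Those four lines are exactly the evidence an auditor asks for under the MAS and PCI DSS provisions cited above.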

Is the Insurance Industry Improving for Women?


More than 70% of women in insurance believe the industry is making progress toward gender equality and, for the second year in a row, over two-thirds think their company is working to promote gender diversity, according to a new survey from the Insurance Industry Charitable Foundation.

After the IICF Women in Insurance Global Conference, which brought together 650 insurance professionals, senior executive speakers, and CEOs to discuss how the industry can increase gender diversity in the workplace, the foundation polled attendees on the current reality of gender diversity and its evolution across the insurance industry.

Almost half of attendees agree that their company is working to promote gender diversity with another 19% strongly agreeing, but 24.5% disagreed, and 7.1% disagreed strongly. Biases in advancement (51%) and lack of opportunities for professional advancement (24.6%) remain the biggest barriers for women seeking leadership positions in their companies, respondents said. The industry may be making some progress on those issues, however, as the percentage of women who named “biases in advancement” and “lack of opportunities for professional advancement” as the chief barriers fell to 68% from 76% last year.

“As evidenced by the tremendous turnout of the 2015 Women in Insurance Global Conference and the engaging discussions it created, companies are clearly recognizing the need for a more gender inclusive workplace,” said Betsy Myatt, executive director of IICF’s Northeast Division.


But the findings make clear that insurance still lags far behind other sectors of the financial services industry in terms of support for women. Those surveyed – who were all there because they work in the insurance industry – said that insurance was the least supportive of advancing women to senior leadership, compared to accounting (47.8%), banking (26.1%) and investment services (14.1%).

“While there is still progress to be made toward achieving gender equality, the vast majority of survey respondents who have found a positive shift in corporate culture is certainly telling of the strides the insurance industry has made thus far,” said Bill Ross, CEO of IICF.

Some of the survey’s key insights include:

Which of the following is the greatest challenge women face in ascending to positions of leadership within the insurance industry?

  1. Inflexible workplace standards: 7.4%
  2. Women don’t promote themselves enough or effectively: 30.1%
  3. Limited opportunities for mobility up the corporate ladder: 39.4%
  4. Lack of C-suite sponsorship: 23.0%

Which of the following financial services sectors is the most supportive of the advancement of women to senior leadership?

  1. Banking: 26.1%
  2. Insurance: 12.0%
  3. Accounting: 47.8%
  4. Investment Services: 14.1%

Which of the following is the biggest barrier to entry (perceived or actual) for women seeking leadership positions in their company?

  1. Lack of opportunities for professional advancement: 24.6%
  2. Lack of desire from company leadership to appoint women to senior leadership roles: 17.0%
  3. Biases in advancement: 51.1%
  4. Desire to start a family: 14.1%

In what way do you believe gender equality has been most improved across the insurance industry?

  1. The establishment of mentorship programs: 14.2%

  2. Sponsoring executive networking opportunities: 24.0%
  3. More active recruitment of a gender-diverse workforce: 26.2%
  4. Shift in corporate culture: 35.6%