IT Manager's Handbook: Getting Your New Job Done (56 page)


Authors: Bill Holtsnider,Brian D. Jaffe



The Basel II framework sets out the details for adopting more risk-sensitive minimum capital requirements for banking organizations. The new framework reinforces these risk-sensitive requirements by laying out principles for banks to assess the adequacy of their capital to ensure that banks have sufficient capital to support the risks that they undertake. Like Sarbanes–Oxley, it also seeks to strengthen the transparency and integrity of banks’ financial reporting.

The Basel II Accord is built around “three pillars”:

Pillar 1 of the new capital framework revises the 1988 Accord's guidelines by aligning the minimum capital requirements more closely to each bank's actual risk of economic loss.

Pillar 2 of the new capital framework recognizes the necessity of exercising effective supervisory review of banks’ internal assessments of their overall risks to ensure that bank management is exercising sound judgment and has set aside adequate capital for these risks.

Pillar 3 leverages the ability of market discipline to motivate prudent management by enhancing the degree of transparency in banks’ public reporting. It sets out the public disclosures that banks must make that lend greater insight into the adequacy of their capitalization (Bank of International Settlements, www.bis.org).

In the United States, adoption and implementation of Basel II are managed by the four Federal banking agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision). In 2007, these agencies issued final rulings about adoption of Basel II for the largest banks in the United States (others may opt-in). The implementation process, which includes parallel and transition periods, won't have any bank fully subject to the rule until 2012 at the earliest.

Basel III, which the United States expects to adopt beginning in 2013, primarily strengthens bank capital requirements, introduces new regulatory requirements on bank liquidity and bank leverage, and provides for an enhanced supervisory review process and disclosures.

SB-1386

California's Security Breach Information Act (SB-1386) is a state law requiring organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised. This act stipulates that if there's a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained information. The act, which went into effect July 1, 2003, was created to help stem the increasing incidence of identity theft. Essentially, it requires an agency, person, or business that conducts business in California and owns or licenses computerized “personal identifying information” to disclose any breach of security to any resident whose unencrypted data are believed to have been disclosed.

SB-1386 defines Personal Identifying Information (PII) as an individual's unencrypted first and last name in conjunction with at least one other piece of information, such as:

Social Security number

Debit or credit card number

Driver's license number or California ID card number

Account number in conjunction with a PIN or access code

PII data are referenced in many different regulations and laws around the globe. However, each may define PII differently. Because of the reference to unencrypted data, many organizations have taken to encrypting data that leave their custody. Interestingly enough, the California law doesn't set any minimum requirements or make any statement about the strength of the encryption.

Although it's a California state law, it doesn't mean that companies located outside of California are exempt. If your company does business anywhere in California, you are affected. Since California has the largest population of any state, it's highly likely that SB-1386 has an impact on your business.

When data are compromised, SB-1386 outlines specific courses of action that an affected company must follow.

Massachusetts Data Protection Law

The Massachusetts Data Protection & Privacy law went into effect on March 1, 2010 and applies to anyone that processes, stores, or maintains data associated with a Massachusetts resident.

The law requires that companies have a written information security program (WISP), which would:

Designate employees responsible for the program

Create an inventory of personal information

Assess the risk of a breach

Have disciplinary measures for failure to comply

Provide for training of employees

Define how the WISP is to be monitored

The law covers both paper and electronic records, and says that access must be restricted and that the data must be safeguarded. For paper records, this would include locked cabinets and storage rooms, for example. For electronic files this would include appropriate user authentication protocols, encryption of transmitted files and of portable devices (e.g., USB drives, laptops), firewalls, anti-malware solutions, and operating system patching, among others.

With fines up to $5,000 per compromised record, the Massachusetts law is considered one of the strictest in the nation.

Fair and Accurate Credit Transactions Act (FACTA)

The FACTA is a consumer rights bill that became fully effective June 1, 2005, and is an extension of the Fair Credit Reporting Act (FCRA). The rule says that in regard to consumer information (such as name, Social Security number, address) you must “take reasonable measures to protect against unauthorized access or use of the information.” FACTA is designed to reduce identity theft that results from valuable consumer information contained in business records. FACTA also discusses destruction methods, such as shredding of paper documents and destroying/erasing electronic media. FACTA also includes the “red-flag rule,” requiring systems to be in place to identify activity that may indicate attempts at fraud and possible identity theft.

Although you might think that this act only applies to organizations such as credit bureaus, banks, and retailers, its reach is actually far greater. You could easily have FACTA-covered data if you've done background checks on your employees and job applicants.

Gramm–Leach–Bliley

The Financial Modernization Act of 1999, also known as the Gramm–Leach–Bliley Act (named for its Republican Party sponsors Phil Gramm, Jim Leach, and Thomas Bliley), or GLB Act, has provisions to protect consumers’ personal financial information held by financial institutions. The act is enforced by multiple federal agencies as well as states. It affects not only banks, insurance companies, and securities firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.

The GLB Act consists of three sections:

The Financial Privacy Rule, which regulates the collection and disclosure of private financial information.

The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information.

The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses).

For IT, it's important to note that the act directs each agency or authority described in Section 6805(a) of the act to establish appropriate standards for the financial institutions subject to its jurisdiction relating to administrative, technical, and physical safeguards:

1. To ensure the security and confidentiality of customer records and information.
2. To protect against any anticipated threats or hazards to the security or integrity of such records.
3. To protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

GLB also requires the safeguarding of “nonpublic personal information,” which includes nonpublic “personally identifiable financial information,” such as any information (1) a consumer provides to obtain a financial product or service and (2) about a consumer resulting from any transaction involving a financial product or service or otherwise obtained about a consumer in connection with providing a financial product or service (www.ftc.gov/privacy/glbact/glboutline.pdf).

The act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices. In 2008 and 2009, GLB received criticism as a contributing factor in the subprime mortgage crisis, as GLB repealed the Glass–Steagall Act of 1933, thereby allowing banks, securities companies, and insurance companies to compete with one another directly and leading to the creation of financial conglomerates such as Citigroup.

U.S. Securities

Rule 342 of the New York Stock Exchange (NYSE) states that member organizations shall have “internal supervision and control of the organization and compliance with securities’ laws and regulations.” The rule also provides that member organizations have “reasonable procedures for review of registered representatives’ communications with the public.”

Rule 440 of the NYSE requires that “every member organization shall make and preserve books and records as the Exchange may prescribe and as prescribed by [SEC] Rule 17a-3. The record keeping format, medium, and retention period shall comply with Rule 17a-4 under the Securities Exchange Act of 1934.”

Rule 17a-3 of the Securities and Exchange Act of 1934 defines the requirement to keep various types of records.

Rule 17a-4 of the Securities and Exchange Act of 1934 provides that “broker and dealer shall preserve for a period of not less than 3 years, the first two years in an accessible place … originals of all communications received and copies of all communications sent by such member, broker, or dealer (including interoffice memoranda and communications) relating to his business as such.”

Rule 3010 of the National Association of Securities Dealers (NASD) requires that member firms establish and maintain a system to “supervise” the activities of each registered representative, including transactions and correspondence (which includes e-mail) with the public. In addition, NASD 3110 requires that member firms implement a retention program for all correspondence involving registered representatives.

Patriot Act

The USA Patriot Act (formally called Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) was passed in the wake of the terrorist attacks of September 11, 2001. While the act provides primarily for giving greater latitude to the U.S. government, it does have its impact on the private sector.

The act has a number of requirements for financial institutions in regard to verifying customers’ identities and determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations (thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03162:). The act has been quite controversial, particularly as it relates to issues of civil rights and privacy. The act's provisions have been amended over the years.

Dodd–Frank Act

This bill was passed in direct response to the massive financial collapse that occurred in 2008 and 2009. It more stringently regulates the U.S. financial system with the goal of preventing another meltdown. The Act created a host of new agencies (while merging and removing others) with a goal of streamlining the regulatory structure, and increasing oversight of specific institutions regarded as a significant risk. The Act establishes rigorous standards and supervision to protect the economy and American consumers, investors, and businesses, and eliminates the loopholes that led to the economic recession.

Office of Foreign Assets Control (OFAC)

OFAC is part of the U.S. Department of Treasury and administers and enforces economic sanction programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers. OFAC regulations prohibit individuals and businesses from transacting business with specific individuals, organizations, and countries. Compliance with OFAC regulations requires checking the names of customers against the OFAC list.

CLERP-9 (Australia)

The Australian Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (more commonly known as CLERP-9) came into effect on July 1, 2004, and is designed to restore confidence in the market after a number of high-profile corporate collapses.

CLERP-9 is a substantial piece of legislation that in many ways is comparable to the Sarbanes–Oxley legislation in that it includes reforms relating to:

Disclosure of directors’ remuneration

Financial reporting

Auditors’ independence

Continuous disclosure

Enhanced penalty provisions

Also, like SOX, misstatement of financials under CLERP can lead to jail time, fines, or both for executives.

Personal Information Protection and Electronic Documents Act (PIPEDA)
