Financial Regulatory Compliance

Financial Regulatory Compliance

Wednesday, November 29, 2006

Governance and Regulatory Compliance

From an IT perspective, governance and regulatory compliance today is primarily about data protection, information security and the organization's general control environment.

In today’s complex regulatory environment, organizations must

  • grapple with the complexities, costs and overlaps of governance requirements (Combined Code, Turnbull, Sarbanes Oxley, Basel 2, etc)
  • comply with a wide range of information-related regulation, from the Data Protection Act to GLBA, HIPAA, PIPEDA and the Computer Misuse Act
  • deal with an increasing exposure to rapidly mutating, sophisticated threats to their information and information assets. These threats exploit a diversity of technical vulnerabilities in IT systems as well as loopholes in procedures and the behavioural characteristics of employees.

Regulatory and commercial penalties for failing to secure information and information assets can be severe and value-destroying; with the exception of the detailed requirements of the PCI standard, regulatory guidance on compliance requirements is, however, still very limited.

IT Governance: Guidelines for Directors provides advice for boards and senior managers on how to approach compliance issues.

Sarbanes Oxley

The emergence of the US Sarbanes Oxley Act in 2002 brought statutory pressure to bear on US-listed organizations to demonstrate corporate governance compliance. These requirements have had significant impacts on the internal control and risk management approaches of listed companies, and compliance with Section 404 and preparation for the new auditing rules have all been major tasks for many US companies. That challenge is now passing to non-US headquartered companies that nevertheless have US listings. Every organization dealing with Sarbanes Oxley needs Practical Implementation Guidance. SEC Regulation Outside the United States is the authoritative guide for non-US companies trading in the US. Most usefully, the Section 404 Implementation Toolkit can save many organizations many millions in implementation dollars.

Best-Practice Compliance Guidance

A best-practice information security framework will support the co-ordination of compliance strategy across multiple channels and guide control responses to multiple threats to all sorts of information assets. While it is clear that no individual information security product is capable of making any user organization 'compliant', those products and services that reflect best-practice guidance will help organizations position themselves most effectively to deal with current and emerging regulatory requirements.

If you would like a copy of our Compliance White Paper: Leveraging Best Practice Frameworks to Simplify Regulatory Compliance, (here is a compliance webinar on the same subject). Please give us the details below and we will email you a download link.

Essential Compliance Reading:

Manager's Guide to Compliance Sarbanes Oxley

Operational Risk and Basel 2

Compliance with Basel 2 means that financial entities must implement appropriate operational risk frameworks. The Basel Handbook provides advice on every possible consequence of the Basel Accord, and Credit Risk Models shows how to keep model performance in line with the requirements of the Basel Accords

Data Protection and Freedom of Information

Around the world, data protection and privacy legislation is increasingly important, and increasingly onerous. It is in this field, in particular, that new laws are emerging on a regular basis. Many of of these overlap, or contradict existing laws, and for few of them is there any detailed regulatory implementation guidance or meaningful case law.

US legislation such as HIPAA, GLBA, SB 1386, OPPA, the Fair Credit Reporting Act (FCRA), Canada's PIPEDA, the EU's Data Protection Directive (implemented slightly differently in each of the EU countries) - and the EU Safe Harbor regulations which enable US companies to escape prosecution under EU regulations - as well as UK legislation such as the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures combine to make compliance a significant challenge for all organizations.

While very specific guidance exists for the UK's Data Protection Act and the Freedom of Information Act, it is not easy for North American and international companies to identify what steps might help them meet this broad range of compliance requirements. This is where ISO/IEC 17799 can be particularly useful. It contains international best practice on information security, and the concepts of confidentiality, integrity and availability of data, which are at the heart of ISO 17799, are also contained in most information-related regulation. We have plotted the 133 controls of ISO 17799:2005 (Annex A of ISO 27001:2005) to key information-related regulation. Please email us if you would like a copy of this document.


In today's increasingly litigious world, preparedness for litigation is a sensible way to manage a basic business risk. Electronic documents (which include all emails) are always critical to any court case, and organizations need to take appropriate action to ensure that they can comply with court requirements for the production of evidence. Best practice in this field is contained in BIP 008, the "Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically", which is contained in a Legal Admissibility Guidance Kit.

Email, Information and Records Management

Email is fundamental to organizational communication. There are potentially significant costs and risks associated with the business use of email, and this includes operational, regulatory, and litigation risk. These risks are changing and evolving and organizations should use best-practice frameworks to guide their response to these risks. Organizations need end-to-end email management, retention, maintenance and archiving solutions that will enable them to simultaneously meet current and emerging business and regulatory requirements. Email solutions should merge with information and records management solutions. Apart from the general information security guidance of ISO/IEC 17799:2005, organizations can turn to the best-practice records management framework contained in ISO 15489. A more detailed specification for electronic records management is contained in Model Requirements for Management of Electronic Records ('MoReq').

Data Retention Periods

Data retention periods are an area that most companies give insufficient attention to. The fact is, for most companies there is a myriad of laws and regulations that determine how long data should be retained - and data includes email and instant messaging information. Of course, this whole area gets more and more complicated when you consider that some emails might contain financial or personnel information and might, therefore, have to be retained for periods different to those for ordinary emails. This compliance paper gives an overview of data retention requirements for the UK. The picture is similar for most companies in their local jurisdictions and much more complicated for multinational companies, or organizations operating in more than one jurisdiction.

Best-practice approaches

ISO 17799, ITIL and CobiT are all potentially part of a best-practice approach to regulatory and corporate governance compliance. The challenge for many organizations is to establish a co-ordinated, integrated framework that draws on all three of these standards. The recently released Joint Framework, put together by the ITGI (owners of CobiT) and the OGC (owners of ITIL) is a significant step in the right direction.

The solution is to adopt a best-practice approach, such as that set out in the internationally recognized information security standard, ISO/IEC 27001:2005. This standard links to all the IT-related regulations and provides completely independent structured guidance for a risk-based approach to securing the confidentiality, availability and integrity of corporate information. It also provides the general control environment within which the specific controls of an internal control structure can most effectively operate. The ISO 27001 Documentation Toolkit provides essential support to organizations implementing the standard.