On July 21, 2010, President Barack Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) into law. The Dodd-Frank Act is the most sweeping reform to financial regulation since the Great Depression and has significantly altered the American financial regulatory environment, impacting all federal financial regulatory agencies and influencing practically all aspects of the financial services industry nationwide. Chief among those aspects is information technology (IT).
About the Dodd-Frank Act
According to the Dodd-Frank Act, a primary intent is, “To promote the financial stability of the United States by improving accountability and transparency in the financial system, to end ‘too big to fail’, to protect the American taxpayer by ending bailouts, to protect consumers from abusive financial services practices, and for other purposes.”
The Dodd-Frank Act has changed the regulatory structure by merging and removing agencies while creating others. It also contains mandates to financial institutions regarding IT practices and controls, specifically system safeguards and recordkeeping requirements for institutions offering investment products. System safeguards include:
- Establishing and maintaining a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures and automated systems that are reliable and secure and have adequate scalable capacity.
- Establishing and maintaining emergency procedures, backup facilities, and a plan for disaster recovery that allow for the timely recovery and resumption of operations and the fulfillment of the responsibilities and obligations of the facility.
- Periodically conducting tests to verify that the backup resources of the facility are sufficient to ensure continued order processing and trade matching, price reporting, market surveillance, and maintenance of a comprehensive and accurate audit trail.
Regarding recordkeeping, the Dodd-Frank Act specifies that “each organization shall maintain records of all activities related to the business of the facility, including a complete audit trail in a form and manner that is acceptable to the Commission and for a period of not less than 5 years.”
Implications to Information Technology
Financial institutions are required to implement technologies that protect their shareholders and minimize risks. In order to do this, banks are looking at state-of-the-art tools and processes to address:
- Data Retention and Archiving: The Dodd-Frank Act will require banks to maintain records for no less than five years. This will necessitate the use of archival technology that stores data in Write Once Read Many (WORM) format, which protects the integrity of the information by preventing alterations after it is written. Banks will also want a means to search and retrieve archived documentation so that employees can view data in its original format from any location and at the time it is needed. Archival mechanisms must be able to capture message traffic, both incoming and outgoing, without disrupting the flow of e-mail or instant messaging.
- Disaster Recovery: Financial institutions will need to revisit their disaster recovery programs to make sure they include steps to support their entire infrastructure, including the hardware, software, and sites needed to restore mission-critical services such as e-mail and voice communications. Backup tapes alone will no longer be sufficient as a substitute for a disaster recovery system, because reliance on tape carries risks such as extensive recovery times, damage to tapes left on site too long or damaged in transit, and information being inaccessible during a disaster or outage. As before, financial institutions will need to prioritize their systems in terms of how much downtime and unavailability of data they can tolerate. A risk assessment of the IT environment will help determine the technologies to be employed to ensure timely restoration of critical systems.
- Business Continuity Planning: In addition to implementing a disaster recovery system, financial institutions may minimize potential disruptions to their businesses by incorporating a framework for maintaining business processes and operations. Business continuity planning helps ensure that critical operations and processes will be available in the event of a disruption. Planning should include a risk assessment, business impact analysis, plan and recovery strategy, and ongoing testing and training.
While regulations have emphasized these areas, many financial institutions have already included these requirements in their due diligence process.
Approaches to Auditing Information Technology
While there is no official guidance from the Federal Financial Institutions Examination Council (FFIEC) for auditing information technology in light of Dodd-Frank Act requirements, common sense should prevail. The following are best practices:
- Management has conducted a risk assessment that comprehensively prioritizes all systems and data, as well as all methods used to access, collect, store, use, transmit, protect, or dispose of customer information (including vendors with access to customer information). The risk assessment should include the technology that handles communication, such as e-mail and voice, in its risk ranking.
At times, financial institutions will risk rank everything equally under the premise that all of their systems and processes are critical. Management will need to be reminded that it must decide which systems and processes need to be up and running first, and how long the institution can go without critical data, so that it knows how it will respond under a disaster scenario. The auditor should be asking, “In the event of a disaster, when management must make a choice, which systems and data will the institution need to restore first?”
- Management has sufficient backup and archival mechanisms in place to obtain near-instantaneous restoration and availability of data. While many financial institutions have upgraded their backup systems and processes, others still rely on tape backup and transport to remote locations, which may no longer meet the expectations of the regulators. The auditor will need to inform management that while tape backups and off-site storage were previously acceptable, expectations have changed along with newer technologies that are increasingly affordable and available.
- Management has instituted a business continuity plan to ensure that the institution may resume business operations without unnecessary interruption. The auditor should determine if the plan includes at a minimum:
- An accurate employee/manager contact tree.
- Responsibilities and decision-making authorities for designated teams and/or staff members.
- Emergency preparedness and crisis management aspects.
- Actions to be taken in specific emergency situations.
- Voice communications.
The auditor may also test to see if the plan requirements cover the:
- Numbers and types of desks, whether dedicated or shared, required outside of the primary business location in the secondary location.
- Individuals involved in the recovery effort along with their contact and technical details.
- Applications and application data required from the secondary location desks for critical business functions.
- Manual workaround solutions.
- Maximum outage allowed for the applications.
- Peripheral requirements such as printers, copiers, fax machines, calculators, paper, pens, etc.
Executives and management leading financial institutions, information technology professionals, and financial and information technology auditors will need to stay informed about the development of regulatory measures to monitor and enforce compliance with the Dodd-Frank Act. While there are some common-sense approaches for remaining vigilant, official guidance may be forthcoming.