Thursday, March 4, 2010

Regulatory Priorities for the Financial Industry in 2010

The Financial Industry Regulatory Authority (FINRA) just released its annual letter highlighting the examination priorities for 2010.

Once again, FINRA expects Identity and Access Intelligence (IAI) to be a significant priority for regulatory examiners.

This continues a regulatory focus on IAI seen last year when FINRA's 2009 letter stated:
"Insider threats remain an elevated risk, especially during this time of corporate downsizing in response to current economic conditions. FINRA has seen several high-profile problems result from poor IT account management within the employee ranks. Systems that are used to control employee activities and provide a check and balance should be reviewed to ensure that only currently authorized personnel are granted access to these systems. The same holds true for other systems, such as trading systems that can be used to commit firms to a trade or contract.  Weaknesses in these controls can be costly and can significantly damage a firm’s business and/or reputation."
This year the letter highlights the need for Identity and Access Intelligence in mergers and acquisitions, particularly in relation to insider threats from disgruntled employees and contractors.
"The substantial integration efforts involved in combining two entities present unique opportunities for regulatory risk...firms may need to address heightened insider threats and system attacks resulting from layoffs and otherwise disgruntled personnel... firms must ... update system entitlements and physical access restrictions"
In addition, FINRA's 2010 focus on the protection of customer information includes an emphasis on Identity and Access Intelligence for systems containing customer information.
"Firms can also be susceptible to malicious internal activity. Insiders may include employees, ex-employees, contractors or vendors. A disgruntled employee often has more access and ability than an external intruder to harm a firm or its customers." "Firms should also consider how they mitigate the risk of insider threats, such as through internal surveillance, monitoring and controls."
The good news is that financial service firms can get outside help with Identity and Access Intelligence from Veriphyr, whose on-demand service does the grunt work of identifying user access policy exceptions, such as excessive access rights, shared logins, and dormant accounts. The FINRA 2010 letter highlights service providers as a source for addressing compliance.
"While a firm may never contract away its supervisory and compliance activities from its direct control. This prohibition, however, does not preclude a firm from outsourcing certain activities that support the performance of its supervisory and compliance responsibilities."
View a 3 minute video demonstration of the Veriphyr identity and access intelligence service.

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.
