Despite the formidable appearance of armored trucks, we can't help but wonder if the industry should devote a bit more time to training drivers how to lock their doors. We say this because there have been two recent incidents of armored vehicles spilling money out the door while driving because of problematic locks. In the first instance, a kind man retrieved the bag of cash that had fallen from the vehicle and flagged down the drivers to return it. In the second instance, and what is perhaps the more likely scenario, when the door of a vehicle driving in MD flew open and sent cash scattering, nearby drivers grabbed all they could and took off with their newfound fortune. State Police subsequently issued a plea for people to return the cash, but we can imagine how far that went.
Just as the banking industry relies on armored trucks to transport cash, the Consumer Financial Protection Bureau (CFPB) relies on a multitude of systems operated and maintained by contractors who may not be entirely within its control. The difficulties came to light in an Oct 30 letter to the agency from US Inspector General Mark Bialek. In his letter, Bialek highlighted the CFPB's reliance on contractors in meeting its mission and the resulting risks. The letter went on to note some of the difficulties organizations face in trying to keep on top of the individual security processes of multiple contractors, particularly in the new world of cloud computing. The letter read, "The CFPB needs to ensure that cloud providers are implementing requirements for records management, electronic discovery, privacy, and information security." Given heightened focus on vendor risk, bankers feel this pain directly, so the CFPB is not alone (and we are sure other regulators and government agencies have a similar issue).
For its part, the CFPB says it has already taken a number of measures to try to strengthen its own oversight of contractor-operated systems. In particular, it has created a control process that examines the potential impact of any and all changes to its systems, including those operated by contractors. It also requires analysis and approval of any such changes. This is a good idea and something banks may want to emulate.
As is the case with the banks, credit unions and securities firms it oversees, the CFPB's protection of individuals' financial information is crucial because any sort of security breach could have wide-reaching ramifications. The sensitivity of the information the CFPB works with on a daily basis has resulted in the agency creating a Chief Privacy Officer role for oversight of its compliance and operational activities. Here again, this is perhaps something for banks to consider.
Most community banks rely heavily upon outside contractors for numerous functions. These run the gamut from core systems to card and ATM services. This reliance also means regulators are very focused on the risks that can come from the use of such contractors. After all, every system is only as strong as the weakest link, so banks need to institute processes to oversee all contractors and monitor security practices. It is also important to consider the potential impact a security breach at a contractor could have on the bank. Finally, procedures should be documented and policies put in place so the bank and regulators know this issue has been addressed.
It's good to know that, in addition to focusing on the risks contractors bring to banks, regulators are also aware of the risks they carry themselves when it comes to protecting information. Given the level of difficulty in reining in electronic theft, any efforts to protect sensitive information can only be a good thing for the industry.