Reading the Anhörung Teilrevision FINMA-RS 08/21 „Operationelle Risiken Banken“ (Appendix 3 to the FINMA Circular 2008/21 “Operational Risks – Banks”) makes you ask yourself the age old question: which came first, the chicken or the egg?
The chicken: In an itemized list produced by the Treuhand Kammer (Schweizerische Kammer der Wirtschaftsprüfer und Steuerexperten, http://www.treuhand-kammer.ch/), this Appendix states that a Governance Framework should exist within the organization. This framework should maintain a level of security standards related to their Client Identifying Data (CID), including regulation of location and access to the data. Security standards for infrastructure and technology should be defined. The selection, monitoring and training of employees with access to CID should also be defined. Most importantly, it should be able to identify and control risks related to the confidentiality of CID. This framework should also be kept in mind when using outsourcing providers to work on large projects in regards to CID. It also requires that in case of such use of outsourcing, clients must be informed, with a specific letter, in detail about the specific activities that take place abroad. This includes information on the protective measures taken to ensure confidentiality.
The egg: Most Identity & Access Governance solutions today provide a framework to manage user data. This includes providing tools that allow continuous certification of access, providing the ability to revoke access across multiple systems in real time in case of breaches of confidentiality, identifying high-risk access users and entitlements and monitoring locations and devices from which such data can be accessed. In the end, such solutions have a two-fold focus: 1) Utilize a “need-to-know” principle where access is granted only for the period of time needed by employees. 2) Provide the ability to monitor access, react and mitigate risks with increased security measures.
In summary, while it may not be easy to answer the chicken or egg question, using an Identity Management solution should allow all banks to comply with the new regulations regarding governance of Client Identifying Data (CID).
Never miss an update by following us and subscribing to our monthly newsletter!