Regulation Effects to the Payment Industry: AMEX is a Bank

So, there are tremendous implications for their business model, but to place the spotlight on one area lets focus on data security and regulations (my favorite).  AMEX is one of the organizations that built the PCI DSS, PCI SSC, and all recent publications.  The intent of PCI was to have industry forced mandates that protect cardholder data.  As private companies, Visa and MasterCard, had a lot of leeway on how they handled operations and were able to contain the management of requirements.  Given the IPOs of these two associations, and now AMEX becoming a bank does present a future that is far different then it was 3 months ago and 12 months ago.
Banks are regulated under extensive regulations and there is substantial information surrounding the safeguarding of data through information technology controls.  The FFIEC books are world renowned for their coverage in this area.  In addition to these known requirements there are additional third party requirements that will be introduced.  If anyone has done with a financial institution that is required to abide by GLBA, they know that they too must satisfy the requirements.
My highlighting of GLBA and regulatory leakage (when requirements of one trickle down into other sectors of the economy – SOX anyone) is that while PCI DSS is here to stay, there must be greater forms of validation surround Information Technology and Controls.  Those who operate within the payment industry would be strongly advised to continue to practice PCI DSS, but also maintain a more holistic view of contributing and supportive regulation mandates to ensure smooth operations in the near future.
Other thoughts on how AMEX becoming bank will impact business?

Kind regards,

James DeLuccia IV

Event Update:  BOOK Signing, Free Tastings, and such at Starbucks 1400 Dunwoody Rd, 2-4pm Nov. 23rd. (there will be prizes, so feel free to stop by even for just a moment!)

The western hemisphere ahead of AsiaPacific

“Medicine rarely tastes good. The introduction of Sarbanes Oxley was, for many, accompanied by significant distaste for the idea. In the longer term, it does appear that those institutions exposed to the rigours of more exacting compliance regimes have made more progress with developing integrated governance and controls frameworks.
Financial institutions in the western hemisphere are ahead of their eastern colleagues. Our analysis shows only a quarter of financial firms operating worldwide have a reasonably integrated compliance and controls framework – all of these firms are from the west. These results suggest there is much to do in the Asia Pacific region both in continuing to create regulatory regimes and continuing to raise the quality of internal governance and control systems. “

A published research study by Deloitte, quoted above, highlights the importance of integrating compliance, governance, security controls, and risk management into a enterprise control environment.  The economies of scale translate to approximately 2.5% difference in expenses incurred, and at current $78 billion in expense that is a material impact on any companies bottom line.  In addition, “Banks, insurers and investment banks have all seen the costs for governance and control rise by around a third between
2003 and 2006.”
Check out the article here, and consider how integrated is your control environment?  Have you eliminated the silos that manifest themselves over time?  Are you leveraging the full value of your technology infrastructure, your licenses, your power consumption?

Always Curious,

James DeLuccia

IIA South Eastern Regional Conference Day 2.1 – Effective Compliance Programs

The second day of the conference was excellent. Everyone I spoke with regarding the speakers, topics, and materials thought day 2 was the best and blew away the first day. I had the privilege to attend several sessions that focused on Corporate Governance, Audit Committee Oversight duties, Fraud Risk Assessments, and Effective Audit techniques. I was unable to attend the full day on Wednesday, Day 3, but was able to enjoy Ed Robinson’s presentation and a thorough breakdown on the Foreign Corrupt Practices Act (FCPA). I will post my notes from the conference in sections given the need to digest all that I heard prior to posting:

“Structuring an Effective / Comprehensive Compliance Program“, was presented as a panel discussion that included several notables on the panel to include – Ryder, OCEG, Turner, and Southern Company.

• It was noted that SOX provided several benefits – attention and resources around the existing compliance program and the motivation to mature. Second, SOX identified how weak many of the technology controls were surrounding the controls of the financial reporting systems.
• A study from the OCEG was presented with several trends and statistics (Available – Check out this post for the OCEG and many more):

• The Status Quo in organizations is the existence of SILOS (Finance, HR, IT) on the management of compliance and control requirements
• Technology solutions are trending to bridge these SILO gaps and create a central management approach
• 2/3 of companies were found to be adversely effected from redundant/duplicate controls. These included:

• Pain of reconciling disparate data
• Difficult to find the truth

• • 1/2 of all identified failures caused harm and damage to the organization (deficiencies), but these effects were short lived and the memories were quickly forgotten in the organization.
  • Only 14% of respondents had integrated their compliance programs
  • The overarching theme that resonated from the study was the need for consistency and accountability

• Compliance departments must not become the Department of NO. (A role that IT Security once held, and in some cases still holds)
• The existence of a Chief Risk or Compliance Officer is attributed to the FSG (Federal Sentencing Guidelines)
• General overview of the FSG (Mainly pulled from Chapter 8):

• • Possess good policies and procedures
  • Assign a responsible party (Compliance Officer)
  • Existence and presence of a program
  • communicate / Publish / Train on program
  • Enforce the Standards
  • React and address problems
  • “Effective” as defined by the FSG is a program that has the ability to identify and prevent criminal activity
  • Note: The government does not care how much was spent on a safeguard, but only that it is effective – business perspectives must be considered
  • FSG is not a compliance or standard for an organization, but should be incorporated to ensure that the organization is both protected and due care is taken for the personnel

• Challenge of Ethics

• • Organizations can choose to accept fines for non-compliance if only direct costs are considered
  • Ethics are decided based upon social duties, doing the right thing, and based on the maturity of the business

• When dealing with auditors, create a relationship and seek to understand the intent of the effort

• Understanding the reasons information is sought allows for the organization to provide the correct information.

• OCEG – the Red Book published in its current form has recommendations on establishing a compliance program
• The risk faced by an organization can come from a number of areas and must be centrally responsible to a core group, i.e. the Compliance group. These risks may be categorized as environmental, compliance, people, ethics, regulations, and business
• A simple method of gaining acceptance by business parties is to first identify the risks (see categories above), second vet these against a formal corporate compliance steering committee (vet and weigh the risks), third give business another pass, and finally compare these digested risks and ratings against any multinational rankings.
• Benchmarking is very important to ensure a business is not over spending or falling behind in the technology innovations. Benchmarks can be gathered through OCEG and public surveys.
• Several Studies were recommended to include:
  • The Conference Board – a Global Study
  • The Conference Board – Emerging Governance Practices in Enterprise Risk Management
• A common refrain by the panel was that compliance programs should promote the delivery of advanced information on compliance to satisfy the concern of management, the Board, and the Audit Committee
• Some takeaway tips from the session:
  • Develop an Agree Upon Procedure process for GRC
  • Define hard metrics for a framework – consider OCEG Red Book
  • Become certified – whether by ANSI, OCEG, or others
  • A tip by the OCEG spokeswoman was that everyone should join the OCEG study survey process, because all participants get a free customized report that provides benchmarks based on each survey.

Benchmark, Benchmark, Benchmark:

• There are some statistics that are not easy to locate and absorb into an organization for comparison that are timely or complete, however a great tip provided by the panel was to look after bad reports!
• Bad compliance or failed audit reports that are made public in proxy filings and by government agencies contain huge amounts of information on what was done wrong – Fannie Mae (348 page report worthy of any good flight across the pond), Boeing, CA)
• Take advantage of free webinars to learn about latest interpretations of laws and requirements

The greatest theme that resonated throughout this session, one-on-one interviews and discussions I had, and those of other sessions can be summed up in the following points:

• Seek to understand an organization’s culture – even transformational leaders must understand where the river flows before effecting change.
• Identify areas of value from the compliance program beyond avoiding fines, and contribute to the mission of the business
• Risk Assessments (of all risk categories) are a necessary starting point before any audit and monitoring is possible.
• Communicate in a language that can be understood – and gain a presence with the Directors and executive management.

A huge overview, and I hope some value to anyone seeking to hone their compliance programs. There is a tremendous amount of thought leadership in this area, and I encourage anyone to contact me to discuss these points.

Best regards,

James DeLuccia IV

U.S. Markets Competitive (again?) – SOX and company are good

Ernst and Young’s global survey released today indicated that despite popular press and political dancing (Paulson Interim Report, Bloomberg/Schumer Report) the U.S. IS, in fact, competitive. This is despite the existence of a strongly regulated market, and one where SOX, at full strength, did not, apparently, hurt the US. market prospects. The study showed that the U.S. generated the largest number of IPOs in 2006, and raised $34.1 billion dollars.

In addition to a stellar 2006, 2007 is working up to be another blockbuster year with the first quarter opening strongly. Plus massive private-equity IPOs (Blackstone, Carlyle, etc…) can only bolster the market as a whole new type of financial industry comes online.

“The fourth quarter of 2006 was the busiest for IPO activity by U.S. companies since 1999, raising $12.4 billion in 72 IPOs,” said Maria Pinelli, Americas Strategic Growth Markets Leader at Ernst & Young LLP. “In 2007, U.S.-based company activity continues to feed into the U.S. stock markets, which also attract key international IPOs, particularly in knowledge-driven sectors like technology and healthcare. Deal sizes are larger than ever and private equity is backing many of them.”

E&Y has some great additional details regarding the study, and I encourage everyone to review the data. The importance of this information is it represents a quantifiable demonstration of the impacts from a heavily regulated financial market and the preference of companies to “go public”.

The past several months have seen massive debate regarding regulations such as SOX, and their negative impacts. These papers, while supported by well researched financial data, are not consistent with the market performance and entrance of companies into the public markets.  A simple search via Google news will present the volumes of debate regarding SOX and competitiveness in the U.S.

The takeaway – Companies are going public in the U.S. with a heavily regulated environment. The U.S. markets may be more expensive to operate within as a company, but the upside from massive amounts of equity and a more transparent operational norm appears to be better for everyone.  This conclusion has also been supported by several academic studies recently highlighted at the WSJ.

A tangent from internal controls, but highly valuable as the question of regulation and controls comes under fire.

James

New format – New Feature

As the hundreds of non-rss readers know, a few days ago I switched the theme of this site to a simpler and easier to read layout. So, if you were tired of the dark fonts and murky background please come by and let me know your feedback. I will still focus on PCI DSS, of course, but will be continuing to expand the topics covered on this site to include global IT control regulations. What does that mean? Well, any standard U.S., EU, and anywhere else will be given some room. I will attempt to not merely repeat the obvious when news breaks, but instead focus on posting intelligent perspectives on the changes around the world.

Another change to the site is the “NEWS Feed” on the right hand side of this site. Please check it out, and feel free to set those as an RSS feed too. The NEWS Feed is my filter on what is important around the globe on the above topics. I sort through literally hundreds of posts, news items, client emails, and service provider information in an attempt to clear out the noise.

It is a new year (my fiscal year clearly is not following the Dec 31 date), and the plan for this site is simple. Keep posting helpful information whenever possible, and don’t simply post to post. On a personal note, I will update the Press Release page and About soon – and look forward to everyone’s comments and suggestions.

Always,

James DeLuccia IV