Big Banks Ally for Data Security Program

By Lisa Vaas  |  Posted 2006-02-01 Print this article Print

Major financial institutions are banding together to adopt common guidelines that ensure that their customers' data is protected.

Big banks are confronting technology service providers to learn how their customers sensitive data is being protected from security breaches. The Wall Street Journal on Feb. 1 reported that Wells Fargo, Bank of New York, Bank of America, Citigroup, J.P. Morgan Chase and U.S. Bancorp, backed by major accounting firms and a financial services industry group, are adopting common guidelines to which suppliers will be required to adhere. Such service suppliers include telecommunications companies and data-service hosting companies such as IBM.
The program, called the Financial Institution Shared Assessments Program, aims to do away with what is now a considerable amount of wasted resources on the part of financial institutions as they call on service providers for information needed to appease auditors.
Peoples Bank loses a tape containing confidential information. Read more here. "Third-party providers are providing some information, but financial institutions are using their own resources to continue" seeking additional information on a broad array of security details, according to Faith Boettger, a senior consultant to BITS, the industry group behind the project. The effort is aimed at making it easier on both sides: for the financial institutions that need the information, and for the service providers that are getting deluged with invariably disparate and often redundant requests. "Service providers receive inconsistent audit information and requests," Boettger said in an interview with eWEEK. "Were looking at a standardized way of obtaining that information." The new policy wont just touch on what level of encryption providers put on data or what security protects databases that contain customer information, although those are two of the granular details it will touch on. Rather, the policy will cover a providers entire security ecosystem. The group is putting together a standardized questionnaire that will touch on service providers security policy, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, business continuity and regulatory issues. The questionnaire will be released on Feb. 9, as will a set of agreed-upon procedures. On the same day, BITS also plans to announce the formation of a working group to ensure ongoing education and coordination of the program, Boettger said. IBM extends its hosted client offerings to banks. Click here to read more. IBM, Acxiom, First Data, Viewpointe and Yodlee participated in a pilot of the program last year and have agreed to participate when the program is expanded this month, according to the Wall Street Journal article. Priscilla Rabbayres, a global regulatory executive in the financial services sector for IBM, told eWEEK that IBM considers the financial institutions efforts to be of "enormous importance," particularly given the times. "If we look back even a year ago, this was an important issue, but it really came to life with the California legislation of 2003 [that required enterprises to inform customers of security breaches]," she said. "Since then, with reports we see in the press on a regular basis, secure data has been lost through high-tech means, through low-tech means, pretty much any which way." As it is, the FCC on Feb. 1 proposed fining AT&T for a missing privacy report. On the same day, the Boston Globe ran a full-page letter apologizing for packing bundles with paper containing the credit card numbers of some 200,000 subscribers. Along with this increasing leakiness of data repositories comes auditors interest in them. "Regulators are looking at this very carefully," Rabbayres said. "Enforcement penalties are now becoming the norm. Everybodys on notice—not just financial services companies. It behooves them to ensure theyre appropriately handling confidential information of customers as well as confidential corporate information, because its being targeted." Until fairly recently, Rabbayres said, the efforts by financial services companies to evaluate the security levels of service providers in order to satisfy auditors have been "somewhat diverse," she said. "One service provider may look at one standard, another at another aspect," she said. "It hasnt been an easy prospect to know which service providers do provide state of the art" security measures. At issue is consumer confidence. "With banks, for example, the transformation of the service industry depends on the confidence in online banking," Rabbayres said. "If consumers shy away because they think information wont be secure, that has a major impact on the business of financial institutions." The program pilot looked at a range of security capabilities in place at IBM and other providers, Rabbayres said, including their methodology of assessment of security capabilities. That methodology deals with resilience, what kind of hardware and software is used, what processes are in place, and how providers interact with financial institutions. Check out eWEEK.coms for the latest database news, reviews and analysis.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel