Strategy + Business
In banking, as in other heavily regulated industries such as utilities and health care, keeping abreast of federal regulatory requirements is of paramount importance. To avoid an endless cycle of reacting to new regulations, banks [and business in other regulated industries] must anticipate the regulatory fallout from problems such as identify theft, and implement solutions that address existing and longer-term security issues. Leaders should consider decentralized security structures to enable a faster response to new rules. Making customers aware of new security measures is also vital and can help mitigate risk.

. . .

[...] Companies in heavily regulated industries, a group that includes pharmaceuticals, health care, and utilities, often act as though the regulations that besiege them are irritating trivialities. However, new requirements can offer companies an opportunity to escape the cycle. For instance, instead of maintaining an ad hoc approach to foiling invasions and complying with regulations, banks should craft an overall public-facing security strategy. Although it can be difficult to persuade senior management to invest in long-range plans, there’s no better time to do it than when they are in the shadow of an imminent regulatory deadline — especially one that is disrupting the entire organization as the company marshals its resources to deal with it.

For example, in aiming to go beyond regulatory compliance and achieve security excellence, banks can institute a mechanism for self-analysis and self-improvement that allows them to anticipate their future security needs. In doing so, they will meet their current burden of compliance, lessen the impact of any future regulatory guidance, reduce their risk exposure, and address customers’ concerns about the security of online banking.

[...] The second element is an effective organizational structure to manage the initiative. A common roadblock to implementing new security standards is a decentralized company, which can lead to inconsistent approaches to IT security across the enterprise, along with incomplete monitoring and accountability. However, piecemeal fixes will not work. Grafting a centralized security program onto a decentralized organization often results in the corporate equivalent of organ rejection.

How might banks address this issue? They can create a hybrid centralized–decentralized model, in which critical compliance activities and governance oversight are centrally managed, while less critical functions remain with the business units. Alternatively, banks can construct enforcement mechanisms that shift the burden of compliance to the heads of the business units, rather than keep it centralized at corporate headquarters. Regardless of the specific solution, banks can manage risk exposure and regulatory compliance in a uniform fashion only if they have the requisite organizational structures in place.

The final element of a robust risk-mitigation program, customer awareness, can be a key component of a company’s defense against fraud and identity theft. A well-educated bank customer can more easily spot phony come-ons, like phishing e-mails, and avoid being deceived. In fact, many banks are finding that educated consumers are their front line of defense in reporting phishing and other fraud attempts. One basic but effective measure is to advise customers to always type the bank’s Web address into their Internet browser rather than click on a link in an e-mail, because the e-mail may be fraudulent.

Furthermore, making customers aware of enhanced online security is a key differentiator in the marketplace. In a 2005 survey by Deutsche Bank Research, “security offering” was far and away the most important feature to prospective online banking customers, with 87 percent calling it their top priority. A well-publicized security program could prove a significant lure to new customers in the highly competitive banking environment.

Any highly regulated industry will face similar vicious cycles of its own and should be thinking about approaches for leaping ahead of regulatory requirements. The common thread is that simply responding to regulatory guidance will never be enough. Anticipatory thinking is the only way to avoid being caught in the middle of an endless series of provocation and regulation.

Labels: risk mitigation, security