Blog 
Archive for the ‘Vicki’ Category
Tags: SEC Document Destruction; SEC File Purging Posted by admin on August 23rd, 2011 | Comments (3)
The Financial Times recently reported that the SEC may have destroyed over 9,000 documents related to the legal investigations of various financial groups, including SAC Capital, Bernard Madoff and Goldman Sachs. Sen. Charles Grassley (R-IA) is quoted as saying “If these charges are true, the agency needs to explain why it destroyed documents, how many documents it destroyed over what time frame, and to what extent its actions were consistent with the law.” Apparently this is not the first time that the SEC’s actions have been scrutinized. According to the article, Sen. Grassley “has repeatedly questioned the agency’s enforcement actions and procedures.” While it is unclear how or why the SEC destroyed the documents, the accusations are alarming, especially during this time of economic turmoil. Moreover, there is a hint of irony to the story in that the organization responsible for holding financial organizations accountable for their services is unable to account for its own actions. Herein lies one of the problems with the financial and securities regulation sector in general – no best practices, guidelines, or standards exist to guide these organizations in the management of their investigative records, that is, evidence collected and created by investigators and litigators.
It is clear that large amounts of evidence, in all forms and formats, are placing strains on financial and securities organizations. Within the financial and securities regulator community there is no established set of best practices or international standard that guides these organizations on how best to manage their investigative records. Such a document may provide the necessary guidance for these organizations to, among other actions, offer best case management practice, establish the necessary measures for proper chain of custody needed to protect the authenticity of the document, and determine appropriate retention and disposition periods. Following an established set of guidelines, best practices, and/or international standards instills a level of accountability among any organization’s community and peer institutions. This documentation should also lead to the creation of internal documentation by each organization, such as policies and procedures, leading to the education of staff to better manage their records, the creation of necessary units or departments to handle the flow of evidence within the organization, and, most importantly, the support of senior management (or at the very least senior management sign off on the documentation).
The unfortunate attention that the SEC has received highlights the need for a set of best practices, guidelines, and/or international standards for financial and securities regulators. A recent project conducted by the author as part of CiFER entitled “Guidelines for Managing Records Created in the Investigative and Litigation Process” resulted in a White Paper proposing an initial set of guidelines for these organizations. These guidelines merge legal and recordkeeping requirements, drawing on a variety of sources such as academic literature, legal requirements, interviews with individuals from several financial and securities organizations, and relevant documentation. By adopting these recommendations, financial and securities regulators will strengthen the management of their investigative records. These practices will enable regulatory organizations to more effectively and efficiently respond to legal challenges and be able to better justify their actions when they come under close scrutiny by external groups, such as the Congressional Committee led by Sen. Grassley.
The proposed Guidelines may be found on CiFER’s website: http://www.ciferresearch.org/products_service/products
Donald C. Force
August 23, 2011
Posted by admin on September 1st, 2010 | Comments (2)
The recent computer glitch at Barclays Bank in the UK prevented customers from withdrawing money from cash machines and brought down telephone and internet banking services. While the reasons for this glitch are yet unknown, this case is not an isolated incident in the banking industry. Just a month before the system failure at Barclays Bank, DBS Bank in Singapore encountered a system failure resulting in a 7-hour downtime in cash machine, internet and mobile banking services. An investigation revealed that this was largely a human error. IBM engineers did not abide by correct procedures in changing a faulty cable to the bank’s storage system four times. The system shut down to protect data, resulting in a disruption of banking services. IBM has been DBS’ network vendor since 2002.
While outsourcing of IT services is nothing new and allows financial institutions to focus on their core functions, some financial institutions may need to be reminded that outsourcing is not a strategy to transfer their risks to a third party. Outsourcing does not negate their responsibility in meeting regulatory requirements. The Monetary Authority of Singapore (MAS), Singapore’s central bank and financial regulatory body, rebuked DBS for not putting in place a technology risk management framework of its mainframe storage network and imposed an additional $230 million of regulatory capital for operational risks. MAS also requested DBS to conduct an internal review of its system, to diversify its risk exposure so that it does not become overly reliant on a single service provider and to assess the ability of service providers in meeting the banks’ service level standards. The MAS, in a strongly worded press release, said “MAS takes a serious view of this incident. We expect all financial institutions to put in place a robust technology risk management framework that will ensure the reliability, resiliency and speedy recoverability of the institution’s IT systems and infrastructure, whether outsourced or in-house. We have recently written to the CEOs of all financial institutions to remind them of this. MAS will not hesitate to take appropriate supervisory action against any financial institution which fails to meet the standards set in the Internet Banking and Technology Risk Management Guidelines.” The bottom line: it pays for financial institutions to keep a close eye on technology risk as, in addition to business losses from system outages, there can be regulatory fines.
Elaine Goh, CiFER Research Team
Tags: JP Morgan Fine Posted by admin on June 6th, 2010 | No Comments
It may seem strange to say that we might have seen the JP Morgan fine concerning client money coming. Following the collapse of Lehman Brothers, the FSA fired a warning shot off its bow in a Dear Compliance Officer letter in March 2009 in which it stated, "Recent firm visits suggest that many firms do not have the appropriate trust acknowledgements in place. Where these are placed on file, we found instances where the documentation had not been executed in the name of the relevant bank or with appropriate authority on behalf of the relevant bank. Creating and operating these accounts are of paramount importance in establishing trust status for the benefit of the underlying client, the purpose of which again is only apparent on insolvency. . . In periods of market turbulence, we would anticipate that firms would conduct due diligence more frequently. We are reminding firms to document their due diligence."
The reason that the FSA has become so exercised about a so-called “administrative error” is that this particular error has been implicated in the global economic crisis; namely, poor trust documentation surrounding the process of rehypothecation – the process by which a dealer lends out collateral posted by a client to another counterparty. Rehypothecation of client assets was one of the “dominant drivers of contagion” during the financial crisis, amplifying the market turmoil in the wake of the Lehman Brothers collapse, according to the Senior Supervisors’ Group (SSG). The body, consisting of financial regulators from the US, Japan, Germany, France, the UK, Canada and Switzerland, made the assertion in its Risk Management Lessons from the Global Banking Crisis of 2008 report. The authors noted that, following the bankruptcy of Lehman Brothers International Europe, clients that had elected to allow the dealer to rehypothecate their assets found themselves caught in the bankruptcy as mere unsecured creditors to the estate, rather than having their assets preserved in segregated customer accounts.
As a result, counterparties that should not have been significantly affected by the collapse of the dealer found their assets trapped in the insolvency, shrinking their funding base and dragging a host of additional institutions into a precarious fiscal position, further deepening the crisis. Lehman Brothers’ administrators PricewaterhouseCoopers confirmed that more than $40 billion in hedge fund collateral had been swallowed in the collapse. Custody of assets and rehypothecation practices were dominant drivers of contagion, transmitting liquidity risks to other firms. The loss of rehypothecated assets and the “freezing” of custody assets created alarm in the hedge fund community and led to an outflow of positions from similar accounts at other firms. Some firms’ use of liquidity from rehypothecated assets to finance proprietary positions also exacerbated funding stresses, the authors concluded. At the heart of the problem lay a failure to keep accurate and complete trust documentation. Given this latest move by the FSA, risk managers are warned to establish regular checks on the quality of this type of documentation.
Dr. Victoria Lemieux, CiFER
Posted by admin on January 30th, 2010 | Comments (5)
I recently attended an interesting educational session held by the Vancouver Chapter of ISACA. At that talk, one of the presenters likened social media to cocktail parties on steroids. As with cocktail parties, social media sites offer the good and the bad. On the plus side, there is information sharing, resource evaluation and service rating and on the bad side there is the too much information phenomenon, narcissistic posturing, and sometimes creepy stalking. For better or worse, social media is here to stay and organizations, including financial institutions, recognize that they need to learn how to maximize the benefits and manage the risks in the brave new world of Enterprise 2.0 or face being left behind the pack as an Enterprise 1.0.
Some of the business benefits of using social media include: recruitment of new employees through sites such as People.com, Zoominfo or LinkedIn; employee retention, especially of the so-called Millennials who are said to thrive on using social media technology; crowdsourcing initiatives such as Starbucks Coffee that uses social media to ask customers what they think about everything from service to advertising; creation of connections internally to leverage in-house knowledge and talent; creation of a collaborative, continuous and connected learning environment. Many excellent examples of how social media can be used to good effect within the Enterprise 2.0 can be found on www.Socialmedia.org.
But what of the risks? Fans of social media will tell you there are risks in not adopting social media – of remaining an Enterprise 1.0 in a Web 2.0 world. Frustrated employees can end up creating skunk works social media projects; loss of brand control in a Web 2.0 world leading to reputational damage; loss of market share to competitors who are using social media to gain market share; and low employee morale and high employee turnover. These opportunity costs all add up to a compelling case for most organizations to jump on the Enterprise 2.0 bandwagon.
Even the biggest fans of social media do not advise adopting it in an uncontrolled manner, however. The key to successfully mitigating the risks associated with adoption of social media is governance. For the Enterprise 2.0, governance includes: a clear social media business strategy; a clear social media policy or set of guidelines for employees outlining appropriate use; developing the right infrastructure (e.g., several different social media platforms in one organization on which employees must maintain profiles and keep up-to-date will only add more work and create frustration, not help retain and enable good people); active sentiment monitoring of the organization’s brand in the “blogosphere” and on social media sites; a proactive organizational protocol for responding to negative sentiments or social media “incidents”; adequate privacy and security policies and controls.
What I am not hearing about from many firms yet is recognition of the need to ensure that business communications exchanged using social media are captured and controlled in a manner that is consistent with the management of other business communications, such as email, and that policies, procedures and plans are in place to ensure that the way in which these communications are handled meets legal, regulatory and e-discovery requirements. Financial institutions, along with other organizations, should be incorporating social media archival retention/preservation plans into their existing archival plans. Those who don’t risk the kinds of stiff penalties that have, in the past, accompanied failures to properly manage and preserve emails. Just last week, FINRA, the US Financial Industry Regulatory Authority, issued an advisory notice (http://www.finra.org/Industry/Regulation/Notices/2010/P120760) requiring that brokerages record employees’ business-related postings on Web sites such as Facebook, Twitter and LinkedIn to ensure brokers don’t skirt internal controls. The advisory note also said that firms that archive client communications including e-mails need to adopt similar policies for social networking sites and may use software to automatically log brokers’ Web messages. Some technology providers are developing systems that are intended to enable firms to retain records of communications made through social networking sites. CiFER will continue to monitor developments and provide updates through future postings.
Dr. Victoria Lemieux, Director, CiFER