Compliance Insight with David Schneier

It's Easier to Comply Than Explain Why You Haven't

During my formative years, I developed a tendency to spend considerable time trying to figure out ways to circumvent the myriad systems teenagers and young adults are confronted with. So much of what was expected of me just didn't make sense, and I didn't want to simply go-along-to-get-along. My father would often observe my actions and comment that if I'd spent the time doing what I was supposed to, it would likely take less time than I was spending on my avoidance strategies.

Fast forward a few decades, and I find myself working in an industry where I frequently find myself in the role of observer. By conducting the audits and assessments for our practice, I'm essentially noting the behaviors of our clients and providing an opinion as to whether or not they're doing what's necessary to protect their customers/members and be compliant with the various regulations governing the industry. And it's with a touch of irony that I'm able to appreciate the very same perspective my father shared with me lo those many years ago.

Our client base spans the spectrum of regulatory compliance from industrial strength and effective to bare-bones and ineffective. In the past week I've worked with clients on both ends of this spectrum (as I often do), and find the contrast to be fascinating. There are almost always obvious reasons how or why they've found themselves in their current compliance profiles. The strong ones typically are either better funded or have management in place that is compliance-focused, and the weaker ones have limited funds or lack the expertise to address all their needs. But typically there's one common trait shared among all of them, and that is a genuine desire to have everything in place when the examiners arrive.

So, you can imagine how surprised I am when I encounter the occasional institution that isn't primarily concerned with what the examiners think. They have their own idea about what they need to be doing and would rather defend their position than acquiesce and join the majority. In some instances, I can see their logic (of course I can, I'm not so old as to forget the ways of my youth) and want to tell them they're right and should stay the course. But then I snap out of it and remember that there are better ways to achieve such goals (e.g. risk assessments, proper documentation, etc.), which would allow the examiners to understand their decisions and associated activities. If you can provide a credible, well-documented argument why something does or doesn't make sense to the examiners, they'll consider your position. While this would require additional effort, it would also eliminate the need for the extended debate (and occasional Document of Resolution/Memorandum of Understanding). Or as my father would say succinctly, "It would've taken less time to do what you were supposed to than it did to try and avoid it".

With growing concerns regarding the health of our financial institutions (see "New Bank Failures: Heat is on Leaders to Address Consumer Confidence"), this is a good time to strengthen your compliance posture where applicable. These regulatory frameworks and systems are proving themselves effective and will very likely help us successfully navigate through these difficult and uncertain times.



About the Author

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.



