Compliance Scorecard: Banking & Financial Regulations

The financial industry is one of the United States' most regulated sectors. Risk issues in this industry can easily impact the livelihoods of thousands if not millions of people, as corporate ethics scandals and our current economic recession have clearly shown. The federal government has set forth number of well-recognized rules intending to better secure this high-profile sector.

Bank Protection Act of 1968

The Bank Protection Act placed minimum security guidelines on banks "to discourage robberies, burglaries and larcenies and to assist in the identification and apprehension of persons who commit such acts." It designated four Federal supervisory agencies - the Comptroller of the Currency; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; and the Director of the Office of Thrift Supervision - to promulgate minimum security standards for the banks or S&Ls they regulate.

Financial Modernization Act of 1999

Also called the Gramm-Leach-Bliley Act or GLB Act, this act includes provisions to protect consumers' personal financial information held by financial institutions. The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information; the Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information; and the Pretexting Provisions protect consumers from companies that obtain their personal financial information under false pretenses. GLB gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule, which apply not only to banks, securities firms, and insurance companies, but also companies providing other types of financial products and services.

The Currency and Foreign Transactions Reporting Act

Otherwise known as the Bank Secrecy Act (BSA) or Anti-Money Laundering Act, this law passed in 1970 and amended by the Patriot Act requires financial institutions to assist government agencies in detecting and preventing money laundering. It requires financial institutions to keep records of cash purchases of negotiable instruments, to file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion or other criminal activities.

Regulation H

Regulation H implements those portions of the Federal Reserve Act that affect state member banks. The Federal Reserve amended Regulation H as part of a broad effort to "risk-focus" the supervisory process and to reduce the regulatory burden on well-run banks. Among other things, Regulation H sets out requirements concerning bank security procedures, suspicious-activity reports, and compliance with the Bank Secrecy Act; and establishes rules governing banks' ownership or control of financial subsidiaries.

Guidance on Authentication in Internet Banking Environment

From the Federal Financial Institutions Examination Council, this updated guidance replaces the 2001 Guidance and specifically addresses why financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services. Its goals are to safeguard customer information; to prevent money laundering and terrorist financing; to reduce fraud and the theft of sensitive customer information; and to promote legal enforceability of financial institutions' electronic agreements and transactions.

Final Rule on Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003

Also known as the Red Flag Rule, this set of regulations requires financial institutions and creditors to develop, implement and regularly update a written identity theft prevention program that will recognize indicators (Red Flags) of possible identity theft attempts in connection with covered accounts and work to prevent and mitigate the risk of such attacks. Each covered organization is responsible for coming up with its own list of Red Flags.

Payment Card Industry (PCI) Data Security Standards

The PCI DSS were developed by the major credit card companies of the PCI Security Standards Council to facilitate the broad adoption of consistent payment account data security measures. They include requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Requirements include separation of duties, auditing of access to records, unique identities, conducting vulnerability scanning of Internet-facing systems, and identifying where all credit card data is located inside electronic systems.

The Security Executive Council ( is an innovative problem-solving research and services organization. We work with Tier 1 Security Leaders to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices that cannot be found anywhere else. The Council is building the fastest-growing repository of proven resources to help you manage risk. Visit our resource page on security regulation and compliance issues: