As I write this column, the House Financial Services Committee is holding a hearing to discuss Congress’ options for the development of new rules to govern the U.S. financial sector. Treasury Secretary Henry Paulson has just publicly remarked that it will be several months before the country begins to feel relief from the recently passed $700 billion financial rescue package and that another stimulus package may be needed. So I think I’m pretty safe in saying that as this article goes to print, the U.S. economy remains in a slump, and the financial sector globally is looking at increased regulatory requirements.
But what should the sector expect? And what might it mean for the security professionals who protect its businesses?
Richard A. Lefler, former CSO for American Express and emeritus faculty member of the Security Executive Council, believes we will see an increased demand for investigative programs within financial services companies as a result of emerging regulatory issues, which are likely to be focused on risk and fraud. According to Lefler, the failure of “trusted relationships” in the financial services industry should lead toward the following four potential impacts of emerging legislation:
“Financial services companies may need to expand their idea of ‘know your customer,’” Lefler says. The “know your customer” concept has previously been focused on uncovering and preventing money-laundering, but it will likely be expanded under new regulation to include documented due diligence in “knowing” customers whose firms are being loaned large sums of money. This will typically require security to partner with compliance and business units to develop team solutions.
“We may see an increased focus on regulatory due diligence for third-party relationships,” Lefler says. “One problem that contributed to the mortgage crisis was that mortgage initiation partners were not being fully vetted regarding how they were conducting business. Regulation may require closer examination of such third-party vendors, including who owns them and what the company background is.”
“We will probably see increased reporting requirements for questionable risks or suspected fraud,” Lefler continues. The financial services industry already has a good number of reporting requirements to various regulators, but, says Lefler, “we should expect increased regulations regarding suspect risk or fraud reporting, which falls more within traditional security programs.”
“It’s likely that the government will increase requirements relative to due diligence on the senior executives being hired by financial services companies,” Lefler concludes. Previously, companies worked to verify that candidates actually worked at positions they claimed to have held, but there will likely be an expansion of due diligence to larger numbers of senior managers to identify failure or inability to manage risks and fraud exposures in their past employment.
All these potential regulatory impacts would increase the load on security investigations — and increased workload probably means increased cost. But the economic downturn that has triggered the Congressional focus on new regulation has also left many financial services companies with fewer resources to go around, meaning budget cuts for business units including security are on the horizon or already underway. How can financial services companies balance an increased demand for investigative services with decreased funding?
Lefler recommends that all security directors in financial services begin working now to prioritize their security programs. “If protecting employees and facilities with physical security was previously your first priority,” he says, “you need to recognize that investigations may now have to move up to that #1 spot, which will impact how you allocate your budget dollars. The hard part is, you have to sustain budget reductions while managing your change of priorities within this reduced budget framework. It’s hard enough to take a 15-percent budget cut, but you’ll have to take a 15-percent budget cut while reprioritizing your functions to ensure you’re giving more support to investigations with the reduced budget you now have.”
In fact, security directors in all types of businesses will likely be looking at smaller budgets for the coming year, and so will their executives and managers. This brings up another issue that applies to companies and security professionals across the board, says Bob Hayes, managing director of the Security Executive Council. “In times of economic downturn, managers and employees are facing great financial pressure, both professionally and personally,” he says. “People who are inclined to act inappropriately by cutting corners or committing fraud will be more likely to do so to reduce cost in a tough economic environment, even if they’re in a highly regulated market. Security directors should expect more hotline calls and allegations of inappropriate behavior, as well as more unscrupulous managers attempting to avoid reporting infractions or complying with regulations because of cost. Security professionals must be particularly diligent in this time of economic turmoil to ensure that their companies stay compliant.”
Marleah Blades is senior editor for the Security Executive Council, where her responsibilities include writing and editing the council’s industry articles, columns, and communications. Prior to joining the Security Executive Council she served for six years as managing editor of Security Technology & Design magazine. The Security Executive Council is a member organization for senior security and risk executives from corporations and government agencies responsible for corporate and/or IT security programs. In partnership with its research arm, the Security Leadership Research Institute, the Council is dedicated to developing tools that help lower the cost of members’ programs, making program development more efficient and establishing security as a recognized value center. For more information and inquiries on membership requirements, visit www.securityexecutivecouncil.com/?sourceCode=std.