Financial Institutions have for years been required to have an annual audit done for many areas of the bank.  Wouldn’t it be nice to get away from the peaks and valleys of annual audits and examinations and transition to having a means of conducting continuous reviews?  

Here at the The Garland Group, we have had a lot of discussions recently about this topic for annual technology audits, and we believe we can move down that path for the future.  We all agree it will take technology and a cultural change at the institution to really make this work.  We also agree that if financial institutions don’t find ways to improve compliance processes, their labor and/or outside audit costs will continue to rise.

The first step to transitioning to a continuous compliance model for any area of the institution will require a shift in mindset (aka education) from doing reviews once a year to finding ways to do them on a set schedule.  The institution will need to really think out the use of their risk assessment and use that process to set alerts for things that need to be reviewed.  Obviously, your internal and/or external auditors will need to be in the loop to help decide on the schedule, and will need to perform some or all of the reviews themselves.  This new risk assessment methodology combined with a strict audit scope will force compliance, or it will automatically report to the audit committee that it was not done.  This allows your experts to focus on areas of highest risk and maybe even perform reviews of those areas on a more frequent basis. 

A good example of this is user profile reviews on your core system. We ALWAYS review this during our annual review, but normally provide a recommendation to review them at least semi-annually for a small institution and a quarterly reveiw for a larger institution.  What if we had this scope set up on a continuous compliance model?  An alert is sent to someone to run the user report and have it placed in an area where another  independent person could review it and provide recommendations based on current data.

I think we should all begin thinking about how we can make the transition to “Continuous Compliance.”

Here is a combination of Internet Banking text that sums up the controls and security of e-banking. 

Control and security are critical elements in offering Internet banking services to bank customers. Internet banking systems require effective and reliable controls to maintain data integrity, ensure customer privacy, and protect the banks computer and telecommunications systems from unauthorized intrusions, misuse, or fraud. Risk management controls for Internet banking should be incorporated in the overall bank security program. A banks security program should provide “end-to-end” security controls for critical data and critical facilities. Management of the internet banking system should ensure that periodic security risk assessments are conducted to identify internal and external threats that may undermine data integrity, interfere with service, or result in the destruction of information. Threat and vulnerability assessment findings assist management with decisions regarding the types and configuration of security controls. Threats may come from criminal enterprises, hackers, or disgruntled or unethical employees. Careless or improperly trained staff or users of Internet banking systems also can pose security risks. Computer viruses may corrupt data or cause systems to fail. Controls should be implemented to maintain data integrity and to promote privacy and confidentiality. An independent source should be required to review and test the controls in place to ensure their compliance/effectiveness. 

E-banking text may adjust according to the type of environment you are running (outsource/in-house). Proper controls and security will help ensure the protection of both bank and customer.

We live in Angel Fire, New Mexico most of the year, a small resort town of about 2000 in off-season, which mushrooms to 10,000 at peak season. It’s a small community with a handful of banks and retail shops and a few good restaurants. We have become active in several community groups, and I noticed recently while making arrangements for another group meeting, that there is ONE place in town that is used over and over again for meetings by EVERYONE in town — the community room at the local Bank of America branch. In talking with one of the branch managers, they are well aware of the fact that this alone brings in MANY new customers for them, because of the proximity and people walking in their doors for meetings. The cost of adding this extra room has been paid for by the new business and community awareness of their branch and brand. So this set me to thinking about banks and how they can and SHOULD become a part of the community, which pays off in lots of ways. Community relationships must be a major part of any marketing plan for banks wanting to conserve advertising dollars, and yet get their name recognition boosted and out there so people will recognize it.

Community relations is the art of becoming an insider in the community. This requires three important stepping stones:
* dialogue – establishing two-way communication.
* integrity – being what you say you are.
* credibility – you are believable and believed.

It is worth noting that the words community and communications have the same Latin root – communitas – meaning shared. Community relations is the practice of communicating with the community to establish and maintain mutually good relationships. Good community relations is about being a good corporate citizen. A good neighbor. A wise neighbor. And most banks know this. Most banks even designate a specific employee to oversee their relationship with their community.

SOME IDEAS FOR COMMUNITY ENGAGEMENT:
• Community Rooms offering meeting free meeting space for community groups and organizations.
• Braille bank statements made available for visually-handicapped people.
• Free space and publicity provided for weekend farmers’ markets, school car washes, garage sales and flea markets.
• Employees should be encouraged to engage in volunteer community work and join local non-profit organizations in an effort to get to know their membership and participate in their local activities and events.
• Sponsor local events to maximize name recognition by signage, program listings, etc.
• Join local school booster clubs and set aside budgeted amounts for yearly donations, etc.
• Offer regular free blood pressure checks and hearing tests at branches.
• Offer informational meetings for community members in areas of interest to them — for example, identity theft issues for senior adults.
• Put all the local business people and Chamber of Commerce members on permanent subscriptions to their newsletters and by doing this they can increase the exposure to their efforts.

Community relations works best where the organization identifies itself with the broader community and sees itself as part of that community. To aspire to be part of a community is to aspire to be recognized by it and invited to join it. The primary goal of community relations is to gain understanding and support for what you are doing – so maintaining and improving your position in the marketplace, your closeness to customers and your freedom to operate.

Effective community relations can provide substantial rewards in terms of:
* creating excellent marketing opportunities.
* providing a reservoir of good will for the future.
* reinforcing relationships with employees.
* building a leadership position for an organization.

Local Community Banks must support the community that supports them and remain a strong partner in economic redevelopment and down town revitalization, as well as help up and coming entrepreneurs and business people. If the bank can do this then they are well on their way to becoming successful in their area. Public relations for a local community bank are paramount if the bank is to grow in size. Failure to participate in the community at this level will cause a slower growth rates and the local community bank will be overtaken in the marketplace by larger banks with bigger marketing budgets, more advertising and a free guess for opening new accounts.

Whether the bank is located in a small or large community, I believe these are valid points that will result in the bank truly becoming an integral part of their community.

This blog is brought to you by Tamiflu.

In one way, I’m glad America overreacts to things like the Swine Flu. For example, Obama led off his speech about his first 100 days with telling Americans to cover their mouths when they cough and to wash their hands frequently. This one instruction alone didn’t prevent a mass outbreak, but it did make me use another extra squeeze of soap in the bath room at my favorite local deli where I eat pork sandwiches. And since when is being extra clean a bad thing?

I can make the same comparisons about information security. Do financial institutions really need a 15 page incident response plan? No, but they will be glad they have it when some kid in Russia sends out a lame phishing scam to try to get debit card PIN’s via text message (this has actually happened to several of our clients.) So, do we need to shut down school districts and all UIL events for weeks? I say, better safe than sorry and it still makes everyone feel safe, which is very important. And look, no one got sick!

Do you need quarterly Penetration Tests to go along with your 365 and 24 by 7 Intrusion Detection? Probably not, but better safe than sorry right? Just ask your examiners. Just look at the increased TSA measures since 9/11. If someone really wants to terrorize an airport, they will find a way to do it, but just knowing that they are there makes you feel better and the bad guys think twice about carrying nitroglycerin in their water bottles.
I think some overreactions help us more than hurt us and make us feel all warm and fuzzy on the inside. Yeah, you have to hear about the Swine Flu on every media outlet possible, but you should also be glad you don’t have it, because of all the protections put in place because of overreaction.

Finally, why won’t the Mavs get rid of Dirk…he only averages 30 points and 10 rebounds per playoff game. GEEZ!