Effectively Analysing Information Retention as a Business Risk and Taking the Necessary Steps to Mitigate this Risk Michael Spadea Head of Privacy, Barclays Wealth 30 September 2009 [email protected]

Records Management and ediscovery as Risk

Page 1: Records Management and ediscovery as Risk

Effectively Analysing Information Retention as a Business Risk and Taking the Necessary Steps to Mitigate this Risk

Michael Spadea

Head of Privacy, Barclays Wealth

30 September 2009

[email protected]

Page 2: Records Management and ediscovery as Risk

2

Disclaimer (otherwise known as the exciting stuff)

The statements and contents of this presentation are my own and do not necessarily represent Barclays Wealth’s positions, strategies or opinions.

Absent rules from the conference organisers to the contrary, you may quote or reproduce these slides with appropriate citation.

Barclays Wealth is the wealth management division of Barclays and operates through Barclays Bank PLC and its subsidiaries. Barclays Bank PLC. is registered in England and authorised by the Financial Services Authority (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.

The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions.

No part of this presentation constitutes legal or tax advice.

Page 3: Records Management and ediscovery as Risk

3

Issues

Ensuring compliance with external regulations and internal policies.
Key Takeaway Point 1: Know the standards you are held to, where you are in relation to those standards, and what you need to do to get there.

Potential business risks and the strategies to help overcome these risks.
Key Takeaway Point 2: If you can’t measure it, you can’t manage it.

Risk vs. Cost: What is the best strategy for your business?
Key Takeaway Point 3: Point 1 must be BAU.

Page 4: Records Management and ediscovery as Risk

4

I think you just stepped in . . .

Privacy:
  All our customers are suppressed!
  What a great opportunity! We’ll market therapists and take a cut!
  Giant bags of customer personal information! Let’s share!

Records Management:
  They said we did what?
  What is an AUSASDNY?
  What’s a litigation hold?
  They want what?
  Does anyone know where it is?
  How much?!?!?!
  Don’t delete anything!!!

Page 5: Records Management and ediscovery as Risk

5

Stating the Obvious: Ensuring compliance is not easy

Thousands of employees.

Variety of business lines.

Huge volumes.

International presence.

Significant IT and process change programmes running continually.

Increasing dependencies on third parties.

Page 6: Records Management and ediscovery as Risk

6

Let’s Run a Programme! All we need is:

Senior management support.

Funding.

Clear understanding of what you want to achieve as your BUSINESS AS USUAL end result.

Clear definition of the baseline requirements for your organisation which comprehensively covers the legal/regulatory obligations and is usable by the business.

Make sure you have the right people with the right skills.

Stakeholder involvement & pilots.

Divide into manageable segments & a flexible approach.

Page 7: Records Management and ediscovery as Risk

7

What are your risks? Prioritise.

Detail is important: What are your risks? Some factors:
  Types of data.
  Volumes of data.
  Geography.
  Internal or external.

Segment the programme and business to pinpoint accountability.

Tools:
  Data capture sheets.
  Questionnaires - for the business and for vendors.
  Questions mapped to local legal requirements, mapped to the baseline.
  Gap analysis with actions, owners and dates.

Captures everything - ongoing risks and one-off fixes.

Page 8: Records Management and ediscovery as Risk

8

Data Capture Sheet

Columns: Data Stream (Team); Sub-Data Stream (Streams within the Team); Reference Number; Brief description; Data Capture Questions.

Example Data Stream: IT Organisation and Management.

Data Capture Questions:
  Is data collected at this point or used?
  Corporate confidential data?
  Personal Data?
  Sensitive Personal Data?
  Employee data?
  Collected from or available on the Internet?
  Collected from or available on the intranet?
  Data used for marketing?
  Transferred or accessed in another country?
  Data transferred or accessible by a third party?
  Name of third party
  Do you have any data that requires special consideration?
  Approximate volumes
  Where is data received from?
  Where is data sent?
  Which jurisdiction is data stored in?
  What format?
  Name of system
  Business contact name
  Technology contact name
  Captured by CCTV?

Page 9: Records Management and ediscovery as Risk

9

Privacy Questionnaire

Columns: Baseline; Baseline Requirement; Equivalent Local Law; Brief Description of Local Law; Questions.

Row 1
  Baseline: UK DPA \ Principle 1; UK DPA \ Principle 2; UK DPA \ Schedule 2; Dir 95/46/EC \ Article 6.1a; Dir 95/46/EC \ Article 6.1b; Dir 95/46/EC \ Article 7.
  Baseline Requirement: For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7).
  Equivalent Local Law: HKDPO Principle 1 (ver 1).
  Brief Description of Local Law: Personal data shall not be collected unless: (a) the data are collected for a lawful purpose directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data is not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair.
  Questions: (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject?

Row 2
  Baseline: UK DPA \ Principle 1; UK DPA \ Principle 2; UK DPA \ Schedule 3; Dir 95/46/EC \ Article 6.1a; Dir 95/46/EC \ Article 6.1b; Dir 95/46/EC \ Article 8.
  Baseline Requirement: If sensitive personal data is processed, further conditions must be met, for example obtaining explicit consent for the processing. In the UK a Data Protection Act Schedule 2 and 3 condition is required to process sensitive personal data (Dir 95/46 EC Article 8).
  Equivalent Local Law: N/A.
  Brief Description of Local Law: Under the HKPO there is no separate concept of "Sensitive Personal Data".
  Questions: (-) Are you processing sensitive personal data? Defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Page 10: Records Management and ediscovery as Risk

10

US One-Page Summary RR Schedule (Note: Disposal Hold Override**)

Columns: “Bucket”; Description; Examples; Default *; Exceptions to default *.

Customer
  Description: Client relationships, accounts, finances; published marketing/sales/research.
  Examples: Accounts, statements, securities held, correspondence, proof of customer identification, signature cards, agreements to deal/execute, safe custody assets, money laundering reports/tests/evidence, prospectuses, investment offerings.
  Default: t (client relationship ends) + 6
  Exceptions to default: 5 (client correspondence; marketing, advertising, sales material; MSRB offerings/disclosures; proxy solicitations; pitch books, road show materials, client presentations); t + 5 (acct guarantees; KYC/OFAC records; investment advisory client records; CFTC-related records; client securities w/ BarCap voting rights; client subscription/redemption records); Perm (published research).

Electronic Communication
  Description: All.
  Examples: Email, IMs, Blackberry messages.
  Default: 3
  Exceptions to default: 5 (CFTC-related communications). [NOTE – 3 & 5 years are minimum periods and apply where an electronic comm isn’t within any of the other buckets or applicable disposal holds/litigation overrides.]

Transaction
  Description: Transactions of the firm and clients.
  Examples: Orders, tickets, order tracking, order audit trail systems, price/volume data, execution, offers, allocations, aggregations, confirms, settlement, reconciliation, counterparties, collateral, broker commissions, trade blotters, ledgers, securities lending/borrowing.
  Default: c (payment obligation ends) + 3 (5 yr min.)
  Exceptions to default: 1 (margin calls, margin payments); c + 5 (customer confirms, CFTC transactions, securities/funds borrowed/loaned, funds transfers, bank activity transactions, security futures/index products, clearing agency records, options & options granted/guaranteed records); 6 (order tickets); c + 6 (trade/settlement blotters, securities positions ledgers, municipal securities).

Accounting / Tax
  Description: Finances of the firm.
  Examples: Annual/quarterly reports, balance sheets, P&L, cash flow statements, risk reports/models, general ledgers/supporting ledgers and ledger entries (debits, credits, etc.), A/P, A/R, purchase orders, invoices, taxes, audited financial statements.
  Default: c (financial year end) + 6
  Exceptions to default: 7 (Sarbanes-Oxley ‘samples’ selected for testing by auditors (to be held by Internal Audit on behalf of the firm); Sarbanes-Oxley financial attestations).

Employee
  Description: All records re staff, consultants, temps, contractors as individuals.
  Examples: Job applications, drug tests, fingerprints, work authorizations, background checks, licenses/reviews/examinations, personal dealing, wages/salary, payroll, promotions, job performance, benefits, pensions, injuries/accidents, health & safety.
  Default: t (last day on payroll) + 4
  Exceptions to default: 5 (personal trading records, futures-introducing brokers); 6 (lists of: principals responsible for compliance/who can explain record types, MSRB records, benefit plan records); 18 (accident and injury reports); 30 (OSHA-related records); Perm (exemptions from fingerprint requirements, employee pension/benefits-required documentation).

Corporate Entity
  Description: Corporate records of the firm as a business entity.
  Examples: Company Secretarial – certificate of incorporation/charter; titles; deeds; board of directors/shareholder records; stock certificates. Other – contracts, agreements, internal/external audit, policies and procedures, real/personal property, intellectual property, IT designs/source code, process flows/user documentation, application/software licenses.
  Default: Corp Secretarial – Permanent; Other – c (agreement end) + 6
  Exceptions to default: c + 3 (internal audit working papers; compliance manuals); 3 (records evidencing internal controls – e.g. SOX, intersystem recs, snr mgmt MIS, other Audit related); t + 3 (non-RR policies/procedures); Perm (records articles of incorp’n, stock books, Forms BD, records re securities kept in custody, documentation on how to access indices and records).

Legal / Regulatory
  Description: Required reports to regulators, all regulatory inquiries, legal actions.
  Examples: Submitted to regulators in the ordinary course or in response to legal/regulatory inquiry, investigation, external audit, complaints, lawsuits, subpoenas, hearings.
  Default: t (end of litigation/dispute/regulatory inquiry) + 3
  Exceptions to default: 1 ½ (surveillance & activity exception rpts); 5 (rpts re accts firm owns at foreign institutions, FOCUS Parts II / IIA, CFTC, SARS, Customs/Treasury/IRS (currency transactions > $10,000)); c + 6 (customer complaints); Perm (employee charges re discrimination).

Definition of “c” & “t”: The above descriptions of “c” & “t” are not fixed; they are the most common references. More examples below:
  ‘c’ – period of time ‘c’ until an event closes (e.g., transaction completes, contract/agreement ends) such that an auto-destruct date can be assigned today (known end date).
  ‘t’ – period of time ‘t’ until a relationship/event terminates (e.g., employee leaves, customer ends relationship) such that an auto-destruct date cannot be assigned today (unknown end date).
  ‘Curr’ – keep as long as record remains current.
  ‘Perm’ – keep record permanently.

* All figures denote number of years unless otherwise stated.
** Relevant records must be preserved throughout an applicable Disposal Hold independent of any prescribed retention period stated here.

Paper vs. Electronic - Where a complete set of Business Records is retained in paper and electronic version, it is recommended to designate the electronic version as the official if legally possible. Refer to the FAQ’s at the Records Retention homepage at http://rrhome

NOTE: This is the default Records Retention Schedule and does not apply in cases where there is a litigation disposal hold or other disposal hold.

Revised – Nov 08
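The ‘c’ / ‘t’ / ‘Curr’ / ‘Perm’ conventions and the disposal-hold override above form a small rule set that a records system has to evaluate consistently for every record. The Python below is an added illustration, not the presentation's or Barclays' own tooling: it parses the schedule shorthand, refuses to assign an auto-destruct date for a ‘t’ rule until the termination event has actually been recorded, applies the “(5 yr min.)” floor on the Transaction bucket, and lets a disposal hold override any computed date. The SCHEDULE defaults are transcribed from the one-page summary; the assumption that a minimum period is counted from the record's creation date is mine (the slide does not say), and the record dates and hold flags are constructed sample inputs.

```python
"""Evaluate retention-schedule rules of the form 'c + N', 't + N', 'N', 'Perm', 'Curr'.

Added illustration; not the presentation's or Barclays' own tooling.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Rule:
    # kind: "fixed" (N years from record date), "c" (N years after a closing event
    # with a known date), "t" (N years after a termination event whose date may be
    # unknown today), "perm" (keep forever) or "curr" (keep while current).
    kind: str
    years: int = 0
    min_years: int = 0  # e.g. Transaction default "c + 3 (5 yr min.)"


@dataclass(frozen=True)
class Decision:
    dispose_on: Optional[date]  # earliest permitted destruction date, if one can be set today
    reason: str


_RULE_RE = re.compile(r"^(?:([ct])\s*\+\s*)?(\d+)$")


def parse_rule(text: str, min_years: int = 0) -> Rule:
    """Parse the schedule shorthand used on the slide: 'Perm', 'Curr', '3', 'c + 6', 't + 4'."""
    word = text.strip().lower()
    if word == "perm":
        return Rule("perm")
    if word == "curr":
        return Rule("curr")
    m = _RULE_RE.match(word)
    if not m:
        raise ValueError(f"unrecognised retention rule: {text!r}")
    return Rule(m.group(1) or "fixed", int(m.group(2)), min_years)


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_decision(rule: Rule, created: date, event: Optional[date] = None,
                      on_hold: bool = False) -> Decision:
    """Apply one rule to one record. A disposal hold always wins over the schedule."""
    if on_hold:
        return Decision(None, "disposal hold in force: preserve regardless of schedule")
    if rule.kind == "perm":
        return Decision(None, "permanent retention")
    if rule.kind == "curr":
        return Decision(None, "retain while the record remains current")
    if rule.kind == "fixed":
        return Decision(add_years(created, rule.years), f"{rule.years} years from record date")
    if event is None:
        if rule.kind == "c":
            return Decision(None, "'c' rule: closing event date must be supplied")
        return Decision(None, "'t' rule: termination event not yet recorded, no auto-destruct date")
    candidate = add_years(event, rule.years)
    # Assumed: a "(N yr min.)" floor is counted from the record's creation date.
    floor = add_years(created, rule.min_years) if rule.min_years else candidate
    note = f", subject to {rule.min_years} yr minimum" if rule.min_years else ""
    return Decision(max(candidate, floor), f"{rule.kind} + {rule.years} from {event.isoformat()}{note}")


def is_disposable(decision: Decision, today: date) -> bool:
    """True only when a date was assignable and has passed; holds and 'Perm' never qualify."""
    return decision.dispose_on is not None and today >= decision.dispose_on


# Bucket defaults transcribed from the one-page summary schedule on the slide.
SCHEDULE = {
    "Customer": parse_rule("t + 6"),
    "Electronic Communication": parse_rule("3"),
    "Transaction": parse_rule("c + 3", min_years=5),
    "Accounting / Tax": parse_rule("c + 6"),
    "Employee": parse_rule("t + 4"),
    "Corporate Entity (Corp Secretarial)": parse_rule("Perm"),
    "Corporate Entity (Other)": parse_rule("c + 6"),
    "Legal / Regulatory": parse_rule("t + 3"),
}


if __name__ == "__main__":
    # Constructed sample records: (bucket, created, event date or None, on disposal hold?)
    samples = [
        ("Electronic Communication", date(2008, 2, 29), None, False),
        ("Customer", date(2009, 9, 30), None, False),                # relationship still open
        ("Customer", date(2009, 9, 30), date(2010, 1, 15), False),   # relationship ended
        ("Transaction", date(2009, 1, 1), date(2009, 6, 1), False),  # 5 yr floor beats c + 3
        ("Accounting / Tax", date(2009, 3, 31), date(2009, 3, 31), True),  # on hold
    ]
    for bucket, created, event, hold in samples:
        d = disposal_decision(SCHEDULE[bucket], created, event, hold)
        print(f"{bucket:26} -> {d.dispose_on} ({d.reason})")
```

The point of returning a `Decision` with a reason rather than a bare date is auditability: when a destruction job is challenged, the record of why a date was (or was not) assigned is the evidence that the schedule, the unknown-end-date rule and the hold override were all honoured.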

Page 11: Records Management and ediscovery as Risk

11

BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU

Operating model - Don’t get hung up on the detail. Think buckets.

Country retention schedules.

Records Retention and Privacy Policies.

RMCs / DPCs: each jurisdiction and/or each business. Barclays: UK - one in each business line; outside the UK - one in each jurisdiction.

Incident Management Policy: escalation criteria, communications plan; Incident Management Committee for the big ones (Legal, PR, Compliance, HR, IT Security, Risk).

Litigation hold committee (technology, risk, accountable executive, internal and external counsel).

Annually refresh: legal requirements, policy, Risk and Control Assessments (we will visit this soon) - risk-based approach. MI.

Retention schedule for each jurisdiction. Push out to each business line and jurisdiction through the RMCs. Train your RMCs and DPCs so they are the front line for the basic queries.

Training and Awareness - all staff get the basics (tie into your gaps, key themes).

Page 12: Records Management and ediscovery as Risk

12

Risks (our risks may not be your risks)

Some Privacy Risks:

• Failure to inform individuals about the collection and use of their information.

• Privacy registration requirements are not complied with.

• Failure to have a lawful basis for processing personal information.

• Privacy is not incorporated into the expansion into new markets and jurisdictions or the acquisition of new entities.

• Personal information transferred to and processed by vendors is not adequately protected.

• The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.

• Responsibilities and accountabilities for the management of privacy are not appropriately defined, agreed, or implemented.

• Incidents, including those originating with third party suppliers, are not effectively identified and reported or managed and resolved in a manner that protects both the individual and Wealth.

Some Records Management Risks:

• Non-implementation of internal controls around Records Management leads to non-compliance with Group Policy.

• A lack of appropriate management oversight may cause Business-Unit non-compliance with regulations and policies, leading to a regulatory impact for Wealth.

• A lack of internal controls may cause Business Unit non-compliance with regulations, policies, standards and relevant attestations, leading to a regulatory impact for Wealth.

• Retention periods are not known or communicated to the business, resulting in fines or reputational damage.

• Failure to categorise records appropriately may lead to non-compliance with Wealth/Group standards, resulting in regulatory fines.

• Failure to index or store records may lead to non-retrievability of Wealth records, which may result in regulatory fines.

• Failure to complete adequate MI and reporting results in management being misinformed about current records management issues, leading to regulatory or reputational exposures.

Page 13: Records Management and ediscovery as Risk

13

Controls (what works for us may not work for you)

Some Privacy Controls:

• The privacy SME approves the collection and use of personal information of staff, customers and 3rd parties (e.g., shareholders, prospects).

• Individuals receive an up-to-date privacy notice that includes full disclosure of how personal information is processed, including cross-border transfers and disclosures to third parties.

• Material changes in the processing of personal information (including that of vendors) are captured and approved by the relevant SME.

• Information and process owners ensure the minimal amount of personal information is processed (e.g., collected, stored, disclosed) by having privacy SME sign-off.

• Compliance with local records retention policies is maintained, and the need to retain each category of personal information is confirmed as necessary.

• A business process exists to receive, capture and action marketing suppression requests onto local suppression lists.

• RCAs are embedded in the day-to-day risk management process of the business and act as a management self-assessment tool to proactively identify and address key control issues.

Some Records Management Controls:

• Accountable Executive responsible for Records Management is in line with Group requirements.

• Appropriate senior stakeholder forum across all key Wealth business lines (UKPB, IPB, Stockbrokers and Direct, BWI and WI, Wealth Advisory and IPO) is in place to address and progress Records Management issues.

• Methodology for Records Management contains key roles and responsibilities for all stakeholders.

• Records Management Policy aligned with Group Records Management Policy is in place and is updated annually.

• Attestation process is in place for the Records Management Policy.

• Attestation is completed by key Wealth staff annually and reviewed by Compliance for completeness.

• A refresh process exists for the key policy and guidance available for Records Management.

• A destruction policy and process has been developed and exists for Wealth. An annual refresh is completed for policy documents.

• Adherence to disposal holds can be evidenced to IRM.

Page 14: Records Management and ediscovery as Risk

14

Putting it together

Columns: (Principle) Risk; Control; Risk Owner (Local v. Central); Overall Risk RAG Rating; Evidence; Remediation Actions; Remediation RAG Rating.

Row 1
  Risk: The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.
  Control: Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively.
  Risk Owner: Boba Fett
  Overall Risk RAG Rating: Amber
  Evidence / Remediation Actions (Remediation RAG Rating): Identify area of testing (Green); Develop and implement (Green); Analyse results (Amber); Remediation plan (Red).

Row 2
  Control: MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk.
  Risk Owner: The Emperor
  Overall Risk RAG Rating: Green
  Evidence / Remediation Actions (Remediation RAG Rating): Obtain (Green); Use Jedi mind trick (Amber); Receive update (Green); Execute under-performers (Green).

Row 3
  Control: RCAs are embedded in the day-to-day risk management process of the business and act as a management self-assessment tool to proactively identify and address key control issues.
  Risk Owner: Darth Vader
  Overall Risk RAG Rating: Amber
  Evidence / Remediation Actions (Remediation RAG Rating): Inspect the stormtroopers (Amber); Check they are using the RCA to inspire fear (Amber); Validate results with the locals (Amber).

Page 15: Records Management and ediscovery as Risk

15

Dashboard mock-up

Not Real Data

Page 16: Records Management and ediscovery as Risk

16

Focus: Records Management – June 2009 (Not Real Data)

Cumulative Achievements
  Records Management audit report issued in draft with a Satisfactory Rating for Wealth and 2 Medium audit points.
  Phase one of the RM/DP Assessment/Remediation project now complete, with all high risk teams’ action plans QA’d and remediation underway with the assistance of project staff.
  Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June.
  IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies.
  BAU schedule for RM management activities in place.
  Management of RM/DP project actions integrated with existing CSA action management system.

Current State / Residual Risk Commentary
  1,217 Current State Assessment actions were given a default due date of end Apr 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates.
  Activities to date have reduced the overdue actions, with further focus being applied in July.
  RM/DP Remediation actions are increasing as the project team complete team reviews - expectation is for a high volume of identified actions as the project progresses.

Exception Commentary

Major Activities next month
  Improved BU team refresh process to be proposed and implemented if agreed.
  Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address.
  Refresh Retention Schedules in conjunction with Group and Legal.
  Launch phase two of the assessment programme, beginning with Jersey and Guernsey.

Risks Identified to Date
  RM SME resource departed mid June.
  Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource.

Not Real Data

Page 17: Records Management and ediscovery as Risk

17

Lessons we have learned

There is a global shortage of privacy/records management professionals, so the approach had to work with project managers and business analysts without a technical privacy/records management background.

Quality assurance of the output is vital and should be integral to the process.

Training should be little and often.

Link in with key stakeholders, e.g., internal audit, compliance, IT, internal comms, financial crime, etc.

Awareness & training is a long-term exercise and cannot be fixed overnight.

Too much detail on some of the question sets.

Pages 18 to 21: Records Management and ediscovery as Risk

Awareness Material (slides 18 to 21; image content not reproduced)

Page 22: Records Management and ediscovery as Risk

22

The big SECRETS are . . .

Prevention is cheaper. Thinking ahead is cheaper. You are going to get into trouble - no matter what.

The trick is to spread out the incidents and make them less severe and less costly.

We are interested in sharing the privacy approach with other financial organisations.

Page 23: Records Management and ediscovery as Risk

23

It works!

Barclays won the 2009 IAPP Award for Privacy Innovation by a large organisation (toot toot)!

We’ve been hit with our second major litigation hold . . . and we know where all the data is!!!

Data viewed as an asset.

Significant increase in:
  Compliance;
  Engagement of the privacy and records management SMEs at early project stages;
  Employee and vendor awareness; and
  Number of breaches reported.

Measuring compliance and awareness. Inventory of processing and data. Identification and remediation of supplier contract and processing gaps. Reduction of reputation and fines risks. Improved regulatory relationships. Change in culture. Global Operating Models.

Page 24: Records Management and ediscovery as Risk

24

BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU BAU Yes, it’s that important that I needed to mention it again.

Page 25: Records Management and ediscovery as Risk

25

The End

Michael Spadea
Barclays Wealth
1 Churchill Place
London, E14 5HP

[email protected]

(Email me for a copy of this presentation and a sample questionnaire.)