The Office of Foreign Assets Control ("OFAC") of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. OFAC acts under Presidential national emergency powers, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under US jurisdiction. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments.
The Bank Secrecy Act of 1970 (BSA, also known as the Currency and Foreign Transactions Reporting Act) requires U.S. financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, to file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an "anti-money laundering" law ("AML") or jointly as "BSA/AML". Several anti-money laundering acts, including provisions in Title III of the USA PATRIOT Act, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR 103.)
The Federal Register contains final regulations issued after the date of codification, as well as the Notices of Proposed Rulemaking.
The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The Act was meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.
FISMA has brought attention to cybersecurity within the Federal Government, which had previously been much neglected. As of February 2005, many government agencies received extremely poor marks on the official report card, with an average of 67.3% for 2004, an improvement of only 2.3 percentage points over 2003. This shows a marginal increase in how federal agencies prioritize cybersecurity, but experts warn that this average must increase for the Government to truly protect itself.
FISMA Compliance Process for an Information System
FISMA imposes a mandatory set of processes that must be followed for all information systems used or operated by a US Government federal agency or by a contractor or other organization on behalf of a US Government agency. These processes must follow a combination of Federal Information Processing standards (FIPS) documents, the special publications SP-800 series issued by NIST, and other legislation pertinent to federal information systems, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act.
Determination of Boundaries of System
The first step is determining what constitutes an "information system." There is no direct mapping of computers to information systems; rather, an information system can be a collection of individual computers put to a common purpose and managed by the same system owner. NIST SP 800-18 provides guidance on determining system boundaries.
Determination and Categorization of Information Types in System
The next step is to determine the information types resident in the system and categorize each according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system.
Select and Implement a Set of Security Controls for System
If the system in question is in the design or implementation life-cycle phase, a set of security controls must be selected and incorporated into the system implementation. NIST SP 800-53 provides a catalog of
Pertinent system information such as system boundaries, information types, constituent components, responsible individuals, description of user communities, interconnections with other systems and implementation details for each security control need to be documented in the system security plan. NIST SP 800-18 Rev 1 gives guidance on documentation standards. Additional documentation such as a contingency plan for the system also needs to be prepared at this stage. Guidance on contingency planning can be found in NIST SP 800-34.
Performing Risk Assessment
Once the control implementations are documented, a risk assessment can be performed. A risk assessment starts by identifying potential threats and vulnerabilities, and maps implemented controls to individual vulnerabilities. One then determines risk by calculating the likelihood and impact of any given vulnerability being exploited, taking into account existing controls. The culmination of the risk assessment shows the calculated risk for all vulnerabilities, and describes whether the risk is to be accepted or mitigated. If mitigated, one needs to describe what additional SP 800-53 controls will be added to the system. NIST SP 800-30 provides guidance on the risk assessment process.
Certification of System
Once the system documentation and risk assessment are complete, the system needs to have its controls assessed and certified to be functioning appropriately. For systems with a FIPS-199 categorization of Low, a self-assessment is sufficient for certification. For systems categorized at higher FIPS-199 levels, a certification performed by an independent 3rd party is required. NIST SP 800-26 provides guidance on the self-assessment process. NIST SP 800-53A provides guidance on the assessment methods applicable to individual controls.
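The categorization and certification steps described above can be worked through in code. The following is an added example, not part of the original article or of any NIST publication: it computes the high water mark across the information types in a system and derives the certification route stated above. The information types and their ratings are constructed sample data, and the function names are hypothetical.

```python
"""High water mark categorization in the style of FIPS-199 (added example)."""

# The three FIPS-199 impact levels, ordered so they can be compared.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types resident in one system boundary,
# each rated per security objective. Not taken from NIST SP 800-60.
SAMPLE_SYSTEM = {
    "public web content": {
        "confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "personnel records": {
        "confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "budget formulation": {
        "confidentiality": "low", "integrity": "low", "availability": "low"},
}


def _rank(info_type, objective, ratings):
    """Return the numeric rank of one rating, rejecting gaps and typos."""
    if objective not in ratings:
        raise ValueError(f"{info_type!r} has no {objective} rating")
    level = str(ratings[objective]).strip().lower()
    if level not in LEVELS:
        raise ValueError(
            f"{info_type!r}: unknown {objective} rating {ratings[objective]!r}")
    return LEVELS[level]


def categorize(info_types):
    """Compute per-objective and overall high water marks for a system.

    Also reports the "drivers": the (information type, objective) pairs that
    sit at the overall level, i.e. the ratings that would have to change
    for the system categorization to drop.
    """
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    ranks = {
        name: {obj: _rank(name, obj, ratings) for obj in OBJECTIVES}
        for name, ratings in info_types.items()
    }
    per_objective = {
        obj: max(r[obj] for r in ranks.values()) for obj in OBJECTIVES
    }
    overall = max(per_objective.values())
    drivers = sorted(
        (name, obj)
        for name, r in ranks.items()
        for obj in OBJECTIVES
        if r[obj] == overall
    )
    return {
        "per_objective": {o: LEVEL_NAMES[v] for o, v in per_objective.items()},
        "overall": LEVEL_NAMES[overall],
        "drivers": drivers,
    }


def certification_route(overall_level):
    """Map the overall categorization to the certification route in the text."""
    if overall_level not in LEVELS:
        raise ValueError(f"unknown level {overall_level!r}")
    if overall_level == "low":
        return "self-assessment"
    return "independent third-party certification"


if __name__ == "__main__":
    result = categorize(SAMPLE_SYSTEM)
    print(result["per_objective"])
    print("overall:", result["overall"])
    print("driven by:", result["drivers"])
    print("route:", certification_route(result["overall"]))
```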
Accreditation of System
Once a system has been certified, the security documentation package is reviewed by an accrediting official, who, if satisfied with the documentation and the results of certification, accredits the system by issuing an authorization to operate. This authorization is usually for a 3 year period, and may be contingent on additional controls or processes being implemented. NIST SP 800-37 provides guidance on the certification and accreditation of systems.
All accredited systems are required to monitor a selected set of security controls for efficacy, and the system documentation is updated to reflect changes and modifications to the system. Significant changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified. Guidance on continuous monitoring can be found in NIST SP 800-37 and SP 800-53A.
Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Federal Information Security Management Act of 2002".
ISO/IEC 27002 (formerly 17799) is an information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version published in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.
ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems. Information security is defined within the standard in the context of the C-I-A triad:
The preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).
The 2005 version of the standard contains the following twelve main sections:
• Risk assessment and treatment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
Within each section, IT security controls and their objectives are specified and outlined. The IT security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:
• Each organization is expected to undertake a structured information security risk assessment process to determine its requirements before selecting controls that are appropriate to its particular circumstances. (The introduction section outlines a risk assessment process although there are more specific standards covering this area such as ISO Technical Report TR 13335 GMITS Part 3 - Guidelines for the management of IT security - Security Techniques.)
• It is practically impossible to list all conceivable controls in a general purpose standard
ISO/IEC 17799 has directly equivalent national standards in countries such as Australia and New Zealand (AS/NZS ISO/IEC 17799:2006), the Netherlands (NEN-ISO/IEC 17799:2002 nl, 2005 version in translation), Sweden (SS 627799), Japan (JIS Q 27002), UNE 71501 (Spain), the United Kingdom (BS ISO/IEC 17799:2005) and Uruguay (UNIT/ISO 17799:2005). Translation and local publication often results in several months' delay after the main ISO/IEC standard is revised and released.
ISO/IEC 17799:2005 is expected to be renamed ISO/IEC 27002 in 2007. The ISO/IEC 27000 series has been reserved for information security matters with a handful of related standards such as ISO/IEC 27001 having already been released and others such as ISO/IEC 27004 - Information Security Management Metrics and Measurement - currently in draft.
ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) specifies a number of requirements for establishing, implementing, maintaining and improving an information security management system consistent with the best practices outlined in ISO/IEC 17799. This replaced BS 7799-2:2002: Information security management systems - Specification with guidance for use. Previously, organizations could only be officially certified against the British Standard (or national equivalents) by certification/registration bodies accredited by the relevant national standards organizations. Now the international standard can be used for certification.
The official title of the USA PATRIOT Act is "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001."
The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes, some of which include:
Below is a brief, non-comprehensive overview of the sections of the USA PATRIOT Act that may affect financial institutions.
Section 311: Special Measures for Jurisdictions, Financial Institutions, or International Transactions of Primary Money Laundering Concern
This Section allows for identifying customers using correspondent accounts, including obtaining information comparable to information obtained on domestic customers and prohibiting or imposing conditions on the opening or maintaining in the U.S. of correspondent or payable-through accounts for a foreign banking institution.
Section 312: Special Due Diligence for Correspondent Accounts and Private Banking Accounts
This Section amends the Bank Secrecy Act by imposing due diligence & enhanced due diligence requirements on U.S. financial institutions that maintain correspondent accounts for foreign financial institutions or private banking accounts for non-U.S. persons.
Section 313: Prohibition on U.S. Correspondent Accounts with Foreign Shell Banks
To prevent foreign shell banks, which are generally not subject to regulation and considered to present an unreasonable risk of involvement in money laundering or terrorist financing, from having access to the U.S. financial system. Banks and broker-dealers are prohibited from having correspondent accounts for any foreign bank that does not have a physical presence in any country. Additionally, they are required to take reasonable steps to ensure their correspondent accounts are not used to indirectly provide correspondent services to such banks.
Section 314: Cooperative Efforts to Deter Money Laundering
Section 314 helps law enforcement identify, disrupt, and prevent terrorist acts and money laundering activities by encouraging further cooperation among law enforcement, regulators, and financial institutions to share information regarding those suspected of being involved in terrorism or money laundering.
Section 319(b): Bank Records Related to Anti-Money Laundering Programs
To facilitate the government's ability to seize illicit funds of individuals and entities located in foreign countries by authorizing the Attorney General or the Secretary of the Treasury to issue a summons or subpoena to any foreign bank that maintains a correspondent account in the U.S. for records related to such accounts, including records outside the U.S. relating to the deposit of funds into the foreign bank. This Section also requires U.S. banks to maintain records identifying an agent for service of legal process for its correspondent accounts.
Section 325: Concentration Accounts at Financial Institutions
Allows the Secretary of the Treasury to issue regulations governing maintenance of concentration accounts by financial institutions to ensure such accounts are not used to obscure the identity of the customer who is the direct or beneficial owner of the funds being moved through the account.
Section 326: Verification of Identification
Prescribes regulations establishing minimum standards for financial institutions and their customers regarding the identity of a customer that shall apply with the opening of an account at the financial institution.
Section 351: Amendments Relating to Reporting of Suspicious Activities
This Section expands immunity from liability for reporting suspicious activities and expands prohibition against notification to individuals of SAR filing. No officer or employee of federal, state, local, tribal, or territorial governments within the U.S., having knowledge that such report was made may disclose to any person involved in the transaction that it has been reported except as necessary to fulfill the official duties of such officer or employee.
Section 352: Anti-Money Laundering Programs
Requires financial institutions to establish anti-money laundering programs, which at a minimum must include: the development of internal policies, procedures and controls; designation of a compliance officer; an ongoing employee training program; and an independent audit function to test programs.
Section 356: Reporting of Suspicious Activities by Securities Brokers and Dealers; Investment Company Study
Required the Secretary to consult with the Securities Exchange Commission and the Board of Governors of the Federal Reserve to publish proposed regulations in the Federal Register before January 1, 2002, requiring brokers and dealers registered with the Securities Exchange Commission to submit suspicious activity reports under the Bank Secrecy Act.
Section 359: Reporting of Suspicious Activities by Underground Banking Systems
This amends the BSA definition of money transmitter to ensure that informal/underground banking systems are defined as financial institutions and are thus subject to the BSA.
Section 362: Establishment of Highly Secure Network
Requires FinCEN to establish a highly secure network to facilitate and improve communication between FinCEN and financial institutions to enable financial institutions to file BSA reports electronically and permit FinCEN to provide financial institutions with alerts.
The United States Occupational Safety and Health Administration (OSHA) is an agency of the United States Department of Labor. It was created by Congress under the Occupational Safety and Health Act, signed by President Richard M. Nixon, on December 29, 1970. Its mission is to prevent work-related injuries, illnesses, and deaths by issuing and enforcing rules (called standards) for workplace safety and health.
OSHA's statutory authority extends to most nongovernmental workplaces where there are employees. State and local government workers are excluded from Federal coverage, however, states operating their own state workplace safety and health programs under plans approved by the U.S. Department of Labor cover most private sector workers and are also required to extend their coverage to public sector (state and local government) workers in the state. Section 2 (11) of the OSH Act encourages states to develop and operate their own state OSH programs.
The same act (OSHA) also created the National Institute for Occupational Safety and Health (NIOSH) as a research agency whose purpose is to determine the major types of hazards in the workplace and ways of controlling them. As of March 2006, the agency is headed by Assistant Secretary of Labor Edwin Foulke.
OSHA regulations [29 CFR Part 1956] also permit states without approved plans to develop plans that cover only public sector workers. In these states, private sector employment remains under Federal OSHA jurisdiction. Twenty-two states and territories operate plans covering both the public and private sectors and four states - Connecticut, New Jersey, New York and the US Virgin Islands - operate public employee only plans.
OSHA was widely criticized in its early years for confusing, burdensome regulations. A good deal of the early conflict came about because of arbitrary and inconsistent enforcement during OSHA's early years. In addition, businesses were expected to retrofit guards and other safety devices on existing equipment and to implement other hazard controls, often at considerable expense, to bring them in line with then-current best safety practices. Other requirements, such as mandated training, communication, and extensive documentation were seen as even more difficult and expensive.
With time, manufacturers of industrial equipment have included OSHA-compliant safety features on new machinery. Enforcement has become more consistent across jurisdictions, and some of the more outdated or irrelevant rules have been repealed or are not enforced.
During the Jimmy Carter administration, under the leadership of University of Cincinnati toxicologist Eula Bingham, OSHA began to concentrate more on health hazards, such as toxic chemicals. Bingham also launched the "New Directions" program, OSHA's first worker training grant program.
With the Ronald Reagan and George H.W. Bush administrations came efforts to weaken OSHA enforcement and rulemaking, although several important rules were issued including hazard communication (right to know about chemical exposures) and blood-borne pathogens (to protect workers against illnesses such as hepatitis and AIDS). The Reagan administration also launched OSHA's Voluntary Protection Program (VPP), OSHA's first foray into voluntary programs and partnerships with industry. In the VPP, management, labor, and OSHA establish cooperative relationships at workplaces that have implemented a comprehensive safety and health management system. Approval into VPP is OSHA's official recognition of the outstanding efforts of employers and employees who have achieved exemplary occupational safety and health.
The Bill Clinton administration began a reorganization of OSHA's approach, focusing more on "stakeholder" satisfaction through compliance assistance. When the Republicans took over Congress in 1994, one of their goals was reducing some of the agency's ability to issue standards. Some Republican sponsored bills were stopped by the Democratic minority and moderate Republicans, but other legislation passed, such as the Small Business Regulatory Enforcement Fairness Act of 1996 and the Congressional Review Act.
In 2000, OSHA issued the ergonomics standard after ten years of study and struggles with a Republican-controlled Congress and business associations such as the Chamber of Commerce and National Association of Manufacturers that were unconvinced that additional government regulation was the right way to address the issue of ergonomic injuries to American workers. Ergonomic injuries (also known as musculoskeletal injuries) such as back injuries and carpal tunnel syndrome, account for 1/3 of all serious injuries suffered by American workers. In March 2001, the Republican controlled Congress voted to repeal the standard and the repeal was one of the first major pieces of legislation signed by President George W. Bush. Since the repeal of the ergonomics standard, OSHA has issued three ergonomics guidelines, and only a small handful of ergonomic citations under the Act's "general duty" clause.
The Bush administration has largely replaced the process of issuing mandatory regulations with voluntary guidelines and put additional resources into other, previously existing voluntary programs, as well as a new "Alliance" program. In 2004, the General Accounting Office issued a report questioning the effectiveness of these programs and warning that their projected growth threatened to take resources away from OSHA's enforcement budget.
Much of the debate about OSHA regulations and enforcement policies revolves around the cost of regulations and enforcement, versus the actual benefit in reduced worker injury, illness and death. A 1995 study of several OSHA standards by the Office of Technology Assessment (OTA) found that regulated industries as well as OSHA typically overestimate the expected cost of proposed OSHA standards.
OSHA has come under considerable criticism for the ineffectiveness of its penalties, particularly criminal penalties. OSHA is only able to pursue a criminal penalty when a willful violation of an OSHA standard results in the death of a worker. The maximum penalty is a misdemeanor with a maximum of 6-months in jail. In response to the criticism, OSHA, in conjunction with the Department of Justice, has pursued several high-profile criminal prosecutions for violations under the Act, and has announced a joint enforcement initiative between OSHA and the Environmental Protection Agency (EPA) which has the ability to issue much higher fines than OSHA. Meanwhile, Congressional Democrats, labor unions and community safety and health advocates are attempting to revise the OSHAct to make it a felony with much higher penalties to commit a willful violation that results in the death of a worker. Some local prosecutors are charging company executives with manslaughter and other felonies when criminal negligence leads to the death of a worker.
Here are some of the changes in industrial safety regulation brought about by OSHA:
• Guards on all moving parts - By 1970, there were guards to prevent inadvertent contact with most moving parts that were accessible in the normal course of operation. With OSHA, use of guards was expanded to cover essentially all parts where contact is possible.
• Permissible exposure levels (PEL) - Maximum concentrations of chemicals stipulated by law for chemicals and dusts. They cover only around 600 chemicals and most are based on research from the 1950's and 1960's
• Personal protective equipment (PPE) - broader use of respirators, gloves, coveralls, and other protective equipment when handling hazardous chemicals; goggles, face shields, ear protection in typical industrial environments
• Lockout/tagout - In the 1980s, requirements for locking out energy sources in an "off" condition when performing repairs or maintenance
• Confined space - In the 1990s, specific requirements for air sampling and use of a "buddy system" when working inside tanks, manholes, pits, bins, and similar enclosed areas
• Hazard Communication (HazCom) - Also known as the "Right to Know" standard, it was issued as 29CFR1910.1200 on November 25, 1983 (48 FR 53280), and requires developing and communicating information on the hazards of chemical products used in the workplace.
• Process Safety Management (PSM) - Issued in 1992 as 29CFR1910.119 in an attempt to reduce large scale industrial accidents. Although enforcement of the standard has been spotty, its principles have long been widely accepted by the petrochemical industry.
• Bloodborne Pathogens (BBD)- In 1990, OSHA issued a standard designed to prevent health care (and other) workers from being exposed to bloodborne pathogens such as hepatitis B and HIV.
Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Occupational Safety and Health Administration".
The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or SarbOx; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, and WorldCom (now MCI). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Some believe the legislation was necessary and useful, others believe it does more economic damage than it prevents, and yet others observe how essentially modest the Act is compared to the heavy rhetoric accompanying it.
The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.
The House passed Rep. Oxley's bill (H.R. 3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673.
Senator Sarbanes' bill passed the Senate Banking Committee on June 18, 2002, by a vote of 17 to 4. On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $3.2 billion during the past five quarters, primarily by improperly accounting for its operating costs. Sen. Sarbanes introduced Senate Bill 2673 to the full Senate that same day, and it passed 97-0 less than three weeks later on July 15, 2002.
The House and the Senate formed a Conference Committee to reconcile the differences between Sen. Sarbanes' bill (S. 2673) and Rep. Oxley's bill (H.R. 3763). The conference committee relied heavily on S. 2673 and "most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions." (John T. Bostelman, The Sarbanes-Oxley Deskbook § 2-31.)
The Committee approved the final conference bill on July 24, 2002, and gave it the name "the Sarbanes-Oxley Act of 2002." The next day, both houses of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." (Elisabeth Bumiller: "Bush Signs Bill Aimed at Fraud in Corporations", The New York Times, July 31, 2002, page A1).
The Sarbanes-Oxley Act's major provisions include the following:
• Creation of the Public Company Accounting Oversight Board (PCAOB)
• A requirement that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies "attest" (i.e., agree, or qualify) to such disclosure
• Certification of financial reports by chief executive officers and chief financial officers
• Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company's Audit Committee of all other non-audit work
• A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor
• Ban on most personal loans to any executive officer or director
• Accelerated reporting of insider trading
• Prohibition on insider trades during pension fund blackout periods
• Additional disclosure
• Enhanced criminal and civil penalties for violations of securities law
• Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences
• Employee protections allowing those corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, and congressional page abatement orders, and reasonable attorney fees and costs.
Overview of PCAOB's requirements for auditor attestation of control disclosures
(Source: KPMG report)
Auditing Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) has the following key requirements:
• The design of controls-relevant assertions related to all significant accounts and disclosures in the financial statements
• Information about how significant transactions are initiated, authorized, supported, processed, and reported
• Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
• Controls designed to prevent or detect fraud, including who performs the controls and the regulated segregation of duties
• Controls over the period-end financial reporting process
• Controls over safeguarding of assets
• The results of management's testing and evaluation
Under Sarbanes-Oxley, two separate certification sections came into effect - one civil and the other criminal. See 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared." 15 U.S.C. § 7241(a)(4). The officers must "have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report" and "have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date." Id.
Moreover, under Section 404 of the Act, management is required to produce an "internal control report" as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting." 15 U.S.C. § 7262(a). The report must also "contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." Id. To do this, managers are generally adopting an internal control framework such as that described in COSO.
Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5, 2003), available at http://www.sec.gov/rules/final/33-8238.htm.)
In addition, outside auditors for companies must, for the first time, attest to managers' internal control assessment, pursuant to SEC rules, which currently require only large public companies to comply with this part of SOX. This presents new challenges to businesses, specifically, documentation of control procedures related to information technology ("IT"). The Public Company Accounting Oversight Board (PCAOB) has issued guidelines on how auditors should provide their attestations.
Information technology and SOX 404
The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. This framework focuses on information technology (IT) processes while keeping in mind the big picture of COSO's "control activities" and "information and communication". However, certain aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.
IT controls, IT audit, and SOX
The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually and most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:
"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility for corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the signoff of financial statements.
For a detailed discussion on the impact of SOX on IT audit and controls, see Information technology controls.
The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas, which when implemented, can help support the requirements as set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT Department are as follows:
• Risk Assessment. Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company's systems are being used and the current level and accuracy of existing documentation. The areas of risk drive the definition of the other four components of the COSO framework.
• Control Environment. An environment in which the employees take ownership for the success of their projects will encourage them to escalate issues and concerns, and feel that their time and efforts contribute to the success of the organization. This is the foundation on which the IT organization will thrive. Employees should cross train with design, implementation, quality assurance and deployment teams to better understand the entire technology lifecycle.
• Control Activities. Design, implementation and quality assurance testing teams should be independent. ERP and CRM systems that collect data, but feed into manual spreadsheets are prone to human error. The organization will need to document usage rules and create an audit trail for each system that contributes financial information. Further, written policies should define the specifications, business requirements and other documentation expected for each project.
• Monitoring. Auditing processes and schedules should be developed to address the high risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk. Management should clearly understand and be held responsible for the outcome of these audits.
• Information and Communication. Without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk. They will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.
Cost of implementation
Some people in the business community have acknowledged that, as John Thain, CEO of the New York Stock Exchange, states, "There is no question that, broadly speaking, Sarbanes-Oxley was necessary". However, the cost of implementing the new requirements has led to widespread questioning of how effective or necessary the specific provisions of the law truly are.
For companies, a key concern is cost of updating information systems to comply with the control and reporting requirements. Systems which provide document management, access to financial data, or long-term storage of information must now provide auditing capabilities. In most cases this requires significant changes, or even complete replacement, of existing systems which were designed without the needed level of auditing details.
Costs associated with SOX 404 compliance have proven to be significant. According to the Financial Executives International (FEI), in a survey of 217 companies with average revenue above $5 billion, the cost of compliance was an average of $4.36 million. The high cost of compliance throughout the first year can be attributed to the sharp increase in hours charged per audit engagement.
As more companies and auditors gain experience with SOX 404, audit costs have been falling. Audit firm revenues are still higher than they were prior to the Act, although audit fees were rising prior to the Act, partly as a result of the accounting scandals that prompted the Act.
The future of SOX 404 compliance
In a recent article by the accounting and consulting firm of Deloitte Touche Tohmatsu entitled "Under Control", the need for "sustainable compliance" is encouraged. The article suggests leveraging lessons learned to shift to a long-term strategy. The following areas are described as impediments to the process:
• "Project mindset: ... many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point."
• "Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed."
• "Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward"
• "Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year."
• "Underestimation of technology impacts and implications: ...IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls... IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting - a critical requirement at most large and complex enterprises."
• "Ignored risks: Effective internal control is predicated on risk... the controls themselves - exist expressly for the purpose of minimizing the risk of financial reporting errors... In year one, risk assessment was treated as an afterthought - if addressed at all."
The future of SOX 404 will depend on the ability of businesses to respond to the areas noted above by making it a part of every-day business. Deloitte has developed the "Sustained Compliance Solution Framework". Key areas of the framework are also taken from "Under Control":
• Effective and efficient processes for evaluating testing, remediation, monitoring, and reporting on controls
• Integrated financial and internal control processes
• Technology to enable compliance
• Clearly articulated roles and responsibilities and assigned accountability
• Education and training to reinforce the "control environment"
• Adaptability and flexibility to respond to organizational and regulatory change.
• Deloitte and the other auditing industry firms will generate significant revenue from these elaborate exercises.
• Both authors of the bill, Paul Sarbanes and Michael Oxley, have announced that they will retire after the end of the 2006 term.
• Some companies, mostly smaller ones (less than $30 MM in market capitalization), that used to be publicly traded have de-listed and become privately held in part because of the requirements of SOX compliance and the associated costs. Many other companies have become publicly traded since SOX went into effect. Fewer than 20% of the CFOs of companies large enough to go public that have declined to do so cite SOX as a reason that their companies remained private.
• Some companies have initiated very time consuming and costly internal standards that are beyond what is actually required for SOX compliance.
• On 22 October 2006, the nationally syndicated newspaper comic The 5th Wave by Rich Tennant featured a punch line which mentioned SOX.
The Food and Drug Administration (FDA) is an agency of the United States Department of Health and Human Services and is responsible for regulating food (humans and animal), dietary supplements, drugs (human and animal), cosmetics, medical devices (human and animal) and radiation emitting devices (including non-medical devices), biologics, and blood products in the United States.
Authorization and mandate
The FDA derives its authority and jurisdiction from various Congressional acts. The main source of the FDA's authority is the Federal Food, Drug, and Cosmetic Act. Additionally, as a Federal agency, the FDA is required by Executive Order 13132 to review all proposed new rules for Federalism issues.
The main purpose of the FDA is to protect citizens from products that are inherently unsafe or that make claims of effectiveness that cannot be substantiated. Because of the vast number of products or substances that may affect the public and the expertise required to evaluate them, Congress delegates this task to a specialized administrative agency.
The FDA thus has the power to regulate a multitude of products in a manner that ensures the safety of the American public and the effectiveness of marketed food, medical, and cosmetic products. Regulations may take several forms, including but not limited to outright ban, controlled distribution, and controlled marketing. Additionally, the FDA sets the standards under which individuals may be licensed to prescribe drugs or other medical devices. Regulatory enforcement is carried out by Consumer Safety Officers within the Office of Regulatory Affairs and criminal matters are handled by special agents within the Office of Criminal Investigations (OCI).
Anyone can request or petition the FDA to change or create an Agency policy or regulation through the Citizen's Petition process (21 CFR Part 10.30). Despite the name, this process is primarily used by companies seeking a change to an FDA policy.
Since the FDA derives its authority from enabling legislation, it is principally a delegate of Congress to handle the large number of detailed issues related to its authority. As such, it at any time may be redirected, reorganized or even dissolved at the discretion of Congress. This puts the purpose of the FDA at risk with any change in the balance of power in Congress.
In addition to direct control over the agency's charter, Congress has leverage over the FDA's operations by means of budget allocation. Since budgetary legislation and amendments are very common and many times have a "must pass" status, this method of control is much easier to implement than to gain the wide agreement by Congress to modify the charter of an agency.
Additionally, the FDA's Commissioner is nominated by the President and confirmed by the Senate. This allows the President to select Commissioners who may be sympathetic to political issues he deems important. Additionally, Senate rules allow for nominations to be blocked by means of filibuster, whereby the Senate must first obtain a super-majority of 60% to close debate on an issue before a vote.
Finally, the Commissioner himself has discretion regarding the staff employees within the agency and has the power to influence their decisions simply by being able to dismiss those who are not aligned with his views.
The FDA does not pre-approve dietary supplements on their safety and efficacy, unlike drugs. In contrast, the FDA can only go after dietary supplement manufacturers after they have put unsafe products on the market. However, certain foods (such as infant formula and medical foods) are deemed special nutritional because they are consumed by highly vulnerable populations and are thus regulated more strictly than the majority of dietary supplements.
Under former Commissioner David Aaron Kessler, the FDA in the 1990s attempted to regulate tobacco as a pharmaceutical. The courts determined in FDA v. Brown & Williamson Tobacco Corp. that the FDA did not have Congressional authority to regulate tobacco.
One aspect of its jurisdiction over food is regulation of the content of health claims on food labels. However, because regulating the content of labels impacts First Amendment issues, FDA must balance concerns about the public health with the right to free speech. Daniel Troy, Chief Counsel of the Food and Drug Division from August 2001 to November 2004, raised the agency's focus on First Amendment issues.
Currently, the FDA is divided into five major Centers, each with its own origins and history:
• The Center for Drug Evaluation and Research (CDER)
• The Center for Biologics Evaluation and Research (CBER)
• The Center for Devices and Radiological Health (CDRH)
• The Center for Food Safety and Applied Nutrition (CFSAN)
• The Center for Veterinary Medicine (CVM)
• National Center for Toxicological Research (NCTR)
• Office of Regulatory Affairs (ORA)
• Joint Institute for Food Safety and Applied Nutrition
• National Center for Food Safety and Technology
The CDER, which regulates human pharmaceuticals, receives considerable public scrutiny, and thus implements processes that tend toward objectivity and tend to isolate decisions from being attributed to specific individuals. In keeping with this, reviews are generally staffed by teams that are intended to come to consensus on decisions.
Within the CDER, "review teams" employ around 1,300 employees to approve new drugs. Additionally, the CDER has a "safety team" of 72 employees to determine whether new drugs are unsafe or present risks not disclosed in the product's labeling.
The FDA's budget for approving, labeling, and monitoring drugs is roughly $290 million per year. The safety team monitors the effects of more than 3,000 prescription drugs on 200 million people with a budget of about $15 million a year. The FDA requires a four-phase series of clinical trials, with phase three being the largest and usually requiring 1,000-3,000 patients.
The CBER, which is the oldest operations center, oversees blood products, vaccines, and newer therapeutics related to stem cells and gene therapy.
Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "The Food and Drug Administration (FDA)".
The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. The Glass-Steagall Act prohibited a bank from offering investment, commercial banking, and insurance services. The Gramm-Leach-Bliley Act (GLBA) allowed commercial and investment banks to consolidate. For example, in its wake Citibank merged with Travelers Group, an insurance company, and formed the conglomerate Citigroup, a corporation combining banking and insurance underwriting services. However, the law was not passed until some major mergers in the financial sector had already taken place, such as the Smith-Barney, Shearson, Primerica and Travelers Insurance Corporation combination in the mid-1990s. This combination, announced in 1993 and finalized in 1994, already violated the Glass-Steagall Act by combining insurance and securities companies. The law was passed to legalize these mergers. Historically, the combined industry has been known as the financial services industry.
Changes caused by the Act
The Act was desired by many of the largest banks, brokerages, and insurance companies in the United States at the time. The justification was that people usually put more money in investments in a good economy, but when it turns bad, they put their money into savings accounts. With the new Act, they would do both with the same company, so the company would be doing well in all economic times. This has to some extent proven true.
Prior to the passage of the Act, most financial services companies were doing this anyway. On the retail/consumer side, a bank called Norwest led the charge in offering all types of financial services products in 1986. Also at the time American Express attempted to own almost every genre of financial business (although there was little synergy between them). Things culminated in 1997 when Travelers, a financial services company with everything but a retail/commercial bank, bought out Citibank, creating the largest and most profitable company in the world. At the time this was technically illegal, and was a large impetus for the passage of the Gramm-Leach-Bliley Act.
Also prior to the passage of the Act, there were many relaxations to the Glass-Steagall Act. For example, a few years before, Commercial Banks were allowed to get into investment banking, and before that banks were also allowed to get into stock and insurance brokerage. The only main operation they weren't allowed to do was insurance underwriting (something rarely done by banks even after the passage of the Act).
Since the passage of the GLBA, much consolidation has occurred in the financial services industry, but not as much as some expected. Retail banks, for example, do not tend to buy insurance underwriters, since they expect they can make more money selling other companies' insurance products in their branches (this is called insurance brokerage). Many other retail banks have been slow to adopt investments and insurance products, and to package those products in a convincing way. Brokerage companies have had a hard time getting into banking, because they do not have a large branch and backshop footprint. Banks have recently tended to buy other banks, such as the recent Bank of America and Fleet Boston merger, yet they have had less success integrating with investment and insurance companies. Many banks have expanded into investment banking, but have found it hard to package it with their banking services without resorting to questionable tie-ins, which caused scandals at Smith Barney.
Senator Phil Gramm led the Senate Banking Committee which sponsored the Act; he later joined UBS Warburg, at the time the investment banking arm of the largest Swiss bank.
Some restrictions remain to provide some amount of separation between the investment and commercial banking operations of a company. For example, licensed bankers must have separate business cards, e.g., "Personal Banker, Wells Fargo Bank" and "Investment Consultant, Wells Fargo Private Client Services". Much of the debate about financial privacy is specifically centered around allowing or preventing the banking, brokerage, and insurance divisions of a company from working together.
In terms of compliance, the key rules under the Act include The Financial Privacy Rule which governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, who receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions - such as credit reporting agencies - that receive customer information from other financial institutions.
• GLBA compliance is not voluntary; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity
• Major Components put into place to govern the collection, disclosure, and protection of consumers' nonpublic personal information; or personally identifiable information:
• Financial Privacy Rule
• Safeguards Rule
• Pretexting Protection
Financial Privacy Rule
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. § 6801 through 15 U.S.C. § 6809)
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients' nonpublic personal information. (The Safeguards Rule also applies to information of those no longer consumers of the financial institution.) This plan must include:
• Denoting at least one employee to manage the safeguards,
• Constructing a thorough risk management on each department handling the nonpublic information,
• Developing, monitoring, and testing a program to secure the information, and
• Changing the safeguards as needed with the changes in how information is collected, stored, and used.
This rule is intended to do what most businesses should already be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.
(Subtitle B: Fraudulent Access to Financial Information, codified at 15 U.S.C. § 6821 through 15 U.S.C. § 6827)
Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a "phony" website or email to collect data). The GLBA has provisions that require the financial institution to take all precautions necessary to protect and defend the consumer and associated nonpublic information. Pretexting is illegal and punishable by law beyond any recognition by the GLBA.
Financial Institutions Defined
The GLBA defines "financial institutions" as: "...companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance." The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:
• non-bank mortgage lenders,
• loan brokers,
• some financial or investment advisers,
• debt collectors,
• tax return preparers,
• banks, and
• real estate settlement service providers.
These companies must also be considered significantly engaged in the financial service or production that defines them as a "financial institution".
Insurance has jurisdiction first by the state, provided the state law at minimum complies with the GLBA. State law can require greater compliance, but not less than what is otherwise required by the GLBA.
Consumer vs. Customer Defined
The Gramm-Leach-Bliley Act defines a 'consumer' as
"an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." (See 15 U.S.C. § 6809(9).)
A 'customer' is a consumer that has developed a relationship with privacy rights protected under the GLBA. A 'customer' is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a 'customer' might have; i.e. a mortgage loan, tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the GLBA. A business, however, may be liable for compliance with the GLBA depending upon the type of business and the activities utilizing individuals' personal nonpublic information.
Consumer/Client Privacy Rights
Under the GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.
The privacy notice must also explain to the consumer the opportunity to 'opt out'. Opting out means that the client can say "no" to allowing their information to be shared with affiliated parties. The Fair Credit Reporting Act is responsible for the 'opt-out' opportunity, but the privacy notice must inform the consumer of this right under the GLBA. The client cannot opt out of:
• information shared with those providing priority service to the financial institution
• marketing of products or services for the financial institution
• when the information is deemed legally required.
Violation of the GLBA may result in a civil action brought by the United States Attorney General. The penalties, as amended under the Financial Institution Privacy Protection Act of 2003 (108th Congress - 1st Session - S. 1458; To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes; In the Senate of the United States, July 25 (legislative day, July 21), 2003), include:
• "the financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation"
• "the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation".
Continuity of Government (COG) is the principle of establishing defined procedures that allow a government to continue its essential operations in case of a nuclear war or other catastrophic event. Developed during the Cold War, COG plans were implemented by many countries to avoid leaving a vacuum at any governmental level, which could lead to anarchy or to an unlawful assumption of authority. Effectively the democratic process is revoked temporarily until the effects of the event have subsided and normal government can resume. It is not a generally published part of government policy and is generally shrouded in secrecy for security reasons.
Continuity of Government in the United States
The main points of such a plan in the United States are to suspend certain parts of the United States Constitution and to allow the alternative use of federal land and buildings (including use as internment camps) by FEMA for the housing/detention of US citizens as required, as well as any rescue/recovery operations. It also allows for power in the US to be centralized to the White House and "appointment of military commanders to run state and local governments and declaration of martial law". In the former regard the United States arrangements for Continuity of Government are unusual. The plans in most countries are intended to preserve the legal and constitutional framework; the American system relies on circumventing it. There is no legal basis for the imposition of so-called "martial law".
House Democrat Jack Brooks brought up the issue during the Iran-Contra Affair hearings. Try as he might, he was not able to get the answers to his questions from Col. Oliver North (it had been reported in the Miami Herald that North had worked on such plans), as he was repeatedly requested by the Chairman to refrain from discussing the issue and to request a (non-public) executive session if he wanted to discuss the issue at all.
Apparently the Legislative and Judiciary Branches of the US Government each have similar continuity plans. However, both require the Executive to notify them before they are activated. There appears to have been no notification following 9/11 to either the Congress or US Supreme Court until it was finally admitted to Congress in 2002.
It appears the US is still in the Continuity of Government status invoked as a result of 9/11.
There is considerable confusion between the use of extra-constitutional powers and "martial law" in an emergency situation, and Continuity of Government as such. Continuity of Government properly refers to processes, systems, and infrastructure whereby Government control and communications can be maintained. They involve communications systems, operating procedures, delegation of responsibility, and emergency accommodation, including bunkers.
The use of unusual powers in an emergency, whether legal or illegal, is not Continuity of Government so much as a restraint on legal and constitutional rights. Historically many governments and leaders have used a disaster or attack as an excuse to assume illegal and draconian powers.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services' (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
Title II of HIPAA, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.
Title I: Health Care Access, Portability, and Renewability
Title I of HIPAA regulates the availability and breadth of group and individual health insurance plans. It amends both the Employee Retirement Income Security Act and the Public Health Service Act.
Title I prohibits any group health plan from creating eligibility rules or assessing premiums for individuals in the plan based on health status, medical history, genetic information, or disability. This does not apply to private individual insurance.
Title I also limits restrictions that a group health plan can place on benefits for preexisting conditions. Group health plans may refuse to provide benefits relating to preexisting conditions for a period of 12 months after enrollment in the plan or 18 months in the case of late enrollment. However, individuals may reduce this exclusion period if they had health insurance prior to enrolling in the plan. Title I allows individuals to reduce the exclusion period by the amount of time that they had "creditable coverage" prior to enrolling in the plan and after any "significant breaks" in coverage. "Creditable coverage" is defined quite broadly and includes nearly all group and individual health plans, Medicare, and Medicaid. A "significant break" in coverage is defined as any 63-day period without any creditable coverage.
To illustrate, suppose someone enrolls in a group health plan on January 1, 2006. This person had previously been insured from January 1, 2004 until February 1, 2005 and from August 1, 2005 until December 31, 2005. To determine how much coverage can be credited against the exclusion period in the new plan, start at the enrollment date and count backwards until you reach a significant break in coverage. So, the five months of coverage between August 1, 2005 and December 31, 2005 clearly count against the exclusion period. But the period without insurance between February 1, 2005 and August 1, 2005 is greater than 63 days. Thus, this is a significant break in coverage, and any coverage prior to it cannot be deducted from the exclusion period. So, this person could deduct five months from his or her exclusion period, reducing the exclusion period to seven months. Hence, Title I requires that any preexisting condition begin to be covered on August 1, 2006.
Title I also forbids individual health plans from denying coverage or imposing preexisting condition exclusions on individuals who have at least 18 months of creditable group coverage without significant breaks and who are not eligible to be covered under any group, state, or federal health plans at the time they seek individual insurance.
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title II of HIPAA defines numerous offenses relating to health care and sets civil and criminal penalties for them. It also creates several programs to control fraud and abuse within the health care system. However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.
These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.
Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.
The Privacy Rule
The Privacy Rule took effect April 14, 2003, with a one-year extension for certain "small plans". It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.
Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.
A covered entity may disclose PHI to facilitate treatment, payment, or health care operations or if the covered entity has obtained authorization from the individual. However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.
The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals. For instance, an individual can ask to be called at his or her work number, instead of home or cell phone number.
The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints and train all members of their workforce in procedures regarding PHI.
An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).
The Transactions and Code Sets Rule
The HIPAA/EDI provision was scheduled to take effect October 16, 2003 with a one-year extension for certain "small plans"; however, due to widespread confusion and difficulty in implementing the rule, CMS granted a one-year extension to all parties. As of October 16, 2004, full implementation was not achieved and CMS began an open-ended "contingency period." Penalties for non-compliance were not levied; however, all parties are expected to make a "good-faith effort" to come into compliance.
CMS announced that the Medicare contingency period ended July 1, 2005. After July 1, most medical providers that file electronically will have to file their electronic claims using the HIPAA standards in order to be paid. There are exceptions for doctors that meet certain criteria.
Key EDI transactions are:
• 837: Medical claims with subtypes for Professional, Institutional, and Dental varieties
• 820: Payroll Deducted and Other Group Premium Payment for Insurance Products
• 834: Benefits enrollment and maintenance
• 835: Electronic remittances
• 270/271: Eligibility inquiry and response
• 276/277: Claim status inquiry and response
• 278: Health Services Review request and reply
These standards are X12 compliant, and are grouped under the label X12N.
Implementation Guides are available from the Washington Publishing Company for a fee, now that CMS is not subsidizing the publications.
The National Council for Prescription Drug Programs' Telecommunication Standard version 5.1 is also used for the transmission of third-party pharmacy claims. The NCPDP Telecommunication Standard version 5.1 is available to NCPDP members at NCPDP's website.
The Security Rule
The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans". The Security Rule complements the Privacy Rule. It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. The standards and specifications are as follows:
Administrative Safeguards - policies and procedures designed to clearly show how the entity will comply with the act
• Covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
• The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
• Procedures should clearly identify employees or classes of employees who will have access to protected health information (PHI). Access to PHI in all forms must be restricted to only those employees who have a need for it to complete their job function.
• The procedures must address access authorization, establishment, modification, and termination.
• Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions.
• Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
• A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures.
• Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based.
• Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.
Physical Safeguards - controlling physical access to protect against inappropriate access to protected data
• Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
• Access to equipment containing health information should be carefully controlled and monitored.
• Access to hardware and software must be limited to properly authorized individuals.
• Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
• Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public.
• If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.
Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
• Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
• Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
• Data corroboration, including the use of checksums, double-keying, message authentication, and digital signatures, may be used to ensure data integrity.
• Covered entities must also authenticate the entities they communicate with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems.
• Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
• In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
• Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act's security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)
The Enforcement Rule
On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations.
Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Health Insurance Portability and Accountability Act".
Basel II, also called The New Accord (correct full name is the International Convergence of Capital Measurement and Capital Standards - A Revised Framework) is the second Basel Accord and represents recommendations by bank supervisors and central bankers from the 13 countries making up the Basel Committee on Banking Supervision (BCBS) to revise the international standards for measuring the adequacy of a bank's capital. It was created to promote greater consistency in the way banks and banking regulators approach risk management across national borders. The Bank for International Settlements (often confused with the BCBS) supplies the secretariat for the BCBS and is not itself the BCBS.
An earlier accord, Basel I, adopted in 1988, is now widely viewed as outmoded as it is risk insensitive and can easily be circumvented by regulatory arbitrage.
The Basel II deliberations began in January 2001, driven largely by concern about the arbitrage issues that develop when regulatory capital requirements diverge from accurate economic capital calculations.
The first draft (called Consultative Paper 1) was published in June 1999. Further consultative papers followed, together with a large quantity of other releases, Quantitative Impact Studies Nos. 2, 3 and 4, and papers. A final version was issued in June 2004, with a minor revision released in November 2005. In June 2006 a Comprehensive version was published including all Basel regulations up to this date. Implementation of the Accord is expected by 2008 in many of the over 100 countries currently using the Basel I accord.
The final version aims at:
• Ensuring that capital allocation is more risk sensitive;
• Separating operational risk from credit risk, and quantifying both;
• Attempting to align economic and regulatory capital more closely to reduce the scope for regulatory arbitrage.
While the final accord has largely addressed the regulatory arbitrage issue, there are still areas where regulatory capital requirements will diverge from the economic.
Basel II has largely left unchanged the question of how to actually define bank capital, which diverges from accounting equity in important respects. The Basel I definition, as modified up to the present, remains in place.
The Accord In Operation
Basel II uses a "three pillars" concept - (1) minimum capital requirements; (2) supervisory review; and (3) market discipline - to promote greater stability in the financial system.
The Basel I accord only dealt with parts of each of these pillars. For example, of the key pillar one risks, credit risk was dealt with in a simple manner and market risk was an afterthought. Operational risk was not dealt with at all.
The First Pillar
The first pillar provides improved risk sensitivity in the way that capital requirements are calculated for three major components of risk that a bank faces: credit risk, operational risk and market risk. In turn, each of these components can be calculated in two or three ways of varying sophistication. Other risks are not considered fully quantifiable at this stage.
Technical terms in the more sophisticated measures of market risk include VaR (Value at Risk), EL (Loss function) whose components are PD (Probability of Default), LGD (Loss Given Default), and EAD (Exposure At Default). Calculation of these components requires advanced data collection and sophisticated risk management techniques.
The Second Pillar
The second pillar deals with the regulatory response to the first pillar, giving regulators much improved 'tools' over those available to them under Basel I. It also provides a framework for dealing with all the other risks a bank may face, such as name risk, liquidity risk and legal risk, which the accord combines under the title of residual risk.
The Third Pillar
The third pillar greatly increases the disclosures that the bank must make. This is designed to allow the market to have a better picture of the overall risk position of the bank and to allow the counterparties of the bank to price and deal appropriately.
September 2005 update
On September 30, 2005, the four US Federal banking agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision) announced their revised plans for the U.S. implementation of the Basel II accord. This delays implementation of the accord for US banks by 12 months.
November 2005 update
On November 15, 2005, the committee released a revised version of the Accord, incorporating changes to the calculations for market risk and the treatment of double default effects. These changes had been flagged well in advance, as part of a paper released in July 2005.
July 2006 update
On July 4, 2006, the committee released a comprehensive version of the Accord, incorporating the June 2004 Basel II Framework, the elements of the 1988 Accord that were not revised during the Basel II process, the 1996 Amendment to the Capital Accord to Incorporate Market Risks, and the November 2005 paper on Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework. No new elements have been introduced in this compilation. This version is now the current version.
Basel II and the Regulators
One of the most difficult aspects of implementing an international agreement is the need to accommodate differing cultures, varying structural models, and the complexities of public policy and existing regulation. Banks' senior management will determine corporate strategy, as well as the country in which to base a particular type of business, based in part on how Basel II is ultimately interpreted by various countries' legislatures and regulators.
To assist banks operating with multiple reporting requirements for different regulators according to geographic location, there are several software applications available. These include capital calculation engines and extend to automated reporting solutions which include the reports required under COREP/FINREP.
Regulators in most jurisdictions around the world plan to implement the new Accord, but with widely varying timelines and with use of the varying methodologies being restricted. The United States of America's various regulators are yet (October 2006) to agree on a final approach; see Basel IA for a discussion. In response to a questionnaire released by the Financial Stability Institute (FSI), 95 national regulators indicated they were to implement Basel II, in some form or another, by 2015.
Work is apparently already underway on Basel III, at least in a preliminary sense. The goals of this project are to refine the definition of bank capital, quantify further classes of risk and to further improve the sensitivity of the risk measures.