ISO/IEC 27002 (formerly 17799) is an information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version published in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining information security management systems. Information security is defined within the standard in the context of the C-I-A triad:

The preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).
The 2005 version of the standard contains the following twelve main sections:

• Risk assessment and treatment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance

Within each section, IT security controls and their objectives are specified and outlined. The IT security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:

• Each organization is expected to undertake a structured information security risk assessment process to determine its requirements before selecting controls that are appropriate to its particular circumstances. (The introduction section outlines a risk assessment process although there are more specific standards covering this area such as ISO Technical Report TR 13335 GMITS Part 3 - Guidelines for the management of IT security - Security Techniques.)
• It is practically impossible to list all conceivable controls in a general purpose standard.


ISO/IEC 17799 has directly equivalent national standards in countries such as Australia and New Zealand (AS/NZS ISO/IEC 17799:2006), the Netherlands (NEN-ISO/IEC 17799:2002 nl, 2005 version in translation), Sweden (SS 627799), Japan (JIS Q 27002), Spain (UNE 71501), the United Kingdom (BS ISO/IEC 17799:2005) and Uruguay (UNIT/ISO 17799:2005). Translation and local publication often result in several months' delay after the main ISO/IEC standard is revised and released.

ISO/IEC 17799:2005 is expected to be renamed ISO/IEC 27002 in 2007. The ISO/IEC 27000 series has been reserved for information security matters with a handful of related standards such as ISO/IEC 27001 having already been released and others such as ISO/IEC 27004 - Information Security Management Metrics and Measurement - currently in draft.


Certification
ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) specifies a number of requirements for establishing, implementing, maintaining and improving an information security management system consistent with the best practices outlined in ISO/IEC 17799. This replaced BS 7799-2:2002: Information security management systems - Specification with guidance for use. Previously, organizations could only be officially certified against the British Standard (or national equivalents) by certification/registration bodies accredited by the relevant national standards organizations. Now the international standard can be used for certification.

Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "ISO/IEC 17799".


Image caption: Before the signing ceremony of the Sarbanes-Oxley Act, President George W. Bush meets with Senator Paul Sarbanes, Secretary of Labor Elaine Chao and other dignitaries in the Blue Room at the White House on July 30, 2002.

The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or SarbOx; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, and WorldCom (now MCI). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Some believe the legislation was necessary and useful, others believe it does more economic damage than it prevents, and yet others observe how essentially modest the Act is compared to the heavy rhetoric accompanying it.

The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.


History
The House passed Rep. Oxley's bill (H.R. 3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673.

Senator Sarbanes' bill passed the Senate Banking Committee on June 18, 2002, by a vote of 17 to 4. On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $3.2 billion during the past five quarters, primarily by improperly accounting for its operating costs. Sen. Sarbanes introduced Senate Bill 2673 to the full Senate that same day, and it passed 97-0 less than three weeks later on July 15, 2002.

The House and the Senate formed a Conference Committee to reconcile the differences between Sen. Sarbanes' bill (S. 2673) and Rep. Oxley's bill (H.R. 3763). The conference committee relied heavily on S. 2673 and "most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions." (John T. Bostelman, The Sarbanes-Oxley Deskbook § 2-31.)

The Committee approved the final conference bill on July 24, 2002, and gave it the name "the Sarbanes-Oxley Act of 2002." The next day, both houses of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." (Elisabeth Bumiller: "Bush Signs Bill Aimed at Fraud in Corporations", The New York Times, July 31, 2002, page A1).


Provisions
The Sarbanes-Oxley Act's major provisions include the following:

• Creation of the Public Company Accounting Oversight Board (PCAOB)
• A requirement that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies "attest" (i.e., agree, or qualify) to such disclosure
• Certification of financial reports by chief executive officers and chief financial officers
• Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company's Audit Committee of all other non-audit work
• A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor
• Ban on most personal loans to any executive officer or director
• Accelerated reporting of insider trading
• Prohibition on insider trades during pension fund blackout periods
• Additional disclosure
• Enhanced criminal and civil penalties for violations of securities law
• Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences
• Employee protections allowing those corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, abatement orders, and reasonable attorney fees and costs.


Overview of PCAOB's requirements for auditor attestation of control disclosures
(Source: KPMG report)
Auditing Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) has the following key requirements:

• The design of controls relevant to the assertions related to all significant accounts and disclosures in the financial statements
• Information about how significant transactions are initiated, authorized, supported, processed, and reported
• Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
• Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
• Controls over the period-end financial reporting process
• Controls over safeguarding of assets
• The results of management's testing and evaluation

Internal controls
Under Sarbanes-Oxley, two separate certification sections came into effect - one civil and the other criminal. See 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared." 15 U.S.C. § 7241(a)(4). The officers must "have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report" and "have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date." Id.

Moreover, under Section 404 of the Act, management is required to produce an "internal control report" as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting." 15 U.S.C. § 7262(a). The report must also "contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." Id. To do this, managers are generally adopting an internal control framework such as that described in COSO.

Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5, 2003), available at http://www.sec.gov/rules/final/33-8238.htm.)

In addition, outside auditors for companies must, for the first time, attest to managers' internal control assessment, pursuant to SEC rules, which currently require that only large public companies comply with this part of SOX. This presents new challenges to businesses, specifically the documentation of control procedures related to information technology ("IT"). The Public Company Accounting Oversight Board (PCAOB) has issued guidelines on how auditors should provide their attestations.


Information technology and SOX 404
The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. This framework focuses on information technology (IT) processes while keeping in mind the big picture of COSO's "control activities" and "information and communication". However, certain aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.



IT controls, IT audit, and SOX
The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually and most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility for corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the signoff of financial statements.


For a detailed discussion on the impact of SOX on IT audit and controls, see Information technology controls.

IT Impacts

The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas, which when implemented, can help support the requirements as set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT Department are as follows:

• Risk Assessment. Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company's systems are being used and the current level and accuracy of existing documentation. The areas of risk drive the definition of the other four components of the COSO framework.

• Control Environment. An environment in which the employees take ownership for the success of their projects will encourage them to escalate issues and concerns, and feel that their time and efforts contribute to the success of the organization. This is the foundation on which the IT organization will thrive. Employees should cross train with design, implementation, quality assurance and deployment teams to better understand the entire technology lifecycle.

• Control Activities. Design, implementation and quality assurance testing teams should be independent. ERP and CRM systems that collect data, but feed into manual spreadsheets are prone to human error. The organization will need to document usage rules and create an audit trail for each system that contributes financial information. Further, written policies should define the specifications, business requirements and other documentation expected for each project.

• Monitoring. Auditing processes and schedules should be developed to address the high risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk. Management should clearly understand and be held responsible for the outcome of these audits.

• Information and Communication. Without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk. They will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.


Cost of implementation
Some people in the business community have acknowledged that, as John Thain, CEO of the New York Stock Exchange, states, "There is no question that, broadly speaking, Sarbanes-Oxley was necessary". However, the cost of implementing the new requirements has led to widespread questioning of how effective or necessary the specific provisions of the law truly are.

For companies, a key concern is cost of updating information systems to comply with the control and reporting requirements. Systems which provide document management, access to financial data, or long-term storage of information must now provide auditing capabilities. In most cases this requires significant changes, or even complete replacement, of existing systems which were designed without the needed level of auditing details.

Costs associated with SOX 404 compliance have proven to be significant. According to the Financial Executives International (FEI), in a survey of 217 companies with average revenue above $5 billion, the cost of compliance was an average of $4.36 million. The high cost of compliance throughout the first year can be attributed to the sharp increase in hours charged per audit engagement.

As more companies and auditors gain experience with SOX 404, audit costs have been falling. Audit firm revenues are still higher than they were prior to the Act, although audit fees were rising prior to the Act, partly as a result of the accounting scandals that prompted the Act.


The future of SOX 404 compliance
In a recent article by the accounting and consulting firm of Deloitte Touche Tohmatsu entitled "Under Control", the firm argues for "sustainable compliance". The article suggests leveraging lessons learned to shift to a long-term strategy. The following areas are described as impediments to the process:

• "Project mindset: ... many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point."
• "Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed."
• "Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward"
• "Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year."
• "Underestimation of technology impacts and implications: ...IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls... IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting - a critical requirement at most large and complex enterprises."
• "Ignored risks: Effective internal control is predicated on risk... the controls themselves - exist expressly for the purpose of minimizing the risk of financial reporting errors... In year one, risk assessment was treated as an afterthought - if addressed at all."
The future of SOX 404 will depend on the ability of businesses to respond to the areas noted above by making compliance a part of everyday business. Deloitte has developed the "Sustained Compliance Solution Framework". Key areas of the framework are also taken from "Under Control":

• Effective and efficient processes for evaluating testing, remediation, monitoring, and reporting on controls
• Integrated financial and internal control processes
• Technology to enable compliance
• Clearly articulated roles and responsibilities and assigned accountability
• Education and training to reinforce the "control environment"
• Adaptability and flexibility to respond to organizational and regulatory change.
• Deloitte and the other auditing industry firms will generate significant revenue from these elaborate exercises.

Trivia
• Both the authors of the bill Paul Sarbanes and Michael Oxley have announced that they will retire after the end of the 2006 term.
• Some companies, mostly smaller ones (less than $30 MM in market capitalization), that used to be publicly traded have de-listed and become privately held in part because of the requirements of SOX compliance and the associated costs. Many other companies have become publicly traded since SOX went into effect. Fewer than 20% of the CFOs of companies large enough to go public that have declined to do so cite SOX as a reason that their companies remained private.
• Some companies have initiated very time consuming and costly internal standards that are beyond what is actually required for SOX compliance.
• On 22 October 2006, the nationally syndicated newspaper comic The 5th Wave by Rich Tennant featured a punch line which mentioned SOX.

Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Sarbanes-Oxley Act".


The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. The Glass-Steagall Act prohibited a bank from offering investment, commercial banking, and insurance services. The Gramm-Leach-Bliley Act (GLBA) allowed commercial and investment banks to consolidate. For example, in its wake Citibank merged with Travelers Group, an insurance company, and formed the conglomerate Citigroup, a corporation combining banking and insurance underwriting services. However, the law was not passed until some major mergers in the financial sector had already taken place, such as the Smith-Barney, Shearson, Primerica and Travelers Insurance Corporation combination in the mid-1990s. This combination, announced in 1993 and finalized in 1994, already violated the Glass-Steagall Act by combining insurance and securities companies. The law was passed to legalize these mergers. Historically, the combined industry has been known as the financial services industry.

Changes caused by the Act
The Act was desired by many of the largest banks, brokerages, and insurance companies in the United States at the time. The justification was that people usually put more money in investments in a good economy, but when it turns bad, they put their money into savings accounts. With the new Act, they would do both with the same company, so the company would be doing well in all economic times. This has to some extent proven true.

Prior to the passage of the Act, most financial services companies were doing this anyway. On the retail/consumer side, a bank called Norwest led the charge in offering all types of financial services products in 1986. Also at the time American Express attempted to own almost every genre of financial business (although there was little synergy between them). Things culminated in 1997 when Travelers, a financial services company with everything but a retail/commercial bank, bought out Citibank, creating the largest and most profitable company in the world. At the time this was technically illegal, and was a large impetus for the passage of the Gramm-Leach-Bliley Act.

Also prior to the passage of the Act, there were many relaxations of the Glass-Steagall Act. For example, a few years before, commercial banks were allowed to get into investment banking, and before that banks were also allowed to get into stock and insurance brokerage. The only main operation they weren't allowed to do was insurance underwriting (something rarely done by banks even after the passage of the Act).

Since the passage of the GLBA, much consolidation has occurred in the financial services industry, but not as much as some expected. Retail banks, for example, do not tend to buy insurance underwriters, since they expect they can make more money selling other companies' insurance products in their branches (this is called insurance brokerage). Many other retail banks have been slow to adopt investment and insurance products, and to package those products in a convincing way. Brokerage companies have had a hard time getting into banking, because they do not have a large branch and back-office footprint. Banks have recently tended to buy other banks, such as the recent Bank of America and Fleet Boston merger, yet they have had less success integrating with investment and insurance companies. Many banks have expanded into investment banking, but have found it hard to package it with their banking services without resorting to questionable tie-ins, which caused scandals at Smith Barney.

Senator Phil Gramm led the Senate Banking Committee which sponsored the Act; he later joined UBS Warburg, at the time the investment banking arm of the largest Swiss bank.

Remaining Restrictions
Some restrictions remain to provide some amount of separation between the investment and commercial banking operations of a company. For example, licensed bankers must have separate business cards, e.g. "Personal Banker, Wells Fargo Bank" and "Investment Consultant, Wells Fargo Private Client Services". Much of the debate about financial privacy is specifically centered around allowing or preventing the banking, brokerage, and insurance divisions of a company from working together.

In terms of compliance, the key rules under the Act include the Financial Privacy Rule, which governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, that receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions - such as credit reporting agencies - that receive customer information from other financial institutions.



Privacy
• GLBA compliance is not voluntary; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats to security and data integrity.
• Major components put into place to govern the collection, disclosure, and protection of consumers' nonpublic personal information, or personally identifiable information:
  • Financial Privacy Rule
  • Safeguards Rule
  • Pretexting Protection

Financial Privacy Rule
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. § 6801 through 15 U.S.C. § 6809)

The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt-out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt-out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer's personal nonpublic information.



Safeguards Rule
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. § 6801 through 15 U.S.C. § 6809)

The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared to protect, and plans to continue protecting, clients' nonpublic personal information. (The Safeguards Rule also applies to information of those who are no longer consumers of the financial institution.) This plan must include:

• Denoting at least one employee to manage the safeguards,
• Constructing a thorough risk assessment of each department handling the nonpublic information,
• Developing, monitoring, and testing a program to secure the information, and
• Changing the safeguards as needed with changes in how information is collected, stored, and used.

This rule is intended to do what most businesses should already be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.


Pretexting Protection
(Subtitle B: Fraudulent Access to Financial Information, codified at 15 U.S.C. § 6821 through 15 U.S.C. § 6827)

Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a "phony" website or email to collect data). The GLBA has provisions that require the financial institution to take all precautions necessary to protect and defend the consumer and associated nonpublic information. Pretexting is illegal and punishable by law beyond any recognition by the GLBA.


Financial Institutions Defined
The GLBA defines "financial institutions" as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance." The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:

• non-bank mortgage lenders,
• loan brokers,
• some financial or investment advisers,
• debt collectors,
• tax return preparers,
• banks, and
• real estate settlement service providers.

These companies must also be considered significantly engaged in the financial service or product that defines them as a "financial institution".

Insurance is regulated first by the state, provided the state law at minimum complies with the GLBA. State law can require greater compliance, but not less than what is otherwise required by the GLBA.


Consumer vs. Customer Defined
The Gramm-Leach-Bliley Act defines a 'consumer' as

"an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." (See 15 U.S.C. § 6809(9).)

A 'customer' is a consumer that has developed a relationship with privacy rights protected under the GLBA. A 'customer' is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a 'customer' might have, i.e. a mortgage loan, tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the GLBA. A business, however, may be liable for compliance with the GLBA depending upon the type of business and the activities utilizing individuals' personal nonpublic information.


Consumer/Client Privacy Rights
Under the GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.

The privacy notice must also inform the consumer of the opportunity to 'opt-out'. Opting out means that the client can say "no" to allowing their information to be shared with affiliated parties. The Fair Credit Reporting Act is responsible for the 'opt-out' opportunity, but the privacy notice must inform the consumer of this right under the GLBA. The client cannot opt-out of:

• information shared with those providing priority service to the financial institution
• marketing of products or services for the financial institution
• when the information is deemed legally required.


GLBA Enforced
Violation of the GLBA may result in a civil action brought by the United States Attorney General. The penalties, as amended under the Financial Institution Privacy Protection Act of 2003 (108th Congress, 1st Session, S. 1458: "To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes", introduced in the Senate of the United States on July 25 (legislative day, July 21), 2003), include:

• "the financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation"
• "the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation".


Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Gramm-Leach-Bliley Act (GLBA)".

Basel II, also called The New Accord (correct full name is the International Convergence of Capital Measurement and Capital Standards - A Revised Framework) is the second Basel Accord and represents recommendations by bank supervisors and central bankers from the 13 countries making up the Basel Committee on Banking Supervision (BCBS) to revise the international standards for measuring the adequacy of a bank's capital. It was created to promote greater consistency in the way banks and banking regulators approach risk management across national borders. The Bank for International Settlements (often confused with the BCBS) supplies the secretariat for the BCBS and is not itself the BCBS.


History
An earlier accord, Basel I, adopted in 1988, is now widely viewed as outmoded as it is risk insensitive and can easily be circumvented by regulatory arbitrage.

The Basel II deliberations began in January 2001, driven largely by concern about the arbitrage issues that develop when regulatory capital requirements diverge from accurate economic capital calculations.

The first draft (called Consultative Paper 1) was published in June 1999. Further consultative papers followed, together with a large quantity of other releases, papers, and Quantitative Impact Studies Nos. 2, 3 and 4. A final version was issued in June 2004, with a minor revision released in November 2005. In June 2006 a Comprehensive version was published including all Basel regulations up to that date. Implementation of the Accord is expected by 2008 in many of the over 100 countries currently using the Basel I accord.

The final version aims at:

• Ensuring that capital allocation is more risk sensitive;
• Separating operational risk from credit risk, and quantifying both;
• Attempting to align economic and regulatory capital more closely to reduce the scope for regulatory arbitrage.

While the final accord has largely addressed the regulatory arbitrage issue, there are still areas where regulatory capital requirements will diverge from the economic.

Basel II has largely left unchanged the question of how to actually define bank capital, which diverges from accounting equity in important respects. The Basel I definition, as modified up to the present, remains in place.

The Accord In Operation
Basel II uses a "three pillars" concept - (1) minimum capital requirements; (2) supervisory review; and (3) market discipline - to promote greater stability in the financial system.

The Basel I accord only dealt with parts of each of these pillars. For example, the key pillar one risk, credit risk, was dealt with in a simple manner, and market risk was an afterthought. Operational risk was not dealt with at all.


The First Pillar
The first pillar provides improved risk sensitivity in the way that capital requirements are calculated for three major components of risk that a bank faces: credit risk, operational risk and market risk. In turn, each of these components can be calculated in two or three ways of varying sophistication. Other risks are not considered fully quantifiable at this stage.

Technical terms in the more sophisticated measures of market risk include VaR (Value at Risk), EL (Loss function) whose components are PD (Probability of Default), LGD (Loss Given Default), and EAD (Exposure At Default). Calculation of these components requires advanced data collection and sophisticated risk management techniques.



The Second Pillar
The second pillar deals with the regulatory response to the first pillar, giving regulators much improved 'tools' over those available to them under Basel I. It also provides a framework for dealing with all the other risks a bank may face, such as name risk, liquidity risk and legal risk, which the accord combines under the title of residual risk.


The Third Pillar
The third pillar greatly increases the disclosures that the bank must make. This is designed to allow the market to have a better picture of the overall risk position of the bank and to allow the counterparties of the bank to price and deal appropriately.


September 2005 update
On September 30, 2005, the four US Federal banking agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision) announced their revised plans for the U.S. implementation of the Basel II accord. This delays implementation of the accord for US banks by 12 months.


November 2005 update
On November 15, 2005, the committee released a revised version of the Accord, incorporating changes to the calculations for market risk and the treatment of double default effects. These changes had been flagged well in advance, as part of a paper released in July 2005.

July 2006 update
On July 4, 2006, the committee released a comprehensive version of the Accord, incorporating the June 2004 Basel II Framework, the elements of the 1988 Accord that were not revised during the Basel II process, the 1996 Amendment to the Capital Accord to Incorporate Market Risks, and the November 2005 paper on Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework. No new elements have been introduced in this compilation. This version is now the current version.


Basel II and the Regulators
One of the most difficult aspects of implementing an international agreement is the need to accommodate differing cultures, varying structural models, and the complexities of public policy and existing regulation. Banks' senior management will determine corporate strategy, as well as the country in which to base a particular type of business, based in part on how Basel II is ultimately interpreted by various countries' legislatures and regulators.

To assist banks operating with multiple reporting requirements for different regulators according to geographic location, there are several software applications available. These include capital calculation engines and extend to automated reporting solutions which include the reports required under COREP/FINREP.

Implementation Progress
Regulators in most jurisdictions around the world plan to implement the new Accord, but with widely varying timelines and with use of the varying methodologies being restricted. The United States of America's various regulators are yet (October 2006) to agree on a final approach; see Basel IA for a discussion. In response to a questionnaire released by the Financial Stability Institute (FSI)[4], 95 national regulators indicated they were to implement Basel II, in some form or another, by 2015.


The future
Work is apparently already underway on Basel III, at least in a preliminary sense. The goals of this project are to refine the definition of bank capital, quantify further classes of risk and to further improve the sensitivity of the risk measures.

Above article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Basel II".