Regulatory financial reform: impact of the Dodd-Frank Act on IT compliance.

Author: Yu, Andrew

    Information Technology ("IT") is an essential component of financial business transactions and ranges from hardware, such as computers and databases, to applications, such as trading and reporting systems. (1) Data maintained in these systems is critical to bank operations, including the regulatory and financial reporting that feeds the financial statements. (2) System failures and disruptions may lead to financial misstatements, so that shareholders and investors receive inaccurate information, which can in turn lead to securities violations and lawsuits. (3)

    As a result of the 2008 financial crisis, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (4) ("Dodd-Frank Act") in July 2010 to reform financial regulation. The Dodd-Frank Act is complex and requires more transparency, communication, and disclosure by banks. (5) For example, the Federal Reserve is now responsible for overseeing and gathering data from financial firms in order to stabilize the market when necessary. (6) This reform cannot succeed, however, without IT compliance standards that ensure the underlying information and data are complete and reliable. (7) Although many banks currently have IT controls in place, these controls must be enhanced in order to mitigate substantial risks. Weak system controls can result in fines, lawsuits, disruption in the market, or even the collapse of a company. Hence, as financial data requirements grow and information accuracy becomes more important, a strong IT control environment and strict IT policies are essential to mitigating financial and legal risks.


    1. Financial Regulations--Historical Context

      The financial industry is governed by many regulatory agencies, including the Federal Reserve System (8) ("Fed"), the U.S. Securities and Exchange Commission (9) ("SEC"), the Financial Industry Regulatory Authority (10) ("FINRA"), and the U.S. Commodity Futures Trading Commission (11) ("CFTC"). Financial companies are required to comply strictly with financial regulations, which were first introduced in the Securities Act of 1933 (12) ("1933 Act"). The 1933 Act was primarily concerned with public offerings of securities; it was enacted to prevent fraud and to bring the financial industry under federal regulation in response to the 1929 stock market crash and the Great Depression that followed. (13) One year later, the government enacted the Securities Exchange Act of 1934 (14) ("1934 Act"), which primarily governs the secondary trading market and established the SEC. (15) The Banking Act of 1933 (16) ("Glass-Steagall Act") was enacted to address banking control issues and established the Federal Deposit Insurance Corporation ("FDIC"). (17) In 1999, however, Congress passed the Financial Services Modernization Act (18) ("Gramm-Leach-Bliley Act"), repealing part of the Glass-Steagall Act. (19) Another major piece of federal legislation was the Sarbanes-Oxley Act of 2002 (20) ("SOX"), passed in response to the fraudulent activities of major corporations such as Enron (21) and WorldCom. (22) SOX Section 404 addresses internal control reporting for both financial and non-financial companies. (23) As part of this internal control assessment, public firms were required to identify financial and IT risks and deficiencies that could materially affect their financial statements, and to mitigate those risks with adequate controls. (24) Many companies spent substantial resources to comply with SOX, especially Section 404. (25) These companies hired accounting firms, such as PricewaterhouseCoopers (26) and Ernst & Young, (27) to assist in complying with SOX Section 404. (28)

      Enron, a large publicly held energy company, collapsed for many reasons, but one of the biggest was a lack of government oversight and of auditing for fraud. (29) The collapse resulted in the criminal indictment of Enron executives and the loss of life savings for over 4,000 employees. (30) Arthur Andersen, one of the "Big 5" accounting firms at the time, audited Enron. (31) Although accounting firms audited companies' books and records, there was little government oversight of the process as a whole. This lack of oversight not only contributed to the fall of a major corporation, but also created an awareness of the importance of government regulation.

      As a result of the Enron crisis, the Federal Government enacted SOX in 2002, which revamped financial regulations and corporate governance. (32) Companies were required to overhaul their financial and IT practices to comply with SOX standards, primarily SOX Section 404, "Management Assessment of Internal Controls." (33) This affected not only financial controls but also IT controls, such as physical and logical access, change management, problem management, and application processing integrity. (34) Although these regulatory changes took much time and money to implement, they resulted in more transparency and public confidence, setting the stage for broader government oversight of publicly held companies.

      Additionally, the Federal Financial Institutions Examination Council ("FFIEC") is a government body "empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions." (35)

      Banks may also refer to Control Objectives for Information and Related Technologies (36) ("COBIT"), an IT governance framework that defines best-practice control objectives against which an IT policy can be measured. (37) Likewise, the National Institute of Standards and Technology (38) ("NIST") is responsible for developing standards and guidelines for implementing controls in information systems under the Federal Information Security Management Act (39) ("FISMA"). (40) Similar measures were adopted in other countries. For example, the United Kingdom's Financial Services Authority (41) ("FSA") was created in 1997 to oversee the British financial market. (42)

    2. Financial Regulations--Today

      Although companies already had IT controls, SOX was critical in establishing the framework that enforced stricter IT controls; it did not, however, solve every problem. Even after becoming SOX compliant, companies still faced application access and data retention issues. A survey conducted by the Computer Security Institute (43) ("CSI") and the Federal Bureau of Investigation (44) ("FBI") found that 90 percent of organizations "detected computer security breaches within the past 12 months," that "80 percent acknowledged financial losses due to computer security breaches," and that "44 percent quantified their financial losses for a total of $455,848,000 in losses among 223 respondents." (45)

      Like the 1933 Act and SOX, the Dodd-Frank Act calls for more government oversight of companies and has changed the financial industry landscape even further. (46) The sub-prime mortgage crisis led to the government bailout of AIG, (47) the government conservatorships of Fannie Mae (48) and Freddie Mac, (49) and the collapse of Lehman Brothers, (50) one of the largest firms on Wall Street at the time. These events resulted in President Obama signing the Dodd-Frank Act. (51)

      The Dodd-Frank Act mandates specific information technology requirements (52) and calls for greater transparency and disclosure, (53) resulting in further development and use of technology to collect and distribute information. (54) Hence, the Dodd-Frank Act will inevitably impact how financial institutions manage IT compliance.

      As a result, companies are approaching the situation differently. Some companies increased IT budgets in anticipation of the Dodd-Frank Act, (55) while others did not hire more IT staff. (56) After the 2008 financial crisis, companies did not spend as much on IT. (57) Under Title I of the Dodd-Frank Act, however, "firms are required to get their data in order and submit it to the SEC and Treasury department to show that they are not in danger of collapse or pose a risk to their counterparts and the overall financial system." (58) Simply increasing budgets to hire IT staff and purchase hardware will not achieve compliance with the Dodd-Frank Act. All companies must enforce a stronger IT control environment to ensure that complete and accurate data is reported and disclosed to the public as well as to regulatory agencies. Financial institutions are already required to maintain an adequate control environment under existing regulatory requirements, but current IT control environments will not be enough to comply with the Dodd-Frank Act.


    IT controls are about more than just the systems and encompass various areas such as data security, application security, problem management, change management, system operations, and application integrity. (59) Understanding IT controls, maintaining effective IT policies, and educating employees are key to mitigating risks and accomplishing the goal of complying with the Dodd-Frank Act.

    1. Data Security

      Data security is essential to keeping sensitive information confidential. (60) A company's firewalls and passwords must be secure so that attackers cannot obtain data, and sensitive data should be encrypted. A company's infrastructure is vital to maintaining the confidentiality and privacy of its customers and employees. (61) Threats may come not only from external hackers but also from within, from the company's own employees. (62) For example, an employee at Kodak tried to sell secret information to a competitor. (63) Although Kodak tried to mitigate this risk by segregating access to this data, this specific employee had full...
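The "segregating access" control that the Kodak example turns on is, in practice, a need-to-know check layered on top of a clearance check, with every attempt written to an audit trail so that an insider who probes data outside his own compartment is visible. The following is an added example written for this page, not code from the article or from Kodak; the compartment and clearance model, the users, records and access attempts, and the denial-count heuristic are all constructed assumptions chosen to illustrate the control, not a description of any real system.

```python
"""Need-to-know access control with an audit trail (added illustration).

Two independent conditions must both hold for a read to succeed:
  1. the user's clearance dominates the record's sensitivity (no read up), and
  2. the record's compartment is one the user has a need-to-know for.
Every attempt, allowed or denied, is logged, and a simple heuristic flags
users who accumulate denials, which is what an insider probing data outside
his own compartment looks like in the log.  All data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    record_id: str
    compartment: str   # assumed compartments: "trading", "research", "hr"
    sensitivity: int   # 0 public, 1 internal, 2 confidential, 3 restricted


@dataclass(frozen=True)
class User:
    name: str
    clearance: int              # highest sensitivity the user may read
    compartments: frozenset     # need-to-know memberships


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user, record_id, allowed, reason):
        self.entries.append(
            {"user": user, "record": record_id, "allowed": allowed, "reason": reason}
        )


def authorize(user, rec):
    """Return (allowed, reason).  Clearance is checked first, then compartment;
    membership in extra compartments never lowers the clearance bar."""
    if rec.sensitivity > user.clearance:
        return False, "insufficient clearance"
    if rec.compartment not in user.compartments:
        return False, "no need-to-know for compartment"
    return True, "ok"


class DataStore:
    """Reads go through authorize() and are always logged, even when denied."""

    def __init__(self, records, log):
        self._records = {r.record_id: r for r in records}
        self.log = log

    def read(self, user, record_id):
        rec = self._records[record_id]
        allowed, reason = authorize(user, rec)
        self.log.record(user.name, record_id, allowed, reason)
        if not allowed:
            raise PermissionError(f"{user.name} -> {record_id}: {reason}")
        return rec


def suspicious_users(log, max_denials):
    """Heuristic: users with more than max_denials denied reads in the log.
    Returns {user: denial_count} for the users exceeding the threshold."""
    denials = Counter(e["user"] for e in log.entries if not e["allowed"])
    return {u: n for u, n in denials.items() if n > max_denials}


# Constructed sample data: three compartments, three users with different
# clearances and memberships.  "mallory" holds a high clearance but only an
# HR need-to-know, and tries to read trading and research records anyway.
RECORDS = [
    Record("T-1", "trading", 3),
    Record("T-2", "trading", 2),
    Record("R-1", "research", 2),
    Record("H-1", "hr", 3),
    Record("H-2", "hr", 1),
]
ALICE = User("alice", 3, frozenset({"trading"}))
BOB = User("bob", 2, frozenset({"trading", "research"}))
MALLORY = User("mallory", 3, frozenset({"hr"}))


def run_demo(max_denials=2):
    """Replay constructed access attempts; return (log, flagged users)."""
    log = AccessLog()
    store = DataStore(RECORDS, log)
    attempts = [
        (ALICE, "T-1"), (ALICE, "T-2"), (ALICE, "R-1"),       # R-1: wrong compartment
        (BOB, "T-2"), (BOB, "T-1"),                           # T-1: clearance too low
        (MALLORY, "H-1"), (MALLORY, "H-2"),                   # legitimate HR reads
        (MALLORY, "T-1"), (MALLORY, "T-2"), (MALLORY, "R-1"), # three denials
    ]
    for user, record_id in attempts:
        try:
            store.read(user, record_id)
        except PermissionError:
            pass  # denial is already in the log; the demo keeps going
    return log, suspicious_users(log, max_denials)


if __name__ == "__main__":
    log, flagged = run_demo()
    for e in log.entries:
        print(f"{e['user']:8} {e['record']:4} {'ALLOW' if e['allowed'] else 'DENY ':5} {e['reason']}")
    print("flagged:", flagged)
```

The point a practitioner should take from the demo is that the two checks are separate: a high clearance alone (mallory) does not open another compartment, and compartment membership alone (bob) does not raise the sensitivity ceiling. The denial threshold is deliberately simple; a real control would also alert on unusual volumes of successful reads, since an insider with legitimate access, as in the Kodak case, generates no denials at all.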
