Last month the UK Government backed many of the core proposals in the UK Parliamentary Banking Commission’s final report. These included proposals to make senior bankers individually responsible for the performance of their institutions and business areas,
and to make them liable to prison sentences for reckless banking.
Under the new rules senior bankers will be legally accountable if their bank breaches industry regulations or fails to prevent reckless actions by its employees.
Moreover, to avoid legal action, financial organisations will have to demonstrate that they took all reasonable steps to prevent insider threats and other forms of professional misconduct.
These changes will place a stronger focus on controlling the risks associated with professional malpractice and misconduct, and will force banks to build accountability into how those issues are dealt with. And given that access violations are a
root cause of many banking scandals, strengthening access control will be a key area of concern for financial organisations.
The rogue trading scandals at UBS and Société Générale are two recent examples of how poor control of access risk can cost financial organisations billions in losses, not to mention the reputational damage and ruined stakeholder relationships.
But deliberate misuse of access privileges is only one side of the coin.
Quite often professional malpractice results from a lack of understanding of internal compliance standards, or from the inadvertent misuse of sensitive information. Moreover, large financial organisations comprise multiple divisions spread across different geographies,
with thousands of employees joining, leaving or moving within the organisation. This significantly complicates the management of access risk, making it almost impossible to get a clear view of where the greatest vulnerabilities lie and how user privileges
To address these issues, financial organisations need to rethink how they control and police access risk. What is required is a more intelligent and robust approach: one that gives a near real-time view of access risk and allows banks to act on access risk issues
as soon as they arise. Such an approach lets financial organisations track changes in user privileges as they happen and automatically detect abnormal user behaviour before data is misused. Another significant benefit
is the ability to enforce compliance and security standards automatically across the organisation. By analysing access risk in near real time, financial organisations can weigh multiple risk factors at once and identify not only existing but also potential
areas of concern. This significantly limits the scope for insider threats and professional malpractice, while enabling financial institutions to link business risk to access risk more directly.
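As an added example, not code from the original article, the following sketch shows what "acting on access risk as soon as it arises" looks like in practice: an event-driven monitor that consumes entitlement grants and revokes together with joiner/mover/leaver events from HR, and raises an alert the moment a change creates a toxic combination of duties (the front-office execution plus back-office confirmation pattern behind the rogue-trading cases), leaves a mover holding entitlements from a previous business unit, or leaves a terminated employee with live access. The segregation-of-duties rules, event fields, user names and the sample event stream are all hypothetical and constructed for this illustration.

```python
"""Near-real-time access-risk monitor over a stream of entitlement events.

Added example; not the article's or any vendor's code. The rule names, event
schema and sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical segregation-of-duties (SoD) rules: combinations of entitlements
# that no single person should hold at the same time.
TOXIC_COMBINATIONS = (
    frozenset({"trade_execution", "trade_confirmation"}),   # rogue-trading pattern
    frozenset({"payment_initiation", "payment_approval"}),  # payments-fraud pattern
)


@dataclass
class Alert:
    ts: str
    user: str
    kind: str
    detail: str


@dataclass
class AccessRiskMonitor:
    # user -> {entitlement -> business unit the entitlement was granted for}
    held: Dict[str, Dict[str, str]] = field(default_factory=dict)
    leavers: Set[str] = field(default_factory=set)
    alerts: List[Alert] = field(default_factory=list)

    def _alert(self, ev: dict, kind: str, detail: str) -> None:
        self.alerts.append(Alert(ev["ts"], ev["user"], kind, detail))

    def process(self, ev: dict) -> None:
        """Apply one event to the access model and alert on any risk it creates."""
        user, kind = ev["user"], ev["type"]
        if kind == "grant":
            if user in self.leavers:
                self._alert(ev, "grant_to_leaver",
                            f"{ev['entitlement']} granted after termination")
            ents = self.held.setdefault(user, {})
            ents[ev["entitlement"]] = ev["unit"]
            # Check SoD on every grant, so the violation is caught when it is
            # created rather than at the next periodic access review.
            for combo in TOXIC_COMBINATIONS:
                if combo.issubset(ents):
                    self._alert(ev, "sod_violation",
                                f"holds {sorted(combo)} simultaneously")
        elif kind == "revoke":
            self.held.get(user, {}).pop(ev["entitlement"], None)
        elif kind == "mover":
            # Anything granted for a unit other than the new one is legacy access.
            legacy = sorted(e for e, u in self.held.get(user, {}).items()
                            if u != ev["unit"])
            if legacy:
                self._alert(ev, "mover_legacy_access",
                            f"moved to {ev['unit']} but still holds {legacy}")
        elif kind == "leaver":
            self.leavers.add(user)
            remaining = sorted(self.held.get(user, {}))
            if remaining:
                self._alert(ev, "leaver_retains_access",
                            f"terminated but still holds {remaining}")
        else:
            raise ValueError(f"unknown event type {kind!r}")


def run(events: List[dict]) -> List[Alert]:
    """Feed an ordered event stream through a fresh monitor and return its alerts."""
    monitor = AccessRiskMonitor()
    for ev in events:
        monitor.process(ev)
    return monitor.alerts


# Constructed sample stream (hypothetical users, units and timestamps).
SAMPLE_EVENTS = [
    {"ts": "2013-07-01T09:00Z", "type": "grant", "user": "jdoe",
     "entitlement": "trade_execution", "unit": "delta_one"},
    {"ts": "2013-07-01T09:05Z", "type": "grant", "user": "jdoe",
     "entitlement": "trade_confirmation", "unit": "back_office"},   # SoD breach
    {"ts": "2013-07-02T10:00Z", "type": "mover", "user": "jdoe",
     "unit": "risk_control"},                                        # legacy access
    {"ts": "2013-07-02T11:00Z", "type": "revoke", "user": "jdoe",
     "entitlement": "trade_confirmation"},                            # no alert
    {"ts": "2013-07-03T09:00Z", "type": "grant", "user": "asmith",
     "entitlement": "payment_initiation", "unit": "treasury"},
    {"ts": "2013-07-03T17:00Z", "type": "leaver", "user": "asmith"}, # access retained
    {"ts": "2013-07-04T08:00Z", "type": "grant", "user": "asmith",
     "entitlement": "payment_approval", "unit": "treasury"},         # grant to leaver + SoD
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.ts} {a.user:<7} {a.kind:<22} {a.detail}")
```

Real deployments would source the events from the identity provisioning system and the HR feed, keep the SoD matrix in configuration, and route alerts to the control function that owns the entitlement; the point of the sketch is that each check runs at the moment of change, which is what distinguishes this from the periodic recertification most banks rely on.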
It remains to be seen how the Government will legislate on these proposals, and whether senior executives such as CIOs and Chief Compliance Officers will fall within the scope of the new sanctions for reckless banking.
Regardless of what happens next, the prospect that failing to take mistakes and malpractice seriously could expose C-level executives to jail time is going to concentrate minds on reinforcing sound banking processes and systems,
including identity and access management.