In February 2016, a UK stockbroker was fined £1.2m by the FCA for its weak and ineffective Chinese wall, which was supposedly separating the public and private sides of its business. The regulator also banned the company’s corporate broking division from taking on clients for 72 days. A simple error has proven to be an expensive mistake.
Financial regulation mandates that institutions put up Chinese walls to safeguard against insider trading, but in the fast-paced, high-turnover environment of banking and finance it can be genuinely challenging for organisations to ensure that the walls constantly stand up to scrutiny.
The disconnect often lies between the boardroom and the facilities or security office. It’s straightforward for a group of directors to request the erection of a physical wall that separates teams or individuals engaged in conflicting activities, but the day-to-day challenges of maintaining these barriers are tougher.
With staff turnover so high and employees switching between teams so frequently, there is typically a time lag between someone’s job role changing and the updating of their access credentials. This can lead to breaches in information barriers as well as serious compliance issues.
For fast-growing financial institutions, a related issue is ensuring that Chinese walls can be quickly dismantled and reconstructed to accommodate teams that grow in size or are relocated into different parts of the premises. Too often, there are periods of ‘downtime’ where walls are compromised by changes to a building’s layout.
The key to impregnable information barriers is investing in access control technology that is capable of enforcing the wall, as well as providing reports that prove the organisation’s compliance with Sarbanes-Oxley.
Access control technology can ‘seal’ an area off by ensuring only employees with a certain level of clearance can move from one part of a building to another. Typically used for the purposes of security – keeping intruders out, stopping contractors accessing sensitive areas – it is an important tool in ensuring that companies are compliant and don’t fall foul of the FCA.
In addition, security can be strengthened further by linking the access control system to IT access rights for sensitive parts of the IT infrastructure, meaning that personnel can only log on to the IT system if they have first badged in to a particular room or area. Gaining these access rights can require not only the access pass itself but also passwords and biometric data, to maximise security.
One of the most important features of any access control solution is its ability to link with HR systems and update an individual’s credentials instantly. These systems can guarantee that the minute an employee moves into a conflicting team or leaves the organisation completely, their access rights will be revoked.
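As an added illustration of the HR link described above (not code from the article or from any vendor's product), the following Python example reconciles an HR feed against an access-control export and reports badges whose rights have outlived a role change or departure. The group names follow the corporate-advisory and brokering split mentioned in this article; the record layout, employee ids, finding labels and all sample data are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed mapping: which access group sits on which side of the wall.
WALL_SIDE = {"corporate-advisory": "private", "brokering": "public"}

# Constructed HR feed: current team, employment status, time of last change.
HR = {
    "e100": {"team": "brokering", "active": True, "changed": "2016-02-01T09:00:00+00:00"},
    "e101": {"team": "corporate-advisory", "active": True, "changed": "2015-11-12T09:00:00+00:00"},
    "e102": {"team": "brokering", "active": False, "changed": "2016-02-03T17:00:00+00:00"},
}

# Constructed access-control export: groups each badge currently holds.
ACCESS = {
    "e100": {"brokering", "corporate-advisory"},  # moved teams, old group kept
    "e101": {"corporate-advisory"},               # consistent with HR
    "e102": {"brokering"},                        # left, badge still live
    "e999": {"brokering"},                        # badge with no HR record
}


def audit(hr, access, now):
    """Return sorted (employee, finding, hours_since_hr_change) tuples."""
    findings = []
    for emp, groups in access.items():
        rec = hr.get(emp)
        if rec is None:
            findings.append((emp, "no-hr-record", None))
            continue
        # How long the access system has lagged behind the HR change.
        changed = datetime.fromisoformat(rec["changed"])
        lag = round((now - changed).total_seconds() / 3600)
        if not rec["active"]:
            if groups:
                findings.append((emp, "leaver-still-has-access", lag))
            continue
        sides = {WALL_SIDE[g] for g in groups if g in WALL_SIDE}
        if len(sides) > 1:
            findings.append((emp, "both-sides-of-wall", lag))
        elif groups - {rec["team"]}:
            findings.append((emp, "group-does-not-match-team", lag))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for row in audit(HR, ACCESS, datetime(2016, 2, 4, 9, 0, tzinfo=timezone.utc)):
        print(row)
```

The hours figure is the gap between the HR change and the audit run, which is the time lag the wall was open for that badge.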
Another advantage of access control solutions is the ability to reprogram them in a matter of minutes if a team gets moved to a different floor or grows and annexes extra parts of the office.
One of the major reasons investment bank Nomura invested in a state-of-the-art security system supplied by Honeywell and installed by CornerStone CRG was to ensure it could separate and isolate individuals making investment decisions from those privy to undisclosed information which may influence those decisions.
Nomura’s system integrates with the company’s intranet, which means it is simple for line managers to request changes to access rights for those in their department. Access rights are managed so that separate groups are created for employees in the corporate-advisory area and the brokering department to help further solidify the Chinese walls.
Andy Williams, Head of Security, EMEA for Nomura commented at the time: “Integrating [the system] with our own PeopleSoft® human resource system and intranet saves us significant administrative time by eliminating repetitive data entry associated with managing and aligning cardholder information and access rights.”
Robust reporting is also a critical part of guaranteeing compliance, and the best access control systems make reporting straightforward by ensuring that historical data can be accessed quickly and easily. This data can prove where an individual was at a certain time, identify if a breach occurred and ensure reports are detailed enough for regulatory investigation.
The large fines that can be incurred prove just how expensive a lapse in security can be for a financial institution. It’s a compelling case for investing in a high quality access control system capable of enforcing information barriers and protecting an organisation from a regulatory investigation.
By James Somerville-Smith, Honeywell.