
info@csinitiative.com
Phone: 503.295.7970
Fax: 503.295.7789
Collaborative Software Initiative:
1 SW Columbia Street, #640
Portland, OR 97258
Projects
CSI's Newest Project: Automating the BITS Shared Assessment Program for the Financial Services Industry
The combination of the Gramm-Leach-Bliley and the Sarbanes-Oxley legislation has made the protection of customer information, and the assurance of the mechanisms used to secure that information, a critical regulatory requirement. As Financial Services Institutions (FSIs) outsource business processes and technical infrastructure, the law makes it clear that "financial institutions can outsource functions but cannot outsource risk." As a result, an increasingly scrutinized piece of this compliance requirement is that firms assess and report not only on their own practices, policies, and procedures, but also on those of all of their vendors who have potential access to sensitive information or operate any portion of their IT infrastructure.
For each money center bank or bulge-bracket brokerage, this means hundreds of its providers must be assessed. In addition to being an expensive and time-consuming proposition for each FSI, vendors are being required to undergo separate assessment processes for each of the multiple firms they serve. Expense, inefficiencies, and the need for a common definition of compliance led twenty major firms to band together through BITS, the IT arm of the Financial Services Roundtable, to create the Shared Assessment Program (SAP). The initial, self-administered reporting instrument in the SAP is the Supplemental Information Gathering questionnaire or SIG.
The SIG was initially distributed as a spreadsheet document containing thousands of questions. Its adoption has been delayed on two fronts: vendors need many people to create, edit and approve the documents, and FSIs bear the cost of correcting and transcribing them into operational risk systems once received. Widely available tools for the structured creation and management of SIG documents, and an independent means of verifying their completeness and transmitting them system-to-system, have been identified as critical to the success of this initiative. The missing link needed for wide-scale adoption is the creation of an XML definition of the SIG and the development of community software to create, correct, approve, transmit, receive, inspect, and import those documents. CSI is creating that community project for the financial services industry in collaboration with a few key customer core team members.
For more information, check out the project announcement.