Information classification role in regulated environment (case study)

March 28, 2020

Introduction

Proper implementation of a data classification policy changes the entire work practice of an organization in a regulated environment that must adhere to local regulators and international standards. Data classification is not an isolated task or practice that can work on its own island; it has to be incorporated throughout the entire work processes and practices, and across the borders of departmental empires.

It is important to identify the need for establishing a practice of information classification and to build that practice into the processes and procedures. When information classification is established properly from a well-written policy and clear guidelines, it becomes a basic component of all work areas; over time, it turns into a meaningful autopilot task.

For example, the KYC form in a bank, which others call the ‘Customer Registration Form’, is not a single form; it is an entire booklet that addresses several regulatory aspects and requests the customer to sign consent and acceptance, and to adhere to them. A notable part of the booklet is geared towards the US Treasury guidelines that are imposed on other countries' regulators.

Background

Going back to one of my consulting engagements with customers, I was a consultant for a new bank in Iraq; my role was to assist the bank in getting its ATM card systems to work, as well as fulfilling the requirements to acquire Visa and MasterCard principal licenses. At the same time, I was in charge of handling information security roles for the bank for a while. This bank was converted from an exchange company to a bank, and most of the roles, responsibilities, duties, policies, practices and top processes were inherited from the exchange company. The US Treasury is providing great support to the Central Bank of Iraq, in order to control and capture activities that do not align with the US political theme.

The regulator will normally request newly established banks to reorganize their internal system data to provide better information that can answer the daily queries about activities and transactions, and reply to directive circulations. One of the circulations to the newly converted bank was to ensure the bank is putting things in the right order. A few weeks earlier I was discussing with the Chairman and CEO the importance of putting newly written policies into practice in order to refine those policies and know what works in their bank environment and what does not work. (Side note: those policies were written by an independent company according to various ISO standards and brought to the bank as a ready-made package, which needs further refinement to make them work.) The Chairman picked up the words “Information Classification” from my previous discussion, and he noted similar meanings in the central bank circulation.

The assignment

I picked up the circulation of the central bank and read it, to find out that the central bank is looking for an entire process and work cycle improvement, rather than information classification only. I received the instructions to write procedures and distribute them to all departments to adhere to the central bank requirements; the instructions I received were different from the circulation’s intention. I should adhere to the instructions of the Chairman and fulfill the central bank requirements at the same time.

The majority of staff and managers in the bank are new to the banking environment, aside from a few persons who are mandated by central bank appointment to have a minimum number of years’ experience in the banking sector.

Throughout my preparation for the task, I met with all managers in the bank; I concluded that there is a real need to do information classification, besides the other work required by the central bank. The entire process cycle, starting from the customer's first entry point, needs to adhere to several governance, regulatory and compliance standards.


The journey

Information collection and survey

I started the work with a form to collect information about the work cycle. The form was composed of several sections to capture the current work environment; some of them are:

  • work requirements,
  • information sources,
  • risks involved in each process step,
  • information access authorization scheme,
  • risks of exposing information,
  • levels of authorization,
  • regulations that influence the work at such process step,
  • security imposed on each piece of information across the process,
  • the goal of collecting information,
  • the software systems that store that information,
  • the legal requirements to keep documents,
  • access control to information,
  • information custodians,
  • etc.

The form to collect information: this is part of the form; the original form is much longer and collects many more details, some of which will show up in the discussion later.

Form to Assess Process Information

  • Document Name: e.g. KYC
  • Information Source: customer, transactions, service provider, regulatory body, partners, owned companies, employees, others
  • Authorized people to deal with this document: (blank in the form)
  • Laws, Regulations, Directives related to the information: (blank in the form)
  • Risks or issues of exposing information: (blank in the form)
  • Information part of a working process: Is the information related to a work process for a specific department, or is it a cross-functional piece of information?
  • Procedure Specific to information: Are there any specific procedures to handle this information?
  • Goal and value of collecting information: (blank in the form)
  • Lifetime to information immediate reachability: number of months, number of years

Preparation lists to classify information

The following are the different lists for categorizing the collected information. At the end of the exercise, they show the number of gaps in risk management, risk profiling, compliance issues, governance requirements, regulations affecting process steps and more. The amount of identified details was large for a newly converted bank; the number of processes discovered during the assessment was more than the management had described during the early meetings before starting this exercise.

Information classification

Categorized into four standard categories:

  • Public information, which can be available to anyone inside and outside the bank
  • Internal use only, which is available to all employees in the bank
  • Restricted, which is available to those who are dealing with this type of details only
  • Confidential, which is available only to those authorized to reach them

Regulations and Authority Sources

  • Central Bank
  • Board of Directors
  • Management team
  • The Cabinet
  • Tax authority
  • United Nations
  • US Treasury and US Government

Information Sources

  • The customer
  • Transactions
  • Service provider
  • Regulation and Authority Sources
  • Partners
  • Owned companies

Service Providers

  • Central bank – RTGS
  • Card Processing Company
  • Communication companies
  • Commercial sector
  • Contracting companies

Purpose of information

  • Transactions 
  • Operational Step
  • KYC documents
  • Expenses
  • Operation step support
  • Employee related details
  • Work improvement
  • Regulatory requirements
  • Documenting changes

Legal Form of Information

  • Original authentic document
  • Copy of system print out
  • Original System print out
  • Original signed document

Electronic Controls

  • Core System
  • Special System (not the core system)
  • Not available electronically

Information Custodians

  • Bank Branch
  • Credit Control
  • Administration and Human Resources
  • Operations
  • Internal audit
  • Compliance and AML
  • Information Technology
  • Board of Directors

Access Authorization Process

  • General administration
  • Branch manager
  • CEO
  • Department manager
  • Operations management
  • Finance management
  • Credit control management
  • Board of directors
  • Compliance and AML management
  • Information Technology management

 

Information gathering process

In order to gather, analyze and then profile the processes of a bank, I needed to go through many departments and explain the form to many people. For some departments the team was not able to identify what kind of information to provide; in other departments employees were skeptical of exposing some process details. Some managers requested a clear order in writing from the CEO to engage with me and provide the requested details.

Visiting branches and meeting with branch managers was a bigger task; a few branch managers were not willing to accept the meeting request until they received instructions from administration management.

Filling in the form was the biggest challenge for most of the people engaged in this task. A few managers delegated the task to their subordinates. I had to request a clear authorization from the administration, with a circulation, to allow lower-level staff to talk with me during the information collection process. Many employees were scared to expose internal processing details.

The process followed was:

  • Written signed letter from administration to cooperate in providing required details
  • Form distribution with booklet explaining how to fill the form
  • Meeting with each department manager to explain the purpose
  • Explaining to each department what documents to prepare
  • Joining some departments together to understand the interrelated processes
  • Going back and forth to get more details on information shared between multiple departments
  • Revisiting departments again to explore gaps identified

 

Information Analysis Process

The collected information was analyzed and refined multiple times to ensure the gaps were captured effectively and accurately. Many people provided a good share of information addressing their concerns about the process steps, roles and responsibilities, authority levels, authorization path and authority grant.

The addressed gaps of missing information and details within each process step were discussed and agreed; many people denied that the gaps existed, while others easily accepted the addressed gaps and were willing to fix them.

A long time was spent drawing process charts for each process as it is, before presenting the ultimate recommended process to fix operational gaps. The process charts showed many overlaps and duplications of information gathering, whose removal can reduce the workload.

Responsibility for information collection is a big job to handle; every single person has a different opinion on responsibility. In order to stick to the goal of the assignment, which is finding legal and regulatory gaps, I had to hold many joint meetings to recommend the proper responsibility order and agree on boundaries.

The Chairman played a large role in understanding the gaps that need addressing. He was not willing at all to get a letter of penalty from the central bank. He also clearly understood the politics behind each identified gap, and addressed its fixing guidelines.

Some of the processes are presented as follows:

Opening Bank Account

 

Collected details

  • The KYC form is the starting task in the process; the customer fills in a KYC form for each new account opening
  • Information source is the customer, screening system and previous history
  • Authorized people/departments to deal with customer KYC and account details are: the customer, customer service, branch manager and assistant, compliance, AML, operations and internal audit
  • Related regulatory authorities are: central bank regulations and bank internal regulations
  • Legal form: documents are accepted only as the original form signed by the customer
  • Electronic controls are through bank core system and electronic archive system
  • The custodian of information is the branch
  • Authority to access information can be granted by branch manager and general administration of the bank

Some Addressed Gaps

  • Information available to more people than required
  • Missing archiving policy and practice
  • Electronic archiving was not mandatory 

The Process Outcome

The first and second results were exactly as expected before starting the information collection process: duplication of work, and unaddressed regulatory requirements.

The list of gaps addressed from the analysis:

  • Duplication of similar work between departments
  • Repeated copies of the same work archived by several departments
  • Lengthy, unnecessary process of customer registration
  • Missing elements in the booklet of KYC
  • Information is not handy to those who need it
  • No policy in place for file archiving
  • Missing important controls on SWIFT system
  • Undefined custodians for most of the processes
  • Missing numbering system across the bank
  • Authorization scheme to access information is missing
  • Too many general purpose email addresses
  • Missing asset management register
  • Missing customers entry register
  • Customers area is mixed with staff handling sensitive information

 

Other outcomes addressed by the study:

  • Unaddressed risks within the working processes
  • Roadmap to consolidate document archiving into an electronic archiving system
  • Recommendations for process improvement
  • Areas for automation
  • Education program to improve employees' skills

 

People’s reactions to the results

Risk Management Manager

The happiest person in the bank was the risk management manager. Although she was a competent person handling her role, she admitted that she had not done such an extensive exercise, one that drills deep into processes and addresses them through an overall macro and micro study. The addressed risks were reported in a joint report to the management and board.

Operations manager

The operations manager, who was also responsible for SWIFT system management, immediately engaged with the study results and booked a series of meetings to address missing controls. We worked together to enhance the controls and improve system management; the details cannot be given here because they are confidential.

Information technology manager

The IT manager, who helped me closely, was also happy to fix so many gaps and to use my case study as proof for his budget requirements. The IT manager was struggling to get approvals for many initiatives to improve the processes of the bank; he managed to get approval for many projects that were usually deferred by the management because their importance was not understood.

Conclusion

Deep analysis of operational and organizational processes will reveal plenty of working gaps to fix. Any work process grows organically over time and needs periodic review.

About the Author: Jawad Alalawi

Information Technology Professional specialized in Financial Payment Services, Risk Management, Information Security, and Compliance. Experienced in solutions development and implementation. Email contact (sjawada5 at gmail.com)

Technology Specialist & Consultant
