Regulators Target Risk Management Negligence in Small to Mid-Sized Firms
Steven Minsky | April 13, 2016
Last month, the Consumer Financial Protection Bureau (CFPB) investigated Dwolla, an e-commerce and online-payment company. It found Dwolla guilty of risk management negligence regarding data security practices.
The investigation has some significant implications. Before we take a deeper look, here are a few key takeaways:
- Dwolla paid a civil penalty of $100,000, despite the fact that it did not suffer a data breach. This indicates “a broader trend among regulators to change the focus of enforcement from post-scandal investigation to prevention and risk management effectiveness disclosure adequacy.” The company’s damaged reputation will likely result in lost customers, which could have an even greater impact than the penalty did.
- This is the CFPB’s first application of something similar to the SEC disclosure standards. It foreshadows additional enforcement activity for integrated risk management negligence, according to Data Protection Report.
- The lack of a data breach makes it clear that even small private companies like Dwolla are on the bureau’s radar. Any company (large, medium, or small) is at risk of similar action.
- This enforcement action indicates risk managers are being held increasingly accountable for a) risk assessments of their organization’s control adequacy and b) their companies’ risk disclosures all the way down to the front lines.
The Facts of the Dwolla Case
Dwolla claimed to use “safe” and “secure” transactions to protect consumer data from unauthorized access. On its website, Dwolla claimed its data security practices exceeded industry standards. It also indicated that all sensitive personal information was encrypted and mobile applications were safe and secure.
However, the company didn’t live up to its marketing; its ERM efforts did not match industry standards, and its data security practices fell short. Deception about risk management capabilities is illegal, and regulators across the board are enforcing related standards.
Dwolla’s risk management negligence was discovered because it failed to:
- Actually implement the data security policies it claimed were fully in place.
- Conduct risk assessments, evaluate control adequacy, and monitor risk effectiveness. These steps should have occurred across the organization out to the front lines.
- Implement an ERM system to support its risk management claims.
How Significant Is This Development?
Again, Dwolla wasn’t attacked and didn’t suffer a data breach. It suffered for misrepresenting the strength of its risk management program, systems, and capabilities. This means regulations requiring organizations to disclose the effectiveness of their risk management programs (initiated by the SEC in 2010) have spread to other regulatory agencies. It’s similar to Sarbanes-Oxley spreading from the SEC to all federal and state regulators.
Above all, the Dwolla case should serve as a warning to smaller and/or private organizations. It’s time to take either of two roads:
- Up the ante on risk programs and practices, or
- Chance a publicized callout for risk management negligence and suffer the associated regulatory enforcement action.
The CFPB has very broad supervision – it oversees banks, credit unions, and many other financial institutions – meaning a huge number of organizations could find themselves in Dwolla’s shoes.
Additionally, company size is no longer a good predictor of who might be looked at next. In essence, the “not me” excuse is no longer valid. Compounding this is the fact that it doesn’t take a data breach or other security failure for there to be serious trouble.
As a result of all the above, this development is very significant. Claiming best practices without meeting those standards is considered misrepresentation and negligence.
Risk management isn’t about the “what if.” It’s about how effective your program and systems are. To assess the effectiveness of your ERM program, take this free RIMS Risk Maturity Model exercise. Any score less than “repeatable” is considered risk management negligence by the SEC, CFPB, and many other regulators. Evaluate your capabilities before auditors and regulators use the assessment to do the same.