
The case for reconsidering personally identifiable information policies

Sia Nam Chie, Governor, The Institute of Internal Auditors, Singapore | Jan. 2, 2015
Besides having comprehensive policies that cover PII in its physical and electronic forms, banks should also have in place the measures outlined here.

PII policies must extend beyond bank premises into outsourcing arrangements, and downstream to subsequent users of the PII, such as credit bureaus. Banks must perform proper due diligence and select reliable service providers with an excellent track record of protecting customer data to the same stringent standards that banks themselves apply. Where banks may fail is in not including audit rights in these agreements from the outset, so that internal auditors can provide regular oversight and monitoring of third-party services.

With more sensitive data being stored on mobile devices and laptops, data loss prevention has become critical. Banks may not have implemented software that can notify the IT department when PII appears to be entering or leaving the bank in an unauthorised manner, or that can remotely wipe sensitive information from mobile devices and laptops that are lost or stolen.
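The detection half of such a control is, at its core, content inspection of outbound data against PII patterns. The following is an added example written for this page, not software from the article or from any bank: it scans constructed sample messages for two PII types common in a Singapore bank, NRIC/FIN numbers (S/T/F/G prefixes; the 2022 M series is deliberately not covered) and payment card numbers, and validates each candidate with its checksum (the NRIC check letter and the Luhn digit) so that look-alike reference numbers do not trigger false alerts. The rule set, the masking format and the allow/alert decision are this example's own assumptions; a production DLP product would add many more classifiers, file parsing and a policy engine.

```python
import re

# --- Singapore NRIC/FIN check letter (assumed scope: S/T and F/G prefixes only) ---
_NRIC_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_NRIC_LETTERS = {
    "ST": "JZIHGFEDCBA",  # index = weighted sum mod 11
    "FG": "XWUTRQPNMLK",
}


def nric_valid(nric: str) -> bool:
    """Return True if the NRIC/FIN has the correct check letter."""
    nric = nric.upper()
    if not re.fullmatch(r"[STFG]\d{7}[A-Z]", nric):
        return False
    prefix, digits, check = nric[0], nric[1:8], nric[8]
    total = sum(w * int(d) for w, d in zip(_NRIC_WEIGHTS, digits))
    if prefix in "TG":          # T and G series add an offset of 4
        total += 4
    table = _NRIC_LETTERS["ST" if prefix in "ST" else "FG"]
    return table[total % 11] == check


# --- Luhn check for payment card numbers (13 to 19 digits) ---
def luhn_valid(number: str) -> bool:
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# --- Candidate patterns; the checksum functions above filter false positives ---
NRIC_RE = re.compile(r"\b[STFG]\d{7}[A-Z]\b", re.IGNORECASE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # digits with optional spaces/dashes


def mask(value: str) -> str:
    """Keep only the last four characters so the alert itself does not leak PII."""
    chars = "".join(c for c in value if c.isalnum())
    return "*" * (len(chars) - 4) + chars[-4:]


def scan_for_pii(text: str) -> list:
    """Return validated PII findings (type, masked value, offset) in text order."""
    findings = []
    for m in NRIC_RE.finditer(text):
        if nric_valid(m.group()):
            findings.append({"type": "nric", "masked": mask(m.group()), "offset": m.start()})
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):
            findings.append({"type": "card", "masked": mask(m.group()), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def egress_decision(text: str) -> str:
    """Assumed policy: any validated PII in an outbound message raises an alert."""
    return "alert" if scan_for_pii(text) else "allow"


if __name__ == "__main__":
    # Constructed sample messages, not real customer data.
    samples = [
        "Statement for S1234567D, card 4111 1111 1111 1111 attached",
        "Ref 1234567890123 batch T9999999A",   # look-alikes that fail both checksums
        "Meeting moved to 3pm",
    ]
    for msg in samples:
        print(egress_decision(msg), scan_for_pii(msg))
```

The second sample shows why the checksum step matters: a 13-digit reference number and an NRIC-shaped batch code both match the regexes but fail validation, so the message is allowed rather than generating an alert that staff would learn to ignore.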

Human error is another potential problem. Banks have to ensure that their employees are well trained in the proper handling of PII in accordance with their PII policies, and keep that training current against constantly refined scamming techniques. All employees should also be aware of common mistakes that could lead to information loss. Internal auditors can suggest additional checks and balances to prevent employees from becoming the bank's worst enemy.

While banks are obligated to protect PII, internal auditors have the independence to determine whether there are gaps in existing PII policies, and the authority to advise management on new procedures and tools to address emerging threats. It is crucial that the board of directors is kept abreast of such risks, emerging trends and advanced techniques for fighting data loss. The Chief Audit Executive (CAE) can help to educate the audit committee, who in turn can support the CAE should management choose to accept undue levels of risk. With scamming techniques and technology changing so quickly, it is always good to have another pair of eyes to help secure not just PII but the bank as a whole.
