BOL Conferences
#12143 - 01/19/02 02:41 PM Reg (P?) - EDP Steering Committee Policy
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
Does anyone have a sample policy for the EDP Steering Committee that they could share? Or where to get guidance for one? Or something that would show the purpose, functions, and responsibilities?

Thanks for your help.


#12144 - 01/28/02 09:50 PM Re: Reg (P?) - EDP Steering Committee Policy
dorothyg Offline
New Poster
Joined: Jul 2001
Posts: 3
Oklahoma City OK USA
Look in the FFIEC Information Systems Handbook, 1996, Volume I, page 9-7. That will give you a starting place.

#12145 - 01/31/02 09:30 PM Re: Reg (P?) - EDP Steering Committee Policy
Paul Reymann Offline
New Poster
Joined: Jan 2002
Posts: 4
Washington DC USA
Maria,

Dorothy makes a great suggestion. But keep in mind that the FFIEC IS Handbook was last updated in 1996. It still presents a good framework to start with, but you should build on it.

For example, the most recent relevant FFIEC issuance on the GLBA Data Protection Provisions requires you to have a written information security program that is approved by the Board of Directors or an “appropriate committee.”

In many institutions, this responsibility may fall to the IS Steering Committee. If it does, the Committee now also must oversee the development, implementation, and maintenance of your information security program. They should also assign specific responsibility for implementing the program and reviewing reports from management.

Therefore, you may now need to expand the purpose, functions, and responsibilities of your IS Steering Committee to also address the GLBA Data Protection Provisions.

As one of the original authors of this new regulation, these opinions are from someone who actually thought about this type of issue during the drafting process.


#12146 - 01/31/02 10:05 PM Re: Reg (P?) - EDP Steering Committee Policy
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
Thank you so much. What you said about the Information Security Process is what I was looking for. I had thought it was one of their purposes, but I was not sure. Thanks again so much. You made my day!!!!

So how does it feel to be one of the guys that gave us soooooooo much more work?? Only kidding! You also have provided us with much more knowledge. And as I always say, Knowledge is something no one can ever take away from you.

P.S. It is such a privilege to have your guidance for us to use. Thanks again and please remember to share with us more. I know I speak for all of us when I say we appreciate input and direction.

Opinions are mine and not my employer's.

[This message has been edited by Maria (edited 01-31-2002).]


#12147 - 02/01/02 02:46 PM Re: Reg (P?) - EDP Steering Committee Policy
Paul Reymann Offline
New Poster
Joined: Jan 2002
Posts: 4
Washington DC USA
I’m glad you found the additional information helpful.

My good friend Jim Bedsole has been telling me that I should visit BankersOnline. Now that I have, I plan to hang around. Not only to share insights and engage folks to consider new approaches, but to also gain from the valuable exchange of ideas that I have seen here. Now that I am an ex-regulator, I can do this kind of stuff.

------------------


#12148 - 02/04/02 10:48 PM Re: Reg (P?) - EDP Steering Committee Policy
BankerMama Offline
Diamond Poster
BankerMama
Joined: Jun 2001
Posts: 1,543
I would like to take this opportunity to complain to someone.....Paul, I guess you are a good place to start. GLBA has created so much burden for us as far as privacy goes! Why do banks have to bear the burden here? I go to the doctor's office and they want me to write down my social security number when I sign-in...everyone who comes in after me can see it (I will not). I give them my insurance card to copy (it has my social security number on it) and they make a couple of copies and throw the worse one in the garbage for ANYONE to pick out (I ask for them to fish out of garbage for me to take). I go to purchase a new cell phone and they want me to call out my social security number, home address and phone number for EVERYONE in the store to hear (I refuse). Boy, I would like to see banks get by with this!

These are just a few of the cases we encounter each day. Again, why do banks (financial institutions) have to bear the burden here? Are we just an easy target?
Some of the "stuff" that has come about the last couple of years is unbelievable.


#12149 - 02/05/02 04:55 PM Re: Reg (P?) - EDP Steering Committee Policy
dsmith Offline
New Poster
dsmith
Joined: Mar 2002
Posts: 15
Michigan
Is there a concern with regulators accessing this site (Paul/2-1) for info and/or participation? Or is your reference to ex-regulator an indication of time availability?

#12150 - 02/06/02 05:33 AM Re: Reg (P?) - EDP Steering Committee Policy
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
DSmith,

I could be totally off base, but I believe examiners and/or regulators are not permitted to "voice" their opinions. I also believe that is why they usually do not supply us with a written authorization to handle something a certain way since we could use either of these items to support our practices on conducting business.

I remember when I went to Compliance School there were some OCC guys there and I tried to get them to give me comments and they were very hesitant. I just wanted to learn from them. It is a shame we all just can't work together to "do it right", but I understand them. Look at us and how we cannot provide the customers with an opinion. They could sue us.

But it sure is nice when we get guidance and knowledge from former examiners, instructors, etc. We need their help. There is soooo much to learn and only sooo much time to do it in. Sometimes I feel guilty for taking time from work to get on bankersonline. But I learn sooo much from everyone.

bwest,

This is my opinion, but I believe banks are usually one of the first to get "hit" with regulations because we "safeguard" other people's money and ultimately our country's finances. What we do in our profession can truly affect our country. We are not limited to individuals when you put all of the banks together. We could have some major effects.

That is why I get upset sometimes when I see employees taking their jobs as a "joke". But I also get upset when management does not want to reflect the salaries accordingly for the responsibility.

Oh, well, what do I know. These are just my opinions and surely not my employer's.


#12151 - 02/05/02 08:39 PM Re: Reg (P?) - EDP Steering Committee Policy
BankerMama Offline
Diamond Poster
BankerMama
Joined: Jun 2001
Posts: 1,543
Maria, they do access this site and voice their opinions, however, they don't identify themselves. I realized this one day when one of them worded something in a way that gave him/her away and when I asked if they were a regulator they answered "yes" but would not identify with what agency. I know they are not necessarily the bad guys here. They are just doing their jobs like you and me. In my opinion (and mine only) the "bad guys" here are the ones writing these ridiculous laws that you and I and the regulators must comply with. It just makes me feel better to complain every time I get half a chance.

I do admire your positive attitude. Guess I am just the age where I have seen so much C!!! coming from the lawmakers of this country, especially within the last couple of years, and I am just fed up.
Keep that positive attitude Maria!


#12152 - 02/11/02 02:31 PM Re: Reg (P?) - EDP Steering Committee Policy
Paul Reymann Offline
New Poster
Joined: Jan 2002
Posts: 4
Washington DC USA
Wow! I guess I need to check back for follow up comments more frequently.
However, I feel Maria has done an excellent job covering the bases already. I’ll simply add three additional points:
1) The health care example is a good one. I frequently have the same thoughts. I believe we will begin to see a wave of change in how the health care industry handles our records. HIPAA will require that industry to implement significant changes in the handling and protection of customer information.
2) I am happy to respond to complaints or comments related to the GLBA data protection provisions. I truly believe that is a regulation that we went out of our way to reduce the regulatory burden as much as possible. As for the other aspects of the Privacy law, you are correct – the regulators simply implemented the law, lawmakers defined it.
3) As for participation by the regulators in this form of informal dialogue, you might be surprised. It depends on the agency. But I think if it was presented properly to the regulators, they might enjoy this opportunity to engage bankers under their increasingly popular “outreach programs.” When I was a regulator in Washington, I was always willing to sign my name if I felt I had useful information for someone. Although depending on the topic I might include a note that an official agency position was not final yet, etc. I would be cautious of any answers that don’t carry a personal signature/identity. The name may be absent for a number of reasons, the most important of which is that the person may not be confident in their answer. If they don’t sign it, you cannot consider it any more than water-cooler talk. Hence what value does it provide to you?
I hope you find some of these thoughts helpful.

#12153 - 02/13/02 07:37 PM Re: Reg (P?) - EDP Steering Committee Policy
BankerMama Offline
Diamond Poster
BankerMama
Joined: Jun 2001
Posts: 1,543
Sorry, I've got to speak from the heart here..........You feel that you went out of your way to reduce the regulatory burden as much as possible?!! You have got to be kidding! What about the totally unnecessary burden of annual notification when 1) we notified everyone with the initial mailing and 2) we deliver one to each new customer. Please explain how the annual mailings can "reduce the regulatory burden as much as possible" please? Banks are having a hard enough time to make ends meet these days. The cost of annual mailings alone puts an unnecessary strain on us small banks.

At one time I could see some common sense in regulatory requirements. Some of the things coming out within the last 3 years seem to me to defy all common sense.


#12154 - 02/13/02 09:33 PM Re: Reg (P?) - EDP Steering Committee Policy
Paul Reymann Offline
New Poster
Joined: Jan 2002
Posts: 4
Washington DC USA
bwest,
I was referring to the GLBA DATA PROTECTION PROVISIONS. They are only 4 pages long.

I believe you are referring to the privacy notice mailing requirements. They were not part of the DATA PROTECTION PROVISIONS. Hence, I cannot speak to that requirement.


#12155 - 02/15/02 03:42 PM Re: Reg (P?) - EDP Steering Committee Policy
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
bwest: I don't think that the regulators can be blamed for the annual notice requirement. Congress, in the GLB act, specifically required disclosure "not less than annually" during the continuation of the customer relationship (in section 503). The agencies have to work within the requirements that Congress establishes.

------------------
This is a personal observation that should not be taken as legal advice nor relied upon for any purpose.



Moderator:  Andy_Z