Data Protection Authority Measure for Banks

The Italian Data Protection Authority (DPA)  (Garante per la protezione dei dati personali) introduced on May 12, 2011 a new compliance directive named “Prescrizioni in materia di circolazione delle informazioni in ambito bancario e di tracciamento delle operazioni bancarie” that will require banking institutions to log and monitor employees activities at the time these involve customer financial information.

How this will this new directive impact banks and financial services firms, given that the it is required to be deployed within 30 months, that is at the end of 2013?

Requirements

According to DPA, banks are required to comply with both technical and organizational requirements. First of all, we can split them between mandatory [M] versus appropriate [A] (i.e. not mandatory) requirements.

Technical Requirements

1. Operations Logging [M]: all applications which allow customer data access by bank employees must produce a log where a minimum set of information is collected;  identification code for the employee who accessed the customer information, operation timestamp, workstation/terminal identification code, customer identification code which the operation refers to, financial product the operation refers to.
2. Logs Retention  [M]: logs must be stored in a secure way for at least 24 months.
3. Alert implementation [M]: alerts must be configured to trigger alarms when anomalies are detected (i.e. too much balance inquiries on the same bank account).

Organizational Requirements

1. Outsourcer Designation [M]: when customer information is exchanged between different branches or third parties, they became responsible and the law requires that evidence and disclosure is provided via a responsible formal designation.
2. Audit  [M]: internal audits must be in place. Audits shall be focused on how customer data is managed, which alerts and alarms were triggered and, moreover, on logs availability and reliability. Periodic checks must be in place (once a year) and specific audits are carried out when anomalies are detected. The Audit organizational function must not be the same function that is in charge (i.e. responsible) of data management. Audit results must be formalized and communicated to the internal organization / to DPA if required
3. Privacy Policy Integration (“Informativa”) [A]: If applicable, customers should be notified that their information is exchanged between different branches,
4. Customer notification [A]: Institutions are required to promptly inform customers of every illicit event in data management
5. DPA notification [A]: Institutions are required to promptly inform DPA of any significant illicit event in data management

The Scenario

The figure below depicts a typical scenario. A current balance inquiry performed on a customer account using an internal application to access customer financial information should produce a minimum set of information (A). These information are collected in logs which must be stored for two years (B). If an anomaly is detected an alert should be  triggered; the customer should be informed (C) about the anomaly. Both periodic and on demand reports are in place (D) to ensure internal staffs reviews (i.e. a Compliance Function) and a fast response to alerts.

How Moviri can help customers to be compliant with the DPA Measure

Moviri managed similar projects in the past using Splunk.

The Moviri – Splunk Inc. partnership started in 2008 has been proved to be the optimal solution in addressing complex compliance requirements, like the one expressed in a previous DPA Measure (the DPA System Administrator Measure ) where, again, both Technical and Organizational requirements were in place.

In my experience, Splunk is one of the most innovative and effective log management solution. Originally designed for IT Operations Management (i.e. incident management, troubleshooting, etc) but it revealed indeed a high degree of flexibility in different fields, not  directly related to Operations. Taking into account Splunk to satisfy compliance requirements, some benefits I’ve immediately appreciated are:

• Data indexing, a paradigm to extract information from different data sources and load data into Splunk flat files. Since the only requirement to data indexing is that it must contain a timestamp, actually every kind of information can be indexed without additional development effort.
• Integrity, generally speaking, a compliance measure that involves logs requires to store them in a secure way (otherwise, think about audits reliability…). One of the most useful features in this case is Data Signing, since it allows  data changes detection, i.e. a log file tampering after it has been stored in the database.
• Reporting can be managed with interactive dashboards or email alerts. I’ve found this very useful. Since people dislike using several tools all the time, it is better for them to investigate in depth only when an alert is raised in the email raised.

Conclusions

Given the centrality of logs in the DPA Measure, I can envision two cases:

1. A log concentrator is in place; for those of them who implemented it with Splunk, a limited effort will be required on the log concentrator side – even if at the moment the deployment is dedicated to IT Operations Management.
2. A log concentrator is not in place or, more generally, existing log concentrators aren’t as flexible as they should be: they could use this as an opportunity to put in place a pilot project with Moviri and Splunk.

In the meanwhile DPA will be asked to provide more explanation on the requirements. We know for instance that home banking is not  included in the directive, but which kind of operations are actually required to be logged? Only branches employees ones? Or are application support teams, system administrators and DBAs included as well?