Dr. Waldemar Grudzien, Association of German Banks
Dirk Venzke, Commerzbank AG
Dr. Horst Walther, Kuppinger Cole
Wolfgang Zwerch, MunichRe
April 18, 2012 12:00
You are obviously invited to stay on for the upcoming panel discussion on how to address regulatory needs fast and lean. And I would also like to invite Waldemar Grudzien from the Association of German Banks to the panel, Dirk Venzke from Commerzbank, Horst Walther from KuppingerCole and Wolfgang Zwerch from Munich Re. I hope we have enough chairs. I don't know how this is intended. How do we do this? Shall I just hand around the microphone, or what's the best way to deal with it? Probably, yes. Or keep it on and I just give it to the others. Okay. Do you want to take a seat?
Ah, this one. Okay. You don't have one, so you take this one from me. You share. All right. So we have three microphones and one shared. Very good. So the topic is again how to address regulatory requirements in a lean way. And I would like to ask, as a very first question: is implementing regulatory requirements in a lean way actually a contradiction, or are there smart ways to go about it?
I see you nodding. So let's start with Horst.
Yes, well, lean is a quite often misunderstood term. It comes from lean management, so from manufacturing, but I once heard the claim that we got so lean, we can't move any longer. That means stripping off resources. This is not lean management. Lean management means avoiding waste, so the Japanese word muda: seven kinds of waste to avoid. So this means fulfilling the goals should be possible in a lean way. And now we have to look at the question: are the regulatory requirements part of the game? Are they part of the business?
So is there any waste on top that can be avoided? If we accept the fact that the regulatory body defines our environment and defines our requirements, then of course it can be done in a lean way; it can be done, as an ultimate goal, without carrying any waste with us. So not doing too much, not investing in the wrong spot and so on. And on the other hand, the regulatory bodies offer some space for decision, for personal decision, so that we have a possibility to adjust.
I think you pointed it out that the minimum requirements for risk management, for example, leave some opening clauses where you can put in your own decisions. And it is even meant like that: you first have to set up your own business organization, and this, by the way, should just comply with the minimum requirements. So my statement is: yes, it's possible. The next statement, of course, is how it's done best. Perhaps someone else. Thank you.
Next question, perhaps to you, as you obviously not only represent the very big ones but also the smaller banks, and coming back to the question which was asked earlier: how do, let's say, smaller and midsize banks deal with these kinds of requirements? I think this is easy to answer. They concentrate the need in what we call the publishing houses. So the publishing houses in Germany, there are four of them; they do all the IT strategy, risk and compliance issues for the smaller banks, like Mr.
I can speak for the commercial publishing house, such is bank and Cologne. They have something like 45 midsize and smaller banks, and they do the whole IT portfolio for these 45 banks.
And this works somehow, because I do not hear too many complaints about it. What does not work? And maybe this is the second question then, which you tried to find out from Mr. Marcos Held; it was your last question. Would it be possible to simplify somehow, I don't know how completely, but to simplify somehow the whole big picture of regulations, laws, standards and whatever else, and how do you call it?
Yeah, the micro, not Microsoft, MasterCard bulletins. We get two, three bulletins per week from MasterCard, one-pagers, and it's a really hard job, even for the experts and, for example, the publishing houses, to know what is now the actual regulation, what we need to fulfill and what we don't need to fulfill, as Mr. KTZ spoke about with Klotz. And one thing could be one way to a possible solution. I think the first step for the European supervisors, or the other names, I don't know the other names,
and the member states is to try to cooperate somehow and to establish a common European regulation framework. As you mentioned it, maybe this could be one step, because we as banks and insurance companies are also forced by ourselves to cooperate Europe-wide.
And these things, maybe as a counterpart, the European supervisors, maybe also with the US Fin and Singapore, the main markets, could try to establish a framework somehow. I don't know how. I do not speak about 1000 pages of framework. I'm speaking about what you do, let's say, with MaRisk, which is ten pages, seven pages or five pages, maybe 25 pages, where you just tell us, very much at the surface. There's a famous expression: you have to meet the current IT technology. And that is maybe some more in detail, as you tried to get it from the ING during your last question.
So I spoke to four questions. I think we probably ask a lot from the regulators. On the one hand, we ask them to be generic enough, which allows us, whether big or small, to come up with our strategy and then align our control framework to the size and complexity. So that's how I understood you. On the other hand, and that was my comment earlier and your comment now, we ask you to be a bit more concrete, which helps us, yeah,
to align our measures basically in a better way. And thirdly, we ask you to align with each other so that we can implement one framework globally and not just one for Germany, one for the US, the UK, et cetera. That brings me to another question, perhaps to you, Dirk, as a representative from another bigger bank, definitely global. Obviously you will get the same questions over and over again from different regulators. How do you make sure that you give the same answers, and how do you do that in an efficient way? Yeah, thanks for that question.
I think it's important and essential for us to go into dialogue with the different regulators. And this is our experience I can share with you, because during the integration we had done with Dresdner Bank in the last years, we set up a program called authorization management. And in this program we set up quarterly talks per year with the regulators and with the auditors to exchange the different points of view and to find out what are the different needs
we have to fulfill, on the one hand on the business side and on the other hand for the regulatory mandatory needs. Okay. Coming to you, Wolfgang, being a representative from an insurance company, a reinsurance company, the biggest one, I guess, still: are there similar challenges in the insurance industry, or is it pretty much the same as in the banking industry? I think it's the same, and we are facing the same problems. From my side, I'm responsible for the identity management system, and we are just asking what regulations we have to adhere to.
And even if we go to the business side, we just ask them which rules we should implement. And it's always a question. Okay, hmm, we have policies, we have some strategic documents located somewhere, but I think the main goal or the main problem is to translate these strategic words, sentences, papers into a format that is understandable and sustainable for both sides: for the applications, down to the really technical application side, and especially to the business side, so that they also understand what they have to do. And I think we are going here,
you agree, to speed up this process a little bit, to get more in touch with the business and to translate these policies into an understandable format. And we want to reach this in a way that we define a role and a service where we have some people with good knowledge of both sides, of the regulation side, of the strategic documents and also of the business side, and they are responsible for translating the requirements. And we hope this role will work in future. Thank you.
One of the topics of the conference is also the usage or introduction of governance, risk and compliance tools. One feature of some of these tools is to capture internal policies and also to provide mapping mechanisms to international regulation. So there are service providers who offer these kinds of capabilities, et cetera. Perhaps a question to you, Horst, from a consultant's perspective: have you seen these kinds of tools being used?
And if so, are there any experiences around that? Well, the use of these compliance-supporting tools, so GRC tools, is quite a recent development. The market is quite hot, so lots of companies are looking for support, which indeed is one of the prerequisites to fulfill these requirements in a lean way. So it comes back to the topic: if you don't automate, you will not be able to support these processes in a lean way. But the hard work still has to be done within the corporation. So the day-to-day work will be supported
once you have defined your regulations, once you have identified the links to some international regulations you have to follow, like Basel II or III and so on. But the hard work is still with the corporations, and this is quite often underestimated. Of course it's clear, at least at this point of the discussion, that it's no longer an IT topic. Just to introduce the tool in the IT environment is still an IT task, but to make use of it, to make it a meaningful tool within the corporation, is far beyond IT.
And this has not yet arrived in all corporations at the business level. This is my observation. So the tools are there, they are becoming more and more mature, they are really helpful, some of them, but the problem is somewhere else. Thank you. Talking about regulation, there is always this notion that it's a burden, it takes a lot of effort, it's costly, et cetera. Question: talking about experience in your companies,
is this really the case? Or can you think of examples where you followed regulation, where it made sense that you were forced to do so and where this even added value to the business? Perhaps you start first, and then Wolfgang can follow.
Yes, of course. On the one hand, as Marcos explained, it is said to us by the regulators: yes, we have to do this. This is the one point of the show. But the other point is, I think it is, or it has to be, driven by our own needs, because we are dealing with data of our customers day by day, in terabytes. And we have to protect these data and the money behind the data against misuse. And so it's our own need to be driven by this.
And to give you an example: by doing a recertification on account level, looking at whether an employee of our company really needs this account or this system for doing his job properly, we then recognize, perhaps you will not need this anymore, we can give back the license depending on this account when we don't need it any longer. So we will save costs in IT in the end, too. Yeah, a very good example.
Any examples from Munich Re here? Yes, but I can only say it makes absolutely sense to follow the regulations, but as always, you have to take care that you think about what really makes sense for your application, where the business need really is and how this regulation could be checked, that it is adhered to. And we have seen it many times that we have some documents in some folders and some SharePoint folders in the intranet and think, okay, from the policies' point of view, everything is okay.
But with time something happens; the business people do not remember this document, will not follow this policy, and nobody sees the effect on the business process. And so you have to make some automation, some IT stuff, just to check if the policies are adhered to. And if you don't have these checks, I think you can forget all this paperwork, because this is just for satisfying the auditors and will not really work.
And right now we are just searching, for every policy or for every regulation, for such an automatic check on the system. So you have to, when implementing regulatory requirements, do it in a way that it makes sense for the company, not just to fulfill the requirements formally, right? Yes, absolutely.
Yeah, absolutely. We have just on the SAP side a requirement that at least every month the batch input processing should be checked, that no old batch input data is lying in the system. And this is just staying in a document. And after three or four months we just checked it on the system and saw, oh, there are some old batch input files. And now we have implemented an automatic check every month, just to look at this folder and see, okay, is there something in this folder? And now it works.
And I think this is the only possible way to take care of these regulations and to see, okay, this regulation will be adhered to. Okay, thank you.
Waldemar, in your presentation, at least I sensed that there was a little bit of criticism, I would say, of overregulation coming from Brussels and elsewhere, et cetera. Now we have Marcos here with us. If you could present a wish to regulators, what would it be? Okay. Could I first add a positive example of regulation, as the others did? It's the famous second letter from Z Bian from the 5th of December 2001. I still know it. And it's dealing with two-factor authentication in online banking, with a second factor that has to be dynamic.
We had it since 1990, but it was very important that BaFin pointed it out once again. So in Germany, German banks need two factors for online banking, and the second one has to be dynamic. It's a very positive example of regulation, and of getting a stamp of regulation. And of course we deal with trust; we need trust. And now the wish. I would have a small wish: that it will be possible to organize a conference, a symposium like this here, for one day in Frankfurt, please.
In Frankfurt, maybe in Munich, with three hosts: first BaFin, ECB and Bundesbank. And where the three policy makers, regulators, will give us a first overview of the main, let me say, 10 to 15 regulation bodies of the ECB, BaFin and the European supervisors. This is my personal vision. I hope you take it with you.
Well, I can assure you that we have regular meetings with other supervisory authorities, for instance the European Banking Authority at the European level. We also have contacts to those authorities that are not involved in supervision, for example the European Central Bank, but it depends on what you want to achieve in progress and regulation, and if you want to make a conference like that or, let's say, other forms of communication. But I can assure you that we will go on with upcoming regulation in a very, let's say, in a very sensitive way.
And I think I can speak for both the national regulation and the European regulation. Okay, that's a very concrete outcome; I had not hoped for that. Before I close the session, looking around: is there any question from the audience to one of the panelists? Thanks. Outside of banking,
when you talk to IT security people over the past years, they've been thankful, many times thankful, for regulations, for essentially pushing their organizations to do what they would actually really like their organization to do anyway from a security point of view. The question is: is that role also actionable within the German regulatory system?
Do you, as security or IT people, help and/or use your regulator to help communicate to your upper management, or is that not necessary, as it is maybe in some other industries, to sort of get done what you think should be done? You mentioned the multifactor authentication regulation. Most IT security people ten years ago would say password-only authentication is a bad idea.
And so the regulation becomes useful, because then upper management has to pay attention. Is that something that's actively happening in the banking regulations, that approach? Who would like to answer the question? Thank you. Yeah, perhaps for our house I can say yes, sometimes it is helpful to bring, with a regulator on my side, the pressure to the right point. But on the other side, I think, driven by the integration with Dresdner Bank, our business sides are quite aware of the needs in the security efforts
they have to fulfill, and we set up a scenario, and I will talk about it a bit later on after lunch in my presentation, involving business sides, like Beka told this morning for German bank, with role managers and IAM officers in the business sides keeping an eye on these topics. Yeah. I think perhaps I can also answer your question.
I think, yes, regulation helps with the communication to upper management, and of course IT security people or information security people are not always heard in the organization.
And sometimes the organization needs to be forced by regulation to good practices. However, we have to be really careful. So I liked what Marcos said: everything you do has to be aligned with your strategy and the complexity of the organization and has to be risk-based. And you have to be able to explain what you're doing to regulators. If regulators go over the top, yeah, it starts to hurt. So for example, you have one, and I won't name the regulator itself, which explicitly asks, just to take one example, that open USB ports are not allowed at all.
I mean, is this really helpful? If this is a one-size-fits-all requirement, I'm not sure. But there was another question.
Hello, my name is Stein from MSK Systems, and we are a consultancy for the breakdown of regulatory requirements to, somehow, technical solutions or processes. And when we answer customers, there is not only the question which of all the regulatory requirements have to be done, and whether there is, let me say, some prioritization on the customer side. So the question is: is there a prioritization within the regulatory requirements? So is there something which is more important and something which is less important? Because you cannot sometimes do everything at the actual point in time.
You need to have, let me say, a prioritization. Any volunteer who would like to answer that question? Well, go ahead. I can try to get near to it.
Well, we had a quite similar question. First, to start with that: at a customer site where they had some audit findings by the regulatory bodies, so there were... That's a little bit louder; speak louder, a little bit. Yeah, can you hear me? Yes. Oh yeah, now it's better. So there were no attestation processes in place, or you can say recertification processes. And the question was, okay, we have to introduce them; how often should we do that? And then we came up with a short cycle, but the outlook was at the same time: attestation, what does it do?
It detects flaws in the administrative processes, and the administrative processes themselves have to be enhanced and secured and deliver a better performance. And so setting the attestation processes on top means you switch on the light, you detect the lacking quality, and indeed the quality costs on top. And this gives you a mechanism to optimize the administrative processes which are underlying. And by the time they are optimized, and you will not have many findings in your attestations, you can decrease the intervals.
The cycle can be longer. And so this gives you a handle on the costs, on the quality costs, so the costs for bad quality. But in general, this was an example. And then we thought it can be generalized: in general, it all boils down to operational risk, and this is the only justification you can use. I know it's theoretical and it's hard to do in practice, but it's the only way to tie security measures to the underlying risk relevance.
And this is also mentioned in the regulations: that the risk relevance is the guideline that guides you to the right measures, and lining up the operational risks can give you a handle on priorities. Did it help? Okay, thank you. So I would like to wrap up the session, since we are a little bit over time already. I think we started off with the question of lean implementation of regulatory requirements.
Marcos explained that from a regulatory perspective, at least from BaFin's perspective, there is quite a large scale of flexibility, dependent on strategy and organizational complexity. We also agreed, I think, as a group, that lean implementation is possible and that many regulatory requirements make a lot of sense and even add value to the business.
And I think at the end we came to the point where we said there is one big wish to regulators: to better reconcile with each other and align their approaches in Europe, but also globally. That would be helpful and very appreciated. I would like to thank you all for attending this morning session. I would like to thank the panelists for giving their views, and I close the session and hope you enjoy lunch.