If you don't know reviewing credit applications for women's first names is a violation of the Equal Credit Opportunity Act, you likely can't work for Zoot Enterprises - even if the job is limited to answering the phone or sorting mail.
The same holds true for failing to know the only legal inquiry type available to creditors ("permissible purpose"), or what the FACT Act governs. Erecting a hurdle normally reserved for CSRs, network administrators or loan officers, Zoot requires all its employees, from administrators to C-levels, to pass an annual certification exam on consumer data privacy regulations. It's no cakewalk, either: the minimum passing score is 90 to gain or maintain employment at the credit decisioning technology firm. "Personally, I thought it was hard," admits Eric Lindeen, Zoot's marketing director. "People have had to take it more than once."
The credit decisioning technology company may be among only a few vendors, or perhaps the only one, taking in-house compliance training this far across the staff roster. But it reflects on the growing issue of third-party vendor accountability at a time when data breaches can be headlines as well as headaches, and reputational security can be a matter of survival.
Analysts say banks are making operational and compliance resiliency a higher priority in vendor reviews, particularly since the FFIEC last year put the responsibility for disclosure of third-party data breaches squarely with banks. Financial institutions are adopting more cross-industry security standards, such as ISO and COBIT, for internal IT and compliance resiliency. But however detailed, complex or comprehensive those internal audit procedures are, "banks are finding out they haven't necessarily covered all bases" with vendors, says Celent senior analyst Jacob Jegher.
In a first stab at creating benchmarks for banks to measure vendor compliance, the Financial Services Roundtable's sister technology group, BITS, is ushering in a new program that provides shared assessment between banks and service providers. The pilot program allows the institutions to freely exchange audit data on vendor capabilities, including security.
When BITS consultant Brian Gist led the program through its technical development stage, assessing a vendor's treatment of data was a top concern from member bank security officers, he says. Banks want to look at the handling of data before it's encrypted, when it's unencrypted, and where it is stored, concerned primarily with the question, "Can customer data at any point be stored on someone's computer?" says Gist.
While encryption and all the data security measures required of Zoot are in place, the Bozeman, MT company still saw the need to provide a company-wide compliance training program. For example, Zoot must keep a tight hold on pre-screen credit file information it compiles for banks without direct consumer authorization. Zoot "cannot send the credit file or the data, nor can we send a 'no' decision," says president Dennis Dixon.
With such a lockdown on forbidden fruit and the potential damage to a prized client (Zoot says it serves seven of the top 10 U.S. banks, and three of them deploy Zoot for near enterprise-level risk analysis), the decision to run all workers through a data privacy boot camp seemed all the wiser, says Zoot CTO Tony Rosanova.
Using a training and exam process created by an Atlanta consulting firm, CreditQA, Zoot officials run their employees through a one-day course with assigned reading taking place 30 days before an exam. Only one retake is allowed to meet the passing score.
According to email encryption firm ZixCorp of Dallas, at least three percent of outgoing corporate e-mails carry improper or unencrypted sensitive customer information. That ranges from attaching unencrypted spreadsheet files containing customer Social Security numbers to the inadvertent disclosure of forwarded messages with unseen but improper data buried in earlier iterations of the thread.
"What we'll see is the entire payroll coming from a company into a bank...and somebody will be forwarding that onto a processor with everyone's name and address visible and unencrypted," says Nigel Johnson, ZixCorp's vp of business development and product management.
Zoot's Rosanova says the compliance program in place at Zoot is a good backstop to the automated data protection procedures any responsible vendor or institution has in place. But he also sees the benefits in how the program taps into Zoot employees' sense of responsibility and empathy. "What we saw was a clear understanding [from employees] of why security policies are in place," Rosanova says. "Until they actually saw there was legislation that governed why our policies say or do what they do, it didn't give the general population a context of why those policies were there."