Management of cyber risks: FINMA introduces new guidelines for banks

Revised circular on operational risks is published

On 1 November 2016, FINMA published a revised version of circular 2008/21 “Operational risks – banks”. The updated circular’s Principle 4 (on technological infrastructure) includes requirements relating to the management of cyber risks. It applies to all banks, regardless of their size or supervisory category, and will enter into force as of 1 July 2017.

New requirements and guidelines regarding the management of cyber risks are set

Banks must formalise their cyber risk management strategy, including the definition of roles and responsibilities as well as of the processes to cover the following five dimensions:

[Infographic: the five dimensions of cyber risk management]

Contacts:

Reto Haeni
Cyber Security Leader
+41 79 345 01 24
reto.haeni@ch.pwc.com

Yan Borboën
Partner, Cyber Security
+41 79 580 73 53
yan.borboen@ch.pwc.com

Nicolas Vernaz
Leader Cyber Data Protection and Regulatory Compliance
PwC Digital Services
+41 79 419 43 30
nicolas.vernaz@ch.pwc.com

The opportunities opened up by video and online identification


The digitisation of processes is a key issue for the Swiss financial industry. To create and elaborate the necessary regulatory framework, on 18 March this year FINMA issued Circular 2016/7 ‘Video and Online Identification’. We have written a series of blogs addressing the December 2015 draft circular, the opinions expressed in the public consultation, and the risks of implementing video and online identification. In this last blog we’ll compare the final circular published in March with the draft. We’ll also be taking a look at other countries and showing where their practice differs significantly from Switzerland’s. And finally we’ll look at the opportunities that video and online identification creates.

Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. This has enabled FINMA to take account of new technologies designed to assure an equivalent level of security in meeting the relevant due diligence requirements. FINMA also has to make this practice public. This is why it has published Circular 2016/7 ‘Video and Online Identification’, describing the due diligence requirements for intermediaries onboarding clients via digital channels.

Read more about the opportunities here.

Further blogs
Read more about the digitisation of processes in the Swiss financial industry and about other key developments in this field in our previous articles in our blog series on video and online identification.

If you’re interested in this topic or have any questions connected with it, please feel free to contact our experts:

Jens Probst
Director, Systems & Process Assurance
jens.probst@ch.pwc.com
+41 58 792 29 59

Christian Hug
Senior Manager, Leader Information Governance
christian.hug@ch.pwc.com
+41 58 792 23 66

Marco Schurtenberger
Manager, Cyber Security & IT Compliance
marco.schurtenberger@ch.pwc.com
+41 58 792 22 33

The security risks of video and online identification

The digitisation of processes is a core issue for the Swiss financial industry. To create and elaborate the necessary regulatory framework, in December 2015 FINMA issued a draft circular governing the video and online identification of clients. In the meantime the final version of the FINMA circular has been published. In our first blog at the beginning of February we presented the draft FINMA circular on video and online identification. In the second we looked at the opinions expressed in the public consultation. In this, our latest entry, we address the concrete challenges involved in video and online identification.

Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. This has enabled FINMA to take account of new technologies designed to assure the requisite level of security in meeting the relevant due diligence requirements. FINMA also has to make this practice public, and has accordingly published the FINMA circular 2016/7 on video and online identification on 17 March 2016. The circular describes the due diligence requirements for intermediaries onboarding clients via digital channels without gaps in the information process. This is an opportunity for the Swiss financial industry to put the digitisation of business processes into practice. Our aim is to show where the risks lie and advise on how to deal with them.

Read more about the security risks here.

Further blogs
Read more about the digitisation of processes in the Swiss financial industry and about other key developments in this field in the next articles in our blog series on video and online identification.

If you’re interested in this topic or have any questions connected with it, please feel free to contact our experts:

Jens Probst
Director, Systems & Process Assurance
jens.probst@ch.pwc.com
+41 58 792 29 59

Christian Hug
Senior Manager, Leader Information Governance
christian.hug@ch.pwc.com
+41 58 792 23 66

Marco Schurtenberger
Manager, Cyber Security & IT Compliance
marco.schurtenberger@ch.pwc.com
+41 58 792 22 33

FinTech: Embracing the people opportunity

There has been a lot of talk about Financial Technology (“FinTech”) companies in recent months. The increasing use of technology to deliver financial services is not new, but recent advances in technology, digital security and processing power are unlocking opportunities for companies to completely rethink the way in which these services are provided, disrupting accepted business models along the way.

Many commentators to date have focused on the impact this will have on the provision of services and the structure of the market, but another important issue to consider is the people aspect. It is people, after all, who develop the innovative and groundbreaking solutions that will cause tremors through the industry.

But where should you start? If an organisation is to be successful in this new world, attracting and developing the right talent will be crucial.

People challenge: How do we develop the skills to be successful in this new market?
What can HR do?
  • Focus on innovation and agility to react quickly to change.
  • Redesign performance management to foster teamwork and “fail-fast” mindsets that promote innovation.
  • Rethink organisation structures to emphasise flatter, team-based structures.

People challenge: How do we remodel our own processes to attract talent?
What can HR do?
  • Develop 21st-century HR processes that deliver HR services through digital channels and cloud-based solutions across the employee life cycle.

People challenge: How do we develop a FinTech-friendly employer brand?
What can HR do?
  • Develop a set of values that speak to innovative talent looking for a “grand challenge” to solve.
  • Use events such as business incubators or “elevator pitch” investment programmes to engage with potential future talent.

Many of these changes relate to the culture of the business, something currently on the minds of FinTech start-ups as one of the potential barriers to effectively working with traditional businesses.


This week sees the release of “Blurred Lines”, PwC’s global survey looking to assess the attitudes and emerging trends associated with FinTech. This survey provides some great food for thought, both for existing FS organisations and for those wanting to get in on the action with their own start-up.

There is a great deal to think about in this area, and we will see significant changes in people processes across the industry in the coming years. This presents an exciting opportunity for HR to be a strategic partner to the business when leadership are defining their response and group strategy for FinTech. You can access our survey here.

If you’d like to discuss your plans for introducing FinTech with an expert, please feel free to contact Stuart Jones.

Electronic invoicing (e-invoicing) – A guide for organisations and institutions

Electronic invoicing (e-invoicing) has considerable advantages over conventional paper-based billing in terms of costs and working capital management. More and more public authorities and organisations from small businesses to multinationals are tapping into these benefits. Organisations that stick with conventional billing increasingly have to pay extra charges or are even barred from doing business with partners who operate electronically. Introducing e-invoicing does entail challenges, uncertainties and risks – but nothing that can’t be addressed with the right planning and implementation.

This brochure is designed as a guide to help people managing SMEs and institutions who are planning and implementing an electronic invoicing system. You’ll find a summary of the most important legal matters to consider, the pros and cons of e-invoicing, and the main risks. We also give recommendations on what to look out for when introducing e-invoicing, as well as the best way to proceed. Rather than addressing all the tax and commercial law implications in exhaustive detail, we’ve deliberately focused on the key matters relevant under Swiss legislation.

We would be happy to assist you and answer any questions you may have about the introduction of e-bills in an international context.

You’ll find the full guide here.

If you’d like to discuss your plans for introducing electronic invoicing with an expert, please feel free to contact our specialists:

Raphael Hasler
Information Governance
Phone: +41 58 792 17 33
raphael.hasler@ch.pwc.com

Jochen Richner
Tax Technology Solutions Leader
Phone: +41 58 792 57 55
jochen.richner@ch.pwc.com

Christopher Oehri
Director, Assurance
Phone: +41 58 792 27 57
christopher.oehri@ch.pwc.com

And there’s more information on how to deal strategically with digitised documentation and data in the latest edition of our web magazine Disclose.

Event – Taxmarc: your cure for the SAP VAT headache

Handling VAT isn’t getting any easier. As if it wasn’t hard enough to ensure the compliant tax classification of transactions, you also have to enter them in SAP. Given that SAP’s tax determination logic was developed 30 years ago at a time when the legislation governing cross-border transactions was far less complex and the reporting requirements a lot less comprehensive, it is no wonder this is a headache for many of our clients.

At our half-day seminar on 21 April we want to show you PwC’s cure for the SAP VAT headache. Our new technology solution, the Taxmarc add-on for SAP, enables you to deal with the problems efficiently in a language users understand.

We will be showing you how you can use Taxmarc to automate your VAT determination and processes and overcome the potential limitations of your SAP system. Among other things you will learn

  • How to automate (complex) incoming and outgoing VAT transactions in your SAP system
  • How to establish an integrated control framework to check whether the VAT treatment of each individual transaction is correct and consistent
  • How to establish and change the tax codes (including extension of tax codes to three characters) flexibly
  • How to handle your VAT, European Sales List and Intrastat reporting efficiently
  • How to use tax data for analytics and controlling purposes.

The seminar is geared to tax and VAT managers, finance function representatives responsible for VAT, and IT people responsible for SAP maintenance and configuration – so as well as a chance to talk to PwC’s VAT and SAP specialists, this will also be a great opportunity to network with your peers.

When?
Thursday, 21 April 2016
8 am to 1 pm

Where?
PwC Zurich | Birchstrasse 160 | 8050 Zurich

Reserve your seat as soon as possible by registering here.

If you have any further questions regarding the event, please do not hesitate to contact Demet Koç.

Cyber savvy: Securing operational technology assets

Business leaders who have security as part of their overall business strategy discussion are better positioned to balance the technologies, processes and resources needed to anticipate constantly evolving cyber risks. The term ‘operational technology’ (OT) refers to the hardware and software used to control industrial processes and infrastructure, particularly in industries such as energy, mining, utilities, manufacturing and transport. A cyber-attack on an OT environment can have serious and wide-ranging consequences beyond just financial losses – including prolonged outages of critical services, environmental damage and even the loss of human life. There are highly skilled and motivated adversaries actively seeking to exploit the security weaknesses in OT networks, process control systems and critical infrastructure. Their motivations range from economic benefit and espionage through to malicious disruption and destruction. While many operators in these sectors have recognised the need to increase focus and spending on the security of their corporate IT systems, this has not been matched for OT systems, leading to critical vulnerabilities. We have drawn on our experience conducting cyber security assessments and penetration tests across the globe to identify the 10 most common security flaws in OT networks.

The Swiss Reporting and Analysis Centre for Information Assurance (MELANI) highlights the importance of a cross functional approach to combat cyber threats to Operational Technology and Infrastructure: “The enumerated measures should be embedded in an overarching security process, ensuring that the measures are applied, regularly verified, and continuously improved. Moreover, it is important for operators of systems to know the current threat situation, to monitor that situation regularly, and to incorporate the insights into implementation and improvement of the security measures. For this purpose, close cooperation between risk management, engineering, and operations is of the utmost importance.”

Read the report: Cyber Savvy: securing operational technology assets (December 2015)

The 10 most likely ways your operational technology network will be compromised:

[Infographic: the 10 most likely ways an OT network will be compromised]

Process Intelligence: better control, better performance, better processes

Be it for procurement, for sales or for insurance claim approvals, processes drive the main cycles in your company. There is, however, often a gap between how processes are intended to be and what they are in reality. Identifying and understanding these gaps is imperative to boosting your operational effectiveness and efficiency, ensuring quality and compliance, standardising workflows, as well as detecting anomalies or fraud.

PwC’s Process Intelligence analyses the data from your IT systems and makes them fully transparent for you. Curious to understand the main propositions and added value of Process Intelligence?

Check out our video, the related blog post and the technical demos in English and French.


Process Intelligence: Your processes, transparent

What is the state of your business processes?

There is often a gap between how business processes are intended to be and what they are in reality. There are many reasons for this: the complexity of business and system landscapes; changes that have occurred over time; exceptions to process blueprints for operational reasons; users with too much freedom within the IT systems; and finally, people who often only see some of the processes whilst missing the complete picture.


Understanding the real flow of your business processes is paramount when you want to improve process effectiveness or efficiency, ensure quality or compliance, standardise, or detect anomalies or fraud.

The traditional approach to understanding processes is through interviews, workshops, observations and document analyses, possibly accompanied by sample analysis. This method requires a lot of resources and time, and does not guarantee that the model which emerges reflects reality, as information may not be fully objective on the one hand, and incomplete on the other.

PwC’s Process Intelligence offering analyses the data from your IT systems as used by your people from day to day, and unveils what really happens in your business processes. The advantages of such a data-integrated approach are manifold:

  1. It is based on objective information – data doesn’t lie.
  2. It is based on the complete data set describing all transactions performed by the parties involved.
  3. It allows you to look at the process from different perspectives (e.g., by process, by product, by person, by area, by company code, by team, etc.).
  4. The results are obtained quickly.
  5. The analyses deep-dive into every process detail.

PwC’s Process Intelligence

Our approach and tools empower us to analyse any process in any industry, as long as the system keeps a “history” of the steps carried out during process execution.

Our approach to discover and analyse processes starts with a workshop to jointly analyse the extent of process automation and the expected level of standardisation within your business processes. This facilitates the identification of key focus areas, which will be further examined during the next phase. In an audit context, in general, we focus on areas where a high level of standardisation is assumed, as these could provide most audit efficiencies going forward.

In the next phase we analyse the selected processes in detail. This phase includes one or more iterations to reach the right level of process detail, enabling us to distinguish between planned and unplanned process deviations. We utilise process mining techniques such as those described here:

  • Process discovery establishes how business processes are actually executed by your staff in your system. It enables you to evaluate the level of process standardisation, looking at frequent as well as exceptional activities in the process.
  • Process compliance and benchmarking techniques allow us to measure conformance to organisational rules or regulations and process blueprints, to compare how different entities execute the process, and identify factors causing deviations from the process blueprint.
  • Good practice identification searches for effective paths of process execution, identifies key people and potential training needs as well as success factors. By measuring performance characteristics, such as execution and lead times, and by spotting duplicate or unplanned activities, areas for improvement can be identified.
  • Organisational analyses show how people and teams collaborate, and how they comply with segregation of duties and with their assigned roles and responsibilities.

How does this work?

Based on the selected processes and the underlying system, we provide you with a set of tables and fields that you need to download for a specific time period. This includes master data, transactional data as well as change tables. If you use SAP, we have a proprietary, open-source download tool that will be made available to you to ensure smooth and efficient extraction of data.

We analyse your data with our Process Intelligence tool, which is paired with our proprietary SAP process and data dictionary knowledge to translate your data into actual business process flows. The output of this analysis is then discussed with the process owners and specialists and refined accordingly. This ensures that we adequately consider all business specifics.

After we arrive at a detailed understanding of your processes, we will share the results with you in a workshop and discuss the real process flows, any potential deviations and related implications for the audit as well as for your business.

For widely-used ERP systems, such as SAP ECC, Microsoft AX and Oracle, we have off-the-shelf scripts to analyse your main processes, e.g., procurement, sales and master data management processes. Further scripts can be developed depending on your needs.

What do you get out of it?

The results of our analysis will be made available to you. Our Process Intelligence reports include:

  • Process transparency depicting the processes from various relevant angles.
  • A process health-check dashboard consisting of the top-ten most common or seldom used process paths, the value they generate, the most or least active users, and the most “expensive” paths, for example.
  • Transactional-level process indicators, such as “retrospective purchase orders”, “journals parked over 30 days”, “inventory movements” and “three-way-match configuration”.
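As an added illustration of the process discovery, conformance and segregation-of-duties techniques listed earlier, and of transactional indicators such as the “retrospective purchase order”, the following Python example mines a constructed purchase-to-pay event log. It is not PwC’s Process Intelligence tooling; the event log, blueprint, user names and conflict pairs are invented sample data.

```python
# Added example: process mining over a constructed purchase-to-pay event log.
# Not PwC's Process Intelligence tooling; all data below is invented sample data.
from collections import Counter

# Constructed event log: (case id, activity, user, ISO timestamp); timestamps sort as strings.
EVENT_LOG = [
    ("PO-1", "Create PO", "alice", "2016-03-01T09:00"),
    ("PO-1", "Goods receipt", "bob", "2016-03-03T10:00"),
    ("PO-1", "Invoice receipt", "carol", "2016-03-04T11:00"),
    ("PO-1", "Payment", "dave", "2016-03-10T12:00"),
    ("PO-2", "Invoice receipt", "carol", "2016-03-02T08:00"),
    ("PO-2", "Create PO", "erin", "2016-03-05T09:00"),   # PO raised after the invoice
    ("PO-2", "Goods receipt", "erin", "2016-03-05T09:30"),
    ("PO-2", "Payment", "erin", "2016-03-06T10:00"),     # same user end to end
    ("PO-3", "Create PO", "alice", "2016-03-07T09:00"),
    ("PO-3", "Goods receipt", "bob", "2016-03-08T10:00"),
    ("PO-3", "Invoice receipt", "carol", "2016-03-09T11:00"),
    ("PO-3", "Payment", "dave", "2016-03-12T12:00"),
]
# Process blueprint: the intended order of activities (hypothetical).
BLUEPRINT = ("Create PO", "Goods receipt", "Invoice receipt", "Payment")
# Activity pairs one person should not both perform in the same case (hypothetical).
SOD_CONFLICTS = {("Create PO", "Payment"), ("Goods receipt", "Payment")}

def cases(log):
    """Group events by case and order each case's events by timestamp."""
    by_case = {}
    for case_id, activity, user, ts in log:
        by_case.setdefault(case_id, []).append((ts, activity, user))
    return {cid: sorted(evs) for cid, evs in by_case.items()}

def discover_variants(log):
    """Process discovery: how often each distinct path through the process occurs."""
    return Counter(tuple(a for _, a, _ in evs) for evs in cases(log).values())

def nonconforming_cases(log, blueprint=BLUEPRINT):
    """Conformance check: cases whose activity order deviates from the blueprint."""
    return sorted(cid for cid, evs in cases(log).items()
                  if tuple(a for _, a, _ in evs) != blueprint)

def retrospective_pos(log):
    """Indicator: goods or invoice were received before the PO was created."""
    hits = []
    for cid, evs in cases(log).items():
        when = {a: t for t, a, _ in evs}
        po = when.get("Create PO")
        if po and any(when.get(a, po) < po for a in ("Goods receipt", "Invoice receipt")):
            hits.append(cid)
    return sorted(hits)

def sod_violations(log, conflicts=SOD_CONFLICTS):
    """Segregation of duties: one user performed two conflicting activities in a case."""
    out = []
    for cid, evs in cases(log).items():
        who = {a: u for _, a, u in evs}
        for first, second in sorted(conflicts):
            if first in who and second in who and who[first] == who[second]:
                out.append((cid, who[first], first, second))
    return sorted(out)

if __name__ == "__main__":
    print(discover_variants(EVENT_LOG), nonconforming_cases(EVENT_LOG),
          retrospective_pos(EVENT_LOG), sod_violations(EVENT_LOG), sep="\n")
```

On the sample log, PO-2 is flagged by all three checks: it deviates from the blueprint, its invoice predates the purchase order, and one user both raised the order and released the payment.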

For more information on the topic discussed above please contact me or visit our website.