| Regulation | Description | Security solutions | Status | Notes |
|---|---|---|---|---|
| Gramm-Leach-Bliley Act | Privacy requirements for customers' financial data. Mandates the publication of the privacy standards used by financial institutions and restricts the use and transfer of data between organizations. | Act-specific software solutions; Database; Customer management systems | Operational | Operational and integrated IT solutions anticipated. |
| SEC Rule 17a-4 | The retention of internal and external e-mail communications in line with SEC Rule 17a-4. | E-mail data management solutions; Storage solutions; WORM; Database; Server & networking | Operational | Operational and IT solutions demand started. |
| USA PATRIOT Act | US Government Act to widen existing Anti-Money Laundering (AML) requirements; it will affect all financial institutions. | Tools to enhance knowledge management; AML infrastructure tools; Integration of transaction-processing systems | Operational | Part of a worldwide AML initiative; operational and IT solutions to reduce cost and risk are emerging. |
| Basel II Accord | Regulation to introduce a standardized, risk-sensitive capital framework for international financial institutions. | Data collection; Analysis; Monitoring or tracking solutions; Risk identification technology (operational, credit and market) | Operational | Continuing compliance in stages; IT investments started, usually as part of an integrated regulatory and compliance infrastructure. |
| Sarbanes-Oxley Act (SOX) | The 2002 Sarbanes-Oxley Act mandates that all auditing firms retain records relevant to audits and reviews, and also has significant implications for companies' IT resources. | Document retention systems; Email management systems; Content management storage solutions | Operational | SOX 404 deadline for non-accelerated filers and foreign private issuers in 2007 opens up IT solutions for automated reporting, including for US-owned off-shore corporations. |
| Universal Market Integrity Rules (UMIR) | UMIR was introduced in 2003 to provide a common set of rules for all equity markets in Canada. The rules cover a wide range of activities, from manipulative or deceptive forms of trading to order entry. | Trading packages & systems; Risk management; Risk profiling and monitoring; Networking; Database; Storage; Audit trail; Disaster recovery; Security; AML systems; Processor systems | Operational | A review is underway and is expected to lead to changes in the regulations. |
| National Association of Securities Dealers (NASD) Rule 3010 | Rule 3010 requires members to establish and maintain supervisory systems for each of their associated persons. It outlines the need for each member to establish and maintain a system to supervise the activities of each registered representative and associated person. | CRM; Content management; Archiving | Operational | Operational and IT solutions emerging. |
| National Association of Securities Dealers (NASD) Rule 3110 | Rule 3110 outlines the control of customer account information. Its provisions require members to 'make and preserve books, accounts, records, memoranda, and correspondence.' | Storage; Data management; Data collection | Operational | Operational and IT solutions emerging. |
| Check 21 | The Check Clearing for the 21st Century Act (Check 21) allows banks to replace paper checks with electronic images of the check to speed clearing and distribution of funds. | Imaging equipment; Image handling and verification software; Security; Communications equipment; Image database; Processing power; Disaster recovery; Backup; ILM | Operational | Operational and IT solutions emerging. |
| Financial Services Authority (FSA) Reporting Rules | The new Capital Requirements Directive (CRD) requires new financial reporting by credit institutions and investment firms, in addition to existing returns, using the FSA online Early Reporting System (ERS). | Online reporting infrastructure, including security, information management and web interface | Operational | Operational and IT requirements are high priority. |
| Multilateral Instrument 52-111, Reporting on Internal Control over Financial Reporting, Canadian Securities Administrators (CSA) | The proposed requirements are expected to continue the harmonization of Canadian regulatory reporting and certification rules with Sarbanes-Oxley. Under the proposed rules, reporting issuers on the Toronto Stock Exchange (TSX) will have to adhere to the following: management will be required to issue a report on the effectiveness of internal control over financial reporting; an external auditor will be required to issue an audit report on management's assessment. | Document management systems; Email management systems; Content management, storage & security solutions; Disaster recovery; Updates to accountancy systems and ERP systems; Processing power, server and network | Operational | Implementation of IT to reduce the cost and risk of reporting. |
| Personal Information Protection and Electronic Documents Act (PIPEDA), Canada | PIPEDA is described as an act to "promote the use of electronic commerce by protecting personal information that is collected". In doing so, PIPEDA prohibits the use of personal data without the explicit permission of the individual involved. It requires the collector of the information to identify the use for the data, obtain permission to collect it and hold it securely. Beyond this, it must be shown that the stored data has only been used in the way in which it was intended. Individuals may also request to be shown what has been stored and the uses to which it has been put. | Storage; Audit trail; Backup; Disaster recovery; Security; Database; Electronic signature technologies | Operational | Operational and IT solutions emerging. |
| CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act), US | The Act provides controls on the way email is used for commercial purposes. It requires that unsolicited commercial emails are clearly labelled and offer the recipient the ability to opt out. It prohibits the use of deceptive subject lines and false headers. It also stipulates that emails are not sent to automatically generated addresses or addresses obtained through underhand means. | Audit trail; Email systems; CRM systems; Authentication technologies | Operational | Operational and IT solutions emerging. |
| 58-201 Effective Governance and Proposed Multilateral Instrument | This law and its attendant instrument are in the final discussion stages in Canada. Based on the Toronto Stock Exchange's (TSX) existing rules for corporate governance, they are expected to be passed as national (Canadian) policy. At the same time the TSX is expected to repeal its own rules and adopt 58-201. | Document retention systems; Email management systems; Content management storage solutions | Operational | Fully operational; demand for IT solutions is still expected, to reduce cost and risk. |
| California Database Breach Act, State Bill SB 1386 | Applies to all individuals and organizations wishing to do business in California. This bill is designed to protect consumers from identity theft. It builds on existing privacy laws and mandates notice of any breach of security or other exposure. | IT security applications and services; Customer data handling | Operational | Fully operational; demand for IT solutions is still expected, to reduce cost and risk. |
| Privacy Act | The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution, and that provide individuals with a right of access to that information. | Storage; Security; Data management; Data consolidation; Database; Data mining; Disaster recovery; Document management | Operational | In operation and continually being updated. |
| Do-Not-Call Registry | The Federal Trade Commission (FTC) has amended the Telemarketing Sales Rule (TSR) to give consumers a choice about whether they want to receive most telemarketing calls. It will be illegal for most telemarketers or sellers to call a number listed on the registry. Similar standards and laws exist in the UK (Direct Marketing Association 'Preferred Services'). | Data storage; CRM | Operational | Adapting contact and call centre IT systems. |
| Corporate Information Security Accountability Bill | Currently a draft bill that calls for US publicly listed firms to adhere to minimum IT security standards that would be set by the Securities and Exchange Commission (SEC). Proposes an annual audit, with results to be submitted with annual reports and SOX submissions. | Affects a wide range of security products to help companies comply with 'industry standard' security practices. Also requires tools to assist with gap analysis, scoping and audit. | Potential | Draft bill. |
| PCI (Payment Card Industry) Data Security Standard | The PCI Data Security Standard is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including Visa, MasterCard, American Express, Discover Financial Services and JCB, to facilitate the broad adoption of consistent data security measures on a global basis. | The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer account data. | Operational | Adopted; IT infrastructure solutions being implemented. |
| ISO 20000 IT Service Management Standard | ISO 20000 comprises two parts: ISO 20000-1 is the 'Specification for Service Management' and ISO 20000-2 is the 'Code of Practice for Service Management'. Together these form a top-down framework defining the features of the service management processes that are essential for the delivery of high-quality services. ISO 20000 allows IT organizations to formally certify their IT services, using ITIL (Information Technology Infrastructure Library) global best practice for IT service delivery. | Security management; Storage management; Business application management; Server, network & device management | Operational | Rapidly adopted as the international standard for IT service management based upon ITIL, with substantial TCO reduction as the business case. |
| ISO 27001 Information Security Standard | ISO 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems, in order to reduce their information security vulnerability. | ERP solutions; IT security applications and services | Operational | Rapidly being adopted worldwide as the standard for business information security. |
| IAS (International Accounting Standards) | International standards on accounting and the regulation of financial result calculation. Designed to improve transparency; they represent a step towards a common global accounting standard. | Enterprise integration systems; Data gathering systems | Operational | The legislation will require significant investment in appropriate systems to facilitate internal reporting and data gathering. |
| Order Audit Trail System (OATS), NASD Rules 6950 to 6957 | The National Association of Securities Dealers (NASD) has established the Order Audit Trail System (OATS) to create an audit trail of order, quote and trade information for Nasdaq securities. This information is passed to OATS to provide an audit trail for each deal. Members must synchronize their business clocks for recording the date and time of each deal. | Networking; Security; Specialist trading applications; Backup; Time-stamping technology; Document management; Database | Operational | Operational, and IT investment necessary to reduce cost and risk. |
| Straight Through Processing (STP) | STP aims to reduce trade settlement timescales by implementing technology that allows straight-through processing of trades. STP still faces challenges in allowing for time differences around the world. | Middleware upgrade; Messaging; Transformation; Data enrichment and routing; Database integration; Integrating internal applications to automate internal processing | Operational | Operational, and IT solutions necessary to integrate processes. |
| Sound Practices to Strengthen the Resilience of the US Financial System | Standards introduced to improve all finance organizations' disaster recovery and business resilience capabilities in the post-September 11th high-risk environment, and to combat the effects of major virus attacks and natural disasters. | Data/content management; Digital security; Remote storage; Network management services; Disaster recovery; Backup; Storage management; Business continuity | Operational | Operational, and IT solutions starting. |
| Enhancing Services Through the Innovative Use of Information and Technology | This enshrines Canada's e-Government initiatives, taking a 10-year strategic vision of the steps and initiatives needed to deliver access to government services. | Communications; Internet services and technologies; Security and user identification; Storage; Document management; Data consolidation | Operational | Steady demand for integrated IT solutions. |
| T+1 (Settling securities in one day) | Regulation aimed at shortening the settlement of traded securities from 3 days to 1 day. | Middleware upgrade; Messaging; Transformation; Data enrichment and routing; Database integration; Integrating internal applications to automate internal processing | Potential | The Securities Industry Association (SIA) is pushing a set of objectives based on Straight Through Processing (STP) that will supersede T+1 in time. |