Understanding Dodd-Frank IT Requirements

How to bring your network and data into compliance with the Dodd-Frank Wall Street Reform and Consumer Protection Act

Background

This document provides a brief overview of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act") and its impact on IT departments. The Dodd-Frank Act is a federal law signed by President Barack Obama on July 21, 2010. Its stated aim is to promote the financial stability of the United States by improving accountability and transparency in the financial system.

Dodd-Frank requires the management of covered companies to systematically evaluate and improve the effectiveness of their risk management, control, and governance processes. It affects nearly every aspect of financial services, from hedge fund and investment advising to proprietary trading, consumer protection, and capital reserve limits.

The Dodd-Frank Act also builds on Sarbanes-Oxley (SOX) and covers both publicly traded companies and the private subsidiaries or affiliates of publicly traded companies whose financial information is included in consolidated financial statements. Because many Dodd-Frank compliance requirements overlap with SOX, companies can consolidate the two compliance efforts rather than duplicating them, and so reduce their operating costs.

Key IT Requirements

Each entry below gives the Requirement (the title and section of the Dodd-Frank Wall Street Reform and Consumer Protection Act), the Description (the statutory text), and the Varonis Product/Feature that helps address it.
Requirement: TITLE I – FINANCIAL STABILITY: OFFICE OF FINANCIAL RESEARCH, SEC. 154 ORGANIZATIONAL STRUCTURE; RESPONSIBILITIES OF PRIMARY PROGRAMMATIC UNITS

Description:
There are established within the Office, to carry out the programmatic responsibilities of the Office, (1) the Data Center. The Data Center, on behalf of the Council, shall collect, validate, and maintain all data necessary to carry out the duties of the Data Center.
General duties:
• Authority: the Data Center may require financial companies to submit periodic and other reports for the purpose of assessing whether a financial activity, a financial market, or the company itself poses a threat to the financial stability of the United States.
• Collection of financial transaction and position data.
Responsibilities:
• Confidentiality: the Data Center shall not publish any confidential data.
• Information security: the Director shall ensure that data collected and maintained by the Data Center are kept secure and protected against unauthorized disclosure.

Varonis Product/Feature:
Collecting and validating data. For the Data Center to carry out its general duties, it must have a clear understanding of where data is stored, who owns it, who is responsible for it, and who is authorized to use it. Varonis DatAdvantage monitors, and stores in a searchable format, all aspects of data use for information stored on file servers and Network Attached Storage (NAS) devices. It provides a detailed record of file server contents and how they are used, including file names, folders, access privileges to files and folders (a user's or group's NTFS permissions), data use by user name or group name (create, open, delete, rename), and a list of the likely business owners of the data, all of which are easily reportable. DatAlert can be configured to send real-time alerts on a number of actions, including the granting of administrative rights to a user or group, so the organization can detect when privileged access has been granted erroneously and act before it is abused.
Confidentiality. Part of the Data Center's general duties is to ensure that sensitive data remains confidential and unpublished, and the Director of the Office is responsible for keeping that data secure. The Varonis IDU Classification Framework helps identify sensitive content within the Data Center's unstructured data, determine who has access to it, who is using it, and who should be responsible for it (the data owners), all of which is also reportable.
Requirement: TITLE IV – REGULATION OF ADVISERS TO HEDGE FUNDS AND OTHERS, SEC. 404 COLLECTION OF SYSTEMIC RISK DATA; REPORTS; EXAMINATIONS; DISCLOSURES

Description:
(6) EXAMINATION OF RECORDS.
(A) PERIODIC AND SPECIAL EXAMINATIONS. The Commission (i) shall conduct periodic inspections of the records of private funds maintained by an investment adviser registered under this title in accordance with a schedule established by the Commission; and (ii) may conduct at any time and from time to time such additional, special, and other examinations as the Commission may prescribe as necessary and appropriate in the public interest and for the protection of investors, or for the assessment of systemic risk.
(B) AVAILABILITY OF RECORDS. An investment adviser registered under this title shall make available to the Commission any copies or extracts from such records as may be prepared without undue effort, expense, or delay, as the Commission or its representatives may reasonably request.
(7) INFORMATION SHARING.
(A) IN GENERAL. The Commission shall make available to the Council copies of all reports, documents, records, and information filed with or provided to the Commission by an investment adviser under this subsection as the Council may consider necessary for the purpose of assessing the systemic risk posed by a private fund.
CONFIDENTIALITY. The Council shall maintain the confidentiality of information received under this paragraph in all such reports, documents, records, and information, in a manner consistent with the level of confidentiality established for the Commission pursuant to paragraph (8).
(B) PROPRIETARY INFORMATION. For purposes of this paragraph, proprietary information includes sensitive, nonpublic information regarding (i) the investment or trading strategies of the investment adviser; (ii) analytical or research methodologies; (iii) trading data; (iv) computer hardware or software containing intellectual property; and (v) any additional information that the Commission determines to be proprietary.
(11) ANNUAL REPORT TO CONGRESS. The Commission shall report annually to Congress on how the Commission has used the data collected pursuant to this subsection to monitor the markets for the protection of investors and the integrity of the markets.

Varonis Product/Feature:
Inspection and availability of the records. Locating and retrieving all relevant data without undue effort, expense, or delay for periodic inspections and special examinations can be daunting. With an incremental data classification and indexing engine such as the Varonis IDU Classification Framework and Varonis DatAnswers, the records requested in an inspection or examination can be located and produced promptly. DatAnswers maintains an index so that electronic information containing specific terms can be found at any time. The IDU Classification Framework can automatically locate financial records and other sensitive data based on many criteria (keywords, patterns, date created, date last accessed, date modified, user access, owner, and more), making it possible for IT to prepare for inspections and examinations.
Information sharing. DatAnywhere enables mobile access, file synchronization, and secure third-party sharing for existing file shares. Files, particularly confidential files, can stay exactly where they are, on existing SMB file servers or NAS. Third-party access is monitored and can be revoked at any time, and third-party links can carry expiration dates and PIN codes for extra security. Third parties do not require an entry in the organization's Active Directory or LDAP directory.
Private cloud benefits:
• Definitive copies of files are always stored on corporate storage.
• No one gets permissions to shared data unless they already have it.
• Users authenticate to Active Directory or LDAP, and there is no need to reconfigure or replicate permissions.
• IT controls speed, availability, and security.
Requirement: TITLE VII – WALL STREET TRANSPARENCY AND ACCOUNTABILITY: REGULATION OF SWAP MARKETS, SEC. 728 SWAP DATA REPOSITORIES

Description:
DATA IDENTIFICATION. (A) IN GENERAL. In accordance with subparagraph (B), the Commission shall prescribe standards that specify the data elements for each swap that shall be collected and maintained by each registered swap data repository. (B) REQUIREMENT. In carrying out subparagraph (A), the Commission shall prescribe consistent data element standards applicable to registered entities and reporting counterparties.
DATA COLLECTION AND MAINTENANCE. The Commission shall prescribe data collection and data maintenance standards for swap data repositories.
(c) DUTIES. A swap data repository shall:
(1) accept data prescribed by the Commission for each swap under subsection (b);
(2) confirm with both counterparties to the swap the accuracy of the data that was submitted;
(3) maintain the data described in paragraph (1) in such form, in such manner, and for such period as may be required by the Commission;
(4)(A) provide direct electronic access to the Commission (or any designee of the Commission, including another registered entity); and (B) provide the information described in paragraph (1) in such form and at such frequency as the Commission may require to comply with the public reporting requirements contained in section 2(a)(13);
(5) at the direction of the Commission, establish automated systems for monitoring, screening, and analyzing swap data, including compliance and frequency of end user clearing exemption claims by individual and affiliated entities;
(6) maintain the privacy of any and all swap transaction information that the swap data repository receives from a swap
(7) on a confidential basis pursuant to section 8, upon request, and after notifying the Commission of the request, make available all data obtained by the swap data repository, including individual counterparty trade and position data, to (A) each appropriate prudential regulator; (B) the Financial Stability Oversight Council; (C) the Securities and Exchange Commission; (D) the Department of Justice; and (E) any other person that the Commission determines to be appropriate, including (i) foreign financial supervisors (including foreign futures authorities); (ii) foreign central banks; and (iii) foreign ministries; and
(8) establish and maintain emergency procedures, backup facilities, and a plan for disaster recovery that allows for the timely recovery and resumption of operations and the fulfillment of the responsibilities and obligations of the organization.
(d) CONFIDENTIALITY AND INDEMNIFICATION AGREEMENT. Before the swap data repository may share information with any entity described in subsection (c)(7), (1) the swap data repository shall receive a written agreement from each entity stating that the entity shall abide by the confidentiality requirements described in section 8 relating to the information on swap transactions that is provided; and (2) each entity shall agree to indemnify the swap data repository and the Commission for any expenses arising from litigation relating to the information provided under section
DESIGNATION OF CHIEF COMPLIANCE OFFICER. (1) IN GENERAL. Each swap data repository shall designate an individual to serve as a chief compliance officer. (2) DUTIES. The chief compliance officer shall (A) report directly to the board or to the senior officer of the swap data repository; (B) review the compliance of the swap data repository with respect to the requirements and core principles described in this section; (C) in consultation with the board of the swap data repository, a body performing a function similar to the board of the swap data repository, or the senior officer of the swap data repository, resolve any conflicts of interest that may arise; (D) be responsible for administering each policy and procedure that is required to be established pursuant to this section; (E) ensure compliance with this Act (including regulations) relating to agreements, contracts, or transactions, including each rule prescribed by the Commission under this section; (F) establish procedures for the remediation of noncompliance issues identified by the chief compliance officer through any (i) compliance office review; (ii) look-back; (iii) internal or external audit finding; (iv) self-reported error; or (v) validated complaint; and (G) establish and follow appropriate procedures for the handling, management response, remediation, retesting, and closing of noncompliance issues.

Varonis Product/Feature:
Swap data repositories (SDRs) are new entities created by the Dodd-Frank Act to provide a central facility for swap data reporting and recordkeeping. They are required to comply with data standards set by the CFTC, including real-time public reporting of swap transaction data to a "disseminator" such as a derivatives clearing organization or a swap execution facility. Varonis provides a software platform that allows data centers to map, analyze, manage, and migrate their unstructured data.
Data maintenance. DatAdvantage monitors, and stores in a searchable format, all aspects of data use for information stored on file servers and NAS devices, providing assurance that basic preventive controls (permissions) are in place and correctly configured, and detective controls through auditing and analysis of data use. It provides a detailed record of file server contents and how they are used, including file names, folders, access privileges to files and folders (a user's or group's NTFS permissions), data use by user name or group name (create, open, delete, rename), and a list of the likely business owners of the data.
Sensitive and confidential data. The IDU Classification Framework incorporates content classification produced by looking within files for the keywords, phrases, and patterns (regular expressions) that are of interest to the organization. It also identifies the highest concentrations of sensitive data that are most at risk and provides a clear methodology to remediate that risk without manual effort.
Reporting and access controls. DatAdvantage reports identify, prioritize, and remediate excessive access to sensitive, high-risk data. DataPrivilege helps define the policies and processes that govern who can access, and who can grant access to, unstructured data, and it enforces the workflow and the action to be taken (allow, deny, or allow for a limited period). This has a two-fold effect on the consistent and broad communication of the access policy: it unites all of the responsible parties (data owners, auditors, data users, and IT) around the same information, and it lets organizations continually monitor the access framework so they can adjust it both for Dodd-Frank and for continuous enforcement of warranted access. With DatAdvantage and DataPrivilege, compliance officers and auditors can receive regular reports of data use and access activity for privileged and protected information to confirm compliant use and safekeeping.
Data transfer. The Varonis Data Transport Engine lets you configure complete end-to-end migration rules: source criteria based on path and/or content, classification rule, Varonis ownership and follow-up (flag/tag) criteria; destination path, folder, and permissions translation; and when the migration takes place. These rules allow complex data migrations to be executed rapidly and safely, and make it easy to implement and enforce policies for data retention and location based on content, accessibility, and activity.
Data sharing. DatAnywhere provides the same monitored, revocable third-party sharing described under Title IV above: files stay on existing SMB file servers or NAS, links can carry expiration dates and PIN codes, and third parties need no Active Directory or LDAP entry.
Requirement: TITLE IX – INVESTOR PROTECTIONS AND IMPROVEMENTS TO THE REGULATION OF SECURITIES: INCREASING REGULATORY ENFORCEMENT AND REMEDIES, SEC. 929I PROTECTING CONFIDENTIALITY OF MATERIALS SUBMITTED TO THE COMMISSION

Description:
RECORDS OBTAINED FROM REGISTERED PERSONS. (1) IN GENERAL. Except as provided in subsection (f), the Commission shall not be compelled to disclose records or information obtained pursuant to section 17(b), or records or information based upon or derived from such records or information, if such records or information have been obtained by the Commission for use in furtherance of the purposes of this title, including surveillance, risk assessments, or other regulatory and oversight activities.
(d) LIMITATIONS ON DISCLOSURE BY THE COMMISSION. Notwithstanding any other provision of law, the Commission shall not be compelled to disclose any records or information provided to the Commission under section 204, or records or information based upon or derived from such records or information, if such records or information have been obtained by the Commission for use in furtherance of the purposes of this title, including surveillance, risk assessments, or other regulatory and oversight activities. Nothing in this subsection authorizes the Commission to withhold information from the Congress or prevent the Commission from complying with a request for information from any other Federal department or agency requesting the information for purposes within the scope of jurisdiction of that department or agency, or complying with an order of a court of the United States in an action brought by the United States or the Commission. For purposes of section 552 of title 5, United States Code, this subsection shall be considered a statute described in subsection (b)(3)(B) of such section 552. Collection of information pursuant to section 204 shall be an administrative action involving an agency against specific individuals or agencies pursuant to section 3518(c)(1) of title 44, United States Code.

Varonis Product/Feature:
Varonis helps organizations protect confidential materials and reduce risk by showing them where their data is and who should and should not have access to it. DatAdvantage identifies, prioritizes, reports on, and remediates areas of risk by highlighting where sensitive information is overexposed and where employees have more access than they need, and by alerting on abnormal behavior and potential abuse. It also provides data owners with detailed reports, including data use (every user's every file touch), user activity on sensitive data, permission changes that affect the access of a given file or folder, and a detailed record of permission revocations, including the users and the data for which permissions were revoked. With DataPrivilege, organizations can implement a cohesive data entitlement environment, raising accountability and reducing risk.
Requirement: TITLE IX – INVESTOR PROTECTIONS AND IMPROVEMENTS TO THE REGULATION OF SECURITIES: IMPROVEMENTS TO THE REGULATION OF CREDIT RATING AGENCIES, SEC. 932 ENHANCED REGULATION, ACCOUNTABILITY, AND TRANSPARENCY OF NATIONALLY RECOGNIZED STATISTICAL RATING ORGANIZATIONS

Description:
(3) INTERNAL CONTROLS OVER PROCESSES FOR DETERMINING CREDIT RATINGS. (A) IN GENERAL. Each nationally recognized statistical rating organization shall establish, maintain, enforce, and document an effective internal control structure governing the implementation of and adherence to policies, procedures, and methodologies for determining credit ratings, taking into consideration such factors as the Commission may prescribe, by rule. (B) ATTESTATION REQUIREMENT. The Commission shall prescribe rules requiring each nationally recognized statistical rating organization to submit to the Commission an annual internal controls report, which shall contain (i) a description of the responsibility of the management of the nationally recognized statistical rating organization in establishing and maintaining an effective internal control structure under subparagraph (A); (ii) an assessment of the effectiveness of the internal control structure of the nationally recognized statistical rating organization; and (iii) the attestation of the chief executive officer, or equivalent individual, of the nationally recognized statistical rating organization.

Varonis Product/Feature:
Varonis provides a comprehensive system for meeting internal control objectives:
Risk assessment. DatAdvantage identifies and prioritizes areas of risk by highlighting where sensitive information is overexposed and where employees have more access than they need, and alerts on abnormal behavior and potential abuse.
Control environment. DatAdvantage recommends revoking permissions for users who have no business need for the data, so that user access is always warranted and driven by least privilege.
Information and communication. DatAdvantage provides data stewards with detailed reports, including data use (every user's every file touch), user activity on sensitive data, permission changes that affect the access of a given file or folder, and a detailed record of permission revocations, including the users and the data for which permissions were revoked.
Control activities. DataPrivilege is a web-based application that controls, monitors, and administers users' requests for access to unstructured data (files, email, SharePoint, and so on).
Monitoring. DatAdvantage monitors every user's file touch and stores, in a searchable format, all aspects of data use for information stored on file servers and NAS devices.
Attestations. DatAdvantage and DataPrivilege provide the means to conduct a full, in-depth data entitlement review in which all user privileges to data are reported, together with reports of historical access rights to data sets that show any trend toward overly permissive access.
Requirement: TITLE IX – INVESTOR PROTECTIONS AND IMPROVEMENTS TO THE REGULATION OF SECURITIES: IMPROVEMENTS TO THE MANAGEMENT OF THE SECURITIES AND EXCHANGE COMMISSION, SEC. 963 ANNUAL FINANCIAL CONTROLS AUDIT

Description:
(a) REPORTS OF COMMISSION. (1) ANNUAL REPORTS REQUIRED. Not later than 6 months after the end of each fiscal year, the Commission shall publish and submit to Congress a report that (A) describes the responsibility of the management of the Commission for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (B) contains an assessment of the effectiveness of the internal control structure and procedures for financial reporting of the Commission during that fiscal year. (2) ATTESTATION. The reports required under paragraph (1) shall be attested to by the Chairman and chief financial officer of the Commission.
(b) REPORT BY COMPTROLLER GENERAL. (1) REPORT REQUIRED. Not later than 6 months after the end of the first fiscal year after the date of enactment of this Act, the Comptroller General of the United States shall submit a report to Congress that assesses (A) the effectiveness of the internal control structure and procedures of the Commission for financial reporting; and (B) the assessment of the Commission under subsection (a)(1)(B). (2) ATTESTATION. The Comptroller General shall attest to, and report on, the assessment made by the Commission under subsection (a).

Varonis Product/Feature:
With Varonis, organizations can conduct data security reviews (attestations) at will and generate access reports on demand. These reports can focus narrowly on data of a particular type or on access by a particular group, or broadly on access activity trends for the organization (active users, inactive users, active data, stale data, data business ownership reports, and so on). They give auditors the means to determine whether the appropriate security policies are in place and being enforced.
Requirement: TITLE X – BUREAU OF CONSUMER FINANCIAL PROTECTION, SEC. 1017 FUNDING; PENALTIES AND FINES

Description:
(D) ASSERTION OF INTERNAL CONTROLS. The Director shall provide to the Comptroller General of the United States an assertion as to the effectiveness of the internal controls that apply to financial reporting by the Bureau, using the standards established in section 3512(c) of title 31, United States Code.

Varonis Product/Feature:
DatAdvantage helps organizations examine and audit the use of privileged accounts to detect and prevent abuse. With a continual audit record of all file, email, SharePoint, and directory services activity, DatAdvantage provides visibility into administrative users' actions; the log can be viewed interactively or delivered as email reports. DatAdvantage can also identify when users hold administrative rights they do not use or need, and provides a way to remove the excess privileges safely without impacting the business. Through DataPrivilege, membership in administrative groups can be tightly controlled, audited, and reviewed. DatAlert can be configured to send real-time alerts on a number of actions, including the granting of administrative rights to a user or group, so the organization can detect when privileged access has been granted erroneously and act before it is abused.
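The alert described above, a notification whenever administrative rights are granted, can be reproduced outside any product by watching the Windows Security log for the group-membership events Windows raises (4728, 4732 and 4756, "a member was added to a security-enabled global/local/universal group"). The Python below is an added example written for this page; it is not Varonis code and does not describe how DatAlert works internally. It runs over constructed JSON-lines events (the field names follow the Windows Security event schema, the values and SIDs are made up), uses an assumed list of privileged groups, an assumed approved provisioning account and a constructed directory snapshot to tell users from groups, and also catches the indirect case in which a non-privileged group is first nested into an administrative group and a user is then added to that group.

```python
import json
from collections import Counter

# Windows Security event IDs logged when a member is added to a
# security-enabled group (global, local and universal scope respectively).
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Assumed baseline of groups treated as administrative; tune per environment.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "DnsAdmins",
}
# Assumed identity allowed to change privileged groups (e.g. the service
# account of an approved provisioning workflow); anything else is suspect.
APPROVED_GRANTORS = {"svc-iam-provision"}

# Constructed directory snapshot (not real data): SID -> (objectClass, name).
# Needed because the membership events name the member but do not say
# whether it is a user or a group.
DIRECTORY = {
    "S-1-5-21-1-2-3-1105": ("user", "alice.ops"),
    "S-1-5-21-1-2-3-1187": ("user", "bsmith"),
    "S-1-5-21-1-2-3-2001": ("group", "Finance-Analysts"),
    "S-1-5-21-1-2-3-1190": ("user", "clee"),
}

# Constructed JSON-lines events (not real logs). Field names follow the
# Windows Security event schema: SubjectUserName = who made the change,
# TargetUserName = the group, MemberName/MemberSid = the principal added.
SAMPLE_EVENTS = """
{"ts": "2024-03-01T10:15:02Z", "EventID": 4728, "SubjectUserName": "svc-iam-provision", "TargetUserName": "Domain Admins", "MemberName": "CN=Alice Ops,OU=Admins,DC=corp,DC=example", "MemberSid": "S-1-5-21-1-2-3-1105"}
{"ts": "2024-03-01T10:17:45Z", "EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=Bob Smith,OU=Users,DC=corp,DC=example", "MemberSid": "S-1-5-21-1-2-3-1187"}
{"ts": "2024-03-01T10:18:10Z", "EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Administrators", "MemberName": "CN=Finance-Analysts,OU=Groups,DC=corp,DC=example", "MemberSid": "S-1-5-21-1-2-3-2001"}
{"ts": "2024-03-01T10:20:00Z", "EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Analysts", "MemberName": "CN=Carol Lee,OU=Users,DC=corp,DC=example", "MemberSid": "S-1-5-21-1-2-3-1190"}
{"ts": "2024-03-01T10:21:30Z", "EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}
"""


def parse_events(text):
    """Parse JSON-lines event text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_privileged_grants(events, directory=DIRECTORY):
    """Return one alert per grant of administrative rights, direct or nested.

    A grant is direct when the target group is privileged. It is nested when
    the target group was earlier added to a privileged group: from then on,
    anyone added to it inherits administrative rights, so those events are
    alerted on too. Severity: "info" if an approved grantor made the change,
    "critical" if a group (not a user) was nested into an admin group,
    otherwise "high".
    """
    alerts = []
    nested = {}  # non-privileged group name -> privileged group it now sits in
    for ev in events:
        scope = GROUP_ADD_EVENTS.get(ev.get("EventID"))
        if scope is None:
            continue  # not a group-membership addition
        group = ev.get("TargetUserName", "")
        direct = group in PRIVILEGED_GROUPS
        via = nested.get(group)
        if not direct and via is None:
            continue  # addition to a group that confers no admin rights
        obj_class, member = directory.get(
            ev.get("MemberSid"), ("unknown", ev.get("MemberName", "")))
        grantor = ev.get("SubjectUserName", "")
        if obj_class == "group":
            # Remember the nesting so later additions to this group alert too.
            nested[member] = group if direct else via
        if grantor in APPROVED_GRANTORS:
            severity = "info"
        elif obj_class == "group":
            severity = "critical"
        else:
            severity = "high"
        alerts.append({
            "ts": ev["ts"],
            "severity": severity,
            "group": group,
            "scope": scope,
            "member": member,
            "grantor": grantor,
            "reason": "direct" if direct else f"nested via {group} -> {via}",
        })
    return alerts


def summarize(alerts):
    """Count alerts by severity, e.g. for a daily digest."""
    return Counter(a["severity"] for a in alerts)


if __name__ == "__main__":
    for alert in detect_privileged_grants(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample this yields four alerts: the provisioning account's change is logged at "info", the direct addition of a user to Domain Admins by an ordinary administrator is "high", nesting the Finance-Analysts group into Administrators is "critical", and the subsequent addition of a user to Finance-Analysts is flagged even though that group is not on the privileged list, because the nesting made it one. The nesting map is held in memory here; a production detector would seed it from the directory so that pre-existing nested groups are covered from the first event.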
Requirement: TITLE XI – FEDERAL RESERVE SYSTEM PROVISIONS, SEC. 1102 AUDITS OF SPECIAL FEDERAL RESERVE CREDIT FACILITIES

Description:
AUTHORITY FOR AUDITS AND EXAMINATIONS. Subject to paragraph (3), and notwithstanding any limitation in subsection (b) on the auditing and oversight of certain functions of the Board of Governors of the Federal Reserve System or any Federal reserve bank, the Comptroller General of the United States may conduct audits, including onsite examinations, of the Board of Governors, a Federal reserve bank, or a credit facility, if the Comptroller General determines that such audits are appropriate, solely for the purposes of assessing, with respect to a credit facility or a covered transaction, (A) the operational integrity, accounting, financial reporting, and internal controls governing the credit facility or covered transaction; (B) the effectiveness of the security and collateral policies established for the facility or covered transaction in mitigating risk to the relevant Federal reserve bank and taxpayers; (C) whether the credit facility or the conduct of a covered transaction inappropriately favors one or more specific participants over other institutions eligible to utilize the facility.

Varonis Product/Feature:
Varonis helps organizations prepare for audits and examinations and demonstrate the effectiveness of their security controls and operational integrity in several ways:
• Varonis recommends revoking permissions for users who have no business need for the data, so that user access is always warranted and driven by least privilege.
• Varonis generates reports showing the history of permission revocations and the percentage by which overly permissive access was reduced.
• Varonis DataPrivilege provides a web-based application through which all access requests to unstructured data are monitored and administered (allowed or denied). Requestors, data owners, technical controllers, and financial controllers are all united in communication and action through this system. For requests to access unstructured data on file shares, every action taken and the rationale for it are recorded, and a workflow is enforced (for example, requests for financial folders go straight to the business owner).
Through these capabilities, entities can demonstrate a historical and sustained enforcement of least-privilege access and its effects.
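The revocation recommendation and the "percentage by which overly permissive access was reduced" report described in the Title IX and Title XI entries above amount to joining three things: an ACL snapshot, the access audit, and the classification result. The Python below is an added example written for this page, not Varonis code. It assumes a constructed NTFS ACL snapshot for two folders, constructed group membership, a constructed classification result and a constructed audit trail, and it assumes a 90-day staleness window and the usual global access groups (Everyone, Authenticated Users, Domain Users). It flags three conditions: a global access group on a sensitive folder, an ACE that no member has used within the window, and an ACE with some unused members; it then computes how much each folder's effective user population shrinks if the revocations are applied.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # assumed review date
STALE_AFTER = timedelta(days=90)                  # assumed staleness window
GLOBAL_ACCESS_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed inputs (not real data): an NTFS ACL snapshot of two folders,
# group membership, the classification result and the access audit.
ACL = [  # (folder, trustee, rights)
    (r"\\fs01\Finance\Q3", "Finance-Analysts", "Modify"),
    (r"\\fs01\Finance\Q3", "Everyone", "Read"),
    (r"\\fs01\Finance\Q3", "jdoe", "Full Control"),
    (r"\\fs01\Public\Templates", "Everyone", "Read"),
]
GROUPS = {
    "Finance-Analysts": {"clee", "bsmith"},
    "Everyone": {"clee", "bsmith", "jdoe", "mkim"},
}
SENSITIVE_FOLDERS = {r"\\fs01\Finance\Q3"}  # e.g. flagged by content classification
AUDIT = [  # (timestamp, user, file path, operation)
    ("2024-02-20T09:12:00Z", "clee", r"\\fs01\Finance\Q3\forecast.xlsx", "open"),
    ("2023-10-01T14:03:00Z", "bsmith", r"\\fs01\Finance\Q3\ledger.xlsx", "open"),
    ("2024-02-28T16:40:00Z", "mkim", r"\\fs01\Public\Templates\memo.dotx", "open"),
]


def members(trustee, groups=GROUPS, seen=None):
    """Expand a trustee into the user accounts it grants, following nested groups."""
    if seen is None:
        seen = set()
    if trustee not in groups:
        return {trustee}  # a user account, or a group we have no data for
    users = set()
    for m in groups[trustee]:
        if m not in seen:
            seen.add(m)
            users |= members(m, groups, seen)
    return users


def last_access(audit):
    """Map (folder, user) -> most recent access time seen in the audit."""
    latest = {}
    for ts, user, path, _op in audit:
        folder = path.rsplit("\\", 1)[0]
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key = (folder, user)
        if key not in latest or t > latest[key]:
            latest[key] = t
    return latest


def review(acl=ACL, audit=AUDIT, sensitive=SENSITIVE_FOLDERS, now=NOW):
    """Produce one finding per ACE: revoke, review (partially unused) or keep."""
    recent = last_access(audit)
    findings = []
    for folder, trustee, rights in acl:
        users = members(trustee)
        active = {u for u in users
                  if (folder, u) in recent and now - recent[(folder, u)] <= STALE_AFTER}
        stale = users - active
        if trustee in GLOBAL_ACCESS_GROUPS and folder in sensitive:
            action, why = "revoke", "global access group on sensitive data"
        elif not active:
            action, why = "revoke", f"no member used this access in {STALE_AFTER.days} days"
        elif stale:
            action, why = "review", f"unused by {sorted(stale)}"
        else:
            action, why = "keep", "all members active"
        findings.append({"folder": folder, "trustee": trustee, "rights": rights,
                         "sensitive": folder in sensitive, "action": action, "reason": why})
    return findings


def exposure_reduction(acl=ACL, findings=None):
    """Users able to reach each folder before and after applying the 'revoke' findings."""
    if findings is None:
        findings = review(acl)
    revoked = {(f["folder"], f["trustee"]) for f in findings if f["action"] == "revoke"}
    report = {}
    for folder in sorted({p for p, _, _ in acl}):
        before, after = set(), set()
        for p, trustee, _ in acl:
            if p != folder:
                continue
            before |= members(trustee)
            if (p, trustee) not in revoked:
                after |= members(trustee)
        pct = round(100 * (len(before) - len(after)) / len(before)) if before else 0
        report[folder] = {"before": len(before), "after": len(after), "reduction_pct": pct}
    return report


if __name__ == "__main__":
    for finding in review():
        print(finding)
    print(exposure_reduction())
```

On the constructed data the Everyone ACE on the Finance folder is flagged for revocation regardless of usage, because a global group on classified data is overexposure by policy; jdoe's Full Control is flagged because it was never used; the Finance-Analysts ACE is kept but marked for review since one member has not touched the folder in the window; and the Everyone ACE on the public template folder is merely "review" because the folder is not sensitive. Applying the two revocations takes the Finance folder from four reachable users to two, a 50% reduction, which is the figure an auditor would expect to see in the revocation-history report.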

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Or contact sales at 877-292-8767