Banks can agree on one thing: Losing customer data is bad.
Now they've also agreed on what to do about it, at least for the data-security standards they expect from their service providers. This week, six big banks plus major auditors and service providers will present a common method for assessing service-provider security.
The effort is led by Bank of America, Bank of New York, Citigroup, JPMorgan Chase, U.S. Bancorp, and Wells Fargo. BITS, a consortium backed by the financial-services industry, developed the methodology by doing assessments with service providers including Acxiom, First Data, IBM, Viewpointe Archive Services, and Yodlee.
Getting banks--not to mention auditors--to agree is what makes this plan special. "The problem with security standards is that there are so many of them," says Joe Duffy of PricewaterhouseCoopers' security practice. Deloitte & Touche, Ernst & Young, and KPMG also are involved. The plan sets out a detailed methodology for banks to test vendors' security. Example: Compare how many wireless networks a service provider says it has with how many are actually on-site.
The goal is to give service providers consistent demands and make them live up to them. Banks are cooperating because they know the alternative: fines, lawsuits, and a tarnished image that can't be fixed with clever commercials.