I'm fairly certain this is running against Federal Reserve policies (yes, they do IT-related audits from time to time). And if your bank customer is a public company, this runs against Sarbanes-Oxley (protecting revenue chain; separation of development, UAT, and production environments; routine vulnerability assessments; and many more things...) While you're not the actual bank, your company is probably providing a piece of paper saying they're complying with the requirements the bank has provided (if they indeed have provided them). So, assuming something evil does happen...

- Customer complains to state consumer agency
- State consumer agency refers to state banking agency
- State banking agency follows up with bank
- $bank says we have "a letter of compliance/best practices/whatever" from $company.
- State banking agency focuses on the information exchanged between $bank and $company, to determine which party was negligent, and maybe even refers case to state attorney general.
- The underwriter of your errors and omissions insurance is now royally pissed, and is also crawling through your e-mails and such to determine how much liability they have based on your policy.

I'm sure I've left out a few things, but basically, this is a st storm waiting to happen. If management doesn't care about losing the entire company, and possibly going to jail, I dunno. And if you want, replace state consumer agency with FTC, and state banking agency with Federal Reserve.