I am an inspector at a globally significant bank, what should I ask
1 point by mr_inspector 996 days ago
Imagine you had the ability to ask a bank any question you'd like, and to request any member of staff to walk you through any process. What kind of questions would you raise?

I am an inspector at a globally significant bank. We are investigating their IT landscape and their ability to accurately aggregate their data.

What parts of the IT landscape, systems, infrastructure would you be most interested in?

3 comments

What data is stored about an employee's justification for viewing a customer account? Is there an enumerated set of justifications such as "direct customer inquiry" versus "to be used for upselling other banking products" versus "IT debugging" etc., or is it free-form text? Is the justification process more complex if the bank knows that the customer is a public figure, celebrity, or maybe anyone who meets Wikipedia's notability requirements?
That is a very interesting question to raise. Thank you, we'll consider it!
How is data related to Bank Secrecy Act requirements (or similar requirements in a non-U.S. jurisdiction) stored? For example, a U.S. bank must contact regulators about a cash payment of more than $10,000. The payment itself is not information that must be kept secret from the customer, e.g., the bank can share information with the customer about the specific amount, date, etc. However, the act of reporting to regulators cannot be shared with the customer. The question is, from an IT perspective, is the act of reporting part of a "customer data structure"? Is it possible for IT staff to do simple database queries such as "date_that_customer_began < 2022-01-01 and large_cash_payments > 0"? Or is Bank Secrecy Act reporting data segregated into separate database tables or even separate IT systems?
Also very interesting to consider!

Why do you think it matters if the information is stored in completely different IT systems?

It possibly matters because (at least in the U.S.) this specific data element has substantially different legal obligations than anything else that might be placed into a customer data structure: https://www.govinfo.gov/content/pkg/CFR-2012-title12-vol1/xm...

"(i) General rule. No national bank, and no director, officer, employee, or agent of a national bank, shall disclose a SAR or any information that would reveal the existence of a SAR. Any national bank, and any director, officer, employee, or agent of any national bank that is subpoenaed or otherwise requested to disclose a SAR, or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, ..."

A bank might not want to aggregate data within one IT system if part of the data has the very unusual property that a subpoena must be declined.
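
The segregation point raised in this comment thread (the "simple database query" run against one customer data structure, versus reporting data kept in a separate system) as an added example that is not from the thread: a small Python/sqlite3 model with a combined schema beside a segregated one, plus the check an inspector could ask IT to run. All table and column names (customers, reports, report_filed), the query, and the sample rows are constructed for illustration; the report flag stands in for whatever record the bank keeps of having filed with regulators, and two in-memory databases stand in for two separately access-controlled systems.

```python
"""Added example (not from the thread): combined vs. segregated storage
of a regulatory-report flag. Sample data and schema are constructed."""
import sqlite3

# Constructed sample customers; dates and amounts are illustrative only.
# (id, name, date_that_customer_began, large_cash_payments, report_filed)
CUSTOMERS = [
    (1, "Alice", "2019-05-01", 2, 1),
    (2, "Bob",   "2021-11-15", 0, 0),
    (3, "Carol", "2023-02-10", 1, 0),
    (4, "Dave",  "2020-08-30", 3, 1),
]

# The kind of "simple database query" the comment describes. Knowing
# about large cash payments is not itself secret; the question is what
# else sits in the same table next to that answer.
DEBUG_QUERY = """SELECT name FROM customers
    WHERE date_that_customer_began < '2022-01-01'
      AND large_cash_payments > 0
    ORDER BY id"""


def build_combined():
    """One customer data structure: the report flag lives beside ordinary
    attributes, so anyone with read access to the table can learn who was
    reported with a one-line query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE customers (
        id INTEGER PRIMARY KEY, name TEXT,
        date_that_customer_began TEXT,
        large_cash_payments INTEGER,
        report_filed INTEGER)""")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", CUSTOMERS)
    return conn


def build_segregated():
    """Two databases standing in for two separate systems: the customer
    system carries no report information at all, and the reporting system
    holds only customer ids, behind its own (compliance-only) access."""
    cust = sqlite3.connect(":memory:")
    cust.execute("""CREATE TABLE customers (
        id INTEGER PRIMARY KEY, name TEXT,
        date_that_customer_began TEXT,
        large_cash_payments INTEGER)""")
    cust.executemany("INSERT INTO customers VALUES (?,?,?,?)",
                     [row[:4] for row in CUSTOMERS])
    rep = sqlite3.connect(":memory:")
    rep.execute("CREATE TABLE reports (customer_id INTEGER PRIMARY KEY)")
    rep.executemany("INSERT INTO reports VALUES (?)",
                    [(row[0],) for row in CUSTOMERS if row[4]])
    return cust, rep


def debug_query(conn):
    """Run the debugging query; works identically in both designs."""
    return [r[0] for r in conn.execute(DEBUG_QUERY)]


def reported_customers(conn):
    """What the same staff member can learn about reports from the
    customer system. Returns None when the system cannot answer, which
    is the outcome segregation is meant to produce."""
    try:
        return [r[0] for r in conn.execute(
            "SELECT name FROM customers WHERE report_filed = 1 ORDER BY id")]
    except sqlite3.OperationalError:   # no such column in the segregated design
        return None


def customer_columns(conn):
    """Inspector's check: enumerate every column the customer system exposes."""
    return [r[1] for r in conn.execute("PRAGMA table_info(customers)")]


# Crude marker list for the column-name check; an assumption of this
# example, extend it to whatever the bank's own naming conventions are.
REPORT_MARKERS = {"report", "sar", "ctr"}


def can_reveal_report(conn):
    """True if any column name in the customer system names a report."""
    return any(tok in REPORT_MARKERS
               for c in customer_columns(conn)
               for tok in c.lower().split("_"))


def report_count(rep):
    """Rows in the separate reporting system (compliance access only)."""
    return rep.execute("SELECT COUNT(*) FROM reports").fetchone()[0]


if __name__ == "__main__":
    combined = build_combined()
    print("combined: debug query ->", debug_query(combined))
    print("combined: reported    ->", reported_customers(combined))
    cust, rep = build_segregated()
    print("segregated: debug query ->", debug_query(cust))
    print("segregated: reported    ->", reported_customers(cust))
    print("segregated: columns     ->", customer_columns(cust))
```

The debugging query returns the same names in both designs, which is the point: segregation does not hide the cash payments, it removes the report flag from the data structure that ordinary IT access and ordinary subpoenas reach. The column enumeration is the check to request during an inspection; a single column such as `report_filed` in the customer schema answers the "separate tables or separate systems" question immediately.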

How do the relevant teams rehearse restoring systems from backups? How and when are credentials for departing employees revoked?
Thank you, that is the second question I have raised today. I have also asked if access is granted to individuals or roles.

You can imagine that things are quite archaic.

Regarding site recovery, that is sadly out of scope for our inspection.