Jan 19 2023

What Banks Should Know About Segregation of Duties Regulations

Sarbanes-Oxley rules require SOD framework compliance. Here’s how to stay on the right side of the law.

To reduce the risk of accidental breaches or intentional fraud, banks must implement segregation of duties (SOD) processes that ensure no single person has complete control over a critical task.

Failure to do so could lead to compliance failures under the Sarbanes-Oxley Act of 2002, commonly known as SOX. Designed to increase oversight and limit fraud, SOX requires banks to segregate duties of key processes among more than one employee. Here’s what financial firms need to know about compliance.

From Recommendation to Requirement: The Role of Sarbanes-Oxley

Segregation of duties frameworks are common in many organizations, including technology companies, law firms and energy providers. The number of staff necessary for a process increases with the complexity of the process. While specific applications differ based on the industry, the goal is the same: reducing overall risk by building in a buffer among staff.

For banks, however, SOD frameworks aren’t simply a good idea; they’re required by Sarbanes-Oxley regulations. In practice, this means that if banks lack solid SOD practices, they could be at risk of audits, fines and sanctions.

Under Section 302 of Sarbanes-Oxley, each bank must designate a signing officer who is responsible for establishing and maintaining internal controls designed to limit financial fraud risk. The signing officer creates and submits a yearly report detailing the effectiveness of these controls; the controls themselves must be evaluated within 90 days of the report being written.


How SOD Works in Practice

Conceptually, SOD is straightforward. By ensuring that key financial processes require more than one staff member to complete, risk is naturally reduced.

Consider a loan application. If a single staff member is responsible for collecting applicant data, reviewing application details, and making the approval or rejection decision, this creates multiple points of risk. The data collected might contain errors that aren’t caught during the review process, or approvals may not meet the guidelines laid out by financial firms. This could result in high-risk loans being issued, leading to bank losses.

By placing two other staff members into this process, risk is reduced. For example, banks might assign one employee the task of collecting applicant data, another the job of reviewing this data, and a third the role of decision-maker. While the overall process remains the same, risk is naturally reduced by segregating process steps.
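The three-person loan workflow above can be enforced and audited mechanically. The following Python is an added example, not code from the article or from any bank: it defines a conflict matrix of steps that one person must never both perform on the same application, a preventive check that blocks such an action before it is recorded, and a detective check that scans an existing audit trail for violations. The loan ids, user names, step names and the audit trail are all constructed for illustration.

```python
from collections import defaultdict

# Steps of the loan process described in the article.
STEPS = ("collect", "review", "decide")

# Conflict matrix (constructed): pairs of steps that must not be performed
# by the same person on the same application. With the three-person model
# every pair conflicts; a two-person model would list only the pairs that
# matter, e.g. {frozenset({"collect", "decide"})}.
CONFLICTS = {
    frozenset({"collect", "review"}),
    frozenset({"collect", "decide"}),
    frozenset({"review", "decide"}),
}


def can_perform(actor, step, loan_id, history):
    """Preventive control: True unless `actor` already performed a step on
    `loan_id` that conflicts with `step`."""
    for entry in history:
        if entry["loan_id"] != loan_id or entry["actor"] != actor:
            continue
        if frozenset({entry["step"], step}) in CONFLICTS:
            return False
    return True


def record_action(actor, step, loan_id, history):
    """Append an action to the audit trail only if it passes the SOD check.
    Raises PermissionError on a conflict so the workflow stops instead of
    silently letting one person own two steps."""
    if step not in STEPS:
        raise ValueError(f"unknown step {step!r}")
    if not can_perform(actor, step, loan_id, history):
        raise PermissionError(f"{actor} may not {step} {loan_id}: conflicting prior step")
    history.append({"loan_id": loan_id, "actor": actor, "step": step})
    return history


def find_violations(history):
    """Detective control: scan an audit trail and return
    (loan_id, actor, (step_a, step_b)) for every conflicting pair that one
    person performed on the same application."""
    steps_by_loan_actor = defaultdict(set)
    for entry in history:
        steps_by_loan_actor[(entry["loan_id"], entry["actor"])].add(entry["step"])
    violations = []
    for (loan_id, actor), steps in steps_by_loan_actor.items():
        for pair in CONFLICTS:
            if pair <= steps:
                violations.append((loan_id, actor, tuple(sorted(pair))))
    return sorted(violations)


# Constructed audit trail: three applications, two of which were handled in
# a way that breaks the three-person model.
AUDIT_LOG = [
    {"loan_id": "L-1001", "actor": "alice", "step": "collect"},
    {"loan_id": "L-1001", "actor": "bob", "step": "review"},
    {"loan_id": "L-1001", "actor": "carol", "step": "decide"},
    {"loan_id": "L-1002", "actor": "dave", "step": "collect"},
    {"loan_id": "L-1002", "actor": "dave", "step": "review"},   # same person collected and reviewed
    {"loan_id": "L-1002", "actor": "erin", "step": "decide"},
    {"loan_id": "L-1003", "actor": "frank", "step": "collect"},
    {"loan_id": "L-1003", "actor": "gina", "step": "review"},
    {"loan_id": "L-1003", "actor": "frank", "step": "decide"},  # collector also made the decision
]

if __name__ == "__main__":
    for violation in find_violations(AUDIT_LOG):
        print("SOD violation:", violation)
    trail = []
    record_action("alice", "collect", "L-2001", trail)
    try:
        record_action("alice", "review", "L-2001", trail)
    except PermissionError as exc:
        print("blocked:", exc)
```

The preventive check is what the application front end or workflow engine would call; the detective scan is what an internal audit or the signing officer's control review would run over historical records, and it catches violations that slipped past systems without the preventive check.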


Best Practices to Comply with SOX Regulations

While SOX lays out requirements around controls, audits and reports, it doesn’t offer specific guidelines for creating effective SOD frameworks. This puts banks in a tough position: They understand the need for improved SOD, but they don’t know what this looks like in practice. When it comes to ensuring SOD compliance, three best practices can help.

  • Conduct process assessments. Before designing and implementing internal controls, banks need to pinpoint potential process problems. By conducting a complete assessment of current operations, they can separate processes into high-, medium- and low-risk categories, allowing them to prioritize SOD efforts.
  • Find the balance. Just as single-person processes pose risk, so do operations that are overstuffed with staff. In other words, at a certain point, adding more people has the opposite effect of what is intended. This is because each step in the process requires a handoff of data from one employee to another. If some of these employees are working from home and others are in the office, there’s potential for attackers to eavesdrop on data exchanges or compromise operations. As a result, it’s important to review SOD procedures regularly to strike a balance between security and complexity.
  • Recognize what you don’t know. Banks also need to understand where their existing knowledge and skills may come up short. In part, these gaps stem from rapidly evolving regulations, and they’re tied to ongoing challenges in finding and keeping talented staff. The quickest way to solve for a shortfall is to turn to trusted advisers with industry experience. CDW’s experts can help financial institutions create SOD roadmaps.

The bottom line? With time and talent in short supply, it’s worth bringing in expert help to ensure banks’ SOD compliance is current and capable, and to keep processes properly segregated.

This article is part of BizTech's EquITy blog series. Please join the discussion on Twitter by using the #FinanceTech hashtag.
