What Are Financial and Credit Risks?
Financial risk and credit risk are related risks that should often be (and are) considered together but are not wholly interchangeable.
Financial Risk
Financial risk is sometimes treated as a kind of operational risk: the risk of losing money because of the way a business operates or is run. While this definition is accurate, it's not very helpful. It's too broad. All business risk is financial risk.
From the standpoint of risk and accounting, a better definition of financial risk is the risk of losing money through the mismanagement or poor administration of money, investments and finances (including financial information). This includes losses from bad investments, poor cash management (too little liquidity, or too much idle cash), poor debt management and overspending on materials, supplies and labor. Generally, financial risk is the risk of making bad decisions in the areas of money, banking and finance, and financial data.
Credit Risk
Credit risk is a subset of financial risk. It pertains to potential losses in the event of a client's, supplier's or partner's (including officers, managers and employees) inability to repay a loan or other extension of credit.
Banks and Wall Street brokers are particularly exposed to credit risk as they are in the business of lending money. For most other businesses, credit risk comes in the form of "accounts receivable," which is the risk that customers can't (or sometimes won't) pay for the goods or services provided to them.
An institution's credit risk is a function of the creditworthiness of its borrowers and customers. The better the customers' credit, the lower the risk companies take when doing business with them.
Also, higher profit margins mitigate credit risk. If a firm makes more money per customer, it can better afford the few customers who don't end up paying.
The Importance of a Credit Card Information Policy
The handling of credit card data (and other credit information) is one crucial aspect of financial and credit risk. It entails risks, such as identity theft and security breaches, that arise from the mishandling of sensitive financial information.
The mishandling, misappropriation or misuse of client credit card information can cause incredible damage to customers and organizations that collect and maintain credit card data. Data security is the responsibility and legal obligation of companies that accept credit cards and other forms of payment that entail sensitive banking information. Financial and credit risk best practices must include a robust, enforceable credit card information handling policy.
Objectives
The overriding goal of financial and credit risk policies, including credit card data security, is to avoid the financial and reputational (goodwill) losses that inevitably follow from breaches and inadequacies in financial and credit risk procedures.
A sound credit card information handling policy aims to ensure that an organization develops, maintains and enforces a strict set of financial and credit risk processes outlining proper procedures for the collection, management, storage and general use of credit and debit card information. Sensitive financial information should be handled only by a few people, and only for authorized purposes. In addition, the policy should define who can access this information and under what circumstances.
Mandates
Credit card companies mandate that firms that use their physical and digital platforms maintain a certain minimum level of information security. These standards are known as the Payment Card Industry Data Security Standard, or PCI DSS. Compliance with PCI DSS should be a top priority for any firm that extends consumer credit.
Companies that accept credit cards as payment for goods and services should conduct a financial and credit risk assessment as part of the standard, periodic risk and audit cycle. Here are the 12 PCI DSS requirements:
- Firewall Configuration for Cardholder Protection
- Strict Password Parameters
- Stored Data (Cardholder Information) Protection
- Data Encryption During Public Transmission
- Updated, Comprehensive Anti-Virus Software
- Systems and Applications Security
- Strict "Need-to-Know" Access Restrictions
- Unique Identification of Access Personnel
- Physical and Digital Restrictions
- Access Tracking and Monitoring
- Regular Audit and Testing
- Maintenance of a Financial and Credit Risk Policy
Scope
Who Is Covered?
All company partners, third-party service providers and employees, including officers, directors and legal and compliance staff, who handle or may come into contact with confidential or sensitive banking and credit information must be covered by an organization's credit data security policy.
What Is Covered?
The policy should encompass all sensitive cardholder data, whether in hard copy (physical) or digital (electronic) form. It should cover the entire lifecycle of the information, and policy directives should be commensurate with the level of sensitivity; that is, more sensitive data should receive stronger protection than less sensitive data.
What Is Considered Sensitive Information?
Sensitive and confidential credit card information includes any collected or encountered financial or banking data such as account numbers, PINs, cardholder names, service codes, expiration dates, security codes, access codes, passwords and any other information that should only be used at the point of sale or when extending credit.
Credit Card Information Handling General Guidelines
Collecting Data
To the extent possible, financial data should be captured, entered and stored only on password-protected, encrypted, company-controlled computer systems. Other methods, such as voice recordings, handwritten notes, photographs and verbal relay, should be strongly discouraged and disallowed altogether when secure electronic methods are available.
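As an added example (not code from the original article), the following Python sketch puts two of the controls from the "What Is Considered Sensitive Information?" and "Collecting Data" sections into working form: before a payment record is persisted, it drops the elements PCI DSS forbids storing after authorization (PIN, security code, track data), masks the account number to its last four digits, and scans free-text fields such as support notes for full card numbers that an agent may have typed in, which is exactly the note-taking the policy discourages. The field names, the regular expression and the sample inputs are assumptions constructed for illustration; 4111 1111 1111 1111 is a standard Visa test number, and 1234567890123456 is a constructed non-card digit run that the Luhn check is expected to leave alone.

```python
"""Added example: strip sensitive authentication data, mask PANs, and redact
card numbers from free text before a record reaches storage.
Not the article's code; field names, regex and samples are assumptions."""
import re

# Candidate primary account number: 13-19 digits, optionally separated by
# single spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Sensitive authentication data that must never be stored after authorization
# (assumed field names as they might arrive from a payment form).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "security_code", "pin", "pin_block", "track_data"}
# Fields that carry the account number itself (assumed names).
PAN_FIELDS = {"pan", "card_number", "account_number"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rules out most non-card digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual permitted display form."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> tuple:
    """Replace every Luhn-valid PAN in free text with its masked form.
    Returns (redacted_text, number_of_pans_found)."""
    count = 0

    def _sub(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # not a card number, leave it untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, text), count


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of a payment record that is safe to persist: sensitive
    authentication data dropped, PAN masked, free-text fields redacted."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_FIELDS:
            continue                       # never written to storage
        if k in PAN_FIELDS:
            out[key] = mask_pan(re.sub(r"\D", "", str(value)))
        elif isinstance(value, str):
            out[key], _ = redact_text(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample: a support note in which an agent typed a full card number.
    note = ("Customer read card 4111 1111 1111 1111 over the phone; "
            "order 1234567890123456 shipped.")
    print(redact_text(note))
    # Constructed sample record as it might arrive from a payment form.
    record = {"pan": "4111-1111-1111-1111", "cvv": "123", "expiry": "12/29", "notes": note}
    print(sanitize_for_storage(record))
```

The Luhn filter is what keeps the scanner usable on real text: a 16-digit order number or a phone number with country code would otherwise be masked too. The masking and field-dropping happen at the write boundary, so the rest of the application can keep working with the full record in memory for the duration of the authorization and still never persist the security code.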
Unauthorized Access
If unauthorized staff come into contact with confidential credit card information, they should alert a superior who is authorized to handle and view this data, and that person should take over. The incident should be treated as a breach, and the circumstances that allowed it should be corrected quickly. If the information was in physical form, it should be properly entered into the secured system and then securely disposed of as soon as possible.
Information Sharing
Financial and credit risk best practices demand that confidential data not be shared with or provided to any unauthorized party. Anyone claiming to own the information, or to be authorized to view it, should be required to provide proper identification and documentation before it is shared.
Enforcement
Data breaches and policy failures, whether intentional or accidental, should be taken seriously and result in disciplinary measures, including termination of employment where justified. Criminal breaches, such as data or identity theft, should be reported to law enforcement and, where applicable, to industry regulatory authorities.