The client is a multinational banking group that operates under a single brand. This group includes 15 international entities across the globe and offers a wide range of banking services (including card issuance and acquiring) to individuals, small and medium-sized enterprises (SMEs), as well as commercial and corporate clients.
The Challenge:
Each international entity is a separate legal entity with its own decentralized systems, technology, and business operations, which vary both locally and nationally. However, a few critical systems and technologies are centrally hosted and managed by the group's headquarters.
The infrastructure and card-related business operations are not uniform across the different international entities. Each country operates under a unique model influenced by several factors, such as the size of operations and local regulatory requirements.
The Solution:
A team from Panacea Infosec specializing in compliance audits devised a collaborative audit plan for 8 countries in the initial phase, as directed by the client. A dedicated team, including a lead consultant and a certified auditor, was assigned to work in these countries.
During the scoping activity, the auditors identified all central solutions, systems, and technologies managed from the group's headquarters and noted that key card systems were central for most countries, with a few exceptions.
The approach was to first certify the group's headquarters. Once certified, its certification was used to streamline the certification process for other countries, significantly reducing the scope and effort required for individual countries.
A customized web-based tool was developed and provided to facilitate ongoing compliance tracking post-certification, thereby minimizing the need for manual tracking procedures, given the involvement of multiple stakeholders.
The team successfully certified 4 out of the 8 countries within one year. A gap assessment was conducted for all 8 countries within the same timeframe.
The remaining 4 countries are undergoing remediation and are expected to be certified in the next 6 months.