State Examination System (SES) Agency FAQs

Frequently Asked Questions about the State Examination System (SES).

What is the purpose of SES?

The purpose of SES is to support the supervision, enforcement, investigation and complaints processes for state regulators and the companies they supervise. The main goals of SES are as follows:
  • Standardize the supervisory process. SES will be the first nationwide system of its kind, powered by technology that will allow for greater information sharing amongst state regulatory agencies. The promotion of best practices across state agencies will result in the standardization of supervisory practices which will in turn reduce the volume of state examinations, and save time, costs, and travel for regulators and the industry.
  • Foster collaboration amongst state agencies. SES will encourage multi-state supervision and allow regulators to eliminate duplicative supervisory efforts. In addition, state agencies will have the ability in the system to access one another’s supervisory schedules which will allow them to make better use of their time and resources.
  • Offer readily available risk-based data. SES will offer state regulators an impressive uniform and nationwide set of data they can use to analyze macro and micro trends in the financial system. The risk-based analytics approach in SES will allow state agencies to respond to risks, tailor supervision programs across industries, and continually refine the supervision process through informed metrics.
  • Safeguard sensitive information. SES has safeguards in place to protect the sensitive information that is stored and exchanged in the system. Using a single, secure platform to exchange supervisory information will improve the overall security of the state regulatory process.

Can you provide any documentation justifying the states' use of the SES system?

Each agency’s justification for using SES will differ somewhat, but the benefits listed above will apply to most agencies. CSBS firmly believes that state agencies using the system will greatly benefit from reduced costs, reduced travel, and time- and resource-saving advantages, as they will be using a standardized, no-cost system which will give them unique access to nationwide supervision information, risk-based data, and the ability to share best practices. Beyond benefits to state agencies, SES will bring transparency, consistency, and accountability to the supervisory process, all of which will reduce the burden experienced by supervised companies. These benefits will only be enhanced as more agencies continue to implement SES as their primary supervision system.

Are there any laws or regulatory requirements for States using this system like NMLS?

Unlike the Nationwide Multistate Licensing System & Registry (NMLS), state agencies are not required to pass state legislation or regulation to use the system. The use of the system by state agencies is discretionary.

Does SES have any data backup and recovery procedures in place in case of a disruption of services?

Yes. SES was developed with industry-standard backup and recovery requirements. Due to security considerations, details are available upon request.

Will state agencies be able to back up their own data out of SES?

Each agency (or agencies, if it is a multi-state examination) will have full access to the documents uploaded to SES from the supervised company subject to the examination. Exam data entered into the SES system on screens is currently not available for export. While an examiner could take a screenshot of every related screen, we are well aware that is an unacceptable answer. This feature is on our roadmap, but it is not in the immediate pipeline and we are still researching how best to implement it. Each agency will be able to extract, in bulk, any documentation related to a particular exam in which they participate. Documentation includes workpapers, information request responses, and the Report of Examination (ROE).

How long are documents kept in SES? Is there a document retention schedule?

The document retention schedule in SES is governed by the interim SES Documents and Data retention policy. Documents in SES are retained in the system according to the following schedules:
  • Category A Schedule. Documents in Category A will be retained for a period of ten years. This retention time period will begin to run as of the date and time the supervisory activity or complaint is closed in the system, or when the last Matters Requiring Attention (MRA) is closed, whichever is later. This is referred to as the ‘Closed’ Milestone in SES. The Supervisory Activity or Complaint reaches the ‘Closed’ Milestone when the examiner has conducted its review of the Supervisory Activity or Complaint and determines that there is no further action to be taken with that Supervisory Activity (SA) or Complaint. Documents will be permanently deleted from the system at the conclusion of the retention period. The attachment files under the Category A schedule are set forth below.
    1. All documents uploaded to the system by a regulatory agency user during a Supervisory Activity or handling of a Complaint. This includes the exchange of Information Requests (IR) in the system between agency and company users.
    2. Documents uploaded to the system by a company user in response to the following activities only:
      1. A ROE transmitted by a regulatory agency.
      2. MRA as a result of a state Examination.
      3. An Investigation.
      4. A Complaint.
  • Category B Schedule. Documents in Category B will be retained for a period of ninety days. This retention time period will begin to run as of the date and time the Supervisory Activity concludes and reaches the ‘Closed’ Milestone in the system or when the last MRA is closed in the system, whichever is later. Documents will be permanently deleted from the system at the conclusion of the retention period.

    Generally, documents subject to the Category B Schedule are any company user documents that are uploaded to the system, with the exception of documents uploaded to the system in response to a ROE, MRA, Investigation or Complaint, which are subject to the Category A Schedule as defined above.

How long are data kept in SES? Is there a data retention schedule?

Currently, data are being retained indefinitely in the System. We are working on a retention schedule for all data in the System.

Are there fees or costs for using SES?

No. SES development and operating costs are currently covered by NMLS processing fees. Changes to this approach would be decided by the SRR Board of Managers and the CSBS Board of Directors.

Are there any hidden costs, such as a data extraction or ‘disconnect’ fee?

No. There are no fees, hidden or otherwise, to use SES. All agencies can export exam data and records as they need to and when they need to. There is no fee for this functionality. If an agency chooses to stop using SES for any reason, they can download needed records at any time.

Who is liable for the information in the system in the event of a security breach?

Refer to the State Agency Terms of Use, specifically Section 14 (c) which states:

(C) In the event of a security or privacy breach, State Agency authorizes SRR and SRR agrees to be solely responsible for any notification to affected individuals and any public communications regarding such breach. State Agency will assist SRR in complying with state law and SRR agrees to so comply. State Agency will be responsible, with coordination from SRR, for communications within its respective state agency or government (e.g. governor, attorney general).

What assurances do I have that SES is appropriately safeguarding my agency’s information?

SES was designed and tested to exceed the stringent security standards of a FedRAMP/FISMA Moderate-level system. Individual components are built and monitored using industry best practices, including the Center for Internet Security (CIS) and vendor best practices. Multi-factor authentication and TLS 1.2-only encrypted connections are required for access.

For more information or support, contact the Regulatory Users Group (RUG) of the NMLS Call Center at the phone number or email provided on our secure portal (requires agency login).

Our IT staff has specific questions about the system’s security controls. Who should we contact?

SES is implemented through a combination of FedRAMP-authorized Appian Cloud (PaaS, Package ID: F1210011608) and CSBS-managed systems located in FedRAMP-authorized AWS (IaaS, Package ID: AGENCYAMAZONEW). The system is integrated with the CSBS FedRAMP-authorized Single Sign-On platform, Okta (SaaS, Package ID: F1512167750), which enforces the use of multifactor authentication (MFA) for all users. All access is via TLS v1.2-encrypted connections requiring MFA.

Accounts are used for separating out the various environments for development, testing, training, production, and management. They allow for granular separation of duties and access controls. Each account also uses multiple subnets to further restrict and manage traffic.

SES systems are configured to a tailored CIS baseline. Operating systems include Windows 2016, CentOS Linux 7.6 and Red Hat Linux 7.6. AWS itself is configured against CIS Web Services Foundation v1.2, as well as Amazon’s own AWS Best Practices.

The system was assessed by an Accredited Third-Party Auditor to NIST 800-53 rev 4, at a FISMA Moderate level.

Does SES have a mobile application?

SES is developed on the Appian platform, which may be accessed via a mobile app. There is no separate SES app available for download.

Where can I find the technical requirements to use SES?

  • SES is a web-based application, developed on the Appian platform. For end users, all that is required is a browser and internet access.
  • Additional information on the technical requirements can be found on the State Examination System Technology Requirements knowledge article.

Which agencies have agreed to use SES to supervise companies and process their consumer complaints?

The agency participation map available on www.csbs.org/aboutSES will be updated regularly to reflect current participation for both.

How does the SES Consumer Complaints System differ from the CFPB consumer complaints portal?

The systems are different in many ways because the role of state regulators in the complaints process is different from the role of federal regulators. SES Consumer Complaints supports the work that both state regulators and companies do together to resolve consumer complaints. Further, there is no publicly available data from the SES Consumer Complaints system.

Does SES Consumer Complaints connect with the CFPB complaints portal?

No, not currently. If the situation calls for it, there is a way for an agency to enter a CFPB ID unique identifier for a complaint originating from the CFPB.

Does the SES Consumer Complaints System have consumer-facing functionality?

No, not currently. Consumers will continue to notify and communicate with agencies outside of SES.

Can state agencies enter and process complaints on non-depositories and depositories under their supervision?

Yes, SES receives a nightly feed of non-depository company data from the NMLS. The data source for depository-only institutions is not NMLS, but MicroStrategy and the National Information Center (NIC) database.

Does a company need to exist in NMLS in order to process a complaint? Some of my complaints are on unlicensed and unresponsive entities.

In order to communicate with a company in SES via the IR process, the company must have an account in NMLS. If the entity is unreachable or unresponsive to your requests to create an account in NMLS, you may follow the “Non-NMLS Entity Entity” workflow in the system. This functionality will allow you to create the Entity, associate a Complaint to this Entity, and then close the Complaint.