Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
03 Mar 2011

FDIC issues new FIL…

…and pretty much confirms what most of us already knew: regulatory scrutiny has increased across the board.  FIL-13-2011, entitled “Reminder on FDIC Examination Findings”, was just released on March 1st, and in spite of the title, it is not so much a reminder as a response.  Here is the one-line summary:

“Recently, the FDIC has received some criticism that its examination findings have been overly harsh.”

Make no mistake: this is NOT a reminder, this is a response to a flurry of criticism from financial institutions who feel that:

  1. Their examiners are finding fault with policies, procedures and practices that they have not had problems with in past examinations, and
  2. The examiners are less willing to “work with them” to resolve the findings during the examination…before they appear in the exit letter.

I have heard the same criticism from our customers, and I think it is highly significant that the FDIC has seen fit to issue an FIL to address this.  This confirms that the problem is not sporadic; it is endemic, and it is the new normal.

The FIL goes on to describe the procedures by which an institution might formally express its concerns, but in the end there is little the institution can do to change the findings.  My attitude is that there are really only 3 ways to respond to an examiner finding:

  1. Admit that the finding is valid, and commit to making the recommended change(s). The vast majority are handled this way.
  2. Contest the finding.  This is a viable option only if you can demonstrate that you’ve made a different interpretation of the underlying guidance, and as a result of your risk analysis, you’ve come to a different conclusion.  If properly documented, this can be a very effective response.
  3. Refuse the finding.  This is an adversarial position and NOT really recommended, but I see this more often than you would think.

Given the new normal, the second option makes the most sense IF you’ve implemented an effective risk management process, because in the final analysis all examiner findings are about one thing…they believe you’ve accepted too much risk.  I’ve addressed effective risk management in detail here.

One other thing caught my eye in the FIL, because the fact that the FDIC felt necessary to address it indicates that it has become an issue:  “Prohibition Against Retaliation”. Apparently some institutions feel that not only are the examiners more critical, but that they have experienced “…retaliation, abuse, or retribution by an agency examiner…”.  This may be because institutions are choosing the adversarial option.  Even more reason to make sure that if and when you do decide to push back on an examiner finding, you do so in a logical, dispassionate way.  Make a risk-based case that focuses on the residual, or remaining, risk.  The vast majority of findings revolve around the examiner’s belief that you haven’t properly recognized that residual risk, and that as a result, it’s unacceptably high.  If you can demonstrate that you do in fact understand the risks, and have decided to accept them as a business decision, you will eliminate the vast majority of examination findings.

22 Feb 2011

AICPA finalizes SAS 70 replacement

I wrote about this here as well, but it’s now official:  The AICPA has clarified the SAS 70 replacement reports.  They are actually officially being referred to as “Service Organization Control Reports (formerly SAS 70 reports)”.

The new SOC reports provide a framework for auditors to examine controls and to help senior management understand the related risks of outsourcing to a service provider.

According to the AICPA:

“Companies had misused SAS 70 to issue reports on controls related to outsourced non-financial data rather than the correct attest standard which was in place. The SOC reports clarify which standard needs to be used and how it should be implemented to meet specific user needs.

  • SOC 1 reports are primarily an auditor-to-auditor communication which addresses the controls at a service organization relevant to financial reporting. These reports are restricted use reports and therefore are not designed for promotional purposes. – (This is the functional replacement for the SAS 70 only where financial controls are concerned.)
  • SOC 2 reports are in response to the rapid growth in cloud computing and data outsourcing, as well as the marketplace need for clarification on how reports on non-financial controls regarding information, such as data security, confidentiality and privacy should be structured. – (This will likely be the SAS 70 replacement for the vast majority of service organizations.)
  • SOC 3 reports cover the same subject matter as SOC 2, but in a general use, short form format which may be freely distributed.”

Get used to seeing this logo instead of the myriad of SAS 70 logos:

SOC Reports


Most importantly, know what it is…and what it isn’t.  Understand why your vendor chose one report over another, and determine if the report is relevant to you, and adequately addresses your concerns.  The term “SAS 70” is mentioned 31 times in 8 of the 12 IT Examination Handbooks, so it is a critical element in how the FFIEC expects you to manage your vendor relationships.  No word yet on how the FFIEC will address this going forward…

22 Feb 2011

Management of IT reflects overall management

(This is an extract from an article written for Bank Technology News.  The full article is here.)

One of the reasons compelling the shift towards increased focus on IT is found in the only non-financial element in the CAMELS ratings: management. Post-mortem reports on the failures of both Washington Mutual and IndyMac placed the blame equally on management for pursuing overly aggressive growth strategies, and on the regulator (OTS) for its inability to effectively identify and assess the risks. The OTS was a regulatory casualty of Dodd-Frank, and I think we can expect (and rightly so) increased focus on all governance issues going forward.  But how does that translate into increased IT focus?

There are twelve factors that go into the CAMELS management rating component, and one of them is a measure of how well the institution manages its information systems. In addition to that, the FFIEC makes it clear in their IT Examination Handbook on Management that

“…effective IT management practices play an integral role in achieving many goals related to corporate governance. The ability to manage technology effectively in isolation no longer exists. Institutions should integrate IT management into the strategic planning function of each line of business within the institution.”

And regarding the relationship between IT and strategic planning:

“…an institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success.”

Clearly IT is so pervasive throughout financial institutions that no enterprise-wide assessment of management and governance is complete without a thorough review of IT.  It also stands to reason that an institution that cannot demonstrate that it can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide.

Bottom line…more scrutiny of management equals more scrutiny of IT, and deficiencies in IT can lead to lower CAMELS scores.  Solution?  Implement a formal IT management process consisting of a dedicated committee.  Use a standardized agenda, assigning follow-up items to responsible parties with specific time-frames for resolution.  Involve ALL functional units in the committee, and regularly report status updates to the Board.

Then take this same model and apply it to the rest of the organization!

17 Feb 2011

Mythbusting on-line security

As I write this (2/2011), we are expecting updated guidance from the FFIEC any day on on-line authentication and security.  It is way overdue, as the last release was way back in 2005.  It is supposed to address the changes in the security landscape since then, and hopefully it will even raise the bar a bit, but I’m afraid that it won’t do enough to dispel the six biggest myths regarding on-line security:

  • “My software vendor provides all the security I need.”
  • “My multi-factor hardware tokens provide all the security I need.”
  • “If I follow FFIEC guidelines, my measures will be considered ‘commercially reasonable’.”
  • “Multi-factor authentication is adequate”.
  • “The customer assumes partial responsibility for security (at least contractually)”.
  • “Unless Reg E is extended to commercial accounts, my financial liability is limited”.

I’m going to address why all these are false in future posts, but for now make sure your risk assessment doesn’t rely on any of them.

09 Feb 2011

Top 5 Compliance Trends for 2011 – Part 5

As I write this, the only case to go to trial of a merchant suing its bank over account takeover losses is awaiting the jury’s decision.  The result may redefine the liability, and by definition the roles and responsibilities, of both the financial institution and the merchant when it comes to securing electronic transactions.  It may also finally determine what is considered “commercially reasonable” security, or (I hope) even toss out the use of this murky term altogether.  I believe there is a perfect storm brewing over this issue, with several factors converging simultaneously to produce my final compliance trend for 2011:

Corporate Account Security (merchant capture, remote ACH and remote wire transfer).

Here are all the converging elements and their implications:

  1. The aforementioned lawsuit between EMI and Comerica- The trial just ended on 1/26 and it’s now in the hands of the jury.  We’ll see how this plays out, but it will have implications either way particularly if (as I suspect) the merchant prevails.
  2. The upcoming FFIEC update to authentication guidance – We are expecting final guidance on this from the FFIEC any day, but whatever the final requirements, increased scrutiny of authentication mechanisms will be the result.  New guidance always results in increased regulator focus, even if it is only an update to existing guidance.  Additionally, I suspect that the update won’t go far enough to address preventive measures.
  3. The tendency for affected institutions to under report incidents – Because of the potential for reputation risk, financial institutions are reluctant to report account takeover incidents.  That is the primary reason that most institutions choose to settle with customers rather than take the case to court (there have been only 2 cases brought to court so far).  In the meantime, we know that online crime complaints have increased substantially each year since 2005, resulting in losses of hundreds of millions of dollars.
  4. A fundamental misunderstanding by both merchants and financial institutions of their respective responsibilities – BankInfoSecurity.com recently interviewed a bank CEO affected by an account takeover incident.  In the interview, he reveals that he believes that remote transactions should carry a lower degree of perceived protection than transactions carried out inside the Bank’s security perimeter.  He also expected the third-party vendor that provided the remote ACH software to have done more to keep the bank secure.  In the meantime, merchants expect the transactions they initiate remotely to be just as secure as those initiated inside the physical confines of the bank.

Here is how this trend differs from the others...regardless of whether or not regulators increase focus on this issue in 2011, I believe institutions absolutely must.  The guidance is behind the curve on this issue, and institutions simply have too much to lose.  It is clear that the minimum requirement is not sufficient; you must go further.  Implement additional preventive controls on the merchant side, and educate everyone on basic security best practices.