Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years' experience, Hinkel's areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
04 Nov 2010

Archiving vs. retention of email and other electronic data

There is no specific FFIEC regulatory mandate for archiving, just retention¹. However, there are three reasons why you might want to consider archiving, which I will address shortly. First, though, the issue of retention.

The key to complying with legal and regulatory guidelines regarding retention is to treat all electronic information (including email) exactly the same as paper documents for the purposes of retention and destruction in your policies and procedures. Make sure your retention periods are the same regardless of the physical or electronic nature of the information. Of course, if you're archiving email, the challenge is in separating the financial emails from the loan documentation emails, from the customer communication emails, from the jokes. Each could have a different (or non-existent) retention requirement, but there is no technology that reliably classifies each message by data type automatically. Lacking that, most banks simply opt to archive all email regardless of the nature of the message. Simply put, there are three potential approaches to data retention: save everything, save selectively, and save nothing. Given the current technical limitations, the least risky of the three is to save everything.

Now, retention vs. archiving: think of an archive as a non-alterable backup. Some archive solutions also add a search feature, but the key is that, unlike an ordinary backup, the archived data cannot be deleted or modified in any way, even by an administrator. So why consider archiving instead of simple retention? Three reasons:

First, a public company is subject to SOX as well as GLBA. SOX is much more stringent in its retention requirements in the sense that the data must not only be retained, but the bank must also reasonably assure the integrity (non-alterability) and availability (searchability) of the data. This can be done in several ways, but archiving is the most common.

Second, does your institution still hold TARP funds? If so, there could be retention implications in three areas:

  • Accountability and transparency mandates
  • Specific or implied record-keeping requirements
  • Heightened public scrutiny

Taken in order: the accountability and transparency mandates were established via the Recovery Accountability and Transparency Board, created by the American Recovery and Reinvestment Act of 2009 to coordinate and conduct oversight of recovery spending and ensure that taxpayer dollars are not wasted, abused, or used fraudulently. The overarching record requirement of that act is the broad, discretionary power given to the inspectors general to review and examine any records related to covered funds, as cited in Sec. 1515 of the act. Again, archiving is not required, but it is the best solution to assure data integrity and availability.

Third, the Federal Rules of Civil Procedure, which govern the conduct of all civil actions brought in federal district courts (and on which many state court rules are modeled), require the disclosure of any "electronically stored information" during the discovery process. The only safe harbor from sanctions for failing to produce it (Rule 37(e)) is if the "electronically stored information is lost as a result of the routine, good-faith operation of an electronic information system", OR if the data were destroyed in accordance with the institution's reasonable and customary data retention and destruction policy.

¹ The Operations booklet of the FFIEC IT Examination Handbook mentions data retention only with regard to digital imaging systems. The booklet was written in 2004, when electronic documents were much less ubiquitous.

02 Nov 2010

Mobile devices and information security

The key to addressing the risk of mobile devices is to think of them as functionally equivalent to a PC (with all the information security risks therein), PLUS the added risk of mobility. In fact, the FFIEC combines workstations, laptops and hand-held devices together in its Information Security examination procedures for the purposes of determining compliance with user equipment security guidelines.

So if we accept that all these devices warrant equivalent security considerations, the information security risk assessment should determine the institution's risk exposure at each stage in the life of the data, regardless of where the data is located:

  • Processing (in-house or at a third party)
  • Transit and Transmission
  • Handling and Storage
  • Destruction / Disposal

Mobile devices present issues in each of these categories, and the institution must identify them and apply layered controls designed to reduce or eliminate them. For example, processing includes email applications as well as third-party apps. Do any of these third-party apps process or have access to customer information? Is the approval process for them the same as for in-house applications? What about social networking? Social networking use is easy to control on the internal network but almost impossible to control on a mobile device. How will the device handle authentication, and is a shorter password or PIN acceptable?

Transmission presents a particular challenge for mobile devices, as data can traverse multiple platforms such as cellular and Internet in addition to the local area network. The FFIEC requires that "…policies and procedures address the protections for data that is sent outside the institution." Encryption of data in transit is the most common control here.

Handling and storage present the biggest challenge for mobile devices, and again encryption of stored data plus remote wipe capability is key to addressing these risks. Keep in mind that a remote wipe only helps if the device can still receive the command, so it complements encryption rather than replacing it.

Finally, how are mobile devices taken out of service at end-of-life? A device must be wiped (or its storage destroyed) before disposal or reuse, just as you would treat a retired PC hard drive.

These are only a few considerations, but at the end of the process the institution must assess the residual risk and decide whether it is acceptable. That shouldn't mean accepting a higher level of residual risk just because the risk is difficult to control, but perhaps a slightly higher level is acceptable if the added productivity of mobile devices justifies it.

27 Oct 2010

ID Theft and SAR filings

In the past, authoritative reports on identity theft have relied on surveys of the general public to collect ID theft data. However, in a recent FinCEN report, the data came directly from SARs filed by the financial institutions themselves, resulting in a much more accurate assessment of the scope of the identity theft problem.

About the SAR: The most recent version of the Suspicious Activity Report (SAR) form is dated July 2003, and has required financial institutions to report identity theft as a separate category since 2004. (It's found in Part III, item 35(u), with the narrative in Part V.) Since the category became available, the number of SAR filings reporting identity theft has grown from 15,445 in 2004 to 36,210 in 2009.

About ID Theft: The ID Theft/Red Flags Rule is actually titled "Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003", and was issued jointly by the federal banking agencies, the NCUA and the FTC in October 2007, with compliance mandatory by November 1, 2008. Since then the FTC has delayed enforcement for the entities under its own jurisdiction several times, most recently until December 31, 2010; the banking agencies have not. The delay does not extend the requirement to comply with the rule, only the FTC's enforcement of it. All institutions should have (at the very least) a written identity theft prevention program, as well as established procedures.

About the report findings: There were a number of interesting findings in this report, but the most interesting to me was that the two most commonly identified Red Flags (as listed in Supplement A to Appendix A of the rule) were #25 and #26:

  • 25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
  • 26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

These two Red Flags accounted for 75% and 23% of filings, respectively. This is interesting because it indicates that the vast majority of ID theft notifications are coming from the customers themselves (or from others reporting on their behalf), not from the institution's own monitoring. Combined with the finding that 43% of ID theft related activity is discovered within four weeks, perhaps the most effective loss-prevention control for institutions to consider is one that delivers account information to the customer more quickly.

23 Oct 2010

Dodd-Frank and agency consolidation

Although the specific requirements and burdens of the almost 250 rulemakings and more than 2,000 pages of the Dodd-Frank Act are yet to be clearly defined, one of the major provisions of immediate interest to financial institutions is the elimination of the Office of Thrift Supervision (OTS). The OTS's responsibilities will be divided among the other regulators, with the transfer scheduled for one year after enactment: the Federal Reserve will regulate savings and loan holding companies, the OCC will regulate federal savings associations, and the FDIC will regulate state savings associations. For federally chartered thrifts, the practical effect is a move to OCC supervision, which will have an immediate impact as they adapt to the OCC's safety and soundness compliance requirements.

I believe that this consolidation, combined with the memorandum of understanding signed between the FDIC and the other primary federal regulators, will lead to increased safety and soundness scrutiny across the board. All financial institutions, particularly those currently regulated by the OTS, are strongly encouraged to monitor regulatory activity closely over the next several months and take a proactive approach to pre-empt surprises during safety and soundness examinations.

18 Oct 2010

Reg. E reform and RDC

I recently ran across an excellent post on this topic, on Krebs' site, making the point that even though Reg. E does not currently treat corporate and municipal accounts the same as consumer accounts, they do, in fact, pose the same risk to the financial institution. As that post asks, why should the proposed changes to Reg. E stop at municipalities? Corporate accounts are being targeted as well, and recent corporation vs. FI court cases are being decided (or quietly settled) in favor of the corporation. FIs would be wise to regard remote deposit capture devices and ACH/wire origination devices as de facto extensions of their own network. Once the true risk of these remote devices is understood, how many FIs would find the residual risk acceptable?

The alternative is to implement additional controls (beyond a strong contract) designed to educate the customer on security basics and to monitor the security status of their devices.

13 Oct 2010

DR Plans – Compliant or Recoverable?

When addressing the issue of your disaster recovery plan, the ultimate goal is both. But if you're faced with limited resources (time, personnel, and money) and need to decide whether to conduct a test or re-write your existing plan, what should you do? A successful test demonstrates that you can recover if you have to. Isn't that the point of a DR plan? Why waste limited resources tweaking your plan when the tests validate your recovery capability?

Because if your plan doesn't follow the FFIEC guidance, you may fail an audit or examination regardless of how many successful tests you've conducted. It may seem like a case of misplaced priorities, but it does make sense. The Business Continuity Planning booklet of the FFIEC IT Examination Handbook is (unlike most of the other booklets) pretty prescriptive in its guidance. It "encourages" financial institutions to adopt a four-phase process consisting of:

  • Business Impact Analysis
  • Risk Assessment
  • Risk Management
  • Risk Monitoring & Testing

I put "encourages" in quotes because whenever the FFIEC uses that word, what it really means is that you had better have a very good reason NOT to adopt the process. In fact, since December 2007 the FDIC has made the Business Impact Analysis mandatory, and recent audits have faulted plans for not having a Risk Assessment. So the first reason to focus on bringing your plan into alignment with current regulatory guidance is to avoid audit and examination deficiencies. You may never experience an actual emergency severe enough to activate your plan, but you are virtually guaranteed to have it audited and examined, and repeatedly so.

But the most important reason to focus on having a compliant plan is that the prescribed process actually makes sense. Each phase specified in the booklet flows logically into the next, with the end result being a comprehensive program that:

  1. Identifies and prioritizes all critical business processes and their inter-dependencies (Phase 1)
  2. Identifies threats to those processes (Phase 2)
  3. Develops recovery procedures for the event that those threats affect the processes (Phase 3), and
  4. Tests all assumptions to validate the previous phases (Phase 4)

Unless you've completed Phases 1 and 2, how do you know your test results are valid, i.e. that you are recovering the processes that are most important to you? If you haven't done the analysis and assessment steps, you really don't know.

So, compliant AND recoverable is the goal, but if the question is compliant OR recoverable, you should always opt for compliant. Because if compliant is done correctly, recoverable will be the result.