Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
11 Oct 2010

FDIC and State examiners teaming up

I wrote a similar post earlier, but it now seems that perhaps the reason the State of Georgia has adopted the FDIC IT Examination Questionnaire is that the FDIC has been showing up on-site with the State examiners.  I’ve gotten reports that this is happening with increasing frequency, and not just in Georgia.

My advice is to familiarize yourself with the FDIC Questionnaire, even if you are preparing for a State examination.  Be able to answer each question and, most importantly, to justify your answer with the appropriate documentation.

08 Oct 2010

The FFIEC Handbooks and the SAS 70

I’ve written about the 6/15/2011 phase-out of the SAS 70 report in favor of the SSAE 16 series (SOC 1, SOC 2, SOC 3) here and here.  The AICPA isn’t expected to update their audit guide until sometime early next year, but financial institutions are anxious to get the FFIEC to comment, as the SAS 70 is mentioned no fewer than 31 times, and in a total of 8 of the 12 IT Examination Handbooks.  It’s mentioned 10 times in the Information Security Handbook alone!

I predict that the FFIEC will remove all references to the SAS 70, or to any specific report for that matter, and replace them with generic references to “audit reviews” or “audit reports”.  It will then fall to the financial institution to determine the most appropriate report for each service provider, based on their risk assessment.  However, the service provider will deliver whatever report they decided to prepare, which may or may not match the report requested.

07 Oct 2010

The 5 trickiest FDIC IT examination questions (part 5).

In my last post, I asked you to weigh in on what question you wanted me to address in this final post of the series.  This one came from a bank that was in the process of actually filling out the questionnaire, and it’s a good one.  It’s found in the Vendor Management section:

“Has the bank identified and reported its service provider relationships (both domestic and foreign-based) to the FDIC (Y/N)?”

At first glance, you may be tempted to interpret this as asking “Has the bank identified and reported its MAJOR or CRITICAL service provider relationships…?”, but the question does not seem to limit your reporting requirement to a particular class or size of service provider.  So are you really obligated to report ALL vendor relationships, from your core provider to your cleaning crew?  Taken at face value, it would certainly seem so.

To figure out exactly what is required you have to look at the 2 references listed under the question:

  • “Notification of Performance of Bank Services” FDIC Rules and Regulations 304.3, and
  • 12 USC 1867, Section 7(c)(2) of the Bank Service Company Act (BSCA)

In researching this, it appeared at first that it only applied to banks that owned more than 1% of a bank service provider.  But upon further review (sorry, it’s football season), Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party “shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first.”  So again, this looks like ALL vendor relationships need to be reported.

However, in a recent interview at bankinfosecurity.com with Donald Saxinger (senior examination specialist with the FDIC), this exact issue was addressed in the context of reporting social media vendors.  Simply put, his response was that only if the vendor provides “banking functions” does it need to be reported to the regulators.  Banking functions are defined in Section 3 of the Bank Service Company Act as:

  • check and deposit sorting and posting,
  • computation and posting of interest and other credits and charges,
  • preparation and mailing of checks, statements, notices, and similar items, and
  • any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution

Using this list as a reference, only core vendors, item processors and outsourced accounting firms fall into these categories.  (Whether or not IT vendors fall into this category will be addressed in a future post.  Mr. Saxinger makes the point that IT vendors are one of the dependency layers that support the business process, and as such MAY fall into one of the categories above, depending on the outcome of your risk assessment.)  To be safe, since there is no penalty for over-reporting, it’s best to report all vendor relationships that even come close to fitting the definition of a bank service company.

So the correct answer is “Yes, we report all of our service provider relationships that provide banking functions to us, as well as any vendors providing a critical dependency to those service providers, as determined by our risk assessment.”  Of course, make sure that you do report them.  The FDIC form is here; other regulators may have their own reporting mechanism.

20 Sep 2010

SSAE 16 replaces SAS 70 (…sort of) – UPDATE 2

In my last post I indicated that the AICPA would have additional guidance on this topic this fall.  It appears that we may now have to wait until early 2011.  According to this document from the AICPA,

“The existing (AICPA Audit) guide is being overhauled and rewritten to reflect the requirements and guidance in SSAE No. 16. The revised guide is expected to be available for sale in early 2011”.

This presents a dilemma for service institutions whose existing SAS 70 reports have expired, or are about to expire.  I will address this in greater detail in a future post.  But the much bigger issue is for financial institutions that rely on the SAS 70 reports to validate the adequacy and effectiveness of controls at their service provider.  As I made clear in my last post, the new SSAE 16 reporting standard is not designed to address controls over subject matter other than financial reporting.  According to a recent article:

In the past, many CPAs used SAS no. 70 to report on controls at a service organization that are unrelated to user entities’ internal control over financial reporting, for example, controls over the privacy of customers’ information. However, SAS no. 70 is not applicable to examinations of controls over subject matter other than financial reporting, and neither is SSAE no. 16.

For the vast majority of vendors that provide products and services to financial institutions, the SSAE 16 is not appropriate unless the product or service provided directly impacts financial reporting.

If you are a financial institution with outsourced IT services, you should be far more interested in the privacy, security, confidentiality, integrity and availability of your (and your customers’) data at the service provider.  The report you want is called a Service Organization Control (SOC) Report. There are 3 different reports:

  • SOC 1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
  • SOC 2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
  • SOC 3 – Trust Services Report

Your service provider may present you with any one of these (or the SSAE 16), and with either a Type I or Type II.  I believe that the SOC 2, Type II will be adopted as the de facto standard for organizations that provide IT related services to financial institutions (including managed services like cloud computing).

The guidance we are waiting on from the AICPA is a report called “Reporting on Controls at a Service Provider Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy”.  Again, it’s not expected until early next year, but financial institutions should start planning now.  Ask your service provider to tell you what report they plan to provide to you, and then determine whether or not the report provided sufficiently addresses your concerns.

Bottom line…this is no longer simply a “check-list” item in your vendor management program!

To be continued…

15 Sep 2010

FDIC issues guidance on copy machine hard drives

The FDIC issued FIL-56-2010 today, addressing the risk posed by sensitive information stored on certain electronic devices (copy machines, fax machines and printers) that utilize internal storage, and how institutions should mitigate that risk.

This guidance only covers those devices that have internal storage, such as a hard drive or flash memory, but according to some reports, every copy machine manufactured since 2002 contains a digital hard drive.

In short, the FIL references GLBA, and states that:

“Financial institutions should implement written policies and procedures to identify devices that store digital images of business documents and ensure their hard drive or flash memory is erased, encrypted or destroyed prior to being returned to the leasing company, sold to a third party or otherwise disposed of.”

Because the FIL refers to existing guidance regarding the proper disposal of customer information, no new policies should be required.  However, you should update your existing policies to make sure these new devices are identified and included.  It might also be a good time to re-evaluate your disposal method to make sure it is “sufficiently robust to render the information on the disk unrecoverable”.

(NOTE: HP addresses the issue for their devices here.)