Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years' experience, Hinkel's areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking technology company, where he ensures that its services incorporate the appropriate financial industry regulations and best practices.
18 Aug 2010

State regulators adopting FDIC pre-exam questionnaire… (Update)

…at least in Georgia.  The most recent Georgia State IT examinations are using a carbon copy of the FDIC 12/07 pre-examination IT questionnaire.  If your primary federal regulator is the FDIC, this makes filling out the State questionnaire much easier.  If not, you'll want to familiarize yourself with the format before the State examiners arrive.

There are 5 parts to the questionnaire:

  1. Risk Assessment
  2. Operations Security and Risk Management
  3. Audit/Independent Review Program
  4. Disaster Recovery and Business Continuity Management
  5. either…
    1. Vendor Management and Service Provider Management (newer version), or
    2. Gramm-Leach-Bliley Act/FDIC Rules and Regulations – 12 CFR Part 364 Appendix B (older version)

Also, we've definitely seen increased State examiner activity in general.  I've seen more State exam questionnaires this month than I've seen in the past four months.

UPDATE:  Add the State of Maryland to this list, with Vendor Management as Part 5.

16 Aug 2010

SSAE 16 replaces SAS 70 – UPDATE

Starting next year (or this year for Type II engagements whose examination period extends beyond 6/11), the traditional SAS 70 is being phased out in favor of the SSAE 16. The biggest difference is that the "A" no longer stands for "Audit" but for "Attestation":  management of the service provider asserts in writing that its description of its system is fair, that its controls are suitably designed and, for a Type II report, that they operated effectively over the review period, and the service auditor attests to that assertion. The service provider, not the auditor, now owns the claim about its own controls.

The other difference is that the SSAE 16 report (SOC 1) is one of a new series of service organization control (SOC) reports rather than a single document.  Financial institutions should become familiar with the format of the new reports and be prepared when your service providers present you with the new document. You may also want to check whether your current contracts with critical service providers require that a SAS 70 report be provided at least annually. If so, make sure that one of the new service auditor reports (SOC 1, SOC 2 or SOC 3) is referenced instead, so the contract does not keep pointing at a report the provider can no longer obtain.  The FFIEC will likely still consider these new reports the best assurance that your service provider is adhering to your security standards.  According to the AICPA web site:

Q. – May SSAE 16 be used for reporting on controls over subject matter other than financial reporting?

A. — No. SSAE 16 (as well as SAS 70) does not apply to examinations of controls over subject matter other than financial reporting.

Most importantly, because SSAE 16 covers only controls relevant to financial reporting, it will not be the de facto replacement for the SAS 70 for all financial institution vendors; vendors whose relevance to you is security or availability rather than financial reporting will need a different report.  Stay tuned, we are expecting additional guidance from the AICPA later this fall.

11 Aug 2010

About the FFIEC

The Council is a formal inter-agency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

11 Aug 2010

WHO declares H1N1 pandemic over

The head of the World Health Organization (WHO) today declared the H1N1 influenza pandemic over, saying worldwide flu activity has returned to typical seasonal patterns and many people have immunity to the virus.  WHO Director-General Margaret Chan said, "The H1N1 virus has largely run its course."

This means you are unlikely to encounter additional scrutiny in this area from your examiner; however, the FFIEC still requires that all financial institutions have plans in place detailing how they will manage through a pandemic event.  This includes incorporating pandemic planning into all four phases of the business continuity planning process.  (See Appendix D of the Business Continuity Planning IT Examination Handbook for additional guidance.)

09 Aug 2010

FDIC can now step in regardless of primary regulator (part 2)

Further to the previous post, the memorandum allows the FDIC's opinion to prevail, for FDIC purposes, in the event that an institution's PFR (primary federal regulator) assigns a CAMELS rating that differs from the FDIC's:

If the FDIC’s CAMELS ratings for an institution differ from a PFR’s assigned ratings, the FDIC is required to provide the PFR with an explanation of the basis for the FDIC’s position. In the event of a disagreement, the matter must be referred to the FDIC Director of the Division of Supervision and Consumer Protection (Director), or other designee, and the appropriate supervision official of the PFR. Any decision by the FDIC to use an assigned rating different than the PFR’s rating must be made by the Director (or other designee), after consultation with the Chairman of the FDIC.

Again, the best advice is to adopt the FDIC's interpretation of FFIEC guidance, regardless of your PFR.