Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
26 Mar 2013

Court rules in favor of Bank in account takeover case

In contrast to the PATCO ruling, a district court in Missouri has ruled in favor of the bank in an account takeover case brought by one of its commercial customers.  This case was very similar to the PATCO case with one important exception, which I’ll discuss shortly.  But it also raises some interesting questions that could impact financial institutions.

First, the details.  In March 2010, BancorpSouth received a request via the Internet to execute a wire transfer in the amount of $440,000 on behalf of its customer, Choice Escrow and Land Title.  The Bank wired the funds, and the following day the customer contacted the Bank to notify them that they in fact had not authorized the wire transfer.  The company filed suit to recover the loss, claiming that the Bank did not use appropriate security measures.  Their claim was not that appropriate security was unavailable, but that several security options were available and the Bank allowed the customer to select an inferior one.  This is quite different from the PATCO case, where strong authentication was available to the Bank from the software vendor, but the Bank in that case decided not to offer it to their customer.  In this case the Bank offered both single- and dual-control authentication options, and the customer waived the dual-control option.  This gave any authorized user of the software the ability to initiate and approve a wire without requiring a second user to approve and release the funds.  Using malware, a hacker was able to gain control of the PC, record the user name and password via a keystroke logger, and send the fraudulent wire.

The PATCO case was decided in favor of the customer because the Bank failed to make strong, commercially reasonable authentication options available to the customer even though the software vendor offered them to the Bank.  But in this case, the judge decided just the opposite: stronger options were made available, but were declined by the customer.  Remember, according to UCC 4A the risk of loss for an unauthorized transaction will lie with a customer if the bank can establish that its security procedure is a commercially reasonable method of providing security against unauthorized payment orders.  So, advantage Bank.  But again, the customer claimed that the Bank should NOT have offered the weaker option to them knowing that it was insufficient to address the risks.  In other words, simply offering the weaker option to the customer was an implicit acknowledgement by the Bank that it was commercially reasonable.  In the end this argument was rejected because the Bank had documentation that it had offered, and the customer had refused, the stronger option multiple times.

Although this case turned out OK for the Bank, the verdict does raise several questions for financial institutions:

  • Knowing that one option is better than another, should institutions even offer more than one authentication option to their customers?  And what happens when a customer (or product) increases in risk?  Do you require the users to upgrade?
  • Since the judge in both this case and the PATCO case referenced UCC 4A as the legal basis for their decisions, should the FFIEC be more prescriptive about exactly what constitutes “commercially reasonable” (and what doesn’t)?  The 2003 FFIEC E-Banking guidance says that “whether a method is a commercially reasonable system depends on an evaluation of the circumstances.”  But the updated 2011 FFIEC authentication guidance doesn’t mention “commercially reasonable” (or UCC 4A) at all.  Why not?  Specifically, why not include the “…the risk of loss for an unauthorized transaction will lie with a customer if…” language?
  • Are institutions putting too much faith in technical measures, and avoiding simpler, but more effective, controls?  Anomaly detection is getting a lot of attention these days, but in this case Choice had a history of transfers of similar size and frequency, and no anomaly triggers were activated.  Simple dual control would have prevented this fraudulent transfer.
  • On the other hand, are vendors overlooking more effective technologies, such as out-of-band authentication and secure DNS?

In summary, there are still questions, but there are also a couple of lessons financial institutions should take away from this.  First, the court determined that although dual control was more labor intensive for the customer, it was also the more secure option, and as such Choice should have opted for increased security over the increased inconvenience.  Lesson?  Perhaps you should be less concerned about inconveniencing your customers with increased security requirements, and more focused on convincing (i.e. educating) them that a little increased effort on their part is justified…in other words, security trumps usability.  Second, customer awareness efforts and documentation made all the difference in this case.  If the Bank had not made, and documented, multiple efforts to implement stronger authentication, this case could easily have gone the other way.
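To make the post’s point concrete, here is an added example (not code from the original post, and not from either party’s systems) that models single-control versus dual-control wire release alongside the kind of history-based anomaly check that, as the post notes, never fired. The user names, amounts and transfer history are constructed for illustration.

```python
"""
Added example (not code from the original post): a small model of the two
wire-release policies at issue in the Choice Escrow / BancorpSouth case,
single control versus dual control, alongside the history-based anomaly
check that the post says never fired. Users, amounts and the transfer
history below are constructed for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass
class WireRequest:
    amount: float
    initiated_by: str                  # user whose session submitted the wire
    approved_by: Optional[str] = None  # second user who released it, if any


@dataclass
class WirePolicy:
    dual_control: bool                 # True: a different user must release
    history: List[float] = field(default_factory=list)  # prior wire amounts

    def anomaly_flag(self, amount: float, z: float = 3.0) -> bool:
        """Flag an amount that sits far outside the customer's prior wires.
        A transfer that matches the historical size and pattern, like the
        one in the case, does not trigger this check."""
        if len(self.history) < 2:
            return True                # no baseline yet: treat as anomalous
        mu, sigma = mean(self.history), pstdev(self.history)
        if sigma == 0:
            return amount != mu
        return abs(amount - mu) / sigma > z

    def can_release(self, req: WireRequest) -> Tuple[bool, str]:
        """Decide whether the wire leaves the bank, and why."""
        if not self.dual_control:
            return True, "single control: initiator's credentials suffice"
        if req.approved_by is None:
            return False, "dual control: waiting for a second approver"
        if req.approved_by == req.initiated_by:
            return False, "dual control: approver must differ from initiator"
        return True, "dual control: released by a second user"


# Constructed history of routine wires for the customer (amounts in USD).
ROUTINE_WIRES = [410_000, 455_000, 430_000, 470_000, 420_000]


def run_scenario() -> dict:
    """Replay the situation in the post: one user's credentials were captured
    by a keylogger and used to submit a wire sized like the customer's usual
    transfers. Returns the outcome under each policy."""
    single = WirePolicy(dual_control=False, history=ROUTINE_WIRES)
    dual = WirePolicy(dual_control=True, history=ROUTINE_WIRES)
    fraudulent = WireRequest(amount=440_000, initiated_by="alice")

    # The same captured credentials are reused to approve the request.
    self_approved = WireRequest(440_000, "alice", approved_by="alice")
    # Legitimate flow: a second employee with separate credentials releases.
    second_user = WireRequest(440_000, "alice", approved_by="bob")

    return {
        "anomaly_flagged": dual.anomaly_flag(fraudulent.amount),
        "single_control": single.can_release(fraudulent)[0],
        "dual_no_approver": dual.can_release(fraudulent)[0],
        "dual_self_approved": dual.can_release(self_approved)[0],
        "dual_second_user": dual.can_release(second_user)[0],
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>20}: {outcome}")
```

The anomaly check stays silent because the fraudulent amount sits inside the customer’s normal range, while dual control blocks release unless a second, distinct user approves.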

25 Feb 2013

Examination Downgrades Correlated with Poor Vendor Management

According to Donald Saxinger (senior examination specialist in FDIC’s Technology Supervision Branch) in a telephone briefing given to the ABA in December of last year, almost half of all CAMELS score downgrades in 2012 were related to poor vendor management.  The briefing was titled “Vendor Management: Unlocking the Value beyond Regulatory Compliance”, and in it Mr. Saxinger noted that in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor.  He went on to say that although poor vendor management may not have been the prime cause, it was frequently cited as a factor in the downgrade.

Mr. Saxinger recommends that banks request, receive, and review not just financials and third-party audits such as SOC reports and validation of disaster recovery capabilities, but also any examination reports on the provider.  Federal examiners have an obligation and a responsibility to monitor financial institution service providers using the same set of standards required of the institutions themselves, and they are doing so with increasing frequency.

In addition, consider that all of the FFIEC regulatory updates and releases issued last year were either directly or indirectly related to vendor management:

  • Changes to the Outsourcing Handbook to add references to cloud computing vendors, and managed security service providers.
  • Updates to the Information Security Handbook to accommodate the recently released Internet Authentication Guidance (with its strong reliance on third-parties).
  • Changes to all Handbooks to accommodate the phase-out of the SAS 70, replacing it with the term “third-party review”.
  • Updated guidance on the URSIT programs for the supervision and scoring of Technology Service Providers.
  • Completely revised and updated Supervision of Technology Service Providers Handbook.

So regulators see inadequate vendor management as a contributing factor in examination downgrades, and virtually all new regulations issued by the FFIEC are related to it as well.  As a service provider to financial institutions we are prepared for, and expecting, added scrutiny.  As a financial institution looking to optimize examination results and stay ahead of the regulators, you should be too.

Here is a link to all vendor management related blog posts.

05 Feb 2013

Implementing the CFPB-required Compliance Management System (Part 2)

CFPB compliance examinations have only just started and the agency has already identified deficiencies in some institutions:

“The CFPB has found one or more situations in which an effective CMS was lacking across the financial institution’s entire consumer financial portfolio, or in which the financial institution failed to adopt and follow comprehensive internal policies and procedures, resulting in a significant breakdown in compliance and numerous violations of Federal consumer financial law.”

By the way, if you were under the impression that the CFPB would only examine institutions above $10B in assets, Section 1026 of the Dodd-Frank Act provides that the agency does have regulatory authority for institutions under $10B as well.  They will likely coordinate the consumer compliance examination through your current primary federal examiner, or they may “spot-check” smaller institutions on their own.  Either way, you’ll have to meet their guidelines.  “…the CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system…”.

So the agency clearly considers the Compliance Management System (CMS) a key component, and it is already an area of focus for regulators.  In fact if you read a bit further in the guidance they state that if a formal CMS is not in place, “…the financial institution has no ability to address risks presented by its lines of business.”

What is interesting about this statement is that although the focus of the CFPB is consumer compliance, they don’t seem to limit the applicability of a CMS to only consumer-oriented lines of business.  This leads me to believe that they consider a CMS not just a CFPB requirement, but a general compliance best practice.  Furthermore, any attempt to implement a CMS using a “compliance response” approach (i.e. one that addresses the letter, but not necessarily the spirit, of the regulation) will likely be inadequate.  In a typical CMS examination, the CFPB will evaluate both the understanding and the application of the financial institution’s compliance efforts.  The “compliance-response” approach will not work.  Indeed, as the earlier quote indicates, the CFPB has already found several institutions that had the correct policies and procedures in place, but were not following them.  In other words, while it is important to have the right policies in place, compliance will be determined by how well management understands the policies, and how well the policies are actually being followed.  Simply put…

Compliance = Policies + Procedures + Actual Practices

So how do you implement an effective and compliant CMS?  And more importantly, how do you do it in a cost-effective way?  While the exact elements of your CMS will vary according to the scope and complexity of your consumer financial products and services, there will be 6 broad areas of focus for the examiners:

  1. Board of Directors and Management Oversight
  2. Policies and Procedures
  3. Training
  4. Monitoring and Corrective Action
  5. Consumer Complaint Response
  6. Compliance Audit

With the possible exception of #5, you already have a formal process in place to address all of these elements for information security: it’s called your information security program.  Consider this…

  1. You have an IT strategic plan, which integrates with your overall strategic plan, and establishes the business case for technology.  It assigns overall responsibility to the Board for managing the plan, and requires periodic progress updates back to the Board.  Day-to-day management has been assigned to an IT Steering Committee.
  2. You have a set of policies and procedures, and you update them at least annually.
  3. You train your employees on information security best practices at least annually.
  4. You have periodic meetings of the IT Steering Committee, structured as a control self-assessment, where control adequacy and effectiveness is evaluated.
  5. You conduct periodic independent audits of the process.

So whether you realize it or not, you already have a “compliance management system” in place!  Simply take what you are already doing for information security, add a complaint response capability, and apply it to consumer compliance.  The CFPB Supervision and Examination Manual lists the specific procedures that examiners will use starting on page 36.  Just as Appendix A of the FFIEC Handbooks guided your information security program, you should use this to define the specifics of your CFPB compliance program.*

One final thought…the CFPB has adopted the same 5-point rating system used by the FFIEC to “grade” your adherence to the guidance, wherein a rating of 1 or 2 represents a strong compliance position, and anything worse than a 2 is considered sub-optimal.  This is how the CFPB defines an institution rated “1” (bulletized for easier reading); use it as your guide:

  • Management is capable of and staff is sufficient for effectuating compliance.
  • An effective compliance program, including an efficient system of internal procedures and controls, has been established.
  • Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures, and compliance training.
  • The institution provides adequate training for its employees.
  • If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected.
  • There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations.
  • Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.

*I’ve converted the examination procedures section into an easy-to-follow checklist.  For Safe Systems customers, your account manager has a copy and will walk through it with you.

24 Jan 2013

FFIEC Issues Proposed Social Media Guidance

(UPDATED – Added link to public comments)

Just out, this document is really a request for comments on the proposed guidance, but final guidance is likely to follow this very closely…and very quickly.  As many financial institutions are probably getting their social media policies together now (or updating existing policies), this is a must read.  Here is an executive summary:

  • First of all, the guidance does not impose additional obligations on financial institutions.  The responsibility to properly manage the potential risks associated with social media usage and access is no different than that which is required for any new product, service or process.
  • The FFIEC defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video”.  Also, “Social media can be distinguished from other online media in that the communication tends to be more interactive.”
  • Institutions are expected to have a risk management program in place that allows them to identify, measure, monitor, and control the risks related to social media…again, an expectation that exists for every other risk an institution faces.
  • It should be designed with participation and involvement from specialists in compliance, technology, information security, legal, human resources, and marketing.
  • Components of the program should include:
    • Board and senior management approval and involvement, including strategic justification of a social media strategy.
    • Policies and procedures (either stand-alone, or incorporated into other existing policies) addressing the proper use and management of social media.
    • Proper vendor management of social media providers.
    • Employee training, including both proper and improper activities.
    • A process to monitor all social media activity, whether initiated by the institution, or a contracted third-party.
    • Audit oversight.
    • Periodic reporting to the Board and senior management as to whether or not social media activities are meeting strategic goals.
  • Policies and procedures must address the following risks:
    • Consumer Compliance & Legal/Regulatory Risks, including:
      • Truth in Savings Act/Regulation DD and Part 707
      • Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act
      • Truth in Lending Act/Regulation Z
      • Real Estate Settlement Procedures Act
      • Fair Debt Collection Practices Act
      • Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)
      • Deposit Insurance (FDIC) or Share Insurance (NCUA)
      • Electronic Fund Transfer Act/Regulation E
      • Bank Secrecy Act/Anti-Money Laundering Programs (BSA/AML)
      • Community Reinvestment Act (CRA)
      • GLBA Privacy Rules and Data Security Guidelines
      • CAN-SPAM Act and Telephone Consumer Protection Act
      • Children’s Online Privacy Protection Act
      • Fair Credit Reporting Act
    • Reputation Risk, including:
      • Fraud and Brand Identity
      • Third Party Concerns where social media activities are outsourced
      • Privacy Concerns arising from the public posting of confidential information
      • Consumer Complaints and Inquiries
      • Employee Use of Social Media Sites, including through employees’ own personal social media accounts
    • Operational Risk, paying particular attention to the requirements in the FFIEC booklets “Outsourcing Technology Services” and “Information Security”

As you can see, whether you have separate social media policies, or incorporate the elements into other policies, the requirements have expanded considerably.  Use this summary as a checklist as you draft your new, or update your existing, policies.

I have written before about the unique challenges presented by social media, and how it doesn’t easily lend itself to traditional risk management techniques.  This new guidance recognizes that, and makes it crystal clear that although it is difficult, you must still follow the same basic risk management procedures you use for everything else…Identify, Measure, Control and Monitor.

One final thought…you are expected to tailor your efforts to the breadth of your involvement in this area.  The standard “size and complexity” considerations apply here.  But even if you decide not to engage in a formal social media effort, you must still have a policy because you cannot completely avoid the risks of employees posting on their personal accounts, and third parties posting negative comments.  Unlike other endeavors, risk avoidance is not an effective control!


Comments are now closed.  If you would like to view comments, here is the link:  http://www.regulations.gov/#!docketDetail;D=FFIEC-2013-0001

15 Jan 2013

CFPB Examinations To Require “Compliance Management Systems” (Part 1)

We have known for some time that CFPB examinations are coming, and late last year the CFPB released their Supervision and Examination Manual…all 924 pages of it!  There is much to comment on in there, but I want to focus on 2 things that will impact financial institutions right away.

The first is the actual approach the CFPB will take towards examining your institution, and anyone familiar with the risk management process (or who regularly reads this blog) will instantly recognize it.  Before they begin the examination process, they will conduct a risk assessment of your institution.  Of course the concept is nothing new; regulators have been expecting FIs to conduct risk assessments for years, and for everything they do, so I guess it’s good to see them finally practice what they preach.  However, this is the first time the concept has been applied to the pre-examination process, and since the depth and breadth of the examination will depend on the result of their assessment, you should definitely be proactive about this.  If their pre-exam assessment determines that your overall inherent risk is low or moderate and likely to remain steady or decrease in the future, and your controls are strong or adequate, the focus and intensity of the exam is likely to be relatively mild.  On the other hand, if inherent risk is high and/or increasing, and controls are judged as weak, I think you can expect a more vigorous examination experience.

So how can you prepare?  In the past, one common approach to new regulations has been to make at least a token effort to comply, then see what the examiner had to say.  Because past regulatory changes have been notoriously non-prescriptive (and as such, open to interpretation), you wait for the examiner to take a look at what you’ve done, and let them suggest changes.  In other words, you would accept examination findings rather than risk misinterpreting examiner expectations.  This has been a common, and frankly rational, approach to compliance.  However this approach may not be optimal with CFPB examinations, because a token compliance effort may actually result in a higher risk rating.

This brings me to the second big take-away from the examination manual, and the only way to avoid a sub-optimal risk assessment: the implementation of a “Compliance Management System”, or CMS.  According to the CFPB:

“A critical component of a well-run financial institution is a robust and effective compliance management system (CMS), designed to ensure that the financial institution’s policies and practices are in full compliance with the requirements of Federal consumer financial law.  Consequently, one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the compliance management systems employed by the financial institutions.  …Without such a system, serious and systemic violations of Federal consumer financial law are likely to occur.”

The system should be designed to address the following elements:

  • Internal controls and oversight
  • Training
  • Internal monitoring
  • Consumer complaint response
  • Independent testing and audit
  • Third-party service provider oversight
  • Record-keeping
  • Product development and business acquisition, and
  • Marketing practices

At first glance this appears to be a whole new set of potentially burdensome requirements for financial institutions.  The “CMS” term is new, no other regulatory agency specifically requires this.  And they make it clear that having the system in place is not just a best practice, it is a “critical component” of a well-run institution (strongly implying that if you don’t have one in place, you aren’t well-run).  Furthermore, if you don’t have a CMS in place you are likely to incur “serious and systemic violations” of law.

So a CMS is both a requirement in and of itself, and a good way to avoid a sub-optimal CFPB pre-examination risk assessment. The question at this point is not whether you should do it (you should), or when you should do it (ASAP, prior to your first CFPB examination), but rather how can you implement one with minimal internal resource impact?

I mentioned earlier that it may appear at first glance to be an entirely new system, but in my next post I’ll discuss how you can implement a comprehensive CMS that meets regulatory expectations and doesn’t impose an unreasonable burden by utilizing the risk assessment and reporting structure you probably already have in place within your institution.

(Spoiler alert:  The fundamentals of a CMS are nothing we haven’t seen before…understanding the difference between polices, procedures, and practices….utilizing a management committee with a standard agenda…implementing a control self-assessment process…documenting the management reporting process…sound familiar?)

03 Jan 2013

FDIC Files Record Number of Lawsuits in 2012 – 2015 UPDATE

UPDATE 2: We in fact did see a significant decrease in O&D lawsuits in the past few years:

O&D 2015

UPDATE: Apparently one of the most common requests of the FDIC from bankers is for more technical assistance and training.  The FDIC has responded, and I do not believe it is coincidental that the first set of new videos released is a new series titled “New Director Education Series” aimed at bank Directors.

The numbers are in for 2012, and for the fourth year in a row the FDIC has filed a record number of officer and director lawsuits. According to the Statement Concerning the Responsibilities of Bank Directors and Officers adopted in 1992, the FDIC may sue professionals who they believe played a role in the failure of the institution. These individuals can include officers and directors, attorneys, accountants, appraisers, brokers, or others.

2012 FDIC Lawsuits

The FDIC regulations defining officer and director obligations are explained here, and the key concept to understand is something called the “duties of loyalty and care.”

“The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.”

So how can your officers and directors (and others) demonstrate the “duties of loyalty and care” and avoid liability claims?  The FDIC spells it out, and it isn’t really that difficult:

“The FDIC will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation.”

Let’s break that last sentence down a bit.  Officers and directors must demonstrate that they made…

  1. …reasonable business judgments…
  2. …on a fully informed basis, and…
  3. …after proper deliberation.

So working backwards, the key to proper deliberation is that you be fully informed, and that requires accurate, timely and relevant information.  Not just data, but actionable information.

The key then, is that financial institutions must take steps to ensure that officers and directors have the information necessary to carry out their responsibilities, and that the deliberation process is appropriately documented.  I’ve written before (Using Technology to Drive Compliance) about how technology (specifically automation) can enable and/or enhance your compliance efforts.  Technology can help extract useful information from mountains of data, and then present that information in a consistent, easy to understand format.

Management committees like the IT committee and the audit committee can provide both a forum for the exchange of information, and documentation that the exchange took place.  Make sure all functional units are represented on the committee, and designate someone as the Board representative if possible.  Make sure the committee reports to the Board periodically (preferably quarterly, but at least annually), and don’t underestimate the value of having outside expertise on those committees.  Not only can it add a different perspective, it can also help document that you are truly making an effort to be “fully informed” and that you are “properly deliberating”.

Given the right information, in the right format, and the right setting, perhaps we’ll see this trend slow or even reverse itself in 2013!