Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
11 Dec 2012

Technology Service Providers and the new SOC reports

What do all of the 2012 changes to the IT Examination Handbooks have in common?  They are all, directly or indirectly, related to vendor management.  I had previously identified vendor management as a leading candidate for increased regulatory scrutiny in 2012, and boy was it.  (Not all of my 2012 predictions fared as well, I’ll take a closer look at the rest of them in a future post.)

So there is definitely more regulatory focus on vendors, and it’s a pretty safe bet that this will continue into 2013.  It usually takes about 6-12 months before new guidance is fully digested into the examination process, so expect additional scrutiny of your vendor management process during your 2013 examination cycle.  Since guidance is notoriously non-prescriptive we don’t know exactly what to expect, but we can be certain that third-party reviews will be more important than ever.  Third-party audit reports, such as the SAS 70 in previous years, and now the new SOC reports (particularly the SOC 1 & SOC 2), provide the best assurance that your vendors are in fact treating your data with the same degree of care that regulators expect from you.  As the FFIEC stated in their recent release on Cloud Computing:

“A financial institution’s use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations.”

Undoubtedly third-party audit reports will still be the best way for you to ensure that your vendors are compliant, but there seems to be considerable confusion about exactly which of the 3 new SOC reports is the “right” one for you.  In fact, in a recent webinar we hosted with a leading accounting firm, one of the firm’s partners stated that “there are a few instances where you might receive a SOC 1 report where a SOC 2 might be more appropriate”.  And this is exactly what we are seeing: technology service providers are having a SOC 1 report prepared when what the financial institution really wants and needs is a SOC 2.

Why is it important for you to understand this?  Because the SOC 1 (commonly called the SSAE 16, after the attestation standard it is issued under) is restricted by that standard to controls relevant to your internal control over financial reporting.  It is their auditor telling your auditor that the information they are feeding into your financial statements is reliable.  On the other hand the SOC 2 report is a statement from their auditor directly to you, and addresses the following criteria:

  1. Security – The service provider’s system is protected against unauthorized access.
  2. Availability – The service provider’s system is available for operation as contractually committed or agreed.
  3. Processing Integrity – The provider’s system is accurate, complete, and trustworthy.
  4. Confidentiality – Information designated as confidential is protected as contractually committed or agreed.
  5. Privacy – Personal information (if collected by the provider) is used, retained, disclosed, and destroyed in accordance with the provider’s privacy policy.

If these sound familiar, they should.  The FFIEC Information Security Booklet lists the following security objectives that all financial institutions should strive to accomplish:

  1. Privacy and security (the GLBA elements)
  2. Availability
  3. Integrity of data or systems
  4. Confidentiality of data or systems
  5. Accountability
  6. Assurance

As you can see, there is considerable overlap between what the FFIEC expects of you, and what the SOC 2 report tells you about your service provider.  So why are we seeing so many service providers prepare SOC 1 reports when the SOC 2 is called for?  I think there are two reasons.  First, because the SOC 1 is functionally equivalent to the SAS 70, it is the easier transition for a vendor coming from a SAS 70.  I can tell you from our own transition experience that the SOC 2 reporting standard is not just different, it is substantially broader and deeper than the SAS 70.  So some vendors may simply be taking the path of least resistance.

But the primary reason is that if the vendor provides a service that directly impacts your financial statements (like the calculation of interest), they must produce a SOC 1.  But if they additionally provide services unrelated to your financial statements, should they also produce a SOC 2?  In almost every case the answer is “yes”, because for all of the above reasons the SOC 1 simply will not address all of your concerns.

The next couple of years will be transitional ones for most technology service providers as they adjust to the new auditing standards, and for you as you begin to digest the new reports.  But will the examiners be willing to give you a transition period?  In other words, should you wait for your examiner to find fault with your vendor management program to start updating it?  I’m not sure that taking a wait-and-see attitude is prudent in this case.  The regulatory expectations are out there now, the reporting standards are out there, and the risk is real…you need to be pro-active in your response.

(NOTE:  This will be covered more completely in a future post, but the CFPB has also recently issued guidance on vendor management…and they are staffing up with new examiners.  Are there three scarier words to a financial institution than “entry-level examiners”?!)

12 Nov 2012

The Financial Institutions Examination Fairness and Reform Act (and why you should care)

Although it’s currently stuck in committee, financial institutions should be aware of this bill and track it closely in the next congressional session.  There are actually 2 bills, a House (H.R. 3461) and a Senate (S. 2160) version, both containing similar provisions.  The House bill has 192 sponsors and the Senate version has 14 sponsors, and both bills have supporters from both political parties.  Here is a summary of the bill, and why you might want to support it as well:

What it does:

  • Amends the Federal Financial Institutions Examination Council (FFIEC) Act of 1978 to require a federal financial institutions regulatory agency to make a final examination report to a financial institution within 60 days of the later of:
(1) the exit interview for an examination of the institution, or
(2) the provision of additional information by the institution relating to the examination.
  • Sets a deadline for the exit interview if a financial institution is not subject to a resident examiner program.
  • Sets forth examination standards for financial institutions.
  • Prohibits federal financial institutions regulatory agencies from requiring a well capitalized financial institution to raise additional capital in lieu of an action prohibited by the examination standards.
  • Establishes in the Federal Financial Institutions Examination Council an Office of Examination Ombudsman. Grants a financial institution the right to appeal a material supervisory determination contained in a final report of examination.
  • Requires the Ombudsman to determine the merits of the appeal on the record, after an opportunity for a hearing before an independent administrative law judge.
  • Declares the decision by the Ombudsman on an appeal to:
(1) be the final agency action, and
(2) bind the agency whose supervisory determination was the subject of the appeal and the financial institution making the appeal.
  • Amends the Riegle Community Development and Regulatory Improvement Act of 1994 to require:
(1) the Consumer Financial Protection Bureau (CFPB) to establish an independent intra-agency appellate process in connection with the regulatory appeals process; and
(2) appropriate safeguards to protect an insured depository institution or insured credit union from retaliation by the CFPB, the National Credit Union Administration (NCUA) Board, or any other federal banking agency for exercising its rights.

Why you should care:

In addition to the provisions for more expeditious exit interviews and final reports, the Bills provide for certain changes to “examination standards”.   The standards pertain primarily to the non-accrual treatment of commercial loans and their effect on capital, and they also redefine “Material Supervisory Determination” as “any matter requiring attention by the institution’s management or board of directors”.  These are all generally good things for financial institutions, but I think the most significant provisions (and the ones with the biggest positive impact) are the provisions that establish the Office of Examination Ombudsman within the FFIEC.

The current appeal process for contested examination findings was recently re-addressed by the FDIC here (and I reacted to it here).  In summary, if you currently have a disagreement with the FDIC about any “material supervisory determination”, which includes anything that affects CAMELS ratings and IT ratings (the full list is here, search for “D. Determinations Subject to Appeal”) you must stay within the FDIC for resolution.  And this includes the current Office of the Ombudsman, which is also a part of the FDIC.

The agency makes it clear that they believe the appeals process is “independent of the examination function and free of retribution or other retaliation”, but whether it is or isn’t, the fact that the process never leaves the FDIC deters many financial institutions from pursuing the appeals process in the first place.  I believe moving the process to the FFIEC at least improves the perception of independence and objectivity, which may make more institutions inclined to challenge examination findings.  What are your thoughts?


Again, I encourage you to learn about these bills for yourself and take a position. To support the Senate bill, go HERE.  To support the House bill, go HERE.  And feel free to share this post.  If enough people support it perhaps we’ll see some progress in the next congressional session!

01 Nov 2012

FFIEC Updates Technology Service Provider Guidance

Just posted, the new Booklet rescinds and replaces the previous one issued in March 2003, and is the first Booklet replacement since Retail Payment Systems in 2010.  In general this is not so much a complete re-write as a reinforcement of the importance the agency places on strong vendor management, which is a concept that we’ve seen from other recent FFIEC releases and updates.

So with all the similarity between this new publication and the one almost 10 years ago, I think it’s instructive to focus on the differences between the two to see how the FFIEC’s thinking has evolved.  It also allows the institutions affected to know exactly what they need to change or adjust to remain in compliance.

First of all, both Booklets state the following:

“A financial institution’s use of a TSP (technology service provider) to provide needed products and services does not diminish the responsibility of the institution’s board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations…”

and perhaps for extra emphasis the new Booklet adds the following verbiage:

“…just as if the institution were to perform the activities in-house.”

Nothing new here, all institutions are acutely aware that they bear full responsibility for the confidentiality, integrity and availability of their customer’s data regardless of where it may reside.  This re-statement is perhaps insignificant by itself, but interesting when taken in combination with the next sentence:

Old guidance – “Financial institutions should have a comprehensive outsourcing risk management process to govern their TSP relationships.”

New guidance – “Agencies expect financial institutions to have a comprehensive, enterprise risk management process in place that addresses vendor management for their relationships with TSPs.”

What is significant here is the addition of the word “enterprise” to the risk management process, indicating that you must acknowledge that vendors carry multidimensional risks.  These risks include not just operational risk (risk of failure), but strategic risk, regulatory risk and reputation risks as well.

However to me the most significant change in the guidance is in the sentence beginning with “…(the risk management) process should include…”, because this is what the regulators will expect from you.  Compare these:

Old guidance – “Such processes should include risk assessment, selection of service providers, contract review, and monitoring of service providers.”

New guidance – “The risk management process should include risk assessments and robust due diligence for the selection of TSPs, contract development, and ongoing monitoring of all TSPs’ performance.”

It’s clear that regulators will expect much more from your vendor risk management process going forward.  Not simply selecting a service provider, but robust due diligence in the selection process.  Not just contract review, but contract development.  And not just basic monitoring, but ongoing monitoring of all TSPs’ performance.

The new guidance goes on to state that federal regulators expect technology service providers to be familiar with, and adhere to, not just this Booklet, but all 11 Booklets in the IT Examination Handbook series.  One more reinforcement that there are not 2 standards of measurement…one for financial institutions and one for vendors…but only one.  And that one same standard will be enforced by the same federal regulators that currently examine you.

The guidance goes on to describe how they will classify service providers (by size and criticality of the services they provide), and how that classification will determine who will examine them, and how often they can expect to be examined.   As far as who can expect to be examined, any service provider in the following categories:

  • Core application processors
  • Electronic funds transfer switches
  • Internet banking providers
  • Item processors
  • Managed security servicers
  • Data storage servicers
  • Business continuity providers

So pretty much anyone that provides an application, system, or process that is vital to the successful continuance of a critical business activity, or anyone that interfaces with a critical business system, can expect to be examined.

Aside from being more comprehensive, the actual examination process hasn’t changed much.  Examiners will still scrutinize the AMDS (Audit, Management, Development and Acquisition, and Support and Delivery) components, and will still assign a 1 through 5 numerical score to each component with 1 representing the highest or best, and 5, the lowest rating or worst.  Examiners will then use the component scores to determine the overall composite rating.  Again, nothing new there.

So in summary, not a drastic change as much as a reiteration with amplification and clarification.  Simply put, more of the same…more regulatory expectations for your vendor management program, which means more scrutiny by the examiners (for you and for your vendors), all of which means more effort on everyone’s part!

18 Oct 2012

“2 is the new 1”…or is it? (with poll)

UPDATED – October, 2012 – Two institutions in the past ten days have told me that they have been assigned a CAMELS score of “1” in their latest examination.  One institution regained their 1 after slipping to a 2 in their last exam cycle, and the other went up to a 1 for the first time.  The FDIC is the primary federal regulator for both institutions.  What is your experience?  (Original post follows)


During a panel discussion recently at our annual user conference, we heard this from a banker who was quoting an examiner during their last examination.  They had slipped from a CAMELS 1 rating to a 2, and in discussing the reasoning with the Examiner in Charge they said that they should be satisfied with a 2, because “2 is the new 1”.

Just 3 years ago Tony Plath, a finance professor at the University of North Carolina Charlotte, said that (at least for large banks) a CAMELS score of anything less than “1” was cause for concern.  These days it almost seems that examiners are digging for anything they can find to justify NOT assigning the highest rating.  Indeed I had a recent conversation with an FDIC examiner who said (off the record) “if we find anything at all to document during our examination, that is enough to disqualify them for a “1” rating”.

Unlike the comparatively significant difference between a “2” and a “3”, the differences between a “1”, defined as “Sound in every respect” and a “2”, defined as “Fundamentally sound” are extremely subtle, and there is no clear line of demarcation between them.  Often it comes down to examiner opinion.

So pick your battles and push back where you can, but understand that although you should be familiar with the criteria for a “1” rating, and strive to achieve it, you should be quite satisfied with a “2”…at least for now.


09 Oct 2012

FDIC Institutions still getting UIGEA (Reg GG) findings – UPDATE

Update 1 – 12/5/2011 to add examination procedures*.

Update 2 – 2/13/2012 to emphasize policy requirements.

Update 3 – 10/8/2012 to add specific courses of action if the FI has “actual knowledge” of restricted transactions.

We first saw this trend back in July 2011, and continue to see it, so I’m calling this a definite trend as opposed to an anomaly.  Here is the background:  The Unlawful Internet Gambling Enforcement Act of 2006 (“UIGEA”) prohibits any person, including a business, engaged in the business of betting or wagering from knowingly accepting payments in connection with the participation of another person in unlawful Internet gambling.  As a result, the Agencies (FDIC, OCC, NCUA, Federal Reserve) issued Reg GG, requiring financial institutions to establish policies and procedures “reasonably designed to identify and block, or otherwise prevent or prohibit, restricted (gambling) transactions” with compliance required as of June 1, 2010.

Most institutions have measures built in to their account opening procedures by their core vendor to comply with this Reg, but the recent examination findings seem to address the lack of a specific UIGEA policy.   This would indicate that procedures alone may not be enough to demonstrate compliance anymore (i.e., “we’re doing it even though we don’t say we are” isn’t enough).  So what are you supposed to do?  Make sure you have a specific written UIGEA policy, and that it is designed to address the following:

  • Don’t assume that just because you have no (or only a few) commercial customers you aren’t required to have a policy.  The implementation burden is lessened, but a policy is still required.
  • Designate a person responsible for UIGEA compliance (this was a specific finding in one of the recent examinations).
  • Focus on establishing a due diligence process when initiating a commercial customer relationship.
  • Communicate to your commercial customers contractually up front (and periodically throughout the relationship) that restricted transactions are prohibited.  Your policy should state that the commercial customer agrees to not originate or receive restricted transactions throughout the customer relationship.  If the risk warrants, a certification from the customer is recommended.
  • Your due diligence obligations do not end once the account is opened.
  • Specify a specific course of action to be followed in case you have “actual knowledge” that a customer has violated the policy.  For example:
    • Perform an account review
    • Suspend activity on the account
    • Contact the customer
    • Contact legal counsel (if appropriate)
    • Close the account
    • File a SAR, if warranted
    • Contact regulatory authorities
    • Contact law enforcement
    • If cooperating with law enforcement, and so advised by same, continue processing

There are additional regulatory expectations if you actually have customers that are legally allowed to engage in an Internet gambling business, i.e. through U.S. State or Tribal authority.  In fact when I started getting reports of UIGEA policy deficiencies, my first thought was that all the institutions may have had that common denominator…they had customers legally engaging in Internet gambling.  That was not the case, however.  It would appear that this is just the latest regulatory “hot button”.

* Download Full Act, examination procedures in Attachment C

02 Oct 2012

BYOD Redux – The Policy Solution (Part 2)

In the previous post, I suggested that because mobile devices (smart phones and PDAs) were not that functionally different in how they process, transmit, and store information from other mobile computing devices like laptops, a separate policy wasn’t necessary.  Since the data security, confidentiality and integrity concerns were the same as for other devices, you should be able to simply extend your existing policy to include them.  But in fact the risks are greater, and often more difficult to control, resulting in substantially higher residual risk (risk remaining after the application of controls) than for other computing devices.  Because of this, employee-owned mobile devices really represent an exception to your policies as opposed to an extension of them.  And because all policy exceptions must be approved by your Board, perhaps separate policies and procedures are appropriate.

The FFIEC is fairly silent on this topic, but fortunately NIST is in the process of formulating several pieces of guidance on managing the risks of BYOD, and it is always useful to see where they are on this issue, as very often we’ve seen NIST guidelines make their way into other federal regulations.

NIST Special Publication 800-124, entitled “Guidelines for Managing and Securing Mobile Devices in the Enterprise”, is currently in draft status, and is an update to a 2008 document, “Guidelines on Cell Phone and PDA Security”.  The updated guidance recognizes the evolution of the technology over the past few years, as well as the unique security challenges inherent in both organization-owned and employee-owned mobile computing devices.  It advises organizations to implement the following guidelines to improve the security of their mobile devices:

  1. Develop system threat models for mobile devices and the resources that are accessed through the mobile devices.  Recognize that these devices are not the same as your other computing devices.  The threats are not the same and the available controls are not the same, therefore both the probability and the impact of an attack on these devices are likely greater.  Make sure your threat model captures how the device will connect to your network, and what data it will transmit and store.  Data-flow diagrams can be very helpful in this modeling process.
  2. Once the threat is understood, deploy only devices whose capabilities (and therefore exposure) are the minimum the employee’s job requires.  This will be one of the biggest challenges for institutions, as many employees will want the latest devices with all the bells and whistles.  Prior to deploying, make sure you have centralized mobile device management that offers the following minimum capabilities:

• Ability to enforce enterprise security policies, such as user rights and permissions, as well as the ability to report policy violations.
• Data communication and storage should be encrypted, with the ability to remotely wipe the device.
• User authentication should be required before the device can access enterprise resources, with incorrect-password lockout periods consistent with your other computing devices.
• Restrict which applications may be installed, and have procedures in place for updating the applications and the operating system.

  3. Have a separate mobile device policy.  The policy should define which types of mobile devices are permitted to access the institution’s resources, the degree of access that mobile devices may have, and how they will be managed.  It should differentiate between institution-owned and employee-owned devices, and be as consistent as possible with your policy for non-mobile devices.
  4. Test the policy initially, and periodically thereafter, to verify management capabilities.  Perform either passive (log review) or active (penetration testing) assessments to confirm that the mobile device policies, procedures and practices are being followed properly.
  5. Secure each device prior to deployment.  This is slightly easier for institution-owned devices, much harder (but arguably more important) for already deployed, employee-owned devices.
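As an added illustration of the passive (log review) assessment in step 4, checked against the minimum MDM capabilities listed under step 2, here is a small Python script that reviews an MDM inventory export against a written minimum policy and reports which control each device fails.  This is example code written for this post, not code from NIST SP 800-124 or from any MDM product: the record layout (the fields each device record carries), the policy thresholds in POLICY, and the three device records in INVENTORY are all assumptions constructed for the demonstration.

```python
"""Passive mobile-device policy assessment: review an MDM inventory export against
a minimum policy and list the control(s) each device fails.  Added example; the
record layout, policy thresholds and device records are assumptions, not a real
MDM export format or real devices."""
from dataclasses import dataclass
from datetime import date

# Assessment date for the patch-age check (assumed).
AS_OF = date(2012, 10, 2)

# Assumed minimum policy; the values stand in for an institution's own standard.
POLICY = {
    "require_encryption": True,
    "require_remote_wipe": True,
    "max_failed_unlock_attempts": 10,   # lockout threshold, aligned with the workstation policy
    "min_passcode_length": 6,
    "max_os_patch_age_days": 90,
    "allowed_apps": {"com.bank.mobile", "com.vendor.mail", "com.vendor.authenticator"},
    "allowed_ownership": {"institution", "employee"},
}

# Constructed inventory export: three hypothetical devices, not real data.
INVENTORY = [
    {"device_id": "D-001", "owner": "institution", "mdm_enrolled": True,
     "encrypted": True, "remote_wipe": True, "failed_unlock_limit": 10,
     "passcode_length": 6, "os_patch_date": "2012-09-15",
     "apps": ["com.bank.mobile", "com.vendor.mail"]},
    {"device_id": "D-002", "owner": "employee", "mdm_enrolled": True,
     "encrypted": False, "remote_wipe": True, "failed_unlock_limit": 0,
     "passcode_length": 4, "os_patch_date": "2012-03-01",
     "apps": ["com.bank.mobile", "com.social.chat"]},
    {"device_id": "D-003", "owner": "employee", "mdm_enrolled": False,
     "encrypted": True, "remote_wipe": False, "failed_unlock_limit": 10,
     "passcode_length": 6, "os_patch_date": "2012-09-01",
     "apps": ["com.bank.mobile"]},
]


@dataclass(frozen=True)
class Finding:
    device_id: str
    control: str   # short control name, e.g. "encryption"
    detail: str    # what was observed


def evaluate_device(rec, policy, as_of):
    """Return the policy findings for one inventory record (empty list = compliant)."""
    dev = rec["device_id"]
    findings = []
    if rec["owner"] not in policy["allowed_ownership"]:
        findings.append(Finding(dev, "ownership", f"unexpected owner class {rec['owner']!r}"))
    # Without MDM enrolment none of the other attributes can be enforced or
    # trusted, so report that alone rather than a misleading list of details.
    if not rec["mdm_enrolled"]:
        findings.append(Finding(dev, "management",
                                "not enrolled in MDM; policy cannot be enforced or reported"))
        return findings
    if policy["require_encryption"] and not rec["encrypted"]:
        findings.append(Finding(dev, "encryption", "storage encryption disabled"))
    if policy["require_remote_wipe"] and not rec["remote_wipe"]:
        findings.append(Finding(dev, "remote_wipe", "remote wipe not available"))
    limit = rec["failed_unlock_limit"]
    if limit <= 0 or limit > policy["max_failed_unlock_attempts"]:
        findings.append(Finding(dev, "lockout", f"failed-unlock limit is {limit} (0 means no lockout)"))
    if rec["passcode_length"] < policy["min_passcode_length"]:
        findings.append(Finding(dev, "passcode",
                                f"passcode length {rec['passcode_length']} below minimum"))
    age = (as_of - date.fromisoformat(rec["os_patch_date"])).days
    if age > policy["max_os_patch_age_days"]:
        findings.append(Finding(dev, "patching", f"OS last patched {age} days ago"))
    unapproved = sorted(set(rec["apps"]) - policy["allowed_apps"])
    if unapproved:
        findings.append(Finding(dev, "applications", "unapproved apps: " + ", ".join(unapproved)))
    return findings


def evaluate_inventory(records, policy, as_of):
    """Map each device id to the list of control names it fails (empty = compliant)."""
    return {r["device_id"]: [f.control for f in evaluate_device(r, policy, as_of)]
            for r in records}


def noncompliant_devices(results):
    """Device ids with at least one finding, sorted for the assessment report."""
    return sorted(dev for dev, controls in results.items() if controls)


if __name__ == "__main__":
    results = evaluate_inventory(INVENTORY, POLICY, AS_OF)
    for dev, controls in results.items():
        print(dev, "compliant" if not controls else "FAIL: " + ", ".join(controls))
```

Run against the constructed records, D-001 passes, D-002 fails encryption, lockout, passcode, patching and applications, and D-003 is reported only as unmanaged, because an unenrolled device cannot be trusted to report its other settings truthfully.  Each failed control maps back to one of the minimum MDM capabilities above, which is what an examiner will want to see when you evidence that the policy is actually being followed.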

I’m sure you can already hear the howls of protest for this last one, but the guidance actually states that for employee-owned (BYOD) devices organizations should recover them, restore them to a known good state, and fully secure them before returning them to their users.

So when it comes to BYOD you basically have two choices; you can properly manage the devices and the risks consistent with your other computing devices, or you can recognize that they represent a deviation from your risk management policies and get Board approval for the exception.  And if you choose to classify them as policy exceptions, you should be prepared to explain the potential impact of the higher risk to the organization, and exactly how the higher risk is justified.