27 Oct 2010

ID Theft and SAR filings

In the past, authoritative reports on identity theft have relied on surveys of the general public to collect ID theft-related data. However, in a recent FinCEN report, the data came directly from SARs filed by the financial institutions themselves, resulting in a much more accurate assessment of the scope of the identity theft problem.

About the SAR: The most recent version of the Suspicious Activity Report (SAR) is dated July 2003, and it has required financial institutions to report identity theft as a separate category since 2004. (The category is found in Part III, 35 (u), with the narrative in Part V.) Since the category became available, the number of SAR filings reporting identity theft has grown from 15,445 in 2004 to 36,210 in 2009.

About ID Theft: The ID Theft/Red Flags Act is actually titled “Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003”. It was approved by the FFIEC and all regulatory bodies in October 2007, with compliance mandatory by November 2008. Since then, enforcement has been delayed several times, most recently until December 2010. This delays only regulatory enforcement; it does not extend the requirement for financial institutions to comply with the act. All institutions should have, at the very least, an ID Theft policy, as well as established procedures.

About the report findings: There were a number of interesting findings in this report, but the most interesting to me was that the two most commonly identified Red Flags (as listed in Supplement A to Appendix A of the act) were #25 and #26:

  • 25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
  • 26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

These two Red Flags accounted for 75% and 23% respectively of all filings. This is interesting because it appears that the vast majority of ID theft notifications are coming from the customers themselves. When combined with the finding that 43% of ID theft-related activity is discovered within 4 weeks, perhaps the most effective loss-prevention control for institutions to consider is one that delivers account information to the customer more quickly.

23 Oct 2010

Dodd-Frank and agency consolidation

Although the specific requirements and burdens of the almost 250 regulations and more than 2000 pages in the Dodd-Frank Act are yet to be clearly defined, one of the major provisions of immediate interest to financial institutions is the elimination of the Office of Thrift Supervision (OTS). The OTS operations will be merged into the Office of the Comptroller of the Currency (OCC), which will have an immediate impact on thrift-chartered banks as they adapt to the safety and soundness compliance requirements of the OCC. Specifically, the OTS regulatory responsibilities will be spread among other regulators: the Federal Reserve will regulate savings and loan holding companies, the OCC will regulate federal savings associations, and the FDIC will regulate State savings associations.

I believe that this consolidation, in combination with the memorandum signed between the FDIC and the other primary federal regulators, will lead to increased safety and soundness scrutiny across the board. All financial institutions, particularly those regulated by the OTS, are strongly encouraged to monitor regulatory activity closely over the next several months and take a proactive approach to pre-empt surprises during regulatory safety and soundness examinations.

18 Oct 2010

Reg. E reform and RDC

I recently ran across an excellent post on this topic regarding the fact that even though Reg. E does not currently treat corporate and municipal accounts the same as consumer accounts, they do, in fact, pose the same risk to the financial institution. As the original post on Krebs’ site points out, why should the proposed changes to Reg. E stop at municipalities? Corporate accounts are being targeted as well, and recent corporation vs. FI court cases are being decided (or quietly settled) in favor of the corporation. FIs would be wise to regard remote capture devices and ACH/wire origination devices as de facto extensions of their own network. Once the true risk of these remote devices is understood, how many FIs would find the residual risk acceptable?

The only alternative is to implement additional controls (beyond a strong contract) designed to educate the customer on security basics and to monitor the security status of their devices.

11 Oct 2010

FDIC and State examiners teaming up

I wrote a similar post earlier, but it now seems that perhaps the reason the State of Georgia has adopted the FDIC IT Examination Questionnaire is that the FDIC has been showing up on-site with the State examiners. I’ve gotten reports that this is happening with increasing frequency, and not just in Georgia.

My advice is to familiarize yourself with the FDIC Questionnaire, even if you are preparing for a State examination. Be able to answer each question and, most importantly, to justify your answer with the appropriate documentation.

08 Oct 2010

The FFIEC Handbooks and the SAS 70

I’ve written about the 6/15/2011 phase-out of the SAS 70 report in favor of the SSAE 16 series (SOC 1, SOC 2, SOC 3) here and here. The AICPA isn’t expected to update its audit guide until sometime early next year, but financial institutions are anxious for the FFIEC to comment, as the SAS 70 is mentioned no fewer than 31 times, across 8 of the 12 IT Examination Handbooks. It’s mentioned 10 times in the Information Security Handbook alone!

I predict that the FFIEC will remove all references to the SAS 70, or to any specific report for that matter, and replace them with generic references to “audit reviews” or “audit reports”. It will then fall to the financial institution to determine the most appropriate report for each service provider, based on its risk assessment. However, the service provider will deliver whatever report it decided to prepare, which may or may not match the report requested.