Category: Hot Topics

24 Jan 2013

FFIEC Issues Proposed Social Media Guidance

(UPDATED – Added link to public comments)

Just out, this document is really a request for comments on the proposed guidance, but final guidance is likely to follow this very closely…and very quickly.  As many financial institutions are probably getting their social media policies together now (or updating existing policies), this is a must read.  Here is an executive summary:

  • First of all, the guidance does not impose additional obligations on financial institutions.  The responsibility to properly manage the potential risks associated with social media usage and access is no different than that which is required for any new product, service or process.
  • The FFIEC defines social media as “…a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video”.  Also, “Social media can be distinguished from other online media in that the communication tends to be more interactive.”
  • Institutions are expected to have a risk management program in place that allows them to identify, measure, monitor, and control the risks related to social media…again, an expectation that exists for every other risk an institution faces.
  • It should be designed with participation and involvement from specialists in compliance, technology, information security, legal, human resources, and marketing.
  • Components of the program should include:
    • Board and senior management approval and involvement, including strategic justification of a social media strategy.
    • Policies and procedures (either stand-alone, or incorporated into other existing policies) addressing the proper use and management of social media.
    • Proper vendor management of social media providers.
    • Employee training, including both proper and improper activities.
    • A process to monitor all social media activity, whether initiated by the institution, or a contracted third-party.
    • Audit oversight.
    • Periodic reporting to the Board and senior management as to whether or not social media activities are meeting strategic goals.
  • Policies and procedures must address the following risks:
    • Consumer Compliance & Legal/Regulatory Risks, including:
      • Truth in Savings Act/Regulation DD and Part 707
      • Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act
      • Truth in Lending Act/Regulation Z
      • Real Estate Settlement Procedures Act
      • Fair Debt Collection Practices Act
      • Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)
      • Deposit Insurance (FDIC) or Share Insurance (NCUA)
      • Electronic Fund Transfer Act/Regulation E
      • Bank Secrecy Act/Anti-Money Laundering Programs (BSA/AML)
      • Community Reinvestment Act (CRA)
      • GLBA Privacy Rules and Data Security Guidelines
      • CAN-SPAM Act and Telephone Consumer Protection Act
      • Children’s Online Privacy Protection Act
      • Fair Credit Reporting Act
    • Reputation Risk, including:
      • Fraud and Brand Identity
      • Third Party Concerns where social media activities are outsourced
      • Privacy Concerns arising from the public posting of confidential information
      • Consumer Complaints and Inquiries
      • Employee Use of Social Media Sites, including through employees’ own personal social media accounts
    • Operational Risk, paying particular attention to the requirements in the FFIEC booklets “Outsourcing Technology Services” and “Information Security”

As you can see, whether you have separate social media policies, or incorporate the elements into other policies, the requirements have expanded considerably.  Use this summary as a checklist as you draft your new, or update your existing, policies.

I have written before about the unique challenges presented by social media, and how it doesn’t easily lend itself to traditional risk management techniques.  This new guidance recognizes that, and makes it crystal clear that although it is difficult, you must still follow the same basic risk management procedures you use for everything else…Identify, Measure, Control and Monitor.

One final thought…you are expected to tailor your efforts to the breadth of your involvement in this area.  The standard “size and complexity” considerations apply here.  But even if you decide not to engage in a formal social media effort, you must still have a policy because you cannot completely avoid the risks of employees posting on their personal accounts, and third parties posting negative comments.  Unlike other endeavors, risk avoidance is not an effective control!

Comments are now closed.  If you would like to view comments, here is the link:  http://www.regulations.gov/#!docketDetail;D=FFIEC-2013-0001

03 Jan 2013

FDIC Files Record Number of Lawsuits in 2012 – 2015 UPDATE

UPDATE 2: We in fact did see a significant decrease in O&D lawsuits in the past few years:

(Chart: O&D lawsuits, 2015)

UPDATE: Apparently one of the most common requests of the FDIC from bankers is for more technical assistance and training.  The FDIC has responded, and I do not believe it is coincidental that the first set of new videos released is a new series titled “New Director Education Series” aimed at bank Directors.

The numbers are in for 2012, and for the fourth year in a row the FDIC has filed a record number of officer and director lawsuits. According to the Statement Concerning the Responsibilities of Bank Directors and Officers adopted in 1992, the FDIC may sue professionals whom it believes played a role in the failure of the institution. These individuals can include officers and directors, attorneys, accountants, appraisers, brokers, or others.

(Chart: 2012 FDIC lawsuits)

The FDIC regulations defining officer and director obligations are explained here, and the key concept to understand is something called the “duties of loyalty and care.”

“The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.”

So how can your officers and directors (and others) demonstrate the “duties of loyalty and care” and avoid liability claims?  The FDIC spells it out, and it isn’t really that difficult:

“The FDIC will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation.”

Let’s break that last sentence down a bit.  Officers and directors must demonstrate that they made…

  1. …reasonable business judgments…
  2. …on a fully informed basis, and…
  3. …after proper deliberation.

So working backwards, the key to proper deliberation is that you be fully informed, and that requires accurate, timely and relevant information.   Not just data, but actionable information.

The key then, is that financial institutions must take steps to ensure that officers and directors have the information necessary to carry out their responsibilities, and that the deliberation process is appropriately documented.  I’ve written before (Using Technology to Drive Compliance) about how technology (specifically automation) can enable and/or enhance your compliance efforts.  Technology can help extract useful information from mountains of data, and then present that information in a consistent, easy to understand format.

Management committees like the IT committee and the audit committee can provide both a forum for the exchange of information, and documentation that the exchange took place.  Make sure all functional units are represented in the committee, and designate someone as the Board representative if possible.  Make sure the committee reports to the Board periodically (preferably quarterly, but at least annually), and don’t underestimate the value of having outside expertise on those committees.  Not only can it add a different perspective, it can also help document that you are truly making an effort to be “fully informed” and that you are “properly deliberating”.

Given the right information, in the right format, and the right setting, perhaps we’ll see this trend slow or even reverse itself in 2013!

11 Dec 2012

Technology Service Providers and the new SOC reports

What do all of the 2012 changes to the IT Examination Handbooks have in common?  They are all, directly or indirectly, related to vendor management.  I had previously identified vendor management as a leading candidate for increased regulatory scrutiny in 2012, and boy was it.  (Not all of my 2012 predictions fared as well, I’ll take a closer look at the rest of them in a future post.)

So there is definitely more regulatory focus on vendors, and it’s a pretty safe bet that this will continue into 2013.  It usually takes about 6-12 months before new guidance is fully digested into the examination process, so expect additional scrutiny of your vendor management process during your 2013 examination cycle.  Since guidance is notoriously non-prescriptive we don’t know exactly what to expect, but we can be certain that third-party reviews will be more important than ever.  Third-party audit reports, such as the SAS 70 in previous years, and now the new SOC reports (particularly the SOC 1 & SOC 2), provide the best assurance that your vendors are in fact treating your data with the same degree of care that regulators expect from you.  As the FFIEC stated in their recent release on Cloud Computing:

“A financial institution’s use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations.”

Undoubtedly third-party audit reports will still be the best way for you to ensure that your vendors are compliant, but there seems to be considerable confusion about exactly which of the 3 new SOC reports are the “right” ones for you.  In fact, in a recent webinar we hosted with a leading accounting firm, one of the firm’s partners stated that “there are a few instances where you might receive a SOC 1 report where a SOC 2 might be more appropriate”.  And this is exactly what we are seeing, technology service providers are having a SOC 1 report prepared when what the financial institution really wants and needs is a SOC 2.

Why is it important for you to understand this?  Because the SOC 1 (also known as the SSAE 16) reporting standard specifically states that it be used only for assessing controls over financial reporting.  It is their auditor telling your auditor that the information they are feeding into your financial statements is reliable.  On the other hand the SOC 2 reporting standard is a statement from their auditor directly to you, and addresses the following criteria:

  1. Security – The service provider’s system is protected against unauthorized access.
  2. Availability – The service provider’s system is available for operation as contractually committed or agreed.
  3. Processing Integrity – The provider’s system processing is accurate, complete, and trustworthy.
  4. Confidentiality – Information designated as confidential is protected as contractually committed or agreed.
  5. Privacy – Personal information (if collected by the provider) is used, retained, disclosed, and destroyed in accordance with the provider’s privacy policy.

If these sound familiar, they should.  The FFIEC Information Security Booklet lists the following security objectives that all financial institutions should strive to accomplish:

  1. Privacy &
  2. Security (elements of GLBA)
  3. Availability
  4. Integrity of data or systems
  5. Confidentiality of data or systems
  6. Accountability
  7. Assurance

As you can see, there is considerable overlap between what the FFIEC expects of you, and what the SOC 2 report tells you about your service provider.  So why are we seeing so many service providers prepare SOC 1 reports when the SOC 2 is called for?  I think there are two reasons; first, because the SOC 1 is functionally equivalent to the SAS 70, it is the easier transition for a provider coming from the SAS 70.  I can tell you from our transition experience that the SOC 2 reporting standard is not just different, it is substantially broader and deeper than the SAS 70.  So some vendors may simply be taking the path of least resistance.

But the primary reason is that if the vendor provides a service to you that directly impacts your financial statements (like the calculation of interest) they must produce a SOC 1.  But, if they additionally provide services unrelated to your financial statements, should they also produce a SOC 2?  In almost every case, the answer is “yes”, because for all of the above reasons, the SOC 1 simply will not address all of your concerns.

The next couple of years will be transitional ones for most technology service providers as they adjust to the new auditing standards, and for you as you begin to digest the new reports.  But will the examiners be willing to give you a transition period?  In other words, should you wait for your examiner to find fault with your vendor management program to start updating it?  I’m not sure that taking a wait-and-see attitude is prudent in this case.  The regulatory expectations are out there now, the reporting standards are out there, and the risk is real…you need to be pro-active in your response.

(NOTE:  This will be covered more completely in a future post, but the CFPB has also recently issued guidance on vendor management…and they are staffing up with new examiners.  Are there three scarier words to a financial institution than “entry-level examiners”?!)

01 Nov 2012

FFIEC Updates Technology Service Provider Guidance

Just posted, the new Booklet rescinds and replaces the previous one issued in March 2003, and is the first Booklet replacement since Retail Payment Systems in 2010.  In general this is not so much a complete re-write as a reinforcement of the importance the agency places on strong vendor management, which is a concept that we’ve seen from other recent FFIEC releases and updates.

So with all the similarity between this new publication and the one almost 10 years ago, I think it’s instructive to focus on the differences between the two to see how the FFIEC’s thinking has evolved.  It also allows the institutions affected to know exactly what they need to change or adjust to remain in compliance.

First of all, both Booklets state the following:

“A financial institution’s use of a TSP (technology service provider) to provide needed products and services does not diminish the responsibility of the institution’s board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations…”

and perhaps for extra emphasis the new Booklet adds the following verbiage:

“…just as if the institution were to perform the activities in-house.”

Nothing new here, all institutions are acutely aware that they bear full responsibility for the confidentiality, integrity and availability of their customers’ data regardless of where it may reside.  This re-statement is perhaps insignificant by itself, but interesting when taken in combination with the next sentence:

Old guidance – “Financial institutions should have a comprehensive outsourcing risk management process to govern their TSP relationships.”

New guidance – “Agencies expect financial institutions to have a comprehensive, enterprise risk management process in place that addresses vendor management for their relationships with TSPs.”

What is significant here is the addition of the word “enterprise” to the risk management process, indicating that you must acknowledge that vendors carry multidimensional risks.  These risks include not just operational risk (risk of failure), but strategic risk, regulatory risk and reputation risks as well.

However to me the most significant change in the guidance is in the sentence beginning with “…(the risk management) process should include…”, because this is what the regulators will expect from you.  Compare these:

Old guidance “Such processes should include risk assessment, selection of service providers, contract review, and monitoring of service providers.”

New guidance – “The risk management process should include risk assessments and robust due diligence for the selection of TSPs, contract development, and ongoing monitoring of all TSPs’ performance.”

It’s clear that regulators will expect much more from your vendor risk management process going forward.  Not simply selecting a service provider, but robust due diligence in the selection process.  Not just contract review, but contract development.  And not just basic monitoring, but ongoing monitoring of all TSPs’ performance.

The new guidance goes on to state that federal regulators expect technology service providers to be familiar with, and adhere to, not just this Booklet, but all 11 Booklets in the IT Examination Handbook series.  One more reinforcement that there are not 2 standards of measurement…one for financial institutions and one for vendors…but only one.  And that one same standard will be enforced by the same federal regulators that currently examine you.

The guidance goes on to describe how they will classify service providers (by size and criticality of the services they provide), and how that classification will determine who will examine them, and how often they can expect to be examined.   As far as who can expect to be examined, any service provider that falls into any of the following categories:

  • Core application processors
  • Electronic funds transfer switches
  • Internet banking providers
  • Item processors
  • Managed security servicers
  • Data storage servicers
  • Business continuity providers

So pretty much anyone that provides an application, system, or process that is vital to the successful continuance of a critical business activity, or anyone that interfaces with a critical business system, can expect to be examined.

Aside from being more comprehensive, the actual examination process hasn’t changed much.  Examiners will still scrutinize the AMDS (Audit, Management, Development and Acquisition, and Support and Delivery) components, and will still assign a 1 through 5 numerical score to each component with 1 representing the highest or best, and 5, the lowest rating or worst.  Examiners will then use the component scores to determine the overall composite rating.  Again, nothing new there.

So in summary, not a drastic change as much as a reiteration with amplification and clarification.  Simply put, more of the same…more regulatory expectations for your vendor management program, which means more scrutiny by the examiners (for you and for your vendors), all of which means more effort on everyone’s part!

02 Oct 2012

BYOD Redux – The Policy Solution (Part 2)

In the previous post, I suggested that because mobile devices (smart phones and PDAs) were not that functionally different in how they process, transmit, and store information from other mobile computing devices like laptops, a separate policy wasn’t necessary.  Since data security, confidentiality and integrity concerns were the same as for other devices, you should be able to simply extend your existing policy to include them.  But in fact the risks are greater, and often more difficult to control, resulting in substantially higher residual risk (risk remaining after the application of controls) than other computing devices.  Because of this, employee-owned mobile devices really represent an exception to your policies as opposed to an extension of them.  And because all policy exceptions must be approved by your Board, perhaps separate policies and procedures are appropriate.

The FFIEC is fairly silent on this topic, but fortunately NIST is in the process of formulating several pieces of guidance on risk managing BYOD, and it is always useful to see where they are on this issue, as very often we’ve seen NIST guidelines make their way into other federal regulations.

NIST Special Publication 800-124 entitled “Guidelines for Managing and Securing Mobile Devices in the Enterprise” is currently in draft status, and is an update to a 2008 document “Guidelines on Cell Phone and PDA Security”.  The updated guidance recognizes the evolution of the technology over the past few years, as well as the unique security challenges inherent in both corporation- and employee-owned mobile computing devices.  They advise institutions to implement the following guidelines to improve the security of their mobile devices:

  1. Develop system threat models for mobile devices and the resources that are accessed through the mobile devices.  Recognize that these devices are not the same as your other computing devices.  The threats are not the same and the available controls are not the same, therefore both the probability and the impact of an attack on these devices are likely greater.  Make sure your threat model understands how the device will connect to your network, and what data it will transmit and store.  Data-flow diagrams can be very helpful in this modeling process.
  2. Once the threat is understood, deploy only those devices that offer the minimum functionality (and therefore the minimum exposure) required given the job requirements of the employee.  This will be one of the biggest challenges for institutions, as many employees will want the latest devices with all the bells and whistles.  Prior to deploying, make sure you have centralized mobile device management that offers the following minimum capabilities:
    • Ability to enforce enterprise security policies, such as user rights and permissions, as well as the ability to report policy violations.
    • Data communication and storage should be encrypted, with the ability to remotely wipe the device.
    • User authentication should be required before the device can access enterprise resources, with incorrect password lockout periods consistent with your other computing devices.
    • Restrict which applications may be installed, and have procedures in place for updating the applications and the operating system.
  3. Have a separate mobile device policy.  The policy should define which types of mobile devices are permitted to access the institution’s resources, the degree of access that mobile devices may have, and how they will be managed.  It should differentiate between institution-owned and employee-owned devices, and be as consistent as possible with your policy for non-mobile devices.
  4. Test the policy initially, and periodically thereafter, to verify management capabilities.  Perform either passive (log review) or active (penetration testing) assessments to confirm that the mobile device policies, procedures and practices are being followed properly.
  5. Secure each device prior to deployment.  This is slightly easier for institution-owned devices, much harder (but arguably more important) for already deployed, employee-owned devices.

I’m sure you can already hear the howls of protest for this last one, but the guidance actually states that for employee-owned (BYOD) devices organizations should recover them, restore them to a known good state, and fully secure them before returning them to their users.

So when it comes to BYOD you basically have two choices; you can properly manage the devices and the risks consistent with your other computing devices, or you can recognize that they represent a deviation from your risk management policies and get Board approval for the exception.  And if you choose to classify them as policy exceptions, you should be prepared to explain the potential impact of the higher risk to the organization, and exactly how the higher risk is justified.

20 Sep 2012

New cyber attack targeting small to medium-sized financial institutions

The FBI, in association with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3), recently issued a fraud alert warning that criminals are using a multi-vector attack to compromise financial institution networks and initiate fraudulent wire transfers.  The first thing that struck me about this attack is that although all the recent focus has been on strengthening controls on the merchant side, this is targeted not at the merchant, but directly at the financial institution itself.

Simply put, the attack uses a combination of spam and phishing emails (#1 below), keystroke loggers, and remote access software (#2 below) to capture employee authentication credentials.  A successful attack results in the employee’s PC being under the control of the criminal, who will then use the employee’s authority to initiate wires, approve them, and even override built-in transaction limits. The following graphic describes how the attack occurs, with the exception that in #5 the victim is the financial institution, not the on-line banking customer:

(Click here for original document)

It is important to understand that this is not a “proof-of-concept” attack, this is actually occurring, and has resulted in attempted transfers ranging from $400,000 to $900,000.

One of the unique indicators of the attack is that either just prior to or just after the attack, the institution’s website is targeted by a denial of service attack which is designed to slow or deny access to the FI’s website, distracting institution employees and preventing or delaying them from detecting the fraudulent transactions.  The alert recommends that institutions monitor for spikes in website traffic that may indicate the beginning of the attack.
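The spike monitoring the alert recommends can be done against the web server’s own access log.  The following is an added example, not code from the FBI/FS-ISAC alert or from this post: it buckets Common Log Format lines by minute and flags any minute whose request count exceeds a multiple of the median of the preceding minutes.  The sample log is constructed, and the five-minute baseline window, 5x multiplier and minimum request count are illustrative settings you would tune to your own traffic.

```python
"""Request-rate spike detector for web server access logs.

Added example, not code from the FBI/FS-ISAC alert or the original post.
Assumes Common Log Format input; the sample log below is constructed,
and the baseline window and spike multiplier are illustrative settings.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_minute(line):
    """Return the minute bucket (tz-aware datetime) of a log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts.replace(second=0, microsecond=0)


def requests_per_minute(lines):
    """Count requests per minute bucket, skipping malformed lines."""
    counts = Counter()
    for line in lines:
        bucket = parse_minute(line)
        if bucket is not None:
            counts[bucket] += 1
    return counts


def find_spikes(counts, baseline_minutes=5, multiplier=5.0, min_requests=20):
    """Flag minutes whose request count exceeds `multiplier` times the median
    of the preceding `baseline_minutes` minutes (gaps count as zero-request
    minutes). `min_requests` stops a tiny site from alerting on 3 vs 0 requests.
    Returns a list of (minute, count, baseline_median)."""
    if not counts:
        return []
    start, end = min(counts), max(counts)
    series = []
    t = start
    while t <= end:
        series.append((t, counts.get(t, 0)))
        t += timedelta(minutes=1)
    spikes = []
    for i in range(baseline_minutes, len(series)):
        base = median([n for _, n in series[i - baseline_minutes:i]])
        t, n = series[i]
        if n >= min_requests and n > multiplier * base:
            spikes.append((t, n, base))
    return spikes


def build_sample_log():
    """Constructed sample: six quiet minutes of 10 requests each, then one
    minute with 300 requests from many addresses, as a flood might look."""
    def fmt(t, ip):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET / HTTP/1.1" 200 5120'

    base = datetime(2012, 9, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(6):
        for k in range(10):
            lines.append(fmt(base + timedelta(minutes=minute, seconds=6 * k), f"192.0.2.{k + 1}"))
    burst = base + timedelta(minutes=6)
    for k in range(300):
        lines.append(fmt(burst + timedelta(milliseconds=200 * k), f"203.0.113.{k % 250 + 1}"))
    return lines


if __name__ == "__main__":
    for minute, count, base in find_spikes(requests_per_minute(build_sample_log())):
        print(f"{minute:%Y-%m-%d %H:%M}Z: {count} requests vs baseline median {base:g}")
```

A median baseline is used rather than a mean so that one earlier burst does not inflate the baseline and mask the next one; in production you would feed this from a log tail or a reverse proxy’s metrics and also watch for the drop in successful logins that accompanies the flood, since the point of the DoS is to keep staff away from the screens where the wires are approved.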

The alert also lists 17 best practice recommendations for financial institutions designed to prevent and detect this (and similar) attacks.  It is not surprising that the first 5 recommendations address the weakest link; the employee.  I previously identified the employee as the biggest single risk to information security, and employee training as a trend for 2012.  Many of the other recommendations should be familiar to most FIs; restrict user access rights and login times, review Anti-malware and Anti-virus defenses, implement anomaly detection, and utilize IPS and “white-lists” to prevent connections to suspicious sites.  They also recommend that institutions strongly consider (their words, my emphasis) implementing out-of-band authentication for wire authorization.  This is where the final authentication approval is sent back to the originator via a communication channel other than the one used to initiate the transaction.  This was also one of the recommendations from the FFIEC in their authentication supplement released last year.

In my opinion there are 2 controls financial institutions can implement now that will do more than any other to significantly reduce the incidence of fraudulent transactions.  The first is out-of-band authentication, and the other is utilizing a secure DNS service, similar to this.
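To show what out-of-band wire authorization looks like in practice, here is an added example; it is not code from the FBI/FS-ISAC alert, the FFIEC supplement or this post.  The design point it demonstrates is that the second-channel message restates the beneficiary and amount, and the confirmation code is bound (via an HMAC) to exactly those details, so a criminal controlling the employee’s PC cannot reuse a code the employee typed for a legitimate wire to release a tampered one.  The second channel (SMS or a phone call) is simulated by returning the message text; the server secret, six-digit code and five-minute time-to-live are assumptions.

```python
"""Out-of-band (second-channel) confirmation for wire release.

Added example, not code from the FBI/FS-ISAC alert, the FFIEC supplement
or the original post. Assumptions: the confirmation code is an HMAC over
the wire details, the second channel (e.g. SMS or a phone call) is
simulated by returning the message text, and the server secret, code
length and time-to-live are illustrative.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Wire:
    originator: str
    beneficiary_account: str
    amount_cents: int


class OutOfBandApprover:
    """Issues a challenge over a second channel for each wire submitted
    in-band, and releases only the wire that was actually confirmed."""

    def __init__(self, server_secret, ttl_seconds=300, now=time.time):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._now = now            # injectable clock (deterministic tests)
        self._pending = {}         # challenge_id -> (wire, nonce, expires_at)

    def _code_for(self, wire, nonce, expires_at):
        # Bind the code to the exact wire details: a code confirmed for one
        # beneficiary/amount cannot be replayed for a tampered one.
        msg = f"{wire.originator}|{wire.beneficiary_account}|{wire.amount_cents}|{expires_at}".encode()
        digest = hmac.new(self._secret, nonce + msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def challenge(self, wire):
        """Record the wire as submitted and return (challenge_id, message), where
        message is what would go out over the second channel. It restates the
        beneficiary and amount so the approver can spot a browser-side change."""
        nonce = secrets.token_bytes(16)
        expires_at = int(self._now()) + self._ttl
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (wire, nonce, expires_at)
        code = self._code_for(wire, nonce, expires_at)
        message = (f"Confirm wire of ${wire.amount_cents / 100:,.2f} to account "
                   f"ending {wire.beneficiary_account[-4:]}. Code: {code}")
        return challenge_id, message

    def approve(self, challenge_id, code):
        """Return the confirmed Wire if `code` is valid for this challenge, else None.
        The challenge is consumed on any attempt (single use); a wrong or late
        code means the wire must be re-submitted and re-confirmed."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return None
        wire, nonce, expires_at = entry
        if self._now() > expires_at:
            return None
        expected = self._code_for(wire, nonce, expires_at)
        if not hmac.compare_digest(expected.encode(), str(code).encode()):
            return None
        return wire   # release exactly what was confirmed, not what the browser sent


def code_from_message(message):
    """Pull the six-digit code out of the second-channel text (what the approver types back)."""
    return message.rsplit("Code: ", 1)[1]


if __name__ == "__main__":
    approver = OutOfBandApprover(b"replace-with-a-real-server-secret")
    wire = Wire("treasury-ops", "123456789012", 40_000_000)
    cid, msg = approver.challenge(wire)
    print("second channel says:", msg)
    print("released:", approver.approve(cid, code_from_message(msg)))
    print("replay:", approver.approve(cid, code_from_message(msg)))
```

Two details carry most of the value: the release step uses the stored wire rather than anything re-sent from the compromised PC, and the message on the second channel shows the real beneficiary, so a keylogger and remote access tool on the employee’s workstation yield a code that is useless for any wire other than the one the employee actually read and confirmed.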