-
“Data-flow diagrams”
This request was seen in a recent State examiner’s pre-examination questionnaire, and although I usually like to see a request a couple of times from different examiners before identifying it as a legitimate trend, this one could prove so potentially problematic that I thought I needed to get ahead of it. Before we go much…
-
Online Transactions – Defining “Normal”
I’ve gotten several inquiries about this since I last posted, so I thought I’d better address it. The new FFIEC authentication guidance requires you to conduct periodic risk assessments, and to apply layered controls appropriate to the level of risk. Transactions like ACH origination and interbank transfers involve a generally higher level of risk to…
-
Interpreting The New FFIEC Authentication Guidance – 5 Steps to Compliance
We’ve all now had a couple of weeks to digest the new guidance, and what has emerged is a clearer understanding of what the guidance requires…and what it doesn’t. But before we can begin to formulate the specific compliance requirements, we have to interpret what the guidance is actually saying…and what it isn’t. And along…
-
AICPA finalizes SAS 70 replacement
I wrote about this here as well, but it’s now official: The AICPA has clarified the SAS 70 replacement reports. They are actually officially being referred to as “Service Organization Control Reports (formerly SAS 70 reports)”. The new SOC reports provide a framework for auditors to examine controls and to help senior management understand the…
-
Corporate account takeovers – responsibility vs. liability
In all remote merchant services (RDC, remote ACH, remote wire origination, etc.) there are three main parties responsible for securing the transaction: