Tag: Audits

  • FFIEC Cancels E-Banking Handbook

    FFIEC Cancels E-Banking Handbook

    On May 13, 2022, the FFIEC very quietly rescinded the FFIEC Information Technology Examination Handbook (IT Handbook) booklet entitled E-Banking.  The original booklet was released in 2003 and was accompanied by a flurry of activity by financial institutions to come up with a separate E-banking policy and risk assessment.  In effect, the FFIEC is now […]

  • Vlog: Are Bank Regulators Considered Vendors?

    Vlog: Are Bank Regulators Considered Vendors?

    In this special vlog installment of Ask the Guru, Tom Hinkel answers a question asked by an OCC bank examiner, “Are regulators considered vendors for banks?” Watch the video below to hear Tom’s thoughts on the matter.

  • UPDATE – New Proposed Cyber Incident Notification Rules Finalized

    UPDATE – New Proposed Cyber Incident Notification Rules Finalized

    Last updated March 30, 2022. Currently, financial institutions are required to report a cyber event to their primary federal regulator under very specific circumstances. This requirement dates back to GLBA, Appendix B to Part 364 and states that FI incident response plans (IRP’s) should contain procedures for: “Notifying its primary Federal regulator as soon as […]

  • New Proposed Cyber Incident Notification Rules

    New Proposed Cyber Incident Notification Rules

    Update: Since publishing this post, these rules have been finalized. We have a new post covering those details here. We first wrote about incident notification over ten years ago, and based on feedback from our cyber testing experience, financial institutions are still struggling with the issue of whether or not to notify their customers and […]

  • Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

    Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

    One of several changes implemented in the 2019 FFIEC BCM Examination Handbook is a subtle but important differentiation between a BCMP “test” and an “exercise”. I discussed some of the more material changes here, but we’re starting to see examiner scrutiny into not just if, but exactly what and how you’re testing. According to the […]

  • Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

    Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

    Hey Guru! Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that GDPR has placed a higher premium on the protection of a narrower definition of data. So, my question is more about whether FFIEC requirements for […]