Tag: Risk Assessment

  • Home
  • Risk Assessment
09 Oct 2012
From the Field Tom Hinkel 0 comment

FDIC Institutions still getting UIGEA (Reg GG) findings – UPDATE

Update 1 –  12/5/2011 to add examination procedures*. 

Update 2 – 2/13/2012 to emphasize policy requirements.

Update 3 – 10/8/2012 to add specific courses of action if the FI has “actual knowledge” of restricted transactions.

We first saw this trend back in July 2011, and continue to see it, so I’m calling this a definite trend as opposed to an anomaly.  Here is the background:  The Unlawful Internet Gambling Enforcement Act of 2006 (“UIGEA”) prohibits any person, including a business, engaged in the business of betting or wagering from knowingly accepting payments in connection with the participation of another person in unlawful Internet gambling.  As a result, the Agencies (FDIC, OCC, NCUA, Federal Reserve) issued Reg GG, requiring financial institutions to establish policies and procedures “reasonably designed to identify and block, or otherwise prevent or prohibit, restricted (gambling) transactions” with compliance required as of June 1, 2010.

Most institutions have measures built in to their account opening procedures by their core vendor to comply with this Reg, but the recent examination findings seem to address the lack of a specific UIGEA policy.   This would indicate that procedures alone may not be enough to demonstrate compliance anymore (i.e., “we’re doing it even though we don’t say we are” isn’t enough).  So what are you supposed to do?  Make sure you have a specific written UIGEA policy, and that it is designed to address the following:

  • Don’t assume that just because you have no (or a few) commercial customers you aren’t required to have a policy.  The implementation burden is lessened, but a policy is still required.
  • Designate a person responsible for UIGEA compliance (this was a specific finding in one of the recent examinations).
  • Focus on establishing a due diligence process when initiating a commercial customer relationship.
  • Communicate to your commercial customers contractually up  front (and periodically throughout the relationship) that restricted transactions are prohibited.  Your policy should state that the commercial customer agrees to not originate or receive restricted transactions throughout the customer relationship.  If the risk warrants, a certification from the customer is recommended.
  • Your due diligence obligations do not end once the account is opened.
  • Specify a specific course of action to be followed in case you have “actual knowledge” that a customer has violated the policy.  For example:
    •  Perform an account review
    • Suspend activity on the account
    • Contact the customer
    • Contact legal counsel (if appropriate)
    • Close the account
    • File a SAR, if warranted
    • Contact regulatory authorities
    • Contact law enforcement
    • If cooperating with law enforcement, and so advised by same, continue processing

There are additional regulatory expectations if you actually have customers that are legally allowed to engage in an Internet gambling business, i.e. through U.S. State or Tribal authority.  In fact when I started getting reports of UIGEA policy deficiencies, my first thought was that all the institutions may have had that common denominator…they had customers legally engaging in Internet gambling.  That was not the case, however.  It would appear that this is just the latest regulatory “hot button”.

* Download Full Act, examination procedures in Attachment C

13 Sep 2012
Hot Topics Tom Hinkel 0 comment

BYOD Redux – The Policy Dilemma (Part 1)

Employee-owned mobile devices are everywhere, and they’re being used for everything from email to document storage and editing.  Proper risk management procedures are defined in your policies, but do you need a separate mobile device policy, or can you simply mention them in the same policy sections that address other portable devices?  Or is there another option you need to consider?  Let’s follow the same risk management process for mobile device deployment as you would to deploy any other new technology:

    1. First, before mobile devices are deployed, a decision is made that they should be considered for implementation because they will somehow further the goals and objectives of the strategic plan.
    2. Next, a cost-benefit analysis is done, and the results should reinforce the decision to implement.
    3. Finally, a risk assessment is conducted that identifies potential risk exposure due to unauthorized disclosure of customer, confidential, or sensitive information.

Since most mobile devices can process, store, and transmit information, this looks very similar to your risk assessment for other portable computing devices like laptops.  (Indeed the FFIEC mentions “…laptops and other mobile devices…” together  in their Information Security Handbook, suggesting the risks are similar.)  Except in this case the risk is magnified by the extreme portability of the devices, the “always-on” and “always-remote” nature of them, and the fact that many more people will use mobile devices than will use laptops.

Once the inherent risk is assessed (most likely higher than your other computing devices), controls are identified to reduce the risk.  Again, since the capabilities are similar, the list of potential administrative and technical controls looks very similar to those on your other computing devices.  Your existing policy probably mandates that there first be a legitimate business reason for the employee to use a portable device.  Once need is established, the employee agrees to a “proper use” policy, i.e.  what is allowed and what isn’t.  Finally, technical controls are applied; 8-10 character complex passwords, encrypted storage, patch management, Anti-virus/Anti-malware software, user rights and permissions restrictions, Active Directory integration, etc.  But even if you’ve followed your risk management procedures to the letter so far, this is where the real challenges begin, because mobile devices simply don’t have the same controls available to them that other portable devices like laptops do.  There are some additional controls available (like remote-wipe capability), but the end result of your risk assessment would most likely be that you have a higher inherent risk and insufficient controls, leading to a higher residual risk.  Under “normal” conditions, this would lead to a decision to NOT deploy mobile devices until risks can be reduced within acceptable levels, right?

And yet they are ubiquitous.

So back to the original question.  I’m not a big believer of writing a new policy to accommodate every new piece of technology you decide to implement unless the technology cannot be accommodated within your existing policy framework.  It is far easier to make a simple policy change by mentioning the new technology, thereby acknowledging that it exists and that it fits within your current policy framework.  But in this case you are not really making a change, you are actually making a policy exception.  You are admitting that the residual risk of BYOD is unacceptably high, but that you are willing to accept the additional risk in return for potential productivity gains.  Since the Board of Directors is responsible for providing “…clear guidance regarding acceptable risk exposure levels…”, and for ensuring that “…appropriate policies, procedures, and practices have been established”, policy exceptions must be approved by the Board as well.   It is your responsibility to make sure they understand exactly what the risks are, and why you feel they are risks worth taking.

Hopefully risk management controls for mobile devices will continue to evolve and mature to the point where they match controls for the other portable devices you currently manage.  But until they do, until they are capable of being risk managed consistent with your existing policies, they (and all policy exceptions) represent an net reduction in your existing security profile.  And you cannot rationalize or justify taking short-cuts just because “everyone else is doing it”…or even worse, “we can’t stop it”.

Next, I’ll discuss possible solutions to this risk management challenge.

03 Jul 2012
From the Field Tom Hinkel 0 comment

“Operational Risk Increasing”

In a recent speech to the Exchequer Club1, Thomas J. Curry, the new head of the OCC, stated that although asset quality has improved, charge-off rates have fallen, and capital now stands at its highest level in a decade, another type of risk is gaining increasing prominence; Operational Risk.

“Some of our most seasoned supervisors, people with 30 or more years of experience in some cases, tell me that this is the first time they have seen operational risk eclipse credit risk as a safety and soundness challenge.  Rising operational risk concerns them, it concerns me, and it should concern you.

In fact, the OCC considers it currently to be at the top of the list of safety and soundness issues for the institutions they supervise.  Earlier this year I wrote about how risk assessments were one of the compliance trends of 2012, and how regulators are now asking about things like strategic risk and reputation risk and operational risk, and expecting that these risks are assessed alongside the more traditional categories like privacy and security.

So the question is:  What exactly is operational risk, and how can financial institutions effectively address it?  The FFIEC defines it this way:

“Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people, or systems. The root cause can be either internal or external events. Operational risk is present across all business lines.”

Furthermore, because the implications of operational risk extend to all other risks….

“Management should distinguish the operational risk component from other risks to enable a stronger focus on operational risk mitigation.

If you are still a bit confused about exactly what operational risk looks like, you are not alone.  Because it exists in all business lines and manifests itself in every other risk, it is one of the most difficult risks to assess.  In other words, it’s everywhere…and affects everything!

Simply put (and assuming your policies and procedures are adequate), most of the time operational risk can be defined as a failure to adhere to your own internal policies and procedures.  In other words, if you don’t do what you say you will do, or you don’t do it the way you say you’ll do it, something will fail as a result.  Whether a it’s a process, a control, a system, or a risk model…if they are in place and operational, but either flawed or not followed, operational risk is the result.2   But here is the kicker, even if your processes/procedures/models, etc. are flawless and followed to the letter, if you can’t document that they are,  you may still have a high operational risk finding in your next safety and soundness examination.

The best way to address operational risk is to implement an internal control self-assessment process to assure that risk management controls are adequate, in place, and functioning properly.  Reporting will document that your day-to-day practices follow your written procedures.  Finally, make sure all business decisions reflect the goals and objectives of the strategic plan, and report to the Board on a regular basis.

In summary, integrate assessment of operational risk into your risk management process, and expect to hear more about it from the regulators in the future.  And don’t think that because you aren’t regulated by the OCC you won’t see this trend.  After all, as Mr. Curry stated:

“As regulators, one of our most important jobs is to identify risk trends and bring them to the industry’s attention in a timely way. No issues loom larger today than operational risk in all its dimensions, the manner in which all risks interact, and the importance of managing those risks in an integrated fashion across the entire enterprise.”

[poll id=”3″]

1 The Exchequer Club is comprised of senior professionals from trade associations, federal regulatory agencies, law firms, congressional committees and national press with a primary interest in national economic and financial policy.

2 Business Continuity Planning uses a slightly different definition of operational risk.  Since the basic assumption of a BCP is that your processes and systems have already failed because of a disaster, operational risk manifests itself in the additional overhead that the alternative recovery processes and procedures temporarily impose on your organization.  Of course if your BCP is inadequate, failed processes will be the result.

28 Mar 2012
From the Field Tom Hinkel 0 comment

CFPB Examinations Are Coming – UPDATE 2

UPDATE 2 – June 2012:  Memorandum of Understanding issued on CFPB examinations

Examinations are coming, but hopefully they won’t impose too much of an additional burden on you.  At least that is the intent of an MOU was recently signed between the CFPB and the other Federal regulators (Federal Reserve, NCUA, FDIC and OCC).  The MOU provides for information sharing among and between all agencies in order to minimize unnecessary duplication of examination efforts, and provides guidelines for “Simultaneous and Coordinated Examinations” between the agencies.  So expect additional visitors during future examinations, but if they truly expect to achieve the stated objective to “minimize unnecessary regulatory burden on Covered Institutions” they could start by doing away with CFPB examinations entirely.

UPDATE 1  –  May 2012:  Ramping Up…

Coming soon to your financial institution –

Dear Board of Directors:

Pursuant to the authority of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Consumer Financial Protection Bureau (CFPB) performed a risk-focused examination of your institution.  The examination began on April 1, 2012.  The following report summarizes the findings of our examination.

Any matters of criticism, violations of laws or regulations, and other matters of concern identified within this Examination Report require the Board of Director’s and management’s prompt attention and corrective action….

Although by law the CFPB will only  examine large depository institutions (assets greater than $10B) individually, Section 1026 extends coverage to smaller institutions on a sampling basis.  This means all institutions can eventually expect a visit from CFPB examiners (either with or without your primary federal regulator) at some point in the future.  And it is my opinion that the influence of the CFPB will continue to expand to all financial institutions regardless of size.  Consider the following:

  1. The CFPB is now one of the agencies comprising the inter-agency council of the FFIEC (replacing the OTS).  This means that CFPB will have input into all FFIEC guidance going forward.
  2. The head of the CFPB sits on the FDIC Board of Directors
  3. So far, 19 (Regs. B – P, V, X, Z & DD) out of the total of 39 Regulations have been turned over to CFPB for enforcement.  (I wonder if including Reg E will affect all electronic funds transfers, or only those initiated by non-business customers?  I find it hard to believe that there would be 2 sets of standards.)

So they are coming, but believe it or not there is good news.  Not only are they telling you what they are looking for ahead of time, they are giving you lots of helpful templates to fill out in preparation.  True, the templates are for their examiners, but there is no reason why you can’t use them too.  Particularly helpful is the Consumer Risk Assessment Template which CFPB examiners will use to determine inherent risk, which is then reduced by the appropriate controls to arrive at the overall risk (also called residual risk).  This table represents the summary of the consumer risk assessment process:

Notice that if the inherent risk is high, the residual risk can be no lower than moderate, regardless of the strength of the controls.  I think this is significant because of the potential implications for all risk assessments going forward.  Remember, CFPB now has a seat at the FFIEC (and FDIC) table.

But consider this…could we be looking at a fundamental change in how all risk assessments are conducted, and examined, in the future?  One single standardized risk assessment template for all risks?  Inherent risk levels are pre-defined, and control strength is pre-determined, making residual risk a purely objective calculation.  The complete lack of subjectivity means that all examiners evaluate all institutions against the exact same set of standards.  No exit meeting surprises, no unexpected CAMELS score downgrades, no spending hours and hours preparing for one area of compliance, only to have the examiners focus on something else.

So could the influence of the CFPB be a smoother, more predictable examination experience overall?  Or am I dreaming?

22 Dec 2011
From the Field Tom Hinkel 0 comment

FDIC offers “Insight” on Mobile Banking

Although not considered official supervisory guidance, the most recent FDIC Supervisory Insights newsletter offers an instructive early look into how the agency might examine this emerging electronic banking delivery method in the future.  (Before you tune out and decide to wait for the formal guidance, remember it was the Winter 2009 issue that first introduced us to the concept of the Enterprise-wide risk assessment as the preferred replacement for the traditional information security risk assessment.  I consider these Supervisory Insight newsletters to be a pretty accurate peek into the regulatory crystal ball.)

The article is titled “Mobile Banking: Rewards and Risks”, and is a fairly deep dive into this relatively new banking service.  Mobile banking is defined as the use of a mobile device, commonly a cell phone or tablet computer, to conduct banking activities.   The article starts by discussing the current, and estimated future, market for this service, quoting a survey placing the potential adoption of mobile banking at 38 million households by 2015.  Clearly, if institutions have not already considered adopting this delivery method, they certainly will in the near future.  They separate the mobile service offerings into 3 broad categories based on the delivery method:

  • Text messaging/short message service (SMS)
  • Mobile-enabled Internet browser
  • Mobile applications (apps)

They then discuss the channel-specific mobile banking risks, and this was one of the most interesting parts of the article for me:

A recent study looked at the security of four types of mobile applications – financial services, social networking, productivity, and retail.  The study focused on the types of sensitive data that mobile applications store on the device and whether these data were stored securely. Each application was rated “Pass,” “Warn,” or “Fail.” A “Pass” rating means sensitive data are not stored on the device or are encrypted.  A “Warning” rating means certain data are stored on the device, but this does not put the user at significant risk of fraud. A “Fail” rating indicates sensitive data, such as account numbers and passwords, are stored on the device in clear text, placing the user at an increased risk of identity theft or other financial fraud.

As you can see, although financial institutions had the highest “pass” rate for mobile applications, they also had uncomfortably high “warn” and “fail” rates.  (Also note the extremely high “fail” rates for social networking apps…this only confirms my concerns.)  Although they don’t go into great detail on the availability and proper use of controls to mitigate the risks, they do make the point that proper vendor management is key.  This is particularly true for community institutions who rely heavily, and almost exclusively, on the built-in controls provided by their product’s vendor.

But they also refer to the updated FFIEC Authentication guidance, stating that it “applies to mobile banking“.  This is a bit of a news flash, as the term “mobile banking” is not specifically mentioned anywhere in the updated guidance.  In fact this was one of the major criticisms of the update when it was released (although I disagreed).  I think it’s clear now that the FFIEC intended for the updated guidance to be broad enough include new and emerging technology, and that we shouldn’t expect a new update every time technology changes.  This also means that you should include mobile capabilities in your Electronic Banking risk assessment, as well as the associated controls.

So consider this an early Christmas present from the FDIC, and make sure to incorporate the mobile banking risk management concepts discussed in this article into your electronic banking risk assessment.  In summary:

Financial institutions are challenged to ensure their mobile banking service is designed and offered in a secure manner, and customers are made aware of steps they can take to protect the integrity of their mobile banking transactions.  (Edit – so does making customers aware mean mobile banking customer training will be a requirement?)

31 Aug 2011
Hot Topics Tom Hinkel 0 comment

Online Transactions – Defining “Normal”

I’ve gotten several inquiries about this since I last posted so I thought I’d better address it.  The new FFIEC authentication guidance requires you to conduct periodic risk assessments, and to apply layered controls appropriate to the level of risk.  Transactions like ACH origination and interbank transfers involve a generally higher level of risk to the institution and the customer, and as such require additional controls.  But here’s the catch…given the exact same product with the exact same capabilities one customer’s normal activity is another customer’s abnormal.  So defining normal is critical to identifying your abnormal, or “high-risk”, customers.

Most Internet banking software has built-in transaction monitoring or anomaly detection capabilities, and vendors that don’t are scrambling to add it in the wake of the guidance.  As the guidance states:

“Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.

So automated anomaly detection systems can be a very effective preventive, detective and responsive control.  But I think there is a very real risk that a purely automated system may not be enough, and may even make the situation worse in some cases.  For one thing, any viable risk management solution must strike a balance between security and usability.  A highly secure automated anomaly detection and prevention system may be so tightly tuned that it becomes a nuisance to the customer or a burden to the institution.  Customers are already reluctant to accept any constraints on usability, even if they can be presented as in their best interest.  And if your requirements are just a little bit more than your competitor, you risk losing the customer to them.  Interesting paradox…you implement additional controls to protect them, and lose them to a (potentially) less secure competitor!

But another way a purely automated solution may not achieve the desired result is that it may actually lull the institution into a false sense of security.  I’ve already heard this in my discussions with our customers…”My vendor says they will fully comply with the new guidance, so I’m counting on them.”  And indeed the vendors are all saying “Don’t worry, we’ve got this…”.  But do they?  In at least one incident, transaction monitoring did not stop an account take-over because according to the automated systems the fraudulent transactions were all within the range of “normal”.

So what more should you do?  One thing is to make sure that you don’t rely solely on your vendor to define “normal”.  Just as with information security, you can, and (because of your reliance on the vendor) should outsource many of the risk management controls.  But since you can not outsource the responsibility for transaction security, you must take an active role with your vendor by sharing responsibility for monitoring.  One way to do this is to participate in setting the alert triggers.  For example, high account inquiries may trigger an automated anomaly alert, but really don’t carry a high risk of loss.  (However, they could be indicative of the early stages of an account takeover, so they shouldn’t be completely ignored either.)  On the other hand, a slight increase in interbank transfers may not trigger an alert, but could carry a potentially large loss.  Rank the capabilities of each product by risk of loss, and work with your vendor to set anomaly alerts accordingly.

Once you’ve established “normal” ranges for your products by capability, and set the anomaly triggers, your vendor should be able to generate reports for you showing deviations from normal for each product.  The next step is to separately assess each customer that falls outside those normal ranges.  Anomaly triggers for these customers should necessarily be set more tightly, and your vendor should be able to provide deviation reports for those as well.  By regularly reviewing these reports you are demonstrating a shared security responsibility approach, and most of all, demonstrating an understanding of both the letter and spirit of the guidance.

Remember, although your vendor can help, “normal” transaction frequency and dollar amounts must be defined by you based on your understanding of the nature and scope of your on-line banking activities.

© 2025 UFS Tech. All rights reserved. Compliance Guru is a registered trademark of UFS Tech. Privacy Policy