Tag: SAR

09 Jan 2012

Another incident management table-top training exercise

I’ve mentioned before that financial institutions would be wise to use news reports of security incidents as “what if” table-top training exercises.  Here is another one that just occurred a couple of days ago:

Test scenario:

  • You receive a subpoena from a government agency requesting financial information on several customers.  The subpoena includes names and social security numbers for the customers involved.
    • (Your privacy policy probably contains verbiage similar to this:  “Social Security numbers may only be accessed by and disclosed to <bank employees> and others with a legitimate business “need to know” in accordance with applicable laws and regulations”, or perhaps you state that you will disclose only if “…responding to court orders and legal investigations”.)
  • You determine that information disclosure is necessary and appropriate in this case, and you provide the information.
  • Although there is nothing in your privacy policy that requires it, you then decide that you will notify the affected customers that their information was disclosed pursuant to a legal request.
  • You send a letter to each affected customer explaining the reasons for the disclosure, as well as what information was disclosed.
  • You include a copy of the original subpoena in the letter to the affected customers in its original form, including the names and social security numbers of all of the affected customers.  In other words, you did not redact the information pertaining to everyone other than the intended recipient of the letter; every affected customer received everyone else’s information in addition to their own.

Discussion topics:

  1. Does this qualify as a “security incident” as it is defined by your Incident Response Plan?  It is clearly not an intrusion, but it does qualify as an irregular or adverse event which negatively impacts the confidentiality of customer non-public information.
  2. Is customer or regulator notification required?  In order to answer this question, answer the following:  “Has misuse of non-public information occurred, or is it reasonably possible that misuse could occur?”  If the answer is “yes”, customer and regulator notification is required, as well as credit monitoring services, ID theft insurance, credit freeze activation, and any other remedies the law, and your policies, require.
  3. Is a Suspicious Activity Report filing required?  (Perhaps not, but I would err on the side of caution.)
  4. What, if anything, would we do differently?  Under what exact circumstances will we disclose customer NPI?  If disclosed, will we notify the affected customer?  What are the legal implications?
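One concrete answer to “what would we do differently” is a pre-send check on outgoing correspondence: the subpoena copy enclosed for one customer must carry no other customer’s SSN. The example below is added here and is not part of the original post; the subpoena text and every name and SSN in it are constructed, and it assumes (as in that sample) that a listed customer’s name and SSN share a line.

```python
import re

# Constructed sample of a subpoena naming several customers (not from the
# original post; every name and SSN here is made up).
SUBPOENA = """SUBPOENA DUCES TECUM
Produce account records for the following customers:
  Alice Example, SSN 123-45-6789
  Bob Sample, SSN 987-65-4321
  Carol Demo, SSN 555-12-3456
Return date: 30 days from service."""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MASK = "XXX-XX-XXXX"


def redact_for_recipient(text, recipient_ssn):
    """Return a copy of the subpoena suitable to enclose for one customer.
    A line carrying only other customers' SSNs is replaced wholesale, so the
    name printed beside the SSN goes with it (assumes name and SSN share a
    line).  A line that mixes the recipient's SSN with others keeps the
    recipient's and masks the rest."""
    out = []
    for line in text.splitlines():
        found = SSN_RE.findall(line)
        others = [s for s in found if s != recipient_ssn]
        if not others:
            out.append(line)
        elif recipient_ssn in found:
            out.append(SSN_RE.sub(lambda m: m.group(0) if m.group(0) == recipient_ssn else MASK, line))
        else:
            out.append("  [OTHER CUSTOMER - REDACTED]")
    return "\n".join(out)


def foreign_ssns(text, recipient_ssn):
    """Pre-send check: every SSN in `text` that is not the recipient's own."""
    return {s for s in SSN_RE.findall(text) if s != recipient_ssn}


def ok_to_send(text, recipient_ssn):
    """A letter may leave only when no other customer's SSN remains in it."""
    return not foreign_ssns(text, recipient_ssn)


if __name__ == "__main__":
    alice = "123-45-6789"
    print("unredacted copy ok to send?", ok_to_send(SUBPOENA, alice))
    letter = redact_for_recipient(SUBPOENA, alice)
    print(letter)
    print("redacted copy ok to send?", ok_to_send(letter, alice))
```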

Use these real-world examples to fine-tune your incident management policies and procedures.  Perhaps they will prevent you from becoming someone else’s training exercise!

27 Oct 2010

ID Theft and SAR filings

In the past, authoritative reports on identity theft have used surveys conducted with the general public to collect ID theft related data.  However, in a recent FinCEN report, the data collected came directly from SARs filed by the financial institutions themselves, resulting in a much more accurate assessment of the scope of the identity theft problem.

About the SAR: The most recent version of the Suspicious Activity Report (SAR) is dated July 2003, and has required financial institutions to report in the separate category of identity theft since 2004.  (It’s found in Part III, 35 (u), with the narrative in Part V.)  Since the category was made available, the number of SAR filings reporting identity theft has gone from 15,445 in 2004, to 36,210 for 2009.

About ID Theft: The ID Theft/Red Flags Act is actually titled “Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003”, and was approved by the FFIEC and all regulatory bodies in October, 2007 with compliance mandatory by November 2008.  Since then, enforcement has been delayed several times, most recently until December, 2010.  This does not extend the requirement for financial institutions to comply with the act, only regulatory enforcement.  All institutions should have (at the very least) an ID Theft policy, as well as established procedures.

About the report findings: There were a number of interesting findings in this report, but the most interesting to me was that the 2 most commonly identified Red Flags (as listed in Supplement A to Appendix A of the act) were #25 and #26:

  • 25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
  • 26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

These 2 Red Flags accounted for 75% and 23% respectively of all filings.  This is interesting because it appears that the vast majority of the ID theft notifications are coming from the customers themselves.  When combined with the finding that 43% of ID theft related activity is discovered within 4 weeks, perhaps the most effective loss-prevention control for institutions to consider is one that delivers account information to the customer more quickly.