The FFIEC has previously issued a statement on Windows XP and the regulatory expectations for both financial institutions and TSPs beyond April 8th, but so far the regulators have not weighed in on the implications for e-banking and RDC customers. According to some estimates, as many as 30-40% of your business customers may still be using Windows XP. Since Microsoft will discontinue support for WinXP after April 8th of this year, leaving these devices potentially exposed, what is your obligation to your high-risk Internet banking and RDC customers? What do the regulators expect of you in this situation and, better yet, what do your customers expect of you? Would knowingly allowing your e-banking and RDC software to run on potentially insecure systems be considered “commercially reasonable” security?
According to the FFIEC E-Banking Handbook, financial institutions have an obligation to understand and manage the risks of the electronic banking environment, which includes the customer location. Similarly, Remote Deposit Capture guidance makes it clear that institutions are required to understand how the risks of using the customer’s systems to engage in RDC affect your legal, compliance, and operational risks. That is why most institutions include site visits to the customer location as part of the customer suitability process prior to approving them for RDC or commercial banking software. But if your on-site assessment indicated that the customer was using an insecure operating system, would you even allow your software to be installed?
Again, examiners may not be looking for this specifically (although I know of at least one auditor that has added it to their IT controls scope of work). However, I recommend that you at least make the effort to reach out to your high-risk e-banking and RDC customers and remind them that, according to the terms of their contract, you share responsibility for creating and maintaining a secure computing environment for electronic banking. And then extend your awareness effort to ALL electronic banking customers.
UPDATE – Here is what Microsoft has to say about this. You may want to reference this in your communications with customers:
Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.