Articles

Internet Banking Risk Assessments

Guest Blog by Tony Schwarz, Director of Risk Management, Affiliates Management Company

Is your credit union fully compliant with the new FFIEC authentication guidance?  Your internet banking provider likely has a variety of security controls you can choose from to help protect your members’ accounts and transactions.  However, another aspect of compliance is the NCUA exam.  You will want to make sure you have an executed awareness program for your members and that you have performed a risk assessment based on the FFIEC guidance.  After completing your risk assessment your credit union should be clear on what additional changes you may need to make internally with your credit union procedures, and which security/authentication options to implement with your internet banking site.  The risk assessment will help you find the balance between too much security and not enough.

Building a risk assessment can be done in several ways.  You may have incorporated the FFIEC analysis into your annual enterprise risk assessment process.  Or maybe you’ve built a new document using a framework like NIST 800-30 from the National Institute of Standards and Technology for IT risk assessments.  If you are a smaller credit union or you just haven’t had the time to do it, you may need to outsource the risk assessment.  Hopefully you’ve not ignored it, because you will find that the examiners are certainly looking for it.  Working through the process helps protect your members and also highlights other changes that may be necessary in your internet banking security.

In collaboration with PolicyWorks, I recently worked with a credit union that needed their internet banking risk assessment completed.  Our completed document included a variety of recommendations that helped the credit union finalize decisions and move towards a more secure internet banking site for their members.  Although our process may be more detailed, at a very high level your own risk assessment process may look something like this:

  • Select the risk assessment framework you will use (like NIST 800-30 found at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf) and study the structure.
  • Gather the input information such as credit union policies, internet banking vendor documentation/options, decisions the credit union has made, documentation on processes performed by the credit union related to internet banking, specific information about which transactions (ACH, wires, bill pay) can be performed on the internet banking site, and what personally identifiable information is available on the site or on linked sites like bill pay.
  • Document the threats, vulnerabilities, risks (that are present due to those threats and vulnerabilities), the controls that are in place (like out-of-band-authentication), the residual risk, and what recommendations exist for control improvements to address the residual risk. 

In summary, credit unions should be ready to provide their internet banking risk assessment to NCUA as they will likely ask for it in your 2012 exam.

Industry Issues, Operations

Account Takeover

I don’t know about you, but I can’t believe it is 2012 already. FinCEN is starting the new year with some guidance on identifying “account takeover” suspicious activity. FinCEN defines “account takeover” as the act of using computer intrusion to target a member holding an account at a credit union to remove, steal, procure or otherwise affect the member’s funds.

A common misconception is that a credit union’s IT department is the only line of defense, which is not the case. FinCEN provides the following “red flags” for this type of activity: unusual ATM activity, clustered ACH transactions in different geographical areas, sudden wire transfers, and changes to a member’s account or profile.

BSA

Are we completing our GFEs correctly? – Part 2

This is Part 2 of the ongoing “Are we completing our GFEs correctly?” series.

“Are we completing our Good Faith Estimates (GFEs) correctly?” This is how I started out my blog back on November 17th and if you read it, you discovered that most credit unions are not completing the GFEs correctly. As you can imagine, there are more common mistakes being made on the GFE than just those I described in my previous blog.

Lending

No Holiday Rest for CFPB

The holidays have definitely been a busy time for everyone. Buying presents and groceries and planning for holiday parties, it can really make things hectic. Showing no signs of slowing down during the holidays, the CFPB has recently released new prototype forms through the “Know Before You Owe” initiative. These forms represent the second release of forms that combine the HUD Settlement Statement and Truth-in-Lending disclosures to be given at consummation.

Lending

Re-Wrapped

Just in time for the holidays, the CFPB is pulling out its wrapping paper and tape and presenting the credit union community with refurbished regulations. They may look like the old regulations but they have shiny new citations.

Title X of the Dodd-Frank Act transferred rulemaking authority for numerous regulations to the CFPB on July 21, 2011. The CFPB is now in the process of republishing the transferred regulations and implementing those laws with technical changes.  Last Friday it was Regulations F, I, and N. This week it’s C, G, H, M, B, V, J, K, L, P, and X. Each regulation is effective December 30, 2011.

No substantive changes to the regulations are expected as they are published, but who knows what we will unwrap in the next few weeks!

Uncategorized

Frank

If you conduct the BSA training in your credit union and you haven’t heard about Frank Mendoza, you must read this post.

BSA, Uncategorized

Are you following your Reg E error resolution procedures?

Everyone knows what Regulation E is, but are you in compliance when it comes to your error resolution procedures?  Recently, a bank in Indiana was slapped with civil money penalties of $82,500 by the FDIC for Reg E violations.  So, you are probably asking yourself, what did the bank do?  Well, one thing they didn’t do was follow the error resolution notice requirements.

This particular bank was requiring the customer to provide a police report on claims of unauthorized use of debit/ATM cards.  The error resolution protections afforded by Reg E, Section 205.11, prohibit you from requiring a member to file a police report as a condition of providing the protections afforded by Reg E.  So if you are looking for an end-of-year compliance project, I would suggest taking a look at your Reg E error resolution procedures to ensure you are providing your members with their rights and protections under the rule.

Uncategorized