• Articles
    • About Us
    • Contributors
    • Contact Us
    • Links

By Andrea Stritzke

Internet Banking Risk Assessments

By Andrea Stritzke January 5, 2012

Guest Blog by Tony Schwarz, Director of Risk Management, Affiliates Management Company

Is your credit union fully compliant with the new FFIEC authentication guidance?  Your internet banking provider likely has a variety of security controls you can choose from to help protect your members’ accounts and transactions.  However, another aspect of compliance is the NCUA exam.  You will want to make sure you have an executed awareness program for your members and that you have performed a risk assessment based on the FFIEC guidance.  After completing your risk assessment your credit union should be clear on what additional changes you may need to make internally with your credit union procedures, and which security/authentication options to implement with your internet banking site.  The risk assessment will help you find the balance between too much security and not enough.

Building a  risk assessment can be done in several ways.  You may have incorporated the FFIEC analysis into your annual enterprise risk assessment process.  Or maybe you’ve built a new document using a framework like the NIST 800-30 from the National Institute of Standards and Technology for IT risk assessments.  If you are a smaller credit union or you just haven’t had the time to do it, you may need to outsource the risk assessment.   Hopefully you’ve not ignored it because you will find that the examiners are certainly looking for it.  The value of working through the process can help protect your members and also help highlight other changes that may be necessary in your internet banking security. 

In collaboration with PolicyWorks, I recently worked with a credit union that needed their internet banking risk assessment completed.  Our completed document included a variety of recommendations that helped the credit union finalize decisions and move towards a more secure internet banking site for their members.  Although our process may be more detailed, at a very high level your own risk assessment process may look something like this:

  • Select the risk assessment framework you will use (like NIST 800-30 found at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf) and study the structure.
  • Gather the input information such as credit union policies, internet banking vendor documentation/options, decisions the credit union has made, documentation on processes performed by the credit union related to internet banking, specific information about which transactions (ACH, wires, bill pay) can be performed on the internet banking site, and what personally identifiable information is available on the site or on linked sites like bill pay.
  • Document the threats, vulnerabilities, risks (that are present due to those threats and vulnerabilities), the controls that are in place (like out-of-band-authentication), the residual risk, and what recommendations exist for control improvements to address the residual risk. 

In summary, credit unions should be ready to provide their internet banking risk assessment to NCUA as they will likely ask for it in your 2012 exam.

  / READ MORE
Industry Issues, Operations

Frank

By Andrea Stritzke December 20, 2011

If you conduct the BSA training in your credit union and you  haven’t heard about Frank Mendoza, you must read this post.

  / READ MORE
BSA, Uncategorized

A Fair Lending Warning

By Andrea Stritzke November 29, 2011

It’s easy to believe that your credit union does not discriminate in lending. However, you might want to spend some time making sure your belief is accurate given the current focus on fair lending by the NCUA’s Office of Consumer Protection, the Department of Justice and the CFPB.

  / READ MORE
Lending

Proceed with caution

By Andrea Stritzke November 3, 2011

By Guest Blogger, TJ Riha, PayFusion CEO

Community FIs are facing a unique opportunity as frustrated customers trade in their big-bank loyalty for a friendlier (and more affordable) option. But these community FIs must tread lightly as they go about the business of customer growth.

Following is an excerpt from a paper I recently wrote (“Use Caution When Wooing Angry Bank Customers,”) alongside Andrea Stritzke, VP of regulatory compliance for PolicyWorks

As programs like free checking and debit rewards circle the drain at big banks across the country, angry customers are shopping for alternatives.

To be sure, this extraordinary chance at growth can not be squandered. That said, leadership at the nation’s credit unions and community banks must proceed with caution when courting these angry bank customers.

Strings Attached to the Term ‘Free’

Truth in Savings regulations state that advertisements cannot refer to or describe an account as “free” – or even “no cost” – if any maintenance or activity fee may be imposed on the account.  Therefore, it’s extremely important for an FI to fully understand the fee structure behind its “free” checking product when planning to advertise it as such.

Perception is Reality

Community FIs must first do their research to understand exactly what products and services they will be competing against when trying to win business from the big-bank customers in their area. By preparing a competitive analysis on products ahead of time – and taking the time to train front-line staff on the sales strategy – community FIs will be better equipped to answer the challenging questions they’ll undoubtedly receive from prospects.

The Extra Push

 A community FI may consider giving these anxious customers a little nudge in the right direction by offering an incentive for making the switch. Perhaps this is double card rewards during the first six months – or maybe a cash-back incentive for each debit transaction in the first year.  But remember, full disclosure of the promotion is important to satisfy regulatory requirements.

Download a complimentary copy of the paper, “Use Caution When Wooing Angry Bank Customers,” to read more advice on marketing to this new type of consumer.

  / READ MORE
Industry Issues

PolicyAid Available

By Andrea Stritzke November 1, 2011

The first thing examiners usually ask you for is your policies. And when they review them, they expect that they are updated with the most current regulatory changes. We have found that because regulations are changing so rapidly, credit unions have a difficult time keeping policies updated. So, we decided it was time to provide credit unions with a policy solution.

Our new policy resource, PolicyAid, is an online library of credit union policies that allows subscribers access to downloadable policies. The documents are customizable so that credit union staff can quickly adapt the policies to fit their own individual operations. 

PolicyAid will be available to subscribers via a password-protected portion of PolicyWorksLLC.com. The library will be updated on a quarterly basis to reflect new and amended regulations.

So, if you are looking for a resource to help you keep your policies current, check out PolicyAid.

  / READ MORE
Industry Issues

New Resource

By Andrea Stritzke October 25, 2011

I was alerted to a new website by our sister company TMG, so I wanted to share. TMG blogged about the new IDTheftinfo.org website. You can read TMG’s review, or check out the website for yourself. This is a great resource for credit unions and their members. So, add it to your ongoing list!

  / READ MORE
Industry Issues

NCUA October Newsletter

By Andrea Stritzke October 19, 2011

The NCUA recently issued its October newsletter. Included in the newsletter is a convenient “Rulemaking Calendar” which lists, among other things, recent NCUA rules, the stage of the rule, the last action date and the effective date for final rules. Here’s a link to the chart: NCUA Rules.

There are other good articles in the newsletter about risk management and statutory liens. It is worth the read!

  / READ MORE
Industry Issues