When the new final remittance rule was released by the CFPB, many of you probably assumed it didn’t apply to your credit union because you don’t do traditional remittance transfers. Well, if you do international wire transfers or international ACH transactions, it may apply to you.
/ READ MORE
Guest Blog by Tony Schwarz, Director of Risk Management, Affiliates Management Company
Is your credit union fully compliant with the new FFIEC authentication guidance? Your internet banking provider likely has a variety of security controls you can choose from to help protect your members’ accounts and transactions. However, another aspect of compliance is the NCUA exam. You will want to make sure you have an executed awareness program for your members and that you have performed a risk assessment based on the FFIEC guidance. After completing your risk assessment your credit union should be clear on what additional changes you may need to make internally with your credit union procedures, and which security/authentication options to implement with your internet banking site. The risk assessment will help you find the balance between too much security and not enough.
Building a risk assessment can be done in several ways. You may have incorporated the FFIEC analysis into your annual enterprise risk assessment process. Or maybe you’ve built a new document using a framework like the NIST 800-30 from the National Institute of Standards and Technology for IT risk assessments. If you are a smaller credit union or you just haven’t had the time to do it, you may need to outsource the risk assessment. Hopefully you’ve not ignored it because you will find that the examiners are certainly looking for it. The value of working through the process can help protect your members and also help highlight other changes that may be necessary in your internet banking security.
In collaboration with PolicyWorks, I recently worked with a credit union that needed their internet banking risk assessment completed. Our completed document included a variety of recommendations that helped the credit union finalize decisions and move towards a more secure internet banking site for their members. Although our process may be more detailed, at a very high level your own risk assessment process may look something like this:
- Select the risk assessment framework you will use (like NIST 800-30 found at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf) and study the structure.
- Gather the input information such as credit union policies, internet banking vendor documentation/options, decisions the credit union has made, documentation on processes performed by the credit union related to internet banking, specific information about which transactions (ACH, wires, bill pay) can be performed on the internet banking site, and what personally identifiable information is available on the site or on linked sites like bill pay.
- Document the threats, vulnerabilities, risks (that are present due to those threats and vulnerabilities), the controls that are in place (like out-of-band-authentication), the residual risk, and what recommendations exist for control improvements to address the residual risk.
In summary, credit unions should be ready to provide their internet banking risk assessment to NCUA as they will likely ask for it in your 2012 exam.
/ READ MORE
Holiday shopping is officially underway. ‘Cyber Monday’ was the largest in history. More people than ever are using computers to get their holiday shopping done, keep track of their finances, and store sensitive information. Online traffic is at an all-time high and the Federal Trade Commission (FTC) is taking notice.
The FTC has proposed a new rule under the Child Online Privacy Protection Act (COPPA). Some of the proposed changes could require credit unions to change their approach to parental consent for children under 13 using their online banking system.
/ READ MORE
Are you responsible for the task of policy development at your credit union but struggle with the how and where to start? PolicyWorks is excited to introduce our newest service, PolicyAid. PolicyAid is a comprehensive, online, policy library that will help your credit union develop and maintain policies as regulations change.
/ READ MORE
As you have probably heard me lament in previous posts, I have spent quite a bit of time this past year reviewing various policies for credit unions. Not all policies contain specific language required by the NCUA, but one policy that does have specific NCUA requirements is the Member Business Lending (MBL) policy.
/ READ MORE
There is no regulation that states you must have a succession plan, it’s simply good business practice. A succession plan is also something your regulator may ask to view and the lack of one could impact your Examination Strategic Risk Rating. So if succession planning is on your to do list then here are a few things to consider.
/ READ MORE
It would appear that Fall is truly upon us. You can definitely see the changes in the weather and in leaves turning different colors. There is another change for this Fall season that was just announced last week. The National Labor Relations Board will be delaying the effective date of the new employee rights poster rule to January 31, 2012.
/ READ MORE
