Federal Deposit Insurance Corporation (FDIC)
BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  


 Fair and Accurate Credit Transactions Act Final Interagency Regulations on Affiliate Marketing

The FDIC, the other federal financial institution regulatory agencies, the Securities and Exchange Commission, and the Federal Trade Commission have jointly published the attached final rules to implement the affiliate marketing provisions of the Fair Credit Reporting Act (FCRA) as amended by the Fair and Accurate Credit Transactions Act (FACT Act). The final rules implement Section 214 of the FACT Act, which generally prohibits a person from using information received from an affiliate to make a solicitation for marketing purposes to a consumer, unless the consumer




 FDIC Approves Implementation of Basel II Capital Rule

The Federal Deposit Insurance Corporation (FDIC) today approved the final rule implementing the Advanced Approaches of the Basel II Capital Accord. The new rules are a significant change in regulatory practice, in that they require some large banks to calculate capital requirements using their own internal, model-driven risk estimates.




 Annual Audit and Reporting Requirements - Proposed Amendments To Part 363

Summary: The FDIC is requesting comments on the attached proposed amendments to Part 363 of its regulations, which sets forth annual independent audit and reporting requirements for insured institutions with $500 million or more in total assets.




 FIL-95-2007: Office of Foreign Assets Control Specially Designated Nationals and Blocked Persons

Financial Institution Letter FIL-95-2007, October 31, 2007

Summary: The Department of the Treasury's Office of Foreign Assets Control has added new entries to its Specially Designated Nationals and Blocked Persons list.





 Agencies Issue Final Rules on Identity Theft Red Flags

The federal financial institution regulatory agencies and the Federal Trade Commission have sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.

The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft




 FDIC: Guidance to Help Financial Institutions and to Facilitate Recovery in Areas of California Affected by Major Fires

Financial Institution Letter

Supervisory Practices Regarding Depository Institutions and Borrowers Affected by Fire Damage in California




 Final Regulation R - Exceptions and Exemptions for Banks from the Definition of "Broker"

Financial Institution Letter FIL-92-2007, October 25, 2007

Summary: On October 3, 2007, the Board of Governors of the Federal Reserve System (Board) and the U.S. Securities and Exchange Commission (SEC) published the attached final rules that implement provisions of the Gramm-Leach-Bliley Act (GLBA) that except banks from the definition of "broker" under the Securities Exchange Act of 1934 when they conduct certain securities transactions.



 Agencies Issue Final Rules on Affiliate Marketing

The federal financial regulatory agencies issued final rules today that provide consumers with an opportunity to "opt out" before a financial institution uses information provided by an affiliated company to market its products and services to the consumer. The final rules on affiliate marketing implement section 214 of the Fair and Accurate Credit Transactions Act of 2003, which amends the Fair Credit Reporting Act (FCRA).




 FDIC Advisory Committee on Economic Inclusion to Examine Money Services Businesses' Access to Banking System

The FDIC Advisory Committee on Economic Inclusion (ComE-IN) will convene on October 24 to examine money services businesses (MSBs) and their access to banking services. The committee will hear from experts on the challenges facing the MSB industry as well as from bankers who have successful relationships with MSBs.





 Agencies Issue Final Rules On Expanded Examination Cycle for Certain Institutions

The federal bank and thrift agencies issued final rules on Friday expanding the range of small institutions eligible for an extended 18-month on-site examination cycle. The final rules allow well-capitalized and well-managed banks and savings associations with up to $500 million in total assets and a composite CAMELS rating of 1 or 2 to qualify for an 18-month (rather than a 12-month) on-site examination cycle.




 Regulatory Relief: Guidance to Help Financial Institutions and to Facilitate Recovery in Storm- and Flood-Affected Areas of Illinois

Summary: The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Illinois that suffered major damage from storms and flooding.




 Regulatory Relief: Guidance to Help Financial Institutions and to Facilitate Recovery in Additional Storm- and Flood-Affected Areas of Ohio And Wisconsin

Summary: In an update to FIL-75-2007, the Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in additional areas of Ohio and Wisconsin that are suffering from storms and flooding.




 Regulatory Relief: Guidance to Help Financial Institutions and to Facilitate Recovery in Storm- and Flood-affected Areas of Oklahoma

Summary: In an update to FIL-61-2007 and FIL-68-2007, the Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in additional areas of Oklahoma that are suffering from storms and flooding.




 Regulatory Relief: Guidance to Help Financial Institutions and to Facilitate Recovery in Storm- and Flood-Affected Areas of Minnesota, Wisconsin and Ohio

Summary: The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Minnesota, Wisconsin and Ohio that have suffered major damage from storms and flooding.




 Fraudulent Letters Claiming to Be From the Office of the Comptroller of the Currency

Fraudulent letters claiming to be from the Office of the Comptroller of the Currency are being sent to U.S. bank customers in an attempt to elicit funds.

The Office of the Comptroller of the Currency (OCC) has notified the Federal Deposit Insurance Corporation (FDIC) that fraudulent letters are in circulation that concern the release of funds supposedly under the control of the International Monetary Unit (IMU) of the European Commission in Belgium. The letter is being sent to U.S. bank customers and indicates that in accordance with international monetary policy, monies are being held until the recipient can produce the necessary documents, which include a Money Laundering/Drug Free Clearance Certificate and an Anti-Terrorist Clearance and Capital Transfer Certificate. According to the European Commission's recent warning, victims are directed to pay approximately $25,000 (U.S. dollars) to obtain these bogus documents.




 Bank Secrecy Act Revised Bank Secrecy Act/Anti-money Laundering Examination Manual

Summary: The Federal Financial Institutions Examination Council (FFIEC) released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual on August 24, 2007.

Highlights:

  • The FFIEC has released the 2007 version of the BSA/AML Examination Manual.
  • The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current



 Bank Secrecy Act Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements

Summary: The federal financial regulatory agencies have issued the attached statement setting forth the policy for enforcing specific anti-money laundering (AML) requirements of the Bank Secrecy Act (BSA).

Highlights:

  • On July 19, 2007, the federal financial regulatory agencies released the attached Interagency Statement on Enforcement of BSA/AML Requirements. The statement provides for greater consistency in enforcement decisions in BSA matters and offers insight into the considerations about those decisions.
  • The statement describes the circumstances and provides examples under which the agencies will issue a cease and desist order. Applicable statutes mandate that the appropriate agency shall issue a cease and desist order if a regulated institution fails to: (1) establish and maintain a BSA compliance program; or (2) correct a previously identified problem with its BSA compliance program.
  • The statement reflects the FDIC's current practices of enforcement regarding BSA compliance. It complements guidance provided in the Federal Financial Institutions Examination Council's BSA/AML Examination Manual, which was similarly designed to foster interagency consistency and transparency regarding the BSA examination process.



 Regulatory Relief: Guidance to Help Financial Institutions and to Facilitate Recovery in Storm- and Flood-affected Areas of Texas and Oklahoma

In an update to FIL-61-2007, dated July 6, 2007, the Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in additional areas of Texas and Oklahoma that are suffering from storms and flooding.

Highlights:

* Severe storms, tornadoes and flooding have caused significant damage to areas of Texas and Oklahoma.

* In Texas, 33 counties have now been declared federal disaster areas, with the addition of Guadalupe, Henderson, Nueces, Van Zandt, Walker and Zavala counties on August 7, 2007.




 FDIC Chairman Bair Welcomes the Basel II Agreement Among U.S. Banking Regulators

FDIC Chairman Sheila C. Bair today commented on an agreement in principle that has been reached between The Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Deposit Insurance Corporation regarding the implementation of Basel II in the United States. The agreement resolves major outstanding issues and will now lead to finalization of a rule implementing the advanced approaches for computing large banks' risk-based capital requirements.




 Guidance to Help Financial Institutions and to Facilitate Recovery in Storm- and Flood-affected Areas of Oklahoma and Texas

The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Oklahoma and Texas that suffered major damage from storms and flooding that started in May and continued through June




 Guidance to Help Financial Institutions and to Facilitate Recovery in Storm- and Flood-affected Areas of Nebraska, Missouri and Kansas

The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Nebraska, Missouri and Kansas that suffered major damage from storms and flooding that started in May and have continued into early July




 Fraudulent Correspondence Claiming to Be From the FDIC

Fraudulent correspondence bearing the FDIC's name continues to be mailed, faxed and e-mailed. This correspondence is being used in illegal schemes to collect sensitive personal information, such as bank account numbers, and to steal money and other assets.




 Fraudulent Correspondence Purportedly from the FDIC

The Office of the Comptroller of the Currency reports fraudulent letters that appear to be faxed by the Federal Deposit Insurance Corporation are circulating to financial institutions worldwide.




 Bank Secrecy Act Requests by Law Enforcement to Keep Accounts Open

The Financial Crimes Enforcement Network (FinCEN) has issued guidance to financial institutions to address law enforcement agency requests to keep open particular accounts.




 Bank Secrecy Act Suspicious Activity Report Supporting Documentation

The Financial Crimes Enforcement Network (FinCEN) has issued guidance reminding financial institutions to provide all documentation supporting the filing of a Suspicious Activity Report (SAR) upon request by FinCEN, appropriate law enforcement or a supervisory agency.




 Submitting Examination Data Institutions Now Able to Securely Exchange Electronic Examination Information with State Regulators using FDICconnect

Starting July 9, 2007, the FDIC will provide participating state bank regulators access to the FDICconnect Examination File Exchange system.




 FDIC Chairman Sheila C. Bair on the BSA’s Effectiveness and Efficiency

FDIC Chairman Sheila C. Bair today issued the following statement about Treasury Secretary Henry Paulson’s Remarks on Protecting the Financial System and Effective Implementation of the Bank Secrecy Act at the offices of the Financial Crimes Enforcement Network (FinCEN)




 FDIC's Summer 2007 issue of Supervisory Insights

Topics addressed in this issue include:

A discussion of the risks associated with third-party relationships and the effect failure to manage those risks can have on a financial institution

An overview of factors that have led to an increase in mortgage fraud, highlights of actual mortgage fraud cases in FDIC-insured institutions and mitigation steps t




 FDIC's Supervisory Insights Reports How Banks Can Mitigate Risks Associated With Third-party Arrangements

How banks can manage risks associated with third-party arrangements for products and services is reported in the FDIC's summer 2007 issue of Supervisory Insights, released today. Other topics covered are the need for vigilance toward mortgage fraud, challenges in maintaining wind insurance, the electronic exchange of documentation in bank examinations, and recent decisions affecting the accounting for split-dollar life insurance.




 BSA Delayed Implementation of Revised Suspicious Activity Report by Depository Institutions Form

The Financial Crimes Enforcement Network (FinCEN) has announced delayed implementation of the revised Suspicious Activity Report by Depository Institutions (SAR-DI) form. The revised form was scheduled to take effect on June 30, 2007, and become mandatory on December 31, 2007.




 FDIC Chairman Bair - on Improving Credit Card Consumer Protection

Statement Of Sheila C. Bair, Chairman, Federal Deposit Insurance Corporation on Improving Credit Card Consumer Protection: Recent Industry And Regulatory Initiatives before the Subcommittee On Financial Institutions and Consumer Credit of the Financial Services Committee,




 Fraudulent Facsimile Letters Claiming to Be From the FDIC

Fraudulent letters that claim to be from the FDIC are being faxed to financial institutions. The letters request that the financial institution provide a copy of its certification of foreign correspondent accounts.




 FDIC Office of Inspector General Reports Available on the Web

The following items were recently posted to the Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG) Web site: http://www.fdicig.gov/ under Publications. In cases where an OIG report includes sensitive or confidential information, the OIG may redact certain information in the report, and the report will be marked as such. In some instances because of the highly sensitive nature of the entire report, the OIG may not make the report publicly available and instead, a brief summary of the report is posted to the Web site.




 FDIC Regulatory Relief Guidance to Help Financial Institutions and to Facilitate Recovery in Storm- and Flood-Affected Areas of South Dakota

The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of South Dakota that suffered major damage from storms and flooding, which started on May 4, 2007.




 FDIC Letter on Bank Secrecy Act 2007 National Money Laundering Strategy

The U.S. Departments of Treasury, Justice, and Homeland Security have jointly released the 2007 National Money Laundering Strategy, which responds directly to the first U.S. Money Laundering Threat Assessment, released in December 2005.




 Latest FDIC Consumer News Features Faster Ways to Pay and Bank Using High-Tech Cards and Phones

New technologies are constantly adding speed, convenience and flexibility to practically everything we do -- including how we bank and pay for goods and services. The latest FDIC Consumer News (Spring 2007), published by the Federal Deposit Insurance Corporation, features a look at some revolutionary new ways to conduct daily financial transactions using high-tech cards and cell phones, along with tips for choosing and using these services. Also in this issue: advice for adjustable-rate mortgage (ARM) borrowers that may help them avoid losing their home if they are unable to make monthly payments when the interest rate goes up, and tips for avoiding inappropriate or fraudulent investments.

Speed Banking and Paying: The newsletter focuses on three new forms of technology that can make paying and banking faster and easier -- cards with a pre-loaded value, such as gift cards for purchases at stores and pre-paid debit cards for use at businesses as




 Guidance to Help Financial Institutions and to Facilitate Recovery in Kiowa County, Kansas

The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in Kiowa County, Kansas, which suffered major damage from tornadoes on May 4, 2007.




 Bank Secrecy Act Wolfsberg Group, Clearing House Joint Statement on Payment Message Standards

Summary: The Wolfsberg Group and The Clearing House Association L.L.C. have issued the attached joint statement endorsing measures to enhance the transparency of international wire transfers.

Financial Institution Letter FIL-37-2007

Highlights:

To promote the effectiveness of global anti-money laundering and anti-terrorist financing programs, The Wolfsberg Group and The Clearing House Association L.L.C. have announced a statement for change in international wire transfer practices.

  • The following actions are endorsed: (1) the creation of a new or enhanced SWIFT (Society for Worldwide Interbank Financial Telecommunication) payment message format for third-party cover payments; and (2) the adoption of basic message standards by the banking industry.
  • Four basic payment message standards were developed to enhance transparency of international payments and promote the effectiveness of risk-based programs.



 Fraudulent Letters Claiming to Be From the FDIC

Letters fraudulently claiming to be from the FDIC are requesting that financial institutions deposit official or cashier's checks into customer accounts. The Federal Deposit Insurance Corporation (FDIC) has become aware of letters that appear to be sent from the FDIC to financial institutions in the United States and other countries. The letters instruct the financial institution to deposit an enclosed official or cashier's check into a customer's account. The letters include "DEPOSIT ACCLERATION" directly below the letterhead and display the forged signatures of "Sandra L. Thompson, Director" and "Christopher J. Spoth, Acting Director 2." The letters are fraudulent and were not sent by the FDIC.




 FDIC Makes Available on Its Web Site New Government-Wide ID Theft Home Page

The Federal Deposit Insurance Corporation (FDIC), a participant in the government-wide Identity Theft Task Force, will provide a direct link to the new, centralized government Web site on identity theft. The new site, www.idtheft.gov, was launched today. Initially, the site will provide the Task Force's Strategic Plan. The Plan, which represents the input of 17 Federal agencies, including the FDIC, sets out recommendations to prevent identity theft, to assist identity theft victims in recovering from those crimes, and to prosecute and punish identity theft-related criminals. The Plan will be made public today. The Task Force was created on May 10, 2006, by Executive Order to strengthen Federal efforts to protect against identity theft. For more information on the site, you can visit either www.idtheft.gov or www.fdic.gov.




 Regulatory Relief Guidance to Help Financial Institutions and to Facilitate Recovery in Curry County and Quay County, New Mexico

The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in counties most affected by recent severe storms and tornadoes in eastern New Mexico.

Highlights:

* Severe storms and tornadoes that occurred on March 23 and 24 have resulted in significant damage in Curry County and Quay County, New Mexico.

* Curry County and Quay County were declared Federal Disaster Areas on April 2.

* The FDIC is encouraging banks to work constructively with borrowers who are experiencing difficulties beyond their control because of damage caused by the storms.

* Extending repayment terms, restructuring existing loans or easing terms for new loans, if done in a manner consistent with sound banking practices, can contribute to the health of the community and serve the long-term interests of the lending institution.

* The FDIC will also consider regulatory relief from certain filing and publishing requirements for banks in the affected areas.




 Privacy of Consumer Financial Information Proposed Model Privacy Form

Summary: The FDIC, the other federal financial institution regulatory agencies, the Securities and Exchange Commission, the Federal Trade Commission, and the Commodity Futures Trading Commission (the agencies) have jointly published the attached Notice of Proposed Rulemaking (NPR) seeking comment on a model privacy form that financial institutions could use to satisfy the privacy notice requirements of the Gramm-Leach-Bliley Act (GLBA). The proposed privacy form would also provide consumers with the opportunity to limit certain information-sharing practices, as permitted by the GLBA and the Fair Credit Reporting Act. Comments on the proposed rule are due by May 29, 2007.




 Supervisory Policy on Identity Theft - FDIC

Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly. This policy statement describes the characteristics of identity theft and emphasizes the FDIC's well-defined expectations that institutions under its supervision detect, prevent and mitigate the effects of identity theft in order to protect consumers and help ensure safe and sound operations.




 Agencies Seek Comment on Expanded Examination Cycle for Certain Institutions

The federal bank and thrift agencies on Tuesday requested public comment on proposed interim rules expanding the range of small institutions eligible for an extended 18-month on-site examination cycle. The proposed interim rules allow well-capitalized and well-managed banks and savings associations with up to $500 million in total assets and a composite CAMELS rating of 1 or 2 to qualify for an 18-month (rather than a 12-month) on-site examination cycle.

Until recently, only institutions with less than $250 million in total assets could qualify for an extended 18-month on-site examination cycle. The proposed interim rules also revise the provisions governing the on-site examination cycle for the U.S. branches and agencies of foreign banks.




 Regulatory Relief Guidance to Help Financial Institutions and to Facilitate Recovery in Alabama and Georgia

Highlights:

- Severe thunderstorms and tornadoes have resulted in significant damage in Sumter County, Georgia, and Coffee County, Alabama.

- The FDIC is encouraging banks to work constructively with borrowers who are experiencing difficulties beyond their control because of damage caused by the storms.

- Extending repayment terms, restructuring existing loans or easing terms for new loans, if done in a manner consistent with sound banking practices, can contribute to the health of the community and serve the long-term interests of the lending institution.

- The FDIC will also consider regulatory relief from certain filing and publishing requirements.




 Suspicious Activity Report (SAR) Revised To Support Joint Filing and Reduce Duplicate SARs

The Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced Thursday that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) has been revised to support a new joint filing initiative, which will reduce the number of duplicate SARs filed for a single suspicious transaction. The revisions are the result of a joint effort by FinCEN and the federal banking agencies.




 Federal Regulators Seek Public Comment on Model Privacy Notice

Eight federal regulators on Wednesday released a notice of proposed rulemaking (NPR) requesting comment on a model privacy form that financial institutions can use for their privacy notices to consumers required by the Gramm-Leach-Bliley Act (GLB Act). The privacy notices must describe an institution's information sharing practices, and, for certain types of sharing, consumers have the right to opt out. The notices must be provided when a consumer first becomes a customer of a financial institution and then annually for as long as the customer relationship lasts.

Last October, President Bush signed into law the Financial Services Regulatory Relief Act of 2006, amending the GLB Act to require the agencies to propose a model form that is succinct and comprehensible to consumers, allows consumers easily to compare privacy practices of financial institutions, and uses easily readable type font.




 Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act

The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the Agencies) are proposing amendments to their rules that implement the privacy provisions of the Gramm-Leach-Bliley Act (GLB Act), Title V, Subtitle A. These rules require financial institutions to provide initial and annual privacy notices to their customers. As required under Section 728 of the Financial Services Regulatory Relief Act of 2006 (Regulatory Relief Act or Act), the Agencies are proposing a safe harbor model privacy form that financial institutions may use to provide disclosures under the privacy rules.




 Capital Standards Proposed Interagency Supervisory Guidance for Banks That Would Operate Under the Proposed New Basel II Framework

Summary: The federal bank and thrift regulatory agencies are seeking comment on the attached proposed guidance describing current agency expectations for banking organizations that would adopt the Advanced Internal Ratings-Based Approach (IRB) for credit risk and the Advanced Measurement Approaches (AMA) for operational risk under the proposed new Basel II capital framework. The proposed guidance also establishes the process for supervisory review and the implementation of the capital adequacy assessment process under Pillar 2 of the Basel II framework. The FDIC will accept comments on the proposed guidance through May 29, 2007.


 Regulatory Relief Guidance to Help Financial Institutions and Facilitate Recovery in Areas Affected by Severe Storms in Central Florida

The Federal Deposit Insurance Corporation (FDIC) recognizes the serious impact of the recent severe storms and tornadoes in central Florida on the operations of financial institutions and will provide regulatory assistance to institutions subject to its supervision. These initiatives are being taken to provide regulatory relief and facilitate recovery. The FDIC encourages depository institutions in the affected disaster areas to meet the financial service needs of their communities.


 Fraudulent Emails Claiming to Be From the FDIC or VeriSign

E-mails fraudulently claiming to be from the FDIC or VeriSign, Inc. are attempting to deceive financial institutions into installing unknown software on their computer networks.

The Federal Deposit Insurance Corporation (FDIC) has become aware of e-mails that appear to be sent from the FDIC or VeriSign, Inc. and ask recipients to run a "security guard script" to secure Web sites. Currently, the e-mails are purportedly from "FDIC Legal Information Technology," "FDIC Information Security," or "Verisign Inc." and the subject lines include the phrase "Regular Security Maintenance" or "Regular Hosting Security Maintenance." The e-mails are fraudulent and were not sent by the FDIC or VeriSign, Inc.


 Agencies Seek Public Comment on Proposed Supervisory Guidance for Basel II

The federal bank and thrift regulatory agencies on Thursday announced that they will seek public comment on three proposed supervisory guidance documents related to the September 2006 notice of proposed rulemaking (NPR) on new risk-based capital requirements in the United States for large, internationally active banking organizations.

The September 2006 NPR detailed the agencies' proposal for implementing the new capital framework issued by the Basel Committee on Banking Supervision in 2004 (Basel II). The proposed U.S. Basel II capital framework would be mandatory for large, internationally active U.S. banking organizations and optional for other institutions. The Basel II NPR includes requirements that banking organizations would need to satisfy to calculate their risk-based capital under the proposed new capital framework. The proposed supervisory guidance provides information to assist bankers, as well as supervisors, in addressing the Basel II qualification requirements.


 Hurricane Katrina Reminder of Supervisory Guidance for Financial Institutions Affected by Hurricane Katrina

The federal financial regulatory agencies have jointly issued the attached reminder of Supervisory Guidance for Financial Institutions Affected by Hurricane Katrina (Katrina Guidance Reminder). The Katrina Guidance Reminder reemphasizes that working constructively with borrowers is in the long-term best interest of both the financial institution and the customer.

Highlights:

The Katrina Guidance Reminder recognizes that many communities and families may need an extended period of time to recover from the unprecedented magnitude of the devastation caused by Hurricane Katrina.


 Exceptions for Banks from the Definition of Broker – Proposed Regulation R

The FDIC is notifying FDIC-supervised banks of the attached joint proposed rulemaking by the Securities and Exchange Commission (SEC) and the Board of Governors of the Federal Reserve System that would implement the statutory exceptions from the definition of "broker" contained in the Gramm-Leach-Bliley Act (GLBA). The proposed regulation was drafted in consultation with the FDIC, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, and is designed to protect investors in a manner that does not unduly disrupt current bank business practices. Comments are due to the SEC or the Federal Reserve by March 26, 2007.


 Revised Compliance Examination Handbook Now Available

Summary: The FDIC has revised its Compliance Examination Handbook. The new handbook contains the FDIC's compliance examination policies and procedures in effect as of June 2006. It also includes revised Community Reinvestment Act (CRA) examination procedures and performance evaluations. The handbook will be available in electronic format only and can be accessed on the FDIC's Web site at http://www.fdic.gov/regulations/compliance/handbook/index.html.


 Mortgage Loan Fraud Industry Assessment Based on Suspicious Activity Report Analysis

The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has prepared an assessment of mortgage loan fraud, which it based on its analysis of Suspicious Activity Reports (SARs). Financial institutions offering mortgage loan products may find the assessment useful. The assessment, entitled "Mortgage Loan Fraud," is available on FinCEN's Web site at http://www.fincen.gov/mortage_fraud.html.


 Complex Structured Finance Activities Interagency Statement on Sound Practices for Activities With Elevated Risk

Summary: The FDIC, along with the other federal banking agencies and the Securities and Exchange Commission, is issuing the attached final Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities (Final Statement). The Final Statement describes the types of internal controls and risk-management policies and procedures that the agencies have found to be useful in identifying, managing and addressing the potentially heightened legal or reputational risks that may arise from certain complex structured finance transactions.


 FDIC's Supervisory Insights Reports How Banks Can Effectively Handle Security Breaches Through Incident Response Programs

How a financial institution can create an effective incident response program to mitigate a data security breach is reported in the FDIC's winter 2006 edition of Supervisory Insights, released today. Other topics covered in today's edition are: an update on CRE lending nationwide, with a look at best practices in CRE concentrations, particularly for identifying, monitoring and controlling risk in this lending area; the increasing number of unfair or deceptive acts or practices, and how examiners identify and address those violations; and highlights of recent USA PATRIOT Act changes and the types of Bank Secrecy Act (BSA)-related violations that examiners are citing.


 Deposit Insurance Assessments - Final Rule on Part 327 – Operational Processes Governing the Deposit Insurance Assessment System

The FDIC Board of Directors has approved the attached final rule to amend Part 327 of the FDIC Rules and Regulations. The amendments are being made simultaneously with amendments implementing the Federal Deposit Insurance Reform Act of 2005, and are intended to make the deposit insurance assessment system react more quickly and more accurately to changes in institutions' risk profiles and to ameliorate several causes for complaint by insured depository institutions. The final rule takes effect on January 1, 2007.


 FDIC Approves New Risk-Based Premiums for Deposit Insurance

The Federal Deposit Insurance Corporation (FDIC) today adopted final regulations that implement the Federal Deposit Insurance Reform Act of 2005 passed by Congress earlier this year to create a stronger and more stable insurance system. Among the final regulations is a new rule on the risk-based assessment system that will enable the FDIC to more closely tie each bank's premiums to the risk it poses to the deposit insurance fund. In addition, the FDIC has new flexibility to manage the deposit insurance fund's reserve ratio within a range, which in turn will help prevent sharp swings in assessment rates that were possible under the design of the former system.

"Throughout the FDIC's push for deposit insurance reform, our goals have been to provide for long-term stability and less procyclicality in the deposit insurance system," said FDIC Chairman Sheila C. Bair. "This new system will enable the FDIC to achieve our goals, and also will add incentives for good risk management at insured institutions."


 Sandra L. Thompson Appointed Director of the Division of Supervision and Consumer Protection; Spoth and Lane to Assume New Responsibilities in DSC Realignment

FDIC Chairman Sheila C. Bair announced today that Sandra L. Thompson has been named Director of the Federal Deposit Insurance Corporation's Division of Supervision and Consumer Protection (DSC). In addition, Christopher J. Spoth has been named Senior Deputy Director, Supervisory Examinations; and John Lane will assume leadership of a newly created unit dedicated to large, complex financial institutions.

"I am very pleased to make this announcement today," said Chairman Bair. "Sandra Thompson has repeatedly demonstrated her strengths and capability as a senior FDIC executive. Since she was named Acting Director of DSC in February of this year, she has shown exceptional leadership skills and vision. I am confident she will ensure the FDIC continues to fulfill its supervision and consumer protection mandates. Chris and John have also proven themselves to be effective leaders with many years of supervisory experience. Working under Sandra's leadership, they will continue the proud tradition of the FDIC examination corps for excellence and professionalism."


 Jesse O. Villarreal, Jr., Appointed Chief of Staff to FDIC Chairman Sheila Bair

FDIC Chairman Sheila C. Bair today announced the appointment of Jesse O. Villarreal, Jr., as her Chief of Staff, effective October 24, 2006. As Chief of Staff, Mr. Villarreal will oversee all of the day-to-day operations of the Chairman's office.

"I am very pleased that Jesse has agreed to serve as my Chief of Staff," said Chairman Bair. "Jesse has served with distinction throughout his career, most recently as Senior Advisor to the Assistant Secretary for Financial Markets at the Department of the Treasury. During my tenure as Assistant Secretary for Financial Institutions at Treasury, Jesse served as my Special Assistant. So I am well aware of his strong leadership skills, sound judgment and extensive government experience, particularly in the financial services field. With these attributes, Jesse will certainly be a valuable asset to me and to our entire management team."


 Fraudulent E-Mail Claims to Be From the FDIC

The Federal Deposit Insurance Corporation (FDIC) has become aware of fraudulent e-mails appearing to be from the FDIC. The e-mails ask recipients to click on a hyperlink titled "Take the Corrective Action – Implement the LinkBank System." When accessed, the hyperlink takes the individual to a "spoofed" FDIC Web page. At that point, the individual is directed to provide online banking information, including bank name, username, and password.

The fraudulent e-mails appear in "memo format" and are purportedly from "Russell A. Rau, Assistant Inspector General for Audits." The e-mails include a "Subject" line that states: "Division of Supervision and Consumer Protection's Risk-Focused Compliance Examination Process for [recipient's name inserted] (Report No. 05-038)."


 FDIC to Hold Identity Theft Symposia

The Federal Deposit Insurance Corporation (FDIC) has announced that it will hold its next symposia on the importance of consumer confidence in e-commerce on October 5th in Mesa, Arizona, and on October 25th in Miami Beach, Florida. The half-day meetings will bring together experts from government and the private sector to discuss ways to combat online identity theft and help maintain public confidence in e-commerce.

Opening the October 5th meeting will be keynote speaker Kelvin Boston, financial journalist, author and entrepreneur, and host of PBS's Moneywise with Kelvin Boston. Mr. Boston will provide an overview of the challenges and opportunities that businesses and consumers face in e-commerce. Panel discussions will follow with topics that include: Ensuring Integrity in Payment Systems; Building Confidence by Managing Risk in E-Commerce; and Consumer Rights and Resources in an E-Commerce World.


 Statement of Sheila C. Bair Chairman Federal Deposit Insurance Corporation on the Interagency Proposal Regarding the Basel Capital Accord

Statement of Sheila C. Bair, Chairman, Federal Deposit Insurance Corporation, on the Interagency Proposal Regarding the Basel Capital Accord; before the Committee on Banking, Housing and Urban Affairs; U.S. Senate; 10:00 A.M.; Room 538, Dirksen Senate Office Building; September 26, 2006

Chairman Shelby, Senator Sarbanes and members of the Committee, I appreciate the opportunity to testify on behalf of the Federal Deposit Insurance Corporation (FDIC) concerning the Basel II international capital accord.

The U.S. banking system is a network of institutions that are highly leveraged and whose financial health bears directly on the health of our broader economy. Significant problems or a lack of financial flexibility at many small banks, or at one or more large systemically important banks, can have contagion effects that impose significant costs on the deposit insurance funds and the overall economy.


 Risk Based Capital Rules - Proposed Rule on Risk-Based Capital Standards: Market Risk

Summary: The federal bank and thrift regulatory agencies have jointly issued the attached notice of proposed rulemaking (NPR) on possible modifications to the risk-based capital standards for market risk. The proposed rule would incorporate improvements to the current trading book regime as proposed by the Basel Committee on Bank Supervision and the International Organization of Securities Commissions in the joint document The Application of Basel II to Trading Activities and the Treatment of Double Default Effects, published in July 2005. The proposed rule would also apply to certain savings associations, which currently are not covered under the rule. The FDIC will accept comments on the NPR through January 23, 2007.

Highlights:
The proposed rule:

- Applies to banks with aggregate trading assets and liabilities equal to 10 percent or more of quarter-end total assets as reported on the most recent quarterly Call Report or Thrift Financial Report, or equal to $1 billion or more.


 Proposed Rule on Risk-Based Capital Standards: Advanced Capital Adequacy Framework

Summary: The federal bank and thrift regulatory agencies have jointly issued and are seeking comment on the attached notice of proposed rulemaking (NPR) concerning the domestic application of selected elements of the Basel II capital framework. The proposed rule would require some core banks, and permit other banks, to use an internal ratings-based approach to calculate regulatory credit risk capital requirements and an advanced measurement approach to calculate regulatory operational risk capital requirements. The FDIC will accept comments on the proposal through January 23, 2007.

Highlights:

In the attached NPR, the agencies:

- Propose to apply the rule to banking organizations that (i) have consolidated assets equal to $250 billion or more; (ii) have consolidated total on-balance sheet foreign exposures of $10 billion or more; (iii) elect to use the proposed rule; or (iv) are subsidiaries of a bank or bank holding company that uses the proposed rule.


 Fraudulent E-Mail Claims to Be From the FDIC

E-mails fraudulently claiming to be from the FDIC are attempting to trick recipients into installing unknown software on personal computers. These e-mails falsely indicate that recipients should install software that was developed by the FDIC and other agencies. The software may be a form of spyware or malicious code and may collect personal or confidential information.

The Federal Deposit Insurance Corporation (FDIC) is aware of e-mails appearing to be sent from the FDIC that are asking recipients to install unknown software on personal computers. Currently, the subject line of the e-mail includes the phrase "Urgent Notification - Security Reminder." The e-mail is fraudulent and was not sent by the FDIC.


 Agencies Seek Public Comment on Basel II and Market Risk Proposed Rulemakings

The federal bank and thrift regulatory agencies announced today that they will request public comment on a notice of proposed rulemaking (NPR) that would implement new risk-based capital requirements in the United States for large, internationally active banking organizations. The NPR details the agencies' plans for implementing the Basel Committee on Banking Supervision's (BCBS) new capital accord (Basel II) that was issued in 2004. The agencies also will request comment on proposed Basel II supervisory reporting templates.

The Federal Reserve Board (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision (OTS) first adopted risk-based capital standards in 1989. Those standards were based on the Basel Capital Accord that the BCBS originally issued in 1988 (Basel I). For banking organizations that meet qualifying criteria, the Basel II NPR would replace U.S. rules implementing Basel I. The proposed framework would be mandatory for large, internationally active banking organizations and optional for others.


 Safeguarding Examination Information Updated Procedures Issued for FDIC Examination Staff

The FDIC is enhancing the protection of examination information and other sensitive data, and has issued updated procedures to its examination staff on safeguarding this information.

Highlights:

The updated procedures provide additional protection to bank data that may be sensitive as defined by the Gramm-Leach-Bliley Act.

The procedures specify minimum standards for the technical, physical and administrative safeguards used to protect examination information.

The procedures provide guidance for the implementation of an Information Security Incident Response Program.


 Consumer Alert - Fraudulent E-Mail Claims to Be From the FDIC

E-mails to financial institution customers that fraudulently claim to be from the FDIC attempt to obtain highly sensitive personal information, including bank account information. These e-mails falsely indicate that consumers can enroll in an "FDIC protection system" to insure bank accounts against certain types of fraudulent activities.

The Federal Deposit Insurance Corporation (FDIC) has received numerous notifications from consumers of an e-mail that has the appearance of being sent from the FDIC. The "From" line of the e-mail displays the name "Federal Deposit Insurance Corporation" and the subject includes the phrase "IMPORTANT: Notification of Federal Deposit Insurance Corporation."


 Deposit Insurance Assessments Proposed Rules on Risk-Based Assessments, the Designated Reserve Ratio, and Assessment Penalties

The FDIC Board of Directors is seeking comment on the three attached proposed rules. The first proposed rule would create a new system for risk-based assessments. The second proposed rule would set the designated reserve ratio (DRR) at 1.25 percent. The third proposed rule would govern the penalties for failure to pay assessments. The Federal Deposit Insurance Reform Act of 2005 requires the FDIC to prescribe final regulations by November 5, 2006. Comments on the first two proposed rules are due by September 22, 2006; comments on the third rule are due by September 18, 2006.

Assessments

Risk Categories: The FDIC proposes to consolidate the existing nine assessment rate categories into four.

Small well-capitalized, well-managed institutions: The FDIC proposes to combine CAMELS component ratings with current financial ratios to determine assessment rates applicable to a small well-capitalized, well-managed institution.


 Official FDIC Sign and Advertising of FDIC Membership Notice of Proposed Rulemaking

The FDIC Board of Directors has approved the attached notice of proposed rulemaking to replace the two separate official FDIC signs - one for insured banks, and the other for insured savings associations - with one new official sign that all FDIC-insured depository institutions would be required to display where deposits are received. The notice of proposed rulemaking would also require both banks and savings associations to use the official advertising statement ("Member FDIC") in advertisements that specifically promote deposit products and services or generally promote banking services. The proposed rulemaking would revise Part 328 of the FDIC Rules and Regulations, which governs official FDIC signs and advertising of FDIC membership. Comments on these proposals and related matters are due by September 15, 2006.


 FDIC Proposes New Risk-Based Insurance Assessment System

The FDIC's Board of Directors today approved for public comment two proposed rules governing deposit insurance assessments under the Federal Deposit Insurance Reform Act of 2005. One proposal would create a new system that would more closely tie what banks pay for deposit insurance to the risks they pose. It also would adopt a new base schedule of rates that the FDIC Board could adjust up or down, depending upon the revenue needs of the insurance fund. The second proposal issued today would continue to set the designated reserve ratio (DRR) for the fund at 1.25 percent of estimated insured deposits.

"The proposed new system of risk-based assessments would allow the FDIC to adhere more closely to sound insurance principles because the safer an institution is, the less it will pay for deposit insurance," said FDIC Chairman Sheila Bair. "We hope that most FDIC-insured institutions will find our proposals reasonable and fair, and we look forward to receiving comments."


 Banks, Regulators Should Reassess Operational Planning, FDIC

"Operational risk management" increasingly viewed as distinct discipline due to growing complexity of the industry, recent large operational losses

The increasing importance of banks' "operational risk management" (ORM) processes and how ORM is evolving as a distinct discipline are highlighted in the FDIC's summer 2006 issue of Supervisory Insights released today. Other topics covered include disaster planning for banks, with a look back at some of the challenges banks faced during the hurricane seasons of 2004 and 2005, and enforcement actions taken against individuals in 2005, with a particular focus on bank losses resulting from insider misconduct or fraud.


 The Suspicious Activity Report Activity Review, May 2006 Issue

The tenth (May 2006) issue of The SAR Activity Review – Trends, Tips, & Issues, published by the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), is now available.

Highlights:

- On May 31, 2006, FinCEN released the tenth edition of The SAR Activity Review – Trends, Tips & Issues. This issue focuses on the money services business (MSB) industry.

- Article topics include the use of Suspicious Activity Reports (SARs) to detect unregistered MSBs and guidance on registration and deregistration of a business as an MSB.

- This issue also identifies current trends in mortgage loan fraud, as well as filing activity and detection of unlicensed/unregistered MSBs.


 Sheila C. Bair Sworn in as 19th Chairman of the Federal Deposit Insurance Corporation

Sheila C. Bair was sworn in today as the 19th Chairman of the Federal Deposit Insurance Corporation (FDIC). Martin J. Gruenberg, Vice Chairman of the FDIC, had served as Acting Chairman since Donald E. Powell resigned on November 15, 2005.

"I am pleased to be joining the FDIC at such an important time. There are many critical issues facing the agency – from implementation of deposit insurance reform to our ongoing work on Basel II and IA," said Chairman Bair. "I've spent most of my career in the financial services arena, focusing on the banking sector in recent years, so I am very familiar with the FDIC's important work. I am looking forward to the challenges that lie ahead, and working closely with our highly experienced Board and excellent staff.


 Foreign-Based Third-Party Service Providers Guidance on Managing Risks in These Outsourcing Relationships

Financial institutions have traditionally used domestic third-party service providers to handle their technology, data processing and other needs, such as call center services. However, with increasing frequency, institutions have been presented with opportunities to enter into contractual arrangements with foreign-based third-party service providers (FBTSPs) to fulfill those needs. Moreover, U.S.-based third-party service providers are subcontracting substantial portions of their operations to entities located outside of the United States. In its 2004 study of offshore outsourcing of data services to identify both consumer and safety and soundness risks associated with offshore data processing,[1] the FDIC learned that financial institutions may be unaware of such subcontracting arrangements or, if they are aware, are not adequately monitoring the relationship.

The increased use of FBTSPs by U.S. financial institutions and U.S. third-party service providers is due, in large part, to the potential cost savings that are achievable as low-wage, yet highly qualified, labor pools are tapped in foreign countries. However, as with any sound business decision, financial institutions cannot accept the benefits while ignoring the potential risks.


 Updated Standard Flood Hazard Determination Form

The Federal Emergency Management Agency (FEMA) has issued the attached revised Standard Flood Hazard Determination Form, which includes a new Office of Management and Budget (OMB) control number and a revised expiration date of October 31, 2008. The form's format and content have not changed. The updated form must be used beginning July 1, 2006.

Highlights:

- FDIC-supervised banks must use FEMA's Standard Flood Hazard Determination Form when determining whether a building or mobile home offered as security for a loan will be located in a Special Flood Hazard Area. This requirement is pursuant to the National Flood Insurance Reform Act of 1994 and FDIC regulations (12 CFR 339.6).


 FDIC Receives Award for Telework Technology

The FDIC received an award June 15 for its innovative use of technology to support employees who telecommute.

The Telework Exchange, a public-private partnership focused on eliminating telework gridlock, recognized the FDIC with a 2006 Telework Exchange Tele-Vision Award. The award was conferred in the category of Innovative Application of Technology to Support Telework.

The FDIC provides an array of remote access services to support its telecommuting and mobile users. Services include a Remote Client Network (RCN), a Virtual Private Network (VPN) and a dial-up service.

A recent addition to the FDIC's services is a "token" employees can use with any computer that has Internet access and a Web browser. This service—the Web Enabled Remote Client Network (WebRCN)—provides employees with secure access to commonly used software applications from their home computers, FDIC-issued laptop computers, conference computer-cafes and cybercafés. The token generates random alphanumeric passwords each time the device is turned on—a password is good for one logon. This feature enables virtually every eligible FDIC employee with access to a computer to participate in the FDIC's Telework Program.


 Agencies Issue Lessons Learned from Hurricane Katrina

Preparing Your Institution for a Catastrophic Event

The member agencies of the Federal Financial Institutions Examination Council (FFIEC) and the Conference of State Bank Supervisors today announced the release of LESSONS LEARNED FROM HURRICANE KATRINA: Preparing Your Institution for a Catastrophic Event. The booklet relays financial institutions' experiences and lessons learned in the aftermath of Hurricane Katrina that other institutions may find helpful in considering their readiness for a catastrophic event.


 FDIC - Consumer Alert

FDIC Consumer Call Centers in Kansas City, Missouri, and Washington, D.C., have begun receiving a large number of complaints by consumers who received an e-mail that has the appearance of being sent from the FDIC. The e-mail informs the recipient that Department of Homeland Security Director Tom Ridge has advised the FDIC to suspend all deposit insurance on the recipient’s bank account due to suspected violations of the USA PATRIOT Act. The e-mail further indicates that deposit insurance will be suspended until personal identity, including bank account information, can be verified.

This e-mail was not sent by the FDIC and is a fraudulent attempt to obtain personal information from consumers. Financial institutions and consumers should NOT access the link provided within the body of the e-mail and should NOT under any circumstances provide any personal information through this medium.


 Federal Deposit Insurance Agency - 2006 Annual Performance Plan

The FDIC insures bank and savings association deposits to help ensure stability and public confidence in the U.S. financial system. The deposit insurance funds must remain viable so that adequate funds are available to protect insured depositors if an institution fails. When an insured institution fails, the FDIC is responsible for ensuring that the institution's customers have timely access to their insured deposits.


 Examination Procedures for the New Regulations on Medical Information

The Federal Financial Institutions Examination Council (FFIEC) Task Force on Consumer Compliance has approved the attached examination procedures to assess compliance with the medical information regulations that became effective on April 1, 2006. The regulations implement the Protection of Medical Information provisions of the Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The new procedures are effective with the issuance of this FIL.

Highlights:

- The attached examination procedures for the medical information regulations are the first in a series of amendments to FCRA examination procedures that were released with FIL-18-2006 on February 22, 2006.




 Richard Hartt Named Deputy Director of FDIC's Division of Information Technology

Richard W. Hartt has been named Deputy Director of the Federal Deposit Insurance Corporation's (FDIC) Division of Information Technology (DIT). Mr. Hartt will head the division's Enterprise Technology Branch.

"Rick has an extensive background in all areas of information technology, including strategic planning, enterprise architecture, data architecture, and performance measurement," said Michael Bartell, CIO and DIT Director. "Rick brings significant experience to the FDIC and the IT division and I am excited to have him on our executive team."




 Identity Theft Prevention

On May 22, 2006, the U.S. Department of Veterans Affairs (VA) published a notice that electronic data on approximately 26.5 million veterans and some spouses may have been compromised. The VA is working with law enforcement, Congress, the media, veteran services, and other government agencies to ensure that veterans and their families are protected against potential misuse of that data. Please refer to the VA Web site at www.va.gov for additional information on this security incident. While no specific fraud related to the VA incident has been detected, the growing trend of data breaches occurring in both the private and public sectors raises concerns that personal information may be used to commit identity theft.

The FDIC, as a member of the President's Identity Theft Task Force, urges financial institutions to be vigilant against the misuse of personal information for both new and existing customers. Additionally, financial institutions have an obligation to verify the identity of persons seeking to open new accounts and to safeguard customer information against unauthorized access or use.




 FDIC Acting Chairman Gruenberg Outlines Basel II Capital Objectives

In a speech today before the Conference of State Bank Supervisors in Norfolk, Virginia, Federal Deposit Insurance Corporation Acting Chairman Martin Gruenberg outlined overall capital objectives contained in the proposed rule for proceeding with Basel II in the U.S. Basel II is a new, international standard for the way the largest banks calculate their capital levels.

"Basel II was intended to bring about technical improvements in the risk-sensitivity of bank capital in the United States while broadly maintaining the overall level of risk-based capital requirements," Acting Chairman Gruenberg told the group. "I think those are both worthy goals, and the achievement of both goals is essential for the safety and soundness of the U.S. banking system."




 Deposit Insurance Assessment - Proposed Rules on Credits, Dividends, and Procedural and Operational Changes to Assessment Regulations

The FDIC Board of Directors is seeking comment on the attached three proposed rules governing deposit insurance assessments under the Deposit Insurance Reform Act of 2005. The proposed rules would implement a one-time assessment credit, dividends, and procedural and operational changes to the assessment regulations. The Reform Act requires the FDIC to prescribe the credit and dividend regulations by November 5, 2006. Comments on the three proposed rules are due by July 17, 2006.

Highlights:

- One-Time Assessment Credit: The Reform Act mandates a one-time assessment credit of approximately $4.7 billion to be allocated to each "eligible insured depository institution" or its "successor" to acknowledge contributions by institutions to build up the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF). The first proposed rule would define "successor" as the resulting institution in a merger or consolidation involving an institution that was eligible for the one-time credit. The proposed rule also seeks comment on alternative definitions of successor. The FDIC has developed a Web-based search tool, accessible through www.fdic.gov/deposit/insurance/reform.html, which allows an institution to find its preliminary estimated one-time assessment credit amount based on the notice of proposed rulemaking.




 Latest FDIC Consumer News Features the Top 10 Misconceptions About FDIC Deposit Insurance

While most people have a pretty good idea about how FDIC insurance works, a surprisingly large number of consumers have potentially costly misconceptions. The biggest concern: Some depositors who believe that their funds are fully insured may inadvertently have some money over the insurance limits and risk losing that portion if their bank fails. The Spring 2006 FDIC Consumer News, published by the Federal Deposit Insurance Corporation, offers a guide to understanding FDIC insurance coverage and making sure that all of a family's accounts are fully protected. It features:

The "Top 10" misconceptions about FDIC insurance. The Number 1 fallacy: The most a consumer can have insured is $100,000. In fact, a person may qualify for more than $100,000 in coverage at each insured bank if the funds are deposited in different "ownership categories," such as individual accounts, joint accounts, and certain trust and retirement accounts. Depending on the circumstances, a family of four could have well over $1 million in deposit insurance coverage at the same bank -- and that coverage is separate from what is FDIC-insured at any other institution.




 Complex Structured Finance Activities Interagency Statement on Sound Practices for Activities With Elevated Risk

The FDIC, along with the other federal banking agencies and the Securities and Exchange Commission, is issuing the attached statement for public comment. The statement informs financial institutions of the internal controls and risk-management procedures that should be used to identify, manage and address the heightened legal or reputational risks that may arise from their involvement in certain complex structured finance transactions. The FDIC will accept comments on this statement through June 15, 2006.

Highlights:

The attached interagency statement:

- Focuses on complex structured finance transactions entered into by institutions when the transactions
  - circumvent regulatory or financial reporting requirements or
  - evade tax liabilities or involve other illegal and/or improper behavior




 Fred S. Carns Named Director of FDIC's Office of International Affairs

Fred S. Carns has been named Director of the FDIC's Office of International Affairs (OIA), replacing Michael Zamorski, who retired from the FDIC after 29 years of service. Mr. Carns will be responsible for coordinating the FDIC's international banking activities with a focus on building strong relationships with foreign regulators and deposit insurers, U.S. government entities and international organizations. OIA coordinates the FDIC's technical assistance and outreach activities that are provided to foreign entities in order to promote the development and maintenance of sound banking and deposit insurance systems.




 Agencies Request Comment on Revised Statement Concerning Elevated Risk Complex Structured Finance Activities

Five federal agencies today requested public comment on a revised proposed statement on the complex structured finance activities of financial institutions. The revised statement describes the types of internal controls and risk management procedures that should help financial institutions identify, manage and address the heightened legal and reputational risks that may arise from certain complex structured finance transactions.

The agencies have modified the revised statement in several important respects in light of the comments received on the original proposed statement, which was issued for comment on May 19, 2004. For example, the agencies have reorganized, streamlined and modified the statement to make the document more principles-based and focused on those complex structured finance transactions that may pose heightened levels of legal or reputational risk to a financial institution.




 The Federal Deposit Insurance Corporation's Board of Directors will meet in open session at 2:00 p.m. on Tuesday, May 9, 2006

Pursuant to the provisions of the "Government in the Sunshine Act" (5 U.S.C. 552b), notice is hereby given that the Federal Deposit Insurance Corporation's Board of Directors will meet in open session at 2:00 p.m. on Tuesday, May 9, 2006, to consider the following matters:

Summary Agenda: No substantive discussion of the following items is anticipated. These matters will be resolved with a single vote unless a member of the Board of Directors requests that an item be moved to the discussion agenda.

- Disposition of minutes of previous Board of Directors' meetings.

- Summary reports, status reports, and reports of actions taken pursuant to authority delegated by the Board of Directors.

- Memorandum and resolution re: Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities.




 Bank Secrecy Act - Increasing Trend of Smuggling Currency from the U.S. into Mexico

Summary: The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued the attached advisory to U.S. financial institutions to guard against potential money laundering threats involving the smuggling of bulk U.S. currency into Mexico and the possible abuse of their financial services by certain Mexican financial institutions, including Mexican "casas de cambio."

Highlights:

- On April 28, 2006, FinCEN issued the attached advisory to U.S. financial institutions about a potential money laundering threat concerning the smuggling of U.S. currency into Mexico and the potential misuse of relationships with U.S. financial institutions by certain Mexican financial institutions, including Mexican casas de cambio.




 Bank Secrecy Act - Access to Banking Services by Money Services Businesses

Summary: The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) is seeking public comment on the attached Advance Notice of Proposed Rulemaking (ANPR) regarding the impact of Bank Secrecy Act (BSA) regulations on the ability of money services businesses (MSBs) to open and maintain accounts and obtain other banking services at banks and other depository institutions.

Highlights:

- FinCEN has issued the attached ANPR seeking comments from the public, MSBs, and the banking industry regarding the BSA's impact on MSBs' ability to obtain appropriate access to banking services.

- MSBs have experienced obstacles in opening and maintaining deposit accounts with banks. FinCEN is soliciting updated facts about this issue as well as feedback on whether additional guidance or regulatory action under the BSA might address these concerns.




 USA Patriot Act - Extension of Applicability Dates for Implementing International Correspondent Banking Provisions and Private Banking Provisions of Section 312

Summary: The Financial Crimes Enforcement Network (FinCEN) has issued the attached final rule extending, in part, the applicability dates for implementing the international correspondent banking provisions and the private banking provisions of Section 312 of the USA PATRIOT Act.

Highlights:

On January 4, 2006, FinCEN issued a final regulation implementing Section 312 of the USA PATRIOT Act. The final rule took effect on February 3, 2006, and superseded the interim final rule issued on July 23, 2002.

The final rule requires U.S. financial institutions to apply due diligence to correspondent accounts maintained for certain foreign financial institutions and private banking accounts maintained for foreign individuals.

Regarding correspondent banking, generally, the rule establishes the scope of U.S. financial institutions to which the rule applies and outlines general due diligence requirements to mitigate exposure to potential money-laundering activities.




 Compliance Examinations - Revised Examination Procedures

Summary: The FDIC has issued revised compliance examination procedures that update the procedures issued in 2003. The new examination procedures incorporate banker feedback and results of internal reviews.

Highlights:
- In 2004, the FDIC conducted banker outreach meetings in each of its six regions to gauge bankers' experiences with the revised compliance examination procedures issued in 2003.

- The FDIC also gathered information about how well the procedures were meeting its objectives.

- These included focusing increased attention on a bank's compliance management system, and conducting more of the review process off-site, where appropriate.

- Bankers were generally pleased with the revised procedures issued in 2003, particularly the focus on compliance management systems. However, they made several suggestions to improve the examination process while reducing burden.

- As a result of banker input, the FDIC has made a number of changes to the compliance examination procedures.

- Revised worksheets have been distributed to examiners to support the latest version of the compliance examination procedures.




 Retirement-Age Baby Boomers Expected to Reshape Outlook for Pensions, Housing and Financial Services

As the nation's 76 million "baby boomers" (born between 1946 and 1964) enter their sixties, they will come face-to-face with the challenges of financing their retirement and will reshape U.S. markets for housing and financial services, according to the Spring 2006 issue of the FDIC Outlook.

Taking the long view on forces shaping the financial services landscape, FDIC analysts report on how long-run demographic trends are affecting the funding of pension plans; how a large and relatively affluent baby boom generation is influencing the demand for housing; and how demographic shifts may also alter the mix of financial products and services offered by FDIC-insured institutions.




 Delivery of Special Alerts - Electronic Distribution to Become Primary Method

Beginning June 1, 2006, the Federal Deposit Insurance Corporation (FDIC) will change its primary method of distributing Special Alerts (SAs) to insured financial institutions from paper-copy delivery through the U.S. Postal Service to electronic delivery through the FDIC's free secure Web site, FDICconnect. The change is expected to provide institutions with a number of benefits, including:

- An immediate e-mail notification that a SA has been issued. There will be no need for routine manual checks of FDICconnect to determine whether a new SA has been issued.

- The immediate availability of the SA. Through the traditional mail system, receipt of the paper copy typically takes a week or longer.

- Secure transmission of the SA attachments, which are often electronic copies of fraudulent and genuine instruments.




 Fair and Accurate Credit Transactions Act - Procedures for Enhancing the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies

The FDIC, the other federal financial institution regulatory agencies and the Federal Trade Commission have jointly published the attached Advance Notice of Proposed Rulemaking (ANPR) inviting comment to gather information that is useful for developing guidelines and regulations to implement section 312 of the Fair and Accurate Credit Transactions Act (FACT Act). Comments are due by May 22, 2006.

The Fair Credit Reporting Act (FCRA) contains a number of provisions designed to enhance the accuracy and integrity of data in consumer reports. In 2003, the FCRA was amended by the FACT Act to, among other things, enhance the ability of consumers to combat identity theft and increase the accuracy of consumer reports. Section 312 of the FACT Act requires the federal financial institution regulatory agencies and the Federal Trade Commission to issue guidelines and regulations concerning the accuracy and integrity of information furnished to credit bureaus.




 The FDIC’s Security Certification and Accreditation Program

The FDIC established and implemented C&A policies, procedures, and practices that were satisfactory and consistent with federal standards and guidelines. The FDIC continued to build its C&A program during 2005 in response to evolving National Institute of Standards and Technology guidance, and additional improvements were underway at the close of our field work. Further, the FDIC had undertaken action to address certain C&A-related matters previously identified in the OIG’s September 2005 security evaluation report required by FISMA.

The FDIC can further strengthen its C&A program by:

- enhancing system sensitivity assessment guidance to describe how final security categorizations are determined;

- ensuring that application security plans adequately describe how common security controls and general support systems critical to the security of the application are considered in the application's C&A;

- ensuring the cost-benefit of alternative control solutions for reducing or eliminating vulnerabilities;

- enhancing written procedures for defining the nature and scope of testing, managing system-level plans of action and milestones, accepting risks associated with system security weaknesses, and issuing interim systems authorizations; and

- establishing formal milestone reviews at key points in the C&A process to ensure that critical documentation is current, accurate, and complete.

These program enhancements will provide FDIC management with greater assurance that system security risks are effectively managed and that C&A practices are consistently applied throughout the Corporation. We also performed benchmarking with other federal agencies and included the results in this report.




 Consideration of Safety and Soundness Examination Results and Other Relevant Information in the FDIC’s Risk-Related Premium System

This report presents the results of our audit of the FDIC’s consideration of risk in determining the deposit insurance premiums paid to the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF). To assess semiannual premiums on financial institutions, the FDIC uses the Risk-Related Premium System (RRPS) and considers capital levels, safety and soundness examination results, and other pertinent information to assign insured institutions to one of three Capital Groups and to one of three Supervisory Subgroups for the purpose of determining an insurance assessment risk classification.[1] The audit objective was to determine whether the insurance assessment system is adequately tied to the results of examinations of financial institutions by the primary federal regulators and to other information relevant to the institutions’ financial condition. Appendix I of this report discusses our objective, scope, and methodology in detail.

BACKGROUND
Section 302(a) of the FDIC Improvement Act of 1991 (FDICIA) required the FDIC’s Board of Directors (Board) to establish a risk-based assessment system.[2] In September 1992, the Board amended its regulations on assessments to comply with FDICIA and to provide for a transition from a uniform rate to a risk-based insurance assessment system.[3] The FDIC envisioned a system that would provide a financial incentive to all FDIC-insured institutions to improve or maintain a safe and sound status and would not burden weaker institutions. Details on the Board’s adoption of the multi-tiered risk-based system for assigning assessment risk classifications are in Appendix II. The Financial Institutions Reform, Recovery, and Enforcement Act of 1989 established specific designated reserve ratios for the BIF and SAIF. Under FDICIA, the Board may set higher ratios in certain circumstances.




 FDIC’s Guidance to Institutions and Examiners for Implementing the Gramm-Leach-Bliley Act Title V and the Fair and Accurate Credit Transactions Act

This report presents the results of our audit of the FDIC’s implementation of the Gramm-Leach-Bliley Act of 1999 (GLBA) Title V and the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The audit objective was to determine whether the FDIC’s Division of Supervision and Consumer Protection (DSC):

- provided adequate guidance to FDIC-supervised institutions and examiners for implementing the data privacy and security provisions of the GLBA Title V and the FACT Act, and

- implemented the recommendations in Office of Inspector General (OIG) Audit Report No. 03-044, The Federal Deposit Insurance Corporation’s Progress in Implementing the Gramm-Leach-Bliley Act, Title V - Privacy Provisions, dated September 26, 2003.




 Final Agenda for Public Hearings on the Wal-Mart Bank's Application for Deposit Insurance

The final agenda for the April public hearings on the proposed Wal-Mart Bank's federal deposit insurance application is now available on the FDIC's Web site. The agenda includes the names of parties who are scheduled to give oral presentations as well as the speaking times and the locations where the parties are scheduled to speak.

FDIC Chief Operating Officer and Deputy to the Chairman John F. Bovenzi will serve as Presiding Officer at the hearings. In addition, Douglas H. Jones, Acting General Counsel of the FDIC, and Sandra L. Thompson, Acting Director of the FDIC's Division of Supervision and Consumer Protection, will serve as hearing officers.




 U.S. Regional Banking and Economic Performance Remained Strong into Early 2006

Despite regional disparities in job growth and a high degree of reliance on real estate, the economy and the banking industry both continue to perform well across most areas of the nation, FDIC analysts reported in the spring 2006 editions of FDIC Regional Profile and FDIC State Profiles released today.

"Moderate to strong job growth across much of the nation is helping to support loan growth and credit quality at federally insured banks and thrifts," said FDIC Chief Economist Richard A. Brown. "However, heavy dependence on mortgage and construction lending is making some banks more vulnerable to regional downturns in real estate activity."




 Commercial Bank of Syria - Designation of Primary Money Laundering Concern

The Department of the Treasury has designated Commercial Bank of Syria, including its subsidiary, Syrian Lebanese Commercial Bank, as a financial institution of primary money laundering concern and has issued the attached final rule restricting domestic financial institutions' banking relationships with this entity.

Highlights:

- On March 15, 2006, the Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued a final rule announcing the designation of Commercial Bank of Syria, including its subsidiary, Syrian Lebanese Commercial Bank, to be a financial institution of "primary money laundering concern" under Section 311 of the USA PATRIOT Act. For purposes of this document, references to Commercial Bank of Syria include Syrian Lebanese Commercial Bank, and any other branch, office or subsidiary of Commercial Bank of Syria.




 Agencies Seek Public Comment on Issues Related to the Accuracy of Consumer Credit Reports and the Reinvestigation of Disputes

The federal financial institution regulatory agencies and the Federal Trade Commission have jointly issued for comment an Advance Notice of Proposed Rulemaking (ANPR) on section 312 of the Fair and Accurate Credit Transactions Act (FACT Act). Comments are invited for the purpose of developing guidelines and rules to implement section 312.

Section 312 requires the agencies to: (1) establish guidelines regarding the accuracy and integrity of information furnished to consumer reporting agencies; and (2) prescribe regulations that require the entities that furnish such information to establish reasonable policies and procedures for implementing the guidelines. Section 312 also requires the agencies to prescribe regulations that identify the circumstances under which an entity that furnishes information to consumer reporting agencies will be required to reinvestigate a dispute concerning the accuracy of information contained in a consumer credit report based on a consumer's direct request.




 FDIC Announces Draft Agenda for Public Hearings on The Proposed Wal-Mart Bank's Application for Federal Deposit Insurance

A draft agenda for the April public hearings on the proposed Wal-Mart Bank's application for federal deposit insurance is now available on the FDIC's Web site, www.fdic.gov. The agenda includes the names of parties who are currently scheduled to give oral presentations, as well as the speaking times and the locations where the parties are scheduled to speak. The final agenda will be posted to the FDIC's Web site no later than April 5, 2006.

- The first hearing, to be held at the FDIC's Virginia Square Auditorium in Arlington, Virginia, will now be held from 9:00 a.m. to approximately 4:00 p.m. on Monday, April 10, and from 9:00 a.m. to approximately 11:15 a.m. on Tuesday, April 11.

- The second hearing, to be held at the Overland Park Convention Center, Overland Park, Kansas, will now be held on one day only – Tuesday, April 25 – from 9:00 a.m. to approximately 4:15 p.m.




 Ombudsman Report to the Industry

During the second half of 2005, OO staff spoke with 791 financial industry representatives through visits and telephone calls, industry-sponsored conferences and FDIC events. Approximately 82 percent reported overall satisfaction with the FDIC's regulatory process, three percent were dissatisfied, and the remaining 15 percent expressed no opinion. The following are examples of comments and suggestions expressed by bankers during outreach activities:

Regulations: Of the 218 comments received about regulations affecting banks, 178 involved some degree of dissatisfaction. Of the latter group, 52 percent characterized regulations as burdensome and another 35 percent viewed some regulations as unfair or outdated. The Bank Secrecy Act (BSA) continued to be the subject of greatest concern among bankers, primarily because of the high cost of compliance with what many banker contacts perceived as little benefit. Of the BSA comments, 84 percent were negative. The BSA regulation is almost universally described as "burdensome." Rural community bankers stated that they do not want to be measured by the same gauge used for money center banks. One banker said that BSA procedures seemed like "searching babies at airports." Another banker believed in the spirit of the law, but did not want to be a "watchdog for society." In addition, doing business with money services businesses continued to provide challenges, but "zero tolerance" of filing errors appeared to be less of a concern.




 Interagency Advisory on Influenza Pandemic Preparedness

Purpose

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and Office of Thrift Supervision are issuing this interagency advisory to financial institutions and their technology service providers.

This advisory is intended to raise awareness regarding the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services. It further advises financial institutions and their service providers to consider this and similar threats in their event response and contingency strategies. This issuance discusses the National Strategy for Pandemic Influenza (National Strategy) and the roles and responsibilities it outlines for financial institutions.




 FDIC Insurance for Retirement Accounts Increased to $250,000

The Federal Deposit Insurance Corporation (FDIC) Board of Directors today approved final rules that will raise the deposit insurance coverage on certain retirement accounts at a bank or savings institution to $250,000 from $100,000. The increase, the result of a new law boosting federal deposit insurance coverage for the first time in more than 25 years, will become effective on April 1. The basic insurance coverage for other deposit accounts, however, will remain at $100,000.

"The increase in deposit insurance coverage on certain retirement accounts is a significant change," said Martin J. Gruenberg, Acting Chairman of the FDIC. "The FDIC is committed to helping depositors understand clearly the change that has been made and how it will affect the deposit insurance coverage for which they are eligible."




 Sites Chosen for FDIC's Public Hearings on the Proposed Wal-Mart Bank's Application for Federal Deposit Insurance

Sites have been selected for the FDIC's April public hearings on the proposed Wal-Mart Bank's application for federal deposit insurance, the FDIC announced today.

The first hearing, scheduled for Monday and Tuesday, April 10 and 11, will be held at the FDIC's Virginia Square auditorium (Building C), located at 3501 Fairfax Drive, Arlington, Virginia. The second hearing, scheduled for Tuesday and Wednesday, April 25 and 26, will be held at the Overland Park Convention Center (Courtyard Rooms four and five), 6000 College Boulevard, Overland Park, Kansas. The hearings in both locations are scheduled to begin at 9:00 a.m. and conclude no later than 5:30 p.m. each day. More detailed information relating to the hearing locations can be found on the FDIC's Web site, www.fdic.gov.

Parties making oral presentations as well as those wishing to attend the hearings should plan to arrive early. Admission for those not making oral presentations will be based on a first-come, first-served basis as space permits. Parties attending the hearings will be subject to security screening.

> Read entire regulation (log in required - registration is free) TOP



 Bank Secrecy Act - Suspicious Activity Report Form

The Financial Crimes Enforcement Network (FinCEN) and the federal bank, thrift and credit union regulatory agencies are soliciting comments on the attached proposed changes to the Suspicious Activity Report (SAR) form.

Highlights:

- On February 17, 2006, FinCEN and the federal bank, thrift and credit union regulatory agencies issued the attached notice and request for comments in the Federal Register on proposed changes to the SAR form that is used by depository institutions. The SAR form is being revised and reformatted to standardize it with SARs used by financial institutions in other industries.

> Read entire regulation (log in required - registration is free) TOP



 FDIC Reports Year-End 2005 Financial Results for Bank and Thrift Insurance Funds

The Federal Deposit Insurance Corporation (FDIC) today announced that the Corporation has received its fourteenth consecutive set of unqualified audit opinions on the financial statements of the three funds that it manages.

Comprehensive income (net income plus current period unrealized gains/losses on available-for-sale (AFS) securities) for the Bank Insurance Fund (BIF) decreased 32% to $680 million in 2005 from $1.004 billion in 2004. For the second consecutive year, comprehensive income has declined as a result of several factors. The year-over-year reduction of $324 million was primarily due to an increase in unrealized losses on AFS securities of $279 million, lower recoveries of prior years' provisions for insurance losses of $143 million, an increase in operating expenses of $25 million, and a decrease in assessment revenues of $43 million, offset by an increase of $161 million in interest revenue on U.S. Treasury obligations. As of December 31, 2005, BIF's fund balance was $35.5 billion (including $298 million in net unrealized gains on AFS securities), up from $34.8 billion at year-end 2004.

> Read entire regulation (log in required - registration is free) TOP



 FDIC 2005 Annual Report

Summary: The FDIC is pleased to announce that its 2005 Annual Report is now available on the FDIC's Web site.

Highlights:
- The FDIC's 2005 Annual Report is now available and can be accessed from the FDIC's Web site at: http://www.fdic.gov/about/strategic/report/2005annualreport/ar05final.pdf - PDF 9MB

- The Annual Report provides an overview of the FDIC's activities and operations during the year.

- It also reports on the FDIC's success in achieving the goals established for fiscal year 2005.

> Read entire regulation (log in required - registration is free) TOP



 Bank Secrecy Act - Foreign Bank Recertifications

The Financial Crimes Enforcement Network (FinCEN) has released the attached guidance to clarify the date on which certain U.S. financial institutions must complete recertifications to comply with regulations relating to correspondent accounts established, maintained, administered or managed in the U.S. for, or on behalf of, foreign financial institutions.

Highlights:

- On February 3, 2006, FinCEN issued guidance to clarify the date that U.S. financial institutions must complete recertifications to comply with regulations relating to correspondent accounts established, maintained, administered or managed in the U.S. for, or on behalf of, foreign financial institutions.

- The Bank Secrecy Act prohibits banking institutions from establishing, maintaining, administering or managing a correspondent account in the U.S. for, or on behalf of, foreign banks that do not have a physical presence in any country. The regulations allow covered financial institutions to receive a "safe harbor" for compliance if they use the certification process.

> Read entire regulation (log in required - registration is free) TOP



 Bank and Thrift Earnings Set Fifth Consecutive Record in 2005

Commercial banks and savings institutions insured by the Federal Deposit Insurance Corporation (FDIC) reported net income of $134.2 billion in 2005, surpassing the previous record by $11.8 billion (9.6 percent) set in 2004 and representing the fifth consecutive year that industry earnings reached a new high. Increased net interest income (stemming from strong growth in loans) and a boost in noninterest income at larger institutions (particularly from trading and servicing activities) were the main factors contributing to the latest annual record.

The industry's net income of $32.9 billion in the fourth quarter of 2005, while the fourth highest ever and a $1.7 billion (5.4 percent) increase over the same quarter a year ago, marked a decline of $1.7 billion (5.0 percent) from the record earnings of the third quarter of 2005. The average return on assets (ROA) fell to 1.22 percent in the fourth quarter, down from 1.25 percent a year ago.

In a related development, the FDIC also noted that this past weekend the agency reached a milestone for the longest number of days during which it did not provide assistance to a failed or failing institution. The previous record of 609 days spanned between January 1945 and September 1946. "This historic milestone speaks to the favorable economic conditions we have recently experienced as well as to the efforts of bankers and regulators to manage risks in the industry," Gruenberg said.

> Read entire regulation (log in required - registration is free) TOP



 FDIC to Hold Two Hearings on The Federal Deposit Insurance Application of The Proposed Wal-Mart Bank

The Federal Deposit Insurance Corporation (FDIC) has scheduled public hearings in April in the Washington, D.C. area, and the Kansas City, Missouri, metro area on the application for federal deposit insurance filed on behalf of the proposed Wal-Mart Bank.

On July 19, 2005, an application for federal deposit insurance was submitted to the FDIC by Wal-Mart Bank, a proposed Industrial Loan Company (ILC) headquartered in Salt Lake City, Utah. ILCs are state banks that are supervised and insured by the FDIC.

There has been considerable public interest in the application. The FDIC believes that public participation will provide valuable insight into the issues presented by the application and will serve the public interest. The FDIC is interested in obtaining the views of the general public, the financial services industry and other industry trade groups, public interest groups, state financial institution supervisors, other state authorities, and any other interested parties.

> Read entire regulation (log in required - registration is free) TOP



 Fair Credit Reporting Act Revised Examination Procedures

The Federal Financial Institution Examinations Council (FFIEC) Task Force on Consumer Compliance has approved the attached revised Fair Credit Reporting Act (FCRA) examination procedures, which incorporate the new requirements created by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).

The revised FCRA examination procedures have been reorganized into a new format in which similar requirements are grouped into modules for use in risk-focused compliance examinations. This modular format is also designed to assist financial institutions in organizing compliance programs and internal reviews. The revised procedures separate background information from the examination steps, contained in Appendix A. Appendix B lists the statutory and regulatory requirements in the order in which they are addressed in the examination procedures, according to a financial institution's primary federal regulator.

> Read entire regulation (log in required - registration is free) TOP



 Joint Final Rule on Securities Borrowing Transactions

The FDIC, along with the Federal Reserve Board and the Office of the Comptroller of the Currency, has issued the attached joint final rule clarifying the capital treatment for securities borrowing transactions for banks and bank holding companies that are subject to the Market Risk Capital Rule. Securities borrowing transactions are generally used in conjunction with short sales, securities fails (securities sold but not made available for delivery on the settlement date), and option and arbitrage positions. The final rule takes effect on February 22, 2006.

> Read entire regulation (log in required - registration is free) TOP



 External Audit Engagement Letters - Unsafe and Unsound Use of Limitation of Liability Provisions

Summary: The federal financial institution regulatory agencies have issued the attached final interagency advisory on the unsafe and unsound use of limitation of liability provisions in external audit engagement letters.

Highlights:
- The attached final interagency advisory informs financial institutions' boards of directors, audit committees, and management that they should not execute agreements that incorporate unsafe and unsound external auditor limitation of liability provisions with respect to engagements for financial statement audits, audits of internal control over financial reporting, and attestations on management's assessment of internal control over financial reporting (audit or audits).

- The final advisory applies to all audits of financial institutions, regardless of the size of the financial institution, whether the financial institution is public or not, and whether the audits are required or voluntary.

> Read entire regulation (log in required - registration is free) TOP



 FDIC Highlights Consumer Education Tools on Fraud Prevention in Observance of National Consumer Protection Week

The Federal Deposit Insurance Corporation (FDIC), in observance of National Consumer Protection Week (NCPW) February 5-11 and its theme of fraud prevention, is reminding the public about the agency's wide range of educational materials designed to help consumers learn how to protect themselves from scams.

"Consumers, as well as banking institutions, face significant costs and challenges from fraud," said Christopher Spoth, Acting Director of the Division of Supervision and Consumer Protection. "The FDIC will continue to work to help consumers avoid being victimized by some of the fastest growing crimes in America."

> Read entire regulation (log in required - registration is free) TOP



 Hurricane Katrina Examiner Guidance - Interagency Supervisory Guidance for Institutions Affected by Hurricane Katrina

The federal banking, thrift and credit union regulatory agencies and the state supervisory authorities in Alabama, Louisiana and Mississippi have jointly issued the attached examiner guidance outlining the supervisory practices to be followed in assessing the financial condition of institutions affected by Hurricane Katrina.

Highlights:
Hurricane Katrina's devastating effects on the U.S. Gulf Coast region will continue to affect the business activities of the financial institutions serving that area for the foreseeable future.

The attached Interagency Supervisory Guidance for Institutions Affected By Hurricane Katrina describes examination procedures for institutions adversely affected by the hurricane.

In considering any supervisory response, examiners will give appropriate recognition to the extent to which weaknesses are caused by external problems related to the hurricane and its aftermath.

> Read entire regulation (log in required - registration is free) TOP



 Bank Secrecy Act - U.S. Money Laundering Threat Assessment

Summary:
The Department of the Treasury has released the 2005 U.S. Money Laundering Threat Assessment, which is designed to help policymakers, regulators and the law enforcement community better understand money laundering in the United States and to support efforts to combat it.

Highlights:
On January 12, 2006, the Department of the Treasury released the 2005 U.S. Money Laundering Threat Assessment.

This report is the product of an interagency working group composed of experts from various U.S. government agencies, bureaus and offices that study and combat money laundering.

The Money Laundering Threat Assessment is designed to help policymakers, regulators and the law enforcement community better understand the landscape of money laundering in the United States and to support strategic planning efforts to combat money laundering.

> Read entire regulation (log in required - registration is free) TOP



 Wireless Networks and Customer Access

Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.



> Read entire regulation (log in required - registration is free) TOP



 Risk Management Manual of Examination Policies

To assure that prudent practices are being followed by banking institutions in their funds transfer activities, examinations should focus, with equal emphasis, on the evaluation of credit risks and operational controls. Deficiencies disclosed in either of these areas and suggestions for improvement should be discussed with management and listed in the Report of Examination. Constructive criticism by the examiners should help the institutions strengthen procedures to minimize the risks associated with funds transfer activities. Refer to the Electronic Funds Transfer (EFT) Examination Documentation module for further guidance.



> Read entire regulation (log in required - registration is free) TOP



 FDIC Tool Helps Consumers Protect Themselves Against Identity Theft and Suggests Steps They can Take if Victimized

The Federal Deposit Insurance Corporation (FDIC) today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised. Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. Identity theft is evolving in more complicated ways that make it harder for consumers to protect themselves, and easier for criminals to set up virtual storefronts on the Internet to sell confidential personal information.



> Read entire regulation (log in required - registration is free) TOP



 Bank Secrecy Act - Sharing Suspicious Activity Reports With Controlling Companies

The Financial Crimes Enforcement Network and the federal banking agencies – the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision – are issuing the attached guidance to notify institutions when a Suspicious Activity Report (SAR) can be shared with a holding company or other controlling company, or with the head office of a U.S. branch or agency of a foreign bank.

> Read entire regulation (log in required - registration is free) TOP



 Interagency Guidelines Establishing Information Security Standards - Small Entity Compliance

This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs. Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.

> Read entire regulation (log in required - registration is free) TOP



 FDIC OIG Semiannual Report to the Congress

The FDIC Office of Inspector General issued its semiannual report to Congress, highlighting what the Inspector General considers to be 2005's most taxing management and performance challenges. The report focuses on the need to streamline information security initiatives that can "maintain stability and confidence in the nation's banking system." The Office of Inspector General recognizes the tremendous risk associated with safeguarding banking clients' private information, and has therefore centered its priorities and managerial initiatives accordingly.

> Read entire regulation (log in required - registration is free) TOP



 Federal Financial Regulators Announce Public Service Campaign to Help Hurricane Victims

WASHINGTON, D.C. (January 13, 2006) – The federal financial regulatory agencies today announced a public service campaign to aid in the financial recovery of victims of last year's hurricanes.

Although four months have passed since Hurricanes Katrina and Rita made landfall, some bank customers have not yet been in contact with their lenders. Communication is an essential step in the road to financial recovery.

The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration and state financial regulators are encouraging banks, thrifts, and credit unions to continue to work with borrowers affected by the hurricanes. Assistance may include waiving fees, lowering interest rates, extending repayment schedules, or deferring principal or interest for an additional period, where appropriate. For these options to be considered, however, it is essential that the borrower contact his or her lender.

> Read entire regulation (log in required - registration is free) TOP



 Dr. Robert DeYoung Named Associate Director of FDIC's Division of Insurance and Research - DeYoung will head division's research branch

Dr. Robert DeYoung has been named Associate Director of the FDIC's Division of Insurance and Research (DIR), FDIC Acting Chairman Martin Gruenberg announced today. DeYoung will head the division's Research Branch.

"Bob DeYoung brings a wealth of experience in the publication of original research and in its application to the banking and financial system," said Art Murton, DIR Director. "We look forward to the contributions he will make to the policy leadership and research efforts at the FDIC."

Dr. DeYoung joins the FDIC from the Federal Reserve Bank of Chicago, where he served as a senior economist and economic advisor in the research department. For the past two years, Dr. DeYoung has played a key role in the advancement of the FDIC's Center for Financial Research as the Coordinator of the Center's Banking Policy and Regulation Program. Dr. DeYoung also serves as an associate editor of the Journal of Financial Services Research and the Journal of Economics and Business, and as a lecturer on economics and finance at the Kellstadt Graduate School of Business at DePaul University in Chicago.

> Read entire regulation (log in required - registration is free) TOP



 USA Patriot Act - Final Regulation Implementing Section 312 of USA Patriot Act

The Financial Crimes Enforcement Network (FinCEN) has announced the final regulation implementing the international correspondent banking provisions and the private banking provisions of Section 312 of the USA PATRIOT Act. Concurrently, FinCEN has released a further notice of proposed rulemaking on one key issue regarding correspondent banking. To view the final and proposed rules, along with a press release and fact sheet from FinCEN, visit FinCEN's Web site at http://www.fincen.gov/section312.pdf.

Highlights:
FinCEN released the final regulation implementing Section 312 of the USA PATRIOT Act on December 21, 2005. Upon its effective date, the final rule will replace the interim final rule imposed in 2002.

The final regulation takes effect within 90 days from the date the regulation is published in the Federal Register (anticipated by January 4, 2006) for new accounts opened by U.S. financial institutions and 270 days from that date for existing accounts.

The final rule requires certain U.S. financial institutions to apply due diligence to correspondent accounts maintained for certain foreign financial institutions and private banking accounts maintained for foreign individuals.

> Read entire regulation (log in required - registration is free) TOP



 Guidance on Instant Messaging

This guidance identifies risks associated with public Internet instant messaging (IM) and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy, and legal liability risks because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.

> Read entire regulation (log in required - registration is free) TOP



 Spyware

The FDIC is issuing the attached guidance to financial institutions recommending an effective spyware prevention and detection program based on an institution’s risk profile. This guidance and the attached informational supplement discuss the risks associated with spyware from both a bank and consumer perspective and provide recommendations to mitigate these risks.

> Read entire regulation (log in required - registration is free) TOP



 Guidelines Requiring the Proper Disposal of Consumer Information

The federal bank and thrift regulatory agencies have jointly issued final guidelines to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. The guidelines require the proper disposal of consumer information.

The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (agencies) have adopted the attached final rule to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 of the FACT Act is designed to protect a consumer against the risks associated with identity theft and other types of fraud.

Under the final rule, the agencies have amended their "Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by the Gramm-Leach-Bliley Act, to require the proper disposal of consumer information. The guidelines have been renamed "Interagency Guidelines Establishing Information Security Standards."

> Read entire regulation (log in required - registration is free) TOP



 Putting an End to Account-Hijacking Identity Theft Study Supplement

Executive Summary and Findings

Focus of Supplement

Identity theft in general and account hijacking in particular continue to be significant problems for the financial services industry and consumers. Recent studies indicate that identity theft is evolving in more complicated ways that make it more difficult for consumers to protect themselves. Recent studies also indicate that consumers are concerned about online security and may be receptive to using two-factor authentication if they perceive it as offering improved safety and convenience.

This Supplement discusses seven additional technologies that were not discussed in the Study. These technologies, as well as those considered in the Study, have the potential to substantially reduce the level of account hijacking (and other forms of identity theft) currently being experienced.

> Read entire regulation (log in required - registration is free) TOP



 Industry Responses to Identity Theft

Successful frauds tend to be replicated until they no longer work. Financial institutions can help reduce identity theft, including account hijacking, by encouraging information sharing so that identity theft frauds are thwarted sooner. A number of such information-sharing efforts are noteworthy including those sponsored by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Anti-Phishing Working Group (APWG), the Identity Theft Assistance Corporation (ITAC), and Infragard, in addition to individual financial institution Web sites.

> Read entire regulation (log in required - registration is free) TOP



 Legislative and Regulatory Responses to Identity Theft

Since 1998, when identity theft first became a federal crime, a number of statutes and regulations have clarified impermissible use of personal information and offered greater tools to law enforcement. However, no law or regulation is focused solely on account hijacking. These changes in federal law have either established standards for protecting information, provided consumers with more information about their credit history so they can be more vigilant in protecting their own identity, or increased criminal penalties for identity theft and enforcement tools in an effort to deter it. Each of these approaches is discussed below.

> Read entire regulation (log in required - registration is free) TOP



 Risk Assessment Tools and Practices for Information System Security

The purpose of this paper is to provide financial institutions and examiners with background information and guidance on various risk assessment tools and practices related to information security. Institutions using the Internet or other computer networks are exposed to various categories of risk that could result in the possibility of financial loss and reputational harm. Given the rapid growth of the Internet and networking technology, the available risk assessment tools and practices are becoming more important for information security.

This paper provides a summary of critical points, discusses components of a sound information security program, and describes the risk assessment and risk management processes for information security. The appendix provides specific information on certain risk assessment tools and practices that may be part of an institution's information security program. The paper and appendix are intended to provide useful information and guidance, not to create new examination standards, impose new regulatory requirements, or represent an exclusive description of the various ways financial institutions can implement effective information security programs.

> Read entire regulation (log in required - registration is free) TOP



 Agencies Propose Standards for Customer Information Security - OCC

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision jointly requested comment today on a proposed rule establishing standards for safeguarding confidential customer information. The proposed rule would implement section 501 (b) of the Gramm-Leach-Bliley Act (GLBA).

The law requires the agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer records and information. These safeguards are intended to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of these records and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to a customer.

> Read entire regulation (log in required - registration is free) TOP



 Agencies Adopt Guidelines for Customer Information Security

The federal bank and thrift regulatory agencies have sent to the Federal Register joint guidelines for safeguarding confidential customer information. The guidelines implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), and will be effective on July 1, 2001.

The GLBA requires the agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer records and information. These safeguards are to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of these records, and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to a customer.

> Read entire regulation (log in required - registration is free) TOP



 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice - OCC

The Agencies are jointly issuing final Guidance that interprets the requirements of section 501(b) of the GLBA, 15 U.S.C. 6801, and the Security Guidelines to include the development and implementation of a response program to address unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to a customer. The Guidance describes the appropriate elements of a financial institution’s response program, including customer notification procedures.

Section 501(b) required the Agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to: (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

On February 1, 2001, the Agencies issued the Security Guidelines as required by section 501(b) (66 FR 8616). Among other things, the Security Guidelines direct financial institutions to: (1) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

> Read entire regulation (log in required - registration is free) TOP



 Mandatory Information Security Awareness Training

Periodic security awareness training is specifically mandated by three Federal issuances.

On October 30, 2000, the Government Information Security Reform Act (GISRA) was signed into law. One of the requirements of GISRA is that each Federal agency shall develop and implement an agency-wide information security program to provide information security for the operations and assets of the agency. This program shall include security awareness training to inform personnel of information security risks associated with the activities of personnel, and responsibilities of personnel in complying with agency policies and procedures designed to reduce such risk.

OMB Circular A-130, Management of Federal Information Resources, establishes policy for the management of Federal information resources. Appendix III of OMB Circular A-130 requires that prior to being granted access to Information Technology (IT) applications and systems, all individuals must receive specialized training on their IT security responsibilities and established system rules.




 Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes

E-mail and Internet-related fraudulent schemes, such as “phishing” (pronounced “fishing”), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false “from” address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.






 Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide

I. INTRODUCTION

Purpose and Scope of the Guide

This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.

Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.





 Model Governance, Online Banking Security Highlighted in FDIC's Supervisory Insights

Flawed modeling presents risk to sound management decision-making; rise in online fraud, theft of consumer data dictate need for tighter online banking security

Banks' financial modeling, the security of Internet banking transactions, and bank insider misconduct are some of the issues of current focus for the bank regulatory community that are highlighted in the FDIC's Winter 2005 issue of Supervisory Insights, released today.

With financial modeling growing in importance as a bank management tool, attention is now focused on a new source of risk - the potential for flawed information to be introduced into the management decision-making process. The article "Model Governance" describes how strong governance procedures can help minimize this risk, and it suggests areas that examiners should target when evaluating a bank's model oversight, control and validation programs.

And with incidents of online fraud - including identity theft - on the rise, strengthening security for Internet-based financial transactions continues to be an area of focus for bank supervisors and management. "Online Delivery of Banking Services: Making Consumers Feel Secure" reviews key findings of an FDIC study that evaluated identity authentication technologies. This article also reviews recently issued interagency guidance requiring insured institutions and service providers - as part of the development of Internet banking products and services - to design safeguards to protect sensitive customer data.




 FDIC TRUST EXAMINATION MANUAL : Revised Manual Now Available

The FDIC has updated its Trust Examination Manual. It is now available on the FDIC’s Web site and may also be purchased in a CD-ROM format.

Highlights:

  • The FDIC has updated the 2000 Trust Examination Manual and added a new section to cover Registered Transfer Agent activities.
  • The manual is available to the public on the FDIC’s Web site at http://www.fdic.gov/regulations/examinations/trustmanual/index.html.
  • A CD-ROM version of the manual is available for purchase for $100. To place an order, please complete the attached order form.




 Annual Independent Audits and Reporting Requirements

The FDIC has amended Part 363 of its regulations by raising the asset-size threshold from $500 million to $1 billion for internal control assessments by management and external auditors. For institutions between $500 million and $1 billion in assets, only a majority, rather than all, of the members of the audit committee, who must be outside directors, must be independent of management. The final rule is effective December 28, 2005.

Highlights:
The FDIC has amended its annual audit and reporting requirements, including the audit committee requirements, which apply to insured institutions with $500 million or more in total assets ("covered institutions").

As amended, for covered institutions with between $500 million and $1 billion in total assets, management is no longer required to assess and report on the effectiveness of internal control over financial reporting, the external auditors are no longer required to examine and attest to management's internal control assertions, and only a majority of the outside directors on the audit committee must be independent of management.




 Maintain Current Leverage Ratio in New Basel II Framework, FDIC Chairman Recommends

In testimony before the Senate Banking Committee this morning, FDIC Chairman Donald Powell underscored the need to maintain Prompt Corrective Action (PCA) regulations, particularly existing U.S. leverage requirements, as part of the U.S. implementation of the Basel II Framework, an international effort to modernize the bank capital regime.

While emphasizing his support for a recent interagency agreement to move forward with Basel II in the U.S., Powell said serious questions had been raised as a result of recent testing of Basel II among 26 of the largest U.S. banking organizations. Powell's testimony outlined an analysis of the most recent quantitative impact study (QIS-4), suggesting that Basel II's formulas would, for most banks, require far less capital than current statutory Prompt Corrective Action regulations would allow.

Powell said: "The FDIC views the extremely low capital numbers coming out of Basel II's formulas . . . as examples of why, under Basel II, the leverage ratio would play a more important role than ever in ensuring the soundness of our banking system."




 Agencies Release Bank Secrecy Act/Anti-Money Laundering Examination Manual


The Federal Financial Institutions Examination Council (FFIEC) today released the Bank Secrecy Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination Manual). The manual’s release marks an important step forward in the effort to ensure the consistent application of the BSA to all banking organizations including commercial banks, savings associations, and credit unions.

The FFIEC BSA/AML Examination Manual was developed by the Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS) (collectively referred to as the federal banking agencies) in collaboration with the Financial Crimes Enforcement Network (FinCEN), the delegated administrator of the BSA. In addition, through the Conference of State Bank Supervisors, the state banking agencies played a consultative role. The Office of Foreign Assets Control collaborated on the development of core overview and examination procedures addressing compliance with regulations enforced by OFAC.




 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

The OCC, FRB, FDIC, and OTS are issuing the attached final “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” The guidance was published in the Federal Register on March 29, 2005, and became effective upon publication.

The guidance interprets the Interagency Guidelines Establishing Information Security Standards (Security Guidelines) and states that each financial institution should implement a response program to address unauthorized access to customer information maintained by the institution or its service providers. The guidance describes the components that a response program should contain, including procedures to notify customers about incidents that involve unauthorized access to sensitive customer information.

The guidance provides that, “when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.” However, notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for a delay.



 Powell Announces His Resignation as Chairman of The FDIC

Donald E. Powell today announced that he will be leaving the agency to coordinate the Bush Administration's efforts to rebuild the Gulf Coast areas affected by the recent hurricanes. Mr. Powell became the 18th Chairman of the Federal Deposit Insurance Corporation (FDIC) on August 29, 2001.

“I am honored that the President has chosen me for this important effort to help rebuild the Gulf region,” said Powell. “This new position allows me to continue to serve my country and help the many people who have had their lives turned completely upside down.”

“In my role as FDIC chairman, I had the opportunity to tour the area and see firsthand what the communities in the Gulf region face. I look forward to this new challenge and appreciate the trust that the President has in me. Of course, I will always have fond memories of my time at the FDIC. I have been afforded the opportunity to work with many wonderful people inside and outside the agency, and I feel truly blessed,” Powell concluded.




 Information Technology Risk Management Program (IT-RMP)

Summary: The FDIC has updated its risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions.

Highlights:

* The FDIC’s new risk-focused IT examination procedures focus on the financial institution’s information security program and risk-management practices for securing information assets.

* The IT Examination Officer’s Questionnaire must be completed and signed by an officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of the examination.




 Guidance on the Security Risks of VoIP

Summary: The FDIC is providing guidance to financial institutions on the security risks associated with voice over Internet protocol (VoIP). VoIP refers to the delivery of traditional telephone voice communications over the Internet.

Highlights:

• VoIP is susceptible to the same security risks as data networks if security policies and configurations are inadequate.
• The risks associated with VoIP should be evaluated as part of a financial institution’s periodic risk assessment, with status reports submitted to the board of directors as mandated by section 501(b) of the Gramm-Leach-Bliley Act (GLBA). Any identified weaknesses should be corrected during the normal course of business.
• The attached “Informational Supplement” details the risks associated with using VoIP.




 Guidance on Developing an Effective Pre-Employment Background Screening Process

Summary: The FDIC is providing the attached guidance on developing an effective pre-employment background screening process. This process can be an effective risk-management tool by providing management with a degree of certainty that the information provided is accurate and that the applicant does not have a criminal background.




 Hurricane Katrina : FDIC Asks Banks to Honor All Checks Issued by the Social Security Department

Summary: The Federal Deposit Insurance Corporation encourages banks to assist those impacted by Hurricane Katrina by honoring handwritten, typewritten, and laser checks issued by certain Social Security Administration Offices.

Highlights:

Due to operational issues resulting from Hurricane Katrina, certain Social Security Administration offices are issuing handwritten, typewritten, and laser Social Security checks.




 NCUA : Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice

In 2001, NCUA amended 12 CFR Part 748 to fulfill a requirement in Section 501 of the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA), in which Congress directed both NCUA and the other Federal Financial Institution Examination Council (FFIEC) agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (collectively, the “Banking Agencies”) to establish standards for financial institutions relating to administrative, technical, and physical safeguards to...




 Electronic Record Keeping

This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act. 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.

BACKGROUND

Federal legislation changed the legal framework for electronic records and will likely result in more banks adopting electronic record retention systems. Banks can implement electronic record retention systems in many ways to support different business processes. Some examples of possible electronic record retention systems are loan file imaging, retention of paperless applications and online agreements, and the use of electronic payment systems.




 Information Security Program

On January 17, 2001, the banking regulatory agencies adopted guidelines implementing Section 501 of the Gramm-Leach-Bliley Act (GLBA). The guidelines require financial institutions to establish a comprehensive and coordinated information security program, appropriate to the size of the bank and the complexity of its operations.

The guidelines require financial institutions to establish an information security program to: (1) identify and assess the risks that may threaten customer information; (2) develop a written plan containing policies and procedures to manage and control these risks; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security. Each institution may implement a security program appropriate to its size and complexity and the nature and scope of its operations.




 Guidance on Implementing a Fraud Hotline

Summary: The FDIC is providing guidance to financial institutions on implementing a fraud hotline to minimize potential and actual fraud risks as part of a bank’s governance and enterprise risk management program.

Highlights:

The FDIC encourages financial institutions to consider the benefits of implementing a fraud hotline as a confidential communication channel to identify fraud and reduce fraud-related losses.

The Association of Certified Fraud Examiners – in its “2004 Report to the Nation” – stated that organizations without mechanisms to report fraud suffered financial losses that were more than twice as high as organizations with anonymous fraud-reporting mechanisms.




 Information Security, Security Controls Implementation, Subsection: Encryption

Encryption is used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. It can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols.

Encryption is used both as a prevention and detection control. As a prevention control, encryption acts to protect data from disclosure to unauthorized parties. As a detective control, encryption is used to allow discovery of unauthorized changes to data and to assign responsibility for data among authorized parties. When prevention and detection are joined, encryption is a key control in ensuring confidentiality, data integrity, and accountability.

Properly used, encryption can strengthen the security of an institution’s systems. Encryption also has the potential, however, to weaken other security aspects. For instance, encrypted data drastically lessens the effectiveness of any security mechanism that relies on inspections of the data, such as anti-virus scanning and intrusion detection systems. When encrypted communications are used, networks may have to be reconfigured to allow for adequate detection of malicious code and system intrusions.




 Information Security, Security Controls Implementation Subsection: Personnel Security

Security personnel allow legitimate users to have system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include

- Altering data,
- Deleting production and backup data,
- Crashing systems,
- Destroying systems,
- Misusing systems for personal gain or to damage the institution,
- Holding data hostage, and
- Stealing strategic or customer data for corporate espionage or fraud schemes.




 Banking Agencies Announce Revised Plan for Implementation of Basel II Framework

The four Federal banking agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision) today announced their revised plans for the U.S. implementation of the "International Convergence of Capital Measurement and Capital Standards: A Revised Framework," otherwise known as Basel II. The agencies previously announced on April 29, 2005 that they were delaying issuance of a notice of proposed rulemaking (NPR), pending additional analysis of the quantitative impact study (QIS4) submissions. The agencies intend to move forward with an NPR for domestic implementation of Basel II, but plan to introduce additional prudential safeguards in the NPR to address concerns identified in the analysis of the results of the QIS4 conducted with the industry. The agencies expect that the U.S. Basel II proposal will be available in the first quarter of 2006.




 FDIC Board Approves Start of Rulemaking Process on Basel I-A

The Board of Directors of the Federal Deposit Insurance Corporation (FDIC) today approved an interagency advance notice of proposed rulemaking (ANPR) to solicit comments on the way that the vast majority of banks and thrifts in the U.S. calculate their minimum capital requirements. This framework is sometimes referred to as Basel I-A because it is anticipated to apply to banks that do not adopt the international Basel II Capital Accord. That standard, which is expected to only cover the largest and most complex banks and thrifts in the U.S., is moving through a separate rulemaking process, with a proposed rule targeted to become available the 1st quarter of 2006.

The Basel II standard is intended to strengthen the regulation of large, complex banking companies by making their capital requirements more sensitive to changes in risk. The prospect of reductions in risk-based capital requirements under the Basel II standard has given rise to competitive equity concerns among smaller banks and thrifts. The ANPR that the Board approved today is intended, in part, to provide these institutions an opportunity to comment formally about these competitive issues, and what the federal banking regulators should do about them.




 FDIC : Relationship Manager Program, Enhancements to the Supervision Program

Summary: On September 30, 2005, the FDIC implemented the Relationship Manager Program (RMP) for all FDIC-supervised financial institutions. The RMP is designed to strengthen lines of communication between bankers and the FDIC, as well as improve the coordination, continuity and effectiveness of FDIC supervision.

Highlights:
All FDIC-supervised institutions will be assigned a relationship manager who will serve as a local point-of-contact.





 Federal Banking Agencies Request Comment on Suggested Domestic Risk-Based Capital Modifications

The four federal banking agencies--the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision--today published an interagency advance notice of proposed rulemaking (ANPR) regarding potential revisions to the existing risk-based capital framework. These changes would apply to banks, bank holding companies, and savings associations.





 Guidance on Implementing an Effective Ethics Program

The FDIC is providing the attached guidance to financial institutions to remind them of the importance of an effective internal corporate code of conduct or written ethics policy.




 FDIC's Report on Phishing Scams

The FDIC has created this webpage to inform and warn consumers about a type of fraud called “phishing.” The term "phishing" – as in fishing for confidential information - refers to a scam that encompasses fraudulently obtaining and using an individual's personal or financial information.




 Federal Bank Regulatory Agencies Jointly Issue Interagency Guidance on Response Programs for Security Breaches

The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.

The guidance interprets the agencies’ customer information security standards and states that financial institutions should implement a response program to address security breaches involving customer information.

The response program should include procedures to notify customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer.

The guidance provides that, "when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused."




 Latest FDIC Findings on Identity Theft Suggest Need for New Safeguards for Internet Banking

"User names" and passwords should be supported in Internet banking transactions with new and better ways of identifying real customers from fraud artists trying to "highjack" bank accounts, according to an update on identity theft from the Federal Deposit Insurance Corporation (FDIC).

"Identity theft, particularly account hijacking, continues to grow as a problem for the financial services industry and for consumers," said FDIC Chairman Don Powell. "Our review illustrates that ID theft is evolving in more complicated ways and that more can and should be done to make online banking more secure."

The new findings are in a supplement to an FDIC study issued in December about ways to fight "phishing" scams, in which criminals send fraudulent e-mails to trick consumers into providing confidential financial information that can lead to illegal access to bank accounts. The supplement reviews and responds to public comments that the FDIC received about the original study, identifies the most recent trends in identity theft, and discusses a variety of new technologies that could be used to make Internet banking more secure.

In the latest findings, the FDIC concluded that the risk assessment financial institutions are required to perform regarding information security also should address customer authentication. The supplement also said that if an institution offers Internet banking, it has an obligation to properly secure that delivery channel. This extra level of security for online accounts, often referred to as "multifactor authentication," would be used in addition to the traditional passwords. These new security features may include "tokens" issued to customers that generate new passwords every 60 seconds, software that can identify the computer that a customer uses to access online accounts, or contacting a customer by phone to make sure that he or she is the one attempting to access the account.







Copyright © 2007 BankInfoSecurity.com