The Federal Deposit Insurance Corporation (FDIC) today approved the final rule implementing the Advanced Approaches of the Basel II Capital Accord. The new rules are a significant change in regulatory practice, in that they require some large banks to calculate capital requirements using their own internal, model-driven risk estimates.
The Federal Reserve Board on Friday approved final rules to implement new risk-based capital requirements in the United States for large, internationally active banking organizations. The new advanced capital adequacy framework, known as Basel II, more closely aligns regulatory capital requirements with actual risks and should further strengthen banking organizations’ risk-management practices.
The Office of Thrift Supervision (OTS) today urged thrifts in areas affected by Southern California wildfires to consider all reasonable steps to meet customers’ financial needs. OTS will work with thrifts to identify ways to assist in the recovery efforts of their customers and communities. To facilitate recovery efforts while maintaining standards of safety and soundness, OTS encourages all thrifts in affected areas
This GAO announcement has highlights of GAO-08-36, a report to congressional requesters. An outbreak of pandemic flu would require close cooperation between the public and private sectors to ensure the protection of our nation’s critical infrastructure, such as drinking water and electricity. Because over 85 percent of the nation’s critical infrastructure is owned and operated by the private sector, it is vital that both sectors effectively coordinate to successfully protect these assets. The Department of Homeland Security (DHS) is responsible for coordinating a national protection strategy and government and private sector councils have been created as a collaborating tool. GAO was asked to assess how the federal and private sectors are working together at a national level to protect the nation’s critical infrastructure in the event of a pandemic, the challenges they face, and opportunities for addressing these challenges. GAO reviewed 5 of the 17 critical infrastructure sectors. These 5 sectors are energy (electricity), food and agriculture, telecommunications, transportation (highway and motor carrier), and water.
Summary: The Department of the Treasury's Office of Foreign Assets Control has added new entries to its Specially Designated Nationals and Blocked Persons list.
The federal financial institution regulatory agencies and the Federal Trade Commission have sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft
DRAFT SP 800-39, Managing Risk from Information Systems: An Organizational Perspective
NIST announces the release of the initial public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective.
The National Credit Union Administration (NCUA) has activated its disaster relief policy to assist credit unions and their members affected by the wildfires in California. President George W. Bush has declared an emergency exists in the state of California and ordered federal aid to supplement state and local response efforts.
Nearly All Participants Find Critical Gaps in Plans
The Treasury Department, the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, and the Securities Industry and Financial Management Association today released the preliminary results of the industry-wide pandemic flu exercise.
Consumers need to keep five tips in mind for managing their checking accounts and safeguarding their funds from unauthorized transfers by criminals, according to a new Federal Reserve Board publication.
The Office of the Comptroller of the Currency today issued a proclamation allowing national bank offices affected by the wildfires in southern California to close at their discretion.
Interfaces for Personal Identity Verification (4 parts): 1 - Card Application Namespace, Data Model & Representation; 2 - Card Application Card Command Interface; 3 - Client Application Programming Interface; 4 - Transitional Interfaces & Data Model
NIST Special Publication 800-73-2, Interfaces for Personal Identity Verification, is now available for a 30-day public comment period.
DRAFT NIST IR 7328: Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems
NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems.
The FDIC Advisory Committee on Economic Inclusion (ComE-IN) will convene on October 24 to examine money services businesses (MSBs) and their access to banking services. The committee will hear from experts on the challenges facing the MSB industry as well as from bankers who have successful relationships with MSBs.
What GAO Found
The inherent problems of measuring the costs and benefits of regulation make it difficult to assess the extent to which regulations may be unduly burdensome to U.S. financial services firms, particularly in comparison to firms in other countries.
NIST announces the release of five publications: Draft SP 800-110, Information System Security Reference Model, Special Publication (SP) 800-44 version 2, Guidelines on Securing Public Web Servers, Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security, Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide, and Draft SP 800-82, Guide to Industrial Control Systems (ICS) Security.
The federal bank and thrift agencies issued final rules on Friday expanding the range of small institutions eligible for an extended 18-month on-site examination cycle. The final rules allow well-capitalized and well-managed banks and savings associations with up to $500 million in total assets and a composite CAMELS rating of 1 or 2 to qualify for an 18-month (rather than a 12-month) on-site examination cycle.
Summary: The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Illinois that suffered major damage from storms and flooding.
Summary: In an update to FIL-75-2007, the Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in additional areas of Ohio and Wisconsin that are suffering from storms and flooding.
Summary: In an update to FIL-61-2007 and FIL-68-2007, the Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in additional areas of Oklahoma that are suffering from storms and flooding.
Summary: The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Minnesota, Wisconsin and Ohio that have suffered major damage from storms and flooding.
Fraudulent letters claiming to be from the Office of the Comptroller of the Currency are being sent to U.S. bank customers in an attempt to elicit funds. The Office of the Comptroller of the Currency (OCC) has notified the Federal Deposit Insurance Corporation (FDIC) that fraudulent letters are in circulation that concern the release of funds supposedly under the control of the International Monetary Unit (IMU) of the European Commission in Belgium. The letter is being sent to U.S. bank customers and indicates that in accordance with international monetary policy, monies are being held until the recipient can produce the necessary documents, which include a Money Laundering/Drug Free Clearance Certificate and an Anti-Terrorist Clearance and Capital Transfer Certificate. According to the European Commission's recent warning, victims are directed to pay approximately $25,000 (U.S. dollars) to obtain these bogus documents.
In an update to FIL-61-2007, dated July 6, 2007, the Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in additional areas of Texas and Oklahoma that are suffering from storms and flooding. Highlights: * Severe storms, tornadoes and flooding have caused significant damage to areas of Texas and Oklahoma. * In Texas, 33 counties have now been declared federal disaster areas, with the addition of Guadalupe, Henderson, Nueces, Van Zandt, Walker and Zavala counties on August 7, 2007.
The Office of the Comptroller of the Currency is encouraging national banks to participate in a U.S. Treasury-sponsored exercise that is intended to test the financial sector’s ability to respond to a pandemic-like crisis, such as an influenza pandemic. The exercise provides an excellent opportunity for organizations to test their pandemic plans and to identify opportunities for improvement,
NIST announces that the following draft Special Publications (SP) are now available for public comment: SP 800-113, Guide to SSL VPNs.
NIST announces that the following draft Special Publications (SP) are now available for public comment: SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth.
NIST is pleased to announce the release of Special Publication 800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been modified to enhance interoperability, simplify the development of relying party applications, and enhance alignment with the National Security Agency's Suite B Cryptography.
This alert is about fraudulent correspondence regarding the release of funds supposedly under the control of the International Monetary Unit (IMU) of the European Commission (EC) in Belgium. Correspondence, allegedly issued by the Office of the Comptroller of the Currency (OCC) regarding restricted funds purportedly under the control of the European Commission, is in circulation. The item is a hoax. Attached is a copy of this fraudulent correspondence, which is being sent to United States bank customers in an attempt to elicit funds from them. This letter indicates that, in accordance with international monetary policy, monies are being held until the recipient can produce the necessary documents, which include a Money Laundering/Drug Free Clearance Certificate and an Anti-Terrorist Clearance and Capital Transfer Certificate. According to the European Commission’s recent warning, which can be viewed at EU Warning and is also attached, victims of this fraud are directed to pay approximately $25,000 USD to obtain these bogus documents.
Computer interconnectivity has produced enormous benefits but has also enabled criminal activity that exploits this interconnectivity for financial gain and other malicious purposes, such as Internet fraud, child exploitation, identity theft, and terrorism. Efforts to address cybercrime include activities associated with protecting networks and information, detecting criminal activity, investigating crime, and prosecuting criminals.
FDIC Chairman Sheila C. Bair today commented on an agreement in principle that has been reached between The Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Deposit Insurance Corporation regarding the implementation of Basel II in the United States. The agreement resolves major outstanding issues and will now lead to finalization of a rule implementing the advanced approaches for computing large banks' risk-based capital requirements.
The Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Deposit Insurance Corporation reached an agreement today regarding the implementation of Basel II in the United States. The agreement resolves major outstanding issues and will now lead to finalization of a rule implementing the advanced approaches for computing large banks' risk-based capital requirements.
The Office of the Comptroller of the Currency announced the launch of HelpWithMyBank.gov, a new Web site dedicated to providing answers and assistance to national bank customers. "We created HelpWithMyBank.gov with national bank customers in mind," Comptroller of the Currency John C. Dugan said. "Our goal was to build a site that makes it easier for people to get answers and submit concerns about their bank because we are committed to ensuring fair access to financial services and equal treatment for national bank customers." HelpWithMyBank.gov provides answers to common questions based on thousands of calls made to the OCC Customer Assistance Group each year. While targeted to national bank customers, the site answers many questions common to all banking consumers and provides useful information about contacting regulators of institutions other than national banks.
DHS has issued a national plan aimed at providing a consistent approach to critical infrastructure protection, ensured that all 17 sectors have organized to collaborate on protection efforts, and worked with government and private sector partners to complete all 17 sector-specific plans. Nevertheless, our work has shown that sectors vary in terms of how complete and comprehensive their plans are. Furthermore, DHS recognizes that the sectors, their councils, and their plans must continue to evolve. As they do, and as the plans are updated and annual implementation reports are provided that begin to show the level of protection achieved, it will be important that the plans and reports add value, both to the sectors themselves and to the government as a whole. This is critical because DHS is dependent on these plans and reports to meet its mandate to evaluate whether gaps exist in the protection of the nation’s most critical infrastructure and key resources and, if gaps exist, to work with the sectors to address them.
The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Oklahoma and Texas that suffered major damage from storms and flooding that started in May and continued through June
The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of Nebraska, Missouri and Kansas that suffered major damage from storms and flooding that started in May and have continued into early July
The following GAO report highlights GAO-07-737, a report to congressional requesters. In recent years, many entities in the private, public, and government sectors have reported the loss or theft of sensitive personal information.
Fraudulent correspondence bearing the FDIC's name continues to be mailed, faxed and e-mailed. This correspondence is being used in illegal schemes to collect sensitive personal information, such as bank account numbers, and to steal money and other assets.
The Office of the Comptroller of the Currency reports fraudulent letters that appear to be faxed by the Federal Deposit Insurance Corporation are circulating to financial institutions worldwide.
In February 2007, the GAO issued its opinions on the calendar year 2006 financial statements of the Deposit Insurance Fund (DIF) and the FSLIC Resolution Fund (FRF). It also issued its opinion on the effectiveness of the Federal Deposit Insurance Corporation’s (FDIC) internal control over financial reporting (including safeguarding assets) and compliance as of December 31, 2006, and its
Starting July 9, 2007, the FDIC will provide participating state bank regulators access to the FDICconnect Examination File Exchange system.
FDIC Chairman Sheila C. Bair today issued the following statement about Treasury Secretary Henry Paulson’s Remarks on Protecting the Financial System and Effective Implementation of the Bank Secrecy Act at the offices of the Financial Crimes Enforcement Network (FinCEN).
The National Institute of Standards and Technology (NIST) announces the release of Draft Federal Information Processing Standard (FIPS) 180-3 Publication, Secure Hash Standard (SHS).
The National Institute of Standards and Technology (NIST) announces the release of Draft Federal Information Processing Standard (FIPS) 198-1 Publication, The Keyed-Hash Message Authentication Code (HMAC).
The Financial Crimes Enforcement Network issued today the latest edition of the SAR Activity Review – By The Numbers that introduces a number of visual enhancements aimed at providing financial institutions with more information on the geographical dispersion of the Suspicious Activity Report filings.
Topics addressed in this issue include: A discussion of the risks associated with third-party relationships and the effect failure to manage those risks can have on a financial institution An overview of factors that have led to an increase in mortgage fraud, highlights of actual mortgage fraud cases in FDIC-insured institutions and mitigation steps t
How banks can manage risks associated with third-party arrangements for products and services is reported in the FDIC's summer 2007 issue of Supervisory Insights, released today. Other topics covered are the need for vigilance toward mortgage fraud, challenges in maintaining wind insurance, the electronic exchange of documentation in bank examinations, and recent decisions affecting the accounting for split-dollar life insurance.
The Office of the Comptroller of the Currency will host workshops for national community bank directors at the Arrowwood Conference Center, Alexandria, Minnesota, July 10-12. The workshops provide practical information that expands bank directors' skills and understanding of issues facing their banks.
Comptroller of the Currency John C. Dugan testified before Congress that current credit card disclosure rules should be changed to improve consumers’ ability to make well-informed decisions about the credit cards they choose.
Statement Of Sheila C. Bair, Chairman, Federal Deposit Insurance Corporation on Improving Credit Card Consumer Protection: Recent Industry And Regulatory Initiatives before the Subcommittee On Financial Institutions and Consumer Credit of the Financial Services Committee,
Federal agencies have recently reported a spate of security incidents that put sensitive data at risk. Personally identifiable information about millions of Americans has been lost, stolen, or improperly disclosed, thereby exposing those individuals to loss of privacy, identity theft, and financial crimes.
Fraudulent correspondence regarding the release of funds supposedly under the control of Office of the Comptroller of the Currency (OCC) officials.
Fraudulent letters that claim to be from the FDIC are being faxed to financial institutions. The letters request that the financial institution provide a copy of its certification of foreign correspondent accounts.
Comptroller of the Currency John C. Dugan recently established the Enterprise Governance unit to support the Office of the Comptroller of the Currency’s strategic planning, risk management, quality management, assurance testing, and business process improvement efforts.
On December 21, 2006, the Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) was revised. The revisions are the result of their continuing efforts to reduce paperwork and respondent burden. The form was revised and reformatted to standardize suspicious activity reports, enhance the clarity of instructions, allow for joint filing of Suspicious Activity Reports, and to improve the usefulness of the Suspicious Activity Report to law enforcement.
This bulletin is intended to provide guidance to national banks on a number of disclosure and marketing issues presented by gift cards, so that national banks that issue gift cards do so in a manner in which both purchasers and recipients of gift cards are fully informed of the terms and conditions of the product. A gift card is a type of prepaid or stored value card that is designed to be purchased by one consumer (purchaser) and presented as a gift to a second consumer (recipient). The terms and conditions of different gift card products can vary significantly, but gift cards are generally divided into two main categories: retail gift cards and bank-issued gift cards.
The following items were recently posted to the Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG) Web site: http://www.fdicig.gov/ under Publications. In cases where an OIG report includes sensitive or confidential information, the OIG may redact certain information in the report, and the report will be marked as such. In some instances because of the highly sensitive nature of the entire report, the OIG may not make the report publicly available and instead, a brief summary of the report is posted to the Web site.
The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in areas of South Dakota that suffered major damage from storms and flooding, which started on May 4, 2007.
Banker Education Announcement
This is a reminder about the Office of the Comptroller of the Currency’s workshops for national community bank directors. Our next workshop on credit risk will be held in Cape May, New Jersey at the historic Congress Hall Hotel. Set amidst a sweeping lawn overlooking the Atlantic Ocean, this hotel is a classic in America’s oldest seashore resort town. Workshops cost $65 each. Attendees receive a pre-course reading package, course materials, an OCC telephone seminar CD, other appropriate superviso
The U.S. Departments of Treasury, Justice, and Homeland Security have jointly released the 2007 National Money Laundering Strategy, which responds directly to the first U.S. Money Laundering Threat Assessment, released in December 2005.
Highlights of GAO-07-351, a report to the Chief Financial Officer and Chief Operating Officer, Federal Deposit Insurance Corporation
The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. As part of its audit of the calendar year 2006 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of FDIC’s system integrity controls to protect the confidentiality and availability of its financial information and information systems. To do this, GAO examined pertinent security policies, procedures, and relevant reports. In addition, GAO conducted tests and observations of controls
FinCEN has issued a SAR Activity Review report for financial institutions to use. Click to read the SAR Activity Review: Trends, Tips and Issues Update.
United States Department of the Treasury Financial Crimes Enforcement Network FinCEN Advisory
Subject: Transactions Involving Nigeria
This Advisory is being issued to inform banks and other financial institutions operating in the United States that Financial Crimes Enforcement Network (FinCEN) Advisory Issue 32, regarding the Federal Republic of Nigeria, is hereby withdrawn.
Since the issuance of Advisory 32, and as reflected in its June 23, 2006 decision, the Financial Action Task Force on Money Laundering has removed Nigeria from its list of countries that are non-cooperative in the fight against money laundering, recognizing the progress Nigeria has made in implementing anti-money laundering reforms. Nigeria has enacted significant reforms to its counter-money laundering system, addressing the deficiencies listed in Advisory 32, and has taken concrete steps to bring these reforms into effect. Because of the enactment of new laws and the beginning of effective implementation, the enhanced scrutiny called for in Advisory 32 with respect to transactions invol
The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in Kiowa County, Kansas, which suffered major damage from tornadoes on May 4, 2007.
The U.S. Departments of Treasury, Justice, and Homeland Security joined together in issuing the 2007 National Money Laundering Strategy, a report detailing continued efforts to dismantle money laundering and terrorist financing networks and bring these criminals to justice. "The 2007 National Money Laundering Strategy is a direct result of close cooperation by the Departments of Justice, Treasury and Homeland Security, along with our foreign counterparts, and signifies our collective commitment to fight money laundering," said Assistant Attorney General Alice S. Fisher of the Justice Department's Criminal Division. "Implementation of this strategy will greatly assist in efforts to seize and forfeit millions in illegal proceeds that flow through the international financial system."
FINANCIAL MARKET PREPAREDNESS: Significant Progress Has Been Made, but Pandemic Planning and Other Challenges Remain
Highlights of GAO-07-399, a report to congressional requesters
This is GAO’s third report since the September 11 terrorist attacks that assesses progress that market participants and regulators have made to ensure the security and resiliency of our securities markets. This report examined (1) actions taken to improve the markets’ capabilities to prevent and recover from attacks; (2) actions taken to improve disaster response and increase telecommunications resiliency; and (3) financial regulators’ efforts to ensure market resiliency. GAO inspected physical and electronic security measures and business continuity capabilities using regulatory, government, and industry-established criteria and discussed improvement efforts with broker dealers, banks, regulators, telecommunications carriers, and trade associations.
What GAO Recommends
To improve the readiness of the securities markets to withstand potential disease pandemics, securities and banking regulators should consider taking additional actions, including providing formal expectations that market participants’ plans address even severe pandemic outbreaks and setting a date by which such plans should be completed. Banking and securities regulators indicated they believe organizations are adequately addressing this risk, but will consider taking the recommended actions if progress lags. GAO believes that giving greater consideration now would better assure market readiness.
Letters fraudulently claiming to be from the FDIC are requesting that financial institutions deposit official or cashier's checks into customer accounts.
The Federal Deposit Insurance Corporation (FDIC) has become aware of letters that appear to be sent from the FDIC to financial institutions in the United States and other countries. The letters instruct the financial institution to deposit an enclosed official or cashier's check into a customer's account. The letters include "DEPOSIT ACCLERATION" directly below the letterhead and display the forged signatures of "Sandra L. Thompson, Director" and "Christopher J. Spoth, Acting Director 2." The letters are fraudulent and were not sent by the FDIC.
The Financial Crimes Enforcement Network (FinCEN) today filed a Federal Register notice announcing the delayed implementation of certain revised Suspicious Activity Report (SAR) forms that were scheduled to become effective on June 30, 2007. The agency is withdrawing this effective date for the revised SAR forms for depository institutions, casinos and card clubs, insurance companies, and the securities and futures industries. FinCEN will establish new effective and mandatory compliance dates for these revised forms in a future notice. The delay does not impact ongoing suspicious activity reporting, which will continue using the current forms.
President Bush's Identity Theft Task Force today released its strategic plan for combating identity theft, the top consumer fraud reported to the Federal Trade Commission. It is an identity theft road map of the planned actions of the 17-agency task force. Treasury Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy D. Scott Parsons, who led the Department's efforts with the task force, released the following statement today.
The Federal Deposit Insurance Corporation (FDIC), a participant in the government-wide Identity Theft Task Force, will provide a direct link to the new, centralized government Web site on identity theft.
The new site, www.idtheft.gov, was launched today. Initially, the site will provide the Task Force's Strategic Plan. The Plan, which represents the input of 17 Federal agencies, including the FDIC, sets out recommendations to prevent identity theft, to assist identity theft victims in recovering from those crimes, and to prosecute and punish identity theft-related criminals. The Plan will be made public today. The task force was created on May 10, 2006, by Executive Order to strengthen Federal efforts to protect against identity theft.
For more information on the site, you can visit either www.idtheft.gov or www.fdic.gov.
The Federal Deposit Insurance Corporation (FDIC) has announced a series of steps intended to provide regulatory relief to financial institutions and to facilitate recovery in counties most affected by recent severe storms and tornadoes in eastern New Mexico. Highlights:
* Severe storms and tornadoes that occurred on March 23 and 24 have resulted in significant damage in Curry County and Quay County, New Mexico.
* Curry County and Quay County were declared Federal Disaster Areas on April 2.
* The FDIC is encouraging banks to work constructively with borrowers who are experiencing difficulties beyond their control because of damage caused by the storms.
* Extending repayment terms, restructuring existing loans or easing terms for new loans, if done in a manner consistent with sound banking practices, can contribute to the health of the community and serve the long-term interests of the lending institution.
* The FDIC will also consider regulatory relief from certain filing and publishing requirements for banks in the affected areas.
Why GAO Did This Study For many years, GAO has reported that weaknesses in information security are a widespread problem with potentially devastating consequences—such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information. In reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue.
In its decision today in the Watters vs. Wachovia Bank case, the Supreme Court held that federal preemption standards applicable to national banks extend to activities conducted through their operating subsidiaries. Specifically, the Court held that a national bank’s mortgage business, whether conducted by the bank itself or through the bank’s operating subsidiary, is subject to the OCC’s supervision and regulation, and not to state licensing, reporting, and visitorial regimes. We are pleased that the Court’s decision supports the ability of national banks to continue to conduct business activities in their operating subsidiaries as they are now doing.
Summary: The FDIC, the other federal financial institution regulatory agencies, the Securities and Exchange Commission, the Federal Trade Commission, and the Commodity Futures Trading Commission (the agencies) have jointly published the attached Notice of Proposed Rulemaking (NPR) seeking comment on a model privacy form that financial institutions could use to satisfy the privacy notice requirements of the Gramm-Leach-Bliley Act (GLBA). The proposed privacy form would also provide consumers with the opportunity to limit certain information-sharing practices, as permitted by the GLBA and the Fair Credit Reporting Act. Comments on the proposed rule are due by May 29, 2007.
Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly. This policy statement describes the characteristics of identity theft and emphasizes the FDIC's well-defined expectations that institutions under its supervision detect, prevent and mitigate the effects of identity theft in order to protect consumers and help ensure safe and sound operations.
The Office of the Comptroller of the Currency will host a compliance risk workshop for national community bank directors at the Omni Charlottesville Hotel, Charlottesville, Virginia, May 2. The workshop entitled, "Compliance Risk: What Directors Need to Know," provides practical information that expands bank directors' skills and understanding of issues facing their banks.
The federal bank and thrift agencies on Tuesday requested public comment on proposed interim rules expanding the range of small institutions eligible for an extended 18-month on-site examination cycle. The proposed interim rules allow well-capitalized and well-managed banks and savings associations with up to $500 million in total assets and a composite CAMELS rating of 1 or 2 to qualify for an 18-month (rather than a 12-month) on-site examination cycle. Until recently, only institutions with less than $250 million in total assets could qualify for an extended 18-month on-site examination cycle. The proposed interim rules also revise the provisions governing the on-site examination cycle for the U.S. branches and agencies of foreign banks.
Because of the integration of voice and data in a single network, establishing a secure VOIP and data network is a complex process that requires greater effort than that required for data-only networks. In particular, start with these general guidelines, recognizing that practical considerations, such as cost or legal requirements, may require adjustments for the organization: 1. Develop appropriate network architecture. • Separate voice and data on logically different networks if feasible. Different subnets with separate RFC 1918 address blocks should be used for voice and data traffic, with separate DHCP servers for each, to ease the incorporation of intrusion detection and VOIP firewall protection.
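The subnet-separation guideline above, as an added example that is not part of the original guidance: the script checks that the voice and data blocks are both RFC 1918 space and do not overlap, then scans flow records for traffic that crosses directly between the two segments instead of passing through the VOIP firewall. The subnets, the firewall address and the flow records are assumptions constructed for illustration.

```python
"""Added example: validate a voice/data addressing plan and flag flows that
cross between the two segments without going through the VoIP firewall.
Subnets, firewall address and flow records are assumptions."""
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed addressing plan: one private block per segment, each with its own DHCP scope.
VOICE_NET = ipaddress.ip_network("10.10.0.0/16")
DATA_NET = ipaddress.ip_network("10.20.0.0/16")
# Assumed address of the VoIP firewall / session border controller, the only
# permitted crossing point between the voice and data segments.
VOIP_FIREWALL = "10.10.0.1"


def is_rfc1918(net):
    """True if the whole block lies inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(block) for block in RFC1918)


def validate_segmentation(voice, data):
    """Return a list of problems with the addressing plan; an empty list means
    both blocks are RFC 1918 space and do not overlap."""
    voice = ipaddress.ip_network(voice)
    data = ipaddress.ip_network(data)
    problems = []
    for name, net in (("voice", voice), ("data", data)):
        if not is_rfc1918(net):
            problems.append(f"{name} network {net} is not an RFC 1918 block")
    if voice.overlaps(data):
        problems.append(f"voice {voice} and data {data} overlap")
    return problems


def segment_of(ip, voice=VOICE_NET, data=DATA_NET):
    """Classify an address as 'voice', 'data' or 'other'."""
    addr = ipaddress.ip_address(ip)
    if addr in voice:
        return "voice"
    if addr in data:
        return "data"
    return "other"


def cross_segment_flows(flows, allowed=(VOIP_FIREWALL,)):
    """Given (src, dst, dst_port) records, return those that cross directly
    between the voice and data segments, i.e. without touching an allowed
    crossing point such as the VoIP firewall."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    hits = []
    for src, dst, dport in flows:
        ends = {segment_of(src), segment_of(dst)}
        if ends != {"voice", "data"}:
            continue  # same segment, or one end is outside both segments
        if ipaddress.ip_address(src) in allowed or ipaddress.ip_address(dst) in allowed:
            continue  # went through the firewall: permitted crossing
        hits.append((src, dst, dport))
    return hits


# Constructed flow records (src, dst, dst_port), as a switch or sensor might export them.
SAMPLE_FLOWS = [
    ("10.20.5.7", "10.20.0.53", 53),      # data -> data DNS: fine
    ("10.10.3.4", "10.10.0.10", 5060),    # voice -> voice SIP: fine
    ("10.20.5.7", "10.10.0.1", 5060),     # data -> VoIP firewall: permitted crossing
    ("10.20.5.7", "10.10.3.4", 5060),     # data host talking SIP straight to a phone: flag
    ("10.10.3.4", "10.20.9.9", 445),      # phone opening SMB to a data host: flag
    ("10.10.3.4", "203.0.113.5", 5060),   # voice -> external: not a voice/data crossing
]

if __name__ == "__main__":
    print("plan problems:", validate_segmentation("10.10.0.0/16", "10.20.0.0/16"))
    for hit in cross_segment_flows(SAMPLE_FLOWS):
        print("unexpected voice/data crossing:", hit)
```

Any flow the function reports is either a misconfigured host, a missing firewall rule, or an intrusion detection hit worth investigating; the firewall exemption is what turns the guideline's "logically separate" into something a sensor can enforce.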
Highlights: - Severe thunderstorms and tornadoes have resulted in significant damage in Sumter County, Georgia, and Coffee County, Alabama. - The FDIC is encouraging banks to work constructively with borrowers who are experiencing difficulties beyond their control because of damage caused by the storms. - Extending repayment terms, restructuring existing loans or easing terms for new loans, if done in a manner consistent with sound banking practices, can contribute to the health of the community and serve the long-term interests of the lending institution. - The FDIC will also consider regulatory relief from certain filing and publishing requirements.
The government’s interest in using technology to detect terrorism and other threats has led to increased use of data mining. A technique for extracting useful information from large volumes of data, data mining offers potential benefits but also raises privacy concerns when the data include personal information. GAO was asked to review the development by the Department of Homeland Security (DHS) of a data mining tool known as ADVISE (Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement). Specifically, GAO was asked to determine (1) the tool’s planned capabilities, uses, and associated benefits and (2) whether potential privacy issues could arise from using it to process personal information and how DHS has addressed any such issues. GAO reviewed program documentation and discussed these issues with DHS officials.
The Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced Thursday that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) has been revised to support a new joint filing initiative, which will reduce the number of duplicate SARs filed for a single suspicious transaction. The revisions are the result of a joint effort by FinCEN and the federal banking agencies.
Eight federal regulators on Wednesday released a notice of proposed rulemaking (NPR) requesting comment on a model privacy form that financial institutions can use for their privacy notices to consumers required by the Gramm-Leach-Bliley Act (GLB Act). The privacy notices must describe an institution's information sharing practices, and, for certain types of sharing, consumers have the right to opt out. The notices must be provided when a consumer first becomes a customer of a financial institution and then annually for as long as the customer relationship lasts. Last October, President Bush signed into law the Financial Services Regulatory Relief Act of 2006, amending the GLB Act to require the agencies to propose a model form that is succinct and comprehensible to consumers, allows consumers easily to compare privacy practices of financial institutions, and uses easily readable type font.
On December 21, 2006, the Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) was revised. The revisions are the result of their continuing efforts to reduce paperwork and respondent burden. The form was revised and reformatted to standardize suspicious activity reports, enhance the clarity of instructions, allow for joint filing of Suspicious Activity Reports, and to improve the usefulness of the Suspicious Activity Report to law enforcement.
Kmart Corporation has agreed to settle Federal Trade Commission charges that it engaged in deceptive practices in advertising and selling its Kmart gift card. As part of the settlement, Kmart will implement a refund program and publicize it on its Web site. This is the agency’s first law enforcement action involving gift cards. “Consumers have a right to know when gift cards come with strings attached,” FTC Chairman Deborah Platt Majoras said. “If fees or restrictions apply, gift card issuers must fully and clearly disclose them.”
This bulletin is intended to provide guidance to national banks on a number of disclosure and marketing issues presented by gift cards, so that national banks that issue gift cards do so in a manner in which both purchasers and recipients of gift cards are fully informed of the terms and conditions of the product. A gift card is a type of prepaid or stored value card that is designed to be purchased by one consumer (purchaser) and presented as a gift to a second consumer (recipient). The terms and conditions of different gift card products can vary significantly, but gift cards are generally divided into two main categories: retail gift cards and bank-issued gift cards.
In the first 10 months of 2006, over half of the 213 information security breaches reported by financial institutions to the FDIC involved technology service providers (TSP). In accordance with federal laws and regulations, financial institutions must safeguard sensitive customer information against unauthorized disclosure when outsourcing various information technology (IT) operations to TSPs. Interagency guidelines contained in Part 364 of the FDIC Rules and Regulations establish key controls over TSPs, noting that each bank shall (1) exercise due diligence in selecting TSPs, (2) have contractual arrangements with their TSPs that require appropriate measures to safeguard customer information, and (3) provide ongoing monitoring of TSPs to ensure they have satisfied their contractual obligations.
The Office of the Comptroller of the Currency (OCC) has been informed by the Committee on Financial Services of the U.S. House of Representatives that fraudulent correspondence, including e-mails, referring to the Committee and making use of the Committee’s letterhead is in circulation. The communications inform potential victims that they are due to receive large sums of money from an inheritance, but that they must first pay a large fee through lawyers to the Financial Services Committee in order to verify that the funds are not tied to terrorist financing. The Financial Services Committee does not require any person to obtain what the con-artists are calling a “Clean Bill of Record” for receiving inheritance money.
The Office of the Comptroller of the Currency today announced its schedule of workshops for national community bank directors. This year the OCC has added a workshop for community bank directors entitled "A New Director’s Challenge: Mastering the Basics." This two-day program, scheduled in Washington D.C., April 16-18, is geared primarily to directors with less than three years of experience. The workshop should be particularly valuable to directors of new national banks, many of whom are also new to the industry.
Purpose and Scope This document outlines the Office of Thrift Supervision’s (OTS’s) supervisory expectations for savings associations’ gift card programs. The purpose of this guidance is to ensure adequate account administration, marketing, and consumer disclosure practices for gift card programs; to encourage more uniform practices among the thrift institutions that offer gift card programs; and to promote consumer protection while continuing to encourage product innovation. Background A gift card is a payment card with a preloaded value that one consumer typically gives to another as a gift. Like a gift certificate, a consumer may use a gift card to purchase goods or services from one or more merchants.
Comptroller of the Currency John C. Dugan told an audience of bank risk managers today that, because their goals are so closely aligned to those of the regulators, the regulations and guidance issued by the agencies can support them in meeting their firms’ objectives. For example, he said, regulators can highlight concerns that are important to risk managers, but which others in the bank might prefer to ignore for competitive reasons. An example is the interagency guidance on non-traditional mortgages, which establishes expectations for prudent underwriting, taking into account some of the unique features and risks these products present.
The Federal Deposit Insurance Corporation (FDIC) recognizes the serious impact of the recent severe storms and tornadoes in central Florida on the operations of financial institutions and will provide regulatory assistance to institutions subject to its supervision. These initiatives are being taken to provide regulatory relief and facilitate recovery. The FDIC encourages depository institutions in the affected disaster areas to meet the financial service needs of their communities.
E-mails fraudulently claiming to be from the FDIC or VeriSign, Inc. are attempting to deceive financial institutions into installing unknown software on their computer networks. The Federal Deposit Insurance Corporation (FDIC) has become aware of e-mails that appear to be sent from the FDIC or VeriSign, Inc. and ask recipients to run a "security guard script" to secure Web sites. Currently, the e-mails are purportedly from "FDIC Legal Information Technology," "FDIC Information Security," or "Verisign Inc." and the subject lines include the phrase "Regular Security Maintenance" or "Regular Hosting Security Maintenance." The e-mails are fraudulent and were not sent by the FDIC or VeriSign, Inc.
A wireless local area network (WLAN) enables access to computing resources for devices that are not physically connected to a network. WLANs typically operate over a fairly limited range, such as an office building or building campus, and usually are implemented as extensions to existing wired local area networks to enhance user mobility. This guide seeks to assist organizations in better understanding the most commonly used family of standards for WLANs—Institute of Electrical and Electronics Engineers (IEEE) 802.11—focusing on the security enhancements introduced in the IEEE 802.11i amendment. In particular, this guide explains the security features and provides specific recommendations to ensure the security of the operating environment.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
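The detection-versus-prevention distinction above, as an added example that is not part of the original publication: a small sliding-window detector reads SSH authentication log lines, raises an alert when one source fails repeatedly inside a short window, and, depending on the mode, either only logs and reports (intrusion detection) or adds the source to a block list so that its later events are dropped (intrusion prevention). The log format, the threshold, the window and the addresses are assumptions constructed for illustration, not the format of any particular product.

```python
"""Added example: a minimal intrusion detection / prevention loop over SSH
authentication log lines. Log format, threshold and addresses are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp> sshd[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    for kind, rx in (("fail", FAIL_RE), ("ok", OK_RE)):
        hit = rx.search(m["msg"])
        if hit:
            return {"ts": ts, "kind": kind, "user": hit["user"], "ip": hit["ip"]}
    return None


class Detector:
    """Sliding-window brute-force detector.

    prevent=False behaves as an IDS: incidents are logged and reported only.
    prevent=True behaves as an IPS: a source that trips the threshold is put
    on a block list and its later events are reported as dropped."""

    def __init__(self, threshold=3, window_seconds=60, prevent=False):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.prevent = prevent
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.flagged = set()                 # ips that have tripped the threshold
        self.blocked = set()                 # ips the IPS now drops
        self.alerts = []                     # (kind, ip, action) tuples

    def feed(self, line):
        ev = parse_line(line)
        if ev is None:
            return
        ip = ev["ip"]
        if ip in self.blocked:
            self.alerts.append(("dropped_from_blocked_source", ip, "drop"))
            return
        if ev["kind"] == "fail":
            q = self.failures[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > self.window:
                q.popleft()   # forget failures older than the window
            if len(q) >= self.threshold and ip not in self.flagged:
                self.flagged.add(ip)
                if self.prevent:
                    self.blocked.add(ip)
                    self.alerts.append(("brute_force", ip, "block"))
                else:
                    self.alerts.append(("brute_force", ip, "log"))
        elif ev["kind"] == "ok" and ip in self.flagged:
            # A success right after a burst of failures is the incident an IDS
            # most needs to surface: the guessing may have paid off.
            self.alerts.append(("success_after_brute_force", ip, "log"))


def run(lines, prevent=False, threshold=3, window_seconds=60):
    """Feed every line through one Detector and return its alerts."""
    det = Detector(threshold, window_seconds, prevent)
    for line in lines:
        det.feed(line)
    return det.alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    "2007-02-12T10:15:01 sshd[2011]: Failed password for invalid user admin from 192.0.2.10 port 40110 ssh2",
    "2007-02-12T10:15:03 sshd[2012]: Failed password for root from 192.0.2.10 port 40112 ssh2",
    "2007-02-12T10:15:05 sshd[2013]: Failed password for root from 192.0.2.10 port 40114 ssh2",
    "2007-02-12T10:15:09 sshd[2014]: Accepted password for root from 192.0.2.10 port 40120 ssh2",
    "2007-02-12T10:20:00 sshd[2020]: Accepted publickey for alice from 10.20.5.7 port 51000 ssh2",
    "2007-02-12T11:00:00 sshd[2101]: Failed password for bob from 198.51.100.4 port 33000 ssh2",
    "2007-02-12T11:00:01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    print("IDS mode:", run(SAMPLE_LOG))
    print("IPS mode:", run(SAMPLE_LOG, prevent=True))
```

The same events produce different records in the two modes: in detection mode the successful root login after three failures is reported as a suspected compromise, while in prevention mode that login never reaches the host and appears only as a dropped attempt. Raising the threshold or shrinking the window illustrates the tuning problem the text alludes to, since with a one-second window the same burst produces no alert at all.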
Electronic mail (email) is perhaps the most popularly used system for exchanging business information over the Internet (or any other computer network). At the most basic level, the email process can be divided into two principal components: (1) mail servers, which are hosts that deliver, forward, and store email; and (2) mail clients, which interface with users and allow users to read, compose, send, and store email. This document addresses the security issues of mail servers and mail clients, including Web-based access to mail. Mail servers and user workstations running mail clients are frequently targeted by attackers. Because the computing and networking technologies that underlie email are ubiquitous and well-understood by many, attackers are able to develop attack methods to exploit security weaknesses. Mail servers are also targeted because they (and public Web servers) must communicate to some degree with untrusted third parties.
PURPOSE This bulletin reminds national banks and their technology service providers of the upcoming change in the schedule for Daylight Saving Time. National banks may be exposed to a variety of risks if they do not prepare their systems to reflect this change. BACKGROUND Daylight Saving Time (DST) in the United States will begin earlier and end later in 2007 than in years past. The Energy Policy Act of 2005, signed into law August 2005, moves the beginning of DST from the first Sunday in April to the second Sunday in March. DST will now end the first Sunday in November instead of the last Sunday in October.
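The rule change described above, as an added example that is not part of the bulletin: the script computes the DST start and end dates under both the pre-2007 rule and the Energy Policy Act rule, counts the days on which the two rules disagree, and audits timestamps that a server reported against the offset the statutory rule requires, which is the check an institution would run on transaction logs from systems that were not patched. The sample records and the Eastern-time standard offset are assumptions constructed for illustration.

```python
"""Added example: DST transition dates under the old and new U.S. rules, and an
audit of reported UTC offsets against the rule in force. Sample records and
the Eastern standard offset (-5) are assumptions."""
from datetime import date, datetime, time, timedelta


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of the month."""
    first = date(year, month, 1)
    offset = (6 - first.weekday()) % 7   # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=offset + 7 * (n - 1))


def last_sunday(year, month):
    """Date of the last Sunday of the month."""
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - 6) % 7)


def dst_bounds(year, rule):
    """(start, end) dates of DST for the year under the given rule."""
    if rule == "old":     # first Sunday in April to last Sunday in October
        return nth_sunday(year, 4, 1), last_sunday(year, 10)
    if rule == "new":     # second Sunday in March to first Sunday in November
        return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    raise ValueError(rule)


def rule_for_year(year):
    """The statutory rule: the Energy Policy Act dates apply from 2007 on."""
    return "new" if year >= 2007 else "old"


def in_dst(utc, std_offset_hours, rule):
    """Whether a UTC instant falls inside DST for a zone with the given standard
    offset. Working in local *standard* time avoids the ambiguous hour: DST
    begins at 02:00 standard time and ends at 02:00 daylight time, which is
    01:00 standard time."""
    local_std = utc + timedelta(hours=std_offset_hours)
    start, end = dst_bounds(local_std.year, rule)
    return datetime.combine(start, time(2)) <= local_std < datetime.combine(end, time(1))


def expected_offset(utc, std_offset_hours, rule=None):
    """UTC offset (hours) the zone should report at this instant."""
    rule = rule or rule_for_year(utc.year)
    return std_offset_hours + (1 if in_dst(utc, std_offset_hours, rule) else 0)


def audit(records, std_offset_hours):
    """records: (UTC ISO timestamp, UTC offset in hours the system reported).
    Returns (timestamp, reported, expected) for every record that disagrees
    with the statutory rule."""
    bad = []
    for stamp, reported in records:
        want = expected_offset(datetime.fromisoformat(stamp), std_offset_hours)
        if reported != want:
            bad.append((stamp, reported, want))
    return bad


def changed_days(year):
    """Number of days in the year on which the old and new rules disagree."""
    old_s, old_e = dst_bounds(year, "old")
    new_s, new_e = dst_bounds(year, "new")
    return (old_s - new_s).days + (new_e - old_e).days


# Constructed records: (UTC timestamp, offset the audited server reported), Eastern zone.
SAMPLE_RECORDS = [
    ("2007-03-10T12:00:00", -5),  # before either rule's start: standard time, fine
    ("2007-03-12T12:00:00", -5),  # new rule already in DST; server still on the old rule
    ("2007-04-02T12:00:00", -4),  # both rules agree: fine
    ("2007-10-30T12:00:00", -5),  # new rule still in DST; server ended DST a week early
    ("2007-11-05T12:00:00", -5),  # after both ends: fine
]

if __name__ == "__main__":
    for rule in ("old", "new"):
        print(rule, [d.isoformat() for d in dst_bounds(2007, rule)])
    print("days affected in 2007:", changed_days(2007))
    print("mismatches:", audit(SAMPLE_RECORDS, -5))
```

For 2007 the two rules differ on 28 days (three weeks in March and April, one week at the end of October and start of November), and any record with a one-hour discrepancy in those windows points at a host or service provider system that still carries the old table.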
Why GAO Did This Study The Federal Deposit Insurance Reform Conforming Amendments Act of 2005 requires GAO to report on the effectiveness of Federal Deposit Insurance Corporation’s (FDIC) organizational structure and internal controls. GAO reviewed (1) mechanisms the board of directors uses to oversee the agency, (2) FDIC’s human capital strategies and how its training initiatives are evaluated, and (3) FDIC’s process for monitoring and assessing risks to the banking industry and the deposit insurance fund, including its oversight and evaluation. To answer these objectives, GAO analyzed FDIC documents, reviewed recommended practices and GAO guidance, conducted interviews with FDIC officials and board members, and conducted site visits to FDIC regional and field offices in three states. What GAO Recommends GAO recommends that FDIC (1) develop outcome-based performance measures for key human capital initiatives and make available such performance results to all employees and (2) develop policies and procedures that define how it will systematically and comprehensively evaluate its risk assessment activities.
If you have a complaint against a thrift institution (or savings association), the Office of Thrift Supervision (OTS) may be able to help. The OTS is an office of the Department of the Treasury that regulates and supervises the nation's thrift industry. The OTS's mission is to ensure the safety and soundness of thrift institutions and their compliance with consumer protection laws. The OTS also supports the important role thrift institutions play as home mortgage lenders and providers of other forms of community credit and financial services. Additionally, the OTS oversees the activities and operations of thrift operating subsidiaries and holding companies that own or control thrift institutions.
The Federal Trade Commission today issued its annual report, "Consumer Fraud and Identity Theft Complaint Data" on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud.
The federal financial regulatory agencies have jointly issued the attached reminder of Supervisory Guidance for Financial Institutions Affected by Hurricane Katrina (Katrina Guidance Reminder). The Katrina Guidance Reminder reemphasizes that working constructively with borrowers is in the long-term best interest of both the financial institution and the customer. Highlights: The Katrina Guidance Reminder recognizes that many communities and families may need an extended period of time to recover from the unprecedented magnitude of the devastation caused by Hurricane Katrina.
The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) standard for Federal Employees and Contractors, Federal Information Processing Standard (FIPS 201), was developed to establish standards for identity credentials. This document, Special Publication 800-76 (SP 800-76), is a companion document to FIPS 201. It describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is high-performance, universal interoperability. For the preparation of biometric data suitable for the Federal Bureau of Investigation (FBI) background check, SP 800-76 references FBI documentation, including the ANSI/NIST Fingerprint Standard and the Electronic Fingerprint Transmission Specification. This document does not preclude use of other biometric modalities in conjunction with the PIV card.
Summary: The FDIC has revised its Compliance Examination Handbook. The new handbook contains the FDIC's compliance examination policies and procedures in effect as of June 2006. It also includes revised Community Reinvestment Act (CRA) examination procedures and performance evaluations. The handbook will be available in electronic format only and can be accessed on the FDIC's Web site at http://www.fdic.gov/regulations/compliance/handbook/index.html.
Hurricanes Katrina and Rita destroyed homes and displaced millions of individuals. While federal and state governments continue to respond to this disaster, GAO has identified significant control weaknesses-specifically in the Federal Emergency Management Agency (FEMA)'s Individuals and Households Program (IHP) and in Department of Homeland Security (DHS)'s purchase card program—resulting in significant fraud, waste, and abuse. In response to the numerous recommendations GAO made, DHS and FEMA have reported on numerous actions taken to address our recommendations. Lessons learned from GAO's prior work can serve as a framework for an effective fraud prevention system for federal and state governments as they consider spending billions more on disaster recovery. These lessons are particularly important because funding that is lost to fraud, waste, and abuse reduces the amount of money that could be delivered to victims in need.
Many consumers have become victims of scams involving a fraudulent cashier's check. A cashier's check is a check that is issued by a bank, and sold to its customer or another purchaser, that is a direct obligation of the bank. Cashier's checks are viewed as relatively risk-free instruments and, therefore, are often used as a trusted form of payment to consumers for goods and services. However, cashier's checks lately have become an attractive vehicle for fraud when used for payments to consumers. Although the amount of a cashier's check quickly becomes "available" for withdrawal by the consumer after the consumer deposits the check, these funds do not belong to the consumer if the check proves to be fraudulent. It may take weeks to discover that a cashier's check is fraudulent. In the meantime, the consumer may have irrevocably wired the funds to a scam artist or otherwise used the funds, only to find out later, when the fraud is detected, that the consumer owes the bank the full amount of the cashier's check that had been deposited.
The Federal Reserve Banks today announced plans to conduct another round of studies to determine the current composition of the nation's retail payments market, including checks, credit and debit cards, and automated clearing house (ACH) transactions. These two studies will build on information gained from similar studies published by the Reserve Banks in 2001 and 2004. "As the nation continues its migration from paper-based to electronic payments, we believe these studies will provide additional insight to help industry participants plan for the future," said Richard Oliver, an executive vice president with the Federal Reserve Bank of Atlanta and the Federal Reserve System's product manager for retail payments.
The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has prepared an assessment of mortgage loan fraud, which it based on its analysis of Suspicious Activity Reports (SARs). Financial institutions offering mortgage loan products may find the assessment useful. The assessment, entitled "Mortgage Loan Fraud," is available on FinCEN's Web site at http://www.fincen.gov/mortage_fraud.html.
The Federal Reserve Board on Friday approved changes to its Policy on Payments System Risk that revise the Board's expectations for systemically important payments and settlement systems subject to its authority and update and clarify the policy with regard to central counterparties. Under the revised policy, systemically important payments and settlement systems subject to the Board's authority are expected to complete and disclose publicly self-assessments against the principles and minimum standards in the policy. The self-assessment should be reviewed and approved by the system's senior management and board of directors upon completion and made readily available to the public. In addition, a self-assessment should be updated following material changes to the system or its environment and, at a minimum, reviewed by the system every two years.
The National Credit Union Administration and the Financial Crimes Enforcement Network today announced that they will jointly host a seminar over the web "BSA: A Year in Review and Setting the Table for 2007." The seminar, known as a webinar, will take place on Tuesday, February 6, 2007 and will be co-hosted by JoAnn Johnson, Chairman of the National Credit Union Administration (NCUA), and Jamal El-Hindi, Associate Director of the Regulatory Policy and Programs Division at the Financial Crimes Enforcement Network (FinCEN).
Summary: The FDIC, along with the other federal banking agencies and the Securities and Exchange Commission, is issuing the attached final Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities (Final Statement). The Final Statement describes the types of internal controls and risk-management policies and procedures that the agencies have found to be useful in identifying, managing and addressing the potentially heightened legal or reputational risks that may arise from certain complex structured finance transactions.
As use of the Internet continues to expand, more credit unions are using it to offer products and services or otherwise enhance communications with members. The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct credit union business, any day, any time. However, members need to make good on-line choices—decisions that may help avoid costly surprises or scams.
The Office of the Comptroller of the Currency issued guidance today warning of the risks posed by scams involving fraudulent bank cashier's checks and describing steps national banks should take to protect themselves and their customers. A cashier's check, which is issued by a bank and sold to a consumer or other purchaser, represents a direct obligation of the bank. The guidance was issued in response to a growing incidence of scams involving cashier's checks. In most of these cases, individuals receive a cashier's check and are asked to deposit the check into their account, wait until funds become available and then wire some part of the funds from their account to a third party, often in a foreign country.
The Agencies are adopting an Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities ("Final Statement"). The Final Statement pertains to national banks, state banks, bank holding companies (other than foreign banks), federal and state savings associations, savings and loan holding companies, U.S. branches and agencies of foreign banks, and SEC-registered broker-dealers and investment advisers (collectively, "financial institutions" or "institutions") engaged in complex structured finance transactions ("CSFTs"). In May 2004, the Agencies issued and requested comment on a proposed interagency statement ("Initial Proposed Statement"). After reviewing the comments received on the Initial Proposed Statement, the Agencies in May 2006 issued and requested comment on a revised proposed interagency statement ("Revised Proposed Statement").
On May 10, 2006, the President signed an Executive Order establishing an Identity Theft Task Force, and directing it to develop a coordinated strategic plan to combat identity theft. The Task Force was specifically directed to make recommendations on ways to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution. The Executive Order directed the Task Force to deliver the strategic plan to the President within 180 days. By further Executive Order, issued November 3, 2006, the President amended the original order to require submission of the strategic plan by February 9, 2007, or as soon as practicable thereafter as the Chairman and Co-Chairman shall determine.
The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems: • What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
At the request of the Federal Trade Commission, a federal court has shut down a payment processing operation that allegedly helped fraudulent telemarketers take millions of dollars from consumers' bank accounts. According to the FTC's complaint, since at least January 2003 the operation has aided at least nine Canada-based, advance-fee credit card schemes that induce consumers to allow an electronic debit of several hundred dollars from their bank account in exchange for an unsecured credit card; but consumers never receive a credit card or, at best, they receive a "benefits package" containing relatively worthless items.
This document is a tool for financial institutions’ use in assessing and mitigating risks associated with implementation of Remote Deposit Image Capture (RDIC). This paper provides successful strategies that financial institutions (FIs) have employed for managing the risks with RDIC. It does not imply that all of these strategies are necessary for a successful program. This paper also does not address the specific technologies used to implement the RDIC process and/or mitigate the risk, as technology used will often be determined by other factors such as the compatibility of the clients’ and FIs’ equipment. This paper identifies potential risks as they pertain to product distribution, equipment and software, information system security, images and image quality, and processes.
Unauthorized access to sensitive customer information threatens to undermine customer confidence and the reputations of both individual financial institutions and the financial services industry. This threat is aggravated by the patchwork of state laws and federal regulations that govern unauthorized access or breach response incidents. Despite these challenges, financial institutions are strengthening data security programs and developing or improving customer notification programs. The “BITS/ABA Key Considerations for Responding to Unauthorized Access to Sensitive Customer Information” is a tool that may assist some financial institutions in developing and executing response programs when sensitive information is accessed and misused by unauthorized individuals.
This BITS Consumer Confidence Toolkit provides information to support consumer confidence in the safety, soundness and security of financial services. Originally published in September 2005, this is a revised and updated edition. This is intended to be an educational resource—whether for use by consumers, policy makers, financial institutions or others with interest in the subject matter. Special attention is placed on information security as well as online financial services transacted through the Internet. Data in support of the safety of online financial transactions is provided. Information about the proactive leadership of the financial services industry is included, as well as a description of the current environment and tips for consumers to help protect their financial security, including in the online environment. Recommendations for government agencies are also provided.
This Regulatory Alert is to inform you about revisions to Part 748 of the NCUA Rules and Regulations. The revised rule describes in greater detail Suspicious Activity Report (SAR) reporting and filing requirements. The rule became effective November 27, 2006. There are six changes to Part 748 which are summarized below. 1. Notification to board of directors
A digital signature is an electronic analogue of a written signature; the digital signature can be used to provide assurance that the claimed signatory signed the information. In addition, a digital signature may be used to detect whether or not the information was modified after it was signed (i.e., to detect the integrity of the signed data). Each signatory has a public and private key and is the owner of that key pair. The private key is used by the owner to generate a digital signature; the public key is used in the signature verification process. Entities participating in the generation or verification of digital signatures depend on the authenticity of the process. This Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures: assurance of domain parameter validity, assurance of public key validity, assurance that the key pair owner actually possesses the private key, and assurance of the identity of the key pair owner.
Computer security incident response has become an important component of information technology (IT) programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
Why GAO Did This Study
Today's testimony will address whether FEMA provided improper and potentially fraudulent (1) rental assistance payments to registrants at the same time it was providing free housing via trailers and apartments; (2) duplicate assistance payments to individuals who claimed damages to the same property for both hurricanes Katrina and Rita; and (3) IHP payments to non-U.S. residents who did not qualify for IHP. This testimony will also discuss (1) the importance of fraud identification and prevention, and (2) the results of our investigation into property FEMA bought using DHS purchase cards.
The Honorable William M. Thomas
Chairman, Committee on Ways and Means
House of Representatives
Dear Mr. Chairman: During recent congressional hearings and in public speeches, statements made by the National Credit Union Administration's (NCUA) Chairman and another board member raised congressional interest in the ability of NCUA to collect and objectively analyze data on credit union membership and executive compensation. More generally, these statements also raised issues about the agency's overall vigilance as a regulator and the independence and objectivity of NCUA's board and senior staff from the industry being regulated.
The FDIC Board of Directors has approved the attached final rule to amend Part 327 of the FDIC Rules and Regulations. The amendments are being made simultaneously with amendments implementing the Federal Deposit Insurance Reform Act of 2005, and are intended to make the deposit insurance assessment system react more quickly and more accurately to changes in institutions' risk profiles and to ameliorate several causes for complaint by insured depository institutions. The final rule takes effect on January 1, 2007.
National Credit Union Administration (NCUA) Executive Director J. Leonard Skiles has selected John E. Kutchey as Director of Risk Management. As Director of Risk Management, Kutchey is responsible for overseeing NCUA's credit union problem resolution program. Kutchey graduated Magna Cum Laude from the University of Baltimore in 1990 with a Bachelor's Degree in Business Administration with an Accounting Concentration. Kutchey joined NCUA in 1990 as an Examiner in Baltimore, MD. During his career with NCUA, Kutchey has served as an Examiner; Problem Case Officer; Supervisory Examiner; and most recently the Director of Supervision in Region II.
Welcome to the seventh issue of The SAR Activity Review – By the Numbers, a compilation of numerical data gathered from Suspicious Activity Reports filed by depository institutions since April 1996, by certain money services businesses since January 2002, by casinos and card clubs since August 1996, and by certain segments of the securities and futures industries since January 2003. By the Numbers serves as a companion piece to The SAR Activity Review - Trends, Tips & Issues, which provides information about the preparation, use, and utility of Suspicious Activity Reports.
Why GAO Did This Study
GAO was asked to evaluate the extent to which agencies have adequately designed and effectively implemented policies for testing and evaluating their information security controls.
The Office of the Comptroller of the Currency (OCC) and the Conference of State Bank Supervisors (CSBS) announced agreement today on procedures for the exchange of consumer complaint information between state banking departments and the OCC. The agreement recognizes that consumers do not always know which regulatory agency - state or federal - supervises their bank, and provides a model Memorandum of Understanding to ensure misdirected complaints are sent to the appropriate agency. The MOU, which is intended to be executed by state banking departments and the OCC on a state-by-state basis, provides a two-way street for the sharing of such complaints, including information on how complaints are resolved.
The Federal Reserve Board announced the appointment of the chairmen and deputy chairmen of the twelve Federal Reserve Banks for 2007. Each Reserve Bank has a nine-member board of directors. The Board of Governors in Washington appoints three of these directors and each year designates one of its appointees as chairman and a second as deputy chairman.
Introduction
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology Interagency Report (NISTIR) 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.
The Federal Deposit Insurance Corporation (FDIC) today adopted final regulations that implement the Federal Deposit Insurance Reform Act of 2005 passed by Congress earlier this year to create a stronger and more stable insurance system. Among the final regulations is a new rule on the risk-based assessment system that will enable the FDIC to more closely tie each bank's premiums to the risk it poses to the deposit insurance fund. In addition, the FDIC has new flexibility to manage the deposit insurance fund's reserve ratio within a range, which in turn will help prevent sharp swings in assessment rates that were possible under the design of the former system. "Throughout the FDIC's push for deposit insurance reform, our goals have been to provide for long-term stability and less procyclicality in the deposit insurance system," said FDIC Chairman Sheila C. Bair. "This new system will enable the FDIC to achieve our goals, and also will add incentives for good risk management at insured institutions."
Research and development (R&D) of cyber security technology is essential to creating a broader range of choices and more robust tools for building secure, networked computer systems in the federal government and in the private sector. The National Strategy to Secure Cyberspace identifies national priorities to secure cyberspace, including a federal R&D agenda. GAO was asked to identify the:
FDIC Chairman Sheila C. Bair announced today that Sandra L. Thompson has been named Director of the Federal Deposit Insurance Corporation's Division of Supervision and Consumer Protection (DSC). In addition, Christopher J. Spoth has been named Senior Deputy Director, Supervisory Examinations; and John Lane will assume leadership of a newly created unit dedicated to large, complex financial institutions. "I am very pleased to make this announcement today," said Chairman Bair. "Sandra Thompson has repeatedly demonstrated her strengths and capability as a senior FDIC executive. Since she was named Acting Director of DSC in February of this year, she has shown exceptional leadership skills and vision. I am confident she will ensure the FDIC continues to fulfill its supervision and consumer protection mandates. Chris and John have also proven themselves to be effective leaders with many years of supervisory experience. Working under Sandra's leadership, they will continue the proud tradition of the FDIC examination corps for excellence and professionalism."
The Office of Thrift Supervision (OTS) is issuing updated versions of the Directors' Responsibility Guide and the Directors' Guide to Management Reports to highlight our supervisory expectation for a strong, consistent approach towards sound corporate governance practices, as well as the importance of strong, independent boards of directors.
The updated Directors' Guide adds a new section on statutory and regulatory responsibility and clarifies the issue of blurred lines of responsibility between the board and management. We have also added a chart on the applicability of selected Sarbanes-Oxley requirements. The streamlined, restructured Guide to Management Reports consolidates some existing reports and adds additional red flags to monitor internal controls and financial performance.
FDIC Chairman Sheila C. Bair today announced the appointment of Jesse O. Villarreal, Jr., as her Chief of Staff, effective October 24, 2006. As Chief of Staff, Mr. Villarreal will oversee all of the day-to-day operations of the Chairman's office. "I am very pleased that Jesse has agreed to serve as my Chief of Staff," said Chairman Bair. "Jesse has served with distinction throughout his career, most recently as Senior Advisor to the Assistant Secretary for Financial Markets at the Department of the Treasury. During my tenure as Assistant Secretary for Financial Institutions at Treasury, Jesse served as my Special Assistant. So I am well aware of his strong leadership skills, sound judgment and extensive government experience, particularly in the financial services field. With these attributes, Jesse will certainly be a valuable asset to me and to our entire management team."
The proposed information collection requirement described below has been submitted to the Office of Management and Budget (OMB) for review and approval, as required by the Paperwork Reduction Act of 1995. OTS is soliciting public comments on the proposal. DATES: Submit written comments on or before November 20, 2006.
NCUA is issuing a final rule to describe in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and to address prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also is changing the heading for this part so it more accurately describes its scope. NCUA seeks to enhance credit union compliance with SAR reporting requirements by providing greater detail in its rule on the thresholds and procedures for filing a SAR. DATES: This rule is effective [insert date 30 days after published in the FEDERAL REGISTER]. FOR FURTHER INFORMATION CONTACT: Linda K. Dent, Staff Attorney, Office of General Counsel, at (703) 518-6540.
"An ontology is an explicit specification of a conceptualization. The term is borrowed from philosophy, where Ontology is a systematic account of Existence. For Artificial Intelligence (AI) systems, what "exists" is that which can be represented. When the knowledge of a domain is represented in a declarative formalism, the set of objects that can be represented is called the universe of discourse. This set of objects, and the describable relationships among them, are reflected in the representational vocabulary with which a knowledge-based program represents knowledge. Thus, in the context of AI, we can describe the ontology of a program by defining a set of representational terms. In such an ontology, definitions associate the names of entities in the universe of discourse (e.g., classes, relations, functions, or other objects) with human-readable text describing what the names mean, and formal axioms that constrain the interpretation and well-formed use of these terms. Formally, an ontology is the statement of a logical theory. We use common ontologies to describe ontological commitments for a set of agents so that they can communicate about a domain of discourse without necessarily operating on a globally shared theory." [GRUBER]
The Federal Deposit Insurance Corporation (FDIC) has become aware of fraudulent e-mails appearing to be from the FDIC. The e-mails ask recipients to click on a hyperlink titled "Take the Corrective Action – Implement the LinkBank System." When accessed, the hyperlink takes the individual to a "spoofed" FDIC Web page. At that point, the individual is directed to provide online banking information, including bank name, username, and password. The fraudulent e-mails appear in "memo format" and are purportedly from "Russell A. Rau, Assistant Inspector General for Audits." The e-mails include a "Subject" line that states: "Division of Supervision and Consumer Protection's Risk-Focused Compliance Examination Process for [recipient's name inserted] (Report No. 05-038)."
GAO continues to have concerns about restatements to federal agencies' previously issued financial statements. During fiscal year 2005, at least 7 of the 24 Chief Financial Officers (CFO) Act agencies restated certain of their fiscal year 2004 financial statements to correct misstatements. To study this trend, GAO reviewed the nature and causes of the restatements made by certain CFO Act agencies in fiscal year 2004 to their fiscal year 2003 financial statements. Eleven CFO Act agencies had restatements for fiscal year 2003. Nine of those 11 received unqualified opinions on their originally issued fiscal year 2003 financial statements. GAO’s view is that users of federal agencies' financial statements and the related audit reports need to be provided at least a basic understanding of why a restatement was necessary and its effect on the agencies' previously issued financial statements and related audit reports. This report communicates GAO's observations on the transparency and timeliness of the 9 federal agencies' and their auditors' restatement disclosures.
Minority banks can play an important role in serving the financial needs of historically underserved communities and growing populations of minorities. For this reason, the Financial Institutions, Reform, Recovery, and Enforcement Act of 1989 (FIRREA) established goals that the Federal Deposit Insurance Corporation (FDIC) and the Office of Thrift Supervision (OTS) must work toward to preserve and promote such institutions (support efforts). To evaluate their efforts, as well as those of the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, GAO (1) reviewed the profitability of minority banks, (2) identified the regulators' support and assessment efforts, and (3) obtained the views of minority banks on the regulators' efforts.
Like any new technology, RFID presents new security and privacy risks that must be carefully mitigated through management, operational, and technical controls in order to realize the numerous benefits the technology has to offer. When practitioners adhere to sound security engineering principles, RFID technology can help a wide range of organizations and individuals realize substantial productivity gains and efficiencies. These organizations and individuals include hospitals and patients, retailers and customers, and manufacturers and suppliers throughout the supply chain. This guidance document provides an overview of RFID technology, the associated security and privacy risks, and recommended practices that will enable organizations to realize productivity improvements while safeguarding sensitive information and protecting the privacy of individuals. Radio frequency identification (RFID) is a form of automatic identification and data capture (AIDC) technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods, animals, and people.
Organizations have information technology (IT) plans in place, such as contingency and computer security incident response plans, so that they can respond to and manage adverse situations involving IT. These plans should be maintained in a state of readiness, which should include having personnel trained to fulfill their roles and responsibilities within a plan, having plans exercised to validate their content, and having systems and system components tested to ensure their operability in an operational environment specified in a plan. These three types of events can be carried out efficiently and effectively through the development and implementation of a test, training, and exercise (TT&E) program. Organizations should consider having such a program in place because tests, training, and exercises are so closely related. For example, exercises and tests offer different ways of identifying deficiencies in IT plans, procedures, and training. This document provides guidance on designing, developing, conducting, and evaluating TT&E events so that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse events that may affect their missions. The scope of this document is limited to TT&E events for single organizations (as opposed to large-scale events involving multiple organizations) that involve internal IT operational procedures for emergencies.
A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Many logs within an organization contain records related to computer security. These computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems.
Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the clearance level of the user accessing those documents. This publication explains some of the commonly used access control services available in information technology systems.
Why GAO Did This Study In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government's response to those events. On July 19, 2006, GAO testified on the results of its purchase card work. This report summarizes the testimony and provides recommendations. Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane relief operations. GAO analyzed transactions between June and November of 2005 to determine if (1) DHS's control environment and management of purchase card usage were effective; (2) DHS's key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive purchase card activity existed at DHS.
The Federal Deposit Insurance Corporation (FDIC) has announced that it will hold its next symposia on the importance of consumer confidence in e-commerce on October 5th in Mesa, Arizona, and on October 25th in Miami Beach, Florida. The half-day meetings will bring together experts from government and the private sector to discuss ways to combat online identity theft and help maintain public confidence in e-commerce. Opening the October 5th meeting will be keynote speaker Kelvin Boston, financial journalist, author and entrepreneur, and host of PBS's Moneywise with Kelvin Boston. Mr. Boston will provide an overview of the challenges and opportunities that businesses and consumers face in e-commerce. Panel discussions will follow with topics that include: Ensuring Integrity in Payment Systems; Building Confidence by Managing Risk in E-Commerce; and Consumer Rights and Resources in an E-Commerce World.
Alexandria, VA, September 27, 2006 - National Credit Union Administration (NCUA) Chairman JoAnn Johnson met recently with senior Administration officials to share recommendations with the President's Identity Theft Task Force. Based upon these recommendations, the Task Force will deliver a final strategic plan to President Bush in early November. During a September 19 Task Force meeting, Chairman Johnson joined U.S. Attorney General Alberto Gonzales; Clay Johnson III, Deputy Director of the White House Office of Management and Budget; Michael Chertoff, Secretary of the Department of Homeland Security; Carlos M. Gutierrez, Secretary of Commerce; and other senior government officials to discuss recommendations to the President in key areas.
Why GAO Did This Study In 2005, Hurricanes Katrina and Rita caused unprecedented damage. FEMA's Individuals and Households Program (IHP) provides direct assistance (temporary housing units) and financial assistance (grant funding for temporary housing and other disaster-related needs) to eligible individuals affected by disasters. Our objectives were to (1) compare the types and amounts of IHP assistance provided to Hurricanes Katrina and Rita victims to other recent hurricanes, (2) describe the challenges FEMA faced due to the magnitude of the requests for assistance following Hurricanes Katrina and Rita, and (3) determine the vulnerability of the IHP program to fraud and abuse. GAO determined the extent to which the program was vulnerable to fraud and abuse by conducting statistical sampling, data mining, and undercover operations.
The Federal Trade Commission (FTC) is responsible for economic issues that affect both consumers and businesses. Its primary function is to help maintain a competitive market environment that benefits both sides, and in this respect identity theft is seen as negatively affecting both consumers and businesses. In an effort to combat this problem, the FTC provides information and resources that enable the development of effective countermeasures against identity theft. The FTC has developed a website that gives information on how to deter the threat of identity theft, which it refers to as a "one stop national resource" to learn about identity theft. The website provides material that defines identity theft and procedures to deal with it if it occurs.
The purpose of this document is to present recommendations for Personal Identity Verification (PIV) card readers in the area of performance and communications characteristics to foster interoperability. This document is not intended to re-state or contradict requirements specifically identified in Federal Information Processing Standard 201 (FIPS 201) or its associated documents. It is intended to augment existing standards to enable agencies to achieve the interoperability goal of Homeland Security Presidential Directive 12 (HSPD-12). The document provides requirements that facilitate interoperability between any card and any reader. Specifically, the recommendations are for end-point cards and readers designed to read end-point cards.
E-mails fraudulently claiming to be from the FDIC are attempting to trick recipients into installing unknown software on personal computers. These e-mails falsely indicate that recipients should install software that was developed by the FDIC and other agencies. The software may be a form of spyware or malicious code and may collect personal or confidential information. The Federal Deposit Insurance Corporation (FDIC) is aware of e-mails appearing to be sent from the FDIC that are asking recipients to install unknown software on personal computers. Currently, the subject line of the e-mail includes the phrase "Urgent Notification - Security Reminder." The e-mail is fraudulent and was not sent by the FDIC.
The Office of the Comptroller of the Currency was named one of the 50 best places in America to start a career by Business Week magazine. "The Business Week ranking confirms what we've long known: that the OCC is a great place to start - and build - a career," said Comptroller of the Currency John C. Dugan. The OCC ranked 48th on Business Week's list of top employers for new college graduates.
U.S. Treasury Deputy Assistant Secretary D. Scott Parsons will speak about the financial sector's preparedness for a disaster or attack September 12, 2006 at 9:00 a.m. at the Financial and Banking Information Infrastructure Committee / Financial Services Sector Coordinating Council meeting. He will give remarks at the City University of New York's Graduate School and University Center.
This bulletin provides guidance for national banks and examiners on managing the risks of automated clearing house (ACH) activity. National banks may be exposed to a variety of risks when originating, receiving, or processing ACH transactions, or outsourcing these activities to a third party. This bulletin outlines the key components of an effective ACH risk management program. Each bank should use this guidance to develop an ACH risk management program that reflects the nature and complexity of the bank's activities. This bulletin supplements guidance on ACH activities contained in the FFIEC IT Examination Handbook on Retail Payment Systems,[1] dated March 2004, and National Automated Clearinghouse Operating Rules[2] and replaces OCC Bulletin 2002-2 (ACH Transactions Involving the Internet).
Electronic mail (email) is perhaps the most popularly used system for exchanging business information over the Internet (or any other computer network). At the most basic level, the email process can be divided into two principal components: (1) mail servers, which are hosts that deliver, forward, and store mail; and (2) clients, which interface with users and allow users to read, compose, send, and store email messages. This document addresses the security issues of both mail servers and mail clients. Mail servers and user workstations running mail clients are frequently targeted by attackers. Because the computing and networking technologies that underlie email are ubiquitous, they are well understood, and attackers are able to develop attack methods to exploit the technology. Mail servers are also targeted because they (and public Web servers) must communicate to some degree with untrusted third parties. Additionally, email clients have been targeted as an effective means of inserting malware into machines and of propagating this code to other machines.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of potential incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected potential incidents. Intrusion detection and prevention (IDP) systems are primarily focused on identifying potential incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPs have become a necessary addition to the security infrastructure of nearly every organization. IDPs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDP stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.
The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), Simple Object Access Protocol (SOAP), and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and ad hoc connections. Web services technology can be implemented in a wide variety of architectures, can co-exist with other technologies and software design approaches, and can be adopted in an evolutionary manner without requiring major transformations to legacy applications and databases. The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy (lack of human intervention) are at odds with traditional security models and controls.
The Office of the Comptroller of the Currency advised national banks today that registration for two conference calls on the revised FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual will close on September 6. The conference calls are sponsored by the five federal banking agencies and the Financial Crimes Enforcement Network (FinCEN). The Office of Foreign Assets Control will also be participating in these calls. The banking industry calls will be held September 13 and 14, 2006. All calls will be from 11:00 a.m. to 12:00 noon (EDT).
The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. The corporation relies extensively on computerized systems to support and carry out its financial and mission-related operations. As part of the audit of the calendar year 2005 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of the corporation's information system controls to protect the confidentiality, integrity, and availability of its key financial information and information systems.
The Federal Reserve System's Federal Reserve Banks (FRB) serve as fiscal agents of the U.S. government when they are directed to do so by the Secretary of the Treasury. In this capacity, the FRBs operate and maintain several mainframe and distributed-based systems, including the systems that support the Department of the Treasury's auctions of marketable securities, on behalf of the department's Bureau of the Public Debt (BPD). Effective security controls over these systems are essential to ensure that sensitive and financial information is adequately protected from inadvertent or deliberate misuse, disclosure, or destruction. In support of its audit of BPD's fiscal year 2005 Schedule of Federal Debt, GAO assessed the effectiveness of information system controls in protecting financial and sensitive auction information on key mainframe and distributed-based systems that the FRBs maintain and operate for BPD. To do this, GAO observed and tested FRBs' security controls.
The FDIC is enhancing the protection of examination information and other sensitive data, and has issued updated procedures to its examination staff on safeguarding this information. Highlights: The updated procedures provide additional protection to bank data that may be sensitive as defined by the Gramm-Leach-Bliley Act. The procedures specify minimum standards for the technical, physical and administrative safeguards used to protect examination information. The procedures provide guidance for the implementation of an Information Security Incident Response Program.
1.1 Background Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. The human factor is so critical to success that the Computer Security Act of 1987 (Public Law [P.L.] 100-235) required that, "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency." In accordance with P.L. 100-235, the National Institute of Standards and Technology (NIST), working with the U.S. Office of Personnel Management (OPM), was charged with developing and issuing guidelines for Federal computer security training. This requirement was satisfied by NIST's issuance of "Computer Security Training Guidelines" (Special Publication [SP] 500-172) in November 1989. In January 1992, OPM issued a revision to the Federal personnel regulations which made these voluntary guidelines mandatory. This regulation, 5 CFR Part 930, is entitled "Employees Responsible for the Management or Use of Federal Computer Systems" and requires Federal agencies to provide training as set forth in NIST guidelines.
NIST Special Publication 800-50, Building An Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports requirements specified in the Federal Information Security Management Act (FISMA) of 2002 and the Office of Management and Budget (OMB) Circular A-130, Appendix III. A strong IT security program cannot be put in place without significant attention given to training agency IT users on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources. In addition, those in the agency who manage the IT infrastructure need to have the necessary skills to carry out their assigned duties effectively. Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue.
E-mails to financial institution customers that fraudulently claim to be from the FDIC attempt to obtain highly sensitive personal information, including bank account information. These e-mails falsely indicate that consumers can enroll in an "FDIC protection system" to insure bank accounts against certain types of fraudulent activities. The Federal Deposit Insurance Corporation (FDIC) has received numerous notifications from consumers of an e-mail that has the appearance of being sent from the FDIC. The "From" line of the e-mail displays the name "Federal Deposit Insurance Corporation" and the subject includes the phrase "IMPORTANT: Notification of Federal Deposit Insurance Corporation."
Purpose The staffs of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (the Agencies) have jointly developed the attached frequently asked questions (FAQs) to assist financial institutions and their technology service providers in understanding the Federal Financial Institutions Examination Council's (FFIEC's) guidance entitled Authentication in an Internet Banking Environment (the guidance). Overview The guidance, issued on October 12, 2005, updates the FFIEC's guidance entitled Authentication in an Electronic Banking Environment issued in 2001. It addresses the need for risk based assessments, customer awareness, and enhanced security measures to authenticate customers using Internet-based products and services that process high risk transactions involving access to customer information or the movement of funds to other parties. The attached FAQs are a representation of questions the Agencies have received from financial institutions, Agency examiners, and technology service providers and they address the scope of the guidance, risk assessments, the time frame for implementation, and other issues.
The mandatory dissemination of certain information by financial institutions is a key aspect of consumer protection law. It offers two significant advantages for consumer protection in the financial area over the alternative of direct government intervention into product pricing and content. First, information disclosure is compatible with competition, a significant market force already at work to protect consumers by keeping price rises in check. Because of competition, institutions already have incentives to make their products known, to reveal favorable pricing and product features, and to treat consumers fairly by keeping them generally informed about what they want and need to know. When a financial institution employs these strategies, it generates a good business reputation that will produce referrals and repeat customers. Actions that firms use to accomplish these goals include advertising their prices and supplying clients and potential customers with useful information about product prices and features. The requirements for disclosures assist in the dissemination of financial information by standardizing concepts and terminology, such as the finance charge and annual percentage rate under the Truth in Lending Act and the annual percentage yield under the Truth in Savings Act. Such standardization advances consumers' knowledge about pricing and features of the financial products and institutions and lowers consumers' transaction costs by making shopping easier. The standard format of required disclosures helps highlight the performance of the best institutions and exposes the inadequacies of the poorer ones. Well-informed shoppers help keep markets competitive, which benefits buyers of products and services by minimizing the spread between producers' production costs and market price.
NIST is pleased to announce the release of draft Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist. SP 800-69 provides guidance to home users, such as telecommuting Federal employees, on improving the security of their home computers that run Windows XP Home Edition. Home computers face many threats from people wanting to cause mischief and disruption, commit fraud, and perform identity theft. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. It also emphasizes the importance of performing regular backups to ensure that user data is available after an adverse event such as an attack against the computer, a hardware failure, or human error. The publication contains detailed step-by-step directions for securing Windows XP Home Edition computers that can be performed by experienced Windows XP Home Edition users. NIST requests comments on NIST SP 800-69 by August 31, 2006. Please submit comments to itsec@nist.gov with "Comments SP800-69/XPHome" in the subject line.
Why GAO Did This Study The Internet protocol (IP) provides the addressing mechanism that defines how and where information such as text, voice, music, and video moves across interconnected networks. IP version 4 (IPv4), which is widely used today, may not be able to accommodate the increasing number of global users and devices that are connecting to the Internet. As a result, IP version 6 (IPv6) was developed to increase the amount of available address space. In August 2005, the Office of Management and Budget (OMB) issued a memorandum specifying activities and time frames for federal agencies to transition to IPv6. GAO was asked to determine (1) the status of federal agencies' efforts to transition to IPv6; (2) what emerging applications are being planned or implemented that take advantage of IPv6 features; and (3) key challenges industry and government agencies face as they transition to the new protocol.
THE NEED FOR SECURITY CONTROLS TO PROTECT INFORMATION SYSTEMS The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an IT organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:
- What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
Why GAO Did This Study Hurricanes Katrina, Rita, and Wilma (the Gulf Coast hurricanes) caused more than $118 billion in estimated property damages across the Gulf Coast region in 2005. The Small Business Administration (SBA) helps individuals and businesses recover from disasters through its Disaster Loan Program. GAO initiated work to determine how well SBA provided victims of the Gulf Coast hurricanes with timely assistance. This report, the first of two, focuses primarily on the Disaster Credit Management System (DCMS) and disaster loan process. Here, GAO evaluates (1) what affected SBA's ability to provide timely disaster assistance and (2) actions SBA took after the disasters to improve its response to disaster victims. In conducting this study, GAO analyzed data on loan applications and assessed key aspects of SBA's acquisition and implementation of DCMS. What GAO Recommends GAO recommends four actions including reassessing DCMS's maximum user capacity based on such things as lessons learned from the Gulf Coast hurricanes, a review of information available from catastrophe risk modeling firms and disaster simulations, and related cost considerations. In comments on a draft of this report, SBA generally agreed with our recommendations but said more credit should have been given to its improvement efforts.
The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes. The security of financial institutions' systems and information is essential to maintaining the privacy of customer information and safe and sound operations. The Information Security Booklet describes how an institution should protect and secure the systems and facilities that process and maintain information. The booklet calls for financial institutions and technology service providers (TSPs) to maintain effective security programs tailored to the complexity of their operations.
The Office of Thrift Supervision (OTS), along with the other federal banking agencies, has released the revised Information Security Booklet and an Executive Summary of the Federal Financial Institutions Examination Council's (FFIEC) Information Technology Examination Handbook. The revised Information Security Booklet, which replaces the 2003 version of the booklet, provides updated guidance for examiners, savings associations, and technology service providers to use in identifying information security risks and evaluating the adequacy of controls and risk management practices. The revised guidance addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance.
Why GAO Did This Study
GAO was asked to examine (1) financial institutions' use of resellers; (2) federal privacy and security laws applicable to resellers; (3) federal regulators' oversight of resellers; and (4) regulators' oversight of financial institution compliance with privacy and data security laws. To address these objectives, GAO analyzed documents and interviewed representatives from 10 information resellers, 14 financial institutions, 11 regulators, industry and consumer groups, and others.
The FDIC Board of Directors is seeking comment on the three attached proposed rules. The first proposed rule would create a new system for risk-based assessments. The second proposed rule would set the designated reserve ratio (DRR) at 1.25 percent. The third proposed rule would govern the penalties for failure to pay assessments. The Federal Deposit Insurance Reform Act of 2005 requires the FDIC to prescribe final regulations by November 5, 2006. Comments on the first two proposed rules are due by September 22, 2006; comments on the third rule are due by September 18, 2006. Assessments Risk Categories: The FDIC proposes to consolidate the existing nine assessment rate categories into four. Small well-capitalized, well-managed institutions: The FDIC proposes to combine CAMELS component ratings with current financial ratios to determine assessment rates applicable to a small well-capitalized, well-managed institution.
Why GAO Did This Study Federal regulation is one of the basic tools of government used to implement public policy. In 1980, the Regulatory Flexibility Act (RFA) was enacted in response to concerns about the effect that regulations can have on small entities, including small businesses, small governmental jurisdictions, and certain small not-for-profit organizations. Congress amended RFA in 1996, and the President issued Executive Order 13272 in 2002, to strengthen requirements for agencies to consider the impact of their proposed rules on small entities. However, concerns about the regulatory burden on small entities persist, prompting legislative proposals such as H.R. 682, the Regulatory Flexibility Improvements Act, which would amend RFA. At the request of Congress, GAO has prepared many reports and testimonies reviewing the implementation of RFA and related policies. On the basis of that body of work, this testimony (1) provides an overview of the basic purpose and requirements of RFA, (2) highlights the main impediments to the Act’s implementation that GAO's reports identified, and (3) suggests elements of RFA that Congress might consider amending to improve the effectiveness of the Act. GAO's prior reports and testimonies contain recommendations to improve the implementation of RFA and related regulatory process requirements.
The federal financial institution regulatory agencies and the Federal Trade Commission are soliciting comments on a Notice of Proposed Rulemaking (NPRM) concerning identity theft "red flags" and address discrepancies. The NPRM, which has been reviewed and approved by each of the listed agencies, implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The regulations that the agencies are jointly proposing would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a "red flag" signaling a possible risk of identity theft. Under the proposed regulations, an identity theft prevention program established by a financial institution or creditor would have to include policies and procedures for detecting any "red flag" relevant to its operations and implementing a mitigation strategy appropriate for the level of risk.
The FDIC Board of Directors has approved the attached notice of proposed rulemaking to replace the two separate official FDIC signs, one for insured banks and the other for insured savings associations, with one new official sign that all FDIC-insured depository institutions would be required to display where deposits are received. The notice of proposed rulemaking would also require both banks and savings associations to use the official advertising statement ("Member FDIC") in advertisements that specifically promote deposit products and services or generally promote banking services. The proposed rulemaking would revise Part 328 of the FDIC Rules and Regulations, which governs official FDIC signs and advertising of FDIC membership. Comments on these proposals and related matters are due by September 15, 2006.
Highlights of GAO-06-954T, a testimony before the Subcommittee on Management, Integration, and Oversight, Committee on Homeland Security, U.S. House of Representatives Why GAO Did This Study
The FDIC's Board of Directors today approved for public comment two proposed rules governing deposit insurance assessments under the Federal Deposit Insurance Reform Act of 2005. One proposal would create a new system that would more closely tie what banks pay for deposit insurance to the risks they pose. It also would adopt a new base schedule of rates that the FDIC Board could adjust up or down, depending upon the revenue needs of the insurance fund. The second proposal issued today would continue to set the designated reserve ratio (DRR) for the fund at 1.25 percent of estimated insured deposits. "The proposed new system of risk-based assessments would allow the FDIC to adhere more closely to sound insurance principles because the safer an institution is, the less it will pay for deposit insurance," said FDIC Chairman Sheila Bair. "We hope that most FDIC-insured institutions will find our proposals reasonable and fair, and we look forward to receiving comments."
The Homeland Security Presidential Directive (HSPD) 12 mandated the creation of new standards for interoperable identity credentials for physical and logical access to Federal government locations and systems. Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, was developed to establish standards for identity credentials [FIPS201-1]. This document, Special Publication 800-78-1, specifies the cryptographic algorithms and key sizes for PIV systems and is a companion document to FIPS 201. 1.1 Authority This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
Inspectors General In our role as principal auditor of the consolidated financial statements of the U.S. government (CFS), we plan to use the work of the inspectors general and contracted independent public accountants who audit the agency-level financial statements. The development of the joint PCIE/GAO Financial Audit Manual (FAM) has provided a common framework and methodology for federal financial statement auditing. Adherence to the FAM will enable us to readily review the work of other auditors as a basis for using that work under auditing standards. We want to all be on the same page so that we are in the position to use your work. Certain CFS line items that will be subject to our concurrent review because of their significance, such as the federal employee and veteran benefits payable line item, involve federal agencies’ significant actuarial estimations. Statement on Auditing Standards (SAS) No. 57, Auditing Accounting Estimates applies to such estimations. In addition, Statement of Federal Financial Accounting Standard (SFFAS) No. 5 requires that federal agencies disclose specific information in their financial statements for pensions, other retirement benefits, and other postemployment benefits.
"Operational risk management" increasingly viewed as distinct discipline due to growing complexity of the industry, recent large operational losses The increasing importance of banks' "operational risk management" (ORM) processes and how ORM is evolving as a distinct discipline are highlighted in the FDIC's summer 2006 issue of Supervisory Insights released today. Other topics covered include disaster planning for banks, with a look back at some of the challenges banks faced during the hurricane seasons of 2004 and 2005, and enforcement actions taken against individuals in 2005, with a particular focus on bank losses resulting from insider misconduct or fraud.
Before the U.S. House of Representatives Committee on Financial Services Subcommittee on Oversight and Investigations Thank you Chairwoman Kelly, Ranking Member Gutierrez, and Members of the Subcommittee. I appreciate the opportunity to speak to you about the Treasury Department's contribution to pandemic planning within the financial services sector. Though the Treasury's efforts are just a small part of the enormous Federal effort, we have been very active. President Bush stated, "Together we will confront this emerging threat and together, as Americans, we will be prepared to protect our families, our communities, this great Nation, and our world." I would like to begin my remarks by telling you about the sector's general state of preparedness and then tell you about the Treasury's leadership on pandemic planning within the financial services sector.
The Office of the Comptroller of the Currency today issued a proclamation allowing national bank offices affected by severe weather in the northeast to close at their discretion. In issuing the proclamation, Timothy Long, Senior Deputy Comptroller for Mid-Size/Community Bank Supervision, said he expects that only those bank offices directly affected by the severe weather will close. Those offices should make every effort to reopen as quickly as possible to address the banking needs of their customers, he added.
The tenth (May 2006) issue of The SAR Activity Review – Trends, Tips, & Issues, published by the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), is now available. Highlights: - On May 31, 2006, FinCEN released the tenth edition of The SAR Activity Review – Trends, Tips & Issues. This issue focuses on the money services business (MSB) industry. - Article topics include the use of Suspicious Activity Reports (SARs) to detect unregistered MSBs and guidance on registration and deregistration of a business as an MSB. - This issue also identifies current trends in mortgage loan fraud, as well as filing activity and detection of unlicensed/unregistered MSBs.
Sheila C. Bair was sworn in today as the 19th Chairman of the Federal Deposit Insurance Corporation (FDIC). Martin J. Gruenberg, Vice Chairman of the FDIC, had served as Acting Chairman since Donald E. Powell resigned on November 15, 2005. "I am pleased to be joining the FDIC at such an important time. There are many critical issues facing the agency – from implementation of deposit insurance reform to our ongoing work on Basel II and IA," said Chairman Bair. "I've spent most of my career in the financial services arena, focusing on the banking sector in recent years, so I am very familiar with the FDIC's important work. I am looking forward to the challenges that lie ahead, and working closely with our highly experienced Board and excellent staff."
Please note that the following rule is the version that was approved by the NCUA Board. The official version is published in the Federal Register approximately one week after Board approval. There may be some minor numbering or format differences between the two versions. The proposed rule describes in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and addresses prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also proposes to change the heading for this part so it more accurately describes its scope. While retaining cross-references in the rule to the SAR form and instructions, these changes will enhance credit union compliance by providing greater detail in the rule on the thresholds and procedures for filing a SAR.
The Office of the Comptroller of the Currency will host workshops for national community bank directors at the Millennium Knickerbocker Hotel, Chicago, on July 25-26. The workshops provide practical information that expands bank directors' skills and understanding of issues facing their banks. This year's workshops cover risk assessment and compliance risk.
The Federal Reserve Board on Thursday requested comment on proposed revisions to Part I of its Policy on Payments System Risk (PSR policy), which addresses risk management in payments and settlement systems. The proposed revisions update and revise the policy in several ways. First, the Board is proposing to incorporate into its PSR policy the international risk management standards for central counterparties recently developed by the Committee on Payment and Settlement Systems (CPSS) of the central banks of the Group of Ten countries and the Technical Committee of the International Organization of Securities Commissions (IOSCO). These standards, published by the Bank for International Settlements in a report titled Recommendations for Central Counterparties (Recommendations for CCP), will serve as the Board's minimum standards for central counterparties identified as systemically important and subject to the Board's authority. This proposed change is consistent with past revisions that incorporated into the PSR policy the Core Principles for Systemically Important Payment Systems (Core Principles) and Recommendations for Securities Settlement Systems (Recommendations for SSS), developed by the CPSS and CPSS-IOSCO, respectively.
Financial institutions have traditionally used domestic third-party service providers to handle their technology, data processing and other needs, such as call center services. However, with increasing frequency, institutions have been presented with opportunities to enter into contractual arrangements with foreign-based third-party service providers (FBTSPs) to fulfill those needs. Moreover, U.S.-based third-party service providers are subcontracting substantial portions of their operations to entities located outside of the United States. In its 2004 study of offshore outsourcing of data services to identify both consumer and safety and soundness risks associated with offshore data processing,[1] the FDIC learned that financial institutions may be unaware of such subcontracting arrangements or, if they are aware, are not adequately monitoring the relationship. The increased use of FBTSPs by U.S. financial institutions and U.S. third-party service providers is due, in large part, to the potential cost savings that are achievable as low-wage, yet highly qualified, labor pools are tapped in foreign countries. However, as with any sound business decision, financial institutions cannot accept the benefits while ignoring the potential risks.
The Federal Emergency Management Agency (FEMA) has issued the attached revised Standard Flood Hazard Determination Form, which includes a new Office of Management and Budget (OMB) control number and a revised expiration date of October 31, 2008. The form's format and content have not changed. The updated form must be used beginning July 1, 2006. Highlights:
· FDIC-supervised banks must use FEMA's Standard Flood Hazard Determination Form when determining whether a building or mobile home offered as security for a loan will be located in a Special Flood Hazard Area. This requirement is pursuant to the National Flood Insurance Reform Act of 1994 and FDIC regulations (12 CFR 339.6).
The Treasury Department, in cooperation with the FloridaFIRST regional financial coalition, will sponsor the first U.S. pandemic flu response exercise focused on the financial sector on Thursday, June 22 in Miami, Fla. Treasury Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy Scott Parsons will join 70 participants from Florida financial services firms and health, police and fire officials from local, state and federal agencies to test the local industry's preparedness for such a crisis.
Why GAO Did This Study
GAO was asked to testify on VA's information security program, ways that agencies can prevent improper disclosures of personal information, and issues concerning notifications of privacy breaches. In preparing this testimony, GAO drew on its previous reports and testimonies, as well as on expert opinion provided in congressional testimony and other sources.
Submission for OMB review; joint comment request In accordance with the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. chapter 35), FinCEN, OCC, OTS, FDIC, and NCUA (collectively, the "agencies") hereby give notice that they have submitted to the Office of Management and Budget (OMB) requests for review of the information collections described below.
OCC, OTS, FDIC, NCUA, and FinCEN are submitting the Suspicious Activity Report (SAR) information collection to OMB for extension with revision. The Board of Governors of the Federal Reserve System (the Board) also participated in this review. However, the Board, under its Paperwork Reduction Act (PRA) delegated authority, will publish a separate final notice and submit its SAR information collection to OMB.
The Federal Deposit Insurance Corporation (FDIC) announced that it will hold a symposium on the importance of continued consumer confidence in e-commerce in San Francisco on June 23, 2006 at the Hyatt Regency Hotel. The half-day meeting will bring together experts from the government and private sector to discuss ways to combat on-line identity theft and help find ways to maintain public confidence in e-commerce. The meeting will run from 7:30 a.m. to 1:00 p.m. Keynote speaker Charlene Zettel, Director, California Department of Consumer Affairs, will set the stage for the day's event. The first panel will focus on Ensuring Integrity in Payment Systems, while the second panel will address Building Confidence by Managing Risk in E-Commerce. The third panel will address Consumer Rights and Resources in an E-Commerce World. The symposium is free of charge and open to both industry and public participants.
The FDIC received an award June 15 for its innovative use of technology to support employees who telecommute. The Telework Exchange, a public-private partnership focused on eliminating telework gridlock, recognized the FDIC with a 2006 Telework Exchange Tele-Vision Award. The award was conferred in the category of Innovative Application of Technology to Support Telework. The FDIC provides an array of remote access services to support its telecommuting and mobile users. Services include a Remote Client Network (RCN), a Virtual Private Network (VPN) and a dial-up service. A recent addition to the FDIC's services is a "token" employees can use with any computer that has Internet access and a Web browser. This service, the Web Enabled Remote Client Network (WebRCN), provides employees with secure access to commonly used software applications from their home computers, FDIC-issued laptop computers, conference computer-cafes and cybercafés. The token generates a new random alphanumeric password each time the device is turned on, and each password is good for a single logon, so a password observed or captured on a shared computer cannot be reused. This feature enables virtually every eligible FDIC employee with access to a computer to participate in the FDIC's Telework Program.
This publication is not from one of the federal or state banking agencies, but given our extremely diverse audience it will be of interest to organizations and individuals responsible for developing and maintaining security plans and programs. This Recommendation specifies techniques for the generation of random bits that may then be used directly or converted to random numbers when random values are required by applications using cryptography.
There are two fundamentally different strategies for generating random bits. One strategy is to produce bits non-deterministically, where every bit of output is based on a physical process that is unpredictable; this class of random bit generators (RBGs) is commonly known as non-deterministic random bit generators (NRBGs). The other strategy is to compute bits deterministically using an algorithm; this class of RBGs is known as Deterministic Random Bit Generators (DRBGs). A DRBG produces no unpredictability of its own: its output is only as unpredictable as the seed it is instantiated with, so in practice a DRBG is seeded, and periodically reseeded, from an NRBG or another entropy source.
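As an added example, not code from the NIST Recommendation summarized above, the following implements the HMAC_DRBG construction (NIST SP 800-90A, section 10.1.2) with SHA-256 and shows how the two strategies fit together: the DRBG is the deterministic algorithm, and `os.urandom` stands in for the NRBG that seeds it. The class and function names are the author's own, and treating `os.urandom` as an adequate entropy source on the platform in use is an assumption.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG (NIST SP 800-90A, section 10.1.2) instantiated with SHA-256.

    Deterministic: two instances given identical seed material emit identical
    output streams. All unpredictability comes from the entropy input."""

    OUTLEN = 32                  # SHA-256 output length in bytes
    MIN_ENTROPY = 32             # 256 bits: the security strength targeted here
    RESEED_INTERVAL = 1 << 48    # SP 800-90A maximum generate calls between reseeds

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < self.MIN_ENTROPY:
            raise ValueError("entropy input shorter than the required security strength")
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data into the internal state (K, V).
        self.K = self._hmac(self.K, self.V + b"\x00" + provided)
        self.V = self._hmac(self.K, self.V)
        if provided:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided)
            self.V = self._hmac(self.K, self.V)

    def needs_reseed(self) -> bool:
        return self.reseed_counter > self.RESEED_INTERVAL

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        if len(entropy) < self.MIN_ENTROPY:
            raise ValueError("entropy input shorter than the required security strength")
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, nbytes: int, additional: bytes = b"") -> bytes:
        if self.needs_reseed():
            raise RuntimeError("reseed interval exceeded; call reseed() first")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional)     # state moves on after every call (backtracking resistance)
        self.reseed_counter += 1
        return out[:nbytes]


def nrbg_entropy(nbytes: int = 32) -> bytes:
    """Entropy from the operating system's non-deterministic source.
    Assumption: os.urandom is an adequate NRBG on the platform in use."""
    return os.urandom(nbytes)


def new_drbg(personalization: bytes = b"") -> HmacDrbg:
    """Instantiate a DRBG at 256-bit strength: 256 bits of entropy plus a 128-bit nonce."""
    return HmacDrbg(nrbg_entropy(32), nrbg_entropy(16), personalization)


if __name__ == "__main__":
    drbg = new_drbg(b"example application")
    print(drbg.generate(16).hex())
```

The reseed counter is the check a practitioner tends to drop: a DRBG that is never reseeded remains deterministic forever from its first seed, so a compromise of that seed exposes every value it ever produced.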
Preparing Your Institution for a Catastrophic Event The member agencies of the Federal Financial Institutions Examination Council (FFIEC) and the Conference of State Bank Supervisors today announced the release of LESSONS LEARNED FROM HURRICANE KATRINA: Preparing Your Institution for a Catastrophic Event. The booklet relays financial institutions' experiences and lessons learned in the aftermath of Hurricane Katrina that other institutions may find helpful in considering their readiness for a catastrophic event.
FDIC Consumer Call Centers in Kansas City, Missouri, and Washington, D.C., have begun receiving a large number of complaints from consumers who received an e-mail that has the appearance of being sent from the FDIC. The e-mail informs the recipient that Department of Homeland Security Director Tom Ridge has advised the FDIC to suspend all deposit insurance on the recipient’s bank account due to suspected violations of the USA PATRIOT Act. The e-mail further indicates that deposit insurance will be suspended until personal identity, including bank account information, can be verified. This e-mail was not sent by the FDIC and is a fraudulent attempt to obtain personal information from consumers. Financial institutions and consumers should NOT access the link provided within the body of the e-mail and should NOT under any circumstances provide any personal information through this medium.
NIST is pleased to announce the release of draft Special Publication (SP) 800-97, Guide to IEEE 802.11i: Robust Security Networks. SP 800-97 provides detailed information on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for wireless local area network (WLAN) security. IEEE 802.11i provides security enhancements over the previous 802.11 security method, Wired Equivalent Privacy (WEP), which has several well-documented security deficiencies. IEEE 802.11i introduces a range of new security features that are designed to overcome the shortcomings of WEP. This document explains these security features and provides specific recommendations to ensure the security of the WLAN operating environment. It gives extensive guidance on protecting the confidentiality and integrity of WLAN communications, authenticating users and devices using several methods, and incorporating WLAN security considerations into each phase of the WLAN life cycle. The document complements, and does not replace, NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices.
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. In addition, the handbook provides guidance for facilitating a more consistent approach to information security programs across the federal government. Even though the terminology in this document is geared toward the federal sector, the handbook can also be used to provide guidance on a variety of other governmental, organizational, or institutional security requirements.
Treasury Secretary John W. Snow today designated George S. Hender as Sector Coordinator and Chairman of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). The FSSCC works closely with the Treasury and other federal financial regulators to coordinate the private sector's preparation for events including natural disasters and terrorist attacks, which could disrupt the normal business of the financial services industry. Hender, Management Vice Chairman of The Options Clearing Corporation, has served as FSSCC Vice Chairman since September 2004.
PREPARED REMARKS BY DEPUTY ASSISTANT SECRETARY DANIEL GLASER, TERRORIST FINANCING AND FINANCIAL CRIMES -- BEFORE THE FINANCIAL CRIMES FORUM FOR ASIA/PACIFIC -- HONG KONG – I am pleased to be here speaking today at the Financial Crime Forum on behalf of the Treasury Department of the United States. I want to commend the organizers of this event for assembling professionals from multiple sectors, as this parallels the strategy we take at Treasury to engage all stakeholders: financial sector regulators, policy makers, financial crimes investigators, financial sector specialists, bankers, compliance officers, and others. It is only through our collaborative efforts that we can create highly effective Anti-Money Laundering/Counter-Financing of Terrorism (AML/CFT) regimes, and all efforts that enhance our communication across these sectors help us achieve our collective goals.
Procedures for Cooperation Between the Federal Financial Institution Regulatory Agencies and the Department of Labor in the Enforcement of the Employee Retirement Income Security Act of 1974 The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency and Office of Thrift Supervision (the federal financial institution regulatory agencies) as part of their supervision of the institutions regulated by them, conduct examinations and perform other functions which occasionally disclose possible violations of the Employee Retirement Income Security Act of 1974 (ERISA). The Department of Labor (DOL) is charged with the administration, interpretation and enforcement of standards of conduct and responsibility of fiduciaries of employee benefit plans under ERISA.
The FDIC insures bank and savings association deposits to help ensure stability and public confidence in the U.S. financial system. The deposit insurance funds must remain viable so that adequate funds are available to protect insured depositors if an institution fails. When an insured institution fails, the FDIC is responsible for ensuring that the institution's customers have timely access to their insured deposits.
The Federal Financial Institutions Examination Council (FFIEC) Task Force on Consumer Compliance has approved the attached examination procedures to assess compliance with the medical information regulations that became effective on April 1, 2006. The regulations implement the Protection of Medical Information provisions of the Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The new procedures are effective with the issuance of this FIL. Highlights: - The attached examination procedures for the medical information regulations are the first in a series of amendments to FCRA examination procedures that were released with FIL-18-2006 on February 22, 2006.
Richard W. Hartt has been named Deputy Director of the Federal Deposit Insurance Corporation's (FDIC) Division of Information Technology (DIT). Mr. Hartt will head the division's Enterprise Technology Branch. "Rick has an extensive background in all areas of information technology, including strategic planning, enterprise architecture, data architecture, and performance measurement," said Michael Bartell, CIO and DIT Director. "Rick brings significant experience to the FDIC and the IT division and I am excited to have him on our executive team."
On May 22, 2006, the U.S. Department of Veterans Affairs (VA) published a notice that electronic data on approximately 26.5 million veterans and some spouses may have been compromised. The VA is working with law enforcement, Congress, the media, veteran services, and other government agencies to ensure that veterans and their families are protected against potential misuse of that data. Please refer to the VA Web site at www.va.gov for additional information on this security incident. While no specific fraud related to the VA incident has been detected, the growing trend of data breaches occurring in both the private and public sectors raises concerns that personal information may be used to commit identity theft. The FDIC, as a member of the President's Identity Theft Task Force, urges financial institutions to be vigilant against the misuse of personal information for both new and existing customers. Additionally, financial institutions have an obligation to verify the identity of persons seeking to open new accounts and to safeguard customer information against unauthorized access or use.
National Credit Union Administration (NCUA) Board Member Gigi Hyland represented the agency yesterday at the inaugural meeting of President Bush's Identity Theft Task Force. On May 10, 2006, the President signed an Executive Order for the purpose of strengthening federal efforts to protect against identity theft. The Order establishes the Task Force and provides that it will be co-chaired by the Attorney General and the Chairman of the Federal Trade Commission. Task Force membership includes representatives from the other executive branch departments as well as representatives from all of the federal financial regulatory agencies.
Why GAO Did This Study Since 1979, Egypt has received about $80 billion in military and economic assistance, with about $34 billion in the form of foreign military financing (FMF) grants that enable Egypt to purchase U.S.-manufactured military goods and services. In this report, GAO (1) describes the types and amounts of FMF assistance provided to Egypt; (2) assesses the financing arrangements used to provide FMF assistance to Egypt; and (3) evaluates how the U.S. assesses the program's contribution to U.S. foreign policy and security goals.
What GAO Recommends We recommend that the Secretaries of State and Defense conduct: (1) an assessment of the impact of potential shifts in appropriations on the Egypt FMF program; and (2) periodic program-level evaluations of the program. Specifically, the agencies should define the current and desired levels of modernization and interoperability the U.S. would like to achieve.
The FDIC Board of Directors is seeking comment on the attached three proposed rules governing deposit insurance assessments under the Deposit Insurance Reform Act of 2005. The proposed rules would implement a one-time assessment credit, dividends, and procedural and operational changes to the assessment regulations. The Reform Act requires the FDIC to prescribe the credit and dividend regulations by November 5, 2006. Comments on the three proposed rules are due by July 17, 2006. Highlights: - One-Time Assessment Credit: The Reform Act mandates a one-time assessment credit of approximately $4.7 billion to be allocated to each "eligible insured depository institution" or its "successor" to acknowledge contributions by institutions to build up the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF). The first proposed rule would define "successor" as the resulting institution in a merger or consolidation involving an institution that was eligible for the one-time credit. The proposed rule also seeks comment on alternative definitions of successor. The FDIC has developed a Web-based search tool, accessible through www.fdic.gov/deposit/insurance/reform.html, which allows an institution to find its preliminary estimated one-time assessment credit amount based on the notice of proposed rulemaking.
The Internet is the world's largest computing network, with hundreds of millions of users. From the perspective of a user, each node or resource on this network is identified by a unique name, the domain name, such as www.nist.gov. However, from the perspective of network equipment that routes communications across the Internet, the unique identifier for a resource is an Internet Protocol (IP) address, such as 172.30.128.27. To access Internet resources by user-friendly domain names rather than IP addresses, users need a system that translates domain names to IP addresses and back. This translation is the primary task of the Domain Name System (DNS).
The DNS infrastructure is made up of computing and communication entities that are geographically distributed throughout the world. There are more than 250 top-level domains, such as .gov and .com, and several million second-level domains, such as nist.gov and ietf.org. Accordingly, there are many name servers in the DNS infrastructure, each of which contains information about a small portion of the domain name space. The DNS infrastructure functions through collaboration among the various entities involved. The domain name data provided by DNS is intended to be available to any computer located anywhere in the Internet.
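As an added illustration of the name-to-address translation described above, and not code from the NIST guide, the following builds a DNS query for an A record in wire format (RFC 1035) and parses a response, including the label-compression pointers real replies use. It refuses any reply whose transaction ID or question does not echo the query, which is the minimum check a resolver makes before trusting the answer section. The response bytes are constructed inline and map www.nist.gov to the page's sample address 172.30.128.27, which is not the host's real address; the function names are the author's own.

```python
import struct


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query (RD=1) with one question; qtype 1 is an A record, class 1 is IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def decode_name(msg: bytes, off: int):
    """Read a name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                           # the name occupied 2 bytes here
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes, expected_txid: int, expected_name: str):
    """Parse a reply to build_query(). Returns (rcode, [(name, ttl, dotted_ipv4), ...])
    and raises ValueError when the reply does not echo the query's ID and question."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    if qdcount != 1:
        raise ValueError("unexpected question count")
    off = 12
    qname, off = decode_name(msg, off)
    off += 4                                            # skip qtype, qclass
    if qname.lower() != expected_name.rstrip(".").lower():
        raise ValueError("question does not match the query")
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: 4-byte IPv4 address
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0x000F, answers


def is_acceptable(msg: bytes, txid: int, name: str) -> bool:
    try:
        parse_response(msg, txid, name)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def constructed_response(txid: int) -> bytes:
    """A constructed reply (not captured from a real server) answering www.nist.gov
    with 172.30.128.27, TTL 300. The answer name is a pointer (0xC00C) back to the
    question name at offset 12, as servers normally emit it."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    question = encode_name("www.nist.gov") + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([172, 30, 128, 27])
    return header + question + answer


if __name__ == "__main__":
    print(build_query(0x1234, "www.nist.gov").hex())
    print(parse_response(constructed_response(0x1234), 0x1234, "www.nist.gov"))
```

Matching the 16-bit ID and the question only filters replies that were not solicited; it does not authenticate the data, which is why the page notes that DNS data is intended to be available to anyone and why a resolver that needs integrity must validate it separately (DNSSEC) rather than trust the bytes because they arrived.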
While most people have a pretty good idea about how FDIC insurance works, a surprisingly large number of consumers have potentially costly misconceptions. The biggest concern: Some depositors who believe that their funds are fully insured may inadvertently have some money over the insurance limits and risk losing that portion if their bank fails. The Spring 2006 FDIC Consumer News, published by the Federal Deposit Insurance Corporation, offers a guide to understanding FDIC insurance coverage and making sure that all of a family's accounts are fully protected. It features: The "Top 10" misconceptions about FDIC insurance. The Number 1 fallacy: The most a consumer can have insured is $100,000. In fact, a person may qualify for more than $100,000 in coverage at each insured bank if the funds are deposited in different "ownership categories," such as individual accounts, joint accounts, and certain trust and retirement accounts. Depending on the circumstances, a family of four could have well over $1 million in deposit insurance coverage at the same bank -- and that coverage is separate from what is FDIC-insured at any other institution.
The FDIC, along with the other federal banking agencies and the Securities and Exchange Commission, is issuing the attached statement for public comment. The statement informs financial institutions of the internal controls and risk-management procedures that should be used to identify, manage and address the heightened legal or reputational risks that may arise from their involvement in certain complex structured finance transactions. The FDIC will accept comments on this statement through June 15, 2006. Highlights: - The attached interagency statement focuses on complex structured finance transactions entered into by institutions when the transactions circumvent regulatory or financial reporting requirements, evade tax liabilities, or involve other illegal and/or improper behavior.
Fred S. Carns has been named Director of the FDIC's Office of International Affairs (OIA), replacing Michael Zamorski, who retired from the FDIC after 29 years of service. Mr. Carns will be responsible for coordinating the FDIC's international banking activities with a focus on building strong relationships with foreign regulators and deposit insurers, U.S. government entities and international organizations. OIA coordinates the FDIC's technical assistance and outreach activities that are provided to foreign entities in order to promote the development and maintenance of sound banking and deposit insurance systems.
Five federal agencies today requested public comment on a revised proposed statement on the complex structured finance activities of financial institutions. The revised statement describes the types of internal controls and risk management procedures that should help financial institutions identify, manage and address the heightened legal and reputational risks that may arise from certain complex structured finance transactions. The agencies have modified the revised statement in several important respects in light of the comments received on the original proposed statement, which was issued for comment on May 19, 2004. For example, the agencies have reorganized, streamlined and modified the statement to make the document more principles-based and focused on those complex structured finance transactions that may pose heightened levels of legal or reputational risk to a financial institution.
Pursuant to the provisions of the "Government in the Sunshine Act" (5 U.S.C. 552b), notice is hereby given that the Federal Deposit Insurance Corporation's Board of Directors will meet in open session at 2:00 p.m. on Tuesday, May 9, 2006, to consider the following matters: Summary Agenda: No substantive discussion of the following items is anticipated. These matters will be resolved with a single vote unless a member of the Board of Directors requests that an item be moved to the discussion agenda. - Disposition of minutes of previous Board of Directors' meetings. - Summary reports, status reports, and reports of actions taken pursuant to authority delegated by the Board of Directors. - Memorandum and resolution re: Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities.
This publication focuses on developing and implementing information security metrics for an information security program. The processes and methodologies described in this guidance link information security performance to agency performance by leveraging agency-level strategic planning processes. The performance metrics developed according to this guide will enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including the Federal Information Security Management Act (FISMA) and the President's Management Agenda (PMA).
The goal of each agency information security program is to provide the appropriate level of protection to the agency's information resources. Information security has become an essential business function, critical to enabling agencies to conduct their operations and deliver services to the public. Each agency's information security program provides direct support to the agency mission. Information security performance metrics provide a means for the monitoring and reporting of agency implementation of security controls. They also help assess the effectiveness of these controls in appropriately protecting agency information resources in support of the agency's mission.
Interagency Advance Notice of Proposed Rulemaking: Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act. Summary
The OCC, Board, FDIC, OTS, NCUA, and FTC (the Agencies) request comment to gather information useful for developing the guidelines and regulations required by section 312 of the Fair and Accurate Credit Transactions Act (FACT Act). Pursuant to section 312, the Agencies, acting in consultation and coordination, must: establish guidelines for use by persons that furnish information to consumer reporting agencies (furnishers) regarding the accuracy and integrity of the consumer information that they furnish to those agencies; and prescribe regulations that require furnishers to establish reasonable policies and procedures for implementing the guidelines. Section 312 also requires the Agencies jointly to prescribe regulations that identify the circumstances under which a furnisher shall be required to reinvestigate a dispute concerning the accuracy of information contained in a consumer report on a consumer based on a direct request of the consumer.
Summary: This Regulatory Bulletin transmits Examination Handbook Section 341, Information Technology Risks and Controls. The Office of Thrift Supervision substantially revised and reorganized this section of the Examination Handbook. This handbook section replaces existing guidance found in Thrift Activities Handbook Section 341, Technology Risk Controls. This bulletin rescinds RB 32-21 dated January 7, 2002.
The rapid growth and extensive deployment of information technology (IT) requires a thorough assessment of the risks inherent in such activities. The Examination Handbook section issued today outlines OTS expectations that savings associations fully address the risks and challenges posed by using technology, and establish effective risk management practices commensurate with the association's size and complexity. Use this Handbook section and its examination procedures in conjunction with other Handbook sections that provide guidance for reviewing an association's internal control environment.
The Federal Reserve Board announced Wednesday the consolidation of two internal advisory committees on payments system matters. The duties of the Payments System Policy Advisory Committee will be expanded to encompass the responsibilities and activities of the Payments System Development Committee, including its public outreach efforts. The Payments System Development Committee will be discontinued. The Payments System Policy Advisory Committee was formed in July 1986 to advise the Board on a range of issues, including risk-management issues, primarily in wholesale payment and settlement systems, and the relationship between wholesale payment systems and financial markets. The Payments System Development Committee was formed in July 1999 to advise on medium- and long-term public policy issues surrounding innovation in the retail payments system. The expanded Payments System Policy Advisory Committee will provide the Board with a coordinated view of developments in both wholesale and retail payments at a time of significant overall change in the U.S. payments system and help coordinate Federal Reserve work involving domestic and international payments and settlement systems.
Summary: The FDIC has issued revised compliance examination procedures that update the procedures issued in 2003. The new examination procedures incorporate banker feedback and results of internal reviews. Highlights:
- The FDIC also gathered information about how well the procedures were meeting its objectives. - These included focusing increased attention on a bank's compliance management system, and conducting more of the review process off-site, where appropriate. - Bankers were generally pleased with the revised procedures issued in 2003, particularly the focus on compliance management systems. However, they made several suggestions to improve the examination process while reducing burden. - As a result of banker input, the FDIC has made a number of changes to the compliance examination procedures. - Revised worksheets have been distributed to examiners to support the latest version of the compliance examination procedures.
As the nation's 76 million "baby boomers" (born between 1946 and 1964) enter their sixties, they will come face-to-face with the challenges of financing their retirement and will reshape U.S. markets for housing and financial services, according to the Spring 2006 issue of the FDIC Outlook. Taking the long view on forces shaping the financial services landscape, FDIC analysts report on how long-run demographic trends are affecting the funding of pension plans; how a large and relatively affluent baby boom generation is influencing the demand for housing; and how demographic shifts may also alter the mix of financial products and services offered by FDIC-insured institutions.
Beginning June 1, 2006, the Federal Deposit Insurance Corporation (FDIC) will change its primary method of distributing Special Alerts (SAs) to insured financial institutions from paper-copy delivery through the U.S. Postal Service to electronic delivery through the FDIC's free secure Web site, FDICconnect. The change is expected to provide institutions with a number of benefits, including: - An immediate e-mail notification that a SA has been issued. There will be no need for routine manual checks of FDICconnect to determine whether a new SA has been issued. - The immediate availability of the SA. Through the traditional mail system, receipt of the paper copy typically takes a week or longer. - Secure transmission of the SA attachments, which are often electronic copies of fraudulent and genuine instruments.
National Credit Union Administration (NCUA) Vice Chairman Rodney E. Hood joined fifty credit union CEOs in Boston for a roundtable dialogue during which he outlined his regulatory focus for 2006. "Regulatory flexibility will be a top priority of mine in 2006," said Vice Chairman Hood. He discussed the recent final rule extending RegFlex eligibility to an additional 413 federal credit unions by lowering the net worth that well-managed, well-capitalized credit unions must hold to earn regulatory flexibility from 9% to 7%. "This rule demonstrates the Board’s belief that the agency should not micro-manage well-managed institutions," said Vice Chairman Hood. "This year, I will look for ways to reduce unnecessary regulatory burdens on credit unions."
The FDIC, the other federal financial institution regulatory agencies and the Federal Trade Commission have jointly published the attached Advance Notice of Proposed Rulemaking (ANPR) inviting comment to gather information that is useful for developing guidelines and regulations to implement section 312 of the Fair and Accurate Credit Transactions Act (FACT Act). Comments are due by May 22, 2006. The Fair Credit Reporting Act (FCRA) contains a number of provisions designed to enhance the accuracy and integrity of data in consumer reports. In 2003, the FCRA was amended by the FACT Act to, among other things, enhance the ability of consumers to combat identity theft and increase the accuracy of consumer reports. Section 312 of the FACT Act requires the federal financial institution regulatory agencies and the Federal Trade Commission to issue guidelines and regulations concerning the accuracy and integrity of information furnished to credit bureaus.
The Homeland Security Presidential Directive HSPD-12 called for a common identification standard to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) of Federal Employees and Contractors, Federal Information Processing Standard 201 (FIPS 201) [4] was developed to establish standards for identity credentials. This document, Special Publication 800-73 (SP 800-73), specifies interface requirements for retrieving and using the identity credentials from the PIV Card and is a companion document to FIPS 201. Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
The FDIC established and implemented certification and accreditation (C&A) policies, procedures, and practices that were satisfactory and consistent with federal standards and guidelines. The FDIC continued to build its C&A program during 2005 in response to evolving National Institute of Standards and Technology guidance, and additional improvements were underway at the close of our field work. Further, the FDIC had undertaken action to address certain C&A-related matters previously identified in the OIG’s September 2005 security evaluation report required by FISMA. The FDIC can further strengthen its C&A program by: - enhancing system sensitivity assessment guidance to describe how final security categorizations are determined; - ensuring that application security plans adequately describe how common security controls and general support systems critical to the security of the application are considered in the application's C&A; - assessing the cost-benefit of alternative control solutions for reducing or eliminating vulnerabilities; - enhancing written procedures for defining the nature and scope of testing, managing system-level plans of action and milestones, accepting risks associated with system security weaknesses, and issuing interim system authorizations; and - establishing formal milestone reviews at key points in the C&A process to ensure that critical documentation is current, accurate, and complete. These program enhancements will provide FDIC management with greater assurance that system security risks are effectively managed and that C&A practices are consistently applied throughout the Corporation. We also performed benchmarking with other federal agencies and included the results in this report.
This report presents the results of our audit of the FDIC’s consideration of risk in determining the deposit insurance premiums paid to the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF). To assess semiannual premiums on financial institutions, the FDIC uses the Risk-Related Premium System (RRPS) and considers capital levels, safety and soundness examination results, and other pertinent information to assign insured institutions to one of three Capital Groups and to one of three Supervisory Subgroups for the purpose of determining an insurance assessment risk classification.[1] The audit objective was to determine whether the insurance assessment system is adequately tied to the results of examinations of financial institutions by the primary federal regulators and to other information relevant to the institutions’ financial condition. Appendix I of this report discusses our objective, scope, and methodology in detail.
The final agenda for the April public hearings on the proposed Wal-Mart Bank's federal deposit insurance application is now available on the FDIC's Web site. The agenda includes the names of parties who are scheduled to give oral presentations as well as the speaking times and the locations where the parties are scheduled to speak. FDIC Chief Operating Officer and Deputy to the Chairman John F. Bovenzi will serve as Presiding Officer at the hearings. In addition, Douglas H. Jones, Acting General Counsel of the FDIC, and Sandra L. Thompson, Acting Director of the FDIC's Division of Supervision and Consumer Protection, will serve as hearing officers.
The purpose of this letter is to provide NCUA’s IT Security Compliance Guide for Credit Unions. The guide offers information to assist credit unions in complying with the NCUA Rules and Regulations, Part 748, Appendix A; Guidelines for Safeguarding Member Information, and Appendix B; Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. Each section of the guide relates to specific parts of Appendixes A and B of Part 748 of the NCUA Rules and Regulations. Section III provides additional guidance on the risk-assessment process necessary to identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.
Despite regional disparities in job growth and a high degree of reliance on real estate, the economy and the banking industry both continue to perform well across most areas of the nation, FDIC analysts reported in the spring 2006 editions of FDIC Regional Profile and FDIC State Profiles released today. "Moderate to strong job growth across much of the nation is helping to support loan growth and credit quality at federally insured banks and thrifts," said FDIC Chief Economist Richard A. Brown. "However, heavy dependence on mortgage and construction lending is making some banks more vulnerable to regional downturns in real estate activity."
Chairman Shelby, Ranking Member Sarbanes and other distinguished members of the Committee, thank you for the opportunity to speak to you today about our progress in combating terrorist financing and money laundering. In the last four months, we have seen assessments of our progress in both of these arenas - the 9/11 Commission Public Discourse Project's evaluation of our terrorist financing efforts and the U.S. Government's first-ever Money Laundering Threat Assessment. These assessments and this hearing provide an opportunity to take stock of how we are doing with respect to two of the leading concerns of my office. I welcome this committee's ongoing focus on these threats, and your continued support for our efforts to help stop illicit flows of money.
Terrorist Financing
The 9/11 Commission's Public Discourse Project awarded its highest grade, an A-, to the U.S. Government's efforts to combat terrorist financing. This praise truly belongs to the dozens of intelligence analysts, sanctions officers, regional specialists, and regulatory experts in the Treasury's Office of Terrorism and Financial Intelligence (TFI) who focus on terrorist financing, along with their talented colleagues in other agencies - law enforcement agents who investigate terrorism cases, Justice Department prosecutors who bring terrorist financiers to justice, foreign service officers in embassies around the world who seek cooperation from other governments and many others from the intelligence community. You will not find a more talented and dedicated group of people, with no trace of ego and a total focus on the mission.
National Credit Union Administration (NCUA) Chairman JoAnn Johnson announced the extension of the application deadline for the Community Development Revolving Loan Fund’s (CDRLF) disaster relief grants from March 31, 2006 to September 30, 2006. Qualifying credit unions in areas affected by the Gulf Coast hurricanes may apply for up to $2,500 for assistance in resuming operations.
The NCUA’s Community Development Revolving Loan Fund (CDRLF) was established by Congress to support credit unions that serve low-income communities by providing loans and technical assistance grants (TAGs) to qualifying institutions. The programs are designed to further the safety and soundness of low income credit unions while stimulating economic growth. Qualifying credit unions may also apply for CDRLF loans of up to $300,000. Loans have a maturity of 5 years and an interest rate of 1 percent.
Federal regulators today released Evolution of a Prototype Financial Privacy Notice, a report by Kleimann Communication Group summarizing consumer research commissioned by the regulators as part of their ongoing efforts to develop improved financial privacy notices.
The report's release concludes the first phase of an interagency project by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission to explore alternatives for financial privacy notices that would be easier for consumers to read, understand, and use than many of the notices consumers currently receive from financial institutions. These six agencies were among those that jointly issued regulations in 2000 implementing the financial privacy provisions of the Gramm-Leach-Bliley Act, but survey data indicate that many consumers neither read nor understand the notices financial institutions provide under those regulations.
The Office of Thrift Supervision (OTS) is encouraging savings institutions to take advantage of a new Treasury Department program to educate their customers on identity theft prevention and remedies. The program, available to institutions on a DVD entitled Identity Theft: Outsmarting the Crooks, informs consumers about protecting themselves against identity theft. The Treasury Department launched the DVD, created by the Department's Critical Infrastructure Protection Office, on January 26th. The DVD educates consumers on what identity theft is, how they can protect themselves, and what they should do if they become victims of identity theft. It covers topics such as online safety, access to credit reports, taxpayer vulnerabilities to identity theft, and how to deal with debts and debt collectors in connection with identity theft.
The purpose of this Letter to Credit Unions (LTCU) is to raise awareness regarding the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services. It further advises credit unions and their service providers to consider this and similar threats in their event response and contingency strategies (business continuity and disaster recovery plans). This LTCU discusses the National Strategy for Pandemic Influenza (National Strategy) and the roles and responsibilities it outlines for financial institutions.
On November 1, 2005, the White House issued the National Strategy, which discusses the threat and potential impact of a pandemic influenza event. It also identifies the roles and responsibilities for the federal government, the private sector, and others.
The Northeast Region is conducting a second series of one-day Technology Managers Seminars focusing on IT issues of interest to our regulated financial institutions. Feedback from our 2004 Seminars indicated that attendees found them an excellent vehicle for practical guidance on managing technology risks.
This year's topics will include:
The Office of the Comptroller of the Currency will host workshops for national community bank directors at the Westin Great Southern Hotel, Columbus, Ohio, on April 25-26. The workshops provide practical information that expands bank directors' skills and understanding of issues facing their banks. This year's workshops cover risk assessment and compliance risk. Workshops cost $65 each. Attendees receive pre-course reading and course materials, an OCC telephone seminar CD, a community bank supervision handbook, other supervisory material, a continental breakfast and lunch. Workshops are limited to the first 50 registrants and are geared primarily to outside directors of national community banks with assets of less than $1 billion. Management directors may also find the workshop beneficial. For information or to register online, visit http://www.occ.gov/conference.htm
The Financial Crimes Enforcement Network (FinCEN) today issued an Advance Notice of Proposed Rulemaking seeking comments from both the money services business industry and the banking industry on the issue of money services businesses obtaining appropriate access to banking services. Today's action is part of FinCEN's ongoing efforts to address continued concerns about the ability of money services businesses to open and maintain accounts and obtain other services at banks and depository institutions as well as the caution of the banking industry in dealing with money services businesses. "Money services businesses play an important role in America's economy by providing valuable financial services to many Americans who do not, or cannot yet, take advantage of typical savings or checking accounts," said Robert W. Werner, FinCEN's Director. "It is critical for the health and safety of the U.S. financial system that MSBs obtain and maintain banking services and not be driven underground."
A draft agenda for the April public hearings on the proposed Wal-Mart Bank's application for federal deposit insurance is now available on the FDIC's Web site, www.fdic.gov. The agenda includes the names of parties who are currently scheduled to give oral presentations, as well as the speaking times and the locations where the parties are scheduled to speak. The final agenda will be posted to the FDIC's Web site no later than April 5, 2006.
- The first hearing, to be held at the FDIC's Virginia Square Auditorium in Arlington, Virginia, will now be held from 9:00 a.m. to approximately 4:00 p.m. on Monday, April 10, and from 9:00 a.m. to approximately 11:15 a.m. on Tuesday, April 11.
- The second hearing, to be held at the Overland Park Convention Center, Overland Park, Kansas, will now be held on one day only, Tuesday, April 25, from 9:00 a.m. to approximately 4:15 p.m.
During the second half of 2005, OO staff spoke with 791 financial industry representatives through visits and telephone calls, industry-sponsored conferences and FDIC events. Approximately 82 percent reported overall satisfaction with the FDIC's regulatory process, three percent were dissatisfied, and the remaining 15 percent expressed no opinion. The following are examples of comments and suggestions expressed by bankers during outreach activities: Regulations: Of the 218 comments received about regulations affecting banks, 178 involved some degree of dissatisfaction. Of the latter group, 52 percent characterized regulations as burdensome and another 35 percent viewed some regulations as unfair or outdated. The Bank Secrecy Act (BSA) continued to be the subject of greatest concern among bankers, primarily because of the high cost of compliance with what many banker contacts perceived as little benefit. Of the BSA comments, 84 percent were negative. The BSA regulation is almost universally described as "burdensome." Rural community bankers stated that they do not want to be measured by the same gauge used for money center banks. One banker said that BSA procedures seemed like "searching babies at airports." Another banker believed in the spirit of the law, but did not want to be a "watchdog for society." In addition, doing business with money services businesses continued to provide challenges, but "zero tolerance" of filing errors appeared to be less of a concern.
The "Insider Activities" booklet is one of several booklets in the Comptroller's Handbook that will be published under the theme of corporate governance. This booklet provides guidance on how banks may legally and prudently engage in transactions with insiders and implement risk management processes that provide for the appropriate control and monitoring of insider activities. This booklet also provides guidance on how examiners will review and assess insider activities during the supervisory process.
A bank should engage in safe and sound business and personal transactions with its insiders, consistent with law and regulation. Transactions between a bank and its insiders can address legitimate banking needs and serve the interests of both parties. The challenge is to separate legitimate insider financial relationships from those that are, or could become, abusive, imprudent, or preferential. Studies of bank failures have found that insider abuse, including excessive or poor-quality loans made to, and unjustified fees paid to, directors and officers, is often a contributing factor to the failure. Because of the significant risks that insider activities can pose, these activities are subject to strict laws and ethical guidelines.
Rich Spillenkothen, the director of the Division of Banking Supervision and Regulation, will retire on June 30 after thirty years of service with the Federal Reserve Board, including nearly fifteen years as the director of the division. "Rich has led the Board’s supervision program during periods of unparalleled growth, innovation, deregulation, and consolidation in the American banking system, as well as through a number of financial system and banking shocks,” said Federal Reserve Board Chairman Ben S. Bernanke. “During Rich’s tenure, the Federal Reserve’s approach to banking supervision has evolved significantly. His leadership in the supervision of risk management and capital adequacy forms a sound basis for the future work of financial supervisors everywhere."
For many years, GAO has reported that ineffective information security is a widespread problem that has potentially devastating consequences. In its reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue, most recently in January 2005.
Concerned with accounts of attacks on commercial systems via the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the federal information security program, evaluation, and reporting requirements established for federal agencies.
Purpose
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision are issuing this interagency advisory to financial institutions and their technology service providers. This advisory is intended to raise awareness regarding the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services. It further advises financial institutions and their service providers to consider this and similar threats in their event response and contingency strategies. This issuance discusses the National Strategy for Pandemic Influenza (National Strategy) and the roles and responsibilities it outlines for financial institutions.
The Federal Deposit Insurance Corporation (FDIC) Board of Directors today approved final rules that will raise the deposit insurance coverage on certain retirement accounts at a bank or savings institution to $250,000 from $100,000. The increase, the result of a new law boosting federal deposit insurance coverage for the first time in more than 25 years, will become effective on April 1. The basic insurance coverage for other deposit accounts, however, will remain at $100,000. "The increase in deposit insurance coverage on certain retirement accounts is a significant change," said Martin J. Gruenberg, Acting Chairman of the FDIC. "The FDIC is committed to helping depositors understand clearly the change that has been made and how it will affect the deposit insurance coverage for which they are eligible."
National Credit Union Administration (NCUA) Vice Chairman Rodney E. Hood joined Federal Deposit Insurance Corporation (FDIC) Acting Chairman Martin Gruenberg today for an update to consumer organizations and financial services associations regarding the impending changes to federal deposit insurance coverage. “I was pleased that the NCUA and FDIC joined together for such an important forum to discuss the implementation of deposit insurance changes recently signed into law by President Bush,” said Vice Chairman Hood. “It is vital that credit unions have accurate information available for members. We look forward to the assistance of those within the credit union system and consumer affairs in outreach efforts concerning enhancements to deposit insurance.”
Sites have been selected for the FDIC's April public hearings on the proposed Wal-Mart Bank's application for federal deposit insurance, the FDIC announced today. The first hearing, scheduled for Monday and Tuesday, April 10 and 11, will be held at the FDIC's Virginia Square auditorium (Building C), located at 3501 Fairfax Drive, Arlington, Virginia. The second hearing, scheduled for Tuesday and Wednesday, April 25 and 26, will be held at the Overland Park Convention Center (Courtyard Rooms four and five), 6000 College Boulevard, Overland Park, Kansas. The hearings in both locations are scheduled to begin at 9:00 a.m. and conclude no later than 5:30 p.m. each day. More detailed information relating to the hearing locations can be found on the FDIC's Web site, www.fdic.gov. Parties making oral presentations as well as those wishing to attend the hearings should plan to arrive early. Admission for those not making oral presentations will be based on a first-come, first-served basis as space permits. Parties attending the hearings will be subject to security screening.
Comptroller of the Currency John C. Dugan applauded the work of independent banks and said America needs community institutions that are strong enough to help out in times of emergency, but also there in ordinary times to help people achieve their lives' dreams. In a taped speech to the annual convention of the Independent Community Banks of America, Mr. Dugan said that independent banks are at the heart of the OCC’s mission, noting that 90 percent of the institutions supervised by the agency have less than $1 billion in assets. The Comptroller added that it is vital that regulators strike a balance that preserves safety and soundness without sapping the industry’s strength. “Sensible regulation is essential to the industry’s safety and soundness,” he said. “But we have to be careful that the sheer volume of our regulations doesn’t overwhelm you, stifling initiative and chipping away at your ability to compete. Preserving that balance is a challenge I take very seriously.”
The Treasury Department this week launched the first meeting of the newly created Consumer Financial Protection Forum which was established to focus exclusively on financial consumer concerns and to provide a permanent forum for communication between federal and state regulators on these issues. The Forum is chaired by the Treasury Department and participants include the federal banking and credit union regulators, the Federal Trade Commission, and representatives from state supervisory organizations. "The strength of our economy and financial services sector depends on confidence in the system on the part of consumers," said Assistant Secretary for Financial Institutions Emil Henry, Jr. "The goal of the Forum is straightforward - bring federal and state regulators together to share information and discuss ways to address evidence of consumer financial abuse by financial institutions."
The Federal Deposit Insurance Corporation (FDIC) today announced that the Corporation has received its fourteenth consecutive set of unqualified audit opinions on the financial statements of the three funds that it manages. Comprehensive income (net income plus current period unrealized gains/losses on available-for-sale (AFS) securities) for the Bank Insurance Fund (BIF) decreased 32% to $680 million in 2005 from $1.004 billion in 2004. For the second consecutive year, comprehensive income has declined as a result of several factors. The year-over-year reduction of $324 million was primarily due to an increase in unrealized losses on AFS securities of $279 million, lower recoveries of prior years' provisions for insurance losses of $143 million, an increase in operating expenses of $25 million, and a decrease in assessment revenues of $43 million, offset by an increase of $161 million in interest revenue on U.S. Treasury obligations. As of December 31, 2005, BIF's fund balance was $35.5 billion (including $298 million in net unrealized gains on AFS securities), up from $34.8 billion at year-end 2004.
Summary: The FDIC is pleased to announce that its 2005 Annual Report is now available on the FDIC's Web site.
Highlights:
- The Annual Report provides an overview of the FDIC's activities and operations during the year.
- It also reports on the FDIC's success in achieving the goals established for fiscal year 2005.
This document describes the mission, goals, and performance results of the Office of Thrift Supervision. It also provides OTS’s FY 2006 approved budget and strategies. Although OTS receives no appropriated funds from Congress, OTS provided this budget information to the Department of the Treasury for inclusion in the Justification for Appropriations and Performance Plans that Treasury submitted to Congress on February 6, 2006.
OTS Strategic Priorities
OTS’s FY 2006 budget totals $215.5 million. The budget directly supports OTS’s strategic and performance goals that provide for proactive supervision of the industry, reduced regulatory burden and improved credit availability. The FY 2006 budget enables OTS to continue tailoring supervisory examinations to the risk profile of the institutions, while effectively allocating resources to oversee and assess the safety and soundness and consumer compliance record of the thrift industry.
As Director of the Financial Crimes Enforcement Network, this nation’s financial intelligence unit, I am proud that our skilled professionals are at the forefront of this country’s efforts to protect our financial system from abuse by criminals and terrorist financiers. Under authorities granted to us by the Bank Secrecy Act and the USA PATRIOT Act, our role is to prevent and detect terrorist financing, money laundering, and other financial crime. These are times of rapid change in the financial arena. Internet-based financial activity, changing methodologies for money laundering and terrorist financing, and the sheer number and variety of worldwide financial transactions make tracking illicit financial activity increasingly challenging. In the face of these developments, the Financial Crimes Enforcement Network needs to become more sophisticated, agile, and creative in assessing and responding to financial system risks. Approaches that addressed the needs of the past must give way to policies, processes, and analytical techniques that meet present and future realities.
In our Letter to Credit Unions #04-CU-12 Phishing Guidance for Credit Union Members, we highlighted the need to educate your membership about phishing activities. As the number and sophistication of phishing scams continue to increase, we would like to emphasize the importance of educating your employees and members on how to avoid phishing scams, as well as the actions you and/or your members may take should they become a victim. Appendix A of this document contains information you may share with your members to help them avoid becoming a victim of phishing scams. Appendix B contains information you may share with members who may have become a victim of phishing scams.
Background
Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords, account numbers, or credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message. Often the message includes a warning regarding a problem related to the recipient’s account and requests the recipient to respond by following a link to a fraudulent website and providing specific confidential information. The format of the e-mail typically includes proprietary logos and branding, a “From” line disguised to appear as if the message came from a legitimate sender, and a link to a website or to an e-mail address. All of these features are designed to assure the recipient that the e-mail is from a legitimate business source when, in fact, the information submitted will be sent to the perpetrator.
The Federal Reserve and the other financial institutions regulatory agencies published on February 9, 2006, the attached Advisory to address safety and soundness concerns that may arise when financial institutions enter into external audit contracts (typically referred to as "engagement letters") that limit the auditors' liability for audit services. The Advisory informs financial institutions that it is unsafe and unsound to enter into engagement letters for audits of financial statements, audits of internal control over financial reporting, or attestations on management's assessment of internal control over financial reporting which include provisions that (1) indemnify the external auditor against all claims made by third parties, (2) hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution (other than claims for punitive damages), or (3) limit the remedies available to the client financial institution (other than punitive damages).
Commercial banks and savings institutions insured by the Federal Deposit Insurance Corporation (FDIC) reported net income of $134.2 billion in 2005, surpassing by $11.8 billion (9.6 percent) the previous record set in 2004 and representing the fifth consecutive year that industry earnings reached a new high. Increased net interest income (stemming from strong growth in loans) and a boost in noninterest income at larger institutions (particularly from trading and servicing activities) were the main factors contributing to the latest annual record. The industry's net income of $32.9 billion in the fourth quarter of 2005, while the fourth highest ever and a $1.7 billion (5.4 percent) increase over the same quarter a year ago, marked a decline of $1.7 billion (5.0 percent) from the record earnings of the third quarter of 2005. The average return on assets (ROA) fell to 1.22 percent in the fourth quarter, down from 1.25 percent a year ago. In a related development, the FDIC also noted that this past weekend the agency reached a milestone for the longest period, in days, during which it did not provide assistance to a failed or failing institution. The previous record of 609 days spanned January 1945 to September 1946. “This historic milestone speaks to the favorable economic conditions we have recently experienced as well as to the efforts of bankers and regulators to manage risks in the industry," Gruenberg said.
Over the past two decades, systematic misappropriation of intellectual property has become a major concern to American businesses, artists, and authors. As the modern economy grows increasingly reliant on intellectual property, the proliferation of computers and computer networks has made the illegal reproduction and distribution of protected material much easier to accomplish. Congress has enacted workable criminal laws prohibiting such misappropriation. This manual begins in Chapter I with an overview of the legal protection of intellectual property. It first provides general background on intellectual property and the legal regimes employed to encourage its creation. It then explains the criminal law's role in addressing intellectual property misappropriation with a special focus on the recent Intellectual Property Rights Initiative.
In the last decade, computers and the Internet have entered the mainstream of American life. Millions of Americans spend several hours every day in front of computers, where they send and receive e-mail, surf the Web, maintain databases, and participate in countless other activities. Unfortunately, those who commit crime have not missed the computer revolution. An increasing number of criminals use pagers, cellular phones, laptop computers and network servers in the course of committing their crimes. In some cases, computers provide the means of committing crime. For example, the Internet can be used to deliver a death threat via e-mail; to launch hacker attacks against a vulnerable computer network; to disseminate computer viruses; or to transmit images of child pornography. In other cases, computers merely serve as convenient storage devices for evidence of crime. For example, a drug kingpin might keep a list of who owes him money in a file stored in his desktop computer at home, or a money laundering operation might retain false financial records in a file on a network server.
The Federal Reserve Board on Monday announced the approval of a final rule that expands the definition of a small bank holding company (BHC) under the Board's Small Bank Holding Company Policy Statement and the Board's risk-based and leverage capital guidelines for bank holding companies. The policy statement facilitates the transfer of ownership of small community banks by permitting debt levels at small BHCs that are higher than what would typically be permitted for larger BHCs. Because small BHCs may, consistent with the policy statement, operate at a level of leverage that generally is inconsistent with the capital guidelines, the capital guidelines provide an exemption for small BHCs.
I meet and work with financial leaders every day, but I can easily say that Credit Unions have the most heart. Your motto rings true to your culture: "not for charity, not for profit, but for service." You do good work: loans to small business, home mortgages, financial education and working in partnership with the government to fight the financial war on terror. You were wonderful in your response to Hurricane Katrina, in a time when Americans helping each other meant so very much. Each one of these efforts is critical to our country's economic health and strength, and I applaud you for doing good while you do business.
The Federal Deposit Insurance Corporation (FDIC) has scheduled public hearings in April in the Washington, D.C. area, and the Kansas City, Missouri, metro area on the application for federal deposit insurance filed on behalf of the proposed Wal-Mart Bank. On July 19, 2005, an application for federal deposit insurance was submitted to the FDIC by Wal-Mart Bank, a proposed Industrial Loan Company (ILC) headquartered in Salt Lake City, Utah. ILCs are state banks that are supervised and insured by the FDIC. There has been considerable public interest in the application. The FDIC believes that public participation will provide valuable insight into the issues presented by the application and will serve the public interest. The FDIC is interested in obtaining the views of the general public, the financial services industry and other industry trade groups, public interest groups, state financial institution supervisors, other state authorities, and any other interested parties.
The FDIC, along with the Federal Reserve Board and the Office of the Comptroller of the Currency, has issued the attached joint final rule clarifying the capital treatment for securities borrowing transactions for banks and bank holding companies that are subject to the Market Risk Capital Rule. Securities borrowing transactions are generally used in conjunction with short sales, securities fails (securities sold but not made available for delivery on the settlement date), and option and arbitrage positions. The final rule takes effect on February 22, 2006.
The nation’s federally insured credit unions reported strong loan growth as delinquencies remained low, according to fourth quarter 2005 Call Report data submitted by the nation’s 8,695 federally insured credit unions. During 2005, the loan to share ratio climbed to 79.4 percent as loans grew nearly $44 billion, and delinquencies remained well below 1 percent. “The strong pace of loan growth is an excellent indication that credit unions are fulfilling their mission of being the source of affordable loans for their members,” said Chairman JoAnn Johnson. “What’s more, net worth continues to grow at a consistent, healthy level, which indicates credit unions are effectively managing their balance sheets.”
U.S. Treasury Secretary John W. Snow today named Robert W. Werner as the new Director of the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department. Werner currently serves as the Director of the Treasury's Office of Foreign Assets Control (OFAC). "OFAC and FinCEN are two premier agencies at the heart of an unparalleled campaign to combat terrorist financing and financial crime across the globe. Fortunately, the Treasury will continue to benefit from Bob's talents and vision, as he takes over FinCEN's critical efforts to safeguard the financial sector from illicit activity," said Snow.
"Bob's expertise and steady leadership brought OFAC into the 21st Century by enhancing the Office's administration of economic and trade-based sanctions and highlighting its potential to address a wide range of threats to our national and economic security," Snow continued. "Under Bob's leadership, OFAC has greatly strengthened its relationships with the financial sector and other U.S. Government agencies, as well as with foreign counterparts around the world."
The National Credit Union Administration (NCUA) requests public comment on whether and how to modify its Supervisory Committee audit rules to require credit unions to obtain an “attestation on internal controls” in connection with their annual audits; to identify and impose assessment and attestation standards for such engagements; to impose minimum qualifications for Supervisory Committee members; and to identify and impose a standard for the independence required of State-licensed, compensated auditors. In 1998, the Credit Union Membership Access Act (“CUMMA”), Pub. L. No. 105-219, 112 Stat. 913 (1998), amended the Federal Credit Union Act to require credit unions having assets of $10 million or more to follow generally accepted accounting principles (“GAAP”) in all reports and statements filed with the NCUA Board. 12 U.S.C. 1782(a)(6)(C). CUMMA further required credit unions having assets of $500 million or more to obtain an annual independent audit of their financial statements (“financial statement audit”) performed in accordance with generally accepted auditing standards (“GAAS”) by an independent certified public accountant or public accountant licensed by the appropriate State or jurisdiction. 12 U.S.C. 1782(a)(6)(D).
Welcome to the fifth issue of The SAR Activity Review - By the Numbers, a compilation of statistical data gathered from Suspicious Activity Report forms submitted by depository institutions since April 1996, casinos and card clubs since August 1996, certain money services businesses since January 2002, and certain segments of the securities and futures industries since January 2003. By the Numbers serves as a companion piece to the publication of The SAR Activity Review - Trends, Tips & Issues, which provides information about the preparation, use, and utility of Suspicious Activity Reports.
By the Numbers is produced twice a year to cover two filing periods: January 1 to June 30 and July 1 to December 31. The statistical data from the filing periods is available for publication on the FinCEN website after the end of each period, usually in the spring and fall. The last issue of By the Numbers was published in May 2005 and may be accessed through the following link:
This Advisory warns financial institutions about the potential for fraudulent transactions involving hurricane relief monies. To assist law enforcement, we request that financial institutions include key terms in the narrative portions of all Suspicious Activity Reports filed relating to possible hurricane relief fraud schemes. In the wake of the devastating Hurricanes Katrina, Rita, and Wilma that struck during the past year, an unusually large amount of emergency financial assistance has been distributed to storm victims in many parts of the country. The Department of Justice’s Hurricane Katrina Fraud Task Force (“Task Force”), which Attorney General Alberto Gonzales established in September 2005, has been vigorously prosecuting all types of fraud relating to the three hurricanes.
Summary: The federal financial institution regulatory agencies have issued the attached final interagency advisory on the unsafe and unsound use of limitation of liability provisions in external audit engagement letters. Highlights: - The final advisory applies to all audits of financial institutions, regardless of the size of the financial institution, whether the financial institution is public or not, and whether the audits are required or voluntary.
The Office of the Comptroller of the Currency recently announced its 2006 workshop schedule for national community bank directors. The workshops provide practical information that expands bank directors' skills and understanding of issues facing their banks. This year's workshops cover risk assessment, credit risk, and compliance risk. Comptroller of the Currency John C. Dugan said the response to past workshops has been enthusiastic. "Hundreds of directors have attended our workshops, and they have consistently given them high marks," said Mr. Dugan.
The Federal Deposit Insurance Corporation (FDIC), in observance of National Consumer Protection Week (NCPW) February 5-11 and its theme of fraud prevention, is reminding the public about the agency's wide range of educational materials designed to help consumers learn how to protect themselves from scams. "Consumers, as well as banking institutions, face significant costs and challenges from fraud," said Christopher Spoth, Acting Director of the Division of Supervision and Consumer Protection. "The FDIC will continue to work to help consumers avoid being victimized by some of the fastest growing crimes in America."
The federal banking, thrift and credit union regulatory agencies and the state supervisory authorities in Alabama, Louisiana and Mississippi have jointly issued the attached examiner guidance outlining the supervisory practices to be followed in assessing the financial condition of institutions affected by Hurricane Katrina. Highlights: The attached Interagency Supervisory Guidance for Institutions Affected By Hurricane Katrina describes examination procedures for institutions adversely affected by the hurricane. In considering any supervisory response, examiners will give appropriate recognition to the extent to which weaknesses are caused by external problems related to the hurricane and its aftermath.
Comptroller of the Currency John C. Dugan said today that most bank customers don’t find the privacy notices they receive to be especially useful and said an ongoing interagency process to simplify those notices will better serve banks and their customers. That’s partly because the statutory requirements are complex and mandate a host of very specific disclosures, the Comptroller said. In addition, the regulations implementing the law encourage the use of legal terms in notices. Finally, there was no requirement in the law or regulations for uniformity or consistency among institutions in the way the information is presented. “When you combine these three factors, the result is what we have today: notices with too much information, too many legal terms, and too much variability in presentation from institution to institution,” Mr. Dugan said in a speech to a meeting sponsored by the American Law Institute and the American Bar Association.
The federal financial regulatory agencies today announced the issuance of a final advisory that addresses safety and soundness concerns that may arise when financial institutions agree to limit their external auditors' liability. The agencies' primary concern is that limiting the liability of external auditors in engagement letters may reduce the reliability of audits. The Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters informs financial institutions that they should not enter into external audit engagement letters that incorporate unsafe and unsound limitation of liability provisions with respect to audits of financial statements and internal control over financial reporting.
The federal bank and thrift regulatory agencies today announced that they will be hosting a forum in New Orleans for banks and thrifts on March 2 and 3, 2006. The forum, titled “The Future of Banking on the Gulf Coast: Helping Banks and Thrifts Rebuild Communities,” will focus on the short-term and long-term challenges facing banks and thrifts operating in the areas affected by Hurricanes Katrina and Rita and on ways of helping meet the needs of the local communities. Principals from each of the four federal banking agencies will participate in the forum, which will convene at the New Orleans Marriott, 555 Canal Street, New Orleans, Louisiana, at 8:00 a.m. CST on Thursday, March 2, 2006, and close at noon on Friday, March 3, 2006. The FDIC and NeighborWorks of New Orleans will conduct optional bus tours of devastated areas nearby on the afternoons of Wednesday, March 1, and Friday, March 3.
For the security of any system to be strong, the system's owners must consider three fundamental security areas: management controls, operational controls, and technical controls. While technical controls, such as encryption, digital signatures, or firewalls, receive the most attention, inadequate operational controls and the day-to-day administration of technical controls often create the most vulnerabilities. Strong management controls are needed to tie all the aspects of security together into a sensible protection strategy. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, helps organizations to improve their operational and management controls. This CSL Bulletin explains some of the needs that generally accepted system security principles (GSSPs) can address and presents a set of such principles developed by NIST.
Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.
The security process is the method an organization uses to implement and achieve its security objectives. The process is designed to identify, measure, manage and control the risks to system and data availability, integrity, and confidentiality, and ensure accountability for system actions. The process includes five areas that serve as the framework for this booklet:
Whatever direction the cyberthreat takes, the United States Government will be confronting an increasingly interconnected world in the years ahead. This is the core message of GT2015. We will have to develop, in response, greater communications and collaboration across the agencies of our own Government, with other governments, and with the corporate world. Interagency cooperation will be essential to understanding the cyberthreat, as well as other transnational threats that will crowd our agenda, and to responding effectively with interdisciplinary strategies. Consequence management of a major attack on a critical US infrastructure would involve virtually all agencies of the Federal Government, State, and local governments, foreign governments, law enforcement, the military, the medical community, and the media. NSTISSC and the Intelligence Community clearly have a lot of work to do if we are to understand this evolving threat and to be prepared to deal with it.
To assure that prudent practices are being followed by banking institutions in their funds transfer activities, examinations should focus, with equal emphasis, on the evaluation of credit risks and operational controls. Deficiencies disclosed in either of these areas and suggestions for improvement should be discussed with management and listed in the Report of Examination. Constructive criticism by the examiners should help the institutions strengthen procedures to minimize the risks associated with funds transfer activities. Refer to the Electronic Funds Transfer (EFT) Examination Documentation module for further guidance.
The Federal Deposit Insurance Corporation (FDIC) today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised. Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. Identity theft is evolving in more complicated ways that make it harder for consumers to protect themselves, and easier for criminals to set up virtual storefronts on the Internet to sell confidential personal information.
This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.
Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.
The FDIC Office of Inspector General issued its semiannual report to Congress, highlighting what the Inspector General considers to be 2005's most taxing management and performance challenges. The report focuses on the need to streamline Information Security initiatives that can "maintain stability and confidence in the nation's banking system." The FDIC's Office of Inspector General understands the tremendous risk associated with safeguarding banking clients' private information, and has therefore centered its priorities and managerial initiatives accordingly.
WASHINGTON, D.C. (January 13, 2006) – The federal financial regulatory agencies today announced a public service campaign to aid in the financial recovery of victims of last year's hurricanes. Although four months have passed since Hurricanes Katrina and Rita made landfall, some bank customers have not yet been in contact with their lenders. Communication is an essential step in the road to financial recovery. The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration and state financial regulators are encouraging banks, thrifts, and credit unions to continue to work with borrowers affected by the hurricanes. Assistance may include waiving fees, lowering interest rates, extending repayment schedules, or deferring principal or interest for an additional period, where appropriate. For these options to be considered, however, it is essential that the borrower contact his or her lender.
At the request of the Assistant to the President and Chief of Staff, we have prepared this memorandum to provide guidance for reviewing Government information regarding weapons of mass destruction, as well as other information that could be misused to harm the security of our nation or threaten public safety. It is appropriate that all federal departments and agencies consider the need to safeguard such information on an ongoing basis and also upon receipt of any request for records containing such information that is made under the Freedom of Information Act (FOIA), 5 U.S.C. § 552 (2000). Consistent with existing law and policy, the appropriate steps for safeguarding such information will vary according to the sensitivity of the information involved and whether the information currently is classified.
The attached final rule, published in the Federal Register on August 13, 2003, concerns the removal, suspension, and debarment of accountants from performing annual audit and attestation services. The final rule will become effective on October 1. Section 36 of the Federal Deposit Insurance Act (FDIA) requires that each national bank with $500 million or more in total assets submit an annual report on its financial statements and required management assessments to the Comptroller of the Currency (OCC). An independent public accountant must audit these financial statements to determine whether they are presented in accordance with generally accepted accounting principles.
Dr. Robert DeYoung has been named Associate Director of the FDIC's Division of Insurance and Research (DIR), FDIC Acting Chairman Martin Gruenberg announced today. DeYoung will head the division's Research Branch. "Bob DeYoung brings a wealth of experience in the publication of original research and in its application to the banking and financial system," said Art Murton, DIR Director. "We look forward to the contributions he will make to the policy leadership and research efforts at the FDIC."
Dr. DeYoung joins the FDIC from the Federal Reserve Bank of Chicago, where he served as a senior economist and economic advisor in the research department. For the past two years, Dr. DeYoung has played a key role in the advancement of the FDIC's Center for Financial Research as the Coordinator of the Center's Banking Policy and Regulation Program. Dr. DeYoung also serves as an associate editor of the Journal of Financial Services Research and the Journal of Economics and Business, and as a lecturer on economics and finance at the Kellstadt Graduate School of Business at DePaul University in Chicago.
This bulletin amends OCC Bulletin 2004-50, Enforcement Guidance for BSA/AML Program Deficiencies, dated November 10, 2004, by adding a new Appendix A entitled “Process for Taking Administrative Enforcement Actions Against Banks Based on BSA Violations.” The purpose of this new appendix is to ensure that the OCC’s process for taking administrative enforcement actions based on BSA violations is measured, fair, and fully informed. These procedures set forth the general process to be followed in enforcement cases based on BSA violations. They provide only internal OCC guidance. The OCC may deviate from these procedures in certain cases, e.g., cases in which a developing situation in a bank requires immediate action, other unusual or exigent circumstances are present, or intervening developments require a different course of action.
The Check Clearing for the 21st Century Act (Check 21) was signed into law on October 28, 2003, and became effective on October 28, 2004. Check 21 is designed to foster innovation in the payments system and to enhance its efficiency by reducing some of the legal impediments to check truncation. The law facilitates check truncation by creating a new negotiable instrument called a substitute check, which permits banks to truncate original checks, to process check information electronically, and to deliver substitute checks to banks that want to continue receiving paper checks. A substitute check is the legal equivalent of the original check and includes all the information contained on the original check. The law does not require banks to accept checks in electronic form nor does it require banks to use the new authority granted by the Act to create substitute checks.
Fight Back: What You Can Do about Identity Theft
If you think your identity has been stolen, here's what to do now: Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified to place fraud alerts. Once the alert is placed, you may order a free copy of your credit report from all three major credit bureaus. The special toll-free numbers for the fraud departments are: Equifax at (800) 525-6285, Experian at (888) 397-3742 and Trans Union at (800) 680-7289. Close the accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit when disputing new unauthorized accounts.
File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.
This guidance identifies risks associated with public Internet instant messaging (IM) and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy, and legal liability risks because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.
The FDIC is issuing the attached guidance to financial institutions recommending an effective spyware prevention and detection program based on an institution’s risk profile. This guidance and the attached informational supplement discuss the risks associated with spyware from both a bank and consumer perspective and provide recommendations to mitigate these risks.
The federal bank and thrift regulatory agencies have jointly issued final guidelines to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. The guidelines require the proper disposal of consumer information. The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (agencies) have adopted the attached final rule to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 of the FACT Act is designed to protect a consumer against the risks associated with identity theft and other types of fraud.
Under the final rule, the agencies have amended their "Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by the Gramm-Leach-Bliley Act, to require the proper disposal of consumer information. The guidelines have been renamed "Interagency Guidelines Establishing Information Security Standards."
Executive Summary and Findings
Focus of Supplement
Identity theft in general and account hijacking in particular continue to be significant problems for the financial services industry and consumers. Recent studies indicate that identity theft is evolving in more complicated ways that make it more difficult for consumers to protect themselves. Recent studies also indicate that consumers are concerned about online security and may be receptive to using two-factor authentication if they perceive it as offering improved safety and convenience.
This Supplement discusses seven additional technologies that were not discussed in the Study. These technologies, as well as those considered in the Study, have the potential to substantially reduce the level of account hijacking (and other forms of identity theft) currently being experienced.
This bulletin transmits a small entity compliance guide for the Interagency Guidelines Establishing Information Security Standards (Security Guidelines), jointly drafted by staff of the federal banking agencies, pursuant to the requirements of the Small Business Regulatory Enforcement Fairness Act of 1996. The compliance guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations.
Successful frauds tend to be replicated until they no longer work. Financial institutions can help reduce identity theft, including account hijacking, by encouraging information sharing so that identity theft frauds are thwarted sooner. A number of such information-sharing efforts are noteworthy including those sponsored by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Anti-Phishing Working Group (APWG), the Identity Theft Assistance Corporation (ITAC), and Infragard, in addition to individual financial institution Web sites.
This advisory letter highlights risks associated with wireless networks and provides guidance for managing those risks. National banks can use this guidance to help in protecting company assets and confidential customer information, achieving service level requirements, maintaining safe and sound practices, and ensuring compliance with regulatory security expectations.
BACKGROUND
The emergence of wireless networking standards and products that rely upon unlicensed radio frequencies is causing an increasing number of national banks to consider how they might benefit from the technology advancements. National banks can use wireless technologies to build local-area networks and personal-area networks with low-cost devices and easy installations. The basic technology components include:
* Systems and devices sharing information (e.g., computers, workstations, networks);
Since 1998, when identity theft first became a federal crime, a number of statutes and regulations have clarified impermissible use of personal information and offered greater tools to law enforcement. However, no law or regulation is focused solely on account hijacking. These changes in federal law have either established standards for protecting information, provided consumers with more information about their credit history so they can be more vigilant in protecting their own identity, or increased criminal penalties for identity theft and enforcement tools in an effort to deter it. Each of these approaches is discussed below.
The purpose of this paper is to provide financial institutions and examiners with background information and guidance on various risk assessment tools and practices related to information security. Institutions using the Internet or other computer networks are exposed to various categories of risk that could result in the possibility of financial loss and reputational harm. Given the rapid growth of the Internet and networking technology, the available risk assessment tools and practices are becoming more important for information security. This paper provides a summary of critical points, discusses components of a sound information security program, and describes the risk assessment and risk management processes for information security. The appendix provides specific information on certain risk assessment tools and practices that may be part of an institution's information security program. The paper and appendix are intended to provide useful information and guidance, not to create new examination standards, impose new regulatory requirements, or represent an exclusive description of the various ways financial institutions can implement effective information security programs.
Complete this section’s objectives to assign the information technology (IT) composite rating using as a guide OCC Bulletin 99-3, “Uniform Rating System for Information Technology (URSIT).” The composite URSIT rating should reflect:
• The adequacy of the bank’s risk management practices.
In assigning the rating the examiner should consult the EIC, the examiners assigned to review management and audit, and other examining personnel, as appropriate. Although the OCC does not assign URSIT component ratings to the financial institutions it supervises, risks arising from the areas covered by the component ratings are considered when assigning the URSIT composite rating.
The Agencies are jointly issuing final Guidance that interprets the requirements of section 501(b) of the GLBA, 15 U.S.C. 6801, and the Security Guidelines to include the development and implementation of a response program to address unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to a customer. The Guidance describes the appropriate elements of a financial institution’s response program, including customer notification procedures. Section 501(b) required the Agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to: (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
On February 1, 2001, the Agencies issued the Security Guidelines as required by section 501(b) (66 FR 8616). Among other things, the Security Guidelines direct financial institutions to: (1) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
The Federal Financial Institutions Examination Council (FFIEC) has released updated information security guidance in the form of a new Information Security Booklet. The Information Security Booklet is the first in a series of booklets that will completely update and replace the 1996 FFIEC Information Systems Examination Handbook.
Reliance on technology in all aspects of banking by bankers, consumers, and corporations has increased both the potential for, and likely impact of, security threats to national banks. Widespread adoption of effective security processes can help ensure that the banking industry maintains effective safeguards against such threats and, by doing so, helps preserve the public trust. The Information Security Booklet provides a comprehensive security framework for national banks and their technology service providers. The framework focuses on implementing a security risk management process that identifies risks, develops and implements a security strategy, tests key controls, and monitors the risk environment. This framework also stresses the important roles that senior management and boards of directors play in this process by emphasizing their responsibility to recognize security risks in their banks and to assign appropriate roles and responsibilities to their managers and employees.
The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Cotton & Company LLP to conduct an independent evaluation of NCUA’s information systems (IS) and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.
The Office of Management & Budget (OMB) issued 2004 Guidance on Annual Information Technology Security Reports on August 23, 2004. This guidance provides clarification to agencies for implementing, meeting, and reporting FISMA requirements to OMB and the Congress. This report contains a summary of our evaluation of the NCUA’s information security program and is presented in the OMB prescribed format.
NCUA Annual Performance Budget 2005
I am pleased to present the National Credit Union Administration’s Annual Performance Budget 2005. You will notice that it is called a performance budget and not a plan. It was developed to serve as an element of budget development and reflects a greater correlation between our strategic and annual performance goals and resource allocation. This enhanced correlation is in support of the President’s Management Agenda Initiative #5 – Budget and Performance Integration.
The year 2004 has been a very productive year. NCUA Annual Performance Plan 2004 served to guide the agency’s efforts to achieve its performance goals and objectives in its regulatory and supervisory roles during the past year. The credit union industry’s performance validated these efforts with assets increasing $30.6 billion or 5.02%, net worth increasing $4.3 billion or 6.52%, shares increasing $22.8 billion or 4.31%, loans increasing $30.2 billion or 8.02% and delinquent loans as a percentage of total loans decreasing from 0.76% to 0.71% for a very productive year. As a result, NCUA’s priorities continue to stress providing proper training and tools for examiners, an optimal regulatory environment that balances innovation with safety and soundness, enhanced organizational effectiveness and efficiency, promoting access of financial services to all eligible residents and maintaining a responsible budget process.
The National Credit Union Administration (NCUA) has developed this guide to assist credit unions engaging in, or considering, e-Commerce activities. For the purposes of this guide, e-Commerce is defined as the electronic delivery of financial services via the Internet. NCUA does not expect all credit unions to offer e-Commerce. However, NCUA expects credit unions offering e-Commerce to do so in a safe and sound manner. This guide focuses on processes to assist credit unions in managing the risks related to e-Commerce in an environment of rapidly changing technology. Credit union management should use the information in this guide to assist with technology planning, contracting, delivery, and support of e-Commerce activities. This should be done within a framework designed to identify, quantify and, to the extent possible, reduce related technology risks.
Much of the information in this guide is derived from NCUA issuances such as Rules & Regulations and Letters to Credit Unions. Although this information is provided in summary format in the guide, the related issuances typically contain more detail on a particular subject and may contain additional checklists that can assist in evaluating performance in a given area. Please refer to Appendix A for a listing of NCUA reference information. These issuances, as well as additional guidance, can be found via the Information Systems and Technology link under the reference section of the NCUA website (http://www.ncua.gov). This site is updated frequently and can serve as a valuable resource.
Periodic security awareness training is specifically mandated by three Federal issuances. On October 30, 2000, the Government Information Security Reform Act (GISRA) was signed into law. One of the requirements of GISRA is that each Federal agency shall develop and implement an agency-wide information security program to provide information security for the operations and assets of the agency. This program shall include security awareness training to inform personnel of information security risks associated with the activities of personnel, and responsibilities of personnel in complying with agency policies and procedures designed to reduce such risk.
OMB Circular A-130, Management of Federal Information Resources, establishes policy for the management of Federal information resources.
Appendix III of OMB Circular A-130 requires that prior to being granted access to Information Technology (IT) applications and systems, all individuals must receive specialized training on their IT security responsibilities and established system rules.
E-mail and Internet-related fraudulent schemes, such as “phishing” (pronounced “fishing”), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false “from” address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.
I. INTRODUCTION
Purpose and Scope of the Guide
This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs. Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.
Flawed modeling presents risk to sound management decision-making; rise in online fraud, theft of consumer data dictate need for tighter online banking security
Banks' financial modeling, the security of Internet banking transactions, and bank insider misconduct are some of the issues of current focus for the bank regulatory community that are highlighted in the FDIC's Winter 2005 issue of Supervisory Insights, released today. With financial modeling growing in importance as a bank management tool, attention is now focused on a new source of risk - the potential for flawed information to be introduced into the management decision-making process. The article "Model Governance" describes how strong governance procedures can help minimize this risk, and it suggests areas that examiners should target when evaluating a bank's model oversight, control and validation programs. And with incidents of online fraud - including identity theft - on the rise, strengthening security for Internet-based financial transactions continues to be an area of focus for bank supervisors and management. "Online Delivery of Banking Services: Making Consumers Feel Secure" reviews key findings of an FDIC study that evaluated identity authentication technologies. This article also reviews recently issued interagency guidance requiring insured institutions and service providers - as part of the development of Internet banking products and services - to design safeguards to protect sensitive customer data.
This statement alerts the Board of Directors and management to some of the risks and concerns of retail on-line, personal computer banking (PC banking). Recently, the staff of the FFIEC agencies organized a symposium to hear industry experts offer their thoughts and observations on the development of retail on-line PC banking. Through this statement, the FFIEC agencies wish to impart many of the ideas discussed during the symposium to bankers and examiners.
II. EXECUTIVE SUMMARY
Financial institutions are beginning to utilize new technologies to offer innovative products and services to their customers. On-line PC banking exemplifies an emerging delivery channel for retail banking services made possible by technology. One of the reasons for the rapid evolution of PC banking involves the increased use of the Internet. Regulatory agencies recognize that PC banking offers opportunities for financial institutions to enhance customer relationships and improve competitive positions. Before implementing a PC banking program, management should exercise sufficient due diligence and develop comprehensive plans. Such due diligence would ordinarily include the following activities.
• Review the implications of PC banking on the institution's strategic plan;
WASHINGTON -- The Office of the Comptroller of the Currency (OCC) published on its website today its annual notice of fees that incorporates an amendment to the timing of payments of OCC assessments by national banks. The OCC, rather than each national bank, will calculate and draft the semiannual assessment from either the Federal Reserve account or Federal Home Loan Bank account based on the most recent call report. The fee will be due by March 31 and September 30, two months later than the current due date.
The FDIC has updated its Trust Examination Manual. It is now available on the FDIC’s Web site and may also be purchased in a CD-ROM format.
The FDIC has amended Part 363 of its regulations by raising the asset-size threshold from $500 million to $1 billion for internal control assessments by management and external auditors. For institutions between $500 million and $1 billion in assets, only a majority, rather than all, of the members of the audit committee, who must be outside directors, must be independent of management. The final rule is effective December 28, 2005.
TO: All Federally-Insured Credit Unions
The purpose of this letter is to inform you of revised technology-related guidance provided to examiners and the credit union industry. Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) released the Information Security Booklet – a first in a series of booklets to revise the existing 1996 FFIEC Information Systems Examination Handbook. The revised Information Technology (IT) Examination Handbook will be composed of several booklets to address significant changes in technology since 1996 and incorporates a risk-based examination approach to each booklet.
The FFIEC agencies plan to issue additional booklets covering such topics as business continuity planning, technology service providers, electronic banking, audit, payment systems, outsourcing, management, computer operations, and systems development and acquisition.
This policy issuance alerts all financial institutions to the importance of strategic information systems planning and its role in overall corporate management and planning. It identifies management's responsibilities in preparing strategic plans for their information systems requirements.
This interagency statement alerts financial institutions to potential risks in contracting for EDP services and/or failing to properly account for certain contract provisions.
POLICY STATEMENT FOR THE REVIEW OF INFORMATION SYSTEM VENDORS
Weblinking: Identifying Risks & Risk Management Techniques
ENCL: Weblinking Guidance
The purpose of this letter is to assist credit unions in identifying risks posed by the use of weblinks on their websites and suggest a variety of risk management techniques to mitigate these risks. A large number of credit unions maintain sites on the World Wide Web. Virtually every website contains weblinks. A weblink is a word, phrase, or image that contains coding that will transport the viewer to a different part of the website or a completely different website by clicking on it. While weblinks are a convenient and accepted tool in website design, their use can present certain risks. The primary risk posed by weblinking is viewer confusion about whose website they are viewing and who is responsible for information, products, and services available through that website. Credit unions using weblinks are encouraged to review the enclosed guidance that was developed jointly with other federal regulatory agencies. This guidance applies to credit unions that develop and maintain their own websites, as well as those using service providers for these functions. This letter supersedes NCUA Letter 02-FCU-04.
If you have any questions, please contact your NCUA Regional Office or State Supervisory Authority.
Chairman Bachus, and Members of the Subcommittee, I appreciate your invitation to present this testimony reviewing the National Credit Union Administration’s (NCUA’s) experiences with information systems and technology (IS&T) incidents and other security events resulting in the potential compromise of personal financial data. We also identify actions by NCUA to ensure credit unions safeguard member information and to mitigate potential losses to credit unions and members when breaches occur. We recommend that NCUA be granted examination authority over third party vendors, which would enable us to better monitor risk and protect credit union members’ personal financial data.
Examples of Data Security Breaches Involving Credit Union Members
Information is provided here on types of security breaches NCUA and credit unions have experienced. These security breaches include: fraudulent email or telephone scams, known as phishing; the unauthorized storing of customer information and the ensuing theft of this information; the theft of a credit union’s hard drive; and the theft of a vendor’s computer. We also provide information on how NCUA and credit unions have responded to these data security incidents.
The purpose of this letter is to provide important considerations for credit unions that are currently engaged in or may be considering the use of wireless technology. Wireless technology can potentially provide important benefits for credit unions and their members. For some, this may be a cost-effective alternative for a credit union seeking to expand its existing hard-wired computer network. Additionally, it may enable a credit union to provide members with increased accessibility to its Internet-based financial service offerings.
However, those credit unions that have made a decision to implement wireless technology should also be aware of the potential increase in the amount of risk exposure for the credit union. Credit unions may be able to mitigate the following risk areas with proper planning and controls.
GUIDELINES FOR ENSURING THE QUALITY OF DISSEMINATED INFORMATION
Policy
NCUA will undertake to ensure that the information it disseminates to the public is objective (accurate, clear, complete, and unbiased), useful and has integrity. Most information disseminated by NCUA is subject to the basic standard described in these guidelines. Additional levels of quality standards are adopted as appropriate for specific categories of disseminated information. The OMB guidelines require “influential scientific, financial or statistical information” to meet a higher standard of quality. OMB defines “influential” to mean, “the agency can reasonably determine that dissemination of the information will have or does have a clear and substantial impact on important public policies or important private sector decisions.” Id. at 8455. Influential information disseminated by NCUA is subject to a level higher than the basic standard. The NCUA’s Chief Information Officer (CIO) serves as the agency official charged with overseeing the agency’s compliance with OMB guidelines for the quality of information disseminated by NCUA.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2004 delineates those audits and investigations that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Inspector General Act, the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, the Federal Information Security Management Act (FISMA), and the Sarbanes-Oxley Act of 2002;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Audits and reviews of NCUA and the credit union industry planned and performed by the General Accounting Office (GAO);
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2005 delineates those audits that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act, and the Inspector General Act;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Audits planned and performed by the General Accounting Office (GAO);
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2003 delineates those audits and investigations that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, the Government Information Security Act (GISRA), and the Inspector General Act;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
How the Annual Plan was formulated
The NCUA OIG plans its work to identify and respond to issues that are of greatest importance to NCUA. For purposes of the Annual Plan, we have identified prospective audit and investigative work that is responsive to the agency’s strategic goals. The agency’s strategic goals are:
• Promote a system of financially healthy, well-managed federally insured credit unions able to withstand economic volatility.
• Facilitate credit unions’ ability to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.
• Create a regulatory environment that will facilitate credit union innovation to meet member financial service expectations.
• Enable credit unions to leverage their unique place in the American financial system to extend availability of service to all who seek such service, while encouraging and recognizing their historical emphasis on servicing those of modest means.
• Enhance NCUA’s organization to continue to work with the credit union community in creating an environment that enables credit unions to continue to flourish while addressing the challenges of the 21st century.
Rapidly evolving technologies continue to provide efficient, cost effective methods for providing fast delivery of a wide range of member services. Accompanying the opportunities to deliver cost effective services is growing exposure of technology resources to misuse and theft, which can result in loss of member confidence. Intrusion and abuse of technology is growing at an escalating rate. Intrusions, as noted in the chart below, reflect an increasing average rate of approximately 300 percent annually. The data was provided by Computer Emergency Response Team/Coordinating Committee (CERT/CC). The CERT/CC is a government sponsored organization operated by the Carnegie Mellon Software Engineering Institute. Part of its mission is to track vulnerabilities in computer systems and recommend methods to improve computer security. Incidents are voluntarily reported and include:
1. Attempts to gain unauthorized access to a system or its data;
The purpose of this Letter is to provide additional guidance for combating the email schemes discussed in the recently released Letter to Credit Unions #04-CU-05 Fraudulent E-Mail Schemes. In addition, this Letter is intended to raise awareness of the increasingly common Internet fraud called “phishing.” NCUA encourages credit unions to educate their members, strengthen monitoring systems, and enhance response programs to reduce the potential risk of Internet-related fraud schemes to their organization and members. Such schemes may negatively impact your credit union’s reputation, transaction, liquidity, and strategic risks.
This alert is intended to raise awareness of an Internet worm, BugBear.B, that recently surfaced as a potential threat specifically targeted to financial institutions and to prompt credit unions and credit union technology service providers to take immediate steps to mitigate the threat to their organizations and customers.
Information technology (IT) and security continue to evolve at a rapid pace. New risks and threats arise quickly to challenge emerging and established technologies. Yet the essential elements of strong controls and sound IT practices remain the same despite the environmental changes. As part of our review of IT in corporate credit unions, the Office of Corporate Credit Unions (OCCU) IT examiners have focused on ensuring the adequacy of basic control elements such as firewalls, intrusion detection, penetration tests, and sound network architectures. I am pleased to note that corporates have been diligent in this regard and that many sound control practices have been implemented. OCCU IT staff will continue to verify that basic IT security control elements remain strong. However, the ever changing dynamics of the corporate credit union IT risk profile require that we also focus attention on the following critical information security areas:
1. Information Security Risk Assessment;
2. Security Application Code Reviews;
3. Service Provider Oversight & Contracts;
4. Security Awareness of Employees;
5. Change Management for Applications & Infrastructure; and
6. Security for Remote Locations.
Each area is briefly discussed below.
The federal banking regulatory agencies today issued proposed rules to implement a special post-employment restriction on certain senior examiners employed by an agency or Federal Reserve Bank, as required by the Intelligence Reform and Terrorism Prevention Act of 2004. Under the proposal, if an examiner serves as the senior examiner for a depository institution or depository institution holding company for two or more months during the examiner's final twelve months of employment with an agency or Reserve Bank, the examiner may not knowingly accept compensation as an employee, officer, director, or consultant from that institution or holding company, or from certain related entities.
European Union Data Directive The 1995 European Union Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data became effective on October 25, 1998, and covers the processing of data within the EU and its transfer outside of the EU. The Directive requires EU member states to pass national privacy laws implementing the principles established in the Directive. While laws implementing the Directive vary somewhat from one member state to another, the general framework remains the same throughout the EU. Since the EU imposes sanctions on its members for not passing laws according to its Directive, 15 EU member states (except Ireland, Luxembourg and France) have implemented the Directive to date. Even the three exceptions have privacy legislation that requires compliance from companies doing business in these nations. The EU Directive applies to all processing of personal information by any person or organization within the EU, both private and public. The Directive applies to all citizens and resident employees. It also covers data processing and/or transfer by entities owned or affiliated with United States companies that process data within the EU. Data can only be processed if certain processing principles are utilized.
Guidance on Developing an Information System
Introduction
As financial institutions become increasingly dependent on commercial software to support critical business processes, they also increase their exposure to software vulnerabilities. Most financial institutions use multiple commercial software packages. Therefore, it can be challenging to identify, test, and install all of the applicable patches that are necessary to maintain each software package. A patch management program should be part of an institution's overall computer security program. Oversight and accountability should be assigned to an appropriate party; however, the patch management program should include management, information security, and systems operations personnel. Consumer privacy regulations require that periodic risk assessments be provided to the Board of Directors.
The banking agencies will implement the Central Data Repository (CDR) to process the Reports of Condition and Income (Call Reports) beginning with the third quarter 2005. This filing period begins September 30, 2005. Except for certain banks with foreign offices, data must be received by October 30, 2005. The agencies recognize that institutions whose operations have been significantly affected by Hurricane Katrina may experience difficulty or delay in filing their third quarter Call Report. Those institutions should contact their primary regulator or the CDR help desk at 1-888-CDR-3111 for special assistance in filing third quarter Call Report data. The CDR will require banks to validate their Call Report data before it will be accepted. To allow sufficient time to complete the new prevalidation process prior to the submission deadline, banks should start their Call Report preparation process earlier than in the past. The new prevalidation process will require banks to correct errors identified by the CDR and, where necessary, to prepare explanatory comments for data that fall outside specific parameters. These explanatory comments, which will be filed along with a bank's data, will be considered confidential.
WASHINGTON - Comptroller of the Currency John C. Dugan said today that the OCC is committed to a process of Bank Secrecy Act and Anti-Money Laundering (BSA/AML) supervision and enforcement that is not only effective, but also measured and fair. "The post-9/11 world is profoundly different in many ways from what it used to be, and that is certainly true in the BSA area," Comptroller Dugan said in a speech before a money laundering conference sponsored jointly by the American Bankers Association and the American Bar Association. "Whether we like it or not, the traditional concerns of BSA, that is, disrupting the money flow of the drug trade and other illicit activity, have been joined with concerns about combating the financing of terrorism," he said.
Donald E. Powell today announced that he will be leaving the agency to coordinate the Bush Administration's efforts to rebuild the Gulf Coast areas affected by the recent hurricanes. Mr. Powell became the 18th Chairman of the Federal Deposit Insurance Corporation (FDIC) on August 29, 2001. “I am honored that the President has chosen me for this important effort to help rebuild the Gulf region,” said Powell. “This new position allows me to continue to serve my country and help the many people who have had their lives turned completely upside down.” “In my role as FDIC chairman, I had the opportunity to tour the area and see firsthand what the communities in the Gulf region face. I look forward to this new challenge and appreciate the trust that the President has in me. Of course, I will always have fond memories of my time at the FDIC. I have been afforded the opportunity to work with many wonderful people inside and outside the agency, and I feel truly blessed,” Powell concluded.
Welcome to the fourth issue of The SAR Activity Review – By the Numbers, a compilation of statistical data gathered from Suspicious Activity Report forms submitted by depository institutions since April 1996, casinos and card clubs since August 1996, certain money services businesses since January 2002, and certain segments of the securities and futures industries since January 2003. By the Numbers serves as a companion piece to the publication of the Trends, Tips & Issues, which provides information about the preparation, use, and utility of Suspicious Activity Reports. By the Numbers is produced twice a year to cover two periods: January 1 A review of the statistical data generated for Issue 4 of By the Numbers reveals some interesting facts. As of December 31, 2004, over 2.1 million Suspicious Activity Report forms had been filed with FinCEN. Although the remainder of this publication provides detailed statistical data on those , some general observations are provided below for each type of form.
The SAR Activity Review - Trends, Tips & Issues
Today's announcement that 207,000 jobs were created in July is another significant indicator that America's economy is expanding. Now, nearly 4 million new jobs have been created since May 2003 and the unemployment rate remains at 5 percent. Combined with several recent reports indicating steady non-inflationary increases in economic activity, this shows that the fundamentals of our economy are strong and that we are continuing on a positive path of growth and prosperity.
The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance in three booklets on electronic banking (e-banking), information technology (IT) audit, and the FedLine electronic funds transfer application. These booklets are the most recent in a series that will completely update and replace the 1996 FFIEC Information Systems (IS) Examination Handbook. The work programs contained in the booklets represent expanded procedures that examiners can use if appropriate for the risk and complexity of the bank’s operations. The Audit Booklet rescinds chapter 8, and the FedLine Booklet rescinds chapter 19 of the 1996 FFIEC IS Examination Handbook. The E-Banking Booklet replaces the OCC Internet Banking Handbook and OCC Bulletin 98-38, “Technology Risk Management: PC Banking.” This booklet reflects the OCC’s views on the risks specific to e-banking and provides bankers and examiners with guidance on those risks and the risk management issues associated with the delivery of e-banking products and services. Banks face unique risks based on the choices they make when implementing and enhancing their e-banking services. Decisions on network Internet connectivity, outsourcing various system components, and the specific products and services affect the level of risk and the complexity of risk management. Senior management and boards of directors must understand these risks before investing in and expanding their e-banking activities. They need to integrate the e-banking-related controls into their existing strategic plan, information security program, vendor management process, and business continuity plans. Banks must have appropriate controls, testing, and expertise for all internally managed e-banking system components. In addition, banks with outsourced e-banking processes should carefully select and monitor service providers to ensure that appropriate controls exist. 
The bank can outsource the process or service, but remains responsible for the adequacy of the controls to ensure confidentiality, integrity, and availability.
This alert is intended to raise awareness of an Internet virus, Bugbear.B, that recently surfaced as a potentially serious threat to financial institutions and to prompt banks and bank technology service providers to take immediate steps to mitigate the threat to their organizations and customers. Background: Viruses are an increasing threat to Internet-connected systems. The Bugbear.B virus is the latest and most capable variant that threatens financial institutions. Institutions with the capability to access the Internet, including dial-up connections, may be vulnerable to the Bugbear.B virus and other viruses, and should institute appropriate measures to mitigate the risks posed to their servers, desktops, laptops, and other computing devices.
Encryption is used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. It can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols. Encryption is used both as a prevention and detection control. As a prevention control, encryption acts to protect data from disclosure to unauthorized parties. As a detective control, encryption is used to allow discovery of unauthorized changes to data and to assign responsibility for data among authorized parties. When prevention and detection are joined, encryption is a key control in ensuring confidentiality, data integrity, and accountability. Properly used, encryption can strengthen the security of an institution’s systems. Encryption also has the potential, however, to weaken other security aspects. For instance, encrypted data drastically lessens the effectiveness of any security mechanism that relies on inspections of the data, such as anti-virus scanning and intrusion detection systems. When encrypted communications are used, networks may have to be reconfigured to allow for adequate detection of malicious code and system intrusions.
Security personnel allow legitimate users to have system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include altering data; deleting production and backup data; crashing systems; destroying systems; misusing systems for personal gain or to damage the institution; holding data hostage; and stealing strategic or customer data for corporate espionage or fraud schemes.
The federal bank, thrift and credit union agencies today announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as “phishing.” The term is a play on the word “fishing,” and that’s exactly what Internet thieves are doing – fishing for confidential financial information, such as account numbers and passwords. With enough information, a con artist can run up bills on another person’s credit card or, in the worst case, even steal that person’s identity. In a common type of phishing scam, individuals receive e-mails that appear to come from their financial institution. The e-mail may look authentic, right down to the use of the institution’s logo and marketing slogans. The e-mails often describe a situation that requires immediate attention and then warn that the account will be terminated unless the e-mail recipients verify their account information immediately by clicking on a provided link.
The four federal banking agencies--the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision--today published an interagency advance notice of proposed rulemaking (ANPR) regarding potential revisions to the existing risk-based capital framework. These changes would apply to banks, bank holding companies, and savings associations.
The FDIC has created this webpage to inform and warn consumers about a type of fraud called “phishing.” The term “phishing” – as in fishing for confidential information – refers to a scam that encompasses fraudulently obtaining and using an individual's personal or financial information.
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The guidance interprets the agencies’ customer information security standards and states that financial institutions should implement a response program to address security breaches involving customer information. The response program should include procedures to notify customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer. The guidance provides that, "when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused."
"User names" and passwords should be supported in Internet banking transactions with new and better ways of identifying real customers from fraud artists trying to "hijack" bank accounts, according to an update on identity theft from the Federal Deposit Insurance Corporation (FDIC). "Identity theft, particularly account hijacking, continues to grow as a problem for the financial services industry and for consumers," said FDIC Chairman Don Powell. "Our review illustrates that ID theft is evolving in more complicated ways and that more can and should be done to make online banking more secure." The new findings are in a supplement to an FDIC study issued in December about ways to fight "phishing" scams, in which criminals send fraudulent e-mails to trick consumers into providing confidential financial information that can lead to illegal access to bank accounts. The supplement reviews and responds to public comments that the FDIC received about the original study, identifies the most recent trends in identity theft, and discusses a variety of new technologies that could be used to make Internet banking more secure. In the latest findings, the FDIC concluded that the risk assessment financial institutions are required to perform regarding information security also should address customer authentication. The supplement also said that if an institution offers Internet banking, it has an obligation to properly secure that delivery channel. This extra level of security for online accounts, often referred to as "multifactor authentication," would be used in addition to the traditional passwords. These new security features may include "tokens" issued to customers that generate new passwords every 60 seconds, software that can identify the computer that a customer uses to access online accounts, or contacting a customer by phone to make sure that he or she is the one attempting to access the account.
The federal bank and thrift regulatory agencies today issued final rules to implement a special post-employment restriction on certain senior examiners employed by an agency or Federal Reserve Bank, as required by the Intelligence Reform and Terrorism Prevention Act of 2004. Under the final rules, if an examiner serves as the senior examiner for a depository institution or depository institution holding company for two or more months during the examiner's final twel
Copyright © 2007 BankInfoSecurity.com