Comptroller of the Currency John C. Dugan recently established the Enterprise Governance unit to support the Office of the Comptroller of the Currency’s strategic planning, risk management, quality management, assurance testing, and business process improvement efforts.
On December 21, 2006, the Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) was revised. The revisions are the result of their continuing efforts to reduce paperwork and respondent burden. The form was revised and reformatted to standardize suspicious activity reports, enhance the clarity of instructions, allow for joint filing of Suspicious Activity Reports, and to improve the usefulness of the Suspicious Activity Report to law enforcement.
This bulletin is intended to provide guidance to national banks on a number of disclosure and marketing issues presented by gift cards, so that national banks that issue gift cards do so in a manner in which both purchasers and recipients of gift cards are fully informed of the terms and conditions of the product. A gift card is a type of prepaid or stored value card that is designed to be purchased by one consumer (purchaser) and presented as a gift to a second consumer (recipient). The terms and conditions of different gift card products can vary significantly, but gift cards are generally divided into two main categories: retail gift cards and bank-issued gift cards.
FINANCIAL MARKET PREPAREDNESS Significant Progress Has Been Made, but Pandemic Planning and Other Challenges Remain Highlights of GAO-07-399, a report to congressional requesters This is GAO’s third report since the September 11 terrorist attacks that assesses progress that market participants and regulators have made to ensure the security and resiliency of our securities markets. This report examined (1) actions taken to improve the markets’ capabilities to prevent and recover from attacks; (2) actions taken to improve disaster response and increase telecommunications resiliency; and (3) financial regulators’ efforts to ensure market resiliency. GAO inspected physical and electronic security measures and business continuity capabilities using regulatory, government, and industry-established criteria and discussed improvement efforts with broker dealers, banks, regulators, telecommunications carriers, and trade associations. What GAO Recommends To improve the readiness of the securities markets to withstand potential disease pandemics, securities and banking regulators should consider taking additional actions, including providing formal expectations that market participants’ plans address even severe pandemic outbreaks and setting a date by which such plans should be completed. Banking and securities regulators indicated they believe organizations are adequately addressing this risk, but will consider taking the recommended actions if progress lags. GAO believes that giving greater consideration now would better assure market readiness.
The Financial Crimes Enforcement Network (FinCEN) today filed a Federal Register notice announcing the delayed implementation of certain revised Suspicious Activity Report (SAR) forms that were scheduled to become effective on June 30, 2007. The agency is withdrawing this effective date for the revised SAR forms for depository institutions, casinos and card clubs, insurance companies, and the securities and futures industries. FinCEN will establish new effective and mandatory compliance dates for these revised forms in a future notice. The delay does not impact ongoing suspicious activity reporting, which will continue using the current forms.
In its decision today in the Watters vs. Wachovia Bank case, the Supreme Court held that federal preemption standards applicable to national banks extend to activities conducted through their operating subsidiaries. Specifically, the Court held that a national bank’s mortgage business, whether conducted by the bank itself or through the bank’s operating subsidiary, is subject to the OCC’s supervision and regulation, and not to state licensing, reporting, and visitorial regimes. We are pleased that the Court’s decision supports the ability of national banks to continue to conduct business activities in their operating subsidiaries as they are now doing.
The Office of the Comptroller of the Currency will host a compliance risk workshop for national community bank directors at the Omni Charlottesville Hotel, Charlottesville, Virginia, May 2. The workshop entitled, "Compliance Risk: What Directors Need to Know," provides practical information that expands bank directors' skills and understanding of issues facing their banks.
Because of the integration of voice and data in a single network, establishing a secure VOIP and data network is a complex process that requires greater effort than that required for data-only networks. In particular, start with these general guidelines, recognizing that practical considerations, such as cost or legal requirements, may require adjustments for the organization: 1. Develop appropriate network architecture. • Separate voice and data on logically different networks if feasible. Different subnets with separate RFC 1918 address blocks should be used for voice and data traffic, with separate DHCP servers for each, to ease the incorporation of intrusion detection and VOIP firewall protection
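The following is an added example, not part of the bulletin above, showing how the first guideline can be checked mechanically: an address plan is validated for two non-overlapping RFC 1918 subnets, and sample flows are classified the way a VoIP-aware firewall placed between the two segments would treat them. The subnets, port numbers and flows are hypothetical; the RTP port range is an assumption, since the text names no specific ports.

```python
# Added example (not from the bulletin above): check a voice/data address
# plan against the guideline (separate RFC 1918 subnets, no overlap) and
# classify sample flows the way a VoIP-aware firewall between the two
# segments would. Subnets, port numbers and flows are hypothetical.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical plan: one subnet per segment, each served by its own DHCP server.
VOICE_CIDR = "10.20.0.0/16"
DATA_CIDR = "10.10.0.0/16"
VOICE_NET = ipaddress.ip_network(VOICE_CIDR)
DATA_NET = ipaddress.ip_network(DATA_CIDR)

SIP_PORTS = {5060, 5061}            # signalling
RTP_PORTS = range(16384, 32768)     # assumed media port range


def plan_errors(voice_cidr, data_cidr):
    """Return a list of guideline violations for an address plan given as CIDRs."""
    voice_net = ipaddress.ip_network(voice_cidr)
    data_net = ipaddress.ip_network(data_cidr)
    errors = []
    for name, net in (("voice", voice_net), ("data", data_net)):
        if not any(net.subnet_of(block) for block in RFC1918):
            errors.append(f"{name} subnet {net} is not an RFC 1918 block")
    if voice_net.overlaps(data_net):
        errors.append(f"voice {voice_net} and data {data_net} overlap")
    return errors


def segment_of(ip):
    """Map an address to the segment it belongs to under the plan."""
    addr = ipaddress.ip_address(ip)
    if addr in VOICE_NET:
        return "voice"
    if addr in DATA_NET:
        return "data"
    return "other"


def flow_allowed(src, dst, dport):
    """Default-deny policy between the segments: voice hosts may talk VoIP
    protocols to voice hosts, data hosts may talk to data hosts, and
    nothing crosses from one segment into the other."""
    s, d = segment_of(src), segment_of(dst)
    if s == "voice" and d == "voice":
        return dport in SIP_PORTS or dport in RTP_PORTS
    if s == "data" and d == "data":
        return True
    return False


def audit(flows):
    """Return the (src, dst, dport) flows the policy would block."""
    return [f for f in flows if not flow_allowed(*f)]


# Constructed sample flows, as might be read from a NetFlow export.
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.1.9", 5060),    # phone to phone, SIP
    ("10.20.1.5", "10.20.1.9", 20000),   # phone to phone, RTP media
    ("10.10.4.2", "10.20.1.9", 5060),    # workstation probing a phone
    ("10.10.4.2", "10.10.0.10", 443),    # workstation to data server
    ("10.20.1.5", "10.10.0.10", 445),    # phone reaching into data network
]

if __name__ == "__main__":
    print("plan errors:", plan_errors(VOICE_CIDR, DATA_CIDR))
    for flow in audit(SAMPLE_FLOWS):
        print("BLOCK", flow)
```

Running the script reports no plan errors and blocks the two cross-segment flows; the point of separating the subnets is exactly that such a rule can be written and enforced at one choke point, with intrusion detection sensors watching the same boundary.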
The government’s interest in using technology to detect terrorism and other threats has led to increased use of data mining. A technique for extracting useful information from large volumes of data, data mining offers potential benefits but also raises privacy concerns when the data include personal information. GAO was asked to review the development by the Department of Homeland Security (DHS) of a data mining tool known as ADVISE (Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement). Specifically, GAO was asked to determine (1) the tool’s planned capabilities, uses, and associated benefits and (2) whether potential privacy issues could arise from using it to process personal information and how DHS has addressed any such issues. GAO reviewed program documentation and discussed these issues with DHS officials.
The Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced Thursday that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) has been revised to support a new joint filing initiative, which will reduce the number of duplicate SARs filed for a single suspicious transaction. The revisions are the result of a joint effort by FinCEN and the federal banking agencies.
Kmart Corporation has agreed to settle Federal Trade Commission charges that it engaged in deceptive practices in advertising and selling its Kmart gift card. As part of the settlement, Kmart will implement a refund program and publicize it on its Web site. This is the agency’s first law enforcement action involving gift cards. “Consumers have a right to know when gift cards come with strings attached,” FTC Chairman Deborah Platt Majoras said. “If fees or restrictions apply, gift card issuers must fully and clearly disclose them.”
In the first 10 months of 2006, over half of the 213 information security breaches reported by financial institutions to the FDIC involved technology service providers (TSP). In accordance with federal laws and regulations, financial institutions must safeguard sensitive customer information against unauthorized disclosure when outsourcing various information technology (IT) operations to TSPs. Interagency guidelines contained in Part 364 of the FDIC Rules and Regulations establish key controls over TSPs, noting that each bank shall (1) exercise due diligence in selecting TSPs, (2) have contractual arrangements with their TSPs that require appropriate measures to safeguard customer information, and (3) provide ongoing monitoring of TSPs to ensure they have satisfied their contractual obligations.
The Office of the Comptroller of the Currency today announced its schedule of workshops for national community bank directors. This year the OCC has added a workshop for community bank directors entitled "A New Director’s Challenge: Mastering the Basics." This two-day program, scheduled in Washington D.C., April 16-18, is geared primarily to directors with less than three years of experience. The workshop should be particularly valuable to directors of new national banks, many of whom are also new to the industry.
Purpose and Scope This document outlines the Office of Thrift Supervision’s (OTS’s) supervisory expectations for savings associations’ gift card programs. The purpose of this guidance is to ensure adequate account administration, marketing, and consumer disclosure practices for gift card programs; to encourage more uniform practices among the thrift institutions that offer gift card programs; and to promote consumer protection while continuing to encourage product innovation. Background A gift card is a payment card with a preloaded value that one consumer typically gives to another as a gift. Like a gift certificate, a consumer may use a gift card to purchase goods or services from one or more merchants.
Summary: The federal bank and thrift regulatory agencies are seeking comment on the attached proposed guidance describing current agency expectations for banking organizations that would adopt the Advanced Internal Ratings-Based Approach (IRB) for credit risk and the Advanced Measurement Approaches (AMA) for operational risk under the proposed new Basel II capital framework. The proposed guidance also establishes the process for supervisory review and the implementation of the capital adequacy assessment process under Pillar 2 of the Basel II framework. The FDIC will accept comments on the proposed guidance through May 29, 2007.
Comptroller of the Currency John C. Dugan told an audience of bank risk managers today that, because their goals are so closely aligned to those of the regulators, the regulations and guidance issued by the agencies can support them in meeting their firms’ objectives. For example, he said, regulators can highlight concerns that are important to risk managers, but which others in the bank might prefer to ignore for competitive reasons. An example is the interagency guidance on non-traditional mortgages, which establishes expectations for prudent underwriting, taking into account some of the unique features and risks these products present.
The Federal Deposit Insurance Corporation (FDIC) recognizes the serious impact of the recent severe storms and tornadoes in central Florida on the operations of financial institutions and will provide regulatory assistance to institutions subject to its supervision. These initiatives are being taken to provide regulatory relief and facilitate recovery. The FDIC encourages depository institutions in the affected disaster areas to meet the financial service needs of their communities.
E-mails fraudulently claiming to be from the FDIC or VeriSign, Inc. are attempting to deceive financial institutions into installing unknown software on their computer networks. The Federal Deposit Insurance Corporation (FDIC) has become aware of e-mails that appear to be sent from the FDIC or VeriSign, Inc. and ask recipients to run a "security guard script" to secure Web sites. Currently, the e-mails are purportedly from "FDIC Legal Information Technology," "FDIC Information Security," or "Verisign Inc." and the subject lines include the phrase "Regular Security Maintenance" or "Regular Hosting Security Maintenance." The e-mails are fraudulent and were not sent by the FDIC or VeriSign, Inc.
PURPOSE This bulletin reminds national banks and their technology service providers of the upcoming change in the schedule for Daylight Savings Time. National banks may be exposed to a variety of risks if they do not prepare their systems to reflect this change. BACKGROUND Daylight Savings Time (DST) in the United States will begin earlier and end later in 2007 than in years past. The Energy Policy Act of 2005, signed into law August 2005, moves the beginning of DST from the first Sunday in April to the second Sunday in March. DST will now end the first Sunday in November instead of the last Sunday in October.
Why GAO Did This Study The Federal Deposit Insurance Reform Conforming Amendments Act of 2005 requires GAO to report on the effectiveness of Federal Deposit Insurance Corporation’s (FDIC) organizational structure and internal controls. GAO reviewed (1) mechanisms the board of directors uses to oversee the agency, (2) FDIC’s human capital strategies and how its training initiatives are evaluated, and (3) FDIC’s process for monitoring and assessing risks to the banking industry and the deposit insurance fund, including its oversight and evaluation. To answer these objectives, GAO analyzed FDIC documents, reviewed recommended practices and GAO guidance, conducted interviews with FDIC officials and board members, and conducted site visits to FDIC regional and field offices in three states. What GAO Recommends GAO recommends that FDIC (1) develop outcome-based performance measures for key human capital initiatives and make available such performance results to all employees and (2) develop policies and procedures that define how it will systematically and comprehensively evaluate its risk assessment activities.
What GAO Recommends With safeguards, it is appropriate for U.S. banking regulators to proceed with finalizing Basel II and begin the transition period. GAO recommends that they (1) clarify some aspects of the Notice of Proposed Rulemaking (NPR); (2) issue a new NPR if material differences from the current NPR, or a U.S. standardized approach option, are planned for the final rule; (3) issue periodic public reports on progress, results, and any needed adjustments; and (4) at the end of the transition period, reevaluate the appropriateness of Basel II as a long-term framework for setting regulatory capital. The Federal Reserve said it agreed with our recommendations and the other banking agencies said they will consider them as part of the rule-making process.
The federal bank and thrift regulatory agencies on Thursday announced that they will seek public comment on three proposed supervisory guidance documents related to the September 2006 notice of proposed rulemaking (NPR) on new risk-based capital requirements in the United States for large, internationally active banking organizations. The September 2006 NPR detailed the agencies' proposal for implementing the new capital framework issued by the Basel Committee on Banking Supervision in 2004 (Basel II). The proposed U.S. Basel II capital framework would be mandatory for large, internationally active U.S. banking organizations and optional for other institutions. The Basel II NPR includes requirements that banking organizations would need to satisfy to calculate their risk-based capital under the proposed new capital framework. The proposed supervisory guidance provides information to assist bankers, as well as supervisors, in addressing the Basel II qualification requirements.
Summary: The FDIC has revised its Compliance Examination Handbook. The new handbook contains the FDIC's compliance examination policies and procedures in effect as of June 2006. It also includes revised Community Reinvestment Act (CRA) examination procedures and performance evaluations. The handbook will be available in electronic format only and can be accessed on the FDIC's Web site at http://www.fdic.gov/regulations/compliance/handbook/index.html.
Hurricanes Katrina and Rita destroyed homes and displaced millions of individuals. While federal and state governments continue to respond to this disaster, GAO has identified significant control weaknesses, specifically in the Federal Emergency Management Agency's (FEMA) Individuals and Households Program (IHP) and in the Department of Homeland Security's (DHS) purchase card program, that resulted in significant fraud, waste, and abuse. In response to the numerous recommendations GAO made, DHS and FEMA have reported actions taken to address them. Lessons learned from GAO's prior work can serve as a framework for an effective fraud prevention system for federal and state governments as they consider spending billions more on disaster recovery. These lessons are particularly important because funding that is lost to fraud, waste, and abuse reduces the amount of money that could be delivered to victims in need.
The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has prepared an assessment of mortgage loan fraud, which it based on its analysis of Suspicious Activity Reports (SARs). Financial institutions offering mortgage loan products may find the assessment useful. The assessment, entitled "Mortgage Loan Fraud," is available on FinCEN's Web site at http://www.fincen.gov/mortage_fraud.html.
The Federal Reserve Board on Friday approved changes to its Policy on Payments System Risk that revise the Board's expectations for systemically important payments and settlement systems subject to its authority and update and clarify the policy with regard to central counterparties. Under the revised policy, systemically important payments and settlement systems subject to the Board's authority are expected to complete and disclose publicly self-assessments against the principles and minimum standards in the policy. The self-assessment should be reviewed and approved by the system's senior management and board of directors upon completion and made readily available to the public. In addition, a self-assessment should be updated following material changes to the system or its environment and, at a minimum, reviewed by the system every two years.
Summary: The FDIC, along with the other federal banking agencies and the Securities and Exchange Commission, is issuing the attached final Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities (Final Statement). The Final Statement describes the types of internal controls and risk-management policies and procedures that the agencies have found to be useful in identifying, managing and addressing the potentially heightened legal or reputational risks that may arise from certain complex structured finance transactions.
As use of the Internet continues to expand, more credit unions are using it to offer products and services or otherwise enhance communications with members. The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct credit union business, any day, any time. However, members need to make good on-line choices—decisions that may help avoid costly surprises or scams.
The Office of the Comptroller of the Currency issued guidance today warning of the risks posed by scams involving fraudulent bank cashier's checks and describing steps national banks should take to protect themselves and their customers. A cashier's check, which is issued by a bank and sold to a consumer or other purchaser, represents a direct obligation of the bank. The guidance was issued in response to a growing incidence of scams involving cashier's checks. In most of these cases, individuals receive a cashier's check and are asked to deposit the check into their account, wait until funds become available and then wire some part of the funds from their account to a third party, often in a foreign country.
The Agencies are adopting an Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities ("Final Statement"). The Final Statement pertains to national banks, state banks, bank holding companies (other than foreign banks), federal and state savings associations, savings and loan holding companies, U.S. branches and agencies of foreign banks, and SEC-registered broker-dealers and investment advisers (collectively, "financial institutions" or "institutions") engaged in complex structured finance transactions ("CSFTs"). In May 2004, the Agencies issued and requested comment on a proposed interagency statement ("Initial Proposed Statement"). After reviewing the comments received on the Initial Proposed Statement, the Agencies in May 2006 issued and requested comment on a revised proposed interagency statement ("Revised Proposed Statement").
How a financial institution can create an effective incident response program to mitigate a data security breach is reported in the FDIC's winter 2006 edition of Supervisory Insights, released today. Other topics covered in today's edition are: an update on CRE lending nationwide, with a look at best practices in CRE concentrations, particularly for identifying, monitoring and controlling risk in this lending area; the increasing number of unfair or deceptive acts or practices, and how examiners identify and address those violations; and highlights of recent USA PATRIOT Act changes and the types of Bank Secrecy Act (BSA)-related violations that examiners are citing.
Unauthorized access to sensitive customer information threatens to undermine customer confidence and the reputations of both individual financial institutions and the financial services industry. This threat is aggravated by the patchwork of state laws and federal regulations that govern unauthorized access or breach response incidents. Despite these challenges, financial institutions are strengthening data security programs and developing or improving customer notification programs. The “BITS/ABA Key Considerations for Responding to Unauthorized Access to Sensitive Customer Information” is a tool that may assist some financial institutions in developing and executing response programs when sensitive information is accessed and misused by unauthorized individuals.
This BITS Consumer Confidence Toolkit provides information to support consumer confidence in the safety, soundness and security of financial services. Originally published in September 2005, this is a revised and updated edition. This is intended to be an educational resource—whether for use by consumers, policy makers, financial institutions or others with interest in the subject matter. Special attention is placed on information security as well as online financial services transacted through the Internet. Data in support of the safety of online financial transactions is provided. Information about the proactive leadership of the financial services industry is included, as well as a description of the current environment and tips for consumers to help protect their financial security, including in the online environment. Recommendations for government agencies are also provided.
This Regulatory Alert is to inform you about revisions to Part 748 of the NCUA Rules and Regulations. The revised rule describes in greater detail Suspicious Activity Report (SAR) reporting and filing requirements. The rule became effective November 27, 2006. There are six changes to Part 748 which are summarized below. 1. Notification to board of directors
Computer security incident response has become an important component of information technology (IT) programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
Why GAO Did This Study
Today's testimony will address whether FEMA provided improper and potentially fraudulent (1) rental assistance payments to registrants at the same time it was providing free housing via trailers and apartments; (2) duplicate assistance payments to individuals who claimed damages to the same property for both hurricanes Katrina and Rita; and (3) IHP payments to non-U.S. residents who did not qualify for IHP. This testimony will also discuss (1) the importance of fraud identification and prevention, and (2) the results of our investigation into property FEMA bought using DHS purchase cards.
The Federal Reserve Board on Tuesday released a draft interagency notice of proposed rulemaking that would revise the existing risk-based capital framework by giving the vast majority of banks, bank holding companies, and savings associations the option of either continuing to use the existing Basel I-based capital rule or adopting a more risk sensitive rule, known as Basel IA. However, as proposed, Basel IA would not be available to large, complex international banking organizations subject to the proposed Basel II advanced capital framework. "Basel IA is intended as an option for the wide range of institutions that will not be adopting the advanced approaches of Basel II," said Governor Susan S. Bies. "The goal is to improve the Basel I standards by making them somewhat more risk sensitive while at the same time retaining a relatively simple and straightforward approach suitable for all but the largest and most complex institutions."
The FDIC Board of Directors has approved the attached final rule to amend Part 327 of the FDIC Rules and Regulations. The amendments are being made simultaneously with amendments implementing the Federal Deposit Insurance Reform Act of 2005, and are intended to make the deposit insurance assessment system react more quickly and more accurately to changes in institutions' risk profiles and to ameliorate several causes for complaint by insured depository institutions. The final rule takes effect on January 1, 2007.
The Federal Deposit Insurance Corporation (FDIC) today adopted final regulations that implement the Federal Deposit Insurance Reform Act of 2005 passed by Congress earlier this year to create a stronger and more stable insurance system. Among the final regulations is a new rule on the risk-based assessment system that will enable the FDIC to more closely tie each bank's premiums to the risk it poses to the deposit insurance fund. In addition, the FDIC has new flexibility to manage the deposit insurance fund's reserve ratio within a range, which in turn will help prevent sharp swings in assessment rates that were possible under the design of the former system. "Throughout the FDIC's push for deposit insurance reform, our goals have been to provide for long-term stability and less procyclicality in the deposit insurance system," said FDIC Chairman Sheila C. Bair. "This new system will enable the FDIC to achieve our goals, and also will add incentives for good risk management at insured institutions."
The Office of Thrift Supervision (OTS) is issuing updated versions of the Directors' Responsibility Guide and the Directors' Guide to Management Reports to highlight our supervisory expectation for a strong, consistent approach towards sound corporate governance practices, as well as the importance of strong, independent boards of directors.
The updated Directors' Responsibility Guide adds a new section on statutory and regulatory responsibility and clarifies the issue of blurred lines of responsibility between the board and management. We have also added a chart on the applicability of selected Sarbanes-Oxley requirements. The streamlined, restructured Guide to Management Reports consolidates some existing reports and adds red flags for monitoring internal controls and financial performance.
Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk. An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
NCUA is issuing a final rule to describe in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and to address prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also is changing the heading for this part so it more accurately describes its scope. NCUA seeks to enhance credit union compliance with SAR reporting requirements by providing greater detail in its rule on the thresholds and procedures for filing a SAR. DATES: This rule is effective [insert date 30 days after published in the FEDERAL REGISTER]. FOR FURTHER INFORMATION CONTACT: Linda K. Dent, Staff Attorney, Office of General Counsel, at (703) 518-6540.
Organizations have information technology (IT) plans in place, such as contingency and computer security incident response plans, so that they can respond to and manage adverse situations involving IT. These plans should be maintained in a state of readiness, which should include having personnel trained to fulfill their roles and responsibilities within a plan, having plans exercised to validate their content, and having systems and system components tested to ensure their operability in an operational environment specified in a plan. These three types of events can be carried out efficiently and effectively through the development and implementation of a test, training, and exercise (TT&E) program. Organizations should consider having such a program in place because tests, training, and exercises are so closely related. For example, exercises and tests offer different ways of identifying deficiencies in IT plans, procedures, and training. This document provides guidance on designing, developing, conducting, and evaluating TT&E events so that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse events that may affect their missions. The scope of this document is limited to TT&E events for single organizations, as opposed to large-scale events involving multiple organizations, involving internal IT operational procedures for emergencies.
A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Many logs within an organization contain records related to computer security. These computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems.
Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the clearance level of the user accessing those documents. This publication explains some of the commonly used access control services available in information technology systems.
Why GAO Did This Study In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government's response to those events. On July 19, 2006, GAO testified on the results of its purchase card work. This report summarizes the testimony and provides recommendations. Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane relief operations. GAO analyzed transactions between June and November of 2005 to determine if (1) DHS's control environment and management of purchase card usage were effective; (2) DHS's key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive purchase card activity existed at DHS.
Why GAO Did This Study In 2005, Hurricanes Katrina and Rita caused unprecedented damage. FEMA’s Individuals and Households Program (IHP) provides direct assistance (temporary housing units) and financial assistance (grant funding for temporary housing and other disaster-related needs) to eligible individuals affected by disasters. Our objectives were to (1) compare the types and amounts of IHP assistance provided to Hurricanes Katrina and Rita victims to other recent hurricanes, (2) describe the challenges FEMA faced because of the magnitude of the requests for assistance following Hurricanes Katrina and Rita, and (3) determine the vulnerability of the IHP program to fraud and abuse. GAO determined the extent to which the program was vulnerable to fraud and abuse by conducting statistical sampling, data mining, and undercover operations.
Comptroller of the Currency John C. Dugan told a Senate committee today that the inadequacies of the current Basel I capital regime for the largest internationally active banks are a matter of great concern to the OCC because the agency supervises the five largest banks in the United States, some of which hold more than $1 trillion in assets, have complex balance sheets, take complex risks, and have complex risk management needs that are fundamentally different from those faced by community and mid-size banks. "The new regime is intended not only to align capital requirements more closely to the complex risks inherent in these largest institutions, but just as important—and this is a total departure from the existing capital framework—it would also require them to substantially improve their risk management systems and controls," Mr. Dugan said in testimony before the Senate Committee on Banking, Housing and Urban Affairs.
Summary: The federal bank and thrift regulatory agencies have jointly issued the attached notice of proposed rulemaking (NPR) on possible modifications to the risk-based capital standards for market risk. The proposed rule would incorporate improvements to the current trading book regime as proposed by the Basel Committee on Bank Supervision and the International Organization of Securities Commissions in the joint document The Application of Basel II to Trading Activities and the Treatment of Double Default Effects, published in July 2005. The proposed rule would also apply to certain savings associations, which currently are not covered under the rule. The FDIC will accept comments on the NPR through January 23, 2007. Highlights:
- Applies to banks with aggregate trading assets and liabilities equal to 10 percent or more of quarter-end total assets as reported on the most recent quarterly Call Report or Thrift Financial Report, or equal to $1 billion or more.
Summary: The federal bank and thrift regulatory agencies have jointly issued and are seeking comment on the attached notice of proposed rulemaking (NPR) concerning the domestic application of selected elements of the Basel II capital framework. The proposed rule would require some core banks, and permit other banks, to use an internal ratings-based approach to calculate regulatory credit risk capital requirements and an advanced measurement approach to calculate regulatory operational risk capital requirements. The FDIC will accept comments on the proposal through January 23, 2007. Highlights: In the attached NPR, the agencies:
- Propose to apply the rule to banking organizations that (i) have consolidated assets equal to $250 billion or more; (ii) have consolidated total on-balance sheet foreign exposures of $10 billion or more; (iii) elect to use the proposed rule; or (iv) are subsidiaries of a bank or bank holding company that uses the proposed rule.
In October 2005, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Internet Banking Environment (guidance) . The guidance focuses on the risks of fraud and identity theft associated with Internet banking activities. The guidance states that financial institutions should perform a risk assessment, identify and strengthen control weaknesses, measure and evaluate customer awareness efforts, and implement any necessary corrective actions. National banks are expected to have achieved conformance with the guidance by year-end 2006. It is anticipated that there will be increased activity by fraudsters to send false communications with the intent of obtaining customer information for the purposes of fraud and identity theft. These communications may attempt to exploit the December 31, 2006, conformance date. For example, communications purporting to be from a national bank could inform customers that, due to the FFIEC guidance, the bank is required to change its security procedures and, as a result, request customers to re-register or provide personal information that would enable the bank to comply with the regulatory requirement.
This bulletin provides guidance for national banks and examiners on managing the risks of automated clearing house (ACH) activity. National banks may be exposed to a variety of risks when originating, receiving, or processing ACH transactions, or outsourcing these activities to a third party. This bulletin outlines the key components of an effective ACH risk management program. Each bank should use this guidance to develop an ACH risk management program that reflects the nature and complexity of the bank's activities. This bulletin supplements guidance on ACH activities contained in the FFIEC IT Examination Handbook on Retail Payment Systems,[1] dated March 2004, and National Automated Clearinghouse Operating Rules[2] and replaces OCC Bulletin 2002-2 (ACH Transactions Involving the Internet).
1.1 Background Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. The human factor is so critical to success that the Computer Security Act of 1987 (Public Law [P.L.] 100-235) required that, "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency." In accordance with P.L. 100-235, the National Institute of Standards and Technology (NIST), working with the U.S. Office of Personnel Management (OPM), was charged with developing and issuing guidelines for Federal computer security training. This requirement was satisfied by NIST's issuance of "Computer Security Training Guidelines" (Special Publication [SP] 500-172) in November 1989. In January 1992, OPM issued a revision to the Federal personnel regulations which made these voluntary guidelines mandatory. This regulation, 5 CFR Part 930, is entitled "Employees Responsible for the Management or Use of Federal Computer Systems" and requires Federal agencies to provide training as set forth in NIST guidelines.
The mandatory dissemination of certain information by financial institutions is a key aspect of consumer protection law. It offers two significant advantages for consumer protection in the financial area over the alternative of direct government intervention into product pricing and content. First, information disclosure is compatible with competition, a significant market force already at work to protect consumers by keeping price rises in check. Because of competition, institutions already have incentives to make their products known, to reveal favorable pricing and product features, and to treat consumers fairly by keeping them generally informed about what they want and need to know. When a financial institution employs these strategies, it generates a good business reputation that will produce referrals and repeat customers. Actions that firms use to accomplish these goals include advertising their prices and supplying clients and potential customers with useful information about product prices and features. The requirements for disclosures assist in the dissemination of financial information by standardizing concepts and terminology, such as the finance charge and annual percentage rate under the Truth in Lending Act and the annual percentage yield under the Truth in Savings Act. Such standardization advances consumers' knowledge about pricing and features of the financial products and institutions and lowers consumers' transaction costs by making shopping easier. The standard format of required disclosures helps highlight the performance of the best institutions and exposes the inadequacies of the poorer ones. Well-informed shoppers help keep markets competitive, which benefits buyers of products and services by minimizing the spread between producers’ production costs and market price.
NIST is pleased to announce the release of draft Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist. SP 800-69 provides guidance to home users, such as telecommuting Federal employees, on improving the security of their home computers that run Windows XP Home Edition. Home computers face many threats from people wanting to cause mischief and disruption, commit fraud, and perform identity theft. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. It also emphasizes the importance of performing regular backups to ensure that user data is available after an adverse event such as an attack against the computer, a hardware failure, or human error. The publication contains detailed step-by-step directions for securing Windows XP Home Edition computers that can be performed by experienced Windows XP Home Edition users. NIST requests comments on NIST SP 800-69 by August 31, 2006. Please submit comments to itsec@nist.gov with "Comments SP800-69/XPHome" in the subject line.
THE NEED FOR SECURITY CONTROLS TO PROTECT INFORMATION SYSTEMS The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an IT organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:
- What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual's 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.
The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes. The security of financial institutions' systems and information is essential to maintaining the privacy of customer information and safe and sound operations. The Information Security Booklet describes how an institution should protect and secure the systems and facilities that process and maintain information. The booklet calls for financial institutions and technology service providers (TSPs) to maintain effective security programs tailored to the complexity of their operations.
The Office of Thrift Supervision (OTS), along with the other federal banking agencies, has released the revised Information Security Booklet and an Executive Summary of the Federal Financial Institutions Examination Council's (FFIEC) Information Technology Examination Handbook. The revised Information Security Booklet, which replaces the 2003 version of the booklet, provides updated guidance for examiners, savings associations, and technology service providers to use in identifying information security risks and evaluating the adequacy of controls and risk management practices. The revised guidance addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance.
The FDIC Board of Directors is seeking comment on the three attached proposed rules. The first proposed rule would create a new system for risk-based assessments. The second proposed rule would set the designated reserve ratio (DRR) at 1.25 percent. The third proposed rule would govern the penalties for failure to pay assessments. The Federal Deposit Insurance Reform Act of 2005 requires the FDIC to prescribe final regulations by November 5, 2006. Comments on the first two proposed rules are due by September 22, 2006; comments on the third rule are due by September 18, 2006. Assessments Risk Categories: The FDIC proposes to consolidate the existing nine assessment rate categories into four. Small well-capitalized, well-managed institutions: The FDIC proposes to combine CAMELS component ratings with current financial ratios to determine assessment rates applicable to a small well-capitalized, well-managed institution.
Why GAO Did This Study Federal regulation is one of the basic tools of government used to implement public policy. In 1980, the Regulatory Flexibility Act (RFA) was enacted in response to concerns about the effect that regulations can have on small entities, including small businesses, small governmental jurisdictions, and certain small not-for-profit organizations. Congress amended RFA in 1996, and the President issued Executive Order 13272 in 2002, to strengthen requirements for agencies to consider the impact of their proposed rules on small entities. However, concerns about the regulatory burden on small entities persist, prompting legislative proposals such as H.R. 682, the Regulatory Flexibility Improvements Act, which would amend RFA. At the request of Congress, GAO has prepared many reports and testimonies reviewing the implementation of RFA and related policies. On the basis of that body of work, this testimony (1) provides an overview of the basic purpose and requirements of RFA, (2) highlights the main impediments to the Act’s implementation that GAO's reports identified, and (3) suggests elements of RFA that Congress might consider amending to improve the effectiveness of the Act. GAO's prior reports and testimonies contain recommendations to improve the implementation of RFA and related regulatory process requirements.
FinCEN's primary function is to support and strengthen domestic and international anti-money laundering efforts through coordination and partnerships. Since its creation in 1990, FinCEN has been responsible for overseeing the management, processing, storage and dissemination of Bank Secrecy Act (BSA) data. In 2004, FinCEN embarked on a major initiative intended to improve the sharing of information reported under the Bank Secrecy Act. BSA Direct is an umbrella project intended to provide secure, user-friendly, web-based tools for accessing, analyzing, and filing BSA data. It is part of a broad effort to reengineer data management responsibilities and transition them from the IRS. During the early spring of 2006, it became clear to FinCEN that the Retrieval and Sharing component of the BSA Direct project (BSA Direct R&S) was not going to meet the critical implementation deadline of June 30, 2006. Objectives Because FinCEN has experienced problems with development and implementation of the BSA Direct R&S, you asked us about the project's current status and to provide observations on FinCEN's IT investment management practices. Our objectives were to (1) describe BSA Direct R&S and the project's current status; (2) examine FinCEN's application of information technology (IT) investment management processes to the BSA Direct R&S project; and (3) describe, at a high level, the range of options FinCEN may consider as it reexamines the BSA Direct R&S project.
"Operational risk management" increasingly viewed as distinct discipline due to growing complexity of the industry, recent large operational losses The increasing importance of banks' "operational risk management" (ORM) processes and how ORM is evolving as a distinct discipline are highlighted in the FDIC's summer 2006 issue of Supervisory Insights released today. Other topics covered include disaster planning for banks, with a look back at some of the challenges banks faced during the hurricane seasons of 2004 and 2005, and enforcement actions taken against individuals in 2005, with a particular focus on bank losses resulting from insider misconduct or fraud.
Before the U.S. House of Representatives Committee on Financial Services Subcommittee on Oversight and Investigations Thank you Chairwoman Kelly, Ranking Member Gutierrez, and Members of the Subcommittee. I appreciate the opportunity to speak to you about the Treasury Department's contribution to pandemic planning within the financial services sector. Though the Treasury's efforts are just a small part of the enormous Federal effort, we have been very active. President Bush stated, "Together we will confront this emerging threat and together, as Americans, we will be prepared to protect our families, our communities, this great Nation, and our world." I would like to begin my remarks by telling you about the sector's general state of preparedness and then tell you about the Treasury's leadership on pandemic planning within the financial services sector.
Please note that the following rule is the version that was approved by the NCUA Board. The official version is published in the Federal Register approximately one week after Board approval. There may be some minor numbering or format differences between the two versions. The proposed rule describes in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and addresses prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also proposes to change the heading for this part so it more accurately describes its scope. While retaining cross-references in the rule to the SAR form and instructions, these changes will enhance credit union compliance by providing greater detail in the rule on the thresholds and procedures for filing a SAR.
Financial institutions have traditionally used domestic third-party service providers to handle their technology, data processing and other needs, such as call center services. However, with increasing frequency, institutions have been presented with opportunities to enter into contractual arrangements with foreign-based third-party service providers (FBTSPs) to fulfill those needs. Moreover, U.S.-based third-party service providers are subcontracting substantial portions of their operations to entities located outside of the United States. In its 2004 study of offshore outsourcing of data services to identify both consumer and safety and soundness risks associated with offshore data processing,[1] the FDIC learned that financial institutions may be unaware of such subcontracting arrangements or, if they are aware, are not adequately monitoring the relationship. The increased use of FBTSPs by U.S. financial institutions and U.S. third-party service providers is due, in large part, to the potential cost savings that are achievable as low-wage, yet highly qualified, labor pools are tapped in foreign countries. However, as with any sound business decision, financial institutions cannot accept the benefits while ignoring the potential risks.
The Federal Emergency Management Agency (FEMA) has issued the attached revised Standard Flood Hazard Determination Form, which includes a new Office of Management and Budget (OMB) control number and a revised expiration date of October 31, 2008. The form's format and content have not changed. The updated form must be used beginning July 1, 2006. Highlights:
- FDIC-supervised banks must use FEMA's Standard Flood Hazard Determination Form when determining whether a building or mobile home offered as security for a loan will be located in a Special Flood Hazard Area. This requirement is pursuant to the National Flood Insurance Reform Act of 1994 and FDIC regulations (12 CFR 339.6).
The Treasury Department, in cooperation with the FloridaFIRST regional financial coalition, will sponsor the first U.S. pandemic flu response exercise focused on the financial sector on Thursday, June 22 in Miami, Fl. Treasury Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy Scott Parsons will join 70 participants from Florida financial services firms and health, police and fire officials from local, state and federal agencies to test the local industry's preparedness for such a crisis.
Submission for OMB review; joint comment request In accordance with the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. chapter 35), FinCEN, OCC, OTS, FDIC, and NCUA (collectively, the "agencies") hereby give notice that they have submitted to the Office of Management and Budget (OMB) requests for review of the information collections described below.
OCC, OTS, FDIC, NCUA, and FinCEN are submitting the Suspicious Activity Report (SAR) information collection to OMB for extension with revision. The Board of Governors of the Federal Reserve System (the Board) also participated in this review. However, the Board, under its Paperwork Reduction Act (PRA) delegated authority, will publish a separate final notice and submit its SAR information collection to OMB.
Preparing Your Institution for a Catastrophic Event The member agencies of the Federal Financial Institutions Examination Council (FFIEC) and the Conference of State Bank Supervisors today announced the release of LESSONS LEARNED FROM HURRICANE KATRINA: Preparing Your Institution for a Catastrophic Event. The booklet relays financial institutions' experiences and lessons learned in the aftermath of Hurricane Katrina that other institutions may find helpful in considering their readiness for a catastrophic event.
In a speech today before the Conference of State Bank Supervisors in Norfolk, Virginia, Federal Deposit Insurance Corporation Acting Chairman Martin Gruenberg outlined overall capital objectives contained in the proposed rule for proceeding with Basel II in the U.S. Basel II is a new, international standard for the way the largest banks calculate their capital levels. "Basel II was intended to bring about technical improvements in the risk-sensitivity of bank capital in the United States while broadly maintaining the overall level of risk-based capital requirements," Acting Chairman Gruenberg told the group. "I think those are both worthy goals, and the achievement of both goals is essential for the safety and soundness of the U.S. banking system."
The FDIC, along with the other federal banking agencies and the Securities and Exchange Commission, is issuing the attached statement for public comment. The statement informs financial institutions of the internal controls and risk-management procedures that should be used to identify, manage and address the heightened legal or reputational risks that may arise from their involvement in certain complex structured finance transactions. The FDIC will accept comments on this statement through June 15, 2006. Highlights: The attached interagency statement:
- Focuses on complex structured finance transactions entered into by institutions when the transactions circumvent regulatory or financial reporting requirements, evade tax liabilities, or involve other illegal and/or improper behavior.
Five federal agencies today requested public comment on a revised proposed statement on the complex structured finance activities of financial institutions. The revised statement describes the types of internal controls and risk management procedures that should help financial institutions identify, manage and address the heightened legal and reputational risks that may arise from certain complex structured finance transactions. The agencies have modified the revised statement in several important respects in light of the comments received on the original proposed statement, which was issued for comment on May 19, 2004. For example, the agencies have reorganized, streamlined and modified the statement to make the document more principles-based and focused on those complex structured finance transactions that may pose heightened levels of legal or reputational risk to a financial institution.
Summary: This Regulatory Bulletin transmits Examination Handbook Section 341, Information Technology Risks and Controls. The Office of Thrift Supervision substantially revised and reorganized this section of the Examination Handbook. This handbook section replaces existing guidance found in Thrift Activities Handbook Section 341, Technology Risk Controls. This bulletin rescinds RB 32-21 dated January 7, 2002.
The rapid growth and extensive deployment of information technology (IT) requires a thorough assessment of the risks inherent in such activities. The Examination Handbook section issued today outlines OTS expectations that savings associations fully address the risks and challenges posed by using technology, and establish effective risk management practices commensurate with the association's size and complexity. Use this Handbook section and its examination procedures in conjunction with other Handbook sections that provide guidance for reviewing an association's internal control environment.
The Federal Reserve Board announced Wednesday the consolidation of two internal advisory committees on payments system matters. The duties of the Payments System Policy Advisory Committee will be expanded to encompass the responsibilities and activities of the Payments System Development Committee, including its public outreach efforts. The Payments System Development Committee will be discontinued. The Payments System Policy Advisory Committee was formed in July 1986 to advise the Board on a range of issues, including risk-management issues, primarily in wholesale payment and settlement systems, and the relationship between wholesale payment systems and financial markets. The Payments System Development Committee was formed in July 1999 to advise on medium- and long-term public policy issues surrounding innovation in the retail payments system. The expanded Payments System Policy Advisory Committee will provide the Board with a coordinated view of developments in both wholesale and retail payments at a time of significant overall change in the U.S. payments system and help coordinate Federal Reserve work involving domestic and international payments and settlement systems.
Summary: The FDIC has issued revised compliance examination procedures that update the procedures issued in 2003. The new examination procedures incorporate banker feedback and results of internal reviews. Highlights:
- The FDIC also gathered information about how well the procedures were meeting its objectives.
- These included focusing increased attention on a bank's compliance management system, and conducting more of the review process off-site, where appropriate.
- Bankers were generally pleased with the revised procedures issued in 2003, particularly the focus on compliance management systems. However, they made several suggestions to improve the examination process while reducing burden.
- As a result of banker input, the FDIC has made a number of changes to the compliance examination procedures.
- Revised worksheets have been distributed to examiners to support the latest version of the compliance examination procedures.
This report presents the results of our audit of the FDIC’s consideration of risk in determining the deposit insurance premiums paid to the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF). To assess semiannual premiums on financial institutions, the FDIC uses the Risk-Related Premium System (RRPS) and considers capital levels, safety and soundness examination results, and other pertinent information to assign insured institutions to one of three Capital Groups and to one of three Supervisory Subgroups for the purpose of determining an insurance assessment risk classification.[1] The audit objective was to determine whether the insurance assessment system is adequately tied to the results of examinations of financial institutions by the primary federal regulators and to other information relevant to the institutions’ financial condition. Appendix I of this report discusses our objective, scope, and methodology in detail.
Federal regulators today released Evolution of a Prototype Financial Privacy Notice, a report by Kleimann Communication Group summarizing consumer research commissioned by the regulators as part of their ongoing efforts to develop improved financial privacy notices.
The report's release concludes the first phase of an interagency project by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission to explore alternatives for financial privacy notices that would be easier for consumers to read, understand, and use than many of the notices consumers currently receive from financial institutions. These six agencies were among those that jointly issued regulations in 2000 implementing the financial privacy provisions of the Gramm-Leach-Bliley Act, but survey data indicate that many consumers neither read nor understand the notices financial institutions provide under those regulations.
An interagency notice of proposed rulemaking (NPR) that would implement Basel II risk-based capital requirements in the United States for large, internationally active banking organizations was made public Thursday by the Federal Reserve Board. The proposed rule would require the largest internationally active banks to enhance the measurement and management of their risks, including credit risk and operational risk. It also would require these banks to have rigorous processes for assessing overall capital adequacy in relation to their total risk profile and to publicly disclose information regarding their risk profile and capital adequacy.
"Given the increasing complexity of the activities at our largest banks, and the related risks of those activities, I fully support efforts to develop a more appropriately risk-sensitive capital framework for those institutions," said Board Chairman Ben S. Bernanke. "The current Basel I framework has become increasingly inadequate for capturing the risks at large, complex U.S. banking organizations."
The purpose of this Letter to Credit Unions (LTCU) is intended to raise awareness regarding the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services. It further advises credit unions and their service providers to consider this and similar threats in their event response and contingency strategies (business continuity and disaster recovery plans). This LTCU discusses the National Strategy for Pandemic Influenza (National Strategy) and the roles and responsibilities it outlines for financial institutions.
On November 1, 2005, the White House issued the National Strategy, which discusses the threat and potential impact of a pandemic influenza event. It also identifies the roles and responsibilities for the federal government, the private sector, and others.
The Office of the Comptroller of the Currency will host workshops for national community bank directors at the Westin Great Southern Hotel, Columbus, Ohio, on April 25-26. The workshops provide practical information that expands bank directors' skills and understanding of issues facing their banks. This year's workshops cover risk assessment and compliance risk. Workshops cost $65 each. Attendees receive pre-course reading and course materials, an OCC telephone seminar CD, a community bank supervision handbook, other supervisory material, a continental breakfast and lunch. Workshops are limited to the first 50 registrants and are geared primarily to outside directors of national community banks with assets of less than $1 billion. Management directors may also find the workshop beneficial. For information or to register online, visit http://www.occ.gov/conference.htm
The "Insider Activities" booklet is one of several booklets in the Comptroller's Handbook that will be published under the theme of corporate governance. This booklet provides guidance on how banks may legally and prudently engage in transactions with insiders and implement risk management processes that provide for the appropriate control and monitoring of insider activities. This booklet also provides guidance on how examiners will review and assess insider activities during the supervisory process.
A bank should engage in safe and sound business and personal transactions with its insiders, consistent with law and regulation. Transactions between a bank and its insiders can address legitimate banking needs and serve the interests of both parties. The challenge is to separate legitimate insider financial relationships from those that are, or could become, abusive, imprudent, or preferential. Studies of bank failures have found that insider abuse, including excessive or poor-quality loans made to, and unjustified fees paid to, directors and officers, is often a contributing factor to the failure. Because of the significant risks that insider activities can pose, these activities are subject to strict laws and ethical guidelines.
The Financial Crimes Enforcement Network (FinCEN) and the federal bank, thrift and credit union regulatory agencies are soliciting comments on the attached proposed changes to the Suspicious Activity Report (SAR) form. Highlights:
- On February 17, 2006, FinCEN and the federal bank, thrift and credit union regulatory agencies issued the attached notice and request for comments in the Federal Register on proposed changes to the SAR form that is used by depository institutions. The SAR form is being revised and reformatted to standardize it with SARs used by financial institutions in other industries.
The Federal Reserve and the other financial institutions regulatory agencies published on February 9, 2006, the attached Advisory to address safety and soundness concerns that may arise when financial institutions enter into external audit contracts (typically referred to as "engagement letters") that limit the auditors' liability for audit services. The Advisory informs financial institutions that it is unsafe and unsound to enter into engagement letters for audits of financial statements, audits of internal control over financial reporting, or attestations on management's assessment of internal control over financial reporting which include provisions that (1) indemnify the external auditor against all claims made by third parties, (2) hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution (other than claims for punitive damages), or (3) limit the remedies available to the client financial institution (other than punitive damages).
The Federal Financial Institution Examinations Council (FFIEC) Task Force on Consumer Compliance has approved the attached revised Fair Credit Reporting Act (FCRA) examination procedures, which incorporate the new requirements created by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The revised FCRA examination procedures have been reorganized into a new format in which similar requirements are grouped into modules for use in risk-focused compliance examinations. This modular format is also designed to assist financial institutions in organizing compliance programs and internal reviews. The revised procedures separate background information from the examination steps, contained in Appendix A. Appendix B lists the statutory and regulatory requirements in the order in which they are addressed in the examination procedures, according to a financial institution's primary federal regulator.
Welcome to the fifth issue of The SAR Activity Review - By the Numbers, a compilation of statistical data gathered from Suspicious Activity Report forms submitted by depository institutions since April 1996, casinos and card clubs since August 1996, certain money services businesses since January 2002, and certain segments of the securities and futures industries since January 2003. By the Numbers serves as a companion piece to the publication of The SAR Activity Review - Trends, Tips & Issues, which provides information about the preparation, use, and utility of Suspicious Activity Reports.
By the Numbers is produced twice a year to cover two filing periods: January 1 to June 30 and July 1 to December 31. The statistical data from the filing periods is available for publication on the FinCEN website after the end of each period, usually in the spring and fall. The last issue of By the Numbers was published in May 2005 and may be accessed through the following link:
The Federal Deposit Insurance Corporation (FDIC), in observance of National Consumer Protection Week (NCPW) February 5-11 and its theme of fraud prevention, is reminding the public about the agency's wide range of educational materials designed to help consumers learn how to protect themselves from scams. "Consumers, as well as banking institutions, face significant costs and challenges from fraud," said Christopher Spoth, Acting Director of the Division of Supervision and Consumer Protection. "The FDIC will continue to work to help consumers avoid being victimized by some of the fastest growing crimes in America."
The federal financial regulatory agencies today announced the issuance of a final advisory that addresses safety and soundness concerns that may arise when financial institutions agree to limit their external auditors' liability. The agencies' primary concern is that limiting the liability of external auditors in engagement letters may reduce the reliability of audits. The Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters informs financial institutions that they should not enter into external audit engagement letters that incorporate unsafe and unsound limitation of liability provisions with respect to audits of financial statements and internal control over financial reporting.
The federal bank and thrift regulatory agencies today announced that they will be hosting a forum in New Orleans for banks and thrifts on March 2 and 3, 2006. The forum, titled “The Future of Banking on the Gulf Coast: Helping Banks and Thrifts Rebuild Communities,” will focus on the short-term and long-term challenges facing banks and thrifts operating in the areas affected by Hurricanes Katrina and Rita and on ways of helping meet the needs of the local communities. Principals from each of the four federal banking agencies will participate in the forum, which will convene at the New Orleans Marriott, 555 Canal Street, New Orleans, Louisiana, at 8:00 a.m. CST on Thursday, March 2, 2006, and close at noon on Friday, March 3, 2006. The FDIC and NeighborWorks of New Orleans will conduct optional bus tours of devastated areas nearby on the afternoons of Wednesday, March 1, and Friday, March 3.
The purpose of this bulletin is to provide banks with guidance on how to respond to incidents of Web-site spoofing. The bulletin addresses procedures banks can implement to mitigate the risks to themselves and their customers by detecting and responding to Web-site spoofing. It also identifies the types of information banks can provide to law enforcement authorities to assist in investigating illegal activities. This bulletin expands on OCC Alert 2003-11, “Customer Identity Theft: E-mail-Related Fraud Threats,” September 12, 2003.
For the security of any system to be strong, the system's owners must consider three fundamental security areas: management controls, operational controls, and technical controls. While technical controls, such as encryption, digital signatures, or firewalls, receive the most attention, inadequate operational controls and the day-to-day administration of technical controls often create the most vulnerabilities. Strong management controls are needed to tie all the aspects of security together into a sensible protection strategy. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, helps organizations to improve their operational and management controls. This CSL Bulletin explains some of the needs which GSSPs can solve and presents a set of generally accepted system security principles developed by NIST.
Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.
The quality of security controls can significantly influence all categories of risk. Traditionally, examiners and bankers recognize the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk in the future. Effective application access controls can reduce credit and market risk by imposing risk limits on loan officers or traders. If a trader were able to exceed the intended trade authority, the institution could unknowingly assume additional market risk exposure.
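The point about trade authority is easy to state and easy to get wrong in practice: the limit must be enforced on the server, from a table the trader cannot edit, and every attempt to exceed it must be recorded so that risk management can see who is pushing against their authority. The following is an added example, not code from the FFIEC booklet summarized above; the trader names, desks, limits and sample trades are constructed for illustration.

```python
"""Server-side enforcement of trade authority limits (added example).

Shows an application access control that caps the market risk a single
trader can commit the institution to, and a simple detection rule over the
resulting audit log. All names, limits and trades below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class TradeAuthority:
    """Limits assigned by risk management; the trader cannot change them."""
    max_notional_per_trade: Decimal
    max_daily_notional: Decimal
    allowed_desks: frozenset


@dataclass(frozen=True)
class Trade:
    trader: str
    desk: str
    quantity: int
    price: Decimal

    @property
    def notional(self) -> Decimal:
        return Decimal(self.quantity) * self.price


class TradeGateway:
    """The single server-side path through which every trade must pass.

    Limits are looked up here from the authority table and never taken from
    the client request, so a tampered front end cannot widen them.
    """

    def __init__(self, authorities: Dict[str, TradeAuthority]) -> None:
        self._authorities = authorities
        self._booked_today: Dict[str, Decimal] = {}
        self.audit_log: List[dict] = []

    def submit(self, trade: Trade) -> bool:
        auth = self._authorities.get(trade.trader)
        if auth is None:
            return self._deny(trade, "no trade authority on file")
        if trade.desk not in auth.allowed_desks:
            return self._deny(trade, "desk not permitted")
        if trade.quantity <= 0 or trade.price <= 0:
            return self._deny(trade, "invalid quantity or price")
        if trade.notional > auth.max_notional_per_trade:
            return self._deny(trade, "per-trade limit exceeded")
        used = self._booked_today.get(trade.trader, Decimal(0))
        if used + trade.notional > auth.max_daily_notional:
            return self._deny(trade, "daily limit exceeded")
        # Commit the exposure only after every check has passed.
        self._booked_today[trade.trader] = used + trade.notional
        self.audit_log.append({"trader": trade.trader, "desk": trade.desk,
                               "notional": trade.notional, "decision": "approved"})
        return True

    def _deny(self, trade: Trade, reason: str) -> bool:
        # Denials are logged with the same detail as approvals: a trader who
        # repeatedly pushes against a limit is itself a signal worth reviewing.
        self.audit_log.append({"trader": trade.trader, "desk": trade.desk,
                               "notional": trade.notional, "decision": "denied",
                               "reason": reason})
        return False

    def exposure(self, trader: str) -> Decimal:
        """Notional booked by this trader so far today."""
        return self._booked_today.get(trader, Decimal(0))


def traders_to_review(log: List[dict], threshold: int = 2) -> List[str]:
    """Detection rule: traders with at least `threshold` limit denials today."""
    counts: Dict[str, int] = {}
    for entry in log:
        if entry["decision"] == "denied" and entry["reason"].endswith("limit exceeded"):
            counts[entry["trader"]] = counts.get(entry["trader"], 0) + 1
    return sorted(t for t, n in counts.items() if n >= threshold)


def run_sample() -> TradeGateway:
    """Constructed sample: one FX trader with a 1,000,000 per-trade and a
    2,500,000 daily limit, plus a user with no authority on file."""
    gateway = TradeGateway({
        "alice": TradeAuthority(Decimal("1000000"), Decimal("2500000"),
                                frozenset({"FX"})),
    })
    for trade in [
        Trade("alice", "FX", 1000, Decimal("900")),   # 900,000: approved
        Trade("alice", "FX", 2000, Decimal("600")),   # 1,200,000: per-trade limit
        Trade("alice", "FX", 1000, Decimal("950")),   # 950,000: approved, 1,850,000 used
        Trade("alice", "FX", 1000, Decimal("800")),   # 800,000: would breach daily limit
        Trade("alice", "RATES", 10, Decimal("100")),  # desk not permitted
        Trade("bob", "FX", 1, Decimal("1")),          # no authority on file
    ]:
        gateway.submit(trade)
    return gateway


if __name__ == "__main__":
    g = run_sample()
    for entry in g.audit_log:
        print(entry)
    print("review:", traders_to_review(g.audit_log))
```

The design choice worth noting is that the gateway is the only path to the booking system and that the daily total is kept server-side; a limit enforced in the trading front end, or one that trusts a limit value carried in the request, does not reduce market risk, because the person it is meant to constrain controls the client.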
The security process is the method an organization uses to implement and achieve its security objectives. The process is designed to identify, measure, manage and control the risks to system and data availability, integrity, and confidentiality, and ensure accountability for system actions. The process includes five areas that serve as the framework for this booklet:
Whatever direction the cyberthreat takes, the United States Government will be confronting an increasingly interconnected world in the years ahead. This is the core message of GT2015. We will have to develop, in response, greater communications and collaboration across the agencies of our own Government, with other governments, and with the corporate world. Interagency cooperation will be essential to understanding the cyberthreat, as well as other transnational threats that will crowd our agenda, and to responding effectively with interdisciplinary strategies. Consequence management of a major attack on a critical US infrastructure would involve virtually all agencies of the Federal Government, State, and local governments, foreign governments, law enforcement, the military, the medical community, and the media. NSTISSC and the Intelligence Community clearly have a lot of work to do if we are to understand this evolving threat and to be prepared to deal with it.
To assure that prudent practices are being followed by banking institutions in their funds transfer activities, examinations should focus, with equal emphasis, on the evaluation of credit risks and operational controls. Deficiencies disclosed in either of these areas and suggestions for improvement should be discussed with management and listed in the Report of Examination. Constructive criticism by the examiners should help the institutions strengthen procedures to minimize the risks associated with funds transfer activities. Refer to the Electronic Funds Transfer (EFT) Examination Documentation module for further guidance.
The Financial Crimes Enforcement Network and the federal banking agencies – the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision – are issuing the attached guidance to notify institutions when a Suspicious Activity Report (SAR) can be shared with a holding company or other controlling company, or with the head office of a U.S. branch or agency of a foreign bank.
This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.
Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.
The FDIC Office of Inspector General issued its semiannual report to Congress, highlighting what the Inspector General considers to be 2005's most taxing management and performance challenges. The report focuses on the need to streamline information security initiatives that can "maintain stability and confidence in the nation's banking system." The Office of Inspector General recognizes the substantial risk involved in safeguarding bank customers' private information and has therefore centered its priorities and management initiatives accordingly.
WASHINGTON, D.C. (January 13, 2006) – The federal financial regulatory agencies today announced a public service campaign to aid in the financial recovery of victims of last year's hurricanes. Although four months have passed since Hurricanes Katrina and Rita made landfall, some bank customers have not yet been in contact with their lenders. Communication is an essential step in the road to financial recovery. The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration and state financial regulators are encouraging banks, thrifts, and credit unions to continue to work with borrowers affected by the hurricanes. Assistance may include waiving fees, lowering interest rates, extending repayment schedules, or deferring principal or interest for an additional period, where appropriate. For these options to be considered, however, it is essential that the borrower contact his or her lender.
At the request of the Assistant to the President and Chief of Staff, we have prepared this memorandum to provide guidance for reviewing Government information regarding weapons of mass destruction, as well as other information that could be misused to harm the security of our nation or threaten public safety. It is appropriate that all federal departments and agencies consider the need to safeguard such information on an ongoing basis and also upon receipt of any request for records containing such information that is made under the Freedom of Information Act (FOIA), 5 U.S.C. § 552 (2000). Consistent with existing law and policy, the appropriate steps for safeguarding such information will vary according to the sensitivity of the information involved and whether the information currently is classified.
The attached final rule, published in the Federal Register on August 13, 2003, concerns the removal, suspension, and debarment of accountants from performing annual audit and attestation services. The final rule will become effective on October 1. Section 36 of the Federal Deposit Insurance Act (FDIA) requires that each national bank with $500 million or more in total assets submit an annual report on its financial statements and required management assessments to the Comptroller of the Currency (OCC). An independent public accountant must audit these financial statements to determine whether they are presented in accordance with generally accepted accounting principles.
Dr. Robert DeYoung has been named Associate Director of the FDIC's Division of Insurance and Research (DIR), FDIC Acting Chairman Martin Gruenberg announced today. DeYoung will head the division's Research Branch. "Bob DeYoung brings a wealth of experience in the publication of original research and in its application to the banking and financial system," said Art Murton, DIR Director. "We look forward to the contributions he will make to the policy leadership and research efforts at the FDIC."
Dr. DeYoung joins the FDIC from the Federal Reserve Bank of Chicago, where he served as a senior economist and economic advisor in the research department. For the past two years, Dr. DeYoung has played a key role in the advancement of the FDIC's Center for Financial Research as the Coordinator of the Center's Banking Policy and Regulation Program. Dr. DeYoung also serves as an associate editor of the Journal of Financial Services Research and the Journal of Economics and Business, and as a lecturer on economics and finance at the Kellstadt Graduate School of Business at DePaul University in Chicago.
The Financial Crimes Enforcement Network (FinCEN) has announced the final regulation implementing the international correspondent banking provisions and the private banking provisions of Section 312 of the USA PATRIOT Act. Concurrently, FinCEN has released a further notice of proposed rulemaking on one key issue regarding correspondent banking. To view the final and proposed rules, along with a press release and fact sheet from FinCEN, visit FinCEN's Web site at http://www.fincen.gov/section312.pdf.
Highlights: The final regulation takes effect within 90 days from the date the regulation is published in the Federal Register (anticipated by January 4, 2006) for new accounts opened by U.S. financial institutions and 270 days from that date for existing accounts.
The final rule requires certain U.S. financial institutions to apply due diligence to correspondent accounts maintained for certain foreign financial institutions and private banking accounts maintained for foreign individuals.
You are receiving this information because you have notified a consumer reporting agency that you believe that you are a victim of identity theft. Identity theft occurs when someone uses your name, Social Security number, date of birth, or other identifying information, without authority, to commit fraud. For example, someone may have committed identity theft by using your personal information to open a credit card account or get a loan in your name. For more information, visit www.consumer.gov/idtheft or write to: FTC, Consumer Response Center, Room 130-B, 600 Pennsylvania Avenue, N.W. Washington, D.C., 20580. The Fair Credit Reporting Act (FCRA) gives you specific rights when you are, or believe that you are, the victim of identity theft. Here is a brief summary of the rights designed to help you recover from identity theft.
Following a public comment period, the Federal Trade Commission has issued final summaries of identity theft and general consumer rights and revised furnisher and user notices under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Consumer reporting companies are required to notify consumers of their rights under FACTA and steps they can take to protect themselves against identity theft and difficulties resulting from identity theft.
The identity theft rights summary includes the major new identity theft rights granted to consumers by FACTA, including the right to place fraud alerts on their credit reports, to block businesses and credit bureaus from reporting information in their credit files that is a result of identity theft, and to obtain from businesses information about accounts or transactions in their name that result from identity theft. The identity theft rights summary will be provided by consumer reporting companies to consumers who contact the agencies because they believe they are victims of fraud or identity theft.
The Federal Trade Commission today said that provisions of the recently enacted Fair and Accurate Credit Transactions Act will help reduce identity theft and help victims recover. In testimony to the House Ways and Means Committee’s Subcommittee on Social Security, Howard Beales, Director of the FTC’s Bureau of Consumer Protection, said that many of the provisions will go into effect over the course of this year.
The testimony says one of the newly enacted provisions requires the three major credit reporting agencies to provide consumers with a free copy of their own credit report every 12 months. The requirement will become effective in December but will be phased in over nine months from West to East. The reports allow consumers to discover and correct errors in their credit records and to assure that accounts have not been fraudulently opened in their names.
On June 30, 2000, Congress enacted the Electronic Signatures in Global and National Commerce Act ("ESIGN" or "the Act"), to facilitate the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically. Careful to preserve the underlying consumer protection laws governing consumers' rights to receive certain information in writing, Congress imposed special requirements on businesses that want to use electronic records or signatures in consumer transactions. Section 101(c)(1)(C)(ii) of the Act requires businesses to obtain from consumers electronic consent or confirmation to receive information electronically that a law requires to be in writing. The Act went into effect in October 2000.
The Check Clearing for the 21st Century Act (Check 21) was signed into law on October 28, 2003, and became effective on October 28, 2004. Check 21 is designed to foster innovation in the payments system and to enhance its efficiency by reducing some of the legal impediments to check truncation. The law facilitates check truncation by creating a new negotiable instrument called a substitute check, which permits banks to truncate original checks, to process check information electronically, and to deliver substitute checks to banks that want to continue receiving paper checks. A substitute check is the legal equivalent of the original check and includes all the information contained on the original check. The law does not require banks to accept checks in electronic form nor does it require banks to use the new authority granted by the Act to create substitute checks.
Fight Back: What You Can Do about Identity Theft
If you think your identity has been stolen, here's what to do now: Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified to place fraud alerts. Once the alert is placed, you may order a free copy of your credit report from all three major credit bureaus. The special toll-free numbers for the fraud departments are: Equifax at (800) 525-6285, Experian at (888) 397-3742 and Trans Union at (800) 680-7289. Close the accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit when disputing new unauthorized accounts.
File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.
This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The bill would permit the notifications required by its provisions to be delayed if a law enforcement agency determines that it would impede a criminal investigation. The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified. The bill would state the intent of the Legislature to preempt all local regulation of the subject matter of the bill. This bill would also make a statement of legislative findings and declarations regarding privacy and financial security.
This guidance identifies risks associated with public Internet instant messaging (IM) and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy, and legal liability risks because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.
The federal bank and thrift regulatory agencies, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (agencies), have jointly adopted the attached final rule and guidelines to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. The guidelines require the proper disposal of consumer information.
Under the final rule, the agencies have amended their "Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by the Gramm-Leach-Bliley Act, to require the proper disposal of consumer information. The guidelines have been renamed "Interagency Guidelines Establishing Information Security Standards."
Executive Summary and Findings Focus of Supplement Identity theft in general and account hijacking in particular continue to be significant problems for the financial services industry and consumers. Recent studies indicate that identity theft is evolving in more complicated ways that make it more difficult for consumers to protect themselves. Recent studies also indicate that consumers are concerned about online security and may be receptive to using two-factor authentication if they perceive it as offering improved safety and convenience.
This Supplement discusses seven additional technologies that were not discussed in the Study. These technologies, as well as those considered in the Study, have the potential to substantially reduce the level of account hijacking (and other forms of identity theft) currently being experienced.
This bulletin transmits a small entity compliance guide for the Interagency Guidelines Establishing Information Security Standards (Security Guidelines), jointly drafted by staff of the federal banking agencies, pursuant to the requirements of the Small Business Regulatory Enforcement Fairness Act of 1996. The compliance guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations.
This advisory letter highlights risks associated with wireless networks and provides guidance for managing those risks. National banks can use this guidance to help in protecting company assets and confidential customer information, achieving service level requirements, maintaining safe and sound practices, and ensuring compliance with regulatory security expectations. BACKGROUND The emergence of wireless networking standards and products that rely upon unlicensed radio frequencies is causing an increasing number of national banks to consider how they might benefit from the technology advancements. National banks can use wireless technologies to build local-area networks and personal-area networks with low-cost devices and easy installations. The basic technology components include:
* Systems and devices sharing information (e.g., computers, workstations, networks);
The purpose of this paper is to provide financial institutions and examiners with background information and guidance on various risk assessment tools and practices related to information security. Institutions using the Internet or other computer networks are exposed to various categories of risk that could result in the possibility of financial loss and reputational harm. Given the rapid growth of the Internet and networking technology, the available risk assessment tools and practices are becoming more important for information security. This paper provides a summary of critical points, discusses components of a sound information security program, and describes the risk assessment and risk management processes for information security. The appendix provides specific information on certain risk assessment tools and practices that may be part of an institution's information security program. The paper and appendix are intended to provide useful information and guidance, not to create new examination standards, impose new regulatory requirements, or represent an exclusive description of the various ways financial institutions can implement effective information security programs.
The federal bank and thrift regulatory agencies have sent to the Federal Register joint guidelines for safeguarding confidential customer information. The guidelines implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), and will be effective on July 1, 2001.
The GLBA requires the agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer records and information. These safeguards are to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of these records, and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to a customer.
Complete this section’s objectives to assign the information technology (IT) composite rating using as a guide OCC Bulletin 99-3, “Uniform Rating System for Information Technology (URSIT).” The composite URSIT rating should reflect:
• The adequacy of the bank’s risk management practices.
In assigning the rating the examiner should consult the EIC, the examiners assigned to review management and audit, and other examining personnel, as appropriate. Although the OCC does not assign URSIT component ratings to the financial institutions it supervises, risks arising from the areas covered by the component ratings are considered when assigning the URSIT composite rating.
The Agencies are jointly issuing final Guidance that interprets the requirements of section 501(b) of the GLBA, 15 U.S.C. 6801, and the Security Guidelines to include the development and implementation of a response program to address unauthorized access to, or use of customer information that could result in substantial harm or inconvenience to a customer. The Guidance describes the appropriate elements of a financial institution’s response program, including customer notification procedures. Section 501(b) required the Agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to: (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
On February 1, 2001, the Agencies issued the Security Guidelines as required by section 501(b) (66 FR 8616). Among other things, the Security Guidelines direct financial institutions to: (1) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
The Federal Financial Institutions Examination Council (FFIEC) has released updated information security guidance in the form of a new Information Security Booklet. The Information Security Booklet is the first in a series of booklets that will completely update and replace the 1996 FFIEC Information Systems Examination Handbook.
Reliance on technology in all aspects of banking by bankers, consumers, and corporations has increased both the potential for, and likely impact of, security threats to national banks. Widespread adoption of effective security processes can help ensure that the banking industry maintains effective safeguards against such threats and, by doing so, helps preserve the public trust. The Information Security Booklet provides a comprehensive security framework for national banks and their technology service providers. The framework focuses on implementing a security risk management process that identifies risks, develops and implements a security strategy, tests key controls, and monitors the risk environment. This framework also stresses the important roles that senior management and boards of directors play in this process by emphasizing their responsibility to recognize security risks in their banks and to assign appropriate roles and responsibilities to their managers and employees.
The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Cotton & Company LLP to conduct an independent evaluation of NCUA’s information systems (IS) and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.
The Office of Management & Budget (OMB) issued 2004 Guidance on Annual Information Technology Security Reports on August 23, 2004. This guidance provides clarification to agencies for implementing, meeting, and reporting FISMA requirements to OMB and the Congress. This report contains a summary of our evaluation of the NCUA’s information security program and is presented in the OMB prescribed format.
NCUA Annual Performance Budget 2005 I am pleased to present the National Credit Union Administration’s Annual Performance Budget 2005. You will notice that it is called a performance budget and not a plan. It was developed to serve as an element of budget development and reflects a greater correlation between our strategic and annual performance goals and resource allocation. This enhanced correlation is in support of the President’s Management Agenda Initiative #5 – Budget and Performance Integration.
The year 2004 has been a very productive year. NCUA Annual Performance Plan 2004 served to guide the agency’s efforts to achieve its performance goals and objectives in its regulatory and supervisory roles during the past year. The credit union industry’s performance validated these efforts with assets increasing $30.6 billion or 5.02%, net worth increasing $4.3 billion or 6.52%, shares increasing $22.8 billion or 4.31%, loans increasing $30.2 billion or 8.02% and delinquent loans as a percentage of total loans decreasing from 0.76% to 0.71% for a very productive year. As a result, NCUA’s priorities continue to stress providing proper training and tools for examiners, an optimal regulatory environment that balances innovation with safety and soundness, enhanced organizational effectiveness and efficiency, promoting access of financial services to all eligible residents and maintaining a responsible budget process.
The National Credit Union Administration (NCUA) has developed this guide to assist credit unions engaging in, or considering, e-Commerce activities. For the purposes of this guide, e-Commerce is defined as the electronic delivery of financial services via the Internet. NCUA does not expect all credit unions to offer e-Commerce. However, NCUA expects credit unions offering e-Commerce to do so in a safe and sound manner. This guide focuses on processes to assist credit unions in managing the risks related to e-Commerce in an environment of rapidly changing technology. Credit union management should use the information in this guide to assist with technology planning, contracting, delivery, and support of e-Commerce activities. This should be done within a framework designed to identify, quantify and, to the extent possible, reduce related technology risks.
Much of the information in this guide is derived from NCUA issuances such as Rules & Regulations and Letters to Credit Unions. Although this information is provided in summary format in the guide, the related issuances typically contain more detail on a particular subject and may contain additional checklists that can assist in evaluating performance in a given area. Please refer to Appendix A for a listing of NCUA reference information. These issuances, as well as additional guidance, can be found via the Information Systems and Technology link under the reference section of the NCUA website (http://www.ncua.gov). This site is updated frequently and can serve as a valuable resource.
Periodic security awareness training is specifically mandated by three Federal issuances. On October 30, 2000, the Government Information Security Reform Act (GISRA) was signed into law. One of the requirements of GISRA is that each Federal agency shall develop and implement an agency-wide information security program to provide information security for the operations and assets of the agency. This program shall include security awareness training to inform personnel of information security risks associated with the activities of personnel, and responsibilities of personnel in complying with agency policies and procedures designed to reduce such risk.
OMB Circular A-130, Management of Federal Information Resources, establishes policy for the management of Federal information resources.
Appendix III of OMB Circular A-130 requires that prior to being granted access to Information Technology (IT) applications and systems, all individuals must receive specialized training on their IT security responsibilities and established system rules.
I. INTRODUCTION Purpose and Scope of the Guide This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs. Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.
Flawed modeling presents risk to sound management decision-making; rise in online fraud, theft of consumer data dictate need for tighter online banking security Banks' financial modeling, the security of Internet banking transactions, and bank insider misconduct are some of the issues of current focus for the bank regulatory community that are highlighted in the FDIC's Winter 2005 issue of Supervisory Insights, released today. With financial modeling growing in importance as a bank management tool, attention is now focused on a new source of risk - the potential for flawed information to be introduced into the management decision-making process. The article "Model Governance" describes how strong governance procedures can help minimize this risk, and it suggests areas that examiners should target when evaluating a bank's model oversight, control and validation programs. And with incidents of online fraud - including identity theft - on the rise, strengthening security for Internet-based financial transactions continues to be an area of focus for bank supervisors and management. "Online Delivery of Banking Services: Making Consumers Feel Secure" reviews key findings of an FDIC study that evaluated identity authentication technologies. This article also reviews recently issued interagency guidance requiring insured institutions and service providers - as part of the development of Internet banking products and services - to design safeguards to protect sensitive customer data.
This statement alerts the Board of Directors and management to some of the risks and concerns of retail on-line, personal computer banking (PC banking). Recently, the staff of the FFIEC agencies organized a symposium to hear industry experts offer their thoughts and observations on the development of retail on-line PC banking. Through this statement, the FFIEC agencies wish to impart many of the ideas discussed during the symposium to bankers and examiners. II. EXECUTIVE SUMMARY Financial institutions are beginning to utilize new technologies to offer innovative products and services to their customers. On-line PC banking exemplifies an emerging delivery channel for retail banking services made possible by technology. One of the reasons for the rapid evolution of PC banking involves the increased use of the Internet. Regulatory agencies recognize that PC banking offers opportunities for financial institutions to enhance customer relationships and improve competitive positions. Before implementing a PC banking program, management should exercise sufficient due diligence and develop comprehensive plans. Such due diligence would ordinarily include the following activities.
• Review the implications of PC banking on the institution's strategic plan;
WASHINGTON -- The Office of the Comptroller of the Currency (OCC) published on its website today its annual notice of fees that incorporates an amendment to the timing of payments of OCC assessments by national banks. The OCC, rather than each national bank, will calculate and draft the semiannual assessment from either the Federal Reserve account or Federal Home Loan Bank account based on the most recent call report. The fee will be due by March 31 and September 30, two months later than the current due date.
The FDIC has updated its Trust Examination Manual. It is now available on the FDIC’s Web site and may also be purchased in a CD-ROM format.
The FDIC has amended Part 363 of its regulations by raising the asset-size threshold from $500 million to $1 billion for internal control assessments by management and external auditors. For institutions between $500 million and $1 billion in assets, only a majority, rather than all, of the members of the audit committee, who must be outside directors, must be independent of management. The final rule is effective December 28, 2005.
TO: All Federally-Insured Credit Unions The purpose of this letter is to inform you of revised technology-related guidance provided to examiners and the credit union industry. Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) released the Information Security Booklet – a first in a series of booklets to revise the existing 1996 FFIEC Information Systems Examination Handbook. The revised Information Technology (IT) Examination Handbook will be composed of several booklets to address significant changes in technology since 1996 and incorporates a risk-based examination approach to each booklet.
The FFIEC agencies plan to issue additional booklets covering such topics as business continuity planning, technology service providers, electronic banking, audit, payment systems, outsourcing, management, computer operations, and systems development and acquisition.
In testimony before the Senate Banking Committee this morning, FDIC Chairman Donald Powell underscored the need to maintain Prompt Corrective Action (PCA) regulations, particularly existing U.S. leverage requirements, as part of the U.S. implementation of the Basel II Framework, an international effort to modernize the bank capital regime.
This policy issuance alerts all financial institutions to the importance of strategic information systems planning and its role in overall corporate management and planning. It identifies management's responsibilities in preparing strategic plans for their information systems requirements.
This interagency statement alerts financial institutions to potential risks in contracting for EDP services and/or failing to properly account for certain contract provisions.
POLICY STATEMENT FOR THE REVIEW OF INFORMATION SYSTEM VENDORS
Weblinking: Identifying Risks & Risk Management Techniques
ENCL: Weblinking Guidance
The purpose of this letter is to assist credit unions in identifying risks posed by the use of weblinks on their websites and suggest a variety of risk management techniques to mitigate these risks. A large number of credit unions maintain sites on the World Wide Web. Virtually every website contains weblinks. A weblink is a word, phrase, or image that contains coding that will transport the viewer to a different part of the website or a completely different website by clicking on it. While weblinks are a convenient and accepted tool in website design, their use can present certain risks. The primary risk posed by weblinking is viewer confusion about whose website they are viewing and who is responsible for information, products, and services available through that website. Credit unions using weblinks are encouraged to review the enclosed guidance that was developed jointly with other federal regulatory agencies. This guidance applies to credit unions that develop and maintain their own websites, as well as those using service providers for these functions. This letter supersedes NCUA Letter 02-FCU-04.
If you have any questions, please contact your NCUA Regional Office or State Supervisory Authority.
Chairman Bachus, and Members of the Subcommittee, I appreciate your invitation to present this testimony reviewing the National Credit Union Administration’s (NCUA’s) experiences with information systems and technology (IS&T) incidents and other security events resulting in the potential compromise of personal financial data. We also identify actions by NCUA to ensure credit unions safeguard member information and to mitigate potential losses to credit unions and members when breaches occur. We recommend that NCUA be granted examination authority over third party vendors, which would enable us to better monitor risk and protect credit union members’ personal financial data. Examples of Data Security Breaches Involving Credit Union Members
Information is provided here on types of security breaches NCUA and credit unions have experienced. These security breaches include: fraudulent email or telephone scams, known as phishing; the unauthorized storing of customer information and the ensuing theft of this information; the theft of a credit union’s hard drive; and the theft of a vendor’s computer. We also provide information on how NCUA and credit unions have responded to these data security incidents.
The purpose of this letter is to provide important considerations for credit unions that are currently engaged in or may be considering the use of wireless technology. Wireless technology can potentially provide important benefits for credit unions and their members. For some, this may be a cost-effective alternative for a credit union seeking to expand its existing hard-wired computer network. Additionally, it may enable a credit union to provide members with increased accessibility to its Internet-based financial service offerings.
However, those credit unions that have made a decision to implement wireless technology should also be aware of the potential increase in the amount of risk exposure for the credit union. Credit unions may be able to mitigate the following risk areas with proper planning and controls.
GUIDELINES FOR ENSURING THE QUALITY OF DISSEMINATED INFORMATION Policy NCUA will undertake to ensure that the information it disseminates to the public is objective (accurate, clear, complete, and unbiased), useful and has integrity. Most information disseminated by NCUA is subject to the basic standard described in these guidelines. Additional levels of quality standards are adopted as appropriate for specific categories of disseminated information. The OMB guidelines require “influential scientific, financial or statistical information” to meet a higher standard of quality. OMB defines “influential” to mean, “the agency can reasonably determine that dissemination of the information will have or does have a clear and substantial impact on important public policies or important private sector decisions.” Id. at 8455. Influential information disseminated by NCUA is subject to a level higher than the basic standard. The NCUA’s Chief Information Officer (CIO) serves as the agency official charged with overseeing the agency’s compliance with OMB guidelines for the quality of information disseminated by NCUA.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2004 delineates those audits and investigations that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Inspector General Act, the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, the Federal Information Security Management Act (FISMA), and the Sarbanes-Oxley Act of 2002;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Audits and reviews of NCUA and the credit union industry planned and performed by the General Accounting Office (GAO);
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2005 delineates those audits that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act, and the Inspector General Act;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Audits planned and performed by the General Accounting Office (GAO);
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2003 delineates those audits and investigations that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, the Government Information Security Act (GISRA), and the Inspector General Act;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
How the Annual Plan was formulated The NCUA OIG plans its work to identify and respond to issues that are of greatest importance to NCUA. For purposes of the Annual Plan, we have identified prospective audit and investigative work that is responsive to the agency’s strategic goals. The agency’s strategic goals are:
• Promote a system of financially healthy, well-managed federally insured credit unions able to withstand economic volatility.
• Facilitate credit unions’ ability to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.
• Create a regulatory environment that will facilitate credit union innovation to meet member financial service expectations.
• Enable credit unions to leverage their unique place in the American financial system to extend availability of service to all who seek such service, while encouraging and recognizing their historical emphasis on servicing those of modest means.
• Enhance NCUA’s organization to continue to work with the credit union community in creating an environment that enables credit unions to continue to flourish while addressing the challenges of the 21st century.
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL EVALUATION The Government Information Security Reform Act (GISRA), Public Law 106-398, requires Inspectors General (IG) to perform independent evaluations to:
• Assess compliance with GISRA and agency security policies and procedures; and
The Office of Management and Budget (OMB) has requested IGs to submit the results of their independent evaluation by responding specifically to questions 2 through 13 of OMB Memorandum M-01-24. The following presents our evaluation of the National Credit Union Administration’s (NCUA) compliance with GISRA. The NCUA Office of Inspector General (OIG) has determined that NCUA is not yet in compliance with GISRA. The following represents the agency’s status toward compliance with key GISRA provisions as of August 2001:
• NCUA needs to develop an agency-wide security program. NCUA developed a draft security policy that will be incorporated in the security program. However, this policy has not been approved by the agency head or disseminated to personnel with key responsibilities.
Rapidly evolving technologies continue to provide efficient, cost-effective methods for providing fast delivery of a wide range of member services. Accompanying the opportunities to deliver cost-effective services is growing exposure of technology resources to misuse and theft, which can result in loss of member confidence. Intrusion and abuse of technology is growing at an escalating rate. Intrusions, as noted in the chart below, reflect an increasing average rate of approximately 300 percent annually. The data was provided by Computer Emergency Response Team/Coordinating Committee (CERT/CC). The CERT/CC is a government sponsored organization operated by the Carnegie Mellon Software Engineering Institute. Part of its mission is to track vulnerabilities in computer systems and recommend methods to improve computer security. Incidents are voluntarily reported and include:
1. Attempts to gain unauthorized access to a system or its data;
The purpose of this Letter is to provide additional guidance for combating the email schemes discussed in the recently released Letter to Credit Unions #04-CU-05 Fraudulent E-Mail Schemes. In addition, this Letter is intended to raise awareness of the increasingly common Internet fraud called “phishing.” NCUA encourages credit unions to educate their members, strengthen monitoring systems, and enhance response programs to reduce the potential risk of Internet-related fraud schemes to their organization and members. Such schemes may negatively impact your credit union’s reputation, transaction, liquidity, and strategic risks.
This alert is intended to raise awareness of an Internet worm, BugBear.B, that recently surfaced as a potential threat specifically targeted to financial institutions and to prompt credit unions and credit union technology service providers to take immediate steps to mitigate the threat to their organizations and customers.
Information technology (IT) and security continue to evolve at a rapid pace. New risks and threats arise quickly to challenge emerging and established technologies. Yet the essential elements of strong controls and sound IT practices remain the same despite the environmental changes. As part of our review of IT in corporate credit unions, the Office of Corporate Credit Unions (OCCU) IT examiners have focused on ensuring the adequacy of basic control elements such as firewalls, intrusion detection, penetration tests, and sound network architectures. I am pleased to note that corporates have been diligent in this regard and that many sound control practices have been implemented. OCCU IT staff will continue to verify that basic IT security control elements remain strong. However, the ever-changing dynamics of the corporate credit union IT risk profile require that we also focus attention on the following critical information security areas:
1. Information Security Risk Assessment;
2. Security Application Code Reviews;
3. Service Provider Oversight & Contracts;
4. Security Awareness of Employees;
5. Change Management for Applications & Infrastructure; and
6. Security for Remote Locations.
Each area is briefly discussed below.
The federal banking regulatory agencies today issued proposed rules to implement a special post-employment restriction on certain senior examiners employed by an agency or Federal Reserve Bank, as required by the Intelligence Reform and Terrorism Prevention Act of 2004. Under the proposal, if an examiner serves as the senior examiner for a depository institution or depository institution holding company for two or more months during the examiner’s final twelve months of employment with an agency or Reserve Bank, the examiner may not knowingly accept compensation as an employee, officer, director, or consultant from that institution or holding company, or from certain related entities.
European Union Data Directive: The 1995 European Union Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data became effective on October 25, 1998, and covers the processing of data within the EU and its transfer outside of the EU. The Directive requires EU member states to pass national privacy laws implementing the principles established in the Directive. While laws implementing the Directive vary somewhat from one member state to another, the general framework remains the same throughout the EU. Since the EU imposes sanctions on its members for not passing laws according to its Directive, 15 EU member states (except Ireland, Luxembourg and France) have implemented the Directive to date. Even the three exceptions have privacy legislation that requires compliance from companies doing business in these nations. The EU Directive applies to all processing of personal information by any person or organization within the EU, both private and public. The Directive applies to all citizens and resident employees. It also covers data processing and/or transfer by entities owned by or affiliated with United States companies that process data within the EU. Data can only be processed if certain processing principles are followed.
The banking agencies will implement the Central Data Repository (CDR) to process the Reports of Condition and Income (Call Reports) beginning with the third quarter of 2005. This filing period begins September 30, 2005. Except for certain banks with foreign offices, data must be received by October 30, 2005. The agencies recognize that institutions whose operations have been significantly affected by Hurricane Katrina may experience difficulty or delay in filing their third quarter Call Report. Those institutions should contact their primary regulator or the CDR help desk at 1-888-CDR-3111 for special assistance in filing third quarter Call Report data. The CDR will require banks to validate their Call Report data before it will be accepted. To allow sufficient time to complete the new prevalidation process prior to the submission deadline, banks should start their Call Report preparation process earlier than in the past. The new prevalidation process will require banks to correct errors identified by the CDR and, where necessary, to prepare explanatory comments for data that fall outside specific parameters. These explanatory comments, which will be filed along with a bank's data, will be considered confidential.
Donald E. Powell today announced that he will be leaving the agency to coordinate the Bush Administration's efforts to rebuild the Gulf Coast areas affected by the recent hurricanes. Mr. Powell became the 18th Chairman of the Federal Deposit Insurance Corporation (FDIC) on August 29, 2001. “I am honored that the President has chosen me for this important effort to help rebuild the Gulf region,” said Powell. “This new position allows me to continue to serve my country and help the many people who have had their lives turned completely upside down.” “In my role as FDIC chairman, I had the opportunity to tour the area and see firsthand what the communities in the Gulf region face. I look forward to this new challenge and appreciate the trust that the President has in me. Of course, I will always have fond memories of my time at the FDIC. I have been afforded the opportunity to work with many wonderful people inside and outside the agency, and I feel truly blessed,” Powell concluded.
Welcome to the fourth issue of The SAR Activity Review – By the Numbers, a compilation of statistical data gathered from Suspicious Activity Report forms submitted by depository institutions since April 1996, casinos and card clubs since August 1996, certain money services businesses since January 2002, and certain segments of the securities and futures industries since January 2003. By the Numbers serves as a companion piece to the publication of the Trends, Tips & Issues, which provides information about the preparation, use, and utility of Suspicious Activity Reports. By the Numbers is produced twice a year to cover two periods: January 1 A review of the statistical data generated for Issue 4 of By the Numbers reveals some interesting facts. As of December 31, 2004, over 2.1 million Suspicious Activity Report forms had been filed with FinCEN. Although the remainder of this publication provides detailed statistical data on those forms, some general observations are provided below for each type of form.
The SAR Activity Review - Trends, Tips & Issues
Summary: The FDIC has updated its risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions. Highlights: * The FDIC's new risk-focused IT examination procedures focus on the financial institution's information security program and risk-management practices for securing information assets. * The IT Examination Officer's Questionnaire must be completed and signed by an officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of the examination.
U.S. Implementation of Basel II: Objectives of Basel Accord. Advance a "three-pillar" approach: Pillar 1, minimum capital requirement; Pillar 2, supervisory oversight; Pillar 3, heightened market discipline. Develop a measure of capital that is: more risk sensitive than the current approach; better suited to the complex activities of internationally active banks; capable of adapting to market and product evolution
assessments of capital adequacy
The Federal Reserve Board on Monday announced amendments to Appendix A of Regulation CC that reflect the restructuring of the Federal Reserve's check processing operations in the Twelfth District. These amendments are part of a series of amendments to Appendix A that will take place through the first quarter of 2006, associated with the previously announced restructuring of the Reserve Banks' check processing operations. Appendix A provides a routing number guide that helps depository institutions determine the maximum permissible hold periods for most deposited checks. As of October 22, 2005, the Portland branch office of the Federal Reserve Bank of San Francisco will no longer process checks, and banks currently served by that office will be reassigned to the Seattle branch office of the Federal Reserve Bank of San Francisco.
Today's announcement that 207,000 jobs were created in July is another significant indicator that America's economy is expanding. Now, nearly 4 million new jobs have been created since May 2003 and the unemployment rate remains at 5 percent. Combined with several recent reports indicating steady non-inflationary increases in economic activity, this shows that the fundamentals of our economy are strong and that we are continuing on a positive path of growth and prosperity.
FACILITATING AFFILIATION AMONG BANKS, SECURITIES FIRMS, AND INSURANCE COMPANIES
The Patriot Act, and How It Applies to the Banking Industry: The U.S. Department of the Treasury issued a final rule on September 26, 2002, to implement Section 314 of the USA PATRIOT Act that adds sections 103.100 and 103.110 to the Bank Secrecy Act regulations. These sections establish procedures that encourage information sharing between governmental authorities and financial institutions, and among financial institutions themselves. The new section 103.100 establishes a mechanism for law enforcement to communicate names of suspected terrorists and money launderers to financial institutions in return for securing the ability to promptly locate accounts and transactions involving those suspects. Financial institutions receiving names of suspects must search their account and transaction records for potential matches and report positive results to Treasury's Financial Crimes Enforcement Network (FinCEN) in the manner and time frame specified in the request. Each financial institution must designate a point of contact to receive information requests. FinCEN has prescribed that each financial institution supply point of contact information to its primary federal regulator. If you have not already done so, send by e-mail to FDICAdvisory@fdic.gov or by mail to FDIC, Special Activities Section, 550 17th Street NW, Washington, DC 20429, the following information: name of institution, name of point of contact, title, mailing address, e-mail address, telephone number, and fax number. Changes in contact information must be promptly reported.
Summary: The FDIC is providing guidance to financial institutions on the security risks
• VoIP is susceptible to the same security risks as data networks if security policies and configurations are inadequate.
Guidance on Developing an Effective Pre-Employment Background Screening
Summary: The Federal Deposit Insurance Corporation encourages banks to assist those impacted by Hurricane Katrina by honoring handwritten, typewritten, and laser checks issued by certain Social Security Administration Offices.
In 2001, NCUA amended 12 CFR Part 748 to fulfill a requirement in Section 501 of the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA), in which Congress directed both NCUA and the other Federal Financial Institution Examination Council (FFIEC) agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (collectively, the “Banking Agencies”) to establish standards for financial institutions relating to administrative, technical, and physical safeguards to...
The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance in three booklets on electronic banking (e-banking), information technology (IT) audit, and the FedLine electronic funds transfer application. These booklets are the most recent in a series that will completely update and replace the 1996 FFIEC Information Systems (IS) Examination Handbook. The work programs contained in the booklets represent expanded procedures that examiners can use if appropriate for the risk and complexity of the bank’s operations. The Audit Booklet rescinds chapter 8, and the FedLine Booklet rescinds chapter 19 of the 1996 FFIEC IS Examination Handbook. The E-Banking Booklet replaces the OCC Internet Banking Handbook and OCC Bulletin 98-38, “Technology Risk Management: PC Banking.” This booklet reflects the OCC’s views on the risks specific to e-banking and provides bankers and examiners with guidance on those risks and the risk management issues associated with the delivery of e-banking products and services. Banks face unique risks based on the choices they make when implementing and enhancing their e-banking services. Decisions on network Internet connectivity, outsourcing various system components, and the specific products and services affect the level of risk and the complexity of risk management. Senior management and boards of directors must understand these risks before investing in and expanding their e-banking activities. They need to integrate the e-banking-related controls into their existing strategic plan, information security program, vendor management process, and business continuity plans. Banks must have appropriate controls, testing, and expertise for all internally managed e-banking system components. In addition, banks with outsourced e-banking processes should carefully select and monitor service providers to ensure that appropriate controls exist. 
The bank can outsource the process or service, but remains responsible for the adequacy of the controls to ensure confidentiality, integrity, and availability.
This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act. 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems. BACKGROUND Federal legislation changed the legal framework for electronic records and will likely result in more banks adopting electronic record retention systems. Banks can implement electronic record retention systems in many ways to support different business processes. Some examples of possible electronic record retention systems are loan file imaging, retention of paperless applications and online agreements, and the use of electronic payment systems.
On January 17, 2001, the banking regulatory agencies adopted guidelines implementing Section 501 of the Gramm-Leach-Bliley Act (GLBA). The guidelines require financial institutions to establish a comprehensive and coordinated information security program, appropriate to the size of the bank and the complexity of its operations.
Summary: The FDIC is providing guidance to financial institutions on implementing a fraud hotline to minimize potential and actual fraud risks as part of a bank's governance and enterprise risk management program.
Highlights:
The FDIC encourages financial institutions to consider the benefits of implementing a fraud hotline as a confidential communication channel to identify fraud and reduce fraud-related losses.
The Association of Certified Fraud Examiners – in its “2004 Report to the Nation” – stated that organizations without mechanisms to report fraud suffered financial losses that were more than twice as high as organizations with anonymous fraud-reporting mechanisms.
This alert is intended to raise awareness of an Internet virus, Bugbear.B, that recently surfaced as a potentially serious threat to financial institutions and to prompt banks and bank technology service providers to take immediate steps to mitigate the threat to their organizations and customers. BACKGROUND Viruses are an increasing threat to Internet-connected systems. The Bugbear.B virus is the latest and most capable variant that threatens financial institutions. Institutions with the capability to access the Internet, including dial-up connections, may be vulnerable to the Bugbear.B virus and other viruses, and should institute appropriate measures to mitigate the risks posed to their servers, desktops, laptops, and other computing devices.
Encryption is used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. It can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols. Encryption is used as both a preventive and a detective control. As a preventive control, encryption protects data from disclosure to unauthorized parties. As a detective control, encryption is used to allow discovery of unauthorized changes to data and to assign responsibility for data among authorized parties. When prevention and detection are joined, encryption is a key control in ensuring confidentiality, data integrity, and accountability. Properly used, encryption can strengthen the security of an institution's systems. Encryption also has the potential, however, to weaken other security aspects. For instance, encrypted data drastically lessens the effectiveness of any security mechanism that relies on inspection of the data, such as anti-virus scanning and intrusion detection systems. When encrypted communications are used, networks may have to be reconfigured to allow for adequate detection of malicious code and system intrusions.
Security personnel allow legitimate users to have the system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include altering data; deleting production and backup data; crashing systems; destroying systems; misusing systems for personal gain or to damage the institution; holding data hostage; and stealing strategic or customer data for corporate espionage or fraud schemes.
The four Federal banking agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision) today announced their revised plans for the U.S. implementation of the "International Convergence of Capital Measurement and Capital Standards: A Revised Framework," otherwise known as Basel II. The agencies previously announced on April 29, 2005, that they were delaying issuance of a notice of proposed rulemaking (NPR), pending additional analysis of the quantitative impact study (QIS4) submissions. The agencies intend to move forward with an NPR for domestic implementation of Basel II, but plan to introduce additional prudential safeguards in the NPR to address concerns identified in the analysis of the results of the QIS4 conducted with the industry. The agencies expect that the U.S. Basel II proposal will be available in the first quarter of 2006.
The Board of Directors of the Federal Deposit Insurance Corporation (FDIC) today approved an interagency advance notice of proposed rulemaking (ANPR) to solicit comments on the way that the vast majority of banks and thrifts in the U.S. calculate their minimum capital requirements. This framework is sometimes referred to as Basel I-A because it is anticipated to apply to banks that do not adopt the international Basel II Capital Accord. That standard, which is expected to cover only the largest and most complex banks and thrifts in the U.S., is moving through a separate rulemaking process, with a proposed rule targeted to become available in the first quarter of 2006. The Basel II standard is intended to strengthen the regulation of large, complex banking companies by making their capital requirements more sensitive to changes in risk. The prospect of reductions in risk-based capital requirements under the Basel II standard has given rise to competitive equity concerns among smaller banks and thrifts. The ANPR that the Board approved today is intended, in part, to provide these institutions an opportunity to comment formally about these competitive issues, and what the federal banking regulators should do about them.
Summary: On September 30, 2005, the FDIC implemented the Relationship Manager Program (RMP) for all FDIC-supervised financial institutions. The RMP is designed to strengthen lines of communication between bankers and the FDIC, as well as improve the coordination, continuity and effectiveness of FDIC supervision.
The four federal banking agencies--the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision--today published an interagency advance notice of proposed rulemaking (ANPR) regarding potential revisions to the existing risk-based capital framework. These changes would apply to banks, bank holding companies, and savings associations.
The FDIC is providing the attached guidance to financial institutions to remind them of the importance of an effective internal corporate code of conduct or written ethics policy.
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The guidance interprets the agencies’ customer information security standards and states that financial institutions should implement a response program to address security breaches involving customer information. The response program should include procedures to notify customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer. The guidance provides that, "when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused."
Section 314(a) of the USA PATRIOT Act of 2001 (P.L. 107-56) required the Secretary of the Treasury to adopt regulations to encourage regulatory authorities and law enforcement authorities to share with financial institutions information regarding individuals, entities, and organizations engaged in or reasonably suspected, based on credible evidence, of engaging in terrorist acts or money laundering activities. FinCEN issued a proposed rule on March 5, 2002, and the final rule on September 26, 2002 (67 Fed. Reg. 60,579). Section 314(a) requirements are now published in 31 CFR Part 103.100.
WASHINGTON -- Comptroller of the Currency John C. Dugan told the Senate Banking Committee today that the goal of the Basel II Capital Framework – and a separate initiative for smaller institutions – will substantially enhance safety and soundness. “Basel II will promote significant advances in risk management that will benefit supervisors and banks alike and substantially enhance safety and soundness,” Mr. Dugan said in testimony before the Senate panel. However, the Basel Framework will inevitably require adjustments to address supervisory concerns, Mr. Dugan said. While the recent Quantitative Impact Study 4 (QIS-4) of the Capital Framework's impact on large U.S. banks showed widely different results for participating institutions and suggested the possibility of substantial reductions in capital, the Comptroller said it is important now to see how live systems operate in a transition period. “We need to observe live systems in operation – and subject them to rigorous supervisory scrutiny – before we will be able to rely on Basel II for regulatory capital purposes,” he said. To accomplish that, Mr. Dugan said, the upcoming Basel II rulemakings will provide a meaningful transition period during which regulators can observe and scrutinize Basel II systems while strictly limiting, through a system of simple and conservative capital floors, potential reductions in capital requirements.
I. Introduction Good morning, Chairman Shelby, Ranking Member Sarbanes, and Members of the Committee. Thank you for the opportunity to discuss the views of the Office of Thrift Supervision on the development of the Basel II capital framework in the United States for our largest U.S. financial institutions and the parallel modernization of Basel I for our institutions. The development of Basel II has been underway, internationally, for a number of years. In the Uni
The federal bank and thrift regulatory agencies today issued final rules to implement a special post-employment restriction on certain senior examiners employed by an agency or Federal Reserve Bank, as required by the Intelligence Reform and Terrorism Prevention Act of 2004. Under the final rules, if an examiner serves as the senior examiner for a depository institution or depository institution holding company for two or more months during the examiner's final twel
Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.
Copyright © 2007 BankInfoSecurity.com
