Comptroller of the Currency John C. Dugan recently established the Enterprise Governance unit to support the Office of the Comptroller of the Currency’s strategic planning, risk management, quality management, assurance testing, and business process improvement efforts.
On December 21, 2006, the Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) was revised. The revisions are the result of their continuing efforts to reduce paperwork and respondent burden. The form was revised and reformatted to standardize suspicious activity reports, enhance the clarity of instructions, allow for joint filing of Suspicious Activity Reports, and to improve the usefulness of the Suspicious Activity Report to law enforcement.
This bulletin is intended to provide guidance to national banks on a number of disclosure and marketing issues presented by gift cards, so that national banks that issue gift cards do so in a manner in which both purchasers and recipients of gift cards are fully informed of the terms and conditions of the product. A gift card is a type of prepaid or stored value card that is designed to be purchased by one consumer (purchaser) and presented as a gift to a second consumer (recipient). The terms and conditions of different gift card products can vary significantly, but gift cards are generally divided into two main categories: retail gift cards and bank-issued gift cards.
FINANCIAL MARKET PREPAREDNESS Significant Progress Has Been Made, but Pandemic Planning and Other Challenges Remain Highlights of GAO-07-399, a report to congressional requesters This is GAO’s third report since the September 11 terrorist attacks that assesses progress that market participants and regulators have made to ensure the security and resiliency of our securities markets. This report examined (1) actions taken to improve the markets’ capabilities to prevent and recover from attacks; (2) actions taken to improve disaster response and increase telecommunications resiliency; and (3) financial regulators’ efforts to ensure market resiliency. GAO inspected physical and electronic security measures and business continuity capabilities using regulatory, government, and industry-established criteria and discussed improvement efforts with broker dealers, banks, regulators, telecommunications carriers, and trade associations. What GAO Recommends To improve the readiness of the securities markets to withstand potential disease pandemics, securities and banking regulators should consider taking additional actions, including providing formal expectations that market participants’ plans address even severe pandemic outbreaks and setting a date by which such plans should be completed. Banking and securities regulators indicated they believe organizations are adequately addressing this risk, but will consider taking the recommended actions if progress lags. GAO believes that giving greater consideration now would better assure market readiness.
The Financial Crimes Enforcement Network (FinCEN) today filed a Federal Register notice announcing the delayed implementation of certain revised Suspicious Activity Report (SAR) forms that were scheduled to become effective on June 30, 2007. The agency is withdrawing this effective date for the revised SAR forms for depository institutions, casinos and card clubs, insurance companies, and the securities and futures industries. FinCEN will establish new effective and mandatory compliance dates for these revised forms in a future notice. The delay does not impact ongoing suspicious activity reporting, which will continue using the current forms.
In its decision today in the Watters vs. Wachovia Bank case, the Supreme Court held that federal preemption standards applicable to national banks extend to activities conducted through their operating subsidiaries. Specifically, the Court held that a national bank’s mortgage business, whether conducted by the bank itself or through the bank’s operating subsidiary, is subject to the OCC’s supervision and regulation, and not to state licensing, reporting, and visitorial regimes. We are pleased that the Court’s decision supports the ability of national banks to continue to conduct business activities in their operating subsidiaries as they are now doing.
The Office of the Comptroller of the Currency will host a compliance risk workshop for national community bank directors at the Omni Charlottesville Hotel, Charlottesville, Virginia, May 2. The workshop entitled, "Compliance Risk: What Directors Need to Know," provides practical information that expands bank directors' skills and understanding of issues facing their banks.
Because of the integration of voice and data in a single network, establishing a secure VOIP and data network is a complex process that requires greater effort than that required for data-only networks. In particular, start with these general guidelines, recognizing that practical considerations, such as cost or legal requirements, may require adjustments for the organization: 1. Develop appropriate network architecture. • Separate voice and data on logically different networks if feasible. Different subnets with separate RFC 1918 address blocks should be used for voice and data traffic, with separate DHCP servers for each, to ease the incorporation of intrusion detection and VOIP firewall protection
The government’s interest in using technology to detect terrorism and other threats has led to increased use of data mining. A technique for extracting useful information from large volumes of data, data mining offers potential benefits but also raises privacy concerns when the data include personal information. GAO was asked to review the development by the Department of Homeland Security (DHS) of a data mining tool known as ADVISE (Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement). Specifically, GAO was asked to determine (1) the tool’s planned capabilities, uses, and associated benefits and (2) whether potential privacy issues could arise from using it to process personal information and how DHS has addressed any such issues. GAO reviewed program documentation and discussed these issues with DHS officials.
The Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced Thursday that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) has been revised to support a new joint filing initiative, which will reduce the number of duplicate SARs filed for a single suspicious transaction. The revisions are the result of a joint effort by FinCEN and the federal banking agencies.
Kmart Corporation has agreed to settle Federal Trade Commission charges that it engaged in deceptive practices in advertising and selling its Kmart gift card. As part of the settlement, Kmart will implement a refund program and publicize it on its Web site. This is the agency’s first law enforcement action involving gift cards. “Consumers have a right to know when gift cards come with strings attached,” FTC Chairman Deborah Platt Majoras said. “If fees or restrictions apply, gift card issuers must fully and clearly disclose them.”
In the first 10 months of 2006, over half of the 213 information security breaches reported by financial institutions to the FDIC involved technology service providers (TSP). In accordance with federal laws and regulations, financial institutions must safeguard sensitive customer information against unauthorized disclosure when outsourcing various information technology (IT) operations to TSPs. Interagency guidelines contained in Part 364 of the FDIC Rules and Regulations establish key controls over TSPs, noting that each bank shall (1) exercise due diligence in selecting TSPs, (2) have contractual arrangements with their TSPs that require appropriate measures to safeguard customer information, and (3) provide ongoing monitoring of TSPs to ensure they have satisfied their contractual obligations.
The Office of the Comptroller of the Currency today announced its schedule of workshops for national community bank directors. This year the OCC has added a workshop for community bank directors entitled "A New Director’s Challenge: Mastering the Basics." This two-day program, scheduled in Washington D.C., April 16-18, is geared primarily to directors with less than three years of experience. The workshop should be particularly valuable to directors of new national banks, many of whom are also new to the industry.
Purpose and Scope This document outlines the Office of Thrift Supervision’s (OTS’s) supervisory expectations for savings associations’ gift card programs. The purpose of this guidance is to ensure adequate account administration, marketing, and consumer disclosure practices for gift card programs; to encourage more uniform practices among the thrift institutions that offer gift card programs; and to promote consumer protection while continuing to encourage product innovation. Background A gift card is a payment card with a preloaded value that one consumer typically gives to another as a gift. Like a gift certificate, a consumer may use a gift card to purchase goods or services from one or more merchants.
Summary: The federal bank and thrift regulatory agencies are seeking comment on the attached proposed guidance describing current agency expectations for banking organizations that would adopt the Advanced Internal Ratings-Based Approach (IRB) for credit risk and the Advanced Measurement Approaches (AMA) for operational risk under the proposed new Basel II capital framework. The proposed guidance also establishes the process for supervisory review and the implementation of the capital adequacy assessment process under Pillar 2 of the Basel II framework. The FDIC will accept comments on the proposed guidance through May 29, 2007.
Comptroller of the Currency John C. Dugan told an audience of bank risk managers today that, because their goals are so closely aligned to those of the regulators, the regulations and guidance issued by the agencies can support them in meeting their firms’ objectives. For example, he said, regulators can highlight concerns that are important to risk managers, but which others in the bank might prefer to ignore for competitive reasons. An example is the interagency guidance on non-traditional mortgages, which establishes expectations for prudent underwriting, taking into account some of the unique features and risks these products present.
The Federal Deposit Insurance Corporation (FDIC) recognizes the serious impact of the recent severe storms and tornadoes in central Florida on the operations of financial institutions and will provide regulatory assistance to institutions subject to its supervision. These initiatives are being taken to provide regulatory relief and facilitate recovery. The FDIC encourages depository institutions in the affected disaster areas to meet the financial service needs of their communities.
E-mails fraudulently claiming to be from the FDIC or VeriSign, Inc. are attempting to deceive financial institutions into installing unknown software on their computer networks. The Federal Deposit Insurance Corporation (FDIC) has become aware of e-mails that appear to be sent from the FDIC or VeriSign, Inc. and ask recipients to run a "security guard script" to secure Web sites. Currently, the e-mails are purportedly from "FDIC Legal Information Technology," "FDIC Information Security," or "Verisign Inc." and the subject lines include the phrase "Regular Security Maintenance" or "Regular Hosting Security Maintenance." The e-mails are fraudulent and were not sent by the FDIC or VeriSign, Inc.
PURPOSE This bulletin reminds national banks and their technology service providers of the upcoming change in the schedule for Daylight Savings Time. National banks may be exposed to a variety of risks if they do not prepare their systems to reflect this change. BACKGROUND Daylight Savings Time (DST) in the United States will begin earlier and end later in 2007 than in years past. The Energy Policy Act of 2005, signed into law August 2005, moves the beginning of DST from the first Sunday in April to the second Sunday in March. DST will now end the first Sunday in November instead of the last Sunday in October.
Why GAO Did This Study The Federal Deposit Insurance Reform Conforming Amendments Act of 2005 requires GAO to report on the effectiveness of Federal Deposit Insurance Corporation’s (FDIC) organizational structure and internal controls. GAO reviewed (1) mechanisms the board of directors uses to oversee the agency, (2) FDIC’s human capital strategies and how its training initiatives are evaluated, and (3) FDIC’s process for monitoring and assessing risks to the banking industry and the deposit insurance fund, including its oversight and evaluation. To answer these objectives, GAO analyzed FDIC documents, reviewed recommended practices and GAO guidance, conducted interviews with FDIC officials and board members, and conducted site visits to FDIC regional and field offices in three states. What GAO Recommends GAO recommends that FDIC (1) develop outcome-based performance measures for key human capital initiatives and make available such performance results to all employees and (2) develop policies and procedures that define how it will systematically and comprehensively evaluate its risk assessment activities.
What GAO Recommends With safeguards, it is appropriate for U.S. banking regulators to proceed with finalizing Basel II and begin the transition period. GAO recommends that they (1) clarify some aspects of the Notice of Proposed Rulemaking (NPR); (2) issue a new NPR if material differences from the current NPR, or a U.S. standardized approach option, are planned for the final rule; (3) issue periodic public reports on progress, results, and any needed adjustments; and (4) at the end of the transition period, reevaluate the appropriateness of Basel II as a long-term framework for setting regulatory capital. The Federal Reserve said it agreed with our recommendations and the other banking agencies said they will consider them as part of the rule-making process.
The federal bank and thrift regulatory agencies on Thursday announced that they will seek public comment on three proposed supervisory guidance documents related to the September 2006 notice of proposed rulemaking (NPR) on new risk-based capital requirements in the United States for large, internationally active banking organizations. The September 2006 NPR detailed the agencies' proposal for implementing the new capital framework issued by the Basel Committee on Banking Supervision in 2004 (Basel II). The proposed U.S. Basel II capital framework would be mandatory for large, internationally active U.S. banking organizations and optional for other institutions. The Basel II NPR includes requirements that banking organizations would need to satisfy to calculate their risk-based capital under the proposed new capital framework. The proposed supervisory guidance provides information to assist bankers, as well as supervisors, in addressing the Basel II qualification requirements.
Summary: The FDIC has revised its Compliance Examination Handbook. The new handbook contains the FDIC's compliance examination policies and procedures in effect as of June 2006. It also includes revised Community Reinvestment Act (CRA) examination procedures and performance evaluations. The handbook will be available in electronic format only and can be accessed on the FDIC's Web site at http://www.fdic.gov/regulations/compliance/handbook/index.html.
Hurricanes Katrina and Rita destroyed homes and displaced millions of individuals. While federal and state governments continue to respond to this disaster, GAO has identified significant control weaknesses, specifically in the Federal Emergency Management Agency (FEMA)'s Individuals and Households Program (IHP) and in the Department of Homeland Security (DHS)'s purchase card program, resulting in significant fraud, waste, and abuse. In response to the numerous recommendations GAO made, DHS and FEMA have reported on numerous actions taken to address our recommendations. Lessons learned from GAO's prior work can serve as a framework for an effective fraud prevention system for federal and state governments as they consider spending billions more on disaster recovery. These lessons are particularly important because funding that is lost to fraud, waste, and abuse reduces the amount of money that could be delivered to victims in need.
The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has prepared an assessment of mortgage loan fraud, which it based on its analysis of Suspicious Activity Reports (SARs). Financial institutions offering mortgage loan products may find the assessment useful. The assessment, entitled "Mortgage Loan Fraud," is available on FinCEN's Web site at http://www.fincen.gov/mortage_fraud.html.
The Federal Reserve Board on Friday approved changes to its Policy on Payments System Risk that revise the Board's expectations for systemically important payments and settlement systems subject to its authority and update and clarify the policy with regard to central counterparties. Under the revised policy, systemically important payments and settlement systems subject to the Board's authority are expected to complete and disclose publicly self-assessments against the principles and minimum standards in the policy. The self-assessment should be reviewed and approved by the system's senior management and board of directors upon completion and made readily available to the public. In addition, a self-assessment should be updated following material changes to the system or its environment and, at a minimum, reviewed by the system every two years.
Summary: The FDIC, along with the other federal banking agencies and the Securities and Exchange Commission, is issuing the attached final Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities (Final Statement). The Final Statement describes the types of internal controls and risk-management policies and procedures that the agencies have found to be useful in identifying, managing and addressing the potentially heightened legal or reputational risks that may arise from certain complex structured finance transactions.
As use of the Internet continues to expand, more credit unions are using it to offer products and services or otherwise enhance communications with members. The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct credit union business, any day, any time. However, members need to make good on-line choices—decisions that may help avoid costly surprises or scams.
The Office of the Comptroller of the Currency issued guidance today warning of the risks posed by scams involving fraudulent bank cashier's checks and describing steps national banks should take to protect themselves and their customers. A cashier's check, which is issued by a bank and sold to a consumer or other purchaser, represents a direct obligation of the bank. The guidance was issued in response to a growing incidence of scams involving cashier's checks. In most of these cases, individuals receive a cashier's check and are asked to deposit the check into their account, wait until funds become available and then wire some part of the funds from their account to a third party, often in a foreign country.
The Agencies are adopting an Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities ("Final Statement"). The Final Statement pertains to national banks, state banks, bank holding companies (other than foreign banks), federal and state savings associations, savings and loan holding companies, U.S. branches and agencies of foreign banks, and SEC-registered broker-dealers and investment advisers (collectively, "financial institutions" or "institutions") engaged in complex structured finance transactions ("CSFTs"). In May 2004, the Agencies issued and requested comment on a proposed interagency statement ("Initial Proposed Statement"). After reviewing the comments received on the Initial Proposed Statement, the Agencies in May 2006 issued and requested comment on a revised proposed interagency statement ("Revised Proposed Statement").
How a financial institution can create an effective incident response program to mitigate a data security breach is reported in the FDIC's winter 2006 edition of Supervisory Insights, released today. Other topics covered in today's edition are: an update on CRE lending nationwide, with a look at best practices in CRE concentrations, particularly for identifying, monitoring and controlling risk in this lending area; the increasing number of unfair or deceptive acts or practices, and how examiners identify and address those violations; and highlights of recent USA PATRIOT Act changes and the types of Bank Secrecy Act (BSA)-related violations that examiners are citing.
Unauthorized access to sensitive customer information threatens to undermine customer confidence and the reputations of both individual financial institutions and the financial services industry. This threat is aggravated by the patchwork of state laws and federal regulations that govern unauthorized access or breach response incidents. Despite these challenges, financial institutions are strengthening data security programs and developing or improving customer notification programs. The “BITS/ABA Key Considerations for Responding to Unauthorized Access to Sensitive Customer Information” is a tool that may assist some financial institutions in developing and executing response programs when sensitive information is accessed and misused by unauthorized individuals.
This BITS Consumer Confidence Toolkit provides information to support consumer confidence in the safety, soundness and security of financial services. Originally published in September 2005, this is a revised and updated edition. This is intended to be an educational resource—whether for use by consumers, policy makers, financial institutions or others with interest in the subject matter. Special attention is placed on information security as well as online financial services transacted through the Internet. Data in support of the safety of online financial transactions is provided. Information about the proactive leadership of the financial services industry is included, as well as a description of the current environment and tips for consumers to help protect their financial security, including in the online environment. Recommendations for government agencies are also provided.
This Regulatory Alert is to inform you about revisions to Part 748 of the NCUA Rules and Regulations. The revised rule describes in greater detail Suspicious Activity Report (SAR) reporting and filing requirements. The rule became effective November 27, 2006. There are six changes to Part 748 which are summarized below. 1. Notification to board of directors
Computer security incident response has become an important component of information technology (IT) programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
Today's testimony will address whether FEMA provided improper and potentially fraudulent (1) rental assistance payments to registrants at the same time it was providing free housing via trailers and apartments; (2) duplicate assistance payments to individuals who claimed damages to the same property for both hurricanes Katrina and Rita; and (3) IHP payments to non-U.S. residents who did not qualify for IHP. This testimony will also discuss (1) the importance of fraud identification and prevention, and (2) the results of our investigation into property FEMA bought using DHS purchase cards.
The Federal Reserve Board on Tuesday released a draft interagency notice of proposed rulemaking that would revise the existing risk-based capital framework by giving the vast majority of banks, bank holding companies, and savings associations the option of either continuing to use the existing Basel I-based capital rule or adopting a more risk sensitive rule, known as Basel IA. However, as proposed, Basel IA would not be available to large, complex international banking organizations subject to the proposed Basel II advanced capital framework. "Basel IA is intended as an option for the wide range of institutions that will not be adopting the advanced approaches of Basel II," said Governor Susan S. Bies. "The goal is to improve the Basel I standards by making them somewhat more risk sensitive while at the same time retaining a relatively simple and straightforward approach suitable for all but the largest and most complex institutions."
The FDIC Board of Directors has approved the attached final rule to amend Part 327 of the FDIC Rules and Regulations. The amendments are being made simultaneously with amendments implementing the Federal Deposit Insurance Reform Act of 2005, and are intended to make the deposit insurance assessment system react more quickly and more accurately to changes in institutions' risk profiles and to ameliorate several causes for complaint by insured depository institutions. The final rule takes effect on January 1, 2007.
The Federal Deposit Insurance Corporation (FDIC) today adopted final regulations that implement the Federal Deposit Insurance Reform Act of 2005 passed by Congress earlier this year to create a stronger and more stable insurance system. Among the final regulations is a new rule on the risk-based assessment system that will enable the FDIC to more closely tie each bank's premiums to the risk it poses to the deposit insurance fund. In addition, the FDIC has new flexibility to manage the deposit insurance fund's reserve ratio within a range, which in turn will help prevent sharp swings in assessment rates that were possible under the design of the former system. "Throughout the FDIC's push for deposit insurance reform, our goals have been to provide for long-term stability and less procyclicality in the deposit insurance system," said FDIC Chairman Sheila C. Bair. "This new system will enable the FDIC to achieve our goals, and also will add incentives for good risk management at insured institutions."
The Office of Thrift Supervision (OTS) is issuing updated versions of the Directors' Responsibility Guide and the Directors' Guide to Management Reports to highlight our supervisory expectation for a strong, consistent approach towards sound corporate governance practices, as well as the importance of strong, independent boards of directors.
The updated Director's Guide adds a new section on statutory and regulatory responsibility and clarifies the issue of blurred lines of responsibility between the board and management. We have also added a chart on the applicability of selected Sarbanes-Oxley requirements. The streamlined, restructured Guide to Management Reports consolidates some existing reports and adds additional red flags to monitor internal controls and financial performance.
Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk. An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
NCUA is issuing a final rule to describe in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and to address prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also is changing the heading for this part so it more accurately describes its scope. NCUA seeks to enhance credit union compliance with SAR reporting requirements by providing greater detail in its rule on the thresholds and procedures for filing a SAR. DATES: This rule is effective [insert date 30 days after published in the FEDERAL REGISTER]. FOR FURTHER INFORMATION CONTACT: Linda K. Dent, Staff Attorney, Office of General Counsel, at (703) 518-6540.
Organizations have information technology (IT) plans in place, such as contingency and computer security incident response plans, so that they can respond to and manage adverse situations involving IT. These plans should be maintained in a state of readiness, which should include having personnel trained to fulfill their roles and responsibilities within a plan, having plans exercised to validate their content, and having systems and system components tested to ensure their operability in an operational environment specified in a plan. These three types of events can be carried out efficiently and effectively through the development and implementation of a test, training, and exercise (TT&E) program. Organizations should consider having such a program in place because tests, training, and exercises are so closely related. For example, exercises and tests offer different ways of identifying deficiencies in IT plans, procedures, and training. This document provides guidance on designing, developing, conducting, and evaluating TT&E events so that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse events that may affect their missions. The scope of this document is limited to TT&E events for single organizations, as opposed to large-scale events involving multiple organizations, involving internal IT operational procedures for emergencies.
A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Many logs within an organization contain records related to computer security. These computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems.
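As an added illustration of the generation-to-analysis pipeline described above (this is example code, not from the NIST publication), the following Python normalizes a handful of constructed log entries from three different sources (an SSH daemon, a packet-filtering firewall, and a payment application) into one record format and then runs three simple detections over the result: a brute-force login pattern, transfers structured just under a reporting ceiling, and a source address that shows up in more than one log source. The sample lines, the five-minute window, the failure count, and the amount thresholds are all assumptions chosen for the example.

```python
"""Normalize heterogeneous security log entries and run simple detections over them."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample entries (not real captures): sshd, a firewall, and an application.
SAMPLE_LOGS = [
    "2006-12-01T08:00:01 host1 sshd[411]: Failed password for invalid user admin from 10.0.0.5 port 4021 ssh2",
    "2006-12-01T08:00:03 host1 sshd[411]: Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2",
    "2006-12-01T08:00:05 host1 sshd[411]: Failed password for invalid user admin from 10.0.0.5 port 4023 ssh2",
    "2006-12-01T08:00:09 host1 sshd[412]: Accepted password for admin from 10.0.0.5 port 4024 ssh2",
    "2006-12-01T08:01:00 fw1 kernel: DROP IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=445",
    "2006-12-01T08:02:00 host2 sshd[500]: Failed password for alice from 10.0.0.7 port 5000 ssh2",
    "2006-12-01T09:30:00 host2 sshd[501]: Failed password for alice from 10.0.0.7 port 5001 ssh2",
    "2006-12-01T09:30:02 app1 payapp: user=bob action=transfer amount=9900 status=ok",
    "2006-12-01T09:30:04 app1 payapp: user=bob action=transfer amount=9950 status=ok",
    "2006-12-01T09:30:06 app1 payapp: user=bob action=transfer amount=9990 status=ok",
]


@dataclass
class Event:
    """One normalized log entry, whatever source it came from."""
    ts: datetime
    host: str
    source: str   # "sshd", "firewall", or "app"
    kind: str     # "auth_fail", "auth_ok", "fw_drop", or "transfer"
    fields: dict


HEADER = re.compile(r"^(\S+) (\S+) ([a-zA-Z_-]+)(?:\[\d+\])?: (.*)$")
SSH = re.compile(r"^(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")
FW = re.compile(r"^DROP .*SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return an Event for a recognized line, or None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None
    ts_s, host, prog, msg = m.groups()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S")
    if prog == "sshd":
        s = SSH.match(msg)
        if s:
            kind = "auth_fail" if s.group(1) == "Failed" else "auth_ok"
            return Event(ts, host, "sshd", kind, {"user": s.group(2), "src": s.group(3)})
    elif prog == "kernel":
        f = FW.match(msg)
        if f:
            return Event(ts, host, "firewall", "fw_drop",
                         {"src": f.group(1), "dst": f.group(2), "proto": f.group(3), "dport": int(f.group(4))})
    else:
        kv = dict(KV.findall(msg))
        if kv.get("action") == "transfer":
            return Event(ts, host, "app", "transfer", {"user": kv["user"], "amount": int(kv["amount"])})
    return None


def detect(events, fail_threshold=3, window=timedelta(minutes=5), floor=9000, ceiling=10000):
    """Run three detections and return a list of findings (tuples)."""
    findings = []
    # 1. Brute force: fail_threshold failed logins for one (src, user) inside the window.
    fails = defaultdict(list)
    for e in events:
        if e.kind == "auth_fail":
            fails[(e.fields["src"], e.fields["user"])].append(e.ts)
    for (src, user), stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - fail_threshold + 1):
            if stamps[i + fail_threshold - 1] - stamps[i] <= window:
                findings.append(("brute_force", src, user))
                break
    # 2. Structuring: three or more transfers just under the ceiling inside the window.
    xfers = defaultdict(list)
    for e in events:
        if e.kind == "transfer" and floor <= e.fields["amount"] < ceiling:
            xfers[e.fields["user"]].append(e.ts)
    for user, stamps in xfers.items():
        stamps.sort()
        if len(stamps) >= 3 and stamps[-1] - stamps[0] <= window:
            findings.append(("structuring", user))
    # 3. Correlation: one source address seen by more than one kind of log source.
    seen = defaultdict(set)
    for e in events:
        if "src" in e.fields:
            seen[e.fields["src"]].add(e.source)
    for src, sources in seen.items():
        if len(sources) > 1:
            findings.append(("multi_source", src, tuple(sorted(sources))))
    return findings


def analyze(lines):
    """Parse raw lines, drop the unrecognized ones, and run detections."""
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    return events, detect(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS)[1]:
        print(finding)
```

The point of the normalization step is that the detections are written once against the common `Event` shape rather than once per source format; adding a new log source means adding a parser branch, not rewriting the analysis. The third detection also shows why retaining entries from several sources for the same period matters: neither the firewall drop nor the login failures is alarming alone, but the same address in both is worth a look.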
Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the clearance level of the user accessing those documents. This publication explains some of the commonly used access control services available in information technology systems.
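An added example (not code from the publication) of mediating access the way the paragraph describes: every request is authenticated first, then authorized under one of the two structures mentioned, a role-based one whose roles mirror an organization and a multilevel one that compares the user's clearance with the object's sensitivity label. The users, roles, labels, passwords, and the choice of PBKDF2 for the credential check are constructed for illustration.

```python
"""A small reference monitor: authenticate, then authorize by role or by clearance."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed here as the credential store format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    roles: set
    clearance: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, name, password, roles, clearance):
        salt = os.urandom(16)
        return cls(name, set(roles), clearance, salt, hash_password(password, salt))


@dataclass
class Resource:
    name: str
    kind: str          # e.g. "account", "document"
    sensitivity: str   # one of LEVELS


# Ordered sensitivity/clearance labels (an assumed lattice of four levels).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

# Role -> permitted (resource kind, action) pairs; roles mirror a bank's org chart (assumed).
ROLE_PERMS = {
    "teller": {("account", "read")},
    "branch_manager": {("account", "read"), ("account", "approve_wire")},
    "auditor": {("account", "read"), ("audit_log", "read")},
}


def authenticate(user: User, password: str) -> bool:
    """Constant-time comparison against the stored salted hash."""
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def rbac_allows(user: User, resource: Resource, action: str) -> bool:
    """Allow iff some role held by the user grants (kind, action)."""
    return any((resource.kind, action) in ROLE_PERMS.get(role, set()) for role in user.roles)


def mls_allows(user: User, resource: Resource, action: str) -> bool:
    """Clearance-vs-sensitivity check in the Bell-LaPadula style: no read up, no write down."""
    u, r = LEVELS[user.clearance], LEVELS[resource.sensitivity]
    if action == "read":
        return u >= r
    if action == "write":
        return u <= r
    return False


POLICIES = {"rbac": rbac_allows, "mls": mls_allows}


def check_access(user, password, resource, action, policy="rbac"):
    """Single choke point every request passes through.
    Returns (allowed, reason); an authentication failure never reaches authorization."""
    if not authenticate(user, password):
        return False, "authentication failed"
    allowed = POLICIES[policy](user, resource, action)
    return allowed, ("granted" if allowed else f"denied by {policy} policy")


# Constructed sample principals and objects.
TELLER = User.create("tina", "t3ller-pw", ["teller"], "CONFIDENTIAL")
MANAGER = User.create("mark", "mgr-pw", ["branch_manager"], "SECRET")
ACCOUNT = Resource("acct-1001", "account", "CONFIDENTIAL")
TS_MEMO = Resource("memo-7", "document", "TOP_SECRET")
PUBLIC_NOTE = Resource("note-1", "document", "UNCLASSIFIED")

if __name__ == "__main__":
    print(check_access(TELLER, "t3ller-pw", ACCOUNT, "approve_wire"))
    print(check_access(MANAGER, "mgr-pw", PUBLIC_NOTE, "write", policy="mls"))
```

Two design points worth noticing. First, `check_access` is the only path to a decision, which is what makes it a reference monitor: there is no way to reach `rbac_allows` or `mls_allows` for a caller who has not authenticated. Second, the multilevel rule denies the SECRET-cleared manager a write to the UNCLASSIFIED note even though a role-based policy might have allowed it; the two structures answer different questions and an organization that needs both has to compose them rather than pick one.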
Why GAO Did This Study In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government's response to those events. On July 19, 2006, GAO testified on the results of its purchase card work. This report summarizes the testimony and provides recommendations. Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane relief operations. GAO analyzed transactions between June and November of 2005 to determine if (1) DHS's control environment and management of purchase card usage were effective; (2) DHS's key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive purchase card activity existed at DHS.
Why GAO Did This Study In 2005, Hurricanes Katrina and Rita caused unprecedented damage. FEMA's Individuals and Households Program (IHP) provides direct assistance (temporary housing units) and financial assistance (grant funding for temporary housing and other disaster-related needs) to eligible individuals affected by disasters. Our objectives were to (1) compare the types and amounts of IHP assistance provided to Hurricanes Katrina and Rita victims to that provided for other recent hurricanes, (2) describe the challenges FEMA faced because of the magnitude of the requests for assistance following Hurricanes Katrina and Rita, and (3) determine the vulnerability of the IHP program to fraud and abuse. GAO determined the extent to which the program was vulnerable to fraud and abuse by conducting statistical sampling, data mining, and undercover operations.
Comptroller of the Currency John C. Dugan told a Senate committee today that the inadequacies of the current Basel I capital regime for the largest internationally active banks are a matter of great concern to the OCC because the agency supervises the five largest banks in the United States, some of which hold more than $1 trillion in assets, have complex balance sheets, take complex risks, and have complex risk management needs that are fundamentally different from those faced by community and mid-size banks. "The new regime is intended not only to align capital requirements more closely to the complex risks inherent in these largest institutions, but just as important—and this is a total departure from the existing capital framework—it would also require them to substantially improve their risk management systems and controls," Mr. Dugan said in testimony before the Senate Committee on Banking, Housing and Urban Affairs.
Summary: The federal bank and thrift regulatory agencies have jointly issued the attached notice of proposed rulemaking (NPR) on possible modifications to the risk-based capital standards for market risk. The proposed rule would incorporate improvements to the current trading book regime as proposed by the Basel Committee on Bank Supervision and the International Organization of Securities Commissions in the joint document The Application of Basel II to Trading Activities and the Treatment of Double Default Effects, published in July 2005. The proposed rule would also apply to certain savings associations, which currently are not covered under the rule. The FDIC will accept comments on the NPR through January 23, 2007. Highlights:
- Applies to banks with aggregate trading assets and liabilities equal to 10 percent or more of quarter-end total assets as reported on the most recent quarterly Call Report or Thrift Financial Report, or equal to $1 billion or more.
Summary: The federal bank and thrift regulatory agencies have jointly issued and are seeking comment on the attached notice of proposed rulemaking (NPR) concerning the domestic application of selected elements of the Basel II capital framework. The proposed rule would require some core banks, and permit other banks, to use an internal ratings-based approach to calculate regulatory credit risk capital requirements and an advanced measurement approach to calculate regulatory operational risk capital requirements. The FDIC will accept comments on the proposal through January 23, 2007. Highlights: In the attached NPR, the agencies: - Propose to apply the rule to banking organizations that (i) have consolidated assets equal to $250 billion or more; (ii) have consolidated total on-balance sheet foreign exposures of $10 billion or more; (iii) elect to use the proposed rule; or (iv) are subsidiaries of a bank or bank holding company that uses the proposed rule.
In October 2005, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Internet Banking Environment (guidance) . The guidance focuses on the risks of fraud and identity theft associated with Internet banking activities. The guidance states that financial institutions should perform a risk assessment, identify and strengthen control weaknesses, measure and evaluate customer awareness efforts, and implement any necessary corrective actions. National banks are expected to have achieved conformance with the guidance by year-end 2006. It is anticipated that there will be increased activity by fraudsters to send false communications with the intent of obtaining customer information for the purposes of fraud and identity theft. These communications may attempt to exploit the December 31, 2006, conformance date. For example, communications purporting to be from a national bank could inform customers that, due to the FFIEC guidance, the bank is required to change its security procedures and, as a result, request customers to re-register or provide personal information that would enable the bank to comply with the regulatory requirement.
This bulletin provides guidance for national banks and examiners on managing the risks of automated clearing house (ACH) activity. National banks may be exposed to a variety of risks when originating, receiving, or processing ACH transactions, or outsourcing these activities to a third party. This bulletin outlines the key components of an effective ACH risk management program. Each bank should use this guidance to develop an ACH risk management program that reflects the nature and complexity of the bank's activities. This bulletin supplements guidance on ACH activities contained in the FFIEC IT Examination Handbook on Retail Payment Systems,[1] dated March 2004, and National Automated Clearinghouse Operating Rules[2] and replaces OCC Bulletin 2002-2 (ACH Transactions Involving the Internet).
1.1 Background Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. The human factor is so critical to success that the Computer Security Act of 1987 (Public Law [P.L.] 100-235) required that, "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency." In accordance with P.L. 100-235, the National Institute of Standards and Technology (NIST), working with the U.S. Office of Personnel Management (OPM), was charged with developing and issuing guidelines for Federal computer security training. This requirement was satisfied by NIST's issuance of "Computer Security Training Guidelines" (Special Publication [SP] 500-172) in November 1989. In January 1992, OPM issued a revision to the Federal personnel regulations which made these voluntary guidelines mandatory. This regulation, 5 CFR Part 930, is entitled "Employees Responsible for the Management or Use of Federal Computer Systems" and requires Federal agencies to provide training as set forth in NIST guidelines.
The mandatory dissemination of certain information by financial institutions is a key aspect of consumer protection law. It offers two significant advantages for consumer protection in the financial area over the alternative of direct government intervention into product pricing and content. First, information disclosure is compatible with competition, a significant market force already at work to protect consumers by keeping price rises in check. Because of competition, institutions already have incentives to make their products known, to reveal favorable pricing and product features, and to treat consumers fairly by keeping them generally informed about what they want and need to know. When a financial institution employs these strategies, it generates a good business reputation that will produce referrals and repeat customers. Actions that firms use to accomplish these goals include advertising their prices and supplying clients and potential customers with useful information about product prices and features. The requirements for disclosures assist in the dissemination of financial information by standardizing concepts and terminology, such as the finance charge and annual percentage rate under the Truth in Lending Act and the annual percentage yield under the Truth in Savings Act. Such standardization advances consumers' knowledge about the pricing and features of financial products and institutions and lowers consumers' transaction costs by making shopping easier. The standard format of required disclosures helps highlight the performance of the best institutions and exposes the inadequacies of the poorer ones. Well-informed shoppers help keep markets competitive, which benefits buyers of products and services by minimizing the spread between producers' production costs and market price.
NIST is pleased to announce the release of draft Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist. SP 800-69 provides guidance to home users, such as telecommuting Federal employees, on improving the security of their home computers that run Windows XP Home Edition. Home computers face many threats from people wanting to cause mischief and disruption, commit fraud, and perform identity theft. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. It also emphasizes the importance of performing regular backups to ensure that user data is available after an adverse event such as an attack against the computer, a hardware failure, or human error. The publication contains detailed step-by-step directions for securing Windows XP Home Edition computers that can be performed by experienced Windows XP Home Edition users. NIST requests comments on NIST SP 800-69 by August 31, 2006. Please submit comments to itsec@nist.gov with "Comments SP800-69/XPHome" in the subject line.
THE NEED FOR SECURITY CONTROLS TO PROTECT INFORMATION SYSTEMS The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an IT organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems: - What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual's 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.
The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes. The security of financial institutions' systems and information is essential to maintaining the privacy of customer information and safe and sound operations. The Information Security Booklet describes how an institution should protect and secure the systems and facilities that process and maintain information. The booklet calls for financial institutions and technology service providers (TSPs) to maintain effective security programs tailored to the complexity of their operations.
The Office of Thrift Supervision (OTS), along with the other federal banking agencies, has released the revised Information Security Booklet and an Executive Summary of the Federal Financial Institutions Examination Council's (FFIEC) Information Technology Examination Handbook. The revised Information Security Booklet, which replaces the 2003 version of the booklet, provides updated guidance for examiners, savings associations, and technology service providers to use in identifying information security risks and evaluating the adequacy of controls and risk management practices. The revised guidance addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance.
The FDIC Board of Directors is seeking comment on the three attached proposed rules. The first proposed rule would create a new system for risk-based assessments. The second proposed rule would set the designated reserve ratio (DRR) at 1.25 percent. The third proposed rule would govern the penalties for failure to pay assessments. The Federal Deposit Insurance Reform Act of 2005 requires the FDIC to prescribe final regulations by November 5, 2006. Comments on the first two proposed rules are due by September 22, 2006; comments on the third rule are due by September 18, 2006. Assessments Risk Categories: The FDIC proposes to consolidate the existing nine assessment rate categories into four. Small well-capitalized, well-managed institutions: The FDIC proposes to combine CAMELS component ratings with current financial ratios to determine assessment rates applicable to a small well-capitalized, well-managed institution.
Why GAO Did This Study Federal regulation is one of the basic tools of government used to implement public policy. In 1980, the Regulatory Flexibility Act (RFA) was enacted in response to concerns about the effect that regulations can have on small entities, including small businesses, small governmental jurisdictions, and certain small not-for-profit organizations. Congress amended RFA in 1996, and the President issued Executive Order 13272 in 2002, to strengthen requirements for agencies to consider the impact of their proposed rules on small entities. However, concerns about the regulatory burden on small entities persist, prompting legislative proposals such as H.R. 682, the Regulatory Flexibility Improvements Act, which would amend RFA. At the request of Congress, GAO has prepared many reports and testimonies reviewing the implementation of RFA and related policies. On the basis of that body of work, this testimony (1) provides an overview of the basic purpose and requirements of RFA, (2) highlights the main impediments to the Act’s implementation that GAO's reports identified, and (3) suggests elements of RFA that Congress might consider amending to improve the effectiveness of the Act. GAO's prior reports and testimonies contain recommendations to improve the implementation of RFA and related regulatory process requirements.
FinCEN's primary function is to support and strengthen domestic and international anti-money laundering efforts through coordination and partnerships. Since its creation in 1990, FinCEN has been responsible for overseeing the management, processing, storage and dissemination of Bank Secrecy Act (BSA) data. In 2004, FinCEN embarked on a major initiative intended to improve the sharing of information reported under the Bank Secrecy Act. BSA Direct is an umbrella project intended to provide secure, user-friendly, web-based tools for accessing, analyzing, and filing BSA data. It is part of a broad effort to reengineer data management responsibilities and transition them from the IRS. During the early spring of 2006, it became clear to FinCEN that the Retrieval and Sharing component of the BSA Direct project (BSA Direct R&S) was not going to meet the critical implementation deadline of June 30, 2006. Objectives Because FinCEN has experienced problems with development and implementation of the BSA Direct R&S, you asked us about the project's current status and to provide observations on FinCEN's IT investment management practices. Our objectives were to (1) describe BSA Direct R&S and the project's current status; (2) examine FinCEN's application of information technology (IT) investment management processes to the BSA Direct R&S project; and (3) describe, at a high level, the range of options FinCEN may consider as it reexamines the BSA Direct R&S project.
"Operational risk management" increasingly viewed as distinct discipline due to growing complexity of the industry, recent large operational losses The increasing importance of banks' "operational risk management" (ORM) processes and how ORM is evolving as a distinct discipline are highlighted in the FDIC's summer 2006 issue of Supervisory Insights released today. Other topics covered include disaster planning for banks, with a look back at some of the challenges banks faced during the hurricane seasons of 2004 and 2005, and enforcement actions taken against individuals in 2005, with a particular focus on bank losses resulting from insider misconduct or fraud.
Before the U.S. House of Representatives Committee on Financial Services Subcommittee on Oversight and Investigations Thank you Chairwoman Kelly, Ranking Member Gutierrez, and Members of the Subcommittee. I appreciate the opportunity to speak to you about the Treasury Department's contribution to pandemic planning within the financial services sector. Though the Treasury's efforts are just a small part of the enormous Federal effort, we have been very active. President Bush stated, "Together we will confront this emerging threat and together, as Americans, we will be prepared to protect our families, our communities, this great Nation, and our world." I would like to begin my remarks by telling you about the sector's general state of preparedness and then tell you about the Treasury's leadership on pandemic planning within the financial services sector.
Please note that the following rule is the version that was approved by the NCUA Board. The official version is published in the Federal Register approximately one week after Board approval. There may be some minor numbering or format differences between the two versions. The proposed rule describes in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and addresses prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also proposes to change the heading for this part so it more accurately describes its scope. While retaining cross-references in the rule to the SAR form and instructions, these changes will enhance credit union compliance by providing greater detail in the rule on the thresholds and procedures for filing a SAR.
Financial institutions have traditionally used domestic third-party service providers to handle their technology, data processing and other needs, such as call center services. However, with increasing frequency, institutions have been presented with opportunities to enter into contractual arrangements with foreign-based third-party service providers (FBTSPs) to fulfill those needs. Moreover, U.S.-based third-party service providers are subcontracting substantial portions of their operations to entities located outside of the United States. In its 2004 study of offshore outsourcing of data services to identify both consumer and safety and soundness risks associated with offshore data processing,[1] the FDIC learned that financial institutions may be unaware of such subcontracting arrangements or, if they are aware, are not adequately monitoring the relationship. The increased use of FBTSPs by U.S. financial institutions and U.S. third-party service providers is due, in large part, to the potential cost savings that are achievable as low-wage, yet highly qualified, labor pools are tapped in foreign countries. However, as with any sound business decision, financial institutions cannot accept the benefits while ignoring the potential risks.
The Federal Emergency Management Agency (FEMA) has issued the attached revised Standard Flood Hazard Determination Form, which includes a new Office of Management and Budget (OMB) control number and a revised expiration date of October 31, 2008. The form's format and content have not changed. The updated form must be used beginning July 1, 2006. Highlights:
- FDIC-supervised banks must use FEMA's Standard Flood Hazard Determination Form when determining whether a building or mobile home offered as security for a loan will be located in a Special Flood Hazard Area. This requirement is pursuant to the National Flood Insurance Reform Act of 1994 and FDIC regulations (12 CFR 339.6).
The Treasury Department, in cooperation with the FloridaFIRST regional financial coalition, will sponsor the first U.S. pandemic flu response exercise focused on the financial sector on Thursday, June 22, in Miami, Fla. Treasury Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy Scott Parsons will join 70 participants from Florida financial services firms and health, police, and fire officials from local, state, and federal agencies to test the local industry's preparedness for such a crisis.
Submission for OMB review; joint comment request In accordance with the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. chapter 35), FinCEN, OCC, OTS, FDIC, and NCUA (collectively, the "agencies") hereby give notice that they have submitted to the Office of Management and Budget (OMB) requests for review of the information collections described below.
OCC, OTS, FDIC, NCUA, and FinCEN are submitting the Suspicious Activity Report (SAR) information collection to OMB for extension with revision. The Board of Governors of the Federal Reserve System (the Board) also participated in this review. However, the Board, under its Paperwork Reduction Act (PRA) delegated authority, will publish a separate final notice and submit its SAR information collection to OMB.
Preparing Your Institution for a Catastrophic Event The member agencies of the Federal Financial Institutions Examination Council (FFIEC) and the Conference of State Bank Supervisors today announced the release of LESSONS LEARNED FROM HURRICANE KATRINA: Preparing Your Institution for a Catastrophic Event. The booklet relays financial institutions' experiences and lessons learned in the aftermath of Hurricane Katrina that other institutions may find helpful in considering their readiness for a catastrophic event.
In a speech today before the Conference of State Bank Supervisors in Norfolk, Virginia, Federal Deposit Insurance Corporation Acting Chairman Martin Gruenberg outlined overall capital objectives contained in the proposed rule for proceeding with Basel II in the U.S. Basel II is a new, international standard for the way the largest banks calculate their capital levels. "Basel II was intended to bring about technical improvements in the risk-sensitivity of bank capital in the United States while broadly maintaining the overall level of risk-based capital requirements," Acting Chairman Gruenberg told the group. "I think those are both worthy goals, and the achievement of both goals is essential for the safety and soundness of the U.S. banking system."
The FDIC, along with the other federal banking agencies and the Securities and Exchange Commission, is issuing the attached statement for public comment. The statement informs financial institutions of the internal controls and risk-management procedures that should be used to identify, manage and address the heightened legal or reputational risks that may arise from their involvement in certain complex structured finance transactions. The FDIC will accept comments on this statement through June 15, 2006. Highlights: The attached interagency statement:
- Focuses on complex structured finance transactions entered into by institutions when the transactions:
  - circumvent regulatory or financial reporting requirements, or
  - evade tax liabilities or involve other illegal and/or improper behavior.
Five federal agencies today requested public comment on a revised proposed statement on the complex structured finance activities of financial institutions. The revised statement describes the types of internal controls and risk management procedures that should help financial institutions identify, manage and address the heightened legal and reputational risks that may arise from certain complex structured finance transactions. The agencies have modified the revised statement in several important respects in light of the comments received on the original proposed statement, which was issued for comment on May 19, 2004. For example, the agencies have reorganized, streamlined and modified the statement to make the document more principles-based and focused on those complex structured finance transactions that may pose heightened levels of legal or reputational risk to a financial institution.
Summary: This Regulatory Bulletin transmits Examination Handbook Section 341, Information Technology Risks and Controls. The Office of Thrift Supervision substantially revised and reorganized this section of the Examination Handbook. This handbook section replaces existing guidance found in Thrift Activities Handbook Section 341, Technology Risk Controls. This bulletin rescinds RB 32-21 dated January 7, 2002.
The rapid growth and extensive deployment of information technology (IT) requires a thorough assessment of the risks inherent in such activities. The Examination Handbook section issued today outlines OTS expectations that savings associations fully address the risks and challenges posed by using technology, and establish effective risk management practices commensurate with the association's size and complexity. Use this Handbook section and its examination procedures in conjunction with other Handbook sections that provide guidance for reviewing an association's internal control environment.
The Federal Reserve Board announced Wednesday the consolidation of two internal advisory committees on payments system matters. The duties of the Payments System Policy Advisory Committee will be expanded to encompass the responsibilities and activities of the Payments System Development Committee, including its public outreach efforts. The Payments System Development Committee will be discontinued. The Payments System Policy Advisory Committee was formed in July 1986 to advise the Board on a range of issues, including risk-management issues, primarily in wholesale payment and settlement systems, and the relationship between wholesale payment systems and financial markets. The Payments System Development Committee was formed in July 1999 to advise on medium- and long-term public policy issues surrounding innovation in the retail payments system. The expanded Payments System Policy Advisory Committee will provide the Board with a coordinated view of developments in both wholesale and retail payments at a time of significant overall change in the U.S. payments system and help coordinate Federal Reserve work involving domestic and international payments and settlement systems.
Summary: The FDIC has issued revised compliance examination procedures that update the procedures issued in 2003. The new examination procedures incorporate banker feedback and results of internal reviews. Highlights:
- The FDIC also gathered information about how well the procedures were meeting its objectives. - These included focusing increased attention on a bank's compliance management system, and conducting more of the review process off-site, where appropriate. - Bankers were generally pleased with the revised procedures issued in 2003, particularly the focus on compliance management systems. However, they made several suggestions to improve the examination process while reducing burden. - As a result of banker input, the FDIC has made a number of changes to the compliance examination procedures. - Revised worksheets have been distributed to examiners to support the latest version of the compliance examination procedures.
This report presents the results of our audit of the FDIC’s consideration of risk in determining the deposit insurance premiums paid to the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF). To assess semiannual premiums on financial institutions, the FDIC uses the Risk-Related Premium System (RRPS) and considers capital levels, safety and soundness examination results, and other pertinent information to assign insured institutions to one of three Capital Groups and to one of three Supervisory Subgroups for the purpose of determining an insurance assessment risk classification.[1] The audit objective was to determine whether the insurance assessment system is adequately tied to the results of examinations of financial institutions by the primary federal regulators and to other information relevant to the institutions’ financial condition. Appendix I of this report discusses our objective, scope, and methodology in detail.
BACKGROUND
Federal regulators today released Evolution of a Prototype Financial Privacy Notice, a report by Kleimann Communication Group summarizing consumer research commissioned by the regulators as part of their ongoing efforts to develop improved financial privacy notices.
The report's release concludes the first phase of an interagency project by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission to explore alternatives for financial privacy notices that would be easier for consumers to read, understand, and use than many of the notices consumers currently receive from financial institutions. These six agencies were among those that jointly issued regulations in 2000 implementing the financial privacy provisions of the Gramm-Leach-Bliley Act, but survey data indicate that many consumers neither read nor understand the notices financial institutions provide under those regulations.
An interagency notice of proposed rulemaking (NPR) that would implement Basel II risk-based capital requirements in the United States for large, internationally active banking organizations was made public Thursday by the Federal Reserve Board. The proposed rule would require the largest internationally active banks to enhance the measurement and management of their risks, including credit risk and operational risk. It also would require these banks to have rigorous processes for assessing overall capital adequacy in relation to their total risk profile and to publicly disclose information regarding their risk profile and capital adequacy.
"Given the increasing complexity of the activities at our largest banks, and the related risks of those activities, I fully support efforts to develop a more appropriately risk-sensitive capital framework for those institutions," said Board Chairman Ben S. Bernanke. "The current Basel I framework has become increasingly inadequate for capturing the risks at large, complex U.S. banking organizations."
This Letter to Credit Unions (LTCU) is intended to raise awareness of the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services. It further advises credit unions and their service providers to consider this and similar threats in their event response and contingency strategies (business continuity and disaster recovery plans). This LTCU discusses the National Strategy for Pandemic Influenza (National Strategy) and the roles and responsibilities it outlines for financial institutions.
On November 1, 2005, the White House issued the National Strategy, which discusses the threat and potential impact of a pandemic influenza event. It also identifies the roles and responsibilities for the federal government, the private sector, and others.
The Office of the Comptroller of the Currency will host workshops for national community bank directors at the Westin Great Southern Hotel, Columbus, Ohio, on April 25-26. The workshops provide practical information that expands bank directors' skills and understanding of issues facing their banks. This year's workshops cover risk assessment and compliance risk. Workshops cost $65 each. Attendees receive pre-course reading and course materials, an OCC telephone seminar CD, a community bank supervision handbook, other supervisory material, a continental breakfast and lunch. Workshops are limited to the first 50 registrants and are geared primarily to outside directors of national community banks with assets of less than $1 billion. Management directors may also find the workshop beneficial. For information or to register online, visit http://www.occ.gov/conference.htm
The "Insider Activities" booklet is one of several booklets in the Comptroller's Handbook that will be published under the theme of corporate governance. This booklet provides guidance on how banks may legally and prudently engage in transactions with insiders and implement risk management processes that provide for the appropriate control and monitoring of insider activities. This booklet also provides guidance on how examiners will review and assess insider activities during the supervisory process.
A bank should engage in safe and sound business and personal transactions with its insiders, consistent with law and regulation. Transactions between a bank and its insiders can address legitimate banking needs and serve the interests of both parties. The challenge is to separate legitimate insider financial relationships from those that are, or could become, abusive, imprudent, or preferential. Studies of bank failures have found that insider abuse, including excessive or poor-quality loans made to, and unjustified fees paid to, directors and officers, is often a contributing factor to the failure. Because of the significant risks that insider activities can pose, these activities are subject to strict laws and ethical guidelines.
The Financial Crimes Enforcement Network (FinCEN) and the federal bank, thrift and credit union regulatory agencies are soliciting comments on the attached proposed changes to the Suspicious Activity Report (SAR) form. Highlights:
- On February 17, 2006, FinCEN and the federal bank, thrift and credit union regulatory agencies issued the attached notice and request for comments in the Federal Register on proposed changes to the SAR form that is used by depository institutions. The SAR form is being revised and reformatted to standardize it with SARs used by financial institutions in other industries.
The Federal Reserve and the other financial institutions regulatory agencies published on February 9, 2006, the attached Advisory to address safety and soundness concerns that may arise when financial institutions enter into external audit contracts (typically referred to as "engagement letters") that limit the auditors' liability for audit services. The Advisory informs financial institutions that it is unsafe and unsound to enter into engagement letters for audits of financial statements, audits of internal control over financial reporting, or attestations on management's assessment of internal control over financial reporting which include provisions that (1) indemnify the external auditor against all claims made by third parties, (2) hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution (other than claims for punitive damages), or (3) limit the remedies available to the client financial institution (other than punitive damages).
The Federal Financial Institutions Examination Council (FFIEC) Task Force on Consumer Compliance has approved the attached revised Fair Credit Reporting Act (FCRA) examination procedures, which incorporate the new requirements created by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The revised FCRA examination procedures have been reorganized into a new format in which similar requirements are grouped into modules for use in risk-focused compliance examinations. This modular format is also designed to assist financial institutions in organizing compliance programs and internal reviews. The revised procedures separate background information from the examination steps, contained in Appendix A. Appendix B list