Posts tagged ‘FFIEC’
Yesterday, the FFIEC, a coordinating council of financial regulators including the NCUA, issued guidance on “cloud computing,” putting credit unions on notice that they had better exercise proper due diligence and oversight as they migrate more of their data and computer services to off-site third-party service providers. If you think this doesn’t impact your credit union, either it will in the near future or you already use cloud computing and you just don’t realize it.
In the guidance, the examiners concede that “there is no widely accepted definition” of what cloud computing is; however, in general, “cloud computing is a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers.” For those of you who use an iPad or smart phone, you are already using the cloud since those devices probably don’t have enough memory to physically store all the information and applications you wish to save. But the real key to cloud computing is yet to come. We aren’t too far from the day that the clunky desktop looks as antiquated as the dusty typewriter in the office closet. Software applications will no longer be saved on your hard drive and all of your information will be kept on servers, chances are in a state or country far away from the credit union.
The opportunities for cost savings are huge, but the council flags important steps that financial institutions have to take. The guidance urges credit unions to look at six general areas, including:
- Due diligence (e.g. Is this the provider that can best meet the needs of your credit union?);
- Vendor Management (e.g. Is your vendor familiar with your industry’s regulations?);
- Auditing (e.g. Can you keep an eye on your vendor on an ongoing basis?);
- Information Security (e.g. Is your member information being adequately protected?);
- Legal, regulatory and policy considerations (e.g. Does your contract provide adequate protection in the event your service provider messes up? This is particularly important as more cloud computing takes place overseas.); and
- Business continuity planning (e.g. How will you get back online in the event of a disruption, such as a flood?).
The guidance is more than simply a list of best practices. Virtually all litigation involving data breaches and information technology centers on whether a financial institution was using commercially reasonable policies and technology to protect member information and money. FFIEC guidance provides the baseline for commercial reasonableness. You can bet that plaintiff lawyers will be reading this document about as closely as your IT professional, so this is not one to file away.
Despite what Woody Allen says, crime really doesn’t pay, it is just that there’s always going to be some people who don’t get that.
Although Manhattan District Attorney Cyrus Vance is best known for bungling rape investigations of prominent French politicians, his office deserves credit for prioritizing financially related cyber crimes for investigation and prosecution. Interestingly, I can think of no place more removed from Manhattan, both culturally and geographically, than Watertown, New York. However, recent arrests in both localities provide important reminders to credit unions as they seek to prevent both good old-fashioned theft and computer-aided crime.
In Manhattan, the District Attorney’s cyber crimes and identity theft bureau announced that 94 persons were indicted this past week for their role in capitalizing on a defect in TD Bank’s account opening procedures. From May 2009 to August 2011, persons were recruited to open up new checking and savings accounts using checks drawn on either closed accounts or from accounts at other banks that had insufficient funds. The bank was aware that Regulation CC’s check availability rules don’t apply to newly opened accounts; unfortunately for the bank, someone knew that new account owners could transfer these funds from newly opened savings accounts over the phone into their newly opened checking accounts. The account openers were then driven to casinos, Western Union branch locations, or banks with particularly high ATM withdrawal limits where the money from the bogus checks would be withdrawn. The scheme is estimated to have cleared $494,000.
Also this past week, police in Watertown, New York arrested the manager of United Neighbors Federal Credit Union for allegedly stealing more than $34,000 from the credit union between January 1 and November 3 of this year. According to the paper, the three-year employee of the credit union told police that she stole $18,000 from the ATM and the rest from her cash drawer, although the newspaper account provided no specifics as to how exactly she carried out the heist. She admitted to the crime immediately upon observing that an audit was being conducted by the credit union’s audit committee.
To me, these disparate examples provide several important reminders for credit unions.
First, although you should all be putting your finishing touches on implementing the FFIEC’s layered security guidance, which examiners are going to begin reviewing in 2012, this guidance is in addition to rather than a replacement of the obligation of credit unions pursuant to 12 CFR 748 to deter robbery, larceny, and embezzlement. For credit unions like the one in Watertown, New York, this means recognizing the importance of audits. It’s not enough to have a policy in place; policies must be implemented.
For larger credit unions, this means ensuring that you periodically review not only new account opening procedures, but the computer systems used to put them in place. One of the biggest mistakes a financial institution can make is to fail to monitor the systems put in place by its vendors or, if you’re lucky enough to have them, your information technology employees. Is your credit union vulnerable to the same type of crime which bamboozled TD Bank for more than a year? Do you know who at your credit union would know the answer?
Irrespective of size, a credit union’s security procedures should not be static, but rather evolve to address potential new vulnerabilities. Make sure that someone in your credit union is aware of the latest schemes and that your credit union can guard against them.
The single most important mandate facing credit unions over the next few months is the authentication guidance issued by the grand council known as the FFIEC mandating that they take steps to upgrade the security of their internet banking operations. This guidance supplements the Council’s 2005 internet banking guidance.
First, I can assure you that I am not saying this as someone who loves technology. In fact, I am the type of person who makes IT departments cringe. But the reality is that given the potential expense and the need to review credit union operations by January, this is a guidance that cannot be put on the back burner.
At its core, it emphasizes the use of “layered” security in protecting your internet banking services when authorizing fund transfers. Given the growing sophistication of today’s hackers, the examiners recognized that simply stressing the use of two forms of identification no longer provides adequate protection against crooks who have figured out how to steal passwords despite the best of systems. What all institutions are required to do is develop security techniques that make it difficult to execute transactions even for people who have given the proper password. For example, a member making an unusually large transfer may be asked challenge questions, the answers to which require information beyond the typical date of birth or mother’s maiden name, in order to complete the transaction.
One of the problems with FFIEC guidance is that it applies to the smallest institutions, which offer only the most rudimentary internet banking services, and Goldman Sachs. Consequently, in analyzing how to respond to this guidance, keep in mind that it is primarily concerned with electronic fund transfers and that it recognizes that transfers involving business accounts represent a greater threat than do accounts involving individuals. In addition to reading the guidance, you should review §4-A-202 of New York’s Uniform Commercial Code, which regulates electronic fund transfers. As explained by the statute, commercial reasonableness is a legal standard that reflects, among other things, that you know your members and their typical banking practice, that you have offered and they have accepted security procedures to protect them, and that these procedures are consistent across similarly situated members.
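As an added illustration of the layered, risk-based approach the guidance describes (example code, not from the FFIEC, the blog author or any vendor), the rule set below scores a transfer against the member’s own history and the business/consumer distinction, and only then decides whether challenge questions or an out-of-band confirmation is required. Member ids, amounts and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Transfer:
    member_id: str
    account_type: str   # "consumer" or "business"
    amount: float
    payee_known: bool   # payee appears in this member's prior transfers
    device_known: bool  # session comes from a previously enrolled device

# Constructed sample history of cleared transfers per member (hypothetical data).
HISTORY = {
    "m-1001": [120.0, 95.0, 140.0, 110.0, 130.0],
    "b-2002": [4800.0, 5100.0, 4950.0, 5200.0],
}

def risk_score(t: Transfer) -> int:
    """Layered controls: a correct password alone never settles the question;
    each independent signal adds risk and the total decides the extra step."""
    score = 0
    past = HISTORY.get(t.member_id, [])
    baseline = median(past) if past else 0.0
    if baseline and t.amount > 3 * baseline:
        score += 3           # unusually large for this member ("know your member")
    elif not past:
        score += 2           # no history at all: nothing to compare against
    if not t.payee_known:
        score += 2           # first payment to a new payee
    if not t.device_known:
        score += 2           # unrecognized device or browser
    if t.account_type == "business":
        score += 1           # guidance treats business transfers as higher risk
    return score

def required_step(t: Transfer) -> str:
    """Same thresholds for every similarly situated member, so the procedure
    is consistent as the commercial-reasonableness standard expects."""
    s = risk_score(t)
    if s >= 5:
        return "out_of_band_confirm"   # e.g. callback to a number already on file
    if s >= 3:
        return "challenge_questions"   # answers beyond DOB or mother's maiden name
    return "none"
```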
Finally, keep in mind that by issuing this updated guidance, the FFIEC has created a baseline standard against which your actions would be judged if, God forbid, you were ever sued. This point was made abundantly clear in Patco Construction Co., Inc. v. People’s United Bank, where the bank prevailed because it convinced the court that it had complied with the 2005 guidance.
Kudos to Hudson Valley Federal Credit Union. On Thursday, NCUA responded to a request by the credit union with a legal opinion letter clarifying the awards that can be given to board members without running afoul of the prohibition against giving board members anything more than nominal compensation. The credit union successfully sought permission to give a $250 gift card to volunteers who have served the credit union for five years. NCUA’s letter explained that an award representing $50 for each year of service was reasonable. It also stressed that the award was given to an individual in recognition of multiple years of service, as opposed to an entire class of board members, and therefore could not be misconstrued as an incentive for service.