When It Comes to Protecting Your Data, How Well Do You Really Know Your Members?

August 30, 2021 at 9:47 am

When the Federal Financial Institutions Examination Council (FFIEC) issues guidance, all financial institutions should pay attention, irrespective of their size and risk profile. After all, the Council represents the combined wisdom, or at least the consensus, of the financial regulators, including the NCUA, on the issues of most pressing concern. That said, it is my ever so humble opinion that these documents are often written in such vague terms and with so many qualifiers that they lack the clarity needed to make them truly useful.

With that caveat, I present to you Authentication and Access to Financial Institution Services and Systems, guidance issued by the FFIEC on August 11th that highlights the need for financial institutions to take a holistic approach to protecting against unauthorized access to their information. Specifically, the guidance “sets forth risk management principles and practices that can support a financial institution’s authentication of (a) users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices (collectively, users) and (b) consumer and business customers.”

Whereas a decade ago your red flag risk assessment was primarily concerned with preventing unauthorized third parties from accessing your systems, in today’s environment you also face threats from within. Your board member, your negligent customer and, of course, your Luddite employee pose as great a potential threat as the most sophisticated hacker, so these insider threats should be considered as part of your ongoing risk assessments. Furthermore, layered security controls, such as requiring individuals to authenticate more than once while inside a platform, may inconvenience your members and employees, but that inconvenience should be weighed against the need to protect the data on your systems.

Remember, you should pay attention to this guidance for both legal and compliance reasons. Legally, these guidelines provide a concise source for courts to use in assessing whether a vendor or financial institution is taking reasonable measures to protect member information (see, for example, Shames-Yeakel v. Citizens Financial Bank and Bessemer System Federal Credit Union v. Fiserv Solutions, LLC). From a compliance standpoint, you have an obligation to make sure your credit union is periodically reassessing and updating its cyber risk assessment (12 CFR Part 748, Appendix A).

On that note, enjoy your day.



Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
