Top 6 Regulatory Issues of 2008 - and What’s Coming Next
Aug 05, 2008
Bankinfosecurity.com
Identity theft red flags, business continuity planning, vendor management: these topics have all received fresh attention from the regulatory agencies this year, and there is more to come before year’s end. So, as a way to both reflect and project, we take a look at the Top 6 Regulatory Issues of 2008 and identify the topics that may be addressed next.

1) Identity Theft Red Flags Rule

Without a doubt, the top regulatory compliance issue for all financial institutions this year is the Identity Theft Red Flags Rule, which, among other requirements, forces financial institutions to document their identity theft prevention programs, assess accounts at risk of identity theft, and create new security awareness programs for employees and customers alike. ‘It will be the number one hurdle this year for financial institutions,’ says Dennis Hild, Crowe Chizek.

To meet the Nov. 1 compliance deadline, institutions are reaching out for help from their service providers, security vendors, information security practitioners and risk assessment companies. With fewer than 90 days to go, 50% of institutions say they will struggle to meet the deadline, according to the recent Identity Theft Red Flags Rule Compliance survey by Information Security Media Group. Any day now, federal regulators are expected to release their examination procedures for Identity Theft Red Flags Rule compliance, guidance that is eagerly awaited by institutions and examiners alike.

2) Updated BSA/AML examination guidance

Despite the sharpened focus on economic pressures as a result of the credit crunch, two regulatory topics continue to garner a significant share of compliance resources: risk management and anti-money laundering. ‘While neither is new to institutions, both continue to carry significant consequences for non-compliance,’ says Eva Weber, Aite. ‘Both of these areas are constantly evolving from a risk perspective, which means regulators will continue to adjust their demands and expectations,’ Weber notes.

Typically a low-profile activity, anti-money laundering captured major headlines earlier this year when the former governor of New York was forced to resign following a scandal revealed by Suspicious Activity Reports (SARs). Late last year, regulators revised the AML/BSA Examination Manual to expand its discussion of providing banking services to money services businesses (MSBs). Further revisions are expected later this year. (For more help see: BSA/AML issues)

3) Vendor Management guidance

Bank and credit union examiners are scrutinizing outsourced programs in ways not previously seen. For many smaller and mid-sized financial institutions, the topic is of great concern because of their reliance on third parties to provide core services. With resource constraints and tightened budgets, the increased urgency to either update or rewrite existing vendor management programs adds to the challenge. Ever since the passage of GLBA, institutions have been under regulatory pressure to improve vendor management. But that pressure has increased in recent times with such initiatives as the Identity Theft Red Flags Rule, and regulators have underscored the issue as one of major concern to examiners this year. Risk assessment and ongoing management of third-party relationships are the primary focus for regulators, according to recent guidance.

4) OCC’s Application Security letter

An area of compliance that concerns mainly midsized and smaller institutions is application security: the basic software (often web-based) that ensures accurate, timely and confidential processing of data. ‘It has been a major focus of examiners, but the bigger institutions are doing a better job in this area,’ says Steve Marchewitz, SecureState. Recognizing the inherent vulnerabilities of critical applications, regulators are pressuring institutions to step up their protective measures, no matter whether the applications are internally developed, vendor-acquired or contracted.

OCC sparked recent discussion of application security with its guidance on the topic. Comparing the bigger banks with small and medium-sized banks, Marchewitz notes: ‘The smaller banks are way, way behind in security. They’re not even close to the top 50 banks. The top 50 are way ahead of the curve when it comes to security; the rest of the banks below them fall behind.’ He suggests that this gap is the reason regulators are focusing attention on application security.

5) Updated Business Continuity Planning guidance

The newly updated BCP guidance issued for financial institutions was well-timed. Even though financial institutions have been expected to have a business continuity plan in place since ‘forever,’ the recent national disasters (Midwest floods, Gulf hurricanes, West Coast wildfires) have given institutional leaders a chance to consider how well they’d fare under such conditions, and they’re looking for greater assurances from these programs. Under the terms of the new guidance, spelled out in the FFIEC update to the Business Continuity Planning Booklet, institutions must pay attention to the enhancements to the business impact analysis and testing discussions, as well as to emerging threats and lessons learned in recent years. The booklet stresses the responsibility of each institution’s board and management to address business continuity planning with an enterprise-wide perspective, considering technology, business operations, communications and testing strategies for the entire institution.

6) Updated Pandemic Planning guidance

Hand-in-hand with business continuity planning comes new emphasis on pandemic planning. Pandemic planning experts have predicted that, for some institutions, surviving a pandemic will depend on the size of the institution, the strength of the predicted pandemic and how well the institution is prepared to handle such an event.

The national pandemic exercise in Fall 2007 showed that many institutions are not fully prepared to exercise their BCP/DR plans should a pandemic break out in their area. This ‘sleeping giant’ may imperil many small institutions that haven’t made adequate plans to operate on reduced staff and resources for extended periods of time. As part of the March update to the Business Continuity Planning Booklet, federal regulators specifically address pandemics. Key elements of the FFIEC’s December 2007 Interagency Statement on Pandemic Planning have been added to the booklet. The methodologies provide a framework for financial institutions to develop or update their pandemic preparedness plans.

Coming Next: Remote Deposit?

Future regulatory guidance will include examination procedures for Identity Theft Red Flags, expected to be released this summer, in advance of the Nov. 1 compliance deadline. Guidance on remote deposit is said to be in its final stages of approval by the regulators, and should ‘be out any day now,’ says one unnamed regulator.

‘There is an increasing number of banks facing executive orders, with increased scrutiny on CEOs, CFOs, chief credit officers and even some regulatory mandates to require the banks to strengthen their leadership,’ says Crowe Chizek’s Hild. Don’t forget Basel II regulations.

‘There are few truly new compliance initiatives,’ says Aite’s Weber. But existing initiatives are constantly evolving and will lead to continuous guidance. ‘Issues around risk management and financial crime will be on the top of regulators’ agendas for a long time to come.’

SecureState’s Marchewitz sees increased focus on PCI-related compliance work at institutions and their service providers and other vendors. ‘We’ve done more assessments and remediation work on PCI-related compliance issues this year than any of the others on the list,’ he says, three years after PCI security standards were formalized. Many institutions are especially slow to react to newly-issued guidance. ‘It takes about a year for any of the institutions to pay attention to a new regulation or guidance.’