
IT security and compliance update

August 10, 2017

Moderator: Liz Ziesmer, CPA, CBA

Director of Financial Institution Services

• Specializes in audit and consulting services for financial institution clients
– Leads numerous financial statement and internal audits, SOX 404 and other financial services consulting engagements for the firm’s largest and most complex financial institutions, including SEC registrants

• Works closely with management and audit committees to address technical issues and ensure sound internal controls

• Serves as a firm-wide resource for financial institution accounting and auditing matters

Regulatory Compliance Update

Presented by:

Beth A. Behrend, CCBCO, CBAP

Speaker: Beth A. Behrend, CCBCO, CBAP

Senior Manager

• Rehmann

• Leader of our firm’s compliance services for financial institutions.

• Worked for and with financial institutions for more than 30 years.

• Expertise includes providing a wide range of audit and consulting services for our financial institution clients.

• Extensive knowledge of financial institution operations; serves in an advisory role to clients within the BSA and Regulatory Compliance related areas

Regulatory Compliance Update

Fair Lending Issues

Bank Secrecy Act – Beneficial Owners

Tips, Tricks and Tidbits

Fair Lending

Current Regulatory Considerations

Fair Lending Concerns

• FDIC and OCC have highlighted Fair Lending as an Emerging Risk
– OCC 2017 Operating Plan
– FDIC 2015 Winter Insights

• Specifically mentions underwriting practices

• High growth areas and auto lending

• CFPB Activity – trickle down impact

Fair Lending – CFPB

• In 2016, fair lending supervisory and public enforcement actions by the CFPB resulted in approximately $46 million in remediation to harmed consumers

• Focus has been on redlining risk: assessment of lenders’ intentional discouragement of applications for credit in minority neighborhoods

• Additional focus has been on compliance with ECOA in indirect auto lending

Areas of Focus for 2017

• Redlining

• Mortgage and Student Loan Servicing

• Small Business Lending

Redlining Considerations

• Reasonably Expected Market Area (REMA)
– Where the institution actually marketed and provided credit and where it could reasonably be expected to have marketed and provided credit
– REMA is used in evaluating redlining risk
– Considerations:
  • Not extending credit in certain areas
  • Targeting certain areas with less advantageous products
  • Offering different loans to different areas
  • Not marketing residential loans to certain areas

Redlining - Continued

• How is REMA determined:
– Discussion with the Bank
– Assessing Branch network
– Marketing efforts: Print, Calling Program, Direct Mailings
– Location of Bank’s Loan Applications, Originations, and Deposit Customers
– Any Significant Barriers to Lending

Mortgage and Student Loan Servicing

• ECOA Baseline Reviews
– ECOA Baseline Modules (CFPB Exam Manual)
– Evaluate how well the institution’s compliance management systems identify and manage fair lending risk
– Assess fair lending training of servicing staff; fair lending monitoring of servicing; and servicing of consumers with limited English proficiency

Small Business Lending

• Assess lending practices in regard to women-owned and minority-owned businesses

• Review lending activity for material discrepancies in ratios of approval-to-denial rates for various geographies

Polling Question #1

Have you conducted an internal Fair Lending assessment within the last 18 months?

A. Yes
B. No

Regulatory Fair Lending Prioritization

• Risk-based prioritization – data driven approach to identify potential fair lending harm to consumers
– Strength of compliance management system
– Assess emerging developments and trends in key consumer financial markets
– Consumer complaints
– Tips/leads from advocacy groups
– Supervisory and enforcement history
– Analysis of HMDA data

Exam Scoping

• Develop overview of the Financial Institution

• Identify Compliance Program Risk Factors

• Review Residential Loan Products

• Identify Residential Lending Risk Factors

• Organize and Focus Risk & Disparity Analysis

• Identify Consumer Lending Risk Factors

• Identify Commercial Lending Risk Factors

• Complete the Scoping process

How to Prepare?

• Ensure policies and procedures are in place that accurately reflect bank practices

• Review current portfolio for pricing exceptions

• Consider establishing a risk based pricing matrix and apply consistently

• Set-up secondary approval for non-compliance loans (pricing and underwriting)

• Clearly document mitigating factors for non-compliance loans

How to Prepare?

• Review legally prohibited factors and train staff

• Determine your REMA and use these parameters when conducting a redlining risk assessment; be aware of where you are lending and marketing, as well as where you are not

• Assess current mortgage and student loan servicing practices

• Consider performing geocode analysis of small business loans

Bank Secrecy Act Beneficial Ownership

Beneficial Ownership

• Final rule: compliance date May 11, 2018

• Impact: effectively a fifth “pillar” for AML programs

• Requirement: Financial Institutions will be required to establish risk-based procedures for conducting ongoing customer due diligence

Coverage

• Applies to “covered financial institutions”:
– Depository institutions
– Securities broker-dealers
– Mutual funds
– Futures commission merchants

Requirement

• Establish and maintain written procedures reasonably designed to identify and verify beneficial owners of legal entity customers:
– “Legal Entity Customer”: a corporation, LLC, or other entity form created by filing a public document with a Secretary of State or similar office, or a general partnership

– Exclusions include: banking organizations; entities with listed stocks; SEC-registered investment companies; state-regulated insurance companies

Types of Beneficial Owners

• Ownership Prong: “beneficial owner” includes each natural person who, directly or indirectly, owns 25% or more of the equity interest of the legal entity

• Control Prong: “beneficial owner” means a single natural person with significant responsibility to control, manage, or direct the legal entity customer (e.g., a CEO, VP, or Treasurer)

Identification

• At least one beneficial owner is required to be identified for each legal entity customer with respect to the control prong.

Identification and Verification

• Must establish and maintain written procedures reasonably designed to identify, verify, and certify beneficial owners of a legal entity customer

• Procedures must allow financial institution to identify all beneficial owners of each legal entity at the time of account opening

Identification and Verification

• Verify the identity of each beneficial owner using risk-based procedures “to the extent reasonable and practicable”
– These procedures must contain the elements required under the existing CIP

• Retain records obtained regarding beneficial ownership for 5 years. At a minimum: identifying information obtained and a description of documents reviewed to verify the beneficial owner’s identity

Certification

• Use of a model Certification Form, or

• “Obtain from the individual the information required by the form by another means, provided the individual certifies, to the best of the individual’s knowledge, the accuracy of the information”

Polling Question #2

Where is your institution in implementing the Beneficial Ownership rule?

A. Completely implemented
B. Policies and procedures updated, testing of systems completed
C. In process of creating policies and procedures
D. Not yet started

Other Points of Interest

• Rule is not retroactive – only need to obtain information going forward
– If a legal entity opens a new account, another certification must be obtained – even with an existing relationship

– Examiners will expect a risk-based approach to updates if during normal monitoring there appears to be changes to beneficial ownership information

• The rule applies to all accounts including checking, savings, certificates, and loans

Other Points of Interest

• Beneficial ownership information will need to be in your CTR and AML monitoring system, as you are required to aggregate

• A copy of the identification for beneficial owners is acceptable – retention of these copies is not required but documentation of what was collected is required for 5 years after the account is closed.

Other Points of Interest

• Ownership prong:
– May rely on information provided on the certification form
– Potentially no beneficial owner with 25% or more
– If an entity is an owner, no requirement to identify the natural person behind that entity

• Control prong:
– Must collect at least one individual

Other Points of Interest

• If individual opening account does not provide CIP on beneficial owners, account should not be opened

• Non-documentary verification for CIP is allowed for beneficial owners as detailed in your policy/procedures

• OFAC checks are required on beneficial owners

Conclusion

• Ensure policies and procedures are updated to incorporate these requirements

• Review/update forms: signature cards, certification forms, new account worksheets

• Assess your onboarding process

• Assess system for any necessary changes

• Training

Tips, Tricks and Tidbits

Miscellaneous Compliance Highlights

Compliance Highlights for 2017 and Beyond

• HMDA revisions implementation

• Consumer Complaint monitoring

• Increased focus on Compliance Management Systems

• Website ADA Compliance

Continued Focus:

• TRID

• Loan Officer Compensation

• UDAAP

• New Compliance Rating System

• Third-party risk

Cyber security

Presented by:

Jessica Dore, CISA

Speaker: Jessica Dore, CISA

Principal

• Technology Risk Management

• Specializes in technology consulting & security and SOX 404 compliance

• Experience in leading teams and performing IT security assessments for clients

Cyber Security

• The National Institute of Standards and Technology (NIST) defines cyber security as "the process of protecting information by preventing, detecting, and responding to attacks."

• As part of cyber security, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.

Data Breach History

Source: ID Theft Resource Center

Each cell gives the number of breaches (share of all breaches that year) and the number of records exposed.

Category              2017 (as of 8/2/17)        2016                       2015
                      Breaches     Records       Breaches     Records       Breaches     Records
Banking/Financial     50 (5.7%)    2,776,000     52 (4.8%)    72,262        71 (9.1%)    5,063,044
Business              470 (53.3%)  9,219,263     495 (45.3%)  5,669,711     312 (39.9%)  16,191,017
Educational           93 (10.6%)   1,080,151     98 (9.0%)    1,048,342     58 (7.4%)    759,600
Government/Military   44 (5.0%)    216,521       72 (6.6%)    13,869,571    63 (8.1%)    34,222,763
Medical/Healthcare    224 (25.4%)  3,497,804     376 (34.4%)  15,942,053    277 (35.5%)  112,832,082

Data Breach Costs Are Rising

• The difference a year makes

• The average total cost of a data breach increased from $3.79 to $4 million (+5.3%)– Up 29% since 2013

• The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 (+2.6%)– Up 15% since 2013

Source: Ponemon 2016 Cost of Data Breach Study

Average Size of Data Breach By Country

Source: Ponemon 2016 Cost of Data Breach Study

The Main Root Causes of A Data Breach

Source: Ponemon 2016 Cost of Data Breach Study

• The most common types of malicious or criminal attacks include malware infections, criminal insiders, phishing/social engineering and SQL injection.

• Negligent insiders are individuals who cause a data breach because of their carelessness

Who’s Behind The Breaches?

• 75% were perpetrated by outsiders.

• 25% involved internal actors.

• 18% were conducted by state-affiliated actors.

• 3% featured multiple parties.

• 51% involved organized criminal groups.

Source: Verizon 2017 Data Breach Investigations Report

What Tactics Do They Use?

• 62% of breaches featured hacking

• 51% of breaches included malware

• 81% of hacking related breaches leveraged either stolen and/or weak passwords

• 43% were social attacks

• 8% included physical actions

Source: Verizon 2017 Data Breach Investigations Report

Who Are The Victims?

• 24% of breaches affected financial organizations.

• 15% of breaches involved healthcare organizations.

• 12% of breaches affected public sector entities.

• 15% of breaches affected retail and accommodation.

Source: Verizon 2017 Data Breach Investigations Report

What Else Is Common?

• 66% of malware was installed via malicious e-mail attachments.

• 73% of breaches were financially motivated.

• 21% of breaches were related to espionage.

• 27% of breaches were discovered by third parties.

Source: Verizon 2017 Data Breach Investigations Report

Source: progressbangladesh.com

Cyber Crime Is Here To Stay

• Cyber warrior ‘mercenaries’ for hire worldwide

• Cyber crime is a multi-billion dollar underground economy

• Cyber crime is an industry of suppliers, distributors and manufacturers

• Information is the commodity

Small Organizations A Big Target

• Don’t believe they will be attacked

• Cybersecurity not a priority

• Weak cybersecurity/ outdated tools

• Poor employee training

• Poor or no data breach response plan

• Lead to bigger fish

Source: ameriscope.com

Polling Question #3

Has your institution suffered a ransomware attack?

A. Yes
B. No
C. No, but I know of an institution that has

How Do Cyber Criminals Get In?

• Phishing

• Ransomware

• Smishing

• Social Engineering

• DDOS

• Keylogging

• Skimming

• Vishing

• Malware/Spyware

2016 Most Common Passwords

1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321
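The list above shows what "weak passwords" looks like in practice: short digit runs, keyboard sequences, and the word "password" itself. The screening routine below is an added example (not code from the webinar or from Rehmann) of how an institution can refuse such choices at password-set time. It seeds its blocklist with the ten passwords from the slide (the real deployment would load a much larger breached-password list, which is an assumption here), normalizes obvious variants such as "Password1!" back to their base word, and flags keyboard-row sequences and too-short choices. The thresholds (12-character minimum, 5-character keyboard run) are assumptions, not figures from the page.

```python
"""Weak-password screening for account provisioning or password-change flows.

Added example; the blocklist is constructed from the ten passwords listed on the
2016 'most common passwords' slide and is deliberately small for illustration.
"""
import re

# Constructed from the slide's list; a production deployment would load a large
# breached-password corpus instead of this ten-entry set (assumption).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111",
    "1234567890", "1234567", "password", "123123", "987654321",
}

# Keyboard rows and the digit row; both forward and reversed runs are checked.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Policy thresholds (assumptions for this example, not figures from the page).
MIN_LENGTH = 12
KEYBOARD_RUN_LENGTH = 5


def normalize(password: str) -> str:
    """Lower-case and strip a trailing run of digits/punctuation.

    'Password1!' -> 'password', so trivial decorations of a common password
    still hit the blocklist. An all-digit password is returned unchanged.
    """
    base = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", base)
    return stripped or base


def has_keyboard_run(password: str, min_len: int = KEYBOARD_RUN_LENGTH) -> bool:
    """True if the password contains a forward or reversed keyboard-row run."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in lowered:
                    return True
    return False


def check_password(password: str) -> list:
    """Return the list of reasons a password is rejected; empty means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("common password")
    if has_keyboard_run(password):
        reasons.append("keyboard sequence")
    if len(set(password)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "correct horse battery staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Run against the slide's own entries, every one of the ten is rejected on at least two grounds; the normalization step is what catches the "Password1!"-style variants that a plain lookup would pass.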

Employees Are The Weakest Link

• Negligent insiders are the top cause of data breaches

• Clicking on links in emails

• Sending work email to personal accounts

• Using data on insecure lines

• Not following corporate policies

• Not securing mobile devices

Vulnerability: Weak IT Security

• Poor access controls

• Poor patch management

• Improper device configuration

• Lack of security audits

• Weak enforcement of remote login policies

Hot Topics

• Vendor Management
– Risk Assessment
– Due Diligence at Selection
– Annual Due Diligence for Critical Vendors
– Contract Reviews

Hot Topics

• Patch Management
– Apply patches timely
– Ensure system reporting is working appropriately
– Board Reporting

Polling Question #4

Does your institution back up data daily?

A. Yes
B. No
C. I’m not sure

Hot Topics

• Backups & BCP
– Backup at least daily
– Testing of backups and BCP
– Manual processes

Close The Loopholes

Create and enforce security policies

Educate employees

Update security software

Backup & encrypt data

Secure wireless devices

Patch systems

Have an IT Security assessment performed

Q&A Session

Thank you!

Beth Behrend, CCBCO, CBAP
Phone: 616.975.4100

Email: [email protected]

Jessica Dore, CISA
Phone: 989.797.9580

Email: [email protected]

Liz Ziesmer, CPA, CBA
Phone: 616.975.4100

Email: [email protected]
