SlideShare a Scribd company logo

Chapter 13: Regulatory Compliance for Financial Institutions

Download as PPTX, PDF
Nada G.Youssef
Nada G.Youssef

Security Program and Policies, Principles and Practices

Education
1 of 23
Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 13: Regulatory Compliance for Financial Institutions
Copyright 2014 Pearson Education, Inc. 2 Objectives ■ Explain financial institution information security regulatory compliance requirements ■ Understand the components of a GLBA- compliant information security program ■ Prepare for a regulatory examination ■ Respond to the twin threats of personal identity theft and corporate account takeover
Copyright 2014 Pearson Education, Inc. 3 Introduction ■ A financial institution’s most significant asset is not money: It’s information about money, transactions and customers ■ Protection of those information assets is necessary to establish the required trust for the institution to conduct business ■ Institutions have a responsibility to protect their client’s information and privacy from harm such as fraud and ID theft
Copyright 2014 Pearson Education, Inc. 4 The Gramm-Leach-Bliley Act (GLBA) ❑ Signed into law by President Clinton in 1999 ❑ Also known as the Financial Modernization Act of 1999 ❑ Meant to allow banks to engage in a wide array of financial services ❑ Banks can now merge with stock brokerage companies and insurance companies, which means that they can possess large amounts of private, personal client information
Copyright 2014 Pearson Education, Inc. 5 The Gramm-Leach-Bliley Act (GLBA) Cont. ❑ Title 5 of the GLBA specifically addresses protecting both the privacy and the security of non-public personal information (NPPI) ■ Privacy Rule ❑ Limits the financial institutions disclosure of NPPI to unaffiliated third parties ■ Security Guidelines ❑ Address safeguarding the confidentiality and security of customer NPPI and ensuring proper disposal of NPPI
Copyright 2014 Pearson Education, Inc. 6 The Gramm-Leach-Bliley Act (GLBA) Cont. ❑ What is NPPI? ■ Stands for non-public personal information ■ Includes the following information: ❑ Names ❑ Addresses ❑ Phone numbers ❑ Income and credit histories ❑ Social Security numbers
Copyright 2014 Pearson Education, Inc. 7 What Is a Financial Institution? ■ Financial institution is “Any institution the business of which is significantly engaged in financial activities as described in Section 4(k) of the Bank Holding Company Act (12 U.S.C. § 1843(k).” ■ GLBA also applies to companies that provide financial products and/or services such as: ❑ Automobile dealers ❑ Check-cashing businesses ❑ Consumer reporting agencies ❑ Courier services ❑ Debt collectors
Copyright 2014 Pearson Education, Inc. 8 Regulatory Oversight ■ Seven federal agencies and the states have authority to administer and enforce the Financial Privacy Rule and Section 501(b) ■ Which agency is tasked with enforcing the regulation, along with the severity of the penalty, is dependent upon the industry to which the business belongs ■ Nontraditional financial services companies are regulated by the FTC but are not subject to scheduled, regular audits unless a complaint has been lodged against them
Copyright 2014 Pearson Education, Inc. 9 What Are Interagency Guidelines? ❑ The dependence of financial institutions upon information systems is a source of risks ❑ The interagency guidelines (IG) were created as a way to mitigate those risks related to information being compromised ❑ The IG require every covered institution to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards
Copyright 2014 Pearson Education, Inc. 10 What Are Interagency Guidelines? Cont. ■ Information Security Program Requirements ■ Involving the board of directors ■ Assessing risk ■ Managing and controlling risks ■ Overseeing service provider arrangements ■ Adjusting the program ■ Reporting to the board
Copyright 2014 Pearson Education, Inc. 11 Involve the Board of Directors ■ The board must approve the bank’s written information security program ■ The board must oversee the development, implementation, and maintenance of the program ■ As corporate officials, the board has a fiduciary and legal responsibility ■ Banks should provide board members with appropriate training on information security ■ The board may in turn delegate information security tasks to other roles and/or committees
Copyright 2014 Pearson Education, Inc. 12 Assess Risk ❑ Risk assessments start by creating an inventory of all information items and information systems ❑ Identifying threats is the next step ■ Threat: Potential for violation of security ■ Threat assessment: Identification of types of threats ■ Threat analysis: Systematic rating of threats based upon risk and probability ■ Threat probability: Likelihood that a threat will materialize ■ Residual risk: The level of risk after controls have been implemented
Copyright 2014 Pearson Education, Inc. 13 Manage and Control Risk ❑ The information security program should be designed to control the identified risks commensurate with the sensitivity of the information as well as the complexity and scope of its activities: ▪ Access controls on customer information systems ▪ Access restrictions at physical locations containing customer information ▪ Encryption of electronic customer information ▪ Separation of duties ▪ Monitoring systems to identify attacks ▪ Incident response program ▪ Disaster recovery plan
Copyright 2014 Pearson Education, Inc. 14 Training ❑ Institutions must implement ongoing information security awareness program ❑ Staff should receive security training at least once a year ❑ Training can be instructor led or online ❑ Untrained staff are perfect targets for hackers!
Copyright 2014 Pearson Education, Inc. 15 Testing ■ All controls must be tested ❑ Priority should be given to high-risk, critical systems ❑ Separation of duties applies to control testing ❑ Three most commonly testing methodologies ■ Audit ❑ Evidence-based examination that compares current practices against internal or external criteria ■ Assessments ❑ A focused privileged inspection ■ Assurance test ❑ Measures how well controls work by subjecting the system to an actual attack
Copyright 2014 Pearson Education, Inc. 16 Oversee Service Provider Arrangements ■ Financial institutions must ensure that service providers have implemented security controls in accordance with GLBA ■ Recommended oversight procedures: ❑ Conduct risk assessment ❑ Use due diligence when selecting third parties ❑ Implementing contractual assurances regarding security responsibilities, controls, and reporting ❑ Requiring non-disclosure agreements ❑ Providing third-party review of the service provider’s security through audits and tests ❑ Coordinating incident response policies and contractual notification requirements ❑ Review third-party agreements and performance at least annually
Copyright 2014 Pearson Education, Inc. 17 Adjusting the Program ■ Effective monitoring involves both technical and non-technical evaluations ■ Change drivers include mergers and acquisitions, changes in technology, changes in data sensitivity ■ Information security policy should be reviewed at least annually
Copyright 2014 Pearson Education, Inc. 18 Report to the Board ■ Reporting to the board should take place at least annually and describe the overall status of the information security program and the organization's compliance with the interagency guidelines ❑ The report needs to address risk assessment and management, control decisions, service provider arrangements, employee training, independent audits and testing, recommendation for change of the program
What Is Regulatory Examination? ■ Regulatory agencies are responsible for oversight and supervision of financial institutions ■ Exams are conducted every 12 to 18 months ■ The exam includes evaluation of policies, processes, personnel, controls, and outcomes ■ Financial institutions are given a rating on a scale of 1 to 5, with 1 representing the best rating and 5 the worst rating with the highest degree of concern Copyright 2014 Pearson Education, Inc. 19
Copyright 2014 Pearson Education, Inc. 20 Personal and Corporate Identity Theft ■ Personal identity theft occurs when someone possesses and uses any identifying information that is not his with the intent to commit fraud or other crimes ❑ Identifying information includes: ❑ Name ❑ Date of birth ❑ Social Security numbers ❑ Credit card numbers ■ Corporate identity theft when criminals attempt to impersonate authorized employees to access corporate bank accounts and steal money ❑ Known as corporate account takeover
Copyright 2014 Pearson Education, Inc. 21 Personal and Corporate Identity Theft cont. ■ Responding to identity theft: Supplement A, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” (“the guidance”) ■ The guidance describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information ■ FTC supports identity theft criminal investigations and prosecution through its Identity Theft Data Clearinghouse
Copyright 2014 Pearson Education, Inc. 22 Personal and Corporate Identity Theft cont. ■ Updated guidance on Internet banking safeguards was released October 2011 ❑ Financial institutions are required to review and update existing risk assessment at least every 12 months ❑ Financial institutions must implemented a layered security model ❑ Financial institutions must offer multifactor authentication to commercial cash management customers ❑ Financial institutions must implement authentication and transactional fraud monitoring ❑ Financial institutions must educate commercial account holders about risks associated with online banking
Copyright 2014 Pearson Education, Inc. 23 Summary ❑ Financial institutions must protect the information with which they are entrusted. ❑ The GLBA requires that standards be developed and assigns this task to seven federal agencies: The seven monitor federally insured banks and publish the interagency guidelines, whereas the FTC oversees organizations that provide non-traditional financial services and publish the standards for safeguarding customer information. ❑ The intent of both publications is to protect the confidentiality, integrity, and availability of non-public personal information.

Recommended

Devaluation presentation 1
Devaluation presentation 1Devaluation presentation 1
Devaluation presentation 1Asma4646
 
Replacement analysis
Replacement analysisReplacement analysis
Replacement analysisMallikarjun Vastrad
 
Topic 7 and_8_modifier_placement_-
Topic 7 and_8_modifier_placement_-Topic 7 and_8_modifier_placement_-
Topic 7 and_8_modifier_placement_-Estefania España
 
Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Nada G.Youssef
 
83341 ch12 jacobsen
83341 ch12 jacobsen83341 ch12 jacobsen
83341 ch12 jacobsenNada G.Youssef
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorChapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorNada G.Youssef
 
Chapter 15: PCI Compliance for Merchants
Chapter 15: PCI Compliance for Merchants Chapter 15: PCI Compliance for Merchants
Chapter 15: PCI Compliance for Merchants Nada G.Youssef
 
Chapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityChapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityNada G.Youssef
 

Recommended

Devaluation presentation 1
Devaluation presentation 1Devaluation presentation 1
Devaluation presentation 1Asma4646
 
Replacement analysis
Replacement analysisReplacement analysis
Replacement analysisMallikarjun Vastrad
 
Topic 7 and_8_modifier_placement_-
Topic 7 and_8_modifier_placement_-Topic 7 and_8_modifier_placement_-
Topic 7 and_8_modifier_placement_-Estefania España
 
Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Nada G.Youssef
 
83341 ch12 jacobsen
83341 ch12 jacobsen83341 ch12 jacobsen
83341 ch12 jacobsenNada G.Youssef
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorChapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorNada G.Youssef
 
Chapter 15: PCI Compliance for Merchants
Chapter 15: PCI Compliance for Merchants Chapter 15: PCI Compliance for Merchants
Chapter 15: PCI Compliance for Merchants Nada G.Youssef
 
Chapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityChapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityNada G.Youssef
 
Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources SecurityNada G.Youssef
 
Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset ManagementNada G.Youssef
 
Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Nada G.Youssef
 
Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Nada G.Youssef
 
Chapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementChapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementNada G.Youssef
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and MaintenanceNada G.Youssef
 
Chapter 9: Access Control Management
Chapter 9: Access Control ManagementChapter 9: Access Control Management
Chapter 9: Access Control ManagementNada G.Youssef
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Chapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementChapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementNada G.Youssef
 
83341 ch06 jacobsen
83341 ch06 jacobsen83341 ch06 jacobsen
83341 ch06 jacobsenNada G.Youssef
 
83341 ch13 jacobsen
83341 ch13 jacobsen83341 ch13 jacobsen
83341 ch13 jacobsenNada G.Youssef
 
83341 ch14 jacobsen
83341 ch14 jacobsen83341 ch14 jacobsen
83341 ch14 jacobsenNada G.Youssef
 
83341 ch11 jacobsen
83341 ch11 jacobsen83341 ch11 jacobsen
83341 ch11 jacobsenNada G.Youssef
 
83341 ch09 jacobsen
83341 ch09 jacobsen83341 ch09 jacobsen
83341 ch09 jacobsenNada G.Youssef
 
83341 ch07 jacobsen
83341 ch07 jacobsen83341 ch07 jacobsen
83341 ch07 jacobsenNada G.Youssef
 
83341 ch10 jacobsen
83341 ch10 jacobsen83341 ch10 jacobsen
83341 ch10 jacobsenNada G.Youssef
 
83341 ch08 jacobsen
83341 ch08 jacobsen83341 ch08 jacobsen
83341 ch08 jacobsenNada G.Youssef
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Chapter 12
Chapter 12Chapter 12
Chapter 12Nada G.Youssef
 
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...Dr. Khaled OUANES
 
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...Ethisphere
 
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?AdvisorAssist, LLC
 

More Related Content

Viewers also liked

Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources SecurityNada G.Youssef
 
Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset ManagementNada G.Youssef
 
Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Nada G.Youssef
 
Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Nada G.Youssef
 
Chapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementChapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementNada G.Youssef
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and MaintenanceNada G.Youssef
 
Chapter 9: Access Control Management
Chapter 9: Access Control ManagementChapter 9: Access Control Management
Chapter 9: Access Control ManagementNada G.Youssef
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Chapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementChapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementNada G.Youssef
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...Dr. Khaled OUANES
 

Viewers also liked (20)

Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources Security
 
Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset Management
 
Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Chapter 1: Understanding Policy
Chapter 1: Understanding Policy
 
Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style
 
Chapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementChapter 12: Business Continuity Management
Chapter 12: Business Continuity Management
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance
 
Chapter 9: Access Control Management
Chapter 9: Access Control ManagementChapter 9: Access Control Management
Chapter 9: Access Control Management
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident Management
 
Chapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementChapter 4: Governance and Risk Management
Chapter 4: Governance and Risk Management
 
83341 ch06 jacobsen
83341 ch06 jacobsen83341 ch06 jacobsen
83341 ch06 jacobsen
 
83341 ch13 jacobsen
83341 ch13 jacobsen83341 ch13 jacobsen
83341 ch13 jacobsen
 
83341 ch14 jacobsen
83341 ch14 jacobsen83341 ch14 jacobsen
83341 ch14 jacobsen
 
83341 ch11 jacobsen
83341 ch11 jacobsen83341 ch11 jacobsen
83341 ch11 jacobsen
 
83341 ch09 jacobsen
83341 ch09 jacobsen83341 ch09 jacobsen
83341 ch09 jacobsen
 
83341 ch07 jacobsen
83341 ch07 jacobsen83341 ch07 jacobsen
83341 ch07 jacobsen
 
83341 ch10 jacobsen
83341 ch10 jacobsen83341 ch10 jacobsen
83341 ch10 jacobsen
 
83341 ch08 jacobsen
83341 ch08 jacobsen83341 ch08 jacobsen
83341 ch08 jacobsen
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
Chapter 12
Chapter 12Chapter 12
Chapter 12
 
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...
INTRODUCTION TO HEALTHCARE RESEARCH METHODS: Correlational Studies, Case Seri...
 

Similar to Chapter 13: Regulatory Compliance for Financial Institutions

Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...Ethisphere
 
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?AdvisorAssist, LLC
 
Cybersecurity crisis management a prep guide
Cybersecurity crisis management a prep guideCybersecurity crisis management a prep guide
Cybersecurity crisis management a prep guideJoAnna Cheshire
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
Weaver - Financial Institutions Consulting
Weaver - Financial Institutions ConsultingWeaver - Financial Institutions Consulting
Weaver - Financial Institutions ConsultingAndrew Topa
 
Information Security Incident Management.pdf
Information Security Incident Management.pdfInformation Security Incident Management.pdf
Information Security Incident Management.pdfGoldenMIT
 
Trends 121415 Citizens Bank
Trends 121415 Citizens BankTrends 121415 Citizens Bank
Trends 121415 Citizens BankMichael Ouellet
 
NICSA Webinar | AML Enhanced Customer Due Diligence - "Beneficial Owner Rule"
NICSA Webinar | AML Enhanced Customer Due Diligence - "Beneficial Owner Rule"NICSA Webinar | AML Enhanced Customer Due Diligence - "Beneficial Owner Rule"
NICSA Webinar | AML Enhanced Customer Due Diligence - "Beneficial Owner Rule"NICSA
 
INITIAL COMPLIANCE APPROVAL IN JUST 2 MINUTES
INITIAL COMPLIANCE APPROVAL IN JUST 2 MINUTESINITIAL COMPLIANCE APPROVAL IN JUST 2 MINUTES
INITIAL COMPLIANCE APPROVAL IN JUST 2 MINUTESMay Martinsen
 
Auditing Principles1
Auditing Principles1Auditing Principles1
Auditing Principles1Jose Cintron
 
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsCCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsTrustArc
 
Navigate the Financial Crime Landscape with a Vendor Management Program
Navigate the Financial Crime Landscape with a Vendor Management ProgramNavigate the Financial Crime Landscape with a Vendor Management Program
Navigate the Financial Crime Landscape with a Vendor Management ProgramPerficient, Inc.
 
5. op risk and aml
5. op risk and aml5. op risk and aml
5. op risk and amlcrmbasel
 
How to Prepare Your Firm for a Visit from the SRA
How to Prepare Your Firm for a Visit from the SRAHow to Prepare Your Firm for a Visit from the SRA
How to Prepare Your Firm for a Visit from the SRALegl
 
D&B onboard.pdf
D&B onboard.pdfD&B onboard.pdf
D&B onboard.pdfWilson Kao
 
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...Poyner Spruill LLP, Attorneys
 

Similar to Chapter 13: Regulatory Compliance for Financial Institutions (20)

Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to...
 
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?
AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?
 
Cybersecurity crisis management a prep guide
Cybersecurity crisis management a prep guideCybersecurity crisis management a prep guide
Cybersecurity crisis management a prep guide
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
Weaver - Financial Institutions Consulting
Weaver - Financial Institutions ConsultingWeaver - Financial Institutions Consulting
Weaver - Financial Institutions Consulting
 
Opportunities At NYCM
Opportunities At NYCMOpportunities At NYCM
Opportunities At NYCM
 
Information Security Incident Management.pdf
Information Security Incident Management.pdfInformation Security Incident Management.pdf
Information Security Incident Management.pdf
 
Trends 121415 Citizens Bank
Trends 121415 Citizens BankTrends 121415 Citizens Bank
Trends 121415 Citizens Bank
 
NICSA Webinar | AML Enhanced Customer Due Diligence - "Beneficial Owner Rule"
NICSA Webinar | AML Enhanced Customer Due Diligence - "Beneficial Owner Rule"NICSA Webinar | AML Enhanced Customer Due Diligence - "Beneficial Owner Rule"
NICSA Webinar | AML Enhanced Customer Due Diligence - "Beneficial Owner Rule"
 
INITIAL COMPLIANCE APPROVAL IN JUST 2 MINUTES
INITIAL COMPLIANCE APPROVAL IN JUST 2 MINUTESINITIAL COMPLIANCE APPROVAL IN JUST 2 MINUTES
INITIAL COMPLIANCE APPROVAL IN JUST 2 MINUTES
 
Auditing Principles1
Auditing Principles1Auditing Principles1
Auditing Principles1
 
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsCCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
 
Navigate the Financial Crime Landscape with a Vendor Management Program
Navigate the Financial Crime Landscape with a Vendor Management ProgramNavigate the Financial Crime Landscape with a Vendor Management Program
Navigate the Financial Crime Landscape with a Vendor Management Program
 
5. op risk and aml
5. op risk and aml5. op risk and aml
5. op risk and aml
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor Privacy
 
How to Prepare Your Firm for a Visit from the SRA
How to Prepare Your Firm for a Visit from the SRAHow to Prepare Your Firm for a Visit from the SRA
How to Prepare Your Firm for a Visit from the SRA
 
D&B onboard.pdf
D&B onboard.pdfD&B onboard.pdf
D&B onboard.pdf
 
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
The Hazards of Vendor Management - presented to NC Bankers Association by Ric...
 
IASA ey deck presentation
IASA ey deck presentationIASA ey deck presentation
IASA ey deck presentation
 
Your Third-Party Vendor's Risk Is Your Risk, Too
Your Third-Party Vendor's Risk Is Your Risk, Too Your Third-Party Vendor's Risk Is Your Risk, Too
Your Third-Party Vendor's Risk Is Your Risk, Too
 

More from Nada G.Youssef

Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Nada G.Youssef
 

More from Nada G.Youssef (15)

مجلة 1
مجلة 1مجلة 1
مجلة 1
 
Chapter Tewlve
Chapter TewlveChapter Tewlve
Chapter Tewlve
 
Chapter Eleven
Chapter ElevenChapter Eleven
Chapter Eleven
 
Chapter Ten
Chapter TenChapter Ten
Chapter Ten
 
Chapter Nine
Chapter NineChapter Nine
Chapter Nine
 
Chapter Eight
Chapter Eight Chapter Eight
Chapter Eight
 
Chapter Seven
Chapter SevenChapter Seven
Chapter Seven
 
Chapter Six
Chapter SixChapter Six
Chapter Six
 
Chapter Five
Chapter FiveChapter Five
Chapter Five
 
Chapter Four
Chapter FourChapter Four
Chapter Four
 
Chapter Three
Chapter ThreeChapter Three
Chapter Three
 
Chapter Two
Chapter TwoChapter Two
Chapter Two
 
Chapter one
Chapter oneChapter one
Chapter one
 
Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University
 
Chapter 11
Chapter 11Chapter 11
Chapter 11
 

Recently uploaded

21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptxJoelynRubio1
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfNirmal Dwivedi
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17Celine George
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxPooja Bhuva
 
PANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxPANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxakanksha16arora
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfstareducators107
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsSandeep D Chaudhary
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
Economic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food AdditivesEconomic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food AdditivesSHIVANANDaRV
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfDr Vijay Vishwakarma
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxmarlenawright1
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Pooja Bhuva
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...Amil baba
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxPooja Bhuva
 

Recently uploaded (20)

21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
PANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxPANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptx
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Economic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food AdditivesEconomic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food Additives
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
Our Environment Class 10 Science Notes pdf
Our Environment Class 10 Science Notes pdfOur Environment Class 10 Science Notes pdf
Our Environment Class 10 Science Notes pdf
 
VAMOS CUIDAR DO NOSSO PLANETA! .
VAMOS CUIDAR DO NOSSO PLANETA! .VAMOS CUIDAR DO NOSSO PLANETA! .
VAMOS CUIDAR DO NOSSO PLANETA! .
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 

Chapter 13: Regulatory Compliance for Financial Institutions

  • 1. Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 13: Regulatory Compliance for Financial Institutions
  • 2. Copyright 2014 Pearson Education, Inc. 2 Objectives ■ Explain financial institution information security regulatory compliance requirements ■ Understand the components of a GLBA- compliant information security program ■ Prepare for a regulatory examination ■ Respond to the twin threats of personal identity theft and corporate account takeover
  • 3. Copyright 2014 Pearson Education, Inc. 3 Introduction ■ A financial institution’s most significant asset is not money: It’s information about money, transactions and customers ■ Protection of those information assets is necessary to establish the required trust for the institution to conduct business ■ Institutions have a responsibility to protect their client’s information and privacy from harm such as fraud and ID theft
  • 4. Copyright 2014 Pearson Education, Inc. 4 The Gramm-Leach-Bliley Act (GLBA) ❑ Signed into law by President Clinton in 1999 ❑ Also known as the Financial Modernization Act of 1999 ❑ Meant to allow banks to engage in a wide array of financial services ❑ Banks can now merge with stock brokerage companies and insurance companies, which means that they can possess large amounts of private, personal client information
  • 5. Copyright 2014 Pearson Education, Inc. 5 The Gramm-Leach-Bliley Act (GLBA) Cont. ❑ Title 5 of the GLBA specifically addresses protecting both the privacy and the security of non-public personal information (NPPI) ■ Privacy Rule ❑ Limits the financial institutions disclosure of NPPI to unaffiliated third parties ■ Security Guidelines ❑ Address safeguarding the confidentiality and security of customer NPPI and ensuring proper disposal of NPPI
  • 6. Copyright 2014 Pearson Education, Inc. 6 The Gramm-Leach-Bliley Act (GLBA) Cont. ❑ What is NPPI? ■ Stands for non-public personal information ■ Includes the following information: ❑ Names ❑ Addresses ❑ Phone numbers ❑ Income and credit histories ❑ Social Security numbers
  • 7. Copyright 2014 Pearson Education, Inc. 7 What Is a Financial Institution? ■ Financial institution is “Any institution the business of which is significantly engaged in financial activities as described in Section 4(k) of the Bank Holding Company Act (12 U.S.C. § 1843(k).” ■ GLBA also applies to companies that provide financial products and/or services such as: ❑ Automobile dealers ❑ Check-cashing businesses ❑ Consumer reporting agencies ❑ Courier services ❑ Debt collectors
  • 8. Copyright 2014 Pearson Education, Inc. 8 Regulatory Oversight ■ Seven federal agencies and the states have authority to administer and enforce the Financial Privacy Rule and Section 501(b) ■ Which agency is tasked with enforcing the regulation, along with the severity of the penalty, is dependent upon the industry to which the business belongs ■ Nontraditional financial services companies are regulated by the FTC but are not subject to scheduled, regular audits unless a complaint has been lodged against them
  • 9. Copyright 2014 Pearson Education, Inc. 9 What Are Interagency Guidelines? ❑ The dependence of financial institutions upon information systems is a source of risks ❑ The interagency guidelines (IG) were created as a way to mitigate those risks related to information being compromised ❑ The IG require every covered institution to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards
  • 10. Copyright 2014 Pearson Education, Inc. 10 What Are Interagency Guidelines? Cont. ■ Information Security Program Requirements ■ Involving the board of directors ■ Assessing risk ■ Managing and controlling risks ■ Overseeing service provider arrangements ■ Adjusting the program ■ Reporting to the board
  • 11. Copyright 2014 Pearson Education, Inc. 11 Involve the Board of Directors ■ The board must approve the bank’s written information security program ■ The board must oversee the development, implementation, and maintenance of the program ■ As corporate officials, the board has a fiduciary and legal responsibility ■ Banks should provide board members with appropriate training on information security ■ The board may in turn delegate information security tasks to other roles and/or committees
  • 12. Copyright 2014 Pearson Education, Inc. 12 Assess Risk ❑ Risk assessments start by creating an inventory of all information items and information systems ❑ Identifying threats is the next step ■ Threat: Potential for violation of security ■ Threat assessment: Identification of types of threats ■ Threat analysis: Systematic rating of threats based upon risk and probability ■ Threat probability: Likelihood that a threat will materialize ■ Residual risk: The level of risk after controls have been implemented
  • 13. Copyright 2014 Pearson Education, Inc. 13 Manage and Control Risk ❑ The information security program should be designed to control the identified risks commensurate with the sensitivity of the information as well as the complexity and scope of its activities: ▪ Access controls on customer information systems ▪ Access restrictions at physical locations containing customer information ▪ Encryption of electronic customer information ▪ Separation of duties ▪ Monitoring systems to identify attacks ▪ Incident response program ▪ Disaster recovery plan
  • 14. Copyright 2014 Pearson Education, Inc. 14 Training ❑ Institutions must implement ongoing information security awareness program ❑ Staff should receive security training at least once a year ❑ Training can be instructor led or online ❑ Untrained staff are perfect targets for hackers!
  • 15. Copyright 2014 Pearson Education, Inc. 15 Testing ■ All controls must be tested ❑ Priority should be given to high-risk, critical systems ❑ Separation of duties applies to control testing ❑ Three most commonly testing methodologies ■ Audit ❑ Evidence-based examination that compares current practices against internal or external criteria ■ Assessments ❑ A focused privileged inspection ■ Assurance test ❑ Measures how well controls work by subjecting the system to an actual attack
  • 16. Copyright 2014 Pearson Education, Inc. 16 Oversee Service Provider Arrangements ■ Financial institutions must ensure that service providers have implemented security controls in accordance with GLBA ■ Recommended oversight procedures: ❑ Conduct risk assessment ❑ Use due diligence when selecting third parties ❑ Implementing contractual assurances regarding security responsibilities, controls, and reporting ❑ Requiring non-disclosure agreements ❑ Providing third-party review of the service provider’s security through audits and tests ❑ Coordinating incident response policies and contractual notification requirements ❑ Review third-party agreements and performance at least annually
  • 17. Copyright 2014 Pearson Education, Inc. 17 Adjusting the Program ■ Effective monitoring involves both technical and non-technical evaluations ■ Change drivers include mergers and acquisitions, changes in technology, changes in data sensitivity ■ Information security policy should be reviewed at least annually
  • 18. Copyright 2014 Pearson Education, Inc. 18 Report to the Board ■ Reporting to the board should take place at least annually and describe the overall status of the information security program and the organization's compliance with the interagency guidelines ❑ The report needs to address risk assessment and management, control decisions, service provider arrangements, employee training, independent audits and testing, recommendation for change of the program
  • 19. What Is Regulatory Examination? ■ Regulatory agencies are responsible for oversight and supervision of financial institutions ■ Exams are conducted every 12 to 18 months ■ The exam includes evaluation of policies, processes, personnel, controls, and outcomes ■ Financial institutions are given a rating on a scale of 1 to 5, with 1 representing the best rating and 5 the worst rating with the highest degree of concern Copyright 2014 Pearson Education, Inc. 19
  • 20. Copyright 2014 Pearson Education, Inc. 20 Personal and Corporate Identity Theft ■ Personal identity theft occurs when someone possesses and uses any identifying information that is not his with the intent to commit fraud or other crimes ❑ Identifying information includes: ❑ Name ❑ Date of birth ❑ Social Security numbers ❑ Credit card numbers ■ Corporate identity theft when criminals attempt to impersonate authorized employees to access corporate bank accounts and steal money ❑ Known as corporate account takeover
  • 21. Copyright 2014 Pearson Education, Inc. 21 Personal and Corporate Identity Theft cont. ■ Responding to identity theft: Supplement A, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” (“the guidance”) ■ The guidance describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information ■ FTC supports identity theft criminal investigations and prosecution through its Identity Theft Data Clearinghouse
  • 22. Copyright 2014 Pearson Education, Inc. 22 Personal and Corporate Identity Theft cont. ■ Updated guidance on Internet banking safeguards was released October 2011 ❑ Financial institutions are required to review and update existing risk assessment at least every 12 months ❑ Financial institutions must implemented a layered security model ❑ Financial institutions must offer multifactor authentication to commercial cash management customers ❑ Financial institutions must implement authentication and transactional fraud monitoring ❑ Financial institutions must educate commercial account holders about risks associated with online banking
  • 23. Copyright 2014 Pearson Education, Inc. 23 Summary ❑ Financial institutions must protect the information with which they are entrusted. ❑ The GLBA requires that standards be developed and assigns this task to seven federal agencies: The seven monitor federally insured banks and publish the interagency guidelines, whereas the FTC oversees organizations that provide non-traditional financial services and publish the standards for safeguarding customer information. ❑ The intent of both publications is to protect the confidentiality, integrity, and availability of non-public personal information.