Bank Regulatory Update: Three Things to Think About for 2017

Significant regulatory changes continued to affect the banking industry in 2016. The industry generally has moved beyond implementing the requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act, but regulatory expectations continue to rise, with increased emphasis on each institution’s ability to respond to and withstand adverse economic conditions. Regulatory supervision, often through oversight from multiple agencies, is becoming more focused on supporting compliance efforts with strong corporate cultures within the institution. Managing regulatory compliance risk for a financial institution has never been more complex.

Looking forward to 2017, regulators are expected to continue to ramp up expectations in several areas. Industry stakeholders undoubtedly will be watching closely as the new administration takes control of the White House. However, regulators are expected to continue to increase their emphasis on three areas: cybersecurity risk, consumer compliance and third-party risk management.

1. Cybersecurity Risk
Cybersecurity is likely to remain a key supervisory focal point for regulators in 2017. Regulatory officials have stressed that cybersecurity vulnerabilities are not just a concern at larger financial institutions: small banks also are at risk. As such, financial institutions of all sizes need to improve their ability to more aptly identify, assess and mitigate risks in light of the increasing volume and sophistication of cyberthreats.

The Federal Financial Institutions Examination Council (FFIEC) agencies have established a comprehensive cybersecurity awareness website that serves as a central repository where financial services companies of all sizes can access valuable cybersecurity tools and resources. The website also houses an FFIEC cybersecurity self-assessment tool to help banks identify their risks and assess their cybersecurity preparedness. The voluntary assessment provides a repeatable and quantifiable process that measures a bank’s cybersecurity preparedness over time.

2. Consumer Compliance
The Consumer Financial Protection Bureau (CFPB)—now a more mature entity—is having a dramatic impact on the supervisory processes around consumer financial products. While the CFPB conducts on-site consumer exams for financial institutions with more than $10 billion in assets, it also has begun to work with regulators in consumer supervisory efforts in smaller banks. The CFPB also has issued a significant number of new and revised consumer regulations that apply to institutions of all sizes. Some of the more onerous requirements center on mortgage lending and truth-in-lending integrated disclosures (TRID).

The CFPB also continues to cast a wide net when it comes to gathering consumer complaints about financial products and services through its consumer complaint database. The latest snapshot shows the database contains information on more than one million complaints about mortgages, student loans, deposit accounts and services, other consumer loans, and credit cards.

CFPB examiners often use complaints received through the database as a channel for reviewing practices and identifying possible violations. This continued pressure has forced financial institutions to ensure their compliance management systems are supported by effective policies, procedures and governance. But keep in mind, it’s even more important now to adequately aggregate, analyze and report customer-level data, so your institution can identify and remediate problems before the regulators come after you, and so you don’t get accused of “abusive” practices under the Dodd-Frank Act.

3. Third-Party Risk Management
As a component of safety and soundness examinations, effective third-party risk management is regarded as an important indicator of a financial institution’s ability to manage its business. As a result, regulatory examinations consistently include an element of third-party risk management, and all of the federal bank regulators have issued some form of guidance related to third-party risk. The Federal Reserve’s (Fed’s) SR 13-19 applies to all financial services companies under Fed supervision. The Fed guidance focuses on outsourced activities that have a substantial impact on a bank’s financial condition or that are critical to ongoing operations for other reasons, such as sensitive customer information, new products or services, or activities that pose material compliance risk.

Guidance from the Office of the Comptroller of the Currency (OCC) on third-party risk (Bulletin 2013-29) generally is more comprehensive than the Fed guidance and requires rigorous oversight and management of third-party relationships that involve critical activities. The OCC bulletin specifically highlights third-party activities outside of traditional vendor relationships.

Outlook
The critical areas discussed here are just a few for which banks need to expect more regulatory scrutiny in 2017. While there are early indicators that some elements of Dodd-Frank and other regulatory requirements could be pared back as the new administration takes control of the White House, the industry will need to closely monitor any changes and adjust compliance efforts accordingly.

Cybersecurity Governance: How to Protect the Bank

Modern banking increasingly relies upon technology and the internet to manage and streamline business operations. With increased dependence on technology comes an increased risk of security threats. Kaspersky Lab reported it had detected 323,000 malware files per day using its software in 2016. This number is 4 percent higher than in 2015.

The impact of a successful cyberattack is often quite damaging: legal liabilities, harm to brand reputation, loss of trust from customers and partners, and ultimately, lost revenue. The average cost of a data breach is now up to $4 million, according to a 2016 Ponemon study.

Banks are responsible for more data than ever and as data use continues to grow, banks face the challenge of properly creating strategies, frameworks and policies for keeping sensitive data secure. Meanwhile, criminals develop new and sophisticated tactics to target valuable data.

Security is, and should be, a concern for all employees. However, leadership must be responsible for establishing and maintaining a framework for information security governance. Information security governance is defined as a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, and manages risks while monitoring the success or failure of the IT security program.

Whether it is the board of directors, executive management or a steering committee that is involved—or all of these—information security governance requires strategic planning and decision-making.

Best Practices
Despite the threats of cyberattacks and data breaches, banks can take proactive steps to better position themselves for successful security governance. What follows are five strategic best practices for information security governance:

1. Take a holistic approach.
Security strategy is about aligning and connecting with business and IT objectives. A holistic approach can provide leadership with more levels of control and visibility.

What data needs to be protected? Where are the risks? Take a unified view of how information security impacts your organization and how employees view security. Get early buy-in from key stakeholders, such as those in the IT, sales, marketing, operations and legal departments. Scope out what data needs to be protected and how that fits into the larger picture.

2. Increase awareness and training.
Although developed by leadership, information security governance speaks to all employees within the organization and requires a continued level of awareness. Governance creates policies and assigns accountabilities, but each member is responsible for following the security standards.

Constant training and education on security best practices is vital. The cyberthreat landscape is rapidly changing and employees, and company training, must keep up. This way, if new threats emerge, you will be prepared.

3. Monitor and measure.
Information security governance should never have a “set it, then forget it” approach. It’s about ongoing assessment and measuring. Monitoring ensures that objectives are being achieved and resources are appropriately managed. What security governance policies are working? Which policies are not?

Conduct mock data breach scenarios to test the efficacy of corporate teams and company incident response plans. Test results can reveal strong and weak links—what the bank needs to concentrate on, and what security governance policies work well under pressure.

4. Foster open communication.
Stakeholders should feel they can openly communicate directly with leadership, even when sharing bad news. Open communication promotes trust and brings a higher level of visibility throughout. Engagement is key. Consider creating a steering committee composed of executive management and key team leads (IT, marketing, finance, PR, legal, operations, etc.) to review and assess current security risks.

5. Promote agility and adaptability.
Gone are the days of monolithic, cumbersome governance; banks need to adapt quickly to meet the changing tide of security threats. IT management, which is typically concerned with making tactical decisions to mitigate security risks, might have some hands-on experience and opinions about the effectiveness of a particular security policy, but their recommendations can only go so far without C-suite support. Leadership must quickly determine how to implement suggested changes throughout the bank. And if a security governance policy is ineffective, leadership must be willing to jettison the policy.

Overall, successful information security governance involves a continuous process of learning, revising and adapting. Banks need to be proactive and strategic with their security posture. Threats and incidents are inevitable, but moving strategic security governance to the forefront of your organization can help protect valuable information.

Download the full Diligent white paper: Five Best Practices for Information Security Governance.

What You Don’t Know About Network Defenses Can Definitely Hurt You

Hackers have many avenues to choose from when it comes to attacking your organization, the most obvious of which is breaking in from the outside, or attacking your network’s perimeter. But they also can choose to attack from the inside-out by targeting your employees and internal weaknesses.

Cyber criminals use tactics like password attacks, session hijacking, exploiting application vulnerabilities and leveraging malware to gain unauthorized access to your network. Once inside, they steal, delete or distort confidential data, and often alter or disable security features to enable larger future attacks and avoid detection.

As revealed in Verizon’s 2016 Data Breach Investigations Report—a yearly study composed of findings from law enforcement agencies, forensic services firms and other entities—external threat perpetrators have been responsible for at least 75 percent of confirmed data breaches in each of the last six years.

To help protect your network, all employees—from the top down—should learn to spot the signs of a possible attack or breach, from suspicious emails and system modifications to unusual network glitches.

Here are some examples of the possible tools in an attacker’s arsenal:

  • Session hijacking: occurs when an attacker hijacks a network session shared by two systems by masquerading as one of them.
  • Password cracking: involves identifying the password of a user or administrator to gain system access.
  • Denial of Service (DoS) attacks: bombard a system, causing it to crash or deny access to legitimate users.
  • Web-application attacks: hackers exploit weaknesses and/or security flaws in a web application, possibly leading to the compromise of the host device or internal network.
  • Malware: includes ransomware that encrypts your files on the network drives and demands payment of a “ransom” to decrypt them; rootkits that embed themselves in your computer’s software, replacing legitimate software or hiding malicious ones; and remote access trojans (RATs), disguised as legitimate programs, but giving attackers an open door into your network.

Toughen Your Defenses with Vulnerability Assessments and Penetration Testing
Two crucial types of security testing offer financial institutions the best protection against these threats: vulnerability assessments and penetration testing. One is focused on finding as many vulnerabilities as possible, while the other can reveal the impact of an attack rather than theorizing about it, and also ensure that controls work as expected.

A vulnerability assessment is designed to yield a prioritized list of the environment’s vulnerabilities, and works best for institutions that already understand they are not where they should be in terms of security. However, recent guidance outlines the importance of regularly performing vulnerability assessments on your network. The scope, in industry terms, is breadth over depth.

This type of assessment, which helps ensure compliance with Gramm-Leach-Bliley Act data guidelines, can be performed using a remote scanning device—configured by a certified provider—that is plugged into an organization’s network. The device scans the entire network, including hardware and software, and performs internal vulnerability, patch management and port-scanning functions.

The provider can then analyze the data and prepare a detailed report with recommendations for securing your network.

By contrast, a penetration test’s ethical hackers seek to achieve a specific, attacker-simulated goal. A typical goal could be to gain access to the internal network and compromise a privileged account, or obtain the contents of the customer database. The test determines whether a mature security posture can withstand an intrusion attempt from a hacker. Here, the scope is depth over breadth.

A thorough penetration test consists of these elements:

  • Reconnaissance: Entails learning about the target using little or no interaction with their systems. This compares to a burglar watching a neighborhood to determine the patterns of its residents as well as their types of possessions and whether they have security systems. Reconnaissance includes Internet searches, website reviews, IP block information and domain name system (DNS) interrogation.
  • Scanning: The first major contact with the target’s systems, which involves looking for potential openings. This is likened to a burglar rattling doorknobs and checking for unlocked windows. Scanning includes network mapping, port scanning, operating system (OS) fingerprinting, service detection and vulnerability scanning.
  • Gaining Access: This is where the hacker comes in, with an attempt to compromise the system. This step is similar to the burglar breaking into the home using the most vulnerable door or window. Gaining access features password and web application attacks and the exploitation of vulnerable software and configuration flaws.
  • Maintaining Access and Covering Your Tracks: Performed only upon successful penetration into the institution’s network. It should be noted that many organizations forgo these steps because they involve manipulating systems, applications and files.

It is crucial for your financial institution to maintain cyber-resilient networks and systems. The costs of disrupted business, reduced customer confidence, fines and lower profitability resulting from an attack are simply too great.

Emerging Technologies Combat Cybercrime

Anyone following the news knows that cybersecurity is a hot topic across all industries. This is especially true for the financial services industry. With hacks and online fraud on the rise, banks are doing everything they can to reassure customers that their digital information is safe and secure.

And in 2016, this means thinking beyond traditional security measures like a simple username and password combination or a personal identification number (PIN). Digital authentication technologies have evolved beyond passwords, and now include biometric data, like a fingerprint or voice identification, and digital identity authentication, which could combine a user’s device and location, for example.

Banks are increasingly adopting emerging technologies to minimize the opportunities hackers have to conduct illegal activities. Here are three areas that illustrate how banks are stepping up their fraud prevention game through the use of digital authentication technologies.

Federated Digital Identity
One of the biggest friction points for both security teams and users is having multiple identities and logins for different systems. That’s why forward-thinking institutions are exploring the move to a single, federated digital ID that users can authenticate themselves with across different institutions and product lines.

Giving users a single ID provides greater security. Login information isn’t being passed around among multiple systems, so hackers have fewer access points to exploit. Banks are also being forced to comply with increasing cybersecurity regulation as the federal government tries to combat illegal activities like money laundering. Having a single ID would allow financial institutions to quickly access that user’s unique digital token, thereby eliminating unnecessary fraud investigations.

An early sign of this model is USAA’s partnership with the federal government. The goal of the partnership is to allow USAA’s members to access their banking and government accounts with a single username and password. This will serve not only to make things more convenient for the user, but to allow both the U.S. government and USAA to focus their security efforts on protecting just a single digital identity. (USAA’s customer base is restricted to active and former U.S. military members and their families.)

Blockchain Technology
While centralizing IDs and logins makes sense on the front end, banks are looking at the blockchain and distributed networks to provide additional security on the back end. The blockchain acts as a digital public ledger, and the technology was originally designed for bitcoin transactions. Because information on the blockchain isn’t stored on a single computer or server, it removes the risk of a central point of security failure.

Since blockchain technology authenticates users based on a device-specific token, hackers can’t just steal user data from a central server for the purpose of fraudulent usage. The blockchain also facilitates true peer-to-peer transactions, eliminating the need for middlemen who verify ACH transfers, for example. This eliminates yet another potential access point for hackers.

That’s why payment technology companies like Dwolla are turning to blockchain to enhance security. They partnered with BBVA earlier this year to create a real-time payments platform on the blockchain. The idea is to still provide the convenience of digital payments, but facilitated by the blockchain to provide an additional layer of security.

Biometric Authentication
The next big wave in preventing online fraud for banks might just be biometric authentication technologies. In fact, USAA is in the process of rolling out user authentication with software that recognizes the facial contours of users before allowing them to log in. Since things like fingerprints and facial features are nearly impossible to duplicate by hackers, biometrics could provide even more security than device-specific tokens.

In addition to providing secure access, biometrics take away the need to use other sensitive data for authentication purposes. Things like phone numbers, emails and Social Security numbers wouldn’t have to pass back and forth during the login process, thus reducing the risk of their being compromised.

Banks are forced to walk a finer line than ever, balancing convenience with security and fraud prevention. Technologies like the federated ID, blockchain and biometrics are being recognized by financial institutions as the next wave in fraud prevention. If banks are able to steadily phase these in and fortify potential security gaps along the way, they’ll be able to more effectively keep the bad guys out while keeping the customer experience smooth and seamless.

The New FFIEC Information Security Examination Procedures: What Boards Should Be Doing Now

How effective is your bank’s approach to information security, including cybersecurity? On September 9, the Federal Financial Institutions Examination Council (FFIEC) published new information security examination procedures. It is critical that boards and management teams quickly get up to speed on the new exam procedures so there are no surprises in the bank’s next exam that adversely impact earnings, capital or value creation.

The new exam procedures focus on assessing the quality and effectiveness of the bank’s information security program, including its culture, governance, security operations (with emphasis on cybersecurity) and assurance processes, such as self-assessments, penetration tests, vulnerability assessments and independent audits. The procedures contain eleven objectives for the examiners to attain.

The objective relating to security operations and cybersecurity is especially noteworthy, as it contains enhanced expectations. Both in the preamble and in the specific exam procedures, there is recognition that it is not a question of if, but when an attacker will break into the network, so banks need to enhance threat identification, monitoring, detection and response. Examiners will evaluate whether the bank has monitoring in place to identify malicious activity, a process to identify possible compromises in the bank’s systems, and whether it uses tools that reveal and trace an attacker’s actions, such as attack or event trees, to size up exposures and respond effectively.

While speaking on cybersecurity on the main stage at Bank Director’s 2016 Bank Audit and Risk Committees Conference in June, I electronically polled the bank directors and senior executives in attendance. The results from the 206 respondents indicate a need for banks to beef up cybersecurity to meet these enhanced regulatory expectations. While cybersecurity is a top concern for bank boards, seventy-seven percent indicated that they do not review cybersecurity at every board meeting. Fifty-nine percent of attendees said that detecting anomalous activity or threats from malicious insiders are the cybersecurity risks for which their bank is least prepared.

[Chart: poll results. Source: 206 respondents, Bank Director Audit and Risk Committees Conference June 2016]

When I asked how many had implemented ongoing reviews of the network visibility map for risk oversight, only 31 percent had done so. This map visually shows all assets inside the network and helps identify threats. Without this visual map, the bank will be managing its cyber risks in the blind.

What the Board Should Do
Here are five steps that boards should take to remain proactive regarding information security.

  1. Review cybersecurity at every board meeting. Cybersecurity must be handled as a strategic boardroom issue, not as a back-office IT issue.
  2. Use the new information security exam procedures to perform a self-assessment. Identify and eliminate any deficiencies well in advance of the next exam.
  3. Review the network visibility map at every board meeting to visually identify all assets and the risk mitigation in place to protect them.
  4. Task a “hunt” team to identify anomalies within the bank’s network, as described in the new exam procedures. On average, attackers roam inside the network undetected for more than 200 days. Eliminate the exposure using advanced analytics that can mine through millions of records and reveal the attacker and the entire exposure. Response must be prompt.
  5. Conduct ongoing but randomly scheduled social engineering and phishing simulation training to keep employee awareness heightened. Education can prevent employees from falling victim to real attacks and becoming the weakest link in the chain.
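Step 4 above describes a hunt team mining large volumes of records for anomalies that reveal an attacker. As an added illustration, not code from this article or from any product it mentions, the following Python script applies three common hunt rules to a handful of constructed authentication records: a burst of failed logins followed by a success, a successful login during off-hours by an account with no off-hours history, and a login from a source address the account has never used. The record format, the thresholds and the off-hours window are assumptions chosen for the example.

```python
"""Hunt-team triage over authentication records (added example, not from the article).

Each record is "timestamp,user,source_ip,result" where result is success or
failure. The rules and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; no real hosts or accounts are referenced.
SAMPLE_LOG = """\
2016-09-12T08:58:10,jdoe,10.1.4.23,success
2016-09-12T13:20:44,jdoe,10.1.4.23,success
2016-09-12T17:30:05,jdoe,10.1.4.23,success
2016-09-12T09:00:00,bwong,10.1.5.40,success
2016-09-12T09:05:12,bwong,10.1.5.40,success
2016-09-12T14:00:31,bwong,10.1.5.40,success
2016-09-13T02:14:02,jdoe,203.0.113.9,success
2016-09-13T02:14:09,asmith,198.51.100.7,failure
2016-09-13T02:14:31,asmith,198.51.100.7,failure
2016-09-13T02:15:02,asmith,198.51.100.7,failure
2016-09-13T02:15:40,asmith,198.51.100.7,failure
2016-09-13T02:16:11,asmith,198.51.100.7,failure
2016-09-13T02:16:30,asmith,198.51.100.7,success
2016-09-13T09:10:00,bwong,10.1.5.40,success
"""

FAILURE_THRESHOLD = 5                 # assumption: failures in one window that count as a burst
BURST_WINDOW = timedelta(minutes=10)  # assumption: window for counting failures
OFF_HOURS = range(0, 6)               # assumption: 00:00-05:59 is outside normal use
MIN_BASELINE = 3                      # assumption: successes needed before a user has a "normal"


def parse_log(text):
    """Parse the CSV-style records into dicts, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, result = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ip, "result": result})
    records.sort(key=lambda r: r["ts"])
    return records


def find_anomalies(text):
    """Return (user, timestamp, rule) tuples for records matching a hunt rule."""
    findings = []
    recent_failures = defaultdict(list)   # user -> failure timestamps inside the window
    known_ips = defaultdict(set)          # user -> source addresses seen on prior successes
    prior_successes = defaultdict(int)    # user -> number of earlier successful logins
    seen_off_hours = defaultdict(bool)    # user -> any earlier off-hours success

    for r in parse_log(text):
        user, ts = r["user"], r["ts"]
        # Keep only failures that are still inside the burst window.
        window = [t for t in recent_failures[user] if ts - t <= BURST_WINDOW]

        if r["result"] == "failure":
            window.append(ts)
            recent_failures[user] = window
            continue

        # A success right after a burst of failures looks like password guessing that worked.
        if len(window) >= FAILURE_THRESHOLD:
            findings.append((user, ts.isoformat(), "brute_force_success"))
        recent_failures[user] = []

        # Baseline rules only fire once the account has enough history to compare against.
        if prior_successes[user] >= MIN_BASELINE:
            if ts.hour in OFF_HOURS and not seen_off_hours[user]:
                findings.append((user, ts.isoformat(), "off_hours_login"))
            if r["ip"] not in known_ips[user]:
                findings.append((user, ts.isoformat(), "new_source_ip"))

        # Update the account's baseline with this success.
        prior_successes[user] += 1
        known_ips[user].add(r["ip"])
        if ts.hour in OFF_HOURS:
            seen_off_hours[user] = True

    return findings


if __name__ == "__main__":
    for user, when, rule in find_anomalies(SAMPLE_LOG):
        print(f"{when}  {user:<8} {rule}")
```

On the constructed records the script reports one brute-force success for asmith and an off-hours login from a new address for jdoe, while bwong's routine activity produces nothing. The point of the baseline rules is that they compare each account to its own history rather than to a fixed policy, which is what lets a hunt team surface misuse of valid credentials that a simple failed-login counter would miss.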

In March, the Consumer Financial Protection Bureau fined an online payment processor for engaging in unfair, deceptive or abusive acts and practices (UDAAP), due to its failure to implement an adequate information security program and protect consumer data. Other regulators have taken notice, and will not hesitate to assess enforcement actions for information or cybersecurity deficiencies using UDAAP or other enforcement tools available against banks and their technology providers. Information or cybersecurity lapses can cause irreparable harm to the bank, and tarnish its reputation instantly. The stakes are very high. Banks must stay one step ahead.

Embracing Disruption: Why Banks and Fintechs Should Work Together in a Regulated Environment

At first glance, financial technology companies and banks are competitors with similar products but different business models. Fintech companies need fast growth to survive. They must exercise quick marketing strategies and adaptive technologies. And they excel at reaching customers in new ways and providing more personalized customer service. Banks, on the other hand, rely on well-established customer networks, deep pockets and industry experience for their success. However, if they want to preserve their customer base and continue to grow, banks will have to adapt to what’s happening in the financial technology space.

Fintech companies and banks both face many unique challenges. Fintech companies must often decide how to allocate limited resources between marketing, intellectual property, compliance and cybersecurity concerns. Banks depend on legacy technology, lack market speed and must continue to keep pace with new banking regulations and technologies. Although both fintech companies and banks face significant legal barriers, they have different needs and strengths. Fintech companies need the deep regulatory experience that banks have developed over many decades. Banks need flexibility to adapt new technologies to changes in the compliance landscape. These differing but not incompatible needs present an opportune point of intersection for partnership.

The following laws and regulations exemplify a small portion of the regulatory challenges and business relationship opportunities for fintech companies and banks. Please be aware that all financial products—especially new financial technology products with uncharted regulatory profiles—may implicate many other laws not discussed below.

  • Money transmission laws: In order for a fintech company to transfer money between two individuals, it must be licensed under federal and state money transmission laws. State money transmitter laws vary greatly and this creates a considerable barrier to entering the market on a national scale. Banks are generally exempt from state money transmitter laws. Fintech companies can meet money transmitter compliance requirements by strategically structuring the flow of money with banks. Alternatively, fintech companies can act as an authorized agent of a licensed money transmitter service provider.
  • Lending and brokerage laws: State law may require a lender, buyer, servicer or loan broker to be licensed to engage in its respective activity. A fintech company may face severe consequences for unlicensed lending or brokerage practices. Banks in many cases are able to engage in these types of activities. Fintech companies and banks can structure a business relationship to ensure that appropriate legal precautions are in place. Even if a fintech company is licensed, it does not have the ability to use and apply the interest rates of its home state, a power that is afforded to national banks. Fintech companies may be stuck with interest rate limitations set by the state where the borrower lives. Thus, a strategically structured relationship between a bank and fintech company may provide other advantages, beyond compliance, for lending and brokerage products.
  • UDAP/UDAAP laws: Unfair, deceptive or abusive acts or practices affecting commerce are prohibited by law. Both fintech companies and banks face exposure to penalties for engaging in unfair, deceptive or abusive acts. Taking advantage of fintech companies’ adaptive technologies may help banks minimize the risk of committing the prohibited practices. For example, fintech companies may help banks design software that displays pop-up warnings on a customer’s phone before the customer makes an overdraft.
  • Financial data law: Financial data is a growing industry that has seen increasing regulatory oversight. Both fintech companies and banks collect enormous amounts of data and may use it for various legal purposes. Data is the core part of the fintech business; fintech companies collect data and rely on data. However, fintech startups do not have the legal and technical resources of traditional banks to resolve a variety of regulatory and cybersecurity concerns related to the use of data. Fintech companies can partner with banks, particularly with respect to cybersecurity issues. A bank offering products through or with a third party is responsible for assessing the cybersecurity risk related to that third party and mitigating it, and thus parties should consider some important questions upfront, including where the data is located, who owns it and how it is protected.

Despite the many issues and concerns that may arise from the partnership between fintech companies and banks, cooperation colors the future. Fintech companies can take advantage of the industry knowledge that bankers possess, certain regulatory advantages that banks enjoy and the industry’s cybersecurity infrastructure. Banks can take advantage of fintech companies’ ability to create new products, certain regulatory advantages and adaptability to regulations. With an understanding of the legal and regulatory framework of fintech companies and banks, their different business models can be used as an opportunity rather than a barrier to business.

Aggressive Action Needed to Secure Banking’s Digital Future

As a community bank stock investor, one of my biggest tasks is to read. To stay on top of what is going on in the industry I read all the pertinent releases from the FDIC, the Fed and the OCC. I also read a few hundred bank earnings reports every quarter as well as the transcripts of the company conference calls if they are available. Over the years it became obvious that I needed to stay informed of developments concerning the major lending markets so I added reports from homebuilders, real estate developers and REITs to the mix. When it became clear that fintech was going to change the industry in a meaningful way, I added the reports of public fintech companies to the mix as well.

In reading the fintech reports one thing became very obvious to me. The key to fintech’s future is going to be cybersecurity. None of the innovation and productivity improvements offered by the new technology for banking means anything if the data and funds can easily be hacked, manipulated or stolen. So I have added cybersecurity companies to my reading list and that’s what led me to the transcript of a quarterly call with the CEO of Vasco Data Security Systems.

Vasco is a leader in providing two-factor authentication and digital signature solutions to financial institutions. It does business with many of the world’s largest financial institutions and has more than 10,000 customers around the globe. Founder and CEO Ken Hunt has been involved in the cybersecurity industry since the 1990s and has seen its growth explode as cyber crime became the next big thing in criminal activity. On his most recent conference call he discussed the current trends in cybersecurity with a special emphasis on the banking industry.

The growing use of EMV cards has made it more difficult to steal data and funds during the payment process. While Hunt sees this as a major step forward in protecting the customer’s money, it has not deterred the cyber thieves but merely pushed them in new directions such as mobile and online banking as venues for stealing data and funds.

Hunt pointed out that according to a recent report from consulting firm KPMG nearly three out of four consumers–and almost 90 percent of millennials–use mobile banking. While it is the wave of the future, unfortunately it is also one of the most vulnerable points in the banking process. Staying out in front of potential cyber threats to their mobile banking systems will be critical for banks going forward as the same study points out that most consumers would switch banks if their current institution was hacked and it did not take immediate steps to fix the situation and reimburse their losses. Banks have to offer mobile platforms for competitive and customer preference reasons, but they will also have to spend money to keep the platform secure from what will be relentless hacking efforts by the bad guys.

According to Hunt, biometric identification is going to be a big part of the mobile security solution. We are already seeing some banks and credit card processors use fingerprints and what MasterCard is calling “selfie” identification to control access to mobile banking and payment systems. He cited a study recently released by Acuity Market Intelligence that estimates that by the end of 2018 all smartphones shipped will contain a biometric identification system. Banks that want to stay in the forefront of mobile banking will need to consider adopting such a system if they want to retain a security conscious customer base.

While mobile is a cybersecurity hot spot, Hunt also referenced what he called the “enduring nature” of hardware-based security. Cyber attacks against banks are not going to go away, but will become more aggressive and sophisticated over time. Hardware-based security programs will need to be constantly updated. Traditional bank robberies have declined in number in recent years. Typically, they are the work of not very bright criminals, and an estimated 98 percent of them are captured and spend a significant portion of their lives as guests of Uncle Sam. Cyber criminals tend to be smarter and have the luxury of being able to attack from remote locations. They will be much harder to catch and their tactics will evolve as protection systems grow stronger, so it is likely that hacking attempts directed at banks will continue to grow at a rapid pace.

Fintech is changing banking, and it is happening very quickly, particularly in the mobile space. Reading Hunt’s discussion with investors and analysts reveals that banks that want to survive and thrive will need to take aggressive action to protect customer data and funds as we move into an increasingly digital and mobile world of banking.

Raising the Bar: Top Challenges Facing Bank Boards

Regulators are expecting more and more from bank management teams and boards. In this video, Lynn McKenzie, a partner at KPMG, offers solutions to help address the top challenges facing the industry.

  • Legal and Regulatory Compliance
  • Cybersecurity
  • Financial and Regulatory Reporting
  • Vendor Risk Management

Taking on the Toughest Challenges

As bank leaders explore different avenues for growth, they must also weigh the risks that could threaten their institution. In this panel discussion from Bank Director’s 2016 Bank Audit & Risk Committees Conference, led by President & CEO Al Dominick, Dale Gibbons of Western Alliance Bancorp., Lynn McKenzie of KPMG and Bill Fay of Barack Ferrazzano Kirschbaum & Nagelberg focus on the key issues that bank boards and executive teams need to address, from third-party vendor risk to strategic growth.

Highlights from this video:

  • Top Issues for Audit & Risk Committees
  • Aligning Growth Strategy & Risk
  • Evaluating Partnership Opportunities
  • Addressing Technology & Cybersecurity as a Board

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance

Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.