5 Considerations When Vetting Fintech Partnerships

Fintech collaborations are an increasingly critical component of a bank’s strategy.

So much so that Bank Director launched FinXTech, committed to bridging the gap between financial institutions and financial technology companies. Identifying and establishing the right partner enables banks to remain competitive among peers and non-bank competitors by allowing them to access modern and scalable solutions. With over 10,000 fintechs operating in the U.S. alone, finding and vetting the right solution can seem like an arduous task for banks.

The most successful partnerships are prioritized at the board and executive level. Ideally, each partnership has an owner — one that is senior enough to make decisions that dictate the direction of the partnership. With prioritization and owners in place, banks can consider fintech companies at all stages of maturity as potential partners. While early-stage companies inherently carry more risk, the trade-off often comes in the form of enhanced customization or pricing discounts. These earlier-stage partnerships may require the bank to be more involved during the implementation, compliance or regulatory processes, compared to working with a more-mature company.

There is no one-size-fits-all approach, and it’s important for banks to evaluate potential partners based on their own strategic plan and risk tolerance. When conducting diligence on fintechs of any stage or category, banks should place emphasis on the following aspects of a potential partner:

1. Analyze Business Health. This starts with understanding the fintech’s ability to scale while remaining financially viable. Banks should evaluate financial statements, internal key performance indicator reports, and information on sources of funding, including major investors.

Banks should also research the company’s competitive environment, strength of its client base and potential expansion plans. This information can help determine the fintech’s capability to sustain operations and satisfy any financial commitments, allowing for a long-term, prosperous partnership. This analysis is even more important in the current economic environment, where fresh capital may be harder to come by.

2. Determine Legal and Compliance. Banks need to assess a fintech’s compliance policies to determine if their partner will be able to comply with the bank’s own legal and regulatory standards. Executives should include quarterly and annual reports, litigation or enforcement action records, and other relevant public materials, such as patents or licenses, in this evaluation.

Banks may also want to consider reviewing the fintech’s relationship with other financial institutions, as well as the firm’s risk management controls and regulatory compliance processes in areas relevant to the operations. This can give bank executives greater insight into the fintech’s familiarity with the regulatory environment and ability to comply with important laws and regulations.

3. Evaluate Data Security. Banks must understand a fintech’s information and security framework and procedures, including how the company plans to leverage customer or other potentially sensitive, proprietary information.

Executives should review the fintech’s policies and procedures, information security control assessments, incident management and response policies, and information security and privacy awareness training materials. In addition, external reports, such as SOC 2 audits, can be key documents to aid in the assessment. This due diligence can help banks understand the fintech’s approach to data security, while upholding the regulator’s expectations.

4. Ask for References. When considering a potential fintech partnership, executives should consult with multiple references. References can provide the bank with insight into the company’s history, conflict resolution, strengths and weaknesses, renewal plans and more, allowing for a deeper understanding of the fintech’s past and current relationships. If possible, choose the reference you speak with, rather than allowing the fintech to choose.

5. Ensure Cultural Alignment. The fintech’s culture plays an important role in a partnership, which is why on-site visits to see the operations and team in action can help executives with their assessment. Have conversations with the founders about their goals and speak with other members of the team to get a better idea of who you will be working with. Partners should be confident in the people and technology — both will create a mutually successful and meaningful relationship.

Despite the best intentions, not all partnerships are successful. Common mistakes include lack of ownership and strategy, project fatigue, risk aversion and unreasonable expectations. Too often, banks are looking for a silver bullet, but meaningful outcomes take time. Setting expectations and continuing to re-evaluate the success and performance of these partnerships frequently will ensure that both parties are achieving optimal results.

Once banks establish partnerships, they must also nurture the relationship. Again, this is best accomplished by having a dedicated partner owner who is responsible for meeting objectives. As someone who analyzes hundreds of fintechs to determine quality, viability and partner value, I am encouraged by the vast number of technology solutions available to financial institutions today. Keeping a focused, analytical approach to partnering with fintechs will put your bank well on its way to implementing innovative new technology for all stakeholders.

5 Best Practices for Digital Identity Verification

Attacks on the financial sector have increased steadily for two decades, and the volume of reported attempts surged in just the last few years.

In fact, 68% of financial services providers reported an increase in fraud attempts compared to the prior year. Fraud in the account opening process is endemic; in response, institutions are using multi-layered verification to locate, approve and onboard legitimate customers with low friction while deterring fraud and maintaining compliance. A robust identity verification program allows platforms to capitalize on digital adoption while delivering a seamless customer experience. Fifty-three percent of Americans report that being prompted to take extra steps to verify their identity makes them trust that company more. And those who report being less trusting are less likely to engage in desirable downstream business practices.

A lack of trust creates a drag on profits while compromising the end-user experience. But institutions can use several best practices to locate and approve new legitimate customers, significantly lessening friction or fraud and streamlining the customer journey.

1. Analyze Multiple Layers of Data
Forty-five percent of organizations say they perceive multiple layers of identity attributes as a best practice. As fraudsters increasingly add sophistication to their schemes, additional layers, or “blankets,” of attributes that work together are the key to a seamless customer experience and fraud mitigation. Solutions that orchestrate multiple dynamic data sets not only detect and deter fraud — especially synthetic identity fraud — but don’t add friction because the solution is predicated on data collection practices that are easy to explain and defend.

Multiple layers at the heart of the identity verification process identify legitimate customers more quickly and accurately, and call on additional verification methods only when absolutely necessary.

2. Layer Machine Learning with Human Fraud Expertise
Financial service providers can balance user experience with identity verification standards by combining increasingly adopted technologies with human fraud expertise. Financial institutions have the power to analyze massive amounts of digital transaction data by applying supervised machine learning (ML) to the identity verification process, creating efficiencies by recognizing patterns that can improve decision-making.

Coupling this with human expertise and intuition gives institutions the best of both worlds: enhanced anti-fraud protocols and new, more usable data sets that improve identity verification efforts going forward. Machines are great at detecting trends that have already been identified as suspicious, but have a blind spot when it comes to novel forms of fraud. It’s critical that providers layer human fraud expertise on top of machine learning.

3. Embrace Data and Decision Transparency
Many ML-based solutions provide a pass or fail score that is as opaque as it is simple. Without visibility into decisioning data, institutions are left to depend on restrictive and hazy score-based identity proofing models. These “black box” solutions don’t offer data intelligence visibility; instead, they apply common engine logic across multiple customers and industries.

An effective identity verification solution should provide a continuous data feedback loop so institutions can understand and explain to regulators and consumers why they made certain decisions. This allows financial institutions to better assess their risk and fine-tune the identity verification processes to best fit their needs. This is nearly impossible to do with a system that relies on “black box” algorithms and little governance of modifications from one company to another.

4. Implement Customized Identity Verification Workflows
The ability to customize identity verification settings to meet specific customer needs is quickly becoming mission-critical. Every organization is different; every financial institution has different verification protocols that reflect these unique needs. This includes the ability to tweak and tune identity verification settings in real time, without the help of IT. Every institution needs the ability to act quickly as they anticipate attacks, adapt to changes in human behavior and respond to the emergence of new customer segments, profiles and needs.

At the same time, institutions need to empower decision-makers to collect less sensitive information or enact pre-qualification formats for certain applications, streamlining customer onboarding without compromising identity verification standards.

5. Cross-Industry Fraud Intelligence
It’s common for fraudsters to jump from industry to industry as they carry out their plans, which means that effectively fighting fraud is a group effort. With the right identity verification solution in place, financial institutions will have visibility into serial, multi-industry fraud schemes, as well as the trends and data that span industries and channels.

As the financial sector moves towards a post-pandemic reality, fraud attempts are likely to grow alongside customer expectations. Identity verification will be an operational necessity and a moral imperative, keeping financial institutions and consumers safe in a challenging digital environment.

Guarding Against Virtual Viruses in a Pandemic

As healthcare experts work to mitigate the Covid-19 pandemic, the banking industry is faced with fighting other viruses.

Cyber attackers are known to be opportunistic, pouncing during times of anxiety and uncertainty. Rest assured, they won’t let up once the coronavirus has run its course. While information technology directors are focusing their attention on processing huge volumes of Small Business Administration loans and assisting bankers working remotely for the first time, computer virus and malware threats continue to rise. If not handled effectively, this could threaten the security of the financial system.

Dr. Anthony Fauci, head of the National Institute of Allergy and Infectious Diseases, cautions that Americans need to prepare for the possibility that Covid-19 could return — or even become a seasonal disease. With such prospects, savvy bank directors should familiarize themselves with their institutions’ data security and technology infrastructure. Here are six points to consider when assessing the future of their bank’s information security system:

Look again at business continuity plans. While your bank may have one, it likely did not consider the immediate worldwide demands for laptops and network hardware needed to configure remote work capabilities. Nor did these plans likely consider supply chain interruptions when factories shut down in Asia, where the virus was first detected. The lesson: If you wait until the next global emergency occurs, you might be too late. Plan now.

Consider the increased risk with more employees working remotely. The larger the inventory — coupled with less control of who uses the computer — the tougher it is to protect. An even more concerning practice is allowing bank employees to use personal computers to access bank networks. Firewalls, spam filters, anti-virus software and other security measures should not be determined by individual employees.

The Cybersecurity and Infrastructure Security Agency has issued guidance related to remote work and defending against Covid-19 scams. One of their tips is to ensure virtual private networks, or VPNs, have the latest software package and configurations, and that current anti-virus software is installed and up-to-date. Multi-factor authentication is another must-have for protecting your bank’s network.

Make sure you have enough IT support. Even before Covid-19, there were not enough qualified technical staff to fill available positions. The increased demand for remote connectivity has further stretched IT departments. Make sure your technology departments are fully staffed, or have access to qualified outside help.

Be sure employees are hyper-vigilant. Attackers hope that more distance between coworkers will equate to guards being lowered. Ensure that employees are regularly reminded of social engineering, email and other current threats to increase top-of-mind awareness of cyber security.

Be aware that some attacks are physical. We typically think of cyberattacks occurring “invisibly,” through system networks and software. But at least one entity is now mass-mailing infected “free” USB drives to financial institutions. Remind employees to discard any hardware that comes from unknown sources.

Consider the benefits of cloud technology. A recent article in The Wall Street Journal described how remote-work capabilities could become more common as money tightens and daily operations need more flexibility. Cloud computing is both more efficient and flexible, and is easily scalable. Bank regulators have taken notice, saying that outsourcing such technologies gives banks more options.

Time will tell, but this may be a turning point for American business. As more workers have established a routine for working from home — and have found surprising levels of efficiency and productivity — it’s expected that this could become more of the norm, at least in the near term.

Some in the financial services industry have been slow to change; they may now be forced to out of necessity. It’s incumbent upon directors to champion this flexibility and resiliency by ensuring their data security and information infrastructure are ready to handle it.

How Banks Can Use the Dark Web to Shed Light on Cybersecurity

Cyberthreat intelligence, or CTI, can give bankers a deeper understanding of the potential threats that face their business.

Whether it is knowing your enemy or learning about the latest malware, CTI provides information that can help executives make prudent, risk-based decisions. This information comes from the open internet as well as closed sources, including the darknet and dark web. Analyzing this CTI can produce insights and identify signs of a potential breach, leaked data or pending attacks.

The darknet is the part of the internet that is not accessible through conventional browsers and requires specific software or configurations; the deep web is the part of the internet that is not accessible through search engines. Some nation states, cybercriminal gangs and threat actors thrive in this underground economy through illegal activity that includes the sale of personal information, financial goods and illicit services. For a bank’s CTI, the deep web and darknet are a treasure trove of breached information and threat indicators.

A vast majority of these cyberthreat intelligence sources contain goods and sensitive data stolen from the financial services industry. Potential financial gain drives bad actors to maintain a thriving marketplace built on illicit items, including debit and credit card numbers, identity theft services and banking malware.

While no tool or service can completely eliminate the risk of a data breach, integrating CTI into a bank’s cybersecurity program can make the bank a more difficult target and lower the likelihood of a breach. To get value from CTI, a bank can:

  • Identify the threat actors that are leveraging potential vulnerabilities in systems used by the financial sector;
  • Understand whether a particular organization or client is being targeted directly;
  • Detect active malware campaigns that could target the bank;
  • Learn where its customer and employee information may exist;
  • Find breached credit or debit cards on deep web or darknet marketplaces; and
  • Understand emerging trends regarding data theft.

There are a variety of ways that financial institutions can leverage, and directly benefit from, CTI. Some examples include:

  • Incorporating technical indicators of compromise into the company’s security information and event management system;
  • Briefing high-level executives on industry trends and providing intelligence on potential future attacks;
  • Providing intelligence briefings to security operation centers (SOCs), increasing the situational awareness of technical campaigns and bad actors;
  • Developing incident response scenarios;
  • Achieving timely integration with fraud teams to deactivate stolen credit or debit cards;
  • Working with law enforcement to remove stolen credit, debit or other financial information from the deep or dark web;
  • Segregating and limiting internal access to systems if an individual’s credentials are exposed;
  • Communicating with social media and marketing teams about exposed data; and
  • Implementing patches for known vulnerabilities that are discovered on external-facing systems and applications.
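The first item on the list, feeding technical indicators of compromise into the SIEM, is the one most readily shown in code. The following Go program is an added example written for this page, not code from the article or from any vendor. It assumes a simple `type,value,description` feed format and key=value log lines, both constructed here, and matches IPv4 addresses, DNS names and SHA-256 digests from the feed against each log line, reporting which indicator each line tripped.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Indicator is one technical indicator of compromise taken from a CTI feed.
type Indicator struct {
	Type  string // "ip", "domain" or "sha256"
	Value string // normalised: trimmed and lower-cased
}

// Match records a log line that referenced a known indicator.
type Match struct {
	Line      int       // 1-based position in the scanned log batch
	Indicator Indicator // the indicator that was hit
	Log       string    // the original log line, unmodified
}

// sampleFeed is a constructed feed (these are not real indicators); the
// "type,value,description" layout is an assumption, not any vendor's schema.
const sampleFeed = `# type,value,description
ip,203.0.113.45,constructed: command-and-control address
domain,update-check.example.net,constructed: phishing landing page
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,constructed: dropper hash
`

// sampleLogs are constructed proxy and endpoint records in a key=value layout.
var sampleLogs = []string{
	"2024-05-01T10:00:01Z proxy src=10.0.0.12 dst=198.51.100.7 host=intranet.example.com status=200",
	"2024-05-01T10:00:05Z proxy src=10.0.0.31 dst=203.0.113.45 host=update-check.example.net status=200",
	"2024-05-01T10:01:13Z edr host=WS-0419 file=invoice.pdf.exe sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
	"2024-05-01T10:02:00Z proxy src=10.0.0.12 dst=192.0.2.10 host=www.example.org status=304",
}

// extractors pull candidate values out of a lower-cased log line; every
// candidate is then checked against the indicator set, so a candidate that is
// not an indicator (an internal host name, say) simply produces no match.
var extractors = []*regexp.Regexp{
	regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`),    // IPv4 address
	regexp.MustCompile(`\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b`), // DNS name
	regexp.MustCompile(`\b[0-9a-f]{64}\b`),               // SHA-256 hex digest
}

// LoadIndicators parses the feed into a lookup keyed by normalised value,
// skipping blank lines, comment lines and malformed rows.
func LoadIndicators(feed string) map[string]Indicator {
	iocs := make(map[string]Indicator)
	sc := bufio.NewScanner(strings.NewReader(feed))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, ",", 3)
		if len(parts) < 2 {
			continue
		}
		ind := Indicator{
			Type:  strings.ToLower(strings.TrimSpace(parts[0])),
			Value: strings.ToLower(strings.TrimSpace(parts[1])),
		}
		iocs[ind.Value] = ind
	}
	return iocs
}

// ScanLogs reports every (line, indicator) pair where a known indicator appears.
// Matching is case-insensitive and each indicator is reported once per line.
func ScanLogs(logs []string, iocs map[string]Indicator) []Match {
	var matches []Match
	for i, raw := range logs {
		line := strings.ToLower(raw)
		seen := make(map[string]bool)
		for _, re := range extractors {
			for _, cand := range re.FindAllString(line, -1) {
				ind, ok := iocs[cand]
				if !ok || seen[cand] {
					continue
				}
				seen[cand] = true
				matches = append(matches, Match{Line: i + 1, Indicator: ind, Log: raw})
			}
		}
	}
	return matches
}

func main() {
	iocs := LoadIndicators(sampleFeed)
	for _, m := range ScanLogs(sampleLogs, iocs) {
		fmt.Printf("line %d: %s indicator %s hit\n", m.Line, m.Indicator.Type, m.Indicator.Value)
	}
}
```

In a live deployment the feed and the log sources would be streams rather than constants and each `Match` would become a SIEM alert. The normalisation step is the part that is easy to skip and costly to get wrong: the same hash or host name arrives in different letter cases from different sources, and an indicator that is never lower-cased on both sides is an indicator that never fires.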

What does a successful CTI program look like at financial institutions?
Deep analytical CTI is usually not possible at small- to medium-sized financial institutions using the internal resources of their existing security teams, and is often outsourced to a vendor or third party. Outsourcing can provide some value-added actions, such as:

  • Identifying breached credit and debit cards or other financial information;
  • Monitoring chatter about C-suite executives;
  • Assisting in preventing fraud that stems from credential theft;
  • Thwarting attacks planned by adversaries that use new financial theft malware, ransomware or Trojans;
  • Examining reputational damage or brand-related chatter for an organization;
  • Identifying large credential data dumps or breaches;
  • Identifying or ascertaining stolen or fraudulent goods like blueprints, skimmers and physical devices, or sensitive data such as tax forms, personally identifiable information and protected health information.

CTI can provide a variety of actionable information that executives can use to make better cybersecurity decisions and assess their risk appetite. With CTI, bankers can prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. A deeper understanding of the threats they face gives companies a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.

How Financial Institutions Should Prepare For and Respond to a Cybersecurity Incident

Cybersecurity incidents and data compromises continue to plague financial institutions on a seemingly daily basis. Without a proper response plan in place, financial institutions risk significant damage to their reputation and operations, as well as serious potential liability from regulators and class-action litigation. This guide outlines the procedures financial institutions should implement to prepare for and respond to a cybersecurity incident.

It is crucial that financial institutions adopt a response policy to mitigate the harm of a cybersecurity incident. This policy should establish a response team, including an executive officer and technical and operational personnel, charged with handling all cybersecurity incidents.

Time is of the essence during any cybersecurity incident, and communication is vital to the response team’s effective handling and investigation of the situation. Each employee should know how to report an incident. Notification processes, responsible personnel, and other elements of the communications plan should be as seamless as possible to enable the cybersecurity response team to immediately investigate the potential incident and determine whether an incident actually occurred. As soon as the incident is confirmed, the team must immediately respond.

Determine the severity of the incident. The response team should first determine the severity of the harm and the type of incident that occurred. This will help determine the scope of response necessary to appropriately address the incident. The team should be sure to create a detailed record of all investigations and responses.

Mitigate the harm. The response team next should work to mitigate the harm on its systems. For example, the team can quarantine or isolate the compromised system, install security patches to prevent further incidents, update anti-virus signatures, and conduct a vulnerability analysis to identify elements of the system potentially at risk of a similar incident.

Establish lines of communication. Pre-determined and clear lines of communication, both internal and external, are critical to responding to an incident. The response team should also be in communication with appropriate auxiliary teams in the financial institution. For example, if the cybersecurity incident led to customer information being compromised, the response team should coordinate with the customer relations team to facilitate customer notification. Senior management should also inform the board of directors of the incident so that the directors can assist in developing a response strategy as appropriate.

When deemed necessary, the response team should also be in contact with third-party advisors, such as legal counsel or forensics experts. If the response team determines an incident has potentially compromised personally identifiable information or other legally protected information, the team should immediately contact legal counsel and the institution’s insurance carrier (unless instructed otherwise by legal counsel).

Review and repair vulnerabilities. After a financial institution has experienced a cybersecurity incident, it should evaluate system vulnerabilities by identifying the incident’s source and method. The financial institution should rectify or mitigate the risk of the vulnerabilities as soon as possible.

After addressing the incident, the financial institution should also evaluate its response team’s efficiency and effectiveness. Are there aspects of the plan that can be improved? Were the communication lines clear and efficient? How long did it take for the team to spring into action? How long did it take to implement the mitigation? Was the response team appropriately staffed? Answers to these and other probing questions will serve to better prepare the institution for the next incident and should provide the basis for improvements to policies and procedures.

Preparing in advance for a cybersecurity incident can mean the difference between containing the release of sensitive data and having that data released to the public. Because preparations help control damage even when a breach does happen, they can also make the difference between a small, manageable cybersecurity incident and a large, cumbersome data breach that could severely damage the reputation and operations of the company.

How Poor Communication Practices by Directors Increase Cyber Risk

The role of a corporate director is continuously expanding, particularly in the banking space. Beyond growing profits, today’s directors are also responsible for ensuring corporate ethics, social responsibility, cybersecurity and more. Unfortunately, many directors are still using their old communication tools. A recent report from the New York Stock Exchange and Diligent found that the communication practices of directors and executives are potentially increasing their company’s level of cyber risk for the sake of personal convenience.

These findings are particularly alarming in the context of recent regulatory pressures on boards to be held accountable for data privacy and cyber breaches—including a recent ruling by the New York State Department of Financial Services applicable to all financial services firms conducting business in New York, and the impending impact of the European Union’s General Data Protection Regulation for every company that serves EU customers. (For further details about the New York regulations, see “New Rules for Financial Firms in New York Put New Onus on Boards.”)

The NYSE/Diligent report noted that while directors and executives have access to sensitive data, they operate with little-to-no direct oversight by the company’s IT/data security teams, and are therefore not restricted to using only secure communication channels when discussing board business. In fact, of the 381 corporate directors of publicly traded companies surveyed for the report:

  • Ninety-two percent use personal email accounts (outside corporate firewalls) at least occasionally to conduct board business.
  • Fifty percent regularly download confidential company documents onto personal devices or computers.
  • Sixty-two percent are not required to undergo cybersecurity training.
  • Forty percent “didn’t know” if the board had ever conducted a security audit.

So what are some best practices for secure board communication that banks and financial institutions can employ to mitigate cyber risk and prepare their directors and executives to meet the challenge?

Training and Assessments
Cyber threats can change at a moment’s notice, and regulatory requirements in the cybersecurity space continue to evolve. Regular training is imperative for board members, especially experienced directors who need refreshers or may not be aware of the latest risks. Customize the training to include a review of the practices your company expects from directors to ensure they are handling sensitive information appropriately, and continue to revisit these on an annual basis.

Bring the data security team into the boardroom to conduct an audit of directors’ communication practices. By ensuring that directors are handling documents only through secured and encrypted channels, your company can minimize exposure to some of the worst penalties of the new regulations.

Also, leverage the annual board evaluation by making cybersecurity a key component of board success. Query directors on their level of readiness to handle a material data breach or leak, and their understanding of the board’s responsibility versus the roles of IT and the management team. From there, the company can identify areas where further education and training are needed.

Keep Business and Personal Separate
Free email service provider use has been the center of too many corporate cyber incidents in recent years—yet directors continue to use personal email as a primary communications method rather than adopting more secure technology. Why? While internal emails and servers typically have heightened security and stronger encryption, many directors reject company-issued email accounts because they serve on multiple boards, which could lead to a single director having to check multiple inboxes and multiple calendars to conduct board work.

But what directors gain in convenience by using personal email, they lose in increased risk. The better solution? Give up on email altogether and opt for a secure messaging tool.

Secure and Convenient Technology
Select a secure messaging tool that is designed specifically for director communication and can be integrated into your existing governance software. There are a number of considerations to keep in mind. Do your directors prefer to use mobile? Do they want to make digital edits while reviewing board docs? What level of protection and encryption do you need?

These platforms can alert directors’ mobile phones when messages arrive and allow them to log in with biometrics—while still enabling the data security team and corporate secretary to control record retention and data encryption. It not only facilitates convenient board communication, but can also be a last line of defense in case devices are stolen in transit, lost on planes or impacted by viruses/malware while connected to unsecured Wi-Fi.

Six Best Practices to Help Customers Achieve True Data Privacy

With today’s constant news stream of ransomware threats, denial of service attacks and data breaches, data privacy is more of a concern than ever. But, what exactly do we mean by data privacy, and how can we convey its importance to customers?

At its root, data privacy is the concept of implementing appropriate controls related to the sensitivity of data. There are two key components of data privacy: data classification and data protection.

Data classification simply means understanding the sensitivity level of data. There are three main categories: public, sensitive and confidential. Any data, even that which is publicly available, can be collected and used by a criminal to profile their prey. The numbers tell the story: Through July 6, 2017, according to the nonprofit Identity Theft Resource Center, we’ve seen a total of 791 breaches and 12.39 million compromised records across all major industries.

Data classification helps determine the level of protection warranted, with confidential data justifying the most:

  • Confidential data, such as social security numbers, bank details, or other personally identifiable information—whether in transmission or storage—should be encrypted, and devices used to store and transmit it should be secured as well. When disposing of this data, whether electronically or in a tangible format, the data records should be fully destroyed through shredding (electronic or physical). In some cases, entire storage devices should be destroyed.
  • Sensitive data, such as religious or relationship information, or private business plans, is similar to confidential data in that the owner does not wish to share it with others. As such, sensitive data often is protected similarly to confidential data. The only differentiator is the amount spent to protect it.
  • Public data is that which is publicly available, like where a person attended high school.

With greater access to information, coupled with the increased rate and publicity of compromise, many consumers are numb to the severity of a data breach, even though strengthening the environments in which they store or transmit data should be top of mind.

Below are six best practices you can convey to your customers to help them achieve real data privacy:

  • Employ data encryption for both storage and transmission. One advantage of encrypting all data is that a decision doesn’t have to be made regarding classification when it comes to encryption. A second benefit is that a criminal doesn’t know what to target when all data is encrypted.
  • Avoid accessing data such as emails, cloud storage, and the like on a public computer or network, which are easily compromised. If a public network must be used, virtual private network (VPN) encryption is necessary when sensitive or confidential data is being accessed. Keep in mind, passwords aren’t always transmitted in an encrypted format, so a criminal could intercept the password. Public computers should be used only as a last resort, and never to access confidential or sensitive data.
  • Ensure your computer is patched and protected with a firewall and up-to-date anti-malware solution. Further, even careful users should periodically have their machine inspected for malware and cleaned by a trusted technician; with the sophistication of malware today, even the most cautious and educated can still end up compromised.
  • When possible, implement multi-factor authentication, which entails using more than one means of authentication, such as passwords and authentication codes. This is one of the most promising ways to ensure data and accounts remain secure, yet even these systems aren’t foolproof. Avoid receiving texts of access codes when possible, as this is a weaker form of multi-factor authentication. Use authentication applications, phone calls or a secure email account instead, and remember that codes sent to a device are only as secure as the device itself.
  • Use strong passwords that are changed at least every 90 days. Passwords should, when allowed, be at least 15 characters in length and complex in nature, including letters, numbers and symbols. Also, password safes like KeePass are useful for storing them. And remember, treat your password like your toothbrush: never share it and change it often.
  • Consider the sensitivity of the data you store in the cloud. Utilizing a cloud service means entrusting a company to protect your data, so ensure the provider is equipped to protect the data to the same degree that you would. Another alternative is encrypting the data with your own encryption key before storing it in the cloud, which helps mitigate risk.
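The first and last practices above (encrypt everything, and keep your own key when using the cloud) as an added example that is not from the original article: a customer encrypts a record locally with AES-256-GCM before upload, so the provider only ever holds ciphertext, and decryption fails closed if the blob is tampered with, truncated, or moved to a different object. The function names, the key handling and the sample object name are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds AES-256-GCM from a 32-byte key that never leaves the customer's device.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForCloud encrypts a record before upload so the provider stores only ciphertext; objectName
// is bound as associated data so a blob cannot be swapped onto another object. Layout: nonce || ciphertext || tag.
func SealForCloud(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh per object; nonce reuse under one key breaks GCM
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenFromCloud fails closed on tampering, truncation, or a wrong objectName.
func OpenFromCloud(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], []byte(objectName))
	}
	return nil, errors.New("blob too short to contain a nonce")
}

func main() {
	key := make([]byte, 32) // constructed demo key, generated and kept locally (not in the cloud)
	rand.Read(key)
	blob, _ := SealForCloud(key, "statements/2017-07.pdf", []byte("constructed sample record"))
	pt, err := OpenFromCloud(key, "statements/2017-07.pdf", blob)
	fmt.Printf("provider holds %d opaque bytes; local decrypt: %q err=%v\n", len(blob), pt, err)
}
```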

While one of banks’ most important tasks is protecting customer data, educating customers to respond in kind goes a long way toward a common goal.

New Rules for Financial Firms in New York Put New Onus on Boards

New York-based financial services companies are under a new rule of law, one intended to protect consumers from the repercussions of a cyberattack and one that puts boards in a front-and-center role when it comes to the company’s security.

Touted as the first law of its kind in the United States, New York enacted new cybersecurity regulations this year, outlining standards that are sure to resonate beyond the financial businesses—such as banks, insurance companies and other financial services firms—that the law targets.

How Far Does Regulation Go?
Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.

New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.
Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation’s mandates outline the ways in which a company must comply, and in doing so vastly widen the base of those culpable for a breach and the requirements of a board to pay attention to its potential vulnerability and its cybersecurity planning.

New Duty for Board Members
The idea that board members should make cybersecurity a priority has risen over the years, coming into focus with the Target data breach in 2013 that resulted in members of the board of directors being sued.

In reality, banking regulators have held boards responsible for their banks’ cybersecurity programs for years, as described in the Federal Financial Institutions Examination Council’s IT Examination Handbook.

In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.

This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders on the board must take an active role in security oversight.

For the first time, the new rules say the firm must hire a chief information security officer, or CISO, to oversee policies and ensure that they’re working effectively. The CISO would report at least annually to the board, the DFS says, and according to the regulation, that person can be employed by an affiliate or third-party provider instead of being employed by the company itself.

It’s not uncommon for companies to have much of what the new regulation requires already in their processes, but those controls should be tied to risk assessments. As the law firm McGuireWoods notes, the new rules also require penetration testing at least annually and vulnerability assessments at least quarterly. Among other new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Services within 72 hours of becoming aware of it.

What Comes Next
Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.

To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.

Fintech Opportunities for Your Bank: A Voyage Into New, But Not Uncharted Waters

Financial technology, or fintech, is creating a dynamic range of new services and products for banks. Much of the initial discussion about fintech focused on disruption and replacement of traditional banking products and services.

Now, fintech is evolving and is creating new opportunities for banks to expand their products and services, as well as creating various non-interest revenue possibilities through partnering and joint venturing with fintech entities.

Increasingly, fintech entities such as online lenders and payment systems are turning towards partnering and joint venturing with banks for a simple reason: they need banks. They need banks because banks can hold federally insured deposits and have the experience and track record of existing and prospering under various federal and state regulatory regimes. Working with a fintech is therefore not necessarily a voyage into uncharted waters: while regulators may adapt to new technologies, banks are comfortable working in the existing banking regulatory ecosystem.

Some existing examples of fintech entities working with banks include:

  • licensing online lending platforms
  • licensing online customer interface platforms
  • using banks as insured depository support for payment systems
  • developing cryptocurrencies
  • developing digital tools that allow banks to mine and harness data for more efficient operations

State and federal regulators are expanding their ever-advancing regulatory agenda to cover fintech’s unique aspects. Indeed, the Office of the Comptroller of the Currency recently announced plans to start issuing Special Purpose National Bank charters to fintech entities, which the state regulators are heavily criticizing. Fintech entities are debating whether they will seek a federal charter in its proposed form.

Nevertheless, if your bank is considering working with a fintech entity, you should consider the following issues:

Strategic Plan: The first and primary issue that your bank should consider is whether the fintech opportunity fits your bank’s strategic vision and innovation plan. If the opportunity does not, the relationship may not only be unsuccessful, but ultimately detrimental to your bank’s efforts in this area.

Vendor Management: Vendor management is an especially critical area because most banks will choose to work with a fintech entity that owns, develops and services the technology. The key for banks in this area is to know their fintech partner and understand the deal. Fintech partners can range from early-stage start-ups to mature entities. Many of these fintech entities have little bank regulatory experience and may be learning as they develop and deploy their products. They may also propose contract terms that expose banks to unnecessary risks. The challenge for banks is to conduct thorough due diligence on their fintech partner and understand the agreement.

Cybersecurity: Because essentially all fintech-based products and services are online, cybersecurity is a significant consideration. Additionally, most fintech accumulates and evaluates customer data, which is very attractive to cybercriminals. The critical issue for banks is the ability to ensure that their fintech partners are employing best-of-class cybersecurity practices, not simply regulatory compliant cybersecurity, because the cybercriminals are almost always one step ahead of their targets, as well as the regulators. This will also help the bank protect itself in the event of a data breach or an attack.

Data Privacy: If your bank is working with a fintech, ensure that there are provisions to protect your customers’ data so that it is not used or disseminated in a way that violates the law, and that adequate disclosures are provided to your customers about how their data is used.

Consumer Banking Laws and Regulations: If a bank is working with a fintech entity in providing any type of consumer services, federal and state consumer lending laws and regulations will likely apply to that activity. The combination of new technologies and a fintech entity without a great deal of regulatory experience could spell trouble for a bank partner.

Bank Secrecy Act/Know Your Customer/Anti-Money Laundering: BSA/KYC/AML issues remain critically important for regulators, and fintech entities working with banks need to be fully versed in them.

Even considering the regulatory and related issues, working with a fintech is not a voyage into uncharted waters. The tide is also changing, and fintech can provide your bank potentially great opportunities to grow and develop as technology evolves and as fintech entities mature in this sector.

Cybersecurity Governance: How to Protect the Bank

Modern banking increasingly relies upon technology and the internet to manage and streamline business operations. With increased dependence on technology comes an increased risk of security threats. Kaspersky Lab reported it had detected 323,000 malware files per day using its software in 2016. This number is 4 percent higher than in 2015.

The impact of a successful cyberattack is often quite damaging: legal liabilities, damage to brand reputation, loss of trust from customers and partners, and ultimately, lost revenue. The average cost of a data breach is now up to $4 million, according to a 2016 Ponemon study.

Banks are responsible for more data than ever and as data use continues to grow, banks face the challenge of properly creating strategies, frameworks and policies for keeping sensitive data secure. Meanwhile, criminals develop new and sophisticated tactics to target valuable data.

Security is, and should be, a concern for all employees. However, leadership must be responsible for establishing and maintaining a framework for information security governance. Information security governance is defined as a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, and manages risks while monitoring the success or failure of the IT security program.

Whether it is the board of directors, executive management or a steering committee that is involved—or all of these—information security governance requires strategic planning and decision-making.

Best Practices
Despite the threats of cyberattacks and data breaches, banks can take proactive steps to better position themselves for successful security governance. What follows are five strategic best practices for information security governance:

1. Take a holistic approach.
Security strategy is about aligning and connecting with business and IT objectives. A holistic approach can provide leadership with more levels of control and visibility.

What data needs to be protected? Where are the risks? Take a unified view of how information security impacts your organization and how employees view security. Get early buy-in from key stakeholders, such as those in the IT, sales, marketing, operations and legal departments. Scope out what data needs to be protected and how that fits into the larger picture.

2. Increase awareness and training.
Although developed by leadership, information security governance speaks to all employees within the organization and requires a continued level of awareness. Governance creates policies and assigns accountabilities, but each member is responsible for following the security standards.

Constant training and education on security best practices is vital. The cyberthreat landscape is rapidly changing and employees, and company training, must keep up. This way, if new threats emerge, you will be prepared.

3. Monitor and measure.
Information security governance should never have a “set it, then forget it” approach. It’s about ongoing assessment and measuring. Monitoring ensures that objectives are being achieved and resources are appropriately managed. What security governance policies are working? Which policies are not?

Conduct mock data breach scenarios to test the efficacy of corporate teams and company incident response plans. Test results can reveal strong and weak links—what the bank needs to concentrate on, and what security governance policies work well under pressure.

4. Foster open communication.
Stakeholders should feel they can openly communicate directly with leadership, even when sharing bad news. Open communication promotes trust and brings a higher level of visibility throughout the organization. Engagement is key. Consider creating a steering committee composed of executive management and key team leads (IT, marketing, finance, PR, legal, operations, etc.) to review and assess current security risks.

5. Promote agility and adaptability.
Gone are the days of monolithic, cumbersome governance; banks need to adapt quickly to meet the changing tide of security threats. IT management, which is typically concerned with making tactical decisions to mitigate security risks, might have some hands-on experience and opinions about the effectiveness of a particular security policy, but their recommendations can only go so far without C-suite support. Leadership must quickly determine how to implement suggested changes throughout the bank. And if a security governance policy is ineffective, leadership must be willing to jettison the policy.

Overall, successful information security governance involves a continuous process of learning, revising and adapting. Banks need to be proactive and strategic with their security posture. Threats and incidents are inevitable, but moving strategic security governance to the forefront of your organization can help protect valuable information.

Download the full Diligent white paper: Five Best Practices for Information Security Governance.