Articles

By: (CISA, CISSP, CRISC)
Publication: Texas Banking, November 2009

In August 2009, Israeli hacker Ehud Tenenbaum, aka "The Analyzer", pleaded guilty to a single count of bank card fraud for his role in a sophisticated computer-hacking scheme that netted over $10 million from U.S. banks, some reportedly from Texas. Attacks on U.S. banks such as this one seem to occur more and more frequently. This increase in attacks, coupled with economic strains that cause many banks to cut security budgets, has many skeptics predicting that 2010 could be a worse year for security breaches. In this article, we will look at the top emerging information security threats banks will face in the next year.

1.  Malware (steady threat)

Read Full Article


By: (CISA, CISSP, CRISC)
Publication: The Colorado Banker, September/October 2009

Remote Deposit Capture (RDC) is a popular deposit activity that is quickly growing and expanding in delivery method and overall acceptance. While some forms of RDC have been around for some time, many forms of RDC have only recently been widely adopted and could introduce new or additional risks to a bank. Just like any other new product, service, or delivery method, banks should use a formal risk management approach for implementing and managing all forms of RDC.

What is RDC?

First, what is RDC? According to the FFIEC:

Read Full Article


By: (CISA, CISSP, CRISC)
Publication: The Colorado Banker, July/August 2009

Are you overwhelmed by the vast offerings of security applications, appliances, systems, and programs? Wondering which is best, if they will live up to their promise, and how they will integrate into your already complex technology environment? Discouraged by the cost and confused by the complexity of it all? We’ve all been there too many times, afraid of the global threats, but feeling like we are spinning our wheels and throwing money at a phantom enemy.

But, did you know you already have your most valuable security defense system? Did you also know, if you do not manage, monitor and tweak it, it can become your largest security hole? What is it you ask? Your employees!

Read Full Article


By:
Publication: The Colorado Banker, May/June 2009

In today's climate of enormous economic turmoil and tightening budgets, an ever-expanding information security threat landscape and additional regulatory oversight, how would you like to strengthen your bank's information security with a minimal amount of time or expense? Thought you'd say that.

Reconfigure That Misconfigured Anti-Virus Software

After scores of Information Technology / GLBA 501(b) Audits and Assessments, virtually every audit report we write includes a finding about ineffective implementation of antivirus software. Since protection against malicious software is one of a bank's primary defenses, this finding is typically classified as a high-risk finding. Antivirus software installed on bank workstations and servers should be managed by a centralized management console installed on one of the bank's servers. In fact, the ability to consistently configure and effectively manage antivirus software across a bank's network depends on this type of implementation.

Read Full Article


By:
Publication: The Colorado Banker, November/December 2008

On March 19, 2008, the Agencies (OCC, Federal Reserve Board, FDIC, OTS, NCUA and FTC) jointly issued guidance for examiners, financial institutions and technology service providers in the form of an update to the IT Examination Handbook, Business Continuity Planning Booklet (the booklet was previously released in March 2003). The new guidance handbook included many significant changes. This, the third article in a three-part series, will review the booklet's expanded sections on the business impact analysis process. [To review the previous articles, visit www.conetrix.com/resources.]

What is a business impact analysis (BIA)?

Read Full Article


By:
Publication: The Colorado Banker, September/October 2008

The risk assessment in business continuity planning helps you focus your time and resources. Hopefully, the risk assessment will lead you, as a Colorado banker, to devote more energy in preparing for blizzards than preparing for hurricanes. If not, it means you forgot to revise the plan you borrowed from your pal in Florida.

A risk assessment prioritizes the bank’s business processes (the business processes are identified during the first step, the Business Impact Analysis) and defines what could disrupt them. The goal is to be sure the Business Continuity Plan (BCP) addresses the most important things first.

Is That a Threat?

Read Full Article


By: (CISA, CISSP, CRISC)
Publication: BankNews, September 2008

If you had Googled "Red Flag" six months ago, it would have returned page after page of links to sites selling flags or discussing martial law. Today, if you search "Red Flag", you begin to see many advertisements and links related to identity theft.

For the Financial, Auto, Telco, Energy, etc. industries, the term "Red Flag" has become synonymous with the new Identity Theft Red Flag rules and guidelines. These new rules require financial institutions or creditors to have a written Identity Theft Prevention Program (herein Program) in place to detect, prevent, and mitigate identity theft in connection with opening or accessing certain accounts by November 1, 2008!

Read Full Article


By: (CISA, CISSP)
Publication: The Colorado Banker, July/August 2008

In the wake of Hurricane Katrina and increased attention to the threat of a biological pandemic, the OCC, Federal Reserve Board, FDIC, OTS, NCUA, and FTC (the Agencies) consolidated five years of lessons learned and planning considerations into new federal guidance on effective business continuity planning.

On March 19, 2008, the Agencies jointly issued guidance for examiners, financial institutions, and technology service providers in the form of an update to the IT Examination Handbook, Business Continuity Planning Booklet. The booklet was previously released in March 2003.

Many significant changes were made in the new guidance handbook – too many to adequately address in a single article. Therefore, let’s concentrate on one of the major updates – BCP testing.

Read Full Article


By: (CISA, CISSP, CRISC)
Publication: The Colorado Banker, May/June 2008

Long gone are the days when the primary threat to a community bank was a local outlaw with a gun and bandana. The external perimeter of community banks is no longer limited to the brick and mortar building in which their money and information resides. The security landscape of today’s Internet connected bank has expanded to include global threats, such as Foreign Terrorist Organizations. Therefore, banks must take a strong stance on security to ensure their information and assets are protected from a wide variety of threats.

A Recent Attack

Read Full Article


By: (CISA, CISSP, CRISC)
Publication: The Colorado Banker, March/April 2008

On November 9, 2007, the OCC, Board, FDIC, NCUA and FTC (the Agencies) jointly issued the final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act. The rules implementing section 114 require financial institutions or creditors to develop and implement a written Identity Theft Prevention Program (the Program) to detect, prevent, and mitigate identity theft in connection with covered accounts, and to establish policies and procedures to assess the validity of a change of address. These rules and guidelines became effective January 1, 2008, and require financial institutions to comply by November 1, 2008.

Read Full Article