Blog: Financial Institutions

On September 9th, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security booklet.  This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The IT Handbook is designed to provide information and reference to financial institutions and examiners.  The Information Security booklet specifically “provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems.”

To learn more about the new FFIEC Information Security Booklet, join us for a webinar on October 11th at 2:00pm CDT.


About the FFIEC: The FFIEC was established in 1979 per Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978.  The FFIEC is comprised of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administrator (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).



Today the FFIEC released a Cybersecurity Assessment Tool to help financial institutions identify their risks and assess their cybersecurity preparedness.  The assessment tool is designed to provide a repeatable and measurable process for banks and credit unions to measure their cybersecurity preparedness over time.

The FFIEC tool consists of PDF documents including an Overview for Chief Executive Officers and Boards of Directors, a User's Guide, an Inherent Risk Profile, a Cybersecurity Maturity, and some Additional Resources.

CoNetrix is working on a FREE online, interactive tool to assist banks and credit unions in completing the new FFIEC cybersecurity assessment.  This easy-to-use SaaS will allow financial institutions to answer questions provided in the FFIEC documents, view and analyze inherent risk and cybersecurity maturity, and run various reports.  To learn more about the new Tandem Cybersecurity tool, visit



The ".bank" domain registration will open into general availability on June 24, 2015 at 00:00:00 UTC or June 23 at 8:00pm Eastern, 7:00pm Central, 6:00pm Mountain, & 5:00pm Pacific.  According to fTLD, during the initial sunrise registration period, there were more than 700 applications made for ".bank" domains.  Domains will be awarded on a first-come, first-served basis in all registration periods.  To learn more, read the article Dot Bank by Leticia Saiid of CoNetrix published in the Spring 2015 issue of The Community Banker or visit


Registration for the new “.bank” domains is coming up soon. These domains could be prime Internet names in the future. A few quick notes:

  • Early “sunrise” registration will be May 18, 2015 with general availability on June 24th.
  • Registration will be limited to domain names with corresponding trademark, trade name, service mark, or bank name. 
  • There will be a verification procedure to ensure these domain names are only issued to valid financial institutions.
  • Banks should consider registering a trademark now to be able to register the associated domain during the sunrise registration period. 
  • Registration will be on a “first come, first serve” basis, so banks with similar names that want the good domains need to register early.
  • More information is available at



The Federal Financial Institutions Examination Council (FFIEC) today launched a web page dedicated to cybersecurity. The website is designed to be "a central repository for current and future FFIEC-related materials on cybersecurity."

As a part of the Press Release announcing the launch of the cybersecurity web page, the FFIEC also noted the launch of the website "coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators, which will be completed during regularly scheduled examinations."  According to the press release, the focus of the pilot program will be on:

  1. Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. Service Provider and Vendor Risk Management
  5. Cyber Incident Management and Resilience

The pilot program is expected to last about 4 weeks and include regulators from the FDIC, OCC, Federal Reserve, NCUA, and the States.


The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machines (ATM) and card authorization systems and the continued distributed denial of service (DDoS) attacks.

To read the Press Release, visit

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit


I was recently helping a bank network support client install an update to a Jack Henry application named Yellowhammer. Normally we save the installation file to the network of that certain program just for organizational purposes. 

Upon reading the instruction I just saved the .exe file to the user's PC because I wanted to see what files needed to be updated.  However, upon running the installation it just opened a GUI that set up a connection back to Jack Henry.  We closed out the program to begin saving the program to the network.  When we did this ALL THE DESKTOP ITEMS DISAPPEARED from the user's PC.

After looking into what files were unzipped I came across a file named “cleanup.bat” which deleted whatever folder these files were located in, and in our case it happened to be the Desktop folder.

I am just curious as to what would have happened if I saved this anywhere else.  So for future reference, check for a cleanup.bat file in any Jack Henry Installation.


During a recent audit, we noticed one of the Internet domain names registered to the bank was displaying a website provided by the registrar (Network Solutions).  Upon discussing this issue with the bank, they told me they had registered the name because they use it internally as their Active Directory domain name and did not want anybody else registering the public name.  So the bank’s IT vendor dutifully registered the name, but did not do anything with it as far as pointing it to an existing bank website or an “under construction” site.  As a result the registrar parked the domain name and displayed an advertisement website.  The advertisements were for Gucci, Wells Fargo, Bank of America, etc.  The bank was not very happy when they found out their domain was being used to advertise other banks.


Declaring that “the American people will never again be asked to foot the bill for Wall Street’s mistakes,” President Obama signed the 2300-page Dodd-Frank Wall Street Reform and Consumer Protection Act into law today.  The American Bankers Association (ABA) and Independent Community Bankers of America (ICBA) have released similar statements declaring that core provisions in the new legislation provide the much-needed reform that banks have long supported, but they are leery of the seemingly unrelated regulations added to the bill during its journey from inception to signing.

Some highlights of the Dodd-Frank Act include:

  • Creating the Consumer Financial Protection Bureau with the authority to write new rules for mortgages, credit cards, payday loans, and other consumer products
  • Increasing FDIC protection to $250,000
  • Enhancing the authority of the Fed and other bank regulators to examine and take enforcement action against non-bank subsidiaries, such as mortgage affiliates
  • Eliminating the Office of Thrift Supervision, bringing savings and loan holding company and institution supervision to the Fed, OCC, and FDIC
  • Imposing strict controls on large bank holding companies and significant nonbank financial companies
  • Prohibiting banks and their affiliates from engaging in proprietary trading and providing strict limits on investment in and sponsoring of hedge and private equity funds
  • Allowing merchants to discriminate or discount based on payment type and set minimum payment amounts for acceptance of debit and credit cards
  • Subjecting holding companies to new “source of strength” rules regarding their depository institution subsidiary

Most provisions will be enacted immediately, but many have delayed effective dates.

For a more detailed summary of the Dodd-Frank Act, as well as a timeline of deadline dates, visit the ABA Regulatory Reform Center at or the ICBA’s Victories, Helpful Exemptions and Harmful Measures for Community Banks at

While legislators are in staunch disagreement over whether or not this bill should have been passed, no one seems to disagree that this will change the face of the banking and financial industry as we know it.