Chapter 13. Regulatory Compliance for Financial Institutions

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

- Explain financial institution information security regulatory compliance requirements.

- Understand the components of a GLBA-compliant information security program.

- Prepare for a regulatory examination.

- Respond to the twin threats of personal identity theft and corporate account takeover.

Banks and credit unions provide an array of financial services. Although it may appear that money is their most valuable asset, the reality is that customer and transactional information is the heart of their business. Money is fungible and can be replaced. Protection of customer information is necessary to establish and maintain trust between the financial institution and the community it serves. More specifically, institutions have a responsibility to safeguard the privacy of individual consumers and protect them from harm, including fraud and identity theft. On a broader scale, the industry is responsible for maintaining the nation’s financial services critical infrastructure.

In this chapter, we will examine the regulations applicable to the financial sector. We will focus on Title V, Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) and the corresponding interagency guidelines, the Federal Trade Commission (FTC) Safeguards Rule, and Financial Institution Letters (FILs). Compliance with GLBA is mandatory. Noncompliance carries significant penalties, up to and including being forced to cease operations. As we examine the various regulations, we will look at how examiners assess compliance. We will conclude the chapter with a look at the most significant financial security issue of our time, personal and corporate identity theft, and the regulations that address this ever-growing problem.


FYI: ISO/IEC 27002:2013 and NIST Guidance

Section 18 of ISO 27002:2013 is dedicated to the Compliance domain, which focuses on compliance with local, national, and international criminal and civil laws, regulatory or contractual obligations, intellectual property rights (IPRs), and copyrights. (In the 2005 edition this material was Section 15.)

Corresponding NIST guidance is provided in the following document:

- SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)


The Gramm-Leach-Bliley Act (GLBA)

In a response to the massive bank failures of the Great Depression, the Banking Act of 1933 prohibited national and state banks from affiliating with securities companies. The specific provision is often referred to as the Glass-Steagall Act. Similar to the Glass-Steagall Act, the Bank Holding Company Act of 1956 prohibited banks from controlling a nonbank company. This act was amended by Congress in 1982 to further forbid banks from conducting general insurance underwriting or agency activities.

On November 12, 1999, the Gramm-Leach-Bliley Act (GLBA) was signed into law by President Bill Clinton, repealing the Glass-Steagall restrictions. Also known as the Financial Modernization Act of 1999, GLBA effectively removed the restrictions placed on banks during the six preceding decades, which had prevented the merger of banks, stock brokerage companies, and insurance companies. Prior to GLBA, the insurance company that maintained health records was by law unrelated to the bank that financed mortgages and the brokerage house that traded stocks. Once merged, however, a single company would have access to a cross-section of personal information. Using data-mining techniques, it is possible to build detailed customer and prospect profiles. Because of the potential for misuse of that information, Title V of GLBA specifically addresses protecting both the privacy and the security of non-public personal information (NPPI).

- The Privacy Rule limits a financial institution’s disclosure of NPPI to unaffiliated third parties, such as by selling the information to them. Subject to certain exceptions, the Privacy Rule prohibits disclosure of a consumer’s NPPI to a nonaffiliated third party unless certain notice requirements are met and the consumer does not elect to prevent, or “opt out of,” the disclosure. The Privacy Rule requires that privacy notices provided to customers and consumers describe the financial institution’s policies and practices to protect the confidentiality and security of that information. It does not impose any other obligations with respect to safeguarding customers or their information.

- The Security Guidelines address safeguarding the confidentiality and security of customer NPPI and ensuring the proper disposal of customer NPPI. They are directed toward preventing or responding to foreseeable threats to, or unauthorized access or use of, that information.

Non-public personal information (NPPI) includes (but is not limited to) names, addresses, and phone numbers when linked to bank and credit card account numbers, income and credit histories, and social security numbers (SSNs). Regulatory language uses the terms sensitive customer information and NPPI interchangeably.

What Is a Financial Institution?

GLBA defines a financial institution as “any institution the business of which is significantly engaged in financial activities as described in Section 4(k) of the Bank Holding Company Act (12 U.S.C. § 1843(k)).” This broad definition means that the regulation applies to traditional financial institutions such as banks, credit unions, and investment firms, as well as to companies that offer financial products or services to consumers. The net effect is that GLBA applies to automobile dealers, check-cashing businesses, consumer reporting agencies, credit card companies, credit counselors, data processors, debt collectors, educational institutions that provide financial aid, financial planners, insurance companies, loan brokers, mortgage brokers and lenders, real estate settlement service providers, and retail stores that issue credit cards.

Regulatory Oversight

All financial institutions that conduct business in the United States are subject to GLBA. The regulation gives authority to various agencies to administer and enforce the privacy and security provisions. Table 13.1 lists the agencies, their charges, and the applicable public law. By law, the agencies were required to work together to issue consistent and comparable rules to implement the Act’s privacy provision. In contrast, the agencies were tasked with independently establishing minimum-security standards as well as determining the type and severity of the penalties.

- The Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of Thrift Supervision (OTS) jointly developed the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The final rule was published in the Federal Register on February 1, 2001, with an effective date of July 1, 2001.

- The National Credit Union Administration (NCUA) published its Guidelines for Safeguarding Member Information on January 30, 2001, with an effective date of July 1, 2001.

- The Securities and Exchange Commission (SEC) incorporated a safeguards rule as part of its Privacy of Consumer Financial Information Final Rule of June 2000.

- The FTC published its Standards for Safeguarding Customer Information (16 CFR Part 314) on May 23, 2002, with an effective date of May 23, 2003.

TABLE 13.1 GLBA Regulatory Agencies and Rules

The Federal Trade Commission (FTC) Safeguards Rule

As noted earlier, a wide variety of companies are subject to GLBA regulations. Banks, credit unions, insurance agencies, and investment firms are subject to regulatory oversight by the agency that charters or licenses them. The FTC has jurisdiction over individuals or organizations that are significantly engaged in providing financial products or services to consumers and are not subject to oversight by one of the other GLBA regulators. Many of these organizations are small businesses. The FTC’s implementation, Standards for Safeguarding Customer Information (16 CFR Part 314), is known as the Safeguards Rule. Overall, the requirements of the Safeguards Rule are not as stringent as the Interagency Guidelines. The primary requirements are that covered entities must do the following:

- Designate the employee or employees who coordinate the safeguards

- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of current safeguards for controlling these risks

- Design a safeguards program, and detail the plans to monitor it

- Select appropriate service providers and require them (by contract) to implement the safeguards

- Evaluate the program and explain adjustments in light of changes to its business arrangements or the results of its security tests

The FTC does not conduct regulatory compliance audits. Enforcement is complaint driven. Consumers can file a complaint with the FTC. The FTC analyzes the complaints and, if it detects a pattern of wrongdoing, it will investigate and, if appropriate, prosecute. The FTC does not resolve individual consumer complaints. Table 13.1 lists the GLBA regulatory agencies and their respective rules.


FYI: What Is the Federal Register?

Published by the Office of the Federal Register, National Archives and Records Administration (NARA), the Federal Register is the official daily publication for rules, proposed rules, and notices of federal agencies and organizations, as well as executive orders and other presidential documents. It is updated daily by 6 a.m. and is published Monday through Friday, except on federal holidays. The official home page of the Federal Register is www.federalregister.gov.


What Are the Interagency Guidelines?

As noted earlier, the financial services oversight agencies were tasked with independently establishing minimum-security standards as well as determining the type and severity of the penalties. Banks are subject to the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, and credit unions are subject to the Guidelines for Safeguarding Member Information. In this section, we will refer to them collectively as the Interagency Guidelines.

The Interagency Guidelines require every covered institution to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank or credit union and the nature and scope of its activities. To be in compliance, the information security program must include policies and processes that require institutions to do the following:

- Involve the Board of Directors

- Assess risk

- Manage and control risk

- Oversee service provider arrangements

- Adjust the program

- Report to the Board

It is up to each institution to develop a program that meets these objectives. The ISO 27002:2013 standard provides an excellent framework to develop a GLBA-compliant information security program.

Involve the Board of Directors

The Interagency Guidelines require that the Board of Directors or an appropriate committee of the Board approve the bank’s written information security program. The Board is also tasked with overseeing the development, implementation, and maintenance of the information security program, including assigning specific responsibility for its implementation and reviewing reports from management. As corporate officials, directors have a fiduciary and legal responsibility. For example, financial institutions that do not comply with the GLBA are subject to civil penalties of $100,000 per violation. Officers and directors of that institution can be held personally liable as well, with penalties of $10,000 per violation.

Board members are generally chosen for their experience, business acumen, and standing in the community. It can be assumed that they understand business goals, processes, and inherent risks. Even experienced professionals, however, do not always have an in-depth natural understanding of information security issues. Institutions are expected to provide their Boards with educational opportunities to become and remain proficient in the area. Recognizing that this is a specialized body of knowledge, the Interagency Guidelines include the provision for delegation and distribution of responsibilities.

Examples of delegation include the following:

- Delegating Board oversight to a subcommittee whose members include directors and representatives of the financial institution, such as a Chief Information Security Officer (CISO) or Chief Risk Officer (CRO)

- Assigning information security management program oversight and management to a CISO or CRO

- Assigning implementation and maintenance of administrative controls to the Information Security Officer

- Assigning implementation and maintenance of technical controls to the Director of Information Technology

- Assigning implementation and maintenance of physical controls to the facilities manager

- Assigning design and delivery of information security training and awareness programs to the training department

- Assigning verification of controls to the internal audit department

- Assigning risk evaluation to the risk management committee

- Assigning the evaluation of technology initiatives to the technology steering committee

- Creating a multidisciplinary information security advisory committee that includes representatives of all of the aforementioned roles and departments

Information security crosses many boundaries and involves multiple domains. Experience has shown us that institutions that have adopted a cross-functional multidisciplinary approach, as shown in Figure 13.1, have a stronger and more successful information security program.

FIGURE 13.1 A cross-functional multi-disciplinary approach.

Assess Risk

Financial institutions are expected to take a risk-based approach to information security. The process begins with identifying threats. Threats are defined as potential dangers that have the capacity to cause harm. It is incumbent upon each institution to continually engage in a threat assessment, which is the identification of the types of threats and attacks that may affect the institution’s condition and operations or may cause data disclosures that could result in substantial harm or inconvenience to customers. A threat assessment must take into consideration a number of factors, including the size and type of the institution, services offered, geographic location, experience of personnel, infrastructure design, operating systems, vulnerability of applications, and cultural attitudes and norms. At a minimum, financial institutions must address the threats of unauthorized access, unauthorized data modification, system infiltration, malware, destruction of data or systems, and denial of service (DoS).

The systematic rating of threats by level of impact and likelihood, without taking controls into account, is used to determine the inherent risk. A risk assessment then evaluates the corresponding safeguards in order to calculate residual risk, which is defined as the level of risk that remains after controls have been implemented. The Federal Financial Institutions Examination Council (FFIEC) recommends using NIST’s risk management guidance; the risk assessment methodology itself is described in Special Publication 800-30, and Special Publication 800-53 catalogs the security controls whose effectiveness determines residual risk. Multiple categories of risk are defined by the FDIC as relevant for financial institutions, including strategic, reputational, operational, transactional, and compliance:

- Strategic risk is the risk arising from adverse business decisions, or from the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals.

- Reputational risk is the risk arising from negative public opinion.

- Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.

- Transactional risk is the risk arising from problems with service or product delivery.

- Compliance risk is the risk arising from violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or with the institution’s business standards.

Risk assessments and the corresponding risk management decisions must be documented and reported to the Board of Directors or its designee. The reports are used by both independent auditors and regulators to evaluate the sufficiency of the institution’s risk management program.
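The inherent-versus-residual calculation above is simple enough that institutions often lose track of its two preconditions: every required threat must appear in the register, and residual risk must be compared with an appetite the Board has actually approved. The following is an added example, not from the chapter or from any regulator, of a minimal risk register that scores inherent risk (likelihood times impact, no controls), applies mapped controls to obtain residual risk, checks coverage of the minimum threat set the Interagency Guidelines require, and lists the entries that exceed appetite for Board reporting. The 1-to-5 scales, the control reduction values, and the sample register entries are constructed for illustration.

```python
"""Added example (not from the chapter or any regulator): inherent and
residual risk scoring over a small threat register, plus the two checks a
practitioner wants before the results go to the Board.
All scales, control weights and register entries are assumed/constructed."""
from dataclasses import dataclass, field

# Minimum threats the Interagency Guidelines expect every institution to address.
REQUIRED_THREATS = {
    "unauthorized access", "unauthorized data modification", "system infiltration",
    "malware", "destruction of data or systems", "denial of service",
}

# FDIC risk categories used to tag each register entry.
RISK_CATEGORIES = {"strategic", "reputational", "operational", "transactional", "compliance"}


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # points removed from the 1-5 likelihood score (assumed scale)
    impact_reduction: int      # points removed from the 1-5 impact score (assumed scale)


@dataclass
class Threat:
    name: str
    categories: set
    likelihood: int            # 1 (rare) .. 5 (expected), scored with no controls in place
    impact: int                # 1 (negligible) .. 5 (severe), scored with no controls in place
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be on the 1-5 scale")
        unknown = self.categories - RISK_CATEGORIES
        if unknown:
            raise ValueError(f"{self.name}: unknown risk category {sorted(unknown)}")

    def inherent_risk(self) -> int:
        """Likelihood x impact before any safeguard is considered."""
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Risk remaining after the mapped controls; a score never drops below 1."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


def missing_required_threats(register) -> set:
    """Required threats that the register does not address at all."""
    return REQUIRED_THREATS - {t.name for t in register}


def above_appetite(register, appetite: int) -> list:
    """Entries whose residual risk exceeds the Board-approved appetite, worst first."""
    over = [t for t in register if t.residual_risk() > appetite]
    return sorted(over, key=lambda t: t.residual_risk(), reverse=True)


def board_summary(register, appetite: int) -> list:
    """Rows of (threat, inherent, residual, exceeds_appetite) for the annual report."""
    return [(t.name, t.inherent_risk(), t.residual_risk(), t.residual_risk() > appetite)
            for t in register]


# Constructed controls and register (assumed values, not a real institution's data).
MFA = Control("multifactor authentication on online banking", 2, 0)
EDR = Control("endpoint malware protection", 1, 1)
BACKUPS = Control("offline backups", 0, 2)
SCRUBBING = Control("upstream DDoS scrubbing", 1, 2)
PATCHING = Control("monthly patching", 1, 0)

SAMPLE_REGISTER = [
    Threat("unauthorized access", {"operational", "reputational"}, 4, 5, [MFA]),
    Threat("unauthorized data modification", {"transactional", "compliance"}, 3, 5, [PATCHING]),
    Threat("system infiltration", {"operational"}, 4, 4, [PATCHING, EDR]),
    Threat("malware", {"operational"}, 5, 4, [EDR]),
    Threat("destruction of data or systems", {"operational", "reputational"}, 2, 5, [BACKUPS]),
    Threat("denial of service", {"transactional", "reputational"}, 4, 3, [SCRUBBING]),
]

if __name__ == "__main__":
    APPETITE = 9  # assumed Board-approved residual risk appetite
    print("missing required threats:", missing_required_threats(SAMPLE_REGISTER) or "none")
    for name, inherent, residual, flagged in board_summary(SAMPLE_REGISTER, APPETITE):
        print(f"{name:32s} inherent={inherent:2d} residual={residual:2d} {'REPORT' if flagged else ''}")
```

With the constructed values, malware (residual 12), unauthorized access (10) and unauthorized data modification (10) exceed an appetite of 9 and would be reported to the Board with a remediation plan; dropping the last two register entries makes the coverage check name the threats that were never assessed, which is the finding an examiner would raise.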

Manage and Control Risk

The Interagency Guidelines require that financial institutions design their information security programs to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of their activities. The agencies recommend using the ISO standards as the framework for financial institution information security programs. Table 13.2 maps the GLBA information security objectives and the ISO security domains.

TABLE 13.2 GLBA Requirement ISO 27002:2013 Cross Reference

A must-read supporting resource is the IT Examination Handbook InfoBase (commonly called the IT InfoBase) published by the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is an interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the FDIC, the NCUA, the OCC, and the OTS, and to make recommendations to promote uniformity in the supervision of financial institutions. The IT InfoBase spans a number of topics, including Information Security, Audit, Business Continuity Planning, Development and Acquisition, Management, Operations, and Outsourcing Technology Services.

The FFIEC InfoBase is the de facto guide for a financial institution that wants to ensure it has a GLBA-compliant information security program that meets regulatory expectations. Resources include explanatory text, guidance, recommended examination procedures and work papers, presentations, and resource pointers. The InfoBase can be accessed from the FFIEC home page (www.ffiec.gov).

Training

The Interagency Guidelines require institutions to implement an ongoing information security awareness program, to invest in training, and to educate executive management and directors. This is widely interpreted as embodying the NIST model of security education, training, and awareness (SETA). You may recall this model from Chapter 6, “Human Resources Security.” The goal of education is to explain why, and the anticipated outcome is insight and understanding. The goal of training is to explain how, and the anticipated outcome is knowledge and skill. Lastly, the goal of awareness is to explain what, and the anticipated outcome is information and attention. The impact of education is long term, the impact of training is immediate, and the impact of awareness is short term.

At a minimum, financial institutions are expected to deliver and document annual enterprise-wide training. The training can be instructor led or online. Recommended topics include an overview of state and federal regulatory requirements, an explanation of user-focused threats such as malware and social engineering, and a discussion of best practices and the acceptable use of information resources. It is commonplace for institutions to coordinate the distribution and signing of the acceptable use agreement with the annual training.

Testing

Safeguards are meaningful only if they perform as anticipated. The regulatory agencies expect institutions to regularly test key controls and safeguards at a frequency that takes into account the rapid evolution of threats. High-risk systems should be subject to independent testing at least once a year. Independent testing means that the in-house or outsourced personnel who perform and report on the testing have no relationship to the design, installation, maintenance, and operation of the targeted system, or the policies and procedures that guide its operation. They should also be protected from undue influence or retaliatory repercussions.

The tests and methods utilized should be sufficient to validate the effectiveness of the security process in identifying and appropriately controlling security risks. The three most commonly used testing methodologies are audit, assessment, and assurance:

- An audit is an evidence-based examination that compares current practices against specific internal (for example, policy) or external (for example, regulations or an audit standard such as Control Objectives for Information and Related Technology [COBIT]) criteria.

- An assessment is a focused, privileged inspection to determine condition, locate weaknesses or vulnerabilities, and identify corrective actions.

- An assurance test measures how well a control or safeguard works, generally by subjecting the system or device to an actual attack, misuse, or accident. Assurance tests can be black box, meaning with no prior knowledge of the system or process being tested, or white box, meaning with knowledge of the system or process being tested.

Because testing may uncover non-public customer information, appropriate safeguards to protect the information must be in place. Contracts with third parties that provide testing services should require that the third parties implement appropriate measures to meet the objectives of the Interagency Guidelines and that any exposure of NPPI be reported immediately.

Oversee Service Provider Arrangements

A third-party service provider relationship is broadly defined by the regulatory agencies to include all entities that have entered into a business relationship with a financial institution. This includes parties that perform functions on behalf of the institution, provide access to products and services, or perform marketing, monitoring, or auditing functions.

The Interagency Guidelines require financial institutions to ensure that service providers have implemented security controls in accordance with GLBA requirements. In June 2008, the Financial Institution Letter FIL-44-2008, “Third-Party Risk: Guidance for Managing Third-Party Risk,” made clear that an institution can outsource a task, but it cannot outsource the responsibility. It is up to the institution to ensure that the controls and safeguards designed, managed, and maintained by third parties are equivalent to or exceed its internal policies and standards.

Recommended service provider oversight procedures include the following:

- Conducting a risk assessment to ensure that the relationship is consistent with the overall business strategy and that management has the knowledge and expertise to provide adequate oversight

- Using appropriate due diligence in service provider research and selection

- Implementing contractual assurances regarding security responsibilities, controls, and reporting

- Requiring non-disclosure agreements (NDAs) regarding the institution’s systems and data

- Providing a third-party review of the service provider’s security through appropriate audits and tests

- Coordinating incident response policies and contractual notification requirements

- Reviewing significant third-party arrangements and performance at least annually

The Bank Service Company Act (BSCA), 12 U.S.C. §§ 1861-1867, gives federal financial regulators statutory authority to regulate and examine the services a technology service provider (TSP) performs for FDIC-insured financial institutions. According to the FFIEC Outsourcing Technology Services Handbook, TSP relationships should be subject to the same risk management, security, privacy, and other internal controls and policies that would be expected if the financial institution were conducting the activities directly. In order to maintain an accurate database of TSPs, the BSCA requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution. Selected TSPs are examined on a 24-, 36-, or 48-month cycle. Distribution of the exam results is restricted to financial institutions that have signed a contract with the TSP. Ironically, this means that the findings are not available during the initial due-diligence phase, when they would be most useful.

Adjust the Program

A static information security program provides a false sense of security. Threats are ever increasing. Organizations are subject to change. Monitoring the effectiveness of the security program and personnel is essential to maintaining a secure environment, protecting customer information, and complying with regulatory objectives. Evaluation results should be carefully analyzed and, as appropriate, adjustments to the information security program implemented. At a minimum, the information security policy should be reviewed annually. Modifications to policy must be communicated to the Board of Directors. It is the responsibility of the Board of Directors to annually reauthorize the information security policy and, by extension, the information security program.

Report to the Board

Throughout the year, the Board of Directors or designated committee should receive information security program updates and be immediately apprised of any major issue. Additionally, the Interagency Guidelines require each institution to provide an annual Information Security and GLBA Compliance report to the Board of Directors or designated committee. The report should describe the overall status of the information security program and the bank’s compliance with the Interagency Guidelines. The report should detail the following:

- Regulatory examination results and post-examination follow-up.

- Security incidents that occurred in the previous 12 months, including a synopsis of response and impact.

- Major IT and security initiatives completed in the previous 12 months, in progress, and scheduled.

- Information security program–related governance activities, including a synopsis of roles, responsibilities, and significant decisions.

- Independent audit and testing conducted in the previous 12 months. The description should include type of test, date of test, tester, test objective, test results, recommendations, follow-up, and, if applicable, remediation plan.

- Risk assessments conducted in the previous 12 months. The description should include methodology, focus areas, results, follow-up, and, if applicable, remediation plan.

- Service provider oversight activities. The description should include due diligence, contract updates, monitoring, and, if applicable, identified issues and remediation plan.

- Employee training conducted in the previous 12 months. The description should include the type of training, how it was conducted, participation, and evaluation.

- Updates to and testing of the disaster recovery, public health emergency, and business continuity plans.

- Updates to and testing of the incident response plan and procedures.

- Recommended changes to the information security program or policy that require Board approval or authorization.

The final section of the report should be management’s opinion of the institution’s compliance with information security–related state and federal regulations and guidance. If, in management’s opinion, the institution does not comply with applicable regulations or guidance, the issues should be fully documented and a remediation plan presented.

What Is a Regulatory Examination?

The regulatory agencies are responsible for oversight and supervision of financial institutions. Included in this charge is ensuring that financial institutions soundly manage risk, comply with laws and regulations, including GLBA, and, as appropriate, take corrective action. Representatives of the regulatory agencies examine their respective banks and credit unions. Depending on size, scope, and previous examination findings, exams are conducted every 12 to 18 months. Included in the exam is an evaluation of policies, processes, personnel, controls, and outcomes.

Examination Process

GLBA security is included in the Information Technology Examination. Institutions are given 30 to 90 days’ notice that an examination is scheduled. An Information Technology Officer’s questionnaire is sent to the institution with the expectation that the institution will complete and return the questionnaire and supporting documentation (including Board reports, policies, risk assessments, test results, and training materials) prior to the examination date. The length of the exam and the number of on-site examiners depend on the complexity of the environment, previous findings, and examiner availability. The examination begins with an entrance meeting with management. The agenda of the entrance meeting includes explaining the scope of the examination, the role of each examiner, and how the team will conduct the exam. During the exam, the examiners will request information, observe, and ask questions. At the end of the exam, an exit meeting is held to discuss findings and potential solutions. Post-examination, the regulatory agency will issue a draft report for management to review for accuracy. Taking into consideration management’s response, the agency will issue a written report to the Board of Directors, which includes the examination ratings, any issues that have been identified, recommendations, and, if required, supervisory action.

Examination Ratings

The Uniform Rating System for Information Technology (URSIT) is used to uniformly assess financial institutions. The rating is based on a scale of 1 to 5, in ascending order of supervisory concern, with 1 representing the best rating and least degree of concern, and 5 representing the worst rating and highest degree of concern.

Per URSIT standards:

- Financial institutions rated composite “1” exhibit strong performance in every respect. Weaknesses in IT are minor in nature and are easily corrected during the normal course of business. Risk management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity, and risk profile of the entity.

- Financial institutions rated composite “2” exhibit safe and sound performance but may demonstrate modest weaknesses in operating performance, monitoring, management processes, or system development. Generally, senior management corrects weaknesses in the normal course of business. Risk management processes adequately identify and monitor risk relative to the size, complexity, and risk profile of the entity. As a result, supervisory action is informal and limited.

- Financial institutions and service providers rated composite “3” exhibit some degree of supervisory concern because of a combination of weaknesses that may range from moderate to severe. If weaknesses persist, further deterioration in the condition and performance of the institution or service provider is likely. Risk management processes may not effectively identify risks and may not be appropriate for the size, complexity, or risk profile of the entity. Formal or informal supervisory action may be necessary to secure corrective action.

- Financial institutions and service providers rated composite “4” operate in an unsafe and unsound environment that may impair the future viability of the entity. Operating weaknesses are indicative of serious managerial deficiencies. Risk management processes inadequately identify and monitor risk, and practices are not appropriate given the size, complexity, and risk profile of the entity. Close supervisory attention is necessary and, in most cases, formal enforcement action is warranted.

- Financial institutions and service providers rated composite “5” exhibit critically deficient operating performance and are in need of immediate remedial action. Operational problems and serious weaknesses may exist throughout the organization. Risk management processes are severely deficient and provide management little or no perception of risk relative to the size, complexity, and risk profile of the entity. Ongoing supervisory attention is necessary.

Supplemental to the rating, if violations of any law or regulations are identified, the agency must provide detailed information, including legal numerical citations and name, a brief description of the law or regulation (or portion of it) that is in violation, a description of what led to the violation, and corrective action taken or promised by management.

Personal and Corporate Identity Theft

Personal and corporate identity theft is one of the fastest growing crimes worldwide. Personal identity theft occurs when a criminal fraudulently uses a name, address, SSN, bank account or credit card account number, or other identifying information without consent to commit a crime. As reported by Javelin Strategy & Research in its “2013 Identity Fraud Report,” 12.6 million U.S. adults were victims of identity theft. That figure represents 5.26% of U.S. adults.

• The top five states with the most ID theft complaints are, in order, Florida, California, Texas, New York, and Georgia.

• The total estimated cost of identity theft in 2012 was $21 billion, with an average per-incident loss of $4,930.

• The average victim spent $365 and 12 hours to resolve the problem and clear up records.

In response to this problem, in early 2005, the regulatory agencies issued Supplement A, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.”

Corporate identity theft occurs when criminals attempt to impersonate authorized employees, generally for the purpose of accessing corporate bank accounts in order to steal money. This type of attack is known as a corporate account takeover. Using specially crafted malware, criminals capture a business’s online banking credentials or compromise the workstation used for online banking. The criminals then access online accounts and create fraudulent ACH or wire transfers. The transfers are directed to “money mules” who are waiting to withdraw the funds and send the money overseas. Once the funds are offshore, it is very difficult for law enforcement to recover them.

As many of these crimes go unreported, there are few definitive statistics regarding corporate account takeover activity. In early 2010, the U.S. FDIC estimated US$120 million in activity from online banking fraud involving the electronic transfer of funds in the third quarter of 2009. According to the most recent Account Takeover Survey from FS-ISAC’s Account Takeover Task Force, financial institutions reported 87 account takeover attempts in 2009, 239 in 2010, and 314 annualized in 2011. According to the same survey, in 2011, 12 percent of account takeover attempts resulted in money leaving the banks, whereas in 2009, 70 percent of attacks involved money leaving the bank. In response to this problem, in October 2011, the regulatory agencies issued the Supplement to the Authentication in an Internet Banking Environment Guidance.

What Is Required by the Interagency Guidelines Supplement A?

Supplement A, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. The guidance enumerates a number of security measures that each financial institution must consider and adopt, if appropriate, to control risks stemming from reasonably foreseeable internal and external threats to the institution’s customer information. The guidance stresses that every financial institution must develop and implement a risk-based response program to address incidents of unauthorized access to customer information. The response program should be a key part of an institution’s information security program. Supplement A emphasizes that an institution’s response program should contain procedures for the following:

• Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused.

• Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.

• Being consistent with the agencies’ Suspicious Activity Report (SAR) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing.

• Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information—for example, by monitoring, freezing, or closing affected accounts—while preserving records and other evidence.

• Requiring its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customers.

• Notifying customers when warranted.

The guidance emphasizes notification requirements. When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution is required to conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it must notify its regulatory agency and affected customers as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. In this case, the institution should notify its customers as soon as notification will no longer interfere with the investigation. When customer notification is warranted, an institution may not forgo notifying its customers of an incident because the institution believes that it may be potentially embarrassed or inconvenienced by doing so.

Compliance with Supplement A, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” is included in the Information Technology Examination.

Identity Theft Data Clearinghouse

Although the FTC does not have criminal jurisdiction, it supports the identity theft criminal investigation and prosecution through its Identity Theft Data Clearinghouse. The Clearinghouse is the nation’s official repository for identity theft complaints and a part of the FTC’s Consumer Sentinel complaint database. In addition to housing over a million ID theft complaints, Sentinel offers participating law enforcement agencies a variety of tools to facilitate the investigations and prosecution of identity theft. These include information to help agencies coordinate effective joint action, sample indictments, tools to refresh investigative data through programmed data searches, and access to “hot address” databases.

What Is Required by the Supplement to the Authentication in an Internet Banking Environment Guidance?

In response to the alarming rate of successful corporate account takeover attacks, the financial losses being sustained by both financial institutions and customers, and the impact on public confidence in the online banking system, in October 2011, the regulatory agencies issued updated guidance related to Internet banking safeguards. The Supplement to the Authentication in an Internet Banking Environment Guidance stressed the need for performing risk assessments, implementing effective strategies for mitigating identified risks, and raising customer awareness of potential risks. In a departure from other guidance, the supplement was specific in its requirements and opinion of various authentication mechanisms.

Requirements include the following:

• Financial institutions are required to review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every 12 months.

• Financial institutions are required to implement a layered security model. Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.

• Financial institutions are required to offer multifactor authentication to their commercial cash management (ACH and wire transfer) customers. Because the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer.

• Financial institutions are required to implement authentication and transactional fraud monitoring.

• Financial institutions are required to educate their retail and commercial account holders about the risks associated with online banking. Commercial customers must be notified that their funds are not covered under Regulation E and that they may incur a loss. It is strongly recommended that the awareness programs include risk reduction and mitigation recommendations.

Compliance with the Supplement to the Authentication in an Internet Banking Environment Guidance has been added to the Information Technology Examination. Anecdotal evidence suggests that the guidance has had an impact as losses associated with corporate account takeover are declining.
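The layered security, multifactor authentication, and transactional fraud monitoring requirements above, as an added example that is not the book’s or any regulator’s code: a scoring routine run over constructed ACH batches, login sessions, and thresholds (all assumptions), showing how a batch that matches the money-mule pattern described earlier is held even when it comes from the customer’s usual workstation, while a single genuine new vendor only triggers out-of-band step-up approval.

```python
"""Layered transaction fraud monitoring for a commercial ACH batch (added example,
not code from the book or from any regulator).  Each outgoing entry is scored against
the originator's history and login session; the batch is then released, sent for
out-of-band (step-up) approval, or held.  All thresholds and sample data are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Session:
    device_known: bool   # device fingerprint seen on earlier approved logins
    geo_matches: bool    # IP geolocation consistent with the business's location
    mfa_passed: bool     # out-of-band code already verified in this session

@dataclass
class Entry:
    payee: str
    amount: float
    payee_age_days: int  # days since the payee was added to the originator's list

@dataclass
class Profile:
    known_payees: set[str]
    recent_amounts: list[float]  # approved entry amounts from the last 90 days
    max_daily_total: float       # largest approved single-day total on record

@dataclass
class Decision:
    action: str                  # "release", "step_up" or "hold"
    score: int
    reasons: list[str] = field(default_factory=list)

STEP_UP_SCORE = 2   # at or above: require out-of-band approval before release
HOLD_SCORE = 6      # at or above: hold the batch for manual review

def score_batch(profile: Profile, session: Session, batch: list[Entry]) -> Decision:
    """Score one ACH batch; a higher score means stronger takeover indicators."""
    score, reasons = 0, []

    # Indicator 1: payees the originator has never paid, or added within a week.
    new_payees = [e for e in batch
                  if e.payee not in profile.known_payees or e.payee_age_days < 7]
    if new_payees:
        score += 1
        reasons.append(f"{len(new_payees)} first-time or newly added payee(s)")
    if len(new_payees) >= 3:
        score += 2
        reasons.append("many first-time payees in a single batch")

    # Indicator 2: amounts out of line with history (no history at all counts as anomalous).
    total = sum(e.amount for e in batch)
    typical = mean(profile.recent_amounts) if profile.recent_amounts else 0.0
    if total > 1.5 * profile.max_daily_total or any(e.amount > 3 * typical for e in batch):
        score += 2
        reasons.append("amount(s) far above this originator's history")

    # Indicator 3: funds split into near-identical amounts across several payees (mule pattern).
    if len(batch) >= 3:
        amounts = sorted(e.amount for e in batch)
        if amounts[-1] - amounts[0] <= 0.05 * amounts[-1]:
            score += 1
            reasons.append("near-identical amounts spread across payees")

    # Indicator 4: the session itself looks unlike the customer's usual access.
    if not session.device_known:
        score += 2
        reasons.append("unrecognized device")
    if not session.geo_matches:
        score += 1
        reasons.append("login location inconsistent with the business's location")

    if score >= HOLD_SCORE:
        action = "hold"
    elif score >= STEP_UP_SCORE and not session.mfa_passed:
        action = "step_up"   # code delivered out of band, not through the browser session
    else:
        action = "release"
    return Decision(action, score, reasons)

# Constructed originator profile, sessions and batches for the demonstration.
PROFILE = Profile(known_payees={"Acme Payroll Svc", "Metro Utilities", "Office Depot"},
                  recent_amounts=[1200.0, 980.0, 15500.0, 1100.0, 990.0, 16000.0],
                  max_daily_total=17200.0)
USUAL_SESSION = Session(device_known=True, geo_matches=True, mfa_passed=False)
ODD_SESSION = Session(device_known=False, geo_matches=False, mfa_passed=False)
ROUTINE_BATCH = [Entry("Acme Payroll Svc", 15800.0, 400), Entry("Metro Utilities", 1010.0, 900)]
NEW_VENDOR_BATCH = [Entry("New Vendor LLC", 20000.0, 2)]       # one genuine new vendor
TAKEOVER_BATCH = [Entry("J. Doe", 9800.0, 0), Entry("R. Roe", 9700.0, 0),   # mule pattern
                  Entry("M. Moe", 9900.0, 0), Entry("P. Poe", 9800.0, 0)]

if __name__ == "__main__":
    for name, batch, sess in [("routine", ROUTINE_BATCH, USUAL_SESSION),
                              ("new vendor", NEW_VENDOR_BATCH, USUAL_SESSION),
                              ("takeover", TAKEOVER_BATCH, ODD_SESSION)]:
        d = score_batch(PROFILE, sess, batch)
        print(f"{name:10s} -> {d.action:8s} score={d.score} {d.reasons}")
```

In a real deployment the baselines would be derived from each originator’s own history and the thresholds tuned against the institution’s false-positive tolerance, which is what the guidance’s periodic risk assessment is meant to revisit.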


FYI: Corporate Account Takeover Fraud Advisory

The United States Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3), and the Financial Services Information Sharing and Analysis Center (FS-ISAC) jointly issued a Fraud Advisory for Business: Corporate Account Takeover, with the intent of warning businesses about this type of crime. The advisory noted that cybercriminals are targeting nonprofits, small and medium-sized businesses, municipalities, and school districts across the country. Using malicious software (malware), cybercriminals attempt to capture a business’s online banking credentials, take over web sessions, or even remotely control the workstation. If the criminal gains access to online bank account login credentials or can take over an online banking session, it is possible for the criminal to initiate and authorize ACH or wire funds transfers. Generally, the criminal will create numerous smaller transactions and send them to domestic “money mules,” who are waiting to withdraw the funds and send the money overseas. Once the funds are offshore, it is very difficult for law enforcement to recover them. To make matters worse, financial institutions are not required to reimburse for fraud-related losses associated with commercial accountholder computers or networks. Nor are these losses covered by FDIC insurance.

The information contained in the advisory is intended to provide basic guidance and resources for businesses to learn about the evolving threats and to establish security processes specific to their needs. The advisory as well as related resources are available at the NACHA Corporate Account Takeover Resource Center website at www.nacha.org/Corporate_Account_Takeover_Resource_Center. Security journalist Brian Krebs has been reporting on the impact of corporate account takeovers on small business since 2009. For current and archived reports, visit his blog at http://krebsonsecurity.com/category/smallbizvictims.


Summary

Federal law defines a financial institution as “any institution the business of which is significantly engaged in financial activities....” This broad definition includes banks, credit unions, investment firms, and businesses such as automobile dealers, check-cashing businesses, consumer reporting agencies, credit card companies, educational institutions that provide financial aid, financial planners, insurance companies, mortgage brokers and lenders, and retail stores that issue credit cards.

In 1999, Congress enacted legislation requiring all financial institutions that do business in the United States to protect the privacy and security of customer non-public personal information (NPPI). The Gramm-Leach-Bliley Act (GLBA) required that appropriate privacy and security standards be developed and enforced, and assigned this task to various federal agencies. The agencies that regulate banks and credit unions collaborated and in 2001 published the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and the Guidelines for Safeguarding Member Information, respectively. The Federal Trade Commission (FTC) was charged with developing standards for nonregulated businesses that provide financial services, and in 2003 published the Standards for Safeguarding Customer Information, also known as the Safeguards Act. Due to the type of business the regulations apply to, the requirements of the Safeguards Act are not as stringent as the Interagency Guidelines. The FTC does not conduct compliance examinations; its investigations and enforcement actions are based on consumer complaints.

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information and the Guidelines for Safeguarding Member Information, collectively referred to as the Interagency Guidelines, define information security program objectives and requirements for banks and credit unions. It is up to each covered entity to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. To be in compliance, the information security program must include policies and processes that require institutions to do the following:

• Involve the Board of Directors

• Assess risk

• Manage and control risk

• Oversee service provider arrangements

• Adjust the program

• Report to the Board

It is up to each institution to develop a program that meets these objectives. The ISO 27002:2013 standard provides an excellent framework for a GLBA-compliant information security program.

Financial institutions are expected to take a risk-based approach to information security. The process begins with identifying threats. Threats are defined as potential dangers that have the capacity to cause harm. It is incumbent upon each institution to continually engage in a threat assessment. A threat assessment is the identification of the types of threats and attacks that may affect the institution’s condition and operations or may cause data disclosures that could result in substantial harm or inconvenience to customers. At a minimum, financial institutions must address the threats of unauthorized access, unauthorized data modification, system infiltration, malware, destruction of data or systems, and DoS. The systematic rating of threats based on level of impact and likelihood sans controls is used to determine the inherent risk. A risk assessment is used to evaluate the corresponding safeguards in order to calculate residual risk. Residual risk is defined as the level of risk after controls and safeguards have been implemented. The FFIEC recommends using the NIST risk management framework and methodology as described in Special Publication 800-53 to calculate residual risk. Multiple categories of risk are defined by the FDIC as relevant for financial institutions, including strategic, reputational, operational, transactional, and compliance.

Controls and safeguards can be circumvented by users. Although such actions may be accidental, they are often deliberate and malicious. In order to mitigate the risk of circumvention, it is critical that users understand the threat environment, learn best practices, and agree to acceptable use of information and information systems. To this end, institutions are expected to have a security awareness program and to provide annual enterprise-wide training.

Controls and safeguards are only useful if they perform as expected. Scheduled testing should be conducted by personnel who are independent of the targeted system. The tests and methods utilized should be sufficient to validate the effectiveness of the controls and safeguards. The three most common testing methodologies are audit, assessment, and assurance.

The Interagency Guidelines require financial institutions to ensure that service providers have implemented security controls in accordance with GLBA requirements. Financial Institution Letter FIL-44-2008, “Third-Party Risk Guidance for Managing Third-Party Risk,” clearly states that an institution can outsource a task, but it cannot outsource the responsibility. It is up to the institution to ensure that the controls and safeguards designed, managed, and maintained by third parties comply with the Interagency Guidelines and are equivalent to or exceed internal policies and standards.

A financial institution’s Board of Directors is ultimately responsible for oversight of the information security program and for compliance with all applicable state and federal regulations. Throughout the year, board members should receive information security program updates and be immediately apprised of all major security issues. Decisions that may significantly affect the risk profile of the institution must be authorized by the Board. The Interagency Guidelines require each institution to provide a comprehensive annual Information Security and GLBA Compliance report to the Board of Directors or designated committee.

In response to the problem of personal and corporate identity theft, in 2005 the regulatory agencies issued Supplement A, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” and in 2011, the Supplement to the Authentication in an Internet Banking Environment Guidance. Both supplements focus on threats related to unauthorized access to or use of customer information as well as corresponding controls, including education, incident response programs, and notification procedures.

To ensure compliance with GLBA Interagency Guidelines and supplemental guidance, financial institutions are subject to regulatory examinations. Depending on size, scope, and previous examination findings, exams are conducted every 12 to 18 months. Included in the exam is an evaluation of policies, processes, personnel, controls, and outcomes. The outcome of the examination is a rating based on a scale of 1 to 5, in ascending order of supervisory concern (1 representing the best rating and least degree of concern, and 5 representing the worst rating and highest degree of concern), supervisory comments, and recommendations. Financial institutions that are found not in compliance with regulatory requirements and do not remediate examination findings within an agreed-upon timeframe can be subject to closure.

Test Your Skills

Multiple Choice Questions

1. Which of the following statements best defines the type of organizations that are subject to GLBA regulations?

A. GLBA applies only to banks and credit unions.

B. GLBA applies only to check cashing businesses.

C. GLBA applies to any business engaged in financial services.

D. GLBA applies only to institutions licensed to offer depository services.

2. The Financial Modernization Act of 1999 __________________.

A. deregulated financial services

B. mandated use of computers

C. required banks and credit unions to merge

D. prohibited banks from controlling a nonbanking company

3. The GLBA requires financial institutions to protect which of the following?

A. The privacy of customer NPPI

B. The security of customer NPPI

C. The privacy and the security of customer NPPI

D. None of the above

4. Which of the following is not considered NPPI?

A. SSN

B. Name

C. Checking account number

D. PIN or password associated with a financial account or payment card

5. The Interagency Guidelines Establishing Standards for Safeguarding Customer Information was jointly developed by the _____________________________.

A. Federal Deposit Insurance Corporation (FDIC)

B. Office of the Comptroller of the Currency (OCC), Federal Reserve System (FRS), FDIC, and Office of Thrift Supervision (OTS)

C. Securities and Exchange Commission (SEC) and FDIC

D. National Credit Union Administration (NCUA) and FDIC

6. Which of the following entities developed, published, and enforced the Safeguards Act?

A. Federal Reserve System (FRS)

B. Securities and Exchange Commission (SEC)

C. Federal Trade Commission (FTC)

D. Federal Deposit Insurance Corporation (FDIC)

7. Which of the following statements is false?

A. The Safeguards Act applies to all federally insured institutions.

B. Compliance with the Safeguards Act is not proactively audited.

C. The Interagency Guidelines are more stringent than the Safeguards Act.

D. Enforcement of the Safeguards Act begins with a complaint.

8. The Interagency Guidelines require a written security program that includes all of the following except ____________.

A. legal safeguards

B. physical safeguards

C. technical safeguards

D. administrative safeguards

9. Financial institutions can be fined up to _____ per violation.

A. $100

B. $1,000

C. $10,000

D. $100,000

10. Financial institutions are expected to take a _________ approach to information security.

A. threat-based

B. risk-based

C. audit-based

D. management-based

11. Which of the following terms describes a potential danger that has the capacity to cause harm?

A. Risk

B. Threat

C. Variable

D. Vulnerability

12. Which of the following statements best describes a threat assessment?

A. A threat assessment identifies the types of threats that may affect the institution or customers.

B. A threat assessment is a systematic rating of threats based on level of impact and likelihood.

C. A threat assessment is an audit report.

D. A threat assessment is a determination of inherent risk.

13. Which of the following risk types is defined as a level of risk after controls and safeguards have been implemented?

A. Ongoing risk

B. Residual risk

C. Acceptable risk

D. Inherent risk

14. Which of the following risk management frameworks is recommended by the FFIEC?

A. Basel

B. COBIT

C. NIST

D. FDIC

15. Which of the following statements is true?

A. Strategic risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

B. Reputational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

C. Transactional risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

D. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

16. The risk arising from problems with service or product delivery is known as ________________.

A. strategic risk

B. reputational risk

C. transactional risk

D. operational risk

17. At a minimum, financial institutions are expected to deliver user-focused information security training _________.

A. quarterly

B. semi-annually

C. annually

D. bi-annually

18. A security awareness and training program is considered which type of control?

A. Administrative control

B. Physical control

C. Technical control

D. Contractual control

19. Which of the following statements best describes independent testing?

A. Independent testing is testing performed by a contractor.

B. Independent testing is testing performed by personnel not associated with the target system.

C. Independent testing is testing performed by personnel with security clearance.

D. Independent testing is testing performed by certified professionals.

20. Which of the following test methodologies is a privileged inspection to determine condition, locate weakness or vulnerabilities, and identify corrective actions?

A. Audit

B. Assessment

C. White box

D. Black box

21. The statement, “An institution can outsource a task, but it cannot outsource the responsibility,” applies to an organization’s relationship with ________.

A. regulators

B. employees

C. directors

D. service providers

22. Per the Interagency Guidance, which of the following entities is responsible for oversight of a financial institution’s Information Security Program?

A. Chief Executive Officer (CEO)

B. Information Security Officer

C. Board of Directors

D. Regulatory Agencies

23. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it must notify ____________.

A. its regulatory agency

B. affected customers

C. Board of Directors

D. All of the above

24. Which of the following statements is not true about financial institution regulatory examination?

A. All institutions are subject to a three-year examination schedule.

B. A rating scale of 1 to 5 is used to represent supervisory concern.

C. Institutions found not in compliance can be subject to closure.

D. Results are presented to the Board of Directors.

25. Which of the following statements best defines a corporate account takeover attack?

A. Personal information is used to apply for a loan.

B. Users are denied access to online banking.

C. Fraudulent ACH and wire transfers are initiated from a commercial account.

D. Corporate logos are used in phishing emails.

26. Which of the following is an example of multifactor authentication?

A. Password and PIN

B. Password and picture

C. Password and challenge question

D. Password and out-of-band code

27. Which of the following terms best describes the Supplemental Authentication Guidance requirement of layered defense?

A. Dual control

B. Separation of duties

C. Defense in depth

D. Need-to-know

28. Which of the following statements is true?

A. When a financial institution chooses to outsource a banking function, it must conduct a due-diligence investigation.

B. When a financial institution chooses to outsource a banking function, it must report the relationship to its regulatory agency.

C. When a financial institution chooses to outsource a banking function, it must require the service provider to have appropriate controls and safeguards.

D. All of the above.

29. Which of the following agencies is responsible for investigating consumer security–related complaints about a university financial aid office?

A. FTC

B. Department of Education

C. FDIC

D. Sallie Mae

30. Banks have customers; credit unions have ________.

A. members

B. supporters

C. constituents

D. incorporators

Exercises

Exercise 13.1: Identifying Regulatory Relationships

1. Access the official websites of the Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) and write a brief synopsis of the mission of each agency.

2. For each agency, identify at least one financial institution (within a 50-mile radius of your location) that it regulates.

3. In matters of information security, should it matter to consumers who regulates the financial institution they use? Why or why not?

Exercise 13.2: Researching the FTC

1. Visit the official FTC website and write a brief synopsis of its mission.

2. Prepare a summary of FTC information security resources for business.

3. Prepare a summary of an FTC GLBA-related enforcement action.

Exercise 13.3: Understanding the Federal Register

1. Locate a Federal Register copy of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.

2. Highlight the actual regulations.

3. Prepare a brief explaining the other sections of the document.

Exercise 13.4: Assessing GLBA Training

1. Go online and find publicly available GLBA-related information security training.

2. Go through the training and make a list of the key points.

3. Did you find the training effective? Why or why not?

Exercise 13.5: Researching Identity Theft

1. Document the steps consumers should take if they have been or suspect they have been the victims of identity theft.

2. Document how a consumer reports identity theft to your local or state police.

3. Document how a consumer files an identity theft complaint with the FTC.

Projects

Project 13.1: Educational Institutions and GLBA

Educational institutions that collect, process, store, and/or transmit non-public personal student information, including financial records and SSNs, are subject to GLBA regulations.

1. Locate documents published by your school that relate to compliance with GLBA. If you are not a student, choose a local educational institution. GLBA compliance documentation is generally published on an institution’s website.

2. Evaluate the documentation for clarity (for example, is it written in plain language? is it easy to understand and relate to?) and content (does it address the objectives of the Safeguards Act?). Make suggestions for improvement.

3. Prepare a training session for new faculty and administration that describes the school’s GLBA compliance policy and standards. Include an explanation of why it is important to safeguard NPPI.

Project 13.2: Understanding Third-Party Oversight

GLBA Section III-D requires financial institutions to “oversee service provider relationships.”

1. Explain what is meant by the phrase “an institution can outsource a task, but it cannot outsource the responsibility.”

2. Access a copy of Financial Institution Letter FIL-44-2008, “Third-Party Risk Guidance for Managing Third-Party Risk.” What actions should an institution take to ensure the service provider is in compliance with regulatory requirements?

3. In October 2012, the FFIEC published an updated Supervision of Technology Service Providers InfoBase. Access the handbook and read the sections titled “Report of Examination,” “ROE Distribution,” and “Customer List.” A bad report can seriously harm a service provider. Prepare a brief for or against the examination of service providers and the distribution of the report.

Project 13.3: Assessing Risk Management

According to the FFIEC Information Security InfoBase Handbook (Appendix A), the initial step in a regulatory Information Technology Examination is to interview management and review examination information to identify changes to the technology infrastructure, new products and services, or organizational structure.

1. Explain how changes in network topology, system configuration, or business processes might increase the institution’s information security–related risk. Provide examples.

2. Explain how new products or services delivered to either internal or external users might increase the institution’s information security–related risk. Provide examples.

3. Explain how loss or addition of key personnel, key management changes, or internal reorganizations might increase the institution’s information security–related risk. Provide examples.

References

Regulations Cited

“12 U.S.C. Chapter 18: Bank Service Companies, Section 1867 Regulation and Examination of Bank Service Companies,” accessed 08/2013, www.gpo.gov/fdsys/pkg/USCODE-2010-title12/html/USCODE-2010-title12-chap18-sec1867.htm.

“16 CFR Part 314 Standards for Safeguarding Customer Information: Final Rule,” accessed 05/2013, www.ftc.gov/os/2002/05/67fr36585.pdf.

“Appendix B to Part 364: Interagency Guidelines Establishing Information Security Standards,” accessed 08/2013, www.fdic.gov/regulations/laws/rules/2000-8660.html.

“Financial Institution Letter (FIL-49-99), Bank Service Company Act,” accessed 08/2013, www.fdic.gov/news/news/financial/1999/fil9949.html.

“Financial Institution Letter (FIL-44-2008), Third-Party Risk Guidance for Managing Third-Party Risk,” accessed 08/2013, www.fdic.gov/news/news/financial/2008/fil08044.html.

“Supplemental Guidance on Internet Banking Authentication, June 28, 2011,” official website of the FFIEC, accessed 08/2013, www.ffiec.gov/press/pr062811.htm.

Other References

“Bank Supervision Process: Comptrollers Handbook September 2007 (updated May 17, 2012),” Comptroller of the Currency, accessed 08/2013, www.occ.gov/publications/publications-by-type/comptrollers-handbook/banksupervisionprocess.html.

Chilingerian, Natasha. “FS-ISAC Survey Shows Uptick in Account Takeover Attempts, Drop in Actual Losses,” Credit Union Times, June 15, 2012, accessed 08/2013, www.cutimes.com/2012/06/15/fs-isac-survey-shows-uptick-in-account-takeover-at.

“Consumer Information—Identity Theft,” official website of the Federal Trade Commission, accessed 08/2013, www.consumer.ftc.gov/features/feature-0014-identity-theft.

“FDIC Oversight of Technology Service Providers, July 2006, Report No. 06-015,” Audit Report, OIG Office of Audits, accessed 08/2013, www.fdicoig.gov/reports06/06-015-508.shtml.

“FFIEC Information Security IT Examination Handbook,” July 2006, Federal Financial Institutions Examination Council, accessed 08/2013, http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

“FFIEC Supervision of Technology Service Providers (TSP) Handbook,” October 2012, Federal Financial Institutions Examination Council, accessed 08/2013, http://ithandbook.ffiec.gov/it-booklets/supervision-of-technology-service-providers-(tsp).aspx.

Field, Tom. “The FDIC on Vendor Management—Interview with Donald Saxinger,” Bank InfoSecurity, Sept. 27, 2010, accessed 08/2013, www.bankinfosecurity.com/interviews.php?interviewID=746.

“Fraud Advisory for Business: Corporate Account Takeover,” U.S. Secret Service, FBI, IC3, and FS-ISAC, accessed 08/2013, www.nacha.org/Corporate_Account_Takeover_Resource_Center.

“FTC Resources for Reporters,” official website of the Federal Trade Commission, accessed 08/2013, www.ftc.gov/opa/reporter/idtheft/.

Gross, Grant. “Banks Crack Down on Cyber-based Account Takeovers,” IDG News Service, January 9, 2013, accessed 08/2013, www.networkworld.com/news/2013/010913-banks-crack-down-on-cyber-based-265685.html.

“Identity Theft Impacts,” State of California Department of Justice, Office of the Attorney General, accessed 08/2013, http://oag.ca.gov/idtheft.

Note: The statistics cited are from the Javelin Strategy & Research “2012 Identity Fraud Report,” released in February 2013.

“FTC Complaint Assistant,” official website of the Federal Trade Commission, https://www.ftccomplaintassistant.gov/.

“Financial Institution Letter (FIL-44-2008), Guidance for Managing Third-Party Risk,” June 6, 2008.

Krebs, Brian. “Target: Small Businesses,” Krebs on Security Blog, accessed 08/2013, http://krebsonsecurity.com/category/smallbizvictims/.

“PATCO Construction Company v. People’s United Bank, United States District Court District of Maine, Case 2:09-cv-00503-DBH,” accessed 08/2013, www.goodwinprocter.com/~/media/585506BA9D5C4280996AC20523131EF8.pdf.

“PATCO Construction Company v. People’s United Bank, United States Court of Appeals for the First Circuit, Case 11-2031,” accessed 08/2013, www.wired.com/images_blogs/threatlevel/2012/11/Patco-Appellate-Decision.pdf.

“The Evolution of Bank Information Technology Examinations,” FDIC Supervisory Insights, Summer 2013, Volume 10, Issue 1, accessed 08/2013, www.fdic.gov/regulations/examinations/supervisory/insights/index.html.
