On April 29, the FFIEC updated its IT Examination Handbook, revising its Retail Payment Systems booklet to include an Appendix E, Mobile Financial Services. The Retail Payment Systems booklet consists of guidance intended to help examiners evaluate financial institutions’ and third-party providers’ management of risks associated with retail payment systems. Appendix E is designed to address risk management associated with mobile financial services (MFS): “Appendix E contains guidance pertaining to [MFS] risks that supplements existing booklet guidance on other retail payment topics, such as electronic payments related to credit cards and debit cards, remote deposit capture and changes in technology or retail payment systems.” Appendix E outlines risk management practices for the following MFS technologies: (i) short message service/text messaging; (ii) mobile-enabled web sites and browsers; (iii) mobile applications; and (iv) wireless payment technologies. In addition to MFS technologies, Appendix E also addresses management strategies related to (i) risk identification; (ii) risk measurement; (iii) risk mitigation; and (iv) monitoring and reporting.
FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks
On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions with the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions. Read more…
On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 that makes up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”
On November 3, the FFIEC issued a statement notifying financial institutions of the increasing frequency and severity of cyber attacks involving extortion. The joint statement urges financial institutions to take steps to ensure effective risk management programs, including but not limited to the following: (i) conducting ongoing information security risk assessments; (ii) performing security monitoring, prevention, and risk mitigation; (iii) implementing and regularly testing controls around critical systems; and (iv) participating in industry information-sharing forums. The statement identifies resources financial institutions can refer to for assistance in mitigating cyber attacks involving extortion.
The OCC also published a bulletin alerting all OCC-supervised institutions of the FFIEC’s joint statement.
On October 1, CFPB Director Richard Cordray, on behalf of the FFIEC, responded to correspondence from the American Bankers Association and other trade associations seeking guidance as to their compliance with the Bureau’s Know Before You Owe TILA-RESPA Integrated Disclosure Rule, which will become effective on October 3, 2015. Per Director Cordray’s letter, the FFIEC’s member agencies’ examiners “will expect supervised entities to make good faith efforts to comply with the Rule’s requirements in a timely manner.” Moreover, examiners will take a number of factors into consideration in determining compliance with the Rule, including (i) an institution’s implementation plan; (ii) an institution’s training of its staff; and (iii) how an institution handles any early technical problems or other implementation challenges.