<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/"><channel><title>CSI Blog</title><link>http://www.csiweb.com/Resources/Overview/Blog.aspx</link><item><title>The Latest CFPB Rule Finalizations</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/115/the-latest-cfpb-rule-finalizations.aspx</link><summary>&lt;img alt="" style="width: 80px; height: 90px;" src="http://csiweb.com/Portals/0/Images/BlogImages/Amber_Goodrich.jpg" /&gt; Finally, financial institutions are getting some relief from the confusion of the continuing barrage of new regulations, and the help comes from none other than the regulators themselves.</summary><category>Regulatory Compliance</category><pubDate>Wed, 22 May 2013 08:58:29 GMT</pubDate><description>&lt;img alt="" style="width: 80px; height: 90px;" src="http://csiweb.com/Portals/0/Images/BlogImages/Amber_Goodrich.jpg" /&gt;&amp;nbsp;by Amber Goodrich&lt;br /&gt;
&lt;br /&gt;
Finally, financial institutions are getting some relief from the confusion of the continuing barrage of new regulations, and the help comes from none other than the regulators themselves.&lt;br /&gt;
&lt;br /&gt;
The Consumer Financial Protection Bureau (CFPB) in April announced a major change to the 2009 Credit Card Accountability Responsibility and Disclosure Act (CARD Act) under Regulation Z, as well as the long-awaited finalization of the Remittance Transfer Rule under Regulation E (Electronic Funds Transfer Act). The agency also has taken measures to amend and finalize rulings for greater clarity and ease of compliance.&lt;br /&gt;
&lt;p style="margin-top: 18.75pt;"&gt;&lt;strong&gt;Changes for Financial Institutions &lt;/strong&gt;&lt;/p&gt;
&lt;br /&gt;
The CARD Act amendment allows institutions issuing credit cards to consider income that a stay-at-home applicant (who is 21 or older) shares with a spouse or partner, which can increase the applicant&amp;rsquo;s ability to repay. Under previous provisions of the Act, card issuers only were able to consider the individual&amp;rsquo;s income or assets. The ruling is not limited to married couples.&lt;br /&gt;
&lt;br /&gt;
And the wait&amp;rsquo;s over for the Remittance Transfer Rule&amp;rsquo;s effective date, which now is Oct. 28, 2013. Two major changes also were made during its finalization:
&lt;br /&gt;
&lt;br /&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;In preliminary rule publications, institutions providing remittance transfer services would have been required to disclose their own transfer services fees as well as fees assessed by the receiving institution and any foreign taxes associated with the transaction. Now, the disclosure of recipient fees as well as foreign taxes is optional, and providers must only include, where applicable, a disclaimer that fees and taxes may apply.&lt;/li&gt;
    &lt;li&gt;The second change pertains to errors in transactions resulting from the sender providing incorrect recipient information. Institutions preliminarily were responsible for attempting to recover the funds in these situations, as well as bearing the cost of non-recoverable funds. The CFPB now only requires that institutions attempt to recover the funds.&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="margin-top: 18.75pt;"&gt;&lt;strong&gt;Your Next Steps&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Institutions that issue cards must now assess their policies and procedures for reviewing an applicant&amp;rsquo;s ability to repay for credit card products, since they have not had to consider third-party income in the credit approval process.&lt;br /&gt;
&lt;br /&gt;
As for the Remittance Transfer Rule, institutions should review their international transfer programs and decide how to ensure compliance with the October effective date, taking into consideration new disclosure requirements, error resolution guidelines and the consumer&amp;rsquo;s right to cancel such transactions.&lt;br /&gt;
&lt;br /&gt;
For a more in-depth review of these CFPB developments, click &lt;a href="http://compliance.csiweb.com/resources/newsletters.aspx?id=153#.UZKkxLWceVM"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Amber Goodrich, Consumer Compliance Consultant for CSI Regulatory Compliance, has more than 10 years of financial industry experience. She is a Certified Community Bank Compliance Officer (CCBCO) and Certified Bank Secrecy Act (BSA) Professional (CBAP).&lt;/em&gt;&lt;/p&gt;
&lt;p style="margin-top: 18.75pt;"&gt;&lt;em&gt;&amp;nbsp;&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Document Delivery—Go Green and Save Big</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/114/document-deliverygo-green-and-save-big.aspx</link><summary>&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/culbertson.jpg" /&gt; When it comes to delivering statements and notices to customers, will you join the paperless movement?  According to the just-published CSI 2013 Annual Banking Priorities Study, more than 85 percent of your financial industry peers are “going green”—meaning they have eliminated or are in the process of eliminating paper delivery. </summary><category>Print and Electronic Distribution</category><pubDate>Thu, 16 May 2013 08:34:42 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/culbertson.jpg" /&gt;by David Culbertson&lt;/p&gt;
&lt;p&gt;When it comes to delivering statements and notices to customers, will you join the paperless movement?&lt;/p&gt;
&lt;p&gt;According to the just-published &lt;a href="http://www2.csiweb.com/BankingPriorities2013"&gt;CSI 2013 Annual Banking Priorities Study&lt;/a&gt;, more than 85 percent of your financial industry peers are &amp;ldquo;going green&amp;rdquo;&amp;mdash;meaning they have eliminated or are in the process of eliminating paper delivery. This survey of more than 200 financial institution (FI) decision makers validates an industry trend that FIs are gradually selecting e-statements, since this option helps them gain cost and operational efficiencies.&lt;/p&gt;
&lt;p&gt;The trend is expected to continue as more consumers acquire electronic devices that make receiving and viewing banking information easier.&amp;nbsp; &lt;/p&gt;
For a financial institution, transitioning to e-statements and notices provides three key benefits:&lt;br /&gt;
&lt;ol class="list"&gt;
    &lt;li&gt;It ensures the timely delivery of information.&lt;/li&gt;
    &lt;li&gt;It creates the opportunity to deliver content within the online banking environment.&lt;/li&gt;
    &lt;li&gt;It saves money. Electronic delivery is generally less than 35 percent of the print cost when considering the price of postage.&lt;/li&gt;
&lt;/ol&gt;
&lt;p class="Default" style="line-height: 115%;"&gt;As if the higher cost of paper delivery weren&amp;rsquo;t enough, consider the challenges that will surely arise if the USPS makes changes to its delivery schedule.&lt;/p&gt;
&lt;p class="Default" style="line-height: 115%;"&gt;But for those FIs that continue using paper, opportunities do exist for saving time and money. While the cost to produce and deliver a paper statement varies widely, doing the work in-house can run up to $1.50 per statement when postage is included. Outsourcing to a third-party vendor, on the other hand, can lower that expense by as much as 50 percent.&lt;/p&gt;
&lt;p class="Default" style="line-height: 115%;"&gt;Remember, however, that if you continue outsourcing paper statement delivery, you must ensure you&amp;rsquo;re following federal regulations. GLBA requires FIs and their vendors to safeguard and hold all non-public customer information confidential. But according to the banking priorities survey, nearly 48 percent of respondents do not utilize a GLBA-compliant vendor, which sets them up for information security risks. &lt;/p&gt;
&lt;p class="Default" style="line-height: 115%;"&gt;Further, FIs must ensure that their print provider has a GLBA policy that is part of a larger information security strategy, and they should regularly test this policy through audit review and electronic vulnerability assessments conducted by independent third parties. Outsourced print vendors also should be reviewed annually by federal and state bank examiners, according to FFIEC guidelines.&lt;/p&gt;
&lt;p class="Default" style="line-height: 115%;"&gt;To read more about 2013 document processing practices as well as all of your peers&amp;rsquo; key opportunities and challenges for this year, download your free copy of the &lt;a href="http://www2.csiweb.com/BankingPriorities2013"&gt;CSI 2013 Annual Banking Priorities Study&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;David Culbertson is president and general manager of CSI&amp;rsquo;s Document Services Division, which is focused on providing a best-in-class product line devoted to electronic and paper document capture and delivery.&lt;/em&gt; &lt;em&gt;David currently serves on the national board of the Association for Financial Technologies.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>DDoS Day. Dud or Diversion?</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/113/ddos-day-dud-or-diversion.aspx</link><summary>&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Martin_Sean_optimized.jpg" /&gt; So, May 7 was supposed to be a day of dread for financial institutions across the country as the hacktivist collective Anonymous announced it would slam banks and credit unions with system-halting distributed denial of service (DDoS) attacks. </summary><category>Managed Services</category><pubDate>Mon, 13 May 2013 10:54:47 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Martin_Sean_optimized.jpg" /&gt; by Sean Martin&lt;/p&gt;
&lt;p&gt;So, May 7 was supposed to be a day of dread for financial institutions across the country as the hacktivist collective Anonymous announced it would slam banks and credit unions with system-halting distributed denial of service (DDoS) attacks. &lt;/p&gt;
&lt;p&gt;And that was that.&lt;/p&gt;
&lt;p&gt;By day&amp;rsquo;s end, a few DDoS incidents were reported, but certainly nothing out of the ordinary. So, what happened? Only the group announcing the attack knows for sure. But really, that&amp;rsquo;s beside the point. Because it shouldn&amp;rsquo;t take some major announcement like this one for us all to take notice of DDoS threats&amp;mdash;they are always present. We must remain vigilant, because it&amp;rsquo;s much more likely that an attack will come with no warning when you least expect it.&lt;/p&gt;
&lt;p&gt;In fact, what if the May 7 announcement turns out to be a &amp;ldquo;testing the waters&amp;rdquo; campaign, with the actual attacks hitting weeks from now? It&amp;rsquo;s entirely possible the hacktivists sat back and watched their targets&amp;rsquo; defensive measures to learn ways around them.&lt;/p&gt;
&lt;p&gt;Further, there&amp;rsquo;s mounting evidence that DDoS attacks merely conceal more covert secondary attacks. For example, while attackers divert employees and resources toward stopping the flood of network-clogging traffic, they simultaneously sneak up from another direction by phoning in unauthorized wire and other electronic transfers. Our blog, &lt;a href="http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/80/cfis-and-ddos-attacks-its-possible.aspx"&gt;CFIs and DDoS Attacks&amp;mdash;It&amp;rsquo;s Possible&lt;/a&gt;, further explains this current climate.&lt;/p&gt;
&lt;p&gt;So, keep your financial institution armed with the tools and resources necessary to protect it 24x7. At a minimum, you should:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;ensure systems and software are patched&lt;/li&gt;
    &lt;li&gt;confirm your Intrusion Prevention System can detect unusual traffic patterns&lt;/li&gt;
    &lt;li&gt;safeguard your perimeter with such tools as firewalls and network routers&lt;/li&gt;
    &lt;li&gt;if possible, employ a managed services provider to constantly and thoroughly monitor your network&amp;mdash;but only after performing your due diligence&lt;/li&gt;
    &lt;li&gt;perform regular network vulnerability assessments to discover any weaknesses&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In addition, make sure your incident response and business continuity plans are up-to-date in case an attack occurs.&lt;/p&gt;
&lt;p&gt;To learn more, a recording of our recent DDoS webinar, &lt;a href="https://csiweb.webex.com/ec0606l/eventcenter/recording/recordAction.do?theAction=poprecord&amp;amp;AT=pb&amp;amp;renewticket=0&amp;amp;isurlact=true&amp;amp;recordID=59346622&amp;amp;apiname=lsr.php&amp;amp;rKey=4d35abd46424abe3&amp;amp;format=short&amp;amp;needFilter=false&amp;amp;&amp;amp;SP=EC&amp;amp;rID=59346622&amp;amp;siteurl=csiweb&amp;amp;actappname=ec0606l&amp;amp;actname=%2Feventcenter%2Fframe%2Fg.do&amp;amp;rnd=6902785409&amp;amp;entappname=url0108l&amp;amp;entactname=%2FnbrRecordingURL.do"&gt;Proactive Defenses Against DDoS Attacks&lt;/a&gt;, provides detailed information from a panel of CSI experts about this type of attack and how best to safeguard against it, along with recommended responses should an attack occur.&lt;/p&gt;
&lt;p&gt;As for what&amp;rsquo;s on the horizon, begin to familiarize yourself with TDoS attacks&amp;mdash;or, telephony denial of service. Similar to DDoS, this attack employs high volumes of automated calls to overwhelm phone systems and halt legitimate incoming and outgoing calls. Check back soon for a full blog on TDoS attacks.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Sean Martin is an operations center manager and risk expert with Computer Services, Inc. (CSI)&amp;rsquo;s Managed Services Division, a leading provider of cloud-based managed performance, security and IT-related services.&amp;nbsp;&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Compliance Challenges for 2013 Revealed </title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/112/compliance-challenges-for-2013-revealed.aspx</link><summary>&lt;img alt="" style="width: 80px; height: 90px;" src="http://csiweb.com/Portals/0/Images/BlogImages/paul_reymann.jpg" /&gt;Going strictly by the numbers, the 2013 forecast for the financial services industry is bright indeed. According to reports by the Federal Deposit Insurance Corporation (FDIC), industry earnings totaled $141.3 billion in 2012—a 19.3 percent improvement over 2011 and the highest net income since 2006.</summary><category>Regulatory Compliance</category><pubDate>Thu, 09 May 2013 14:32:24 GMT</pubDate><description>&lt;img alt="" style="width: 80px; height: 90px;" src="http://csiweb.com/Portals/0/Images/BlogImages/paul_reymann.jpg" /&gt; by Paul Reymann
&lt;p&gt;Going strictly by the numbers, the 2013 forecast for the financial services industry is bright indeed. According to reports by the Federal Deposit Insurance Corporation (FDIC), industry earnings totaled $141.3 billion in 2012&amp;mdash;a 19.3 percent improvement over 2011 and the highest net income since 2006.&lt;/p&gt;
&lt;p&gt;The soon-to-be-published CSI 2013 Annual Banking Priorities Study echoes this positive outlook. Now in its second year, this survey of more than 200 financial institution (FI) decision makers shows a clear and growing confidence among industry professionals, many of whom expect the current economy to have a positive effect on their profitability.&lt;/p&gt;
&lt;p&gt;As we summarized the results, however, it was no surprise that many of the issues that confronted financial institutions in 2012 will continue this year, including a top concern&amp;mdash;compliance. So to help monitor this trend and offer a perspective on how it is changing, here are some of the survey&amp;rsquo;s compliance questions and subsequent results: &lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt; &lt;strong&gt;Where will you need compliance services and products to help in 2013?&lt;/strong&gt; More than half of the respondents (57.2 percent) continue to identify Dodd-Frank Act (DFA) planning as the top compliance priority, exceeding last year&amp;rsquo;s response of 47 percent. Similarly, DFA self-assessment topped the list again with 45 percent, which is consistent with last year. And 44.2 percent of respondents cited needing help with updating their consumer compliance programs. &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Do you have a strategy established to prepare for the DFA regulatory changes in 2013?&lt;/strong&gt; Almost all FIs have either rolled out a strategy (18 percent) or are creating one to prepare for DFA changes (71.2 percent), a slight increase over 2012. With the January 2014 effective date for the mortgage reform rules on the horizon, all institutions should immediately begin to assess and administer policies, procedures, disclosures and other compliance program aspects.&lt;/li&gt;
    &lt;li&gt; &lt;strong&gt;How often do you update your IT risk assessment and control evaluation?&lt;/strong&gt; About 60 percent of respondents perform annual IT risk assessments, but depending on how often material changes occur or the FFIEC implements new guidance, once a year might not be enough.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Overall, the survey responses&amp;mdash;along with other industry data&amp;mdash;suggest that 2013 will be the year FIs focus on executing strategies to address unprecedented compliance pressures, which is good news. &lt;br /&gt;
&lt;br /&gt;
The CSI 2013 Annual Banking Priorities Study, which addresses a broad range of issues, will be published the week of May 13. You can visit &lt;a href="http://www.csiweb.com/"&gt;csiweb.com&lt;/a&gt; to download the full report once it&amp;rsquo;s available.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Paul Reymann is chief risk officer with CSI Regulatory Compliance, where he leads the company&amp;rsquo;s managed compliance initiatives and services. With more than 27 years of experience working within the financial services industry, he has authored several key regulatory directives and advisories on emerging risk management issues. Paul actively educates financial institution audiences on regulatory developments, new compliance mandates debated in legislation, and their effects on the industry.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Stop Debit Card Fraud Before it Starts</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/111/stop-debit-card-fraud-before-it-starts.aspx</link><summary>&lt;img alt="" src="/Portals/0/Images/BlogImages/Matt%20Herren.jpg" /&gt; Each year, debit card fraud grows in sophistication. Years ago, it might’ve been a petty thief looking over your shoulder at the ATM, and while that kind of fraud still happens today, it’s more likely that your banking customers will be hit by the mounting numbers of professional crooks out there. Debit card fraud has become an organized, billion-dollar business.</summary><category>Payments Processing</category><pubDate>Wed, 01 May 2013 09:10:00 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="/Portals/0/Images/BlogImages/Matt%20Herren.jpg" /&gt; by Matt Herren&lt;/p&gt;
&lt;p&gt;Each year, debit card fraud grows in sophistication. Years ago, it might&amp;rsquo;ve been a petty thief looking over your shoulder at the ATM, and while that kind of fraud still happens today, it&amp;rsquo;s more likely that your banking customers will be hit by the mounting numbers of professional crooks out there. Debit card fraud has become an organized, billion-dollar business.&lt;/p&gt;
&lt;p&gt;Case in point&amp;mdash;a Midwest grocery store chain recently reported that approximately 2.4 million credit and debit cards were potentially compromised during a single security breach.&lt;/p&gt;
&lt;p&gt;Large-scale debit card fraud generally operates on a two-tier system. First there&amp;rsquo;s the technical side of harvesters, comprising IT experts who&amp;mdash;from anywhere&amp;mdash;perpetrate the initial theft through malware and phishing attempts on merchants, card processors and cardholders. They then sell the siphoned information to the second tier, the &amp;ldquo;cash-out&amp;rdquo; perpetrators, who use the stolen account information to create counterfeit cards. They sell the cards by way of fraud forums on little-known underground Internet sites.&lt;/p&gt;
&lt;p&gt;Fortunately, your financial institution doesn&amp;rsquo;t need to bear the burden of fraud prevention alone. An excellent means to detect debit card fraud is a monitoring solution that provides 24x7 transaction screening and blocks suspicious activities, which can greatly reduce, even prevent, fraud losses.&lt;/p&gt;
&lt;p&gt;But not all monitoring solutions are created equal. Many rely solely on automation to identify threats, and fraud generally changes too quickly for that. Criminals can easily find their way around barriers, and even if an automated solution detects fraud within 12 to 24 hours, a card can be maxed out by then.&lt;/p&gt;
&lt;p&gt;More sophisticated solutions, including CSI&amp;rsquo;s Card Sentry, merge automation with the human element to better anticipate rapidly changing trends. Skilled analysts track and adapt to these trends, issue denials in real-time, and quickly re-issue new cards to customers. And they can pick up on unusual activity by such variables as merchant type and geography, and deny authorizations from ever taking place.&lt;/p&gt;
&lt;p&gt;But perhaps the most crucial step toward mitigating risk is developing a strong line of communication with your solutions provider. In addition, learn everything you can about fraud, and ensure your customers protect themselves through malware and anti-virus software and by reporting lost cards and suspicious texts and emails.&lt;/p&gt;
&lt;p&gt;Remember, the onus is on your financial institution to safeguard customers. Arm yourself with knowledge and a strong partnership to keep losses to a minimum.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Matt Herren, CSI fraud specialist, has worked to fundamentally expand how fraud is investigated within the industry. Through advanced analytics and data analysis, he is encouraging financial institutions to shift their focus from not only reacting to fraud, but also working to prevent it before it occurs.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Inside Insider Fraud</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/110/inside-insider-fraud.aspx</link><summary>&lt;img alt="" style="width: 80px; height: 90px;" src="http://csiweb.com/Portals/0/Images/BlogImages/Amber_Goodrich.jpg" /&gt; It’s hard enough protecting your financial institution from the various types of criminals out there, but what if the worst offender is sitting the next office over? None of us wants to think our trusted employees and co-workers could be capable of insider fraud, but it’s an unpleasant reality.</summary><category>Regulatory Compliance</category><pubDate>Wed, 24 Apr 2013 09:15:06 GMT</pubDate><description>&lt;img alt="" style="width: 80px; height: 90px;" src="http://csiweb.com/Portals/0/Images/BlogImages/Amber_Goodrich.jpg" /&gt;by Amber Goodrich
&lt;br /&gt;
&lt;br /&gt;
&lt;p&gt;It&amp;rsquo;s hard enough protecting your financial institution from the various types of criminals out there, but what if the worst offender is sitting the next office over? None of us wants to think our trusted employees and co-workers could be capable of insider fraud, but it&amp;rsquo;s an unpleasant reality.&lt;/p&gt;
&lt;p&gt;Financial institution employees have many methods for committing fraudulent schemes, including through wire and credit card transactions. But two avenues are especially prevalent: loan fraud and money laundering. In fact, fraudulent lending practices are rising at an alarming rate, and are particularly unsettling since they often involve trusted employees in authority positions. For example, an employee could enter into an outside venture involving a shell company that may&amp;mdash;or may not&amp;mdash;be a legitimate business. Either way, the employee could finance the shell company by providing false information on a loan application and pushing for its approval.&lt;/p&gt;
&lt;p&gt;This abuse of power happens more often than you think. According to recent investigations by the Secret Service, more than 50 percent of insider fraud is perpetrated by such highly trusted employees as managers, and their average time on the job before committing a scheme is five years. They&amp;rsquo;re good at avoiding suspicious behavior and have been with the bank long enough to know the policies and procedures, as well as ways to get around them&amp;mdash;which makes insider fraud exceedingly hard to detect.&lt;/p&gt;
&lt;p&gt;Still, it&amp;rsquo;s prudent to keep a lookout for activities that don&amp;rsquo;t feel right, including employees who work excessively long hours and refuse assistance from others. Also, an employee experiencing numerous account overdrafts could be dealing with financial problems.&lt;/p&gt;
&lt;p&gt;In addition to a watchful eye, consider the following preventive practices and tools:
&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;Utilize a segregation of duties to ensure only certain employees know what you&amp;rsquo;re monitoring, as well as the criteria that raise flags. In turn, maintain a review of controls to &amp;ldquo;monitor the monitors&amp;rdquo; and confirm each employee&amp;rsquo;s level of access along with who can override system messages and approve certain transactions. A consulting firm also can perform audits.&lt;/li&gt;
    &lt;li&gt;Install software that detects when proprietary information is downloaded to such devices as flash drives. Additional software is available to screen transactions.&lt;/li&gt;
    &lt;li&gt;Regularly monitor all employees&amp;rsquo; personal accounts at the bank to detect suspicious patterns and activities.&lt;/li&gt;
    &lt;li&gt;Pay special attention to departing employees. Watch their accounts for signs of concern and have IT personnel ensure they&amp;rsquo;re not downloading proprietary information to flash drives or personal email accounts. This is particularly important in cases of downsizing.&lt;/li&gt;
    &lt;li&gt;Encourage fellow employees to file suspicious activity reports to help determine negative trends. The reports, which are logged with FinCEN, are given to the board of directors and remain confidential.&lt;/li&gt;
&lt;/ul&gt;
While we all hope insider fraud is something that would never happen to us, err on the side of caution and use these tools to protect your financial institution from this unnecessary loss.
&lt;br /&gt;
&lt;br /&gt;
&lt;p&gt;&lt;em&gt;Amber Goodrich, Consumer Compliance Consultant for CSI, has more than 10 years of financial industry experience, most recently specializing in compliance. She is a Certified Community Bank Compliance Officer (CCBCO) and Certified Bank Secrecy Act (BSA) Professional (CBAP).&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Best Approach to P2P? It’s All About the Receiver</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/109/best-approach-to-p2p-its-all-about-the-receiver.aspx</link><summary>&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/DuPerrieu_Steve.jpg"/&gt; Your customers want easier ways to exchange money from one to another. And while cash and checks don’t cut it anymore, savvy consumers still expect “instant” ways of trading money. </summary><category>Mobile &amp; Internet</category><pubDate>Wed, 17 Apr 2013 08:49:31 GMT</pubDate><description>&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/DuPerrieu_Steve.jpg" /&gt;by: Steve DuPerrieu&lt;br /&gt;
&lt;br /&gt;
Your customers want easier ways to exchange money from one to another. And while cash and checks don&amp;rsquo;t cut it anymore, savvy consumers still expect &amp;ldquo;instant&amp;rdquo; ways of trading money.&amp;nbsp;&lt;span&gt;&lt;span style="line-height: 150%;"&gt;Enter person-to-person (P2P) payments.&lt;/span&gt;&lt;br /&gt;
&lt;div style="line-height: 150%; text-indent: 0px;"&gt;&lt;span style="line-height: 150%; text-indent: 0.5in;"&gt;&lt;br /&gt;
Individuals, as senders, are finding P2P payments make life less complicated, since they can replace cash and checks with digital payments enabled by their phones. While various providers have offered such services for years, &lt;/span&gt;&lt;em style="line-height: 150%; text-indent: 0.5in;"&gt;it&amp;rsquo;s the convenience for the receiver&lt;/em&gt;&lt;span style="line-height: 150%; text-indent: 0.5in;"&gt; that will ultimately drive mass adoption and give financial institutions that deploy this service the competitive advantage.&lt;br /&gt;
&lt;/span&gt;&lt;span style="line-height: 150%; text-indent: 0.5in;"&gt;&lt;br /&gt;
But all P2P offerings aren&amp;rsquo;t the same:&amp;nbsp;Those not facilitated through a financial institution are not convenient for the receiver. But since receivers are the ones owed money, shouldn&amp;rsquo;t the experience be just as easy for them?&lt;br /&gt;
&lt;/span&gt;&lt;span style="line-height: 150%; text-indent: 0.5in;"&gt;&lt;br /&gt;
For example: If I send my mother $50 through a non-financial institution, she must create an account with that provider (if she doesn&amp;rsquo;t already have one), log in to the site and set up her checking account. Once some small transactions post to her account in a few days, she must return to the site to verify her account with those amounts, make the request to transfer the money to her bank account and wait three to five days for the funds to clear. So, my mother&amp;rsquo;s response will likely be, &amp;ldquo;Just mail me a check.&amp;rdquo;&lt;br /&gt;
&lt;/span&gt;&lt;span style="line-height: 150%; text-indent: 0.5in;"&gt;&lt;br /&gt;
The good news is that banks can offer a more direct P2P payment method&amp;mdash;and make funds available more quickly&amp;mdash;which amounts to happier customers. To accommodate this process, such bank technology providers as CSI make it easier for financial institutions to offer more convenient P2P functionality that enables funds to clear in near real time, leveraging the card networks rather than the ACH system. After all, who doesn&amp;rsquo;t have at least one VISA&amp;reg; or MasterCard&amp;reg; debit or credit card?&lt;br /&gt;
&lt;/span&gt;&lt;span style="line-height: 150%; text-indent: 0.5in;"&gt;&lt;br /&gt;
So, if my bank offers the latest P2P functionality, I could send my mom $50 using her debit or credit card number&amp;mdash;no expiration date and no security code. She has nothing more to do, and she&amp;rsquo;s much more likely to agree to this payment scenario over the previous one. That is the critical path to P2P adoption.&lt;br /&gt;
&lt;/span&gt;&lt;span style="line-height: 150%; text-indent: 0.5in;"&gt;&lt;br /&gt;
Given these new technology developments, the time is now for financial institutions to enter the P2P arena. If bankers examine the stats&amp;mdash;the usage and transaction volumes&amp;mdash;and want to own the transaction instead of ceding that payment to a non-financial competitor, they need to offer P2P. Additionally, these payments will boost both mobile banking adoption, which is a lower-cost channel to serve, and transaction volume. And at the end of the day, it&amp;rsquo;s going to prevent customers from going outside the bank to other payment providers.&lt;br /&gt;
&lt;div style="text-indent: 48px;"&gt;&lt;span style="line-height: 150%; text-indent: 22.5pt;"&gt;&lt;br /&gt;
P2P constitutes a trend toward social payments that make life&amp;mdash;and banking&amp;mdash;easier for your customers. Again, it&amp;rsquo;s all about creating convenience for the receiver not only of the payment, but also of your bank&amp;rsquo;s services.&lt;/span&gt;&lt;/div&gt;
&lt;/span&gt;&lt;/div&gt;
&lt;/span&gt;
&lt;p style="text-indent: 22.5pt; line-height: 150%;"&gt;
&lt;/p&gt;
&lt;p style="line-height: 150%;"&gt;&lt;em&gt;Steve DuPerrieu is director of product management for CSI. In his role, he oversees the strategic direction of many CSI products, including mobile and Internet banking. Steve also is heavily involved in key strategic partnerships and such new product innovations as P2P.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Are You Ready for the Qualified Mortgages Rule?</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/108/are-you-ready-for-the-qualified-mortgages-rule.aspx</link><summary>&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/Bill_Kane.jpg" /&gt; With the introduction of the new qualified mortgage (QM) definition as well as its concurrent proposed rule requesting comments on a safe harbor exception, you have much to consider and do in 2013 to plan for your 2014 lending program.</summary><category>Regulatory Compliance</category><pubDate>Thu, 11 Apr 2013 08:30:50 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/Bill_Kane.jpg" /&gt;by Bill Kane&lt;/p&gt;
&lt;p&gt;With the introduction of the new qualified mortgage (QM) definition as well as its concurrent proposed rule requesting comments on a safe harbor exception, you have much to consider and do in 2013 to plan for your 2014 lending program.&lt;/p&gt;
&lt;p&gt;The safe harbor, as proposed, would apply to institutions under $2 billion in total assets and originating fewer than 500 residential loans per year. Whether you are affected by the safe harbor provision or not, we&amp;rsquo;ve identified suggested next steps for all financial institutions.&lt;/p&gt;
&lt;p&gt;For institutions with more than $2 billion in assets or 500 in first-lien mortgage loans, the important steps you need to accomplish before Jan. 10, 2014, are:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;Compare your current underwriting policies and procedures against the final QM rule and close any gaps that may exist to ensure your compliance.&lt;/li&gt;
    &lt;li&gt;Assess your current mortgage products and target markets and determine your institution&amp;rsquo;s risk appetite for offering loans that fall outside the QM definition and its safe harbor protection.&lt;/li&gt;
    &lt;li&gt;Estimate your profitability model based on your market analysis.&lt;/li&gt;
    &lt;li&gt;Review your fair lending compliance policies and procedures to ensure they are not inadvertently affected as a result of your compliance with the QM rule.&lt;/li&gt;
    &lt;li&gt;Evaluate the probability and impact of potential fair lending litigation that could follow if borrowers default or in the event of foreclosure.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For institutions with less than $2 billion in assets or 500 in first-lien loans per year, these questions should be addressed by your board and senior management now:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Should we:&lt;/em&gt;&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;Make a concerted effort to reduce our residential loan originations to stay under the 500 threshold? What happens if we hit that mark by third quarter? Do we forgo the profitability of the additional loans for fear of the consequences?&lt;/li&gt;
    &lt;li&gt;Limit the number of smaller residential loans to low- and moderate-income borrowers, and instead focus on originating larger residential loans to earn more profit and stay within the loan limit? If we do, what is the effect on our CRA efforts?&lt;/li&gt;
    &lt;li&gt;Branch out into other types of loan products, e.g., commercial, auto, etc.?&amp;nbsp;&lt;/li&gt;
    &lt;li&gt;Retain more loans in portfolio, accepting the delinquency and default risk?&lt;/li&gt;
    &lt;li&gt;Originate more residential balloon loans to manage interest-rate risk and meet community needs?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;em&gt;How will this rule affect:&lt;/em&gt;&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;Our growth strategy, especially if we are just below the $2B asset threshold?&lt;/li&gt;
    &lt;li&gt;Our compensation program for loan officers?&lt;/li&gt;
    &lt;li&gt;Specific loan products and programs designed to assist troubled borrowers?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Effective strategic planning must consider all the possible scenarios and derive intelligent contingencies. Only then will your institution be able to make informed decisions that are right for you, your customers and your community.&lt;/p&gt;
&lt;p&gt;For a more in-depth look at the qualified mortgages rule, please &lt;a href="http://compliance.csiweb.com/resources/newsletters.aspx?id=152&amp;amp;section=infocus#.UWa6exyG18E"&gt;click here&lt;/a&gt;.&lt;/p&gt;
&lt;p style="margin-top: 18.75pt; line-height: 16pt;"&gt;&lt;em&gt;Bill Kane, senior MCS risk consultant for CSI Regulatory Compliance, has more than 25 years of financial experience, including his role as a bank examiner for the Federal Deposit Insurance Corporation (FDIC). Prior to that, Bill was a controller for a community bank, where his duties included coordinating the annual risk assessment of the bank&amp;rsquo;s internal control systems and managing the internal audit program.&lt;/em&gt;&lt;em&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;
&lt;/p&gt;</description></item><item><title>Steps to Cloud Adoption—One Size Does Not Fit All</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/107/steps-to-cloud-adoptionone-size-does-not-fit-all.aspx</link><summary>&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/Skrdlant_Cliff.jpg" /&gt; Does all the talk about cloud computing and its many capabilities make you feel that your organization must jump feet first into full cloud adoption to compete in today’s financial industry?
Depending on your current situation, full adoption might be your best choice, but it’s not necessarily for everybody. Many financial institutions and other businesses are taking a measured approach to cloud adoption by creating a strategic roadmap for migration.
</summary><category>Managed Services</category><pubDate>Wed, 03 Apr 2013 08:49:44 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/Skrdlant_Cliff.jpg" /&gt;by Cliff Skrdlant&lt;/p&gt;
&lt;p&gt;Does all the talk about cloud computing and its many capabilities make you feel that your organization must jump feet first into full cloud adoption to compete in today&amp;rsquo;s financial industry?&lt;/p&gt;
&lt;p&gt;Depending on your current situation, full adoption might be your best choice, but it&amp;rsquo;s not necessarily for everybody. Many financial institutions and other businesses are taking a measured approach to cloud adoption by creating a strategic roadmap for migration.&lt;/p&gt;
&lt;p&gt;An assessment process, powered by an ethical and experienced cloud provider, is crucial to determining your level of readiness for cloud solutions. The assessment should examine several factors, including:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;Business Goals and Objectives&amp;mdash;where do you see your organization going in the next year or two? Your strategies for growth can help guide your cloud decision.
    &lt;/li&gt;
    &lt;li&gt;Total Cost of Ownership (TCO)&amp;mdash;understand your current TCO&amp;mdash;including costs for hardware, downtime, security and risk&amp;mdash;and compare it with the TCO of cloud adoption.
    &lt;/li&gt;
    &lt;li&gt;Hardware Depreciation/Software Licensing&amp;mdash;consider the depreciation on your equipment. It might make sense for your organization to incorporate the cloud once it&amp;rsquo;s due for a major upgrade.
    &lt;/li&gt;
    &lt;li&gt;Internet Bandwidth and Redundant Connectivity&amp;mdash;anticipate the costs and feasibility of both redundancy and Internet bandwidth requirements of cloud solutions.
    &lt;/li&gt;
    &lt;li&gt;Application Compatibility&amp;mdash;some applications, including those from your core provider, may not yet be supported in a cloud environment.
    &lt;/li&gt;
    &lt;li&gt;Service Levels&amp;mdash;certain cloud solutions provide added value that can&amp;rsquo;t be achieved in-house, including a 24x7 highly available and fully redundant IT infrastructure with a clear path to disaster recovery.
    &lt;/li&gt;
&lt;/ul&gt;
Breaking down your decision by these factors can point you in the direction of one of the three main steps of cloud readiness: quick wins, customized solutions and infrastructure, and full cloud adoption.&lt;br /&gt;
&lt;br /&gt;
Institutions starting with the first step&amp;mdash;quick wins&amp;mdash;generally are looking to decrease capital expenditures and increase employee productivity while maintaining regulatory compliance. They may also face challenges finding and retaining qualified IT staff. The next step, customized solutions and infrastructure, usually applies to institutions already implementing the quick wins while also seeking to minimize onsite system complexity and technology investments, and looking to add new technology services. The last step is full cloud adoption, whereby organizations receive IT services in a utility-based model, paying only for what they use and receiving the benefits of a larger, more redundant infrastructure than what typically would be built onsite.
&lt;br /&gt;
&lt;br /&gt;
Remember to do your due diligence for selecting the right cloud provider to guide you through these decisions. For financial institutions, it&amp;rsquo;s critical to know how a cloud provider is properly securing and segregating data from other customers and itself. It&amp;rsquo;s also important to know the locations of the provider&amp;rsquo;s datacenters to ensure that data is always within U.S. borders.
&lt;br /&gt;
&lt;br /&gt;
&lt;p&gt;For an in-depth look at cloud adoption readiness, download our whitepaper, &lt;a href="http://www.csiweb.com/Resources/Overview/WhitePapers.aspx"&gt;Taking the Individualized Approach to Cloud Adoption&lt;/a&gt; and our topical recorded &lt;a href="https://csiweb.webex.com/ec0605ld/eventcenter/recording/recordAction.do?theAction=poprecord&amp;amp;AT=pb&amp;amp;AT=pb&amp;amp;AT=pb&amp;amp;AT=pb&amp;amp;AT=pb&amp;amp;AT=pb&amp;amp;isurlact=true&amp;amp;isurlact=true&amp;amp;isurlact=true&amp;amp;isurlact=true&amp;amp;renewticket=0&amp;amp;renewticket=0&amp;amp;renewticket=0&amp;amp;renewticket=0&amp;amp;recordID=58623822&amp;amp;apiname=lsr.php&amp;amp;apiname=lsr.php&amp;amp;apiname=lsr.php&amp;amp;apiname=lsr.php&amp;amp;apiname=lsr.php&amp;amp;rKey=3bbacfc676f1434f&amp;amp;rKey=3bbacfc676f1434f&amp;amp;rKey=3bbacfc676f1434f&amp;amp;rKey=3bbacfc676f1434f&amp;amp;rKey=3bbacfc676f1434f&amp;amp;rKey=3bbacfc676f1434f&amp;amp;needFilter=false&amp;amp;needFilter=false&amp;amp;needFilter=false&amp;amp;needFilter=false&amp;amp;needFilter=false&amp;amp;format=short&amp;amp;format=short&amp;amp;&amp;amp;SP=EC&amp;amp;SP=EC&amp;amp;SP=EC&amp;amp;SP=EC&amp;amp;SP=EC&amp;amp;SP=EC&amp;amp;rID=58623822&amp;amp;rID=58623822&amp;amp;rID=58623822&amp;amp;rID=58623822&amp;amp;rID=58623822&amp;amp;rID=58623822&amp;amp;siteurl=csiweb&amp;amp;actappname=ec0605ld&amp;amp;actappname=ec0605ld&amp;amp;actname=%2Feventcenter%2Fframe%2Fg.do&amp;amp;actname=%2Feventcenter%2Fframe%2Fg.do&amp;amp;rnd=3307689566&amp;amp;rnd=3307689566&amp;amp;rnd=3307689566&amp;amp;rnd=3307689566&amp;amp;rnd=3307689566&amp;amp;entappname=url0107ld&amp;amp;entappname=url0107ld&amp;amp;entappname=url0107ld&amp;amp;entappname=url0107ld&amp;amp;entactname=%2FnbrRecordingURL.do&amp;amp;entactname=%2F"&gt;webinar&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Cliff Skrdlant is senior product manager for CSI&amp;rsquo;s Managed Services division. With more than 20 years of experience in financial services and information technology, Cliff has worked with a wide range of financial institutions, leaders, bankers and technology providers to develop relevant solutions that deliver value in today&amp;rsquo;s marketplace.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Celebrating the Power of Community Financial Institutions</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/105/celebrating-the-power-of-community-financial-institutions.aspx</link><summary>&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/powless.jpg" /&gt; Most of us are truly glad when April rolls around, with the promise of new beginnings literally in the air and all around us. But April 1 marks another reason to celebrate, as it officially kicks off Community Banking Month. It’s an honor bestowed with good reason; after all, where would our industry be without the contributions of community financial institutions?</summary><category>General</category><pubDate>Mon, 01 Apr 2013 10:02:44 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/powless.jpg" /&gt;by Steve Powless&lt;/p&gt;
&lt;p&gt;Most of us are truly glad when April rolls around, with the promise of new beginnings literally in the air and all around us. But April 1 marks another reason to celebrate, as it officially kicks off Community Banking Month. It&amp;rsquo;s an honor bestowed with good reason; after all, where would our industry be without the contributions of community financial institutions?&lt;/p&gt;
We know community banks create jobs and stimulate local economies, but I also wanted to reiterate what we work so hard to accomplish by sharing some statistics you can all be proud of:&lt;br /&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;According to Independent Community Bankers of America (ICBA), community banks constitute 96.6 percent of all banks in the United States, and serve as the primary source of lending to small businesses and farms.&lt;/li&gt;
    &lt;li&gt;BankLocal.org states that community banks made 67 percent of outstanding loans to small businesses in 2011.&lt;/li&gt;
    &lt;li&gt;The FDIC reports that one out of every five U.S. counties has a community bank only.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We at CSI consider it a privilege to partner with community banks and stand by your side as you continue to foster economic growth in your areas. We hope that today serves as the starting point to a full year of success for you and your customers.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Steve Powless is chief executive officer of CSI, and has served in several roles with the company since 1987.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>The Widespread Effects of the Prepaid Access Rule</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/104/the-widespread-effects-of-the-prepaid-access-rule.aspx</link><summary>&lt;img alt="" style="width: 80px; height: 80px;" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Moore_Lori.jpg" /&gt; One of the biggest consequences to emerge in the year since the Financial Crimes Enforcement Network’s (FinCEN) Prepaid Access Rule went into effect is the way regulators have assigned financial institutions the responsibility of compliance for transactions that occur between them and third-party providers. But this new awareness goes well beyond prepaid access to include any product or service involving a third party.</summary><category>Regulatory Compliance</category><pubDate>Wed, 27 Mar 2013 08:36:30 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" style="width: 80px; height: 80px;" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Moore_Lori.jpg" /&gt; &lt;/p&gt;
&lt;p&gt;by Lori Moore&lt;/p&gt;
&lt;p&gt;One of the biggest consequences to emerge in the year since the Financial Crimes Enforcement Network&amp;rsquo;s (FinCEN) Prepaid Access Rule went into effect is that regulators have placed greater focus on a financial institution&amp;rsquo;s responsibility for managing and monitoring all aspects of compliance related to third-party providers. But this new awareness goes well beyond prepaid access and third-party payment providers to include any product, service or relationship involving a third party.&lt;/p&gt;
&lt;p&gt;An early indication of the need for this regulatory involvement arose slowly between 2001 and 2011 as two vastly different groups&amp;mdash;one, criminals and the other, financial institutions&amp;mdash;began to realize the benefits of prepaid access. The criminals loved its usability and anonymity; financial institutions saw it as a way to reach an untapped market of the legitimately under-banked, including college students and lower income earners.&lt;/p&gt;
&lt;p&gt;In 2010, regulators began to take notice of the high levels of prepaid access use, along with the slew of regulatory violations that came along with it, including those involving BSA/AML, OFAC and UDAAP.&lt;/p&gt;
&lt;p&gt;Of the regulatory authorities that weighed in on the matter, the Office of the Comptroller of the Currency (OCC) in June 2011 issued its bulletin, &lt;a href="http://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-27.html"&gt;Risk Management Guidance and Sound Practices&lt;/a&gt;, which focuses on risks surrounding prepaid access programs.&lt;/p&gt;
&lt;p&gt;According to the OCC, banks offering prepaid access to consumers should have a comprehensive risk management program to monitor and control the related risks. Program components should include clearly defined objectives as well as:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;policies and procedures including a due diligence process for selecting third-party service providers and an oversight process for monitoring their performance and any suspicious activity&lt;/li&gt;
    &lt;li&gt;policies and procedures to ensure clearly outlined disclosures to consumers about pricing, fees and transaction limits&lt;/li&gt;
    &lt;li&gt;robust audit and compliance functions to ensure ongoing compliance with internal policies as well as applicable laws and regulations&lt;/li&gt;
    &lt;li&gt;regular reporting to the bank&amp;rsquo;s board of directors, to enable it to evaluate management&amp;rsquo;s effectiveness in executing the prepaid program and to determine if changes are needed&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The OCC&amp;rsquo;s guidance offers a comprehensive approach to third-party risk management that is applicable and useful for any financial institution, and its common-sense approach can be used for not only prepaid access, but also any product or service type involving a third-party provider. &lt;/p&gt;
&lt;p&gt;There are many benefits that outweigh the risk related to third-party relationships, and they have become a necessary part of a financial institution&amp;rsquo;s day-to-day operations. However, it is no longer enough to accept verbal or "check-the-box" claims of compliance, expertise or financial soundness by third-party providers. Although not all inclusive, a holistic approach that considers all aspects of risk should encompass financial stability, information security and consumer protection regulations, as well as BSA/AML. With adequate due diligence, your institution can reap the rewards of third-party relationships and avoid the consequences of violations.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Lori Moore is a Certified Regulatory Compliance Manager (CRCM) and the Director of Compliance for CSI&amp;rsquo;s Regulatory Compliance division. With more than 26 years of experience within the financial industry, Lori has served in key positions within both small and large community banks. She attended the Texas Bankers Association Operations School where she received the outstanding graduate designation.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Tips for Increasing PFM Adoption</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/103/tips-for-increasing-pfm-adoption.aspx</link><summary>&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/Sutton.jpg" /&gt; For many people, trying to keep track of their finances using ordinary spreadsheets just doesn’t cut it anymore. Fortunately, Personal Financial Management (PFM) tools provide the ideal one-stop location for Internet banking customers to gain a firm understanding of their individual financial picture. With such features as a dashboard, cash flow calendar and net worth calculator, customers can create budgets while they plan and monitor their financial goals.</summary><category>Mobile &amp; Internet</category><pubDate>Fri, 22 Mar 2013 15:12:27 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://csiweb.com/Portals/0/Images/BlogImages/Sutton.jpg" /&gt;&amp;nbsp;by Derik Sutton&lt;/p&gt;
&lt;p&gt;For many people, trying to keep track of their finances using ordinary spreadsheets just doesn&amp;rsquo;t cut it anymore. Fortunately, Personal Financial Management (PFM) tools provide the ideal one-stop location for Internet banking customers to gain a firm understanding of their individual financial picture. With such features as a dashboard, cash flow calendar and net worth calculator, customers can create budgets while they plan and monitor their financial goals.&lt;/p&gt;
&lt;p&gt;But, do your online banking customers even realize this service is available to them? Of those who do, how many of them understand just how far PFM can go toward helping them manage their finances?&lt;/p&gt;
&lt;p&gt;If the numbers are less than stellar, it might be time to bolster your marketing efforts. After all, boosting PFM adoption can help you increase profitability by driving higher user engagement to your website and allowing you to learn more about each customer&amp;rsquo;s specific needs. Consider these options:&lt;/p&gt;
&lt;p&gt;First, become an expert advertiser. You can get creative and do this in a variety of ways:&amp;nbsp;&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;Consider utilizing a splash page, which pops up before customers log on to the actual home page, to entice them to learn more about PFM. Use this technique sparingly, perhaps on a weekly rotating basis, to ensure customers don&amp;rsquo;t tire of the message&lt;/li&gt;
    &lt;li&gt;Target individual PFM functions, like aggregation or budgeting, to specific customers most likely to use them&lt;/li&gt;
    &lt;li&gt;Use statement stuffers or in-bank marketing collateral&lt;/li&gt;
    &lt;li&gt;Feature PFM prominently on your Internet Banking page&lt;/li&gt;
    &lt;li&gt;Launch seasonal promotions throughout the year, e.g., &amp;ldquo;Treat your budget to a good spring cleaning with PFM&amp;rdquo;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Next, educate your staff. Employees who fully understand what you&amp;rsquo;re selling are much more likely to introduce customers to new and innovative products and services.&amp;nbsp;&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;Consider recruiting one employee to own the educational project&amp;mdash;someone who conveys energy and drive&amp;mdash;and allow them to train the rest of your staff on PFM&amp;rsquo;s various functions&lt;/li&gt;
    &lt;li&gt;Have each employee choose specific PFM functions and tout them to customers in small sound bites that will entice them to go online and investigate the service on their own&lt;/li&gt;
    &lt;li&gt;Invite your PFM provider to conduct engaging product demonstrations onsite and reach large groups of employees all at once&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In the coming months, leading providers are expected to roll out some exciting updates to their PFM services, the biggest of which will be a mobile PFM app. The expanded capability to offer this service to your customers across all channels, combined with some additional marketing efforts, should give your institution&amp;rsquo;s PFM adoption rate a very positive boost.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Derik Sutton is CSI&amp;rsquo;s director of Business Development and Internet Services, a role in which he is responsible for understanding the latest trends in digital banking and helping translate the latest innovations into CSI&amp;rsquo;s solutions. Derik focuses on channel integration, customer experience and data analytics.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Rate Change Notices Add Simplicity, and Challenges, for Lenders</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/102/rate-change-notices-add-simplicity-and-challenges-for-lenders.aspx</link><summary>&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Shoulta_Steve.jpg" /&gt; Many of the Regulation Z changes that arose from the Dodd-Frank Act (DFA) include a small servicer exception based either on the number of loans serviced or on a financial institution’s asset size along with the number of loans serviced and the geography where the mortgage loans are originated. None of these exceptions, however, apply to the new rate change notices for adjustable rate mortgages (ARMs) or the new requirement for the “initial” rate change notice that will be in play for most ARMs beginning in January 2014.</summary><category>Regulatory Compliance</category><pubDate>Tue, 19 Mar 2013 09:00:00 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Shoulta_Steve.jpg" /&gt;&amp;nbsp;by Steve Shoulta&lt;/p&gt;
&lt;p&gt;Many of the Regulation Z changes that arose from the Dodd-Frank Act (DFA) include a small servicer exception based either on the number of loans serviced or on a financial institution&amp;rsquo;s asset size along with the number of loans serviced and the geography where the mortgage loans are originated. None of these exceptions, however, apply to the new rate change notices for adjustable rate mortgages (ARMs) or the new requirement for the &amp;ldquo;initial&amp;rdquo; rate change notice that will be in play for most ARMs beginning in January 2014.&lt;/p&gt;
&lt;p&gt;Some simplicity&amp;mdash;the new format for the rate change notices, found in model forms H-4(D)(1) and (2), provides concise, simple language to describe the anticipated change for the consumer. The required time frame of &amp;ldquo;at least 60, but not more than 120, days before the first payment at the adjusted level is due,&amp;rdquo; actually fits nicely with most current processes. Generally, most financial institutions determine the new rate 45 days before the rate change, with the new payment amount that goes into effect a month after the rate change date. This gives you a combined 75 days between the &amp;ldquo;review date&amp;rdquo; and the &amp;ldquo;new payment&amp;rdquo; date. The new rules allow banks that have less than 45 days between the index &amp;ldquo;review date&amp;rdquo; and the &amp;ldquo;rate change&amp;rdquo; date to use the existing 25- to 120-day notice period for the next two years.&lt;/p&gt;
&lt;p&gt;Some challenges&amp;mdash;the new form is not without its tasks: &lt;/p&gt;
&lt;ol class="list"&gt;
    &lt;li&gt;For the first time the notice must contain a description of where to find the index, and how frequently the index value is published, so that the consumer can verify the index value.&lt;/li&gt;
    &lt;li&gt;The new notice also requires the old and new rate and old and new payment information to appear in a table &amp;ldquo;substantially similar&amp;rdquo; to the model form.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Benefits to consumers&amp;mdash;the new requirement for an &amp;ldquo;initial&amp;rdquo; rate change notice helps consumers with &amp;ldquo;hybrid ARMs&amp;rdquo; by giving them seven to eight months to consider their options before the rate change goes into effect. The notice provides an estimate of the new payment amount and alerts the consumer to contact the bank if they anticipate that they will have a problem with the new payment amount. The initial notice provides &amp;ldquo;alert&amp;rdquo; and homeownership counseling information along with the anticipated new rate and payment amount that are in the same format as the regular rate change notices. Model forms H-4(D)(3) and (4) provide samples of the new notices.&lt;/p&gt;
&lt;p&gt;Changes to Your Core&amp;mdash;strong core providers will be ready to lend support in various ways. For example, the core provider will need to add the index publication source information as part of the processing parameters whenever rate index values are updated. Input screens may need to provide for a longer description for each index rate, as well as a publication frequency and a description of the source of the index value.&lt;/p&gt;
&lt;p&gt;By working together with your core partner, your institution will rise to meet the challenges of these new notices for mortgage loans and readily extend the benefits to your customers.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Business and Compliance Analyst Steve Shoulta has been with CSI since 1977. He is responsible for monitoring regulatory compliance and for supporting the implementation of changes for regulatory compliance for CSI&amp;rsquo;s NuPoint division.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>10 Tips to Ensure Mobile Device Security</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/98/10-tips-to-ensure-mobile-device-security.aspx</link><summary>&lt;img alt="" src="/Portals/0/Images/BlogImages/ChrisWalcot.png" /&gt;
&lt;p&gt;Mobile devices have the potential to store large amounts of private user information as well as sensitive corporate data, including personal account info, website login IDs and passwords, email, and location information. Consequently, mobile device malware is on the rise.&lt;/p&gt; </summary><category>Regulatory Compliance</category><pubDate>Wed, 13 Mar 2013 08:00:00 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="/Portals/0/Images/BlogImages/ChrisWalcot.png" /&gt;by Chris Walcott&lt;/p&gt;
&lt;p&gt;Mobile devices have the potential to store large amounts  of private user information as well as sensitive corporate data, including  personal account info, website login IDs and passwords, email, and location  information. Consequently, mobile device malware is on the rise. &lt;/p&gt;
&lt;p&gt;In 2012, according to PC Advisor, malware on smartphones  increased more than 780 percent compared to 2011. These attacks almost  exclusively targeted Android devices, but Apple, BlackBerry and Microsoft have  had issues as well. &lt;/p&gt;
&lt;p&gt;Recently, the Federal Communications Commission (FCC) recommended  the following steps to reduce your exposure to mobile threats:&lt;/p&gt;
&lt;ol class="list"&gt;
    &lt;li&gt;&lt;strong&gt;Set PINs and Passwords&lt;/strong&gt;&amp;mdash;The first line of defense is setting a password or PIN to access your device, then configuring it to lock after being idle for two minutes or less. Also, devices that support SIM cards should use the SIM password capability. The following are links to sites with instructions on setting a password or PIN for popular mobile devices:
    &lt;ul style="margin-left: 30px;"&gt;
        &lt;li&gt;&lt;a href="http://support.apple.com/kb/HT4113" target="blank"&gt;Apple  iOS&lt;/a&gt;&lt;/li&gt;
        &lt;li&gt;&lt;a href="http://www.pcworld.com/article/190262/secure_your_android_phone.html" target="blank"&gt;Google  Android&lt;/a&gt;&lt;/li&gt;
        &lt;li&gt;&lt;a href="http://www.windowsphone.com/en-US/how-to/wp7/basics/tips-to-help-keep-my-phone-secure" target="blank"&gt;Windows  Mobile&lt;/a&gt;&lt;/li&gt;
        &lt;li&gt;&lt;a href="http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&amp;amp;externalId=KB00588&amp;amp;sliceId=1&amp;amp;cmd=displayKC&amp;amp;dialogID=731861&amp;amp;docType=kc&amp;amp;isLoadPublishedVer=&amp;amp;stateId=731865&amp;amp;docTypeID=DT_SUPPORTISSUE_1_1&amp;amp;ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl" target="blank"&gt;RIM  BlackBerry&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Do Not Modify Built-In Security Features&lt;/strong&gt;&amp;mdash;Jailbreaking, rooting or tampering with your device&amp;rsquo;s factory settings increases the risk of compromise.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Back up and Secure Data&lt;/strong&gt;&amp;mdash;Frequently back up your device&amp;rsquo;s stored data to enable its recovery if your device were lost, stolen or erased.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Only Install Apps from Trusted Sources&lt;/strong&gt;&amp;mdash;Research apps prior to installing them to ensure they are legitimate. You can do this by checking reviews and the app store, and by comparing them with the app developer&amp;rsquo;s official website to confirm they are consistent.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Understand App Permissions Before Accepting&lt;/strong&gt;&amp;mdash;Think twice before granting an app access to data or functions on your device. Also, always check the privacy settings for each app prior to installation.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Install Security Apps that Enable Remote Location and Wiping&lt;/strong&gt;&amp;mdash;Most devices, either as an app or system function, have the ability to remotely locate and erase all settings and data. The &amp;ldquo;Find My iPhone&amp;rdquo; app for iOS and &amp;ldquo;Locate My Droid&amp;rdquo; app for Android are popular options. You can find a complete list of anti-theft apps at the following CTIA website:
    &lt;ul style="margin-left: 30px;"&gt;
        &lt;li&gt;&lt;a href="http://www.ctia.org/consumer_info/safety/index.cfm/AID/12087" target="blank"&gt;http://www.ctia.org&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Install System Updates when Released&lt;/strong&gt;&amp;mdash;Doing so when prompted will reduce the risk of exposure to known malware and cyber threats.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Beware of Open Wi-Fi Networks&lt;/strong&gt;&amp;mdash;Data transmitted on unencrypted Wi-Fi networks can be viewed by anyone connected to the same network. If you are not asked to enter a key when attempting to connect to the network, it is not secure, so use your company&amp;rsquo;s VPN or such apps as HotSpot Shield (available for both iOS and Android).&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Wipe Data Prior to Donating, Selling or Recycling Old Devices&lt;/strong&gt;&amp;mdash;In order to keep sensitive information private, data should be completely erased, and the device reset to its initial factory settings, prior to disposal.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Report Stolen Devices&lt;/strong&gt;&amp;mdash;The major wireless service providers established a stolen phone database, in coordination with the FCC. You should report your phone as stolen to your local law enforcement and inform your wireless provider. This will prevent your stolen phone from being activated on any wireless network.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Mobile devices have added conveniences to our lives in  ways most people never dreamed possible. And following these best practices can  protect private and sensitive data from individuals with malicious intent.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Chris Walcott is  the information security coordinator for CSI&amp;rsquo;s Regulatory Compliance division.&amp;nbsp;  He formerly served as a consultant for CSI&amp;rsquo;s Risk and Information Security  Consulting (RISC) Services, and has more than 10 years of experience conducting  information security reviews and IT audits for a variety of financial  institutions. He is a Microsoft Certified Systems Engineer (MCSE) and also is  certified in Risk and Information Systems Control (CRISC).&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Protecting Your Data From Hacktivists</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/97/protecting-your-data-from-hacktivists.aspx</link><summary>&lt;img alt="" style="width: 80px; height: 90px;" src="http://www.csiweb.com/Portals/0/Images/BlogImages/jon_welborn.jpg" /&gt;&lt;p&gt;Although weeks have passed since the Feb. 3 hacktivist attack that leaked the confidential data of more than 4,600 banking executives from a Federal Reserve website, it’s a good bet those bankers are still reeling from a lost sense of security.&lt;/p&gt;

&lt;p&gt;So, where’s that data now?&lt;/p&gt;

&lt;p&gt;Once obtained, the information initially was posted on another U.S. government-owned website—the Alabama Criminal Justice Information Center&lt;/p&gt;</summary><category>Regulatory Compliance</category><pubDate>Tue, 05 Mar 2013 15:23:39 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" style="width: 80px; height: 90px;" src="http://www.csiweb.com/Portals/0/Images/BlogImages/jon_welborn.jpg" /&gt;by Jon Welborn&lt;/p&gt;
&lt;p&gt;Although  weeks have passed since the Feb. 3 hacktivist attack that leaked the  confidential data of more than 4,600 banking executives from a Federal Reserve  website, it&amp;rsquo;s a good bet those bankers are still reeling from a lost sense of  security.&lt;/p&gt;
&lt;p&gt;  So,  where&amp;rsquo;s that data now?&lt;/p&gt;
&lt;p&gt;  Once obtained, the  information initially was posted on another U.S. government-owned website&amp;mdash;the  Alabama Criminal Justice Information Center. This is typical of the methodology  often employed by hacktivists&amp;mdash;utilizing something of a &amp;ldquo;spray and pray&amp;rdquo;  approach to attacks, during which weak points are then targeted manually for  verification, data exfiltration or site defacement.&lt;/p&gt;
&lt;p&gt;While that posting was  quickly removed, CSI consultants have located the leaked information in various  places, including the cached web history of the original posting. This leads us  to believe that the information is still available. At this point, if you think  you might have been affected, it would be wise to reset your passwords for any  Fedline-related accounts, and do the same anywhere else that password might  have been in use.&lt;/p&gt;
&lt;h2&gt;What You Should Do to Further Safeguard Your Institution&lt;/h2&gt;
&lt;p&gt;As always, we recommend using  unique, complex passwords for all accounts. While typical password strength can  be determined by length and complexity, you should avoid common words, months or  names that can easily be cracked with modern hardware. Most best practice  recommendations advise passwords that are at least eight characters in length,  and consist of upper-case letters, lower-case letters, numbers and symbols. &lt;/p&gt;
&lt;p&gt;While this approach meets  most compliance standards, hashed passwords (those that are mathematically  encrypted) that meet these requirements, in all likelihood, will be cracked in  less than 30 minutes. Because of this, you can consider implementing much  longer passwords using phrases or sentences as a significant defense against  many password-cracking approaches.&lt;/p&gt;
&lt;p&gt;There&amp;rsquo;s a phrase that gets  thrown around in the information security industry: &amp;ldquo;Comply the same; die the  same.&amp;rdquo; This is to say&amp;mdash;with all the compliance regulations and as beneficial as  they are&amp;mdash;just because you pass a compliance audit does not mean that you won&amp;rsquo;t  suffer a breach. A proper security program consisting of regular vulnerability  assessments, policy and procedure reviews, and penetration testing can help  identify gaps beyond what may constitute a baseline requirement for compliance.&lt;/p&gt;
&lt;p&gt;Employing these tactics  now is a solid step toward protecting the confidential data of your institution  and its customers from similar attacks.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Jon Welborn is a  penetration tester with experience and training in vulnerability assessment and  perimeter (network/physical) penetration. Experienced as a systems  administrator and consultant in network, server, phone system and desktop  deployment, maintenance, and security, Jon has a broad knowledge of DoD,  PCI-related, and GLBA compliance requirements, with in-depth knowledge  developing and implementing controls and procedures.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Customer Service Tips the Scale in Your Favor</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/26/customer-service-tips-the-scale-in-your-favor.aspx</link><summary>&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Don.Stokes.jpg" /&gt; &lt;p&gt;How does your financial institution approach customer service? Competition is stiff among banks, and many institutions use service as their key differentiator. Sure, through service you establish a stronger connection with your customers, but we often think that grand gestures make the biggest impact. &lt;/p&gt;</summary><category>General</category><pubDate>Fri, 22 Feb 2013 09:05:00 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Don.Stokes.jpg" /&gt;&amp;nbsp;By: Don Stokes&lt;/p&gt;
&lt;p&gt;How does your financial institution approach customer service? Competition is stiff among banks, and many institutions use service as their key differentiator. Sure, through service you establish a stronger connection with your customers, but we often think that grand gestures make the biggest impact. &lt;/p&gt;
&lt;p&gt;More often than not, though, it&amp;rsquo;s the small things that accumulate in your customers&amp;rsquo; minds that comprise the big picture. As your bank considers ways to define&amp;mdash;or redefine&amp;mdash;the customer experience, here are a few examples of exceptional service:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;strong&gt;Offer educational seminars:&lt;/strong&gt; Customers want to learn about the latest trends and opportunities in investments, fraud, Internet banking and mobile banking. Holding educational events allows you to engage customers and the community, while demonstrating your staff&amp;rsquo;s expertise.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Always follow up with customers:&lt;/strong&gt; When a customer has an issue that&amp;rsquo;s been resolved, you should have a manager or bank officer call him or her personally to verify the resolution was satisfactory.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Host a Shred Day:&lt;/strong&gt; Typically held on the weekend, these events allow customers to bring sensitive documents into the bank to be shredded. It&amp;rsquo;s added security for both you and them.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Sponsor customer or community events:&lt;/strong&gt; By helping cover the cost of such events as ballgames or scenic tours, you can build relationships with both current and prospective customers.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Be active in the community:&lt;/strong&gt; Your customers should see you as more than just a business, so don&amp;rsquo;t just sponsor events&amp;mdash;participate in them. Enter a team in the next Relay for Life, encourage staff members to get involved with local charities or host a casual Friday in honor of a community event.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Keep customers in the loop:&lt;/strong&gt; We live in a connected world, and customers want to be a part of the conversation. You can use this as an opportunity to promote events, share new products or ask for feedback through your newsletter and on social media.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Roll out the red carpet:&lt;/strong&gt; The way the bank staff interacts with customers will be what they remember most. That said, don&amp;rsquo;t just point them in the right direction when they arrive for a meeting; escort customers to the appropriate office and offer them a beverage.&lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Thank customers for their business:&lt;/strong&gt; As we rush through the day, we sometimes forget the obvious. Always remember to let your customers know you appreciate their business and that the business relationship is important to you.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Every bank takes a different approach, but we all have the same goal in mind&amp;mdash;to be known for consistent and professional customer service. After all, it is one of the best ways to distinguish your bank from others. You now have to compete with the &amp;ldquo;bank across the street,&amp;rdquo; online providers and other non-financial institutions. How you treat your customers&amp;mdash;and how your customers feel when they interact with your institution&amp;mdash;will make a big difference to them and to you. &lt;/p&gt;
&lt;p&gt;Successful customer service requires you to think both inside and outside the branch. After all, a few small gestures pay large dividends in customer loyalty for financial institutions.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&lt;em&gt;Don Stokes is a customer service manager with Computer Services, Inc. (CSI)&amp;rsquo;s NuPoint Division, which specializes in core banking technologies and platforms. Don may be reached at &lt;/em&gt;&lt;a href="mailto:dstokes@csiweb.com"&gt;dstokes@csiweb.com&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Who is “Anonymous”?</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/96/who-is-anonymous.aspx</link><summary>&lt;img alt="" style="width: 80px; height: 90px;" src="http://www.csiweb.com/Portals/0/Images/BlogImages/jon_welborn.jpg" /&gt;&lt;p&gt;Following the late January attacks on U.S. Government websites, Feb. 3 marked the public disclosure of sensitive account information from the Fedline notification system. This disclosure included more than 4,600 banking executives’ confidential data—primarily from community financial institutions and credit unions.&lt;/p&gt;
&lt;p&gt;This particular breach was part of Operation Last Resort (#OpLastResort), a campaign launched by the hacktivist collective Anonymous, in response to the death of programmer and Internet activist Aaron Swartz,&lt;/p&gt;</summary><category>Regulatory Compliance</category><pubDate>Wed, 20 Feb 2013 15:23:39 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" style="width: 80px; height: 90px;" src="http://www.csiweb.com/Portals/0/Images/BlogImages/jon_welborn.jpg" /&gt;by Jon Welborn &lt;/p&gt;
&lt;p&gt;Following the late January attacks on U.S. Government websites, Feb. 3  marked the public disclosure of sensitive account information from the Fedline  notification system. This disclosure included more than 4,600 banking executives&amp;rsquo;  confidential data&amp;mdash;primarily from community financial institutions and credit  unions.&lt;/p&gt;
&lt;p&gt;This particular breach was part of Operation Last Resort (#OpLastResort), a  campaign launched by the hacktivist collective Anonymous, in response to the  death of programmer and Internet activist Aaron Swartz, who had been indicted  for downloading a large number of academic articles through access on MIT&amp;rsquo;s  &amp;ldquo;open campus.&amp;rdquo; Additional OpLastResort breaches continue to emerge, and are not  likely to stop anytime soon.&lt;/p&gt;
&lt;h2&gt;But what about Anonymous? What is known about them?&lt;/h2&gt;
&lt;p&gt;There is a major misconception that Anonymous employs an organized structure  that operates from the top down, but it would be inaccurate to even refer to  Anonymous as a group. The name was coined in 2003 through a popular imageboard,  where users submit images and threads without giving personal identification,  but labeled as submitted by &amp;ldquo;anonymous.&amp;rdquo; This is the origin of the name; no  conspiratory secret meetings and no ornate infrastructure. At best, Anonymous  should be considered an adhocracy, a loosely structured consortium that  features flexibility, low standardization of procedures, and non-bureaucratic  principles. Anonymous is simply Internet culture. With minimal and  intentionally confusing &amp;ldquo;central concepts,&amp;rdquo; there remains a particular focus on  the idea that &amp;ldquo;Internet censorship is bad.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;In the history of Anonymous, there have been several sporadic efforts&amp;mdash;or  raids&amp;mdash;that garner attention for a short period and then either die out or are  somehow shut down. For instance, Anonymous regularly targets the Westboro  Baptist Church (WBC), a group known for protesting the funerals of soldiers.  Multiple WBC websites have been compromised by Anonymous, including an incident  in December 2012 in which the collective publicly disclosed the names and phone  numbers of numerous WBC members.&lt;/p&gt;
&lt;h2&gt;What This Means to You&lt;/h2&gt;
&lt;p&gt;The breach of information from a Federal Reserve website by Operation Last  Resort is a perfect example of how community financial institutions and credit  unions can go down as collateral damage even though they&amp;rsquo;re not the intended  target.&lt;/p&gt;
&lt;p&gt;In the coming weeks, we will look into the specific details of the tactics used  during the Feb. 3 information disclosure, as well as details on its effects and  ways to further protect your financial institution. Check back soon for our  next related post.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Jon Welborn is a penetration tester with experience and training in  vulnerability assessment and perimeter (network/physical) penetration. Experienced  as a systems administrator and consultant in network, server, phone system and  desktop deployment, maintenance, and security, Jon has a broad knowledge of  DoD, PCI-related, and GLBA compliance requirements, with in-depth knowledge  developing and implementing controls and procedures.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Not Getting Social? Stand Guard Anyway</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/95/not-getting-social-stand-guard-anyway.aspx</link><summary>&lt;img alt="" style="width: 80px; height: 80px;" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Moore_Lori.jpg" /&gt;&lt;p&gt;Even if your institution chooses not to actively engage in social media, you’re going to be pulled into the conversation, whether you like it or not. Someone out there—be it a customer or employee—is going to post a comment about your organization, and you must know how to respond in a compliant manner. So say federal regulators.&lt;/p&gt;

&lt;p&gt;In January, the FFIEC proposed “Social Media: Consumer Compliance Risk Management&lt;/p&gt;</summary><category>Regulatory Compliance</category><pubDate>Wed, 13 Feb 2013 15:23:39 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" style="width: 80px; height: 80px;" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Moore_Lori.jpg" /&gt;by Lori Moore&lt;/p&gt;
&lt;p&gt;Even if your  institution chooses not to actively engage in social media, you&amp;rsquo;re going to be  pulled into the conversation, whether you like it or not. Someone out there&amp;mdash;be  it a customer or employee&amp;mdash;is going to post a comment about your organization,  and you must know how to respond in a compliant manner. So say federal  regulators.&lt;/p&gt;
&lt;p&gt;In January, the FFIEC  proposed &lt;a href="http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf"&gt;&amp;ldquo;Social Media: Consumer Compliance Risk  Management Guidance,&amp;rdquo;&lt;/a&gt; to answer  questions it has received regarding consumer protection and compliance regulations  and how they apply to social media activities conducted by financial  institutions as well as certain nonbank entities. In it, the FFIEC specifically  states, &amp;ldquo;a financial institution that has chosen not to use social media should  still be prepared to address the potential for negative comments or complaints  that arise within the many social media platforms &amp;hellip; and provide guidance for  employee use of social media.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;In fact,  sometimes it&amp;rsquo;s the very lack of an official social media presence that spurs  disgruntled consumers to create one for you. This can be as drastic as creating  a negative Facebook page using your institution&amp;rsquo;s name, or as simple as lodging  grievances on consumer complaint websites. Bottom line, there are no more  excuses for any institution to ignore social media.&lt;/p&gt;
&lt;p&gt;Once the proposed  guidance is finalized, financial institutions will be expected to employ a risk  management program that identifies, measures, monitors and controls the  risks related to social media activity. According to the proposed guidance, a  thorough program should include:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;A governance structure whereby senior management directs  social media usage toward meeting strategic goals and establishes controls and  ongoing risk assessments of social media activities&lt;/li&gt;
    &lt;li&gt;Policies and procedures that take consumer protection laws  and regulations into consideration and address risks from online postings,  edits and replies&lt;/li&gt;
    &lt;li&gt;A due diligence process for selecting and managing  third-party social media service providers&lt;/li&gt;
    &lt;li&gt;An employee training program that incorporates the institution&amp;rsquo;s  policies for official, work-related use of social media and defines  impermissible activities&lt;/li&gt;
    &lt;li&gt;An oversight process that monitors information posted to social  media sites that are administered by the financial institution or a contracted  third party&lt;/li&gt;
    &lt;li&gt;Audit functions to ensure ongoing compliance with internal  policies as well as applicable laws, regulations and guidance &lt;/li&gt;
    &lt;li&gt;Parameters  for providing appropriate reporting to the board of directors that enables  periodic evaluation of the effectiveness and success of the social media  program&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;So, ready  or not, your institution must improve your social standing, even if just with  examiners. And if you&amp;rsquo;re going to have a social media presence, you might as  well do it on your own terms. Just keep &lt;a href="http://compliance.csiweb.com/resources/blog/detail/top-regulations-affecting-social-media-posts-part-1.aspx#.URl2Bic826M"&gt;federal rules&lt;/a&gt; and &lt;a href="http://compliance.csiweb.com/resources/blog/detail/top-regulations-affecting-social-media-posts-part-2.aspx#.URl2VSc826M"&gt;regulations&lt;/a&gt; in mind as you enter the  conversation.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Lori Moore is a Certified Regulatory Compliance Manager (CRCM) and the Director of Compliance for Computer Services, Inc. With more than 26 years of experience within the financial industry, Lori has served in key positions within both small and large community banks. She attended the Texas Bankers Association Operations School where she received the outstanding graduate designation.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Hacktivism—Is it on Your Radar?</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/94/hacktivismis-it-on-your-radar.aspx</link><summary>&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Leet_Tyler.jpg" style="width: 80px; height: 94px;" /&gt;&lt;p&gt;The term hacktivism is an “it” word popping up across multiple industries. The concept isn’t new—it’s just gaining momentum as computer technology continues to advance.&lt;/p&gt;
&lt;p&gt;Hacktivism refers to highly sophisticated groups of hackers representing various political agendas. Essentially, it’s a virtual sit-in during which such hacktivist groups as Anonymous, AntiSec, and many others aim to cause reputational harm and a barrage of headaches to organizations with which they take moral issue.&lt;/p&gt;</summary><category>Regulatory Compliance</category><pubDate>Thu, 07 Feb 2013 15:23:39 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Leet_Tyler.jpg" style="width: 80px; height: 94px;" /&gt;by Tyler Leet&lt;/p&gt;
&lt;p&gt;The term hacktivism is an &amp;ldquo;it&amp;rdquo; word popping up across  multiple industries. The concept isn&amp;rsquo;t new&amp;mdash;it&amp;rsquo;s just gaining momentum as  computer technology continues to advance.&lt;/p&gt;
&lt;p&gt; Hacktivism refers to highly sophisticated groups of hackers representing  various political agendas. Essentially, it&amp;rsquo;s a virtual sit-in during which such  hacktivist groups as Anonymous, AntiSec, and many others aim to cause  reputational harm and a barrage of headaches to organizations with which they  take moral issue. &lt;/p&gt;
&lt;p&gt;Hacktivists shut down websites, crack databases, launch DDoS attacks, and release sensitive, confidential information to the masses, a practice called doxing. Recent, notorious acts include groups taking down the CIA&amp;rsquo;s public-facing website and initiating relentless DDoS attacks on America&amp;rsquo;s biggest banks.&lt;/p&gt;
&lt;p&gt; Stealing money is rarely the hacktivist&amp;rsquo;s goal. However,  their actions can lead to significant loss of funds by causing their prey to  lose customers as well as spend money undoing the damage.&lt;/p&gt;
&lt;h2&gt;Are Community  Financial Institutions (CFIs) and Credit Unions at Risk?&lt;/h2&gt;
&lt;p&gt; So far, so good. The brunt of the &amp;ldquo;hactions&amp;rdquo; have targeted  big corporations and banks as well as governmental agencies, partly because this  tactic garners the most media attention. However, hacktivist attacks on CFIs and  credit unions are entirely possible. Say your bank extends a loan to a  controversial person or group&amp;mdash;that action might unknowingly land you on a  hacktivist&amp;rsquo;s radar and incite an attack. So although community banks and credit  unions aren&amp;rsquo;t currently at dire risk for hacktivism, it&amp;rsquo;s prudent to remain  aware of the current climate.&lt;/p&gt;
&lt;p&gt; Now, there&amp;rsquo;s little you can do to prevent a hacktivist  attack. The basic security measures&amp;mdash;patching browsers, employing multi-layered  defenses and educating users and staff on proper safeguards&amp;mdash;are critical and go  a long way. But, if they want to hit you, they will. &lt;/p&gt;
&lt;p&gt;So, what are the warning signs of an attack? Keep an eye out for the obvious tells&amp;mdash;site defacement, DoS conditions, and site source code changes&amp;mdash;and remember that these events typically are publicized on social media outlets. Automated searches of these outlets for your organization&amp;rsquo;s name, with notifications whenever it is mentioned, are a proactive way to learn whether you&amp;rsquo;ve been targeted.&lt;/p&gt;
&lt;p&gt; But it&amp;rsquo;s how you respond that matters, which essentially means  being prepared to handle the crisis swiftly and completely. Have an incident  response plan in place to dispel negative publicity, quell customer fears and combat  the reputational assault.&lt;/p&gt;
&lt;p&gt; These crafty people have thousands of ways to smear your  name. Be prepared to defend it.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Tyler  Leet is the RISC Services Manager for Computer Services, Inc. He conducts  information security reviews for a wide variety of financial institutions,  specializes in external penetration testing and is experienced in  network/security administration. Tyler is a Certified Information Systems  Security Professional (CISSP), GIAC Certified Incident Handler (GCIH), GIAC  Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester  (GWAPT), EC-Council Certified Ethical Hacker (CEH) and is certified in Risk and  Information Systems Control (CRISC).&lt;/em&gt;&lt;/p&gt;</description></item><item><title>What Mobile Banking Means to Banks</title><link>http://www.csiweb.com/Resources/Overview/Blog/TabId/312/PostId/25/what-mobile-banking-means-to-banks.aspx</link><summary>&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Robb.Gaynor2.jpg" style="width: 80px; height: 94px;" /&gt;
&lt;p&gt;Offering mobile banking to your customers is no longer a question of “do we need to offer it,” but “when do we start?” Currently, 20 percent of all banks have a mobile banking app, making it clear that this is a convenience customers want. Many banks understand that already. But in addition to meeting customers’ needs, are they aware of what mobile banking means to them?&lt;/p&gt;</summary><category>Mobile &amp; Internet</category><pubDate>Wed, 06 Feb 2013 10:40:09 GMT</pubDate><description>&lt;p&gt;&lt;img alt="" src="http://www.csiweb.com/Portals/0/Images/BlogImages/Robb.Gaynor2.jpg" style="width: 80px; height: 94px;" /&gt;By: Robb Gaynor&lt;/p&gt;
&lt;p&gt;Offering mobile banking to your customers is no longer a question of &amp;ldquo;do we need to offer it,&amp;rdquo; but &amp;ldquo;when do we start?&amp;rdquo; Currently, 20 percent of all banks have a mobile banking app, making it clear that this is a convenience customers want. Many banks understand that already. But in addition to meeting customers&amp;rsquo; needs, are they aware of what mobile banking means to them? &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Customer Insights &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Mobile banking apps are constantly collecting analytics about how they are used&amp;mdash;from login failures to what types of transfers are made. It&amp;rsquo;s how you translate the data into insights and action that can impact your financial institution. For example, one institution we work with was experiencing a high login failure rate on their mobile banking app, so they implemented an auto-login feature to view the account balance; this minor adjustment decreased the login failure rate significantly.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;And beyond usability modifications, the analytics engine contained in many mobile banking platforms allows you to establish behavioral patterns and profiles for your customers. These customer profiles, sometimes called personas, range from the &amp;ldquo;Satisfied Sams,&amp;rdquo; who log in once a month to pay bills, to the &amp;ldquo;Nervous Nellys,&amp;rdquo; who log in up to six times a week to check their balance. From these personas, you can shape the development of new features to make sure end-users are continually satisfied.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Revenue Opportunities&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Mobile apps create another touch point for advertising specific promotions or products.&amp;nbsp; The analytics mentioned previously can help guide you as to which mobile customers don&amp;rsquo;t use a particular service, such as bill pay, giving you a targeted audience to whom you could promote your bank&amp;rsquo;s offerings on their mobile app. Cross-sell opportunities are brought to the forefront and made more effective by leveraging mobile analytics. &lt;/p&gt;
&lt;p&gt;Such new services and features as P2P payments and Picture Pay also allow financial institutions to charge a small convenience fee to customers. These types of unique mobile app enhancements occur regularly, allowing you to stay competitive and profitable in today&amp;rsquo;s banking market.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Stickier Customers&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Mobile apps have an average login of three times per week&amp;mdash;how many of your customers stop by the branch that often?&amp;nbsp; The app deepens the relationship with your customers by building engagement. Mobile banking allows smaller banks to emulate bigger banks by offering the same features that make for a better user experience and increase account interaction.&lt;/p&gt;
&lt;p&gt;During the past 12 months, we&amp;rsquo;ve seen the number of active mobile users grow to nearly 70 percent for our customers that have been live with mobile banking longer than one year (active users are those who log in at least every 90 days). Mobile banking is here to stay&amp;mdash;users have made that clear. Now, the choice is which opportunities from mobile banking apps your institution wants to use to increase profits, engagement with customers and the overall customer experience.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Robb Gaynor is the chief product officer at &lt;/em&gt;&lt;a href="http://www.malauzai.com/"&gt;&lt;em&gt;Malauzai Software Inc.&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, the provider of mobile banking SmartApps, which includes a robust analytics engine. Robb specializes in financial services technologies with deep experience in launching innovative customer solutions.&lt;/em&gt;&lt;/p&gt;</description></item></channel></rss>