Garland Group Blog

Garland Group golfers……too much fun!

Gaye Connell August 12th, 2011 2 Comments

 

It was time for the Garland Group clan to get together and have some fun, so we decided to try TopGolf in Allen, TX. I’m not sure that the end of July, when the temperatures are over 100 degrees, was a good idea, but it turned out to be so much fun that it really didn’t matter if we were dripping sweat. For those who have never been to TopGolf, just imagine a bowling alley for golfers. It’s a driving range with targets that measure your shots on a computer screen, and food/drinks are brought to you!

The chicken wings and queso helped fill our bellies… especially Courtney, who loves an unlimited supply of free food! The competition was stiff, with the two professional golfers, Heath & Nik, outhitting the rest of us. Nik ended up getting the high score and winning a $100 bill (nice face, Nik!). Dan & Brad have absolutely no background in the golfing world and they both actually did really well. Brad likes to get his points by hitting the easy target that was a stone’s throw away.

Even though Peggy didn’t play, she was always mothering and encouraging all of us… thanks, Peggy!

It was great fun and great food, and we can’t wait for us all to get together for the next outing. Who can guess where the next outing will be? Hint… there is a clue in this blog somewhere :)

Here are the rest of the pics from TopGolf!

 

August Webinar – Best Practices for Examination Readiness

Gaye Connell August 8th, 2011 0 Comments

We had a great turnout of attendees for our August webinar!  Thanks so much to Becky Fredrick from Deluxe Corp. for presenting very valuable information on the current regulatory landscape for examinations and hot topics such as BSA and CFPB.

Here is the PDF presentation:  Best Practice for Examination Readiness

Our next monthly webinar will be on Friday, September 9th.  You can register by clicking this link:  Fri, Sept. 9th, 2011 11:00 AM – 11:30 AM CDT. Please join us for this free webinar!

 

Link to video here!

 

New FFIEC E-Banking Guidance

Heath August 5th, 2011 3 Comments

Everyone’s got an opinion on the new guidance that was a long time coming. If you haven’t reviewed it yet, you can find it here. Overall, the guidance is vague (like usual); however, it spends more time and emphasis on some key areas. Here are the highlights and areas where I think examiners will focus for the new guidance that goes into effect in January 2012.

Multi-Factor Authentication/Stronger Authentication Practices: This isn’t the first time multi-factor has been required; it was first suggested in 2005. However, bankers and auditors have long been critical about the authentication options from vendors. What vendors released 5 years ago was in many cases DUAL factor, NOT multi-factor. True multi-factor is two of the following: something you know, something you have, something you are. Verifying a picture or answering questions AND entering a password is NOT two of the above. They are both something you know. Tokens plus a password have worked well for many banks. Some vendors have successfully implemented IP restriction for authentication, which suffices for multi-factor (password plus something you have, a specific IP) and has worked well against malicious foes. So, on this guidance I believe examiners are going to be more critical on what is and isn’t true multi-factor as well as accepting a picture verification or questions as a way to authenticate.

Layered Security: Something new I took from this guidance is a layered approach to sessions. For example, a user may just want to check balances, and a password is good enough for that. BUT, if they then try to use bill pay, they are prompted for additional authentication, e.g. a one-time use passcode sent via text or token for the user to input. Once successfully authenticated, they can use bill pay. This can be great for commercial users who may just check balances without having to be prompted for additional authentication yet.

Better Risk Assessments: Of course, all these new authentication changes will need to be supplemented by a risk assessment. That means defining which transactions require layered security versus just a password, which accounts require multi-factor and which ones do not, what type of authentication the financial institution is going to use, etc. This risk assessment will be used to verify any type of online banking practices in place, so if you do not plan on changing authentication requirements very often, get it right the first time. Online banking policies should also reference this risk assessment.

Customer and Employee Awareness: Just like there are education requirements for red flags, the same is being suggested for online banking use. According to the guidance, customers need to be better informed on the appropriate use of online banking, how to authenticate, what to watch out for online and what to do if they believe their account/machine is compromised. This can be done by just pointing users to sites about online security or putting together videos or banners on your own site. Or, if you really want to be proactive, then hold real-life training sessions for your customers that touch on authentication and online security in general.

Onsite Reviews!?!?!?! I did not interpret this anywhere specifically from the guidance, but have seen a couple of examiner recommendations recently about site visits to ‘audit’ high risk online banking users (ACH originators). Many of our banks require their customers to fill out self-assessments about the security of the machines they use for remote deposit to make sure they are well patched, have active anti-virus, are password protected, etc. Best practice would be to do the same thing for ACH originators, but then the argument is that they do not have to use the audited or site-visited machines to send files. Anyway, it is something to consider for your high risk customers.

Those are the highlights and my interpretation of the new guidance. Feel free to agree or disagree when we make new recommendations the next time we do an e-banking review for your financial institution.
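The Multi-Factor and Layered Security points above can be sketched as a session gate. This is an added example, not code from the guidance, the post or any vendor; the factor labels, the `REQUIRED` policy table and the `Session` class are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Factor categories named in the post; the factor labels are constructed for this sketch.
CATEGORY = {"password": "know", "security_question": "know", "picture": "know",
            "token_otp": "have", "sms_otp": "have", "fingerprint": "are"}

# Hypothetical output of the risk assessment: distinct categories required per action.
REQUIRED = {"view_balance": 1, "bill_pay": 2}
STRICTEST = max(REQUIRED.values())


class Session:
    def __init__(self):
        self.verified = set()   # factors verified so far in this session
        self._otp = None        # (code, expiry) of the outstanding passcode

    def record(self, factor):
        """Call after a factor (e.g. the password) has been verified."""
        self.verified.add(factor)

    def authorize(self, action):
        """'allow' if enough distinct categories are verified, else 'step_up'."""
        have = {CATEGORY[f] for f in self.verified}
        # Actions missing from the policy fail closed to the strictest level.
        need = REQUIRED.get(action, STRICTEST)
        return "allow" if len(have) >= need else "step_up"

    def issue_otp(self, now=None, ttl=120):
        """Create a 6-digit passcode to be delivered out of band (text or token)."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._otp = (code, now + ttl)
        return code

    def submit_otp(self, code, now=None):
        """Check a passcode; it is consumed by any attempt, so it is single use."""
        now = time.time() if now is None else now
        pending, self._otp = self._otp, None
        if pending is None or now > pending[1]:
            return False
        if not hmac.compare_digest(code, pending[0]):
            return False
        self.verified.add("sms_otp")
        return True
```

Because the gate counts distinct categories rather than the number of prompts, a password plus a picture check still returns `step_up` for bill pay.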

Auditing with Personality

Courtney July 25th, 2011 2 Comments

Auditing is often regarded as a drab, boring, analytical, spreadsheets kind of world. However, I have found that it is not nearly as black and white as some think. It’s just as much art as science, and the personalities involved provide quite a color spectrum. Simply put, who we are affects what we do, or as Ron Washington might say, “how we do.”

How I was raised, the family that I came from, the experiences I had in school, in dating relationships, in athletics, in church… they have all impacted how I view the world. This is significant because it makes me who I am. Your experiences are significant because they make you who you are. And… appreciating the person sitting across the desk is something that’s often missed in the IT Review process. I need to understand that this person may or may not be having a good day. May or may not have stress at home. May or may not feel threatened by my presence. This is important, because this person has to go home when they get off work, and how we treat each other will impact how well we’re both able to love our families.

The black and white world of checklists and policies, procedures and configurations often misses this, and that’s wrong. After all, if people weren’t around, we wouldn’t be auditing. It’s not about the result… it’s about the people. Appreciating the person across the desk isn’t just the right thing to do. It’s also helpful. Many of the recommendations I’ve made over the years have come because the person across the desk cares about their job, they care about their customer, and they care about doing the right thing. Oftentimes, the people we work with understand the risks that we look at far better than we do, and so appreciating them helps them to appreciate what we do. It’s often been said that people don’t care what you know until they know that you care.

I’m as guilty as anyone else of feeling hurried, trying to check the right things off my list and moving on to the next control objective. However, I find if I stop down to actually listen to the person I’m working with, and to hear their life, not only does it make me a better person, but it makes me more effective. If you struggle in the same way… slow down… breathe. Look someone in the eye. Listen. No… really listen. Don’t think about the next thing you’re going to say… just listen. In the end… we’ll all be better off for it.