August 24, 2016
Director of Financial Institution Services
• Specializes in audit and consulting services for financial institution clients
– Leads numerous financial statement and internal audits, SOX 404 and other financial services consulting engagements for the firm’s largest and most complex financial institutions, including SEC registrants
• Works closely with management and audit committees to address technical issues and ensure sound internal controls
• Serves as a firm-wide resource for financial institution accounting and auditing matters
Presented by: Beth A. Behrend, CCBCO
Senior Manager, Rehmann
• Leader of our firm’s compliance services for financial institutions
• Worked for and with financial institutions for more than 30 years
• Expertise includes providing a wide range of audit and consulting services for our financial institution clients
• Extensive knowledge of financial institution operations and serves in an advisory role to clients within the BSA and Regulatory Compliance related areas
Military Lending Act
Flood Insurance – Escrow Rules
Fairness in Product and Service Offerings
TRID update
• Effective October 1, 2015
• Compliance date October 3, 2016
• Exception: effective date for credit cards is October 3, 2017
• CFPB responsible for enforcement
• Final rule:
– Extends MLA protections to a wider range of credit products
– Modifies the Military APR (MAPR)
– Provides for a safe harbor when ascertaining if a consumer is covered by the rule
– Modifies prohibition on rolling, renewing or refinancing consumer credit
• Provide service members and dependents with specific protections:
– Limit the APR (including fees) for covered products to 36% (referred to as the MAPR)
– Require military-specific disclosures
– Prohibit creditors from requiring arbitration in the event of default
• Revisions to the rule expand the definition of “consumer credit” to more closely align with the definition of credit in the Truth in Lending Act (TILA)
– Includes credit cards
– Exceptions: residential mortgages and credit secured by personal property
• MAPR to include the following fees or charges, even if not considered finance charges as defined in TILA:
– Credit insurance premiums and fees for debt cancellation
– Fees for credit-related ancillary products sold in connection with the credit transaction
– Finance charges associated with the consumer credit
– Certain application fees and participation fees, including annual fees
• Lenders will need to verify that each credit applicant is not a service member, spouse, or dependent of a service member.
• Safe harbor: if the lender uses one or more of the following methods for verification:
– Nationwide consumer reporting agency
– MLA Database (maintained by the DOD)
– Defense Manpower Data Center (DMDC) Direct Connection
• Revised rule prohibits all renewals, rollovers, or refinances of payday loan transactions or other deferred presentment transactions by creditors other than banks, thrifts or credit unions.
Do you have your policy and procedures in place for the MLA?
– Yes
– No
• Disclosures required:
– Statement of the MAPR
– Any required TILA disclosures
– Clear description of the payment obligation
• Covered borrowers are permitted to recover damages from a creditor who violates a requirement of the MLA
• Changes effective January 1, 2016:
– Required escrow for premiums and fees for flood insurance: residential real estate or mobile homes
– Exempts requirement for coverage of detached structures not serving as a residence
– Specific requirements regarding force-placed flood insurance
• Must escrow all premiums and fees for loans secured by residential improved real estate or a mobile home in a special hazard area
• For all covered loans made, increased, extended, or renewed on or after January 1, 2016
• For loans covered by RESPA, the escrow servicing rules also apply
• Total asset size less than $1 billion in either of the 2 previous years
• As of July 6, 2012 institution was not required to escrow and did not have a policy of consistently and uniformly requiring escrow
• If Small Lender status is lost – must begin requiring escrow for flood insurance for loans made, increased, renewed or extended on or after July 1 of the first calendar year of status change
• Loans primarily for business, commercial or agricultural purposes
• Loan in subordinate position to a senior lien secured by the same property where flood insurance coverage meets the requirements
• Condos/Homeowners coverage
• HELOCs
• Nonperforming loans
• Terms of 12 months or less
• Flood insurance is no longer required on structures that are part of a residential property, but detached from the primary residential structure and do not serve as a residence
• Even though exempt from mandatory coverage under the regulation, lenders may require coverage to protect collateral
• Cost of force-placed coverage and fees may be charged to the borrower starting on the date on which coverage lapsed
• Lender not required to force-place upon learning of lapse. Notification to borrower must still be sent but lender is permitted to wait 45 days after notice before force-placing insurance
• Goal of the CFPB is to make the marketplace for consumer financial products and services accessible and advantageous for the consumer
• CFPB responsible for restricting unfair, deceptive, or abusive acts or practices
• Focus is on the consumer throughout the product lifecycle
• Third party contracts to provide products or services
• Marketing of add-on products
• Loss mitigation activities
• Evaluation of consumer’s ability to repay
• Compensation practices for employees
• Ongoing interaction with consumers
• Strategic considerations:
– Response to requests from consumers?
– Response to competitive forces?
– Is the product or service “bleeding edge”?
– Will product or service complement or cannibalize existing products and services?
• Customer considerations:
– Is there a customer need? How does cost impact customers?
– Features, risks, and terms explained clearly and conspicuously?
– Are fees or penalties structured so that unsuspecting or vulnerable customers could be adversely impacted financially?
– Are there financial incentives for institution employees?
• Assess the resulting fair treatment of or impact on consumers
– Targeted to a specific geographic area, demographic group?
– Does pricing impact a group of consumers in a non-uniform fashion?
• CRA considerations: how does this help meet the credit needs of the community?
• Where are we today?
– Regulatory oversight
– Common errors
• “Grace Period”
• When to expect “full force” examination
• CFPB Proposal for Update to disclosure rule
Do you have a process in place to track noted disclosure errors?
– Yes
– No
• Loan operating system “glitches”
– Amount Financed – incorrectly categorizing prepaid finance charges
– Verification Total Interest Paid (TIP)
– Accurate dates on revised disclosures
• Loan Estimate:
– Lender name and address missing
– Loan terms table includes incorrect information or is missing information
– Numerical errors
– Estimated closing costs not calculated in same manner as total closing costs
– Prepaids table does not include applicable time period and total amount paid
– Documentation of delivery of LE/revised LE sufficiently in advance of CD
– Fees changed on revised LE not related to change of circumstance
– Unsupported Change of Circumstance
• Closing disclosure
– Calculating Cash to Close table does not reflect “yes” when amounts changed
– Numerical errors
– Loans closed prior to 3 day waiting period
– CD issued same day as or prior to final LE
– Fees not displayed in alphabetical order
• Other
– Calculation discrepancies
– Use of inappropriate abbreviations
– Loan calculation discrepancies and fees listed incorrectly
– Improper rounding
• Continue to scrutinize disclosures
• Document errors noted and follow-up corrective action
• Compare notes in your industry groups
Presented by: Jessica Dore, CISA
Principal
• Technology Risk Management
• Specializes in technology consulting & security and SOX 404 compliance
– In-depth knowledge of SOX 404 compliance, GLBA compliance and COBIT standards
– Extensive knowledge of IT systems
• Experience in leading teams and performing IT security assessments for clients
Fraud, Cyber Crime & the Bottom Line
$400 billion lost annually to fraud and misappropriation by US organizations
6% of annual revenue lost to fraud and abuse by the average organization
$4 million to resolve the average data breach, not including liability issues
Source: ID Theft Resource Center
Each cell: number of breaches (share of that year’s total) / records exposed

Category              2015                        2014                       2013
Banking/Financial     71 (9.1%) / 5,063,044       43 (5.5%) / 1,198,492      23 (3.7%) / 786,789
Business              312 (39.9%) / 16,191,017    258 (33%) / 68,237,914     211 (34.4%) / 77,262,781
Educational           58 (7.4%) / 759,600         57 (7.3%) / 1,247,812      55 (9.0%) / 3,239,748
Government/Military   63 (8.1%) / 34,222,763      92 (11.7%) / 6,649,319     56 (9.1%) / 1,881,803
Medical/Healthcare    277 (35.5%) / 112,832,082   333 (42.5%) / 8,277,991    269 (43.8%) / 8,811,051
[Chart: number of security incidents vs. confirmed data loss]
Source: 2016 Verizon Data Breach Report
• Cyber warrior ‘mercenaries’ for hire worldwide
• Cyber crime is a multi-billion dollar underground economy
• Cyber crime is an industry of suppliers, distributors and manufacturers
• Information is the commodity
• Don’t believe they will be attacked
• Cybersecurity not a priority
• Weak cybersecurity/ outdated tools
• Poor employee training
• Poor or no data breach response plan
• Lead to bigger fish
[Word cloud of current threats: ransomware, phishing, spyware, malware, keylogging, skimming, bots, social engineering, watering hole]
Source: 2015 Verizon Data Breach Report
• Email from you
• Email from your internal staff
• Email from your member
• Message from friend overseas and in trouble
• “Your tax refund is already taken care of”
Source: Anti-Phishing Working Group
• Your data taken “hostage”
• Ransom email
• Today $300
• Tomorrow more
• If you don’t pay, they destroy your data
Has your institution suffered a ransomware attack?
– Yes
– No
– No, but I know of an institution that has
Source: 2016 Verizon Data Breach Report
The time to compromise is almost always days or less, if not minutes or less.
97% of breaches featuring stolen credentials leveraged legitimate partner access.
95% of confirmed web app breaches were financially motivated.
63% of confirmed data breaches involved weak, default, or stolen passwords.
85% of successful exploit traffic leveraged the top 10 vulnerabilities.
• The difference a year makes
• The average total cost of a data breach increased from $3.79 million to $4 million (+5.3%)
– Up 29% since 2013
• The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 (+2.6%)
– Up 15% since 2013
Source: Ponemon 2016 Cost of Data Breach Study
• 123456 (Unchanged)
• password (Unchanged)
• 12345678 (Up 1)
• qwerty (Up 1)
• 12345 (Down 2)
• 123456789 (Unchanged)
• football (Up 3)
• 1234 (Down 1)
• 1234567 (Up 2)
• baseball (Down 2)
• Cyber Criminals sell personal identifying information or use it to:
– Open false bank accounts
– File false IRS returns
– Open false credit cards
– Steal from bank accounts
– Hack into other accounts/businesses
• Negligent insiders are the top cause of data breaches
• Clicking on links in emails
• Sending work email to personal accounts
• Using data on insecure lines
• Not following corporate policies
• Not securing mobile devices
• Poor access controls
• Poor patch management
• Improper device configuration
• Lack of security audits
• Weak enforcement of remote login policies
Source: 2015 Verizon Data Breach Report
• Data
• Perimeter
• Access
• Patching
• Backups
• Vendor
• Mobile
• Human
• Data – What is it and where is it?
• Risks – What is it worth?
• Access Paths – How can you get to the data and what are the control points?
• Access - Who can get to your data?
• Do you have a firewall?
• Do you have a DMZ?
• Do you have an Intrusion Detection System?
• Do you have an Intrusion Prevention System?
• Are alerts turned on?
• Are they monitored?
• Conduct:
– External Vulnerability and Penetration Test
– Internal Vulnerability and Penetration Test
– Social Engineering Test
• Access Control
• Restrict Administrative Access
• Perform Access Reviews
• Leverage Least Privilege
• How often do you patch?
• Best Practice = 30 Days
• Daily Backups
• Rotated Offsite
• Testing
Does your institution backup data daily?
– Yes
– No
– I’m not sure
• Selection Due Diligence
• Contract Reviews
• Annual Due Diligence
How do you know you are making the right decision?
• Mobile Device Strategy
• Acceptable Use Agreements
• Authentication & Encryption
• Device Management
• Employee Training
• Train users on:
– Information Security Program
– Incident Response Plans
– Business Continuity Plans
– Security Threats
Create & enforce security policies
Educate employees
Update security software and patch systems
Backup & encrypt data
Secure wireless devices
Secure mobile devices and remote access points
Have an IT Security Assessment Performed
© 2015 Rehmann
Beth Behrend, CCBCO
Phone: 616.975.4100
Email: [email protected]
Jessica Dore, CISA
Phone: 989.797.9580
Email: [email protected]
Liz Ziesmer, CPA, CBA
Phone: 616.975.4100
Email: [email protected]