TRANSCRIPT
Financial Institutions & the Future
July 30, 2013
© 2013 Rehmann
Regulatory Compliance Hot Topics & Trends
Presented by: Beth Behrend
Beth A. Behrend
Senior Manager • Compliance Services Leader for Financial Institutions
• More than 30 years of financial institution experience
– Extensive knowledge of financial institution operations; serves in an advisory role to clients in the BSA and regulatory compliance areas
Audit & Review Programs
• Who owns your program?
• Scope – is it adequate?
• Risk Assessments
Bank Secrecy Act/Anti-Money Laundering
• Validation of Monitoring Programs
• Risk Rating Customers
• Enhanced CDD Programs
Fair Lending
• Increasing regulatory attention
• Increased “encouragement” to perform internal review
HMDA Data Accuracy
• Continues to be high profile
• Check, double check, triple check
• Document procedures
Unfair, Deceptive or Abusive Acts or Practices
• UDAAP ramifications should be assessed for every:
– Risk assessment performed
– New product introduced
– New service originated
– Office location opening/closing decision
– Advertising material
Training Programs
• Detailed
• Complete
• Monitored
Best Exam Practices
• Lead the regulator to the story you want to tell
– Formal policies
– Detailed procedures
– Updated tracking
– Regular reporting to Audit Committee/Board of Directors
– Regular review/risk assessment updates
QUESTIONS?
Financial Institutions IT Update
Presented by: Jessica Dore, CISA
Jessica Dore, CISA
Senior Manager • Technology Risk Management
• Specializes in technology consulting & security and SOX 404 compliance
– In-depth knowledge of SOX 404 compliance, GLBA compliance and COBIT standards
– Extensive knowledge of IT systems
• Experience in leading teams and performing IT security assessments with a wide variety of clients
IT Trends
By 2016, the number of mobile devices is expected to surpass the world’s population, an 18-fold increase between 2011 and 2016. – Cisco
In 2012, the Identity Theft Resource Center (ITRC) documented 447 breaches in the United States, exposing 17,317,184 records. In the first half of 2013, there have so far been 255 incidents, exposing 6,207,297 records
Before 2015, it’s projected that mobile internet usage will overtake the desktop. – Microsoft
Malicious attacks (defined as a combination of hacking and insider theft) accounted for nearly 47 percent of the recorded breaches in 2012 in the United States. Hacking attacks were responsible for more than one-third (33.8 percent) of the data breaches recorded. - Privacy Rights Clearinghouse
In the 2013 AFP Payments Fraud and Control Survey, it was noted that 61% of organizations experienced attempted or actual payments fraud
Through 2016, the financial impact of cybercrime will grow 10 percent per year due to the continuing discovery of new vulnerabilities. - Gartner
Facts & Statistics
• Anti-Phishing Working Group (APWG) reported in Q4 2012 that Financial Services remains the most targeted industry
Description of the Scheme
• Customer’s e-mail account is compromised
• Financial institution receives an e-mail that appears to come from the customer’s e-mail account asking the institution to wire out money
What Can You Do?
• Ensure that proper internal controls are in place to verify the legitimacy of wire requests, using a channel other than the e-mail that carried the request
• Continue to educate customers about IT security
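The control behind "verify the legitimacy of wires" is easy to state and easy to get wrong: the confirmation must go to contact details the institution already holds, never to the phone number or reply address in the suspicious e-mail, because a mailbox the attacker controls can supply any of those. The following is an added example, not code from the presentation or from Rehmann, that models that rule as a small approval routine. The customer record, the request, the callback answers and the `wire_limit` dual-control threshold are all constructed for illustration.

```python
"""Out-of-band verification of an e-mailed wire request (added example).

A wire instruction that arrives over a channel the institution cannot
authenticate (e-mail, fax) is held until a callback to the number of
record confirms it, and large amounts additionally need a second
approver. All records and phone numbers below are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, Dict, List, Optional

# Constructed customer file. callback_phone is what was captured at
# account opening, wire_limit is the assumed threshold for dual control.
CUSTOMERS: Dict[str, dict] = {
    "ACCT-1001": {
        "name": "Example Manufacturing LLC",
        "callback_phone": "+1-555-0100",
        "wire_limit": Decimal("25000"),
    },
}

# Channels whose sender cannot be authenticated by the institution.
UNAUTHENTICATED_CHANNELS = {"email", "fax"}


@dataclass
class WireRequest:
    account: str
    amount: Decimal
    beneficiary: str
    channel: str
    # Contact details written *inside* the request. An attacker who owns
    # the mailbox can put any number here, so it is never called.
    contact_phone_in_request: str = ""


@dataclass
class Decision:
    approved: bool
    callback_to: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def verify_wire(req: WireRequest,
                callback_confirms: Callable[[str], bool],
                second_approver: Optional[str] = None) -> Decision:
    """callback_confirms(phone) stands in for the staff member dialling
    `phone` and reporting whether the person reached confirmed the wire."""
    d = Decision(approved=False)
    cust = CUSTOMERS.get(req.account)
    if cust is None:
        d.reasons.append("unknown account")
        return d

    if req.channel in UNAUTHENTICATED_CHANNELS:
        # The callback goes to the number of record, full stop.
        d.callback_to = cust["callback_phone"]
        if (req.contact_phone_in_request
                and req.contact_phone_in_request != d.callback_to):
            d.reasons.append("phone number supplied in request ignored; "
                             "using number of record")
        if not callback_confirms(d.callback_to):
            d.reasons.append("customer did not confirm instruction by callback")
            return d
        d.reasons.append("instruction confirmed by callback to number of record")

    # Dual control on large wires, independent of how the request arrived.
    if req.amount > cust["wire_limit"]:
        if not second_approver:
            d.reasons.append("amount exceeds limit; second approver required")
            return d
        d.reasons.append(f"dual control: second approval by {second_approver}")

    d.approved = True
    return d


def demo_fraudulent_request() -> Decision:
    """Constructed attack: the e-mail carries the attacker's own number."""
    req = WireRequest("ACCT-1001", Decimal("18500"), "Beneficiary Ltd",
                      channel="email", contact_phone_in_request="+1-555-0199")
    # Whoever answers the attacker's number says yes; the real customer,
    # reached at the number of record, does not recognise the wire.
    answers = {"+1-555-0199": True, "+1-555-0100": False}
    return verify_wire(req, lambda phone: answers.get(phone, False))


def demo_legitimate_request(second_approver: Optional[str]) -> Decision:
    """Constructed legitimate request over the wire_limit."""
    req = WireRequest("ACCT-1001", Decimal("40000"), "Supplier GmbH",
                      channel="email")
    answers = {"+1-555-0100": True}
    return verify_wire(req, lambda phone: answers.get(phone, False),
                       second_approver=second_approver)


if __name__ == "__main__":
    for d in (demo_fraudulent_request(), demo_legitimate_request(None),
              demo_legitimate_request("ops-supervisor")):
        print(d.approved, d.callback_to, "; ".join(d.reasons))
```

The point of `demo_fraudulent_request` is that the attacker's "yes" is never heard: the routine only ever dials the stored number, so the request fails regardless of what the e-mail says. The dual-control branch shows why the callback alone is not the whole control; a confirmed instruction above the threshold still waits for a second person.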
Regulatory Hot Buttons
→ Vendor Management
→ Social Media
→ Remote Deposit Capture
→ Mobile Computing
Vendor Management
• Outsourced providers – do you know where your data is being stored?
• Review your contracts to ensure they clearly identify where your data is being stored
• Perform an annual due diligence review to ensure the vendor has adequate internal controls and is a viable business
Social Media
• Social Media Strategy
– Policies and Procedures
– Risk Assessment
• Acceptable Use Agreements
• Employee Training
• Incident Response
• Third Party Vendor Due Diligence
• Monitoring
Remote Deposit Capture
• Remote Deposit Capture Policy
• Risk Assessment
• Audit Plan
• Risk Rating of Customers/Customer Due Diligence
• Customer Audits
• Customer Training
• Communication Channel
Mobile Computing
• Mobile Device Strategy
– Policies and Procedures
– Risk Assessment
• Acceptable Use Agreements
• Authentication & Encryption
• Secure Transmission
• Device Management
• Employee Training
QUESTIONS?
Physical Security & Critical Incident Planning
Presented by: Steve Kerby
Steve Kerby
Director of Security Consulting & Insurance Defense Services
• Rehmann CIS – 1997 to Present
– B.A. in Finance, MBA from Central Michigan University
• Specializes in fraud investigation, security consulting and risk assessments, and insurance defense services
Objectives
• Physical Security
• Importance of a strong physical security program
• Critical Incident Planning
• Are you prepared?
Physical Security
Centralized Program
• A model security program consists of cohesive policies and procedures managed by a qualified individual with the responsibility and authority to fully implement and manage the program
– The policies should address the four main areas of security:
• physical security
• information security
• personnel security
• critical incident management and response
• Consistent between locations
• Introduce a security and safety component to all team meetings
• Conduct periodic training and testing on following procedures
• Well-published policies signed off on by all employees annually
• Team approach with one leader involving tellers, location managers, business/member development, and IT
Balanced Approach to Physical Security
• Critical incident plan
• Staff training/testing
• Security/risk assessment
• Threat assessment
Risk Analysis
• Place the facility in the context of its environment
– Institution incident reports
– Police/Fire/EMS responses
– Financial procedures and controls
• Cash
• Inventory
• Purchasing
Methodology
• Staff Interviews
• Building Tours
• Physical Security Inspection
• Comparison
• Periodic testing
The case of the missing backup tapes
The Weak Link?
EVERYONE
Critical Incident Planning
What Are We Protecting Against?
• A critical incident is any event that poses a risk to the assets, people, or reputation of your institution.
– Data intrusions
– Ponzi schemes
– Weather events
– Health pandemics
– Robberies
– Workplace violence
The First 5 Minutes
1. Activate the critical incident plan
2. Contact 911
3. Secure or evacuate facility
4. Render first aid
5. Verify information with law enforcement
6. Notify appropriate institution locations and personnel
Post-Incident
• Media attention
• Fact finding
• Blame assigning
• Emergency plan critique
• Emergency response critique
• Political rhetoric
• Grief counseling
The Planning Process
Major Considerations in Planning
• Incident Scene Coordinator
• Command Center
• Incident Response Team
• Assessing Threat Level
– Monitor: potential for risk
– Stand-by: real risk exists
– Emergency: event has occurred
• Site Control Options
– Normal movement
– Suspended movement
– Lockdown
– Stay-In
– Evacuation
• Evacuation & Business Continuation
Your Role
• Know your office
• Be aware of your surroundings
• Escort members and vendors
• Document security
• Company conversations
• See something, report it
Impact to You
• Individuals harmed, injured or killed
• Disruption of business / customer service
• Financial losses
• Employee and Customer Retention
• Reputation Damage
• Compliance Problems
Scenario One
• A teller at your location is working diligently at her station. She handles a transaction with an individual going through a divorce. This individual happens to be married to a teller who works at a different location. Upon learning that the account has been closed, this individual launches into a tirade and discloses that he/she is going immediately to the other branch to kill their spouse.
• What do you do?
Scenario Two
• It is a busy day at your location with several individuals in your branch meeting with tellers and other members of the staff. Without much warning the fire alarms sound and within seconds the branch is filled with smoke.
• What do you do?
QUESTIONS?
Due Diligence
Presented by: Liz Ziesmer, CPA, CBA
Liz Ziesmer, CPA, CBA
Principal • Director of Rehmann Financial Institutions Services
• Serves as a firm-wide resource for internal and external financial institution engagements as well as consulting to a variety of financial institutions, including community banks and SEC engagements
• Involvement in numerous financial statement, internal audit, consulting services and employee benefit plan engagements for Rehmann’s largest and most complex financial institutions
Key to Success
• Develop a Plan!
– Define your overall strategy
– Develop areas of focus, including:
• Geography
• Culture
• Products
• Financial stability
Key to Success
• Establish roles, responsibilities and method of reporting
– Understand the abilities of the internal team
• Consider limiting the number of people involved – but more than one!
• Sound project management skills
• Interpersonal skills
• Self assessment
– Areas where a third party will be necessary or most beneficial
– Establish a timeline and tracking of projects
– Expectations of those reporting to you
Due Diligence
• Establish pricing, assumptions, financial modeling and risk tolerances
• Use of various outside parties to provide experience and unbiased opinions, and to reduce the time demanded of internal resources
• Establish letters of intent and confidentiality/non-disclosure agreements
• Establish a timeline
– Time is often limited
– Prioritize
– Frequent communication & updates
– Open and up-front discussions
• Documentation of assessment
Focus Areas
• Often, deals hit a “roadblock” based on some common areas:
– Pricing
– Board and management composition
– Loan quality and allowance adequacy
– Proper full disclosure – integrity concerns
– Regulatory issues
– Contracts
QUESTIONS?
Thank you for attending!