Comply or Die

Don't skimp on compliance, especially as it relates to security.

August 27, 2010

Think you can put off data security compliance to stretch a limited operating budget? Think again. Regulators are becoming more insistent that credit unions not only comply with federal and state financial regulations, but also with minimum standards for data handling and protection.

“Regulators are pushing data leakage prevention, where credit unions are required to know where all of their sensitive data is stored and who has access to it, and tracking when it goes out and where it goes,” says Kevin Prince, chief technology officer (CTO) at Perimeter e-Security.

The National Credit Union Administration (NCUA) is making sure credit unions have implemented firewalls, antivirus software, and intrusion protection, says Jim Stickley, CTO at TraceSecurity. “The current emphasis is on multifactor online banking protection, where you throw up more challenges to people coming in online. This includes asking for identification and answers to personal questions, or requiring visitors to have a certain cookie embedded in their computers.”

Another new emphasis, says Stickley, is vendor management—an outgrowth of regulators’ concerns with identity (ID) and data theft. For example, say Credit Union X has third-party data storage, which gives the vendor full access to confidential information. How does the credit union protect that data? The answer is to conduct due diligence on those vendors.

“The problem is that most credit unions are small operations that might have one person doing all information technology (IT) tasks—from data storage and server maintenance to replacing toner cartridges in the printers,” Stickley says. “That’s why we offer VendorTrack, a vendor management service, in conjunction with CUNA Strategic Services.”

Compliance needs drive purchases

Vendors wish it were otherwise, but pressure from auditors is often what it takes to make credit unions address security issues. “What drives most credit unions to buy our solutions is compliance,” says Prince. “We get a tremendous number of calls along the lines of, ‘The auditor is coming,’ or ‘The auditor has just arrived,’ and they need to be compliant.”

On average, credit unions spend 6% of their technology budgets on IT security and 3% on online security/fraud prevention, according to the Credit Union National Association’s (CUNA) 2008 Technology and Spending Report. The most common security measures credit unions have in place are firewalls (95%), antivirus protection (94%), and spam filters (75%).

Andrew King, vice president of customer relations at Verafin, sees the same thing. “Some credit unions will only change or adapt when they see examinations looming, or afterward, when they come to us and say, ‘We’ve been audited and we need new technology to help us meet regulatory requirements.’ Security and compliance are a cost, and most credit unions have limited resources.”

Complicating the issue, King says, is the perception that anti-money laundering efforts, Office of Foreign Assets Control checking, case management, and fraud detection are all separate issues, therefore separate distractions. “Our response has been to roll all those tasks into one package, converting them from worrisome cost factors into a whole new capability. When an employee who has been doing paper reports suddenly has the capability to create value-added data and deep analysis, everybody wins.”

Still, says Stickley, in too many cases policy compliance is a mess. “Many credit unions have outdated or unwritten policies. Sometimes credit unions have no policy about how they deal with vendors onsite. Do they check drivers’ licenses? Provide escorts? Allow access to only certain sites or rooms?

“A computer may have a virus that was picked up unknowingly by an employee browsing in the wrong place,” he continues. “That’s why former suggestions, such as ‘Don’t go to such-and-such sites,’ now must become firm policies. It used to be that you could cut and paste policies you found online. But now policies have to be so specific and granular that you can’t get away with not writing your own.”

The newest compliance requirements involve “red flag guidelines,” regulations that call for policies to protect member data and other sensitive information. “Most regulations don’t say what technology to deploy,” says Prince. “They’re more about policies and procedures—what you’re going to protect and do to protect it.”

He says credit unions must be able to answer these questions:

  • Do we have policies in place?
  • How are we detecting incidences of red flag activity?
  • What are we doing in response?
  • How are we training staff? Are employees prepared to deal with someone who comes in with a false ID, and do they know how to look for fraudulent elements in a loan application?

What to ask vendors

Stickley advises scrutinizing software or services in seven ways. Make sure it:

1. Meets regulators’ needs.
2. Is continually updated, not just at set intervals but on an as-needed basis.
3. Has reporting capabilities, including standard reports, which address all compliance issues, and ad-hoc reports, which address more specific issues.
4. Ties back to IT and risk-assessment audits; no piecemeal approach.
5. Can manage policies seamlessly and tie them all together so there’s no scampering around when an auditor arrives.
6. Is user-friendly. Is this a one-time buy or is it living, breathing, evolving, and updating?
7. Explains regulations clearly and in language everybody can understand.

King advises paying attention to how vendors update their compliance software, using Fair and Accurate Credit Transaction (FACT) Act compliance as an example. “On one hand, you can create a separate product or item that addresses FACT Act requirements and then encourage credit unions to buy it. Or you can ask what the new regulations are trying to do.

“In the FACT Act’s case,” he continues, “the concern is over ID theft, the majority of which is via card fraud—nothing new. So, we asked, can we adapt our current software and adjust our current technology to treat FACT Act requirements as just another scenario? That’s what we did.”

The coming year

King observes that the regulatory burden on all financial institutions increases year by year. “When the economy slacked, regulators eased up a little, but now they’re getting super-focused again. You’ll see a push among credit unions in certain asset classes and locations. Big states like California, Texas, New York, and Illinois always received the toughest regulation. But now regulators are looking harder at the heartland.”

Nevertheless, King advises, credit unions should be careful when new regulations come out. “Don’t jump and react quickly. Assess the impact of regulatory changes before deciding to purchase software. Good compliance software vendors should be able to adapt and have you covered in no time.”

Risk-rate members

Wolters Kluwer Financial Services in Minneapolis offers Wiz Sentri RiskID, a set of tools that automate ID verification operations from account opening to record archiving. It streamlines credit unions’ workflow and ensures compliance by risk-rating and risk-scoring new and existing accounts, verifying individual and business IDs, and screening applicants and accountholders against government watch lists.

Wiz Sentri RiskID allows credit unions to:

  • Verify the IDs of applicants opening new accounts and confirm the IDs of current members;
  • Screen potential and current members against lists of high-risk individuals and businesses;
  • Speed up member due diligence by automatically evaluating member risk at account opening, and using customized evaluation parameters that fit individual credit unions’ policies, procedures, demographics, and risk tolerance; and
  • Risk-rate members as low, medium, and high risk, and apply the appropriate due diligence reviews according to risk.