Six Key Cybersecurity Controls that are Critical to Banks

Cybersecurity risk heightened with bank wiring

The OCC and FDIC recently issued an interagency statement on heightened cybersecurity risks, prompted in part by a warning from the Department of Homeland Security of potential cyberattacks against U.S. targets because of increased geopolitical tension. The statement reminds banks not only to implement and maintain effective preventive controls, but also to prepare for a worst-case scenario by maintaining sufficient business continuity planning processes for the rapid recovery, resumption and maintenance of the institution’s operations.

The statement describes six key cybersecurity controls that are critical to protecting banks from malicious activity:

1. Response, resilience and recovery capabilities,

2. Identity and access management,

3. Network configuration and system hardening (that is, modifying settings and eliminating unnecessary programs to minimize security risks),

4. Employee training,

5. Security tools and monitoring, and

6. Data protection.

For a detailed discussion of these controls, you can read the statement at https://www.fdic.gov/news/news/financial/2020/fil20003.html.

OCC Annual Report emphasizes BSA/AML risk

The OCC recently issued its 2019 Annual Report. The report warned that compliance risk related to Bank Secrecy Act/anti-money laundering activities remained high last year. It encouraged banks to implement BSA/AML risk management systems commensurate with the risk associated with their products, services, customers and geographic footprint. Noting that BSA/AML compliance remains a priority, the OCC outlined recent guidance that embraces using innovative technologies to meet these compliance obligations. The agency also encourages community banks with lower BSA risk profiles to reduce costs and increase operational efficiency by sharing BSA compliance-related resources.

Debt collection: Handle with care

A recent federal court case, Hackler v. Tolteca Enterprises Inc., illustrates the importance of carefully following the Fair Debt Collection Practices Act (FDCPA). In that case, a collection agency sent a letter to a debtor attempting to collect a debt. It stated, “If you dispute the validity of this debt within 30 days, from receipt of this notice, we will mail verification of the debt to you. If you do not dispute the validity of this debt within 30 days, from receipt of this notice, we will assume it is valid. At your request, we will provide you with the name and address of the original creditor if different from the current creditor.”

Because the letter failed to specify that the debt must be disputed, and the request must be made “in writing,” as required under the statutory notice requirements, the U.S. District Court for the Western District of Texas found the defendant liable for violations of the FDCPA.

© 2020