August 2003 - Weblinking, DR and BCP, IDS, Patch Management
October 2003 - Recent exam hot spots - IT audit, FedLine, Internet Banking
January 2004 - BCP, GLBA, IT risk management, network security, access controls
March 2004 - Vendor due-diligence, Check 21, Worms, Internet safeguards
July 2004 - Patch management, ID theft, Contingency plans, SANS top 10
November 2004 - Phishing, instant messaging, virus protection
February 2005 - Recent exam hot spots
April 2005 - Email encryption, IT insurance guidelines
June 2005 - Why perform network penetration testing
August 2005 - Incident response and credit monitoring
December 2005 - ID Theft statistics and overview
February 2006 - PBX fraud, email phishing fraud, single-factor auth
April 2006 - GLBA and Skimming
June 2006 - Hiring policy, pandemic flu, business impact analysis
November 2006 - Fedline Advantage BCP, laptop security
January 2007 - SANS statistics on cyber crime
March 07 - Vista, IBM vPro chip, iPods, USB
June 07 - Intrusion detection and response
Sept 07 - GLBA overview
Oct 07 - Robberies, firewall policy
Jan 08 - Smartphones / PDAs, pandemic prep, IDS and logs
March 08 - trojan.silentbanker
April 08 - Fedline Advantage reports, IP based ATMs
June 08 - Virtualization, USB drives, insecure websites
October 08 - Postal safety, Red Flag ID Theft
December 08 - Firewall policy, virtualization, Nettop PCs
February 2009 - Remote Deposit Capture
March 2009 - Adobe PDF security flaw, public enforcement IT actions
April 2009 - BLU3 management announcement
May 2009 U1 - DR and BCP lessons learned
May 2009 U2 - BCP and swine flu (H1N1)
May 2009 U3 - IAT ACH compliance
August 2009 - Audit Policy, Ten questions to ask before investing in new technology
October 2009 - Reg GG, NACHA operating rules enhancement summary
January 2010 - Exam/audit exception and tracking items
February 2010 - Incident response plan changes, credit bureau fraud depts.
March 2010 - Top seven predictions of 2010
April 2010 - Digital copiers, multifunction devices, ACH risk assessment
August 2010 - Social engineering, Reg Z, FIL 43-2010
August 2010 U2 - Reg E with teeth, Visa news, Foreclosure Act of 2009
October 2010 - USB drives, hacks (Zeus), and Social networking protection
October 2010 U2 - Digital certificates and ATM / ADA upgrades
December 2010 - Social networking sites and services
December 2010 U2 - Cyber attack approaches used by fraudsters
February 2011 - Notice Requirements for Noninterest-bearing Transaction Accounts
March 2011 - ACH Origination, Wire Transfer, Bill Pay - Risk Based Pricing Guidance
April 2011 - The Zeus Trojan (bankers trojan)
July 2011 - FFIEC Supplement to Authentication
July 2011 U2 - Internet Security Tips
September 2011 - ACH, Wire, and Electronic Banking Fraud
November 2011 - Risk Assessing iCloud and others
February 2012 - Authentication in an Internet Banking Environment
March 2012
2. Card Fraud (Again!): Something else to watch for. You have probably already heard of the latest card data breach, which is connected to a payment processor, Global Payments, and appears to be centered more in the New York City area. Here are two links on the topic: http://nyti.ms/GYcJZm http://krebsonsecurity.com/ The first link is the New York Times article on the topic and the second is a link to our buddy Brian Krebs' security blog. In that blog, you will want to read both his April 2 post and his post from March 30. Brian was the first reporter on the story, and his estimates are that up to 10 million cards could have been exposed, while Global Payments is putting the number at 1 to 1.5 million. We all remember how the numbers kept increasing on the old Heartland breach, so it is wise to stay posted on the scope of this newest breach.
COMPLIANCE SECTION (Thanks to Shaun Harms and Bankers Assurance):
1. ATMs: In March 2011 we first heard of a bank in Arkansas being hit with a lawsuit because the fee notice was not posted at the ATM. This week we have heard from another bank going through the same lawsuit, and the same person has hit another 6 banks in Arkansas in the last 6 months. He is from California and is traveling around to smaller banks looking for an ATM with no notice and slapping the bank with a class action suit. Please check all of your ATMs immediately, especially machines recently replaced for the ADA compliance rules. This is a matter of great importance. Don't be the next one.
2. More on Overdraft Fees (Thanks to Blair Rugh of TriComply): Institutions are required by their debit card networks to honor certain small dollar and some authorized transactions that exceed the authorized amount even if the transaction will cause an overdraft in the member or customer's account. Regulation E provides that an institution may not charge an overdraft fee on a one-time point of sale (POS) debit card or ATM transaction, unless the institution has the member or customer's prior written consent. Consequently, many institutions which do not have formal overdraft programs sent their members or customers the Regulation E prescribed request for consent, and many apparently consented. The result was that an overdraft fee for the force paid transactions was charged to the consenting members and customers and not to those that did not consent.
The FDIC initially determined that this practice was an unfair and deceptive act and practice. Banks being examined were instructed to reimburse all of the offending fees they had collected since July 1, 2010, when the Regulation E rule became effective. But then the FDIC told at least one bank it had criticized that it had changed its mind. The practice was determined not to be an unfair or deceptive act or practice, and the bank was not required to reimburse.
So far, so good. But now the FDIC has backed off its back off. It recently told the Independent Community Bankers Association (ICBA) that it would not cite banks for the practice as unfair or deceptive. But, and it's a big BUT, the FDIC also stated it would not allow banks which do not have a formal overdraft program to charge a fee for POS debit card and ATM overdrafts going forward, even though the customer has consented. Also, banks are encouraged to reimburse the offending fees to mitigate litigation risk, but they are not required to do so and they will not be criticized if they do not. Further, the FDIC indicated that such a practice would not affect compliance ratings, which has been confirmed in at least one instance.
If your bank does not have a courtesy overdraft program but you sent the Regulation E notice to your customers, you must cease charging those customers fees for the transactions that you force pay, but you are not required to reimburse for prior transactions. In other words, when the only time you pay an overdraft is when you have a force pay situation, you must cease charging an overdraft fee for your force pay POS and ATM transactions. If you have a courtesy overdraft program, be it formal or ad hoc, you do not need to cease charging such overdraft fees for which you have consent from the customer as provided under Regulation E.
We have not heard of any other agency taking the FDIC's position. Moreover, the CFPB still has not made any decision, despite having authority over Regulation E and being tasked with ensuring consistent examinations as prescribed under Dodd-Frank.
Copyright 2012 BLU3 Technologies Incorporated All Rights Reserved