BankInfoSecurity.com - Banking Information Security News, Regulations, & Education

Bank Information Security Reference Kits

What are reference kits? Simply put, we have put together a group of articles, regulations, webinars, and important documents, all related to one major banking information security industry topic.

Gramm-Leach Bliley Act (GLBA) Compliance


The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress that repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. The Glass-Steagall Act had prohibited a bank from offering investment, commercial banking, and insurance services. The Gramm-Leach-Bliley Act (GLBA) allowed commercial and investment banks to consolidate. For example, in its wake Citibank merged with Travelers Group, an insurance company, and formed the conglomerate Citigroup, a corporation combining banking and insurance underwriting services. However, the law was not passed until some major mergers in the financial sector had already taken place, such as the Smith-Barney, Shearson, Primerica and Travelers Insurance Corporation combination in the mid-1990s. This combination, announced in 1993 and finalized in 1994, already violated the Glass-Steagall Act by combining insurance and securities companies. The law was passed to legalize these mergers. Historically, the combined industry has been known as the financial services industry.

> View Reference Kit



Identity Theft


Identity theft is defined as when someone fraudulently obtains personal information from another person and uses it for financial gain. The term is commonly used in reference to fraud of a financial nature, although it can also apply in other areas such as illegal immigration and terrorism. There are many ways of obtaining the data, such as going through people's trash or eavesdropping; these, however, are the more conventional approaches. High-tech methods of obtaining personal information and data are becoming more popular. Examples include infiltrating places that store personal information, such as computer databases, as well as phishing and spam.

The financial service industry is especially vulnerable to identity theft as the methods of obtaining information become more sophisticated in nature. Banks and other financial institutions are faced with the responsibility of keeping their clients’ information secure. Financial institutions invest a great deal of resources to protect against the breach of their databases. Due to the interdependent nature of financial institutions and consumers, the threat of identity theft is more devastating.

> View Reference Kit




Incident Response


The immediacy of response when a computer incident occurs at your institution is important. A computer incident response team, trained to pick up the trail of an unknown occurrence, determine whether it is valid, and then take the appropriate measures to stop the damage, repair the system, and restore service, is not a list of people that can be put together in a few minutes. During an IT regulatory exam, your examiner will look closely at your incident response team and its ability to respond to any situation.

> View Reference Kit



IT Risk Assessments


An effective risk management program protects your company and its ability to perform its mission. Performing an information technology (IT) risk assessment is a component of risk management and should be part of any institution's IT security program. How else will you know what risks are inside your IT systems? An IT risk assessment must be performed in order to gauge the level of risk within your operation. Federal and state regulatory agencies have issued numerous regulations and guidelines that outline what is acceptable and where strong security controls should be implemented within your IT systems.

> View Reference Kit



PCI Compliance


Stopping cybercrime by keeping credit card and debit card information secure is the driving force behind the Payment Card Industry (PCI)'s standards for data security.

The Payment Card Industry Data Security Standard (PCI-DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI-DSS was created by the PCI Security Standards Council, which was founded by five major credit card companies in 2004. (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International were the first members). The council provides a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the Data Security Standard. Merchants, banks, processors and point of sale vendors participate as members, and there are now more than 230 participating organizations in the council.

Before the Payment Card Industry (PCI) Data Security Standard (DSS) was created, each credit card brand had its own requirements for how organizations should secure customer data, so organizations were forced to perform similar audit reviews for each type of merchant card. PCI-DSS was developed as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing, storing, or transmitting credit card numbers must be PCI-DSS compliant or it risks losing the ability to process credit card payments. Organizations that accept payment card transactions are duty bound to comply with PCI-DSS by the end of 2007. Organizations that fail to comply risk not being allowed to handle cardholder data, and fines of up to $500,000 if the data is lost or stolen.

How do organizations know what the requirements are to achieve and maintain PCI compliance? They need to review the PCI-DSS in depth, learn the merchant and service provider definitions and levels, understand what is needed to achieve compliance, and see how these measures will help stem fraud. Organizations will also want to know the common issues merchants and service providers run into in achieving compliance without incurring financial loss or damage to their reputation, and the potential solutions merchants and service providers can consider to eliminate non-compliance issues.

> View Reference Kit




Phishing


Phishing is defined as, "the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information." (Webopedia)

Phishing is a rampant form of identity theft in the credit union information security sector. With this type of scam affecting hundreds of thousands of people a day, it becomes harder and harder to secure not only your personal information, but the private information of your clients. Therefore, the various regulatory agencies as well as industry professionals have put together information to help educate banking institutions about the effects of phishing and how to prevent it. This reference kit will keep you up to date on the latest regulations and articles related to phishing, and present educational material to help keep you one step ahead.

> View Reference Kit




STRONG Authentication


In October 2005 the Federal Financial Institutions Examination Council (FFIEC) issued new guidance affecting the Internet Banking systems of all financial institutions. This guidance impacts all federally insured financial institutions including Community Banks, savings institutions and Credit Unions.

This guidance has generated a significant number of very important questions among the financial institution community. Will banks have to issue electronic tokens to all their users? What will Internet Banking service providers do in response? How can financial institutions comply in only 14 months?

> View Reference Kit

Copyright © 2008 BankInfoSecurity®