A Prevention Piece


Consumer compliance activities can be a foundation to overall data security efforts

By Mary Thorson

“The cause is hidden. The effect is visible to all,” said the Roman poet Ovid.

Criminal threats on electronic fund transfers can result in compromised data, reduced productivity, system downtime and monetary theft. We recognize the effects of cybercrime, but where should a community bank start to combat the roots of cybercrime when there are so many potential points of vulnerability?

One defense against this dynamic, continually evolving menace for community banks can begin with the consumer protection obligations already associated with their internal compliance programs. Compliance controls and processes performed by employees or third-party vendors, such as account opening and monitoring procedures, issuing access devices, and data mining through the error resolution process, can act as plates of armor integral to data security.

Managing EFT security

In particular, Regulation E covers consumer accounts and the EFT services offered on those accounts—debit cards, prepaid cards, ATM transactions, ACH transactions, remittances and telephone transfers. As one step in an overall program to safeguard its customers’ information, your community bank should review its EFT products and services for potential risk and for consistency with the relevant regulatory measures.

One such valuable regulatory source, the Safeguards Rule issued by the Federal Trade Commission, implements the Gramm-Leach-Bliley Act customer information protection requirements for financial institutions. The rule requires:

  • a written security plan (which should include electronic fund transfers);
  • an assessment of the risks to customer information; and
  • a safeguards program that includes:
    • periodic monitoring and testing;
    • third-party service provider selection, contract coverage and oversight; and
    • change management to address changes in the bank’s business or operations or the results of security testing and monitoring.

Handling security breaches

Despite efforts to manage and secure data and maintain controls for accounts, breaches may occur. The Safeguards Rule outlines the steps banks should take to preserve the security, confidentiality and integrity of customer information if a breach is suspected, including:

  • taking immediate action to secure any information that has or may have been compromised;
  • preserving and reviewing files or programs that may reveal how the breach occurred;
  • bringing in security professionals to help assess the breach as soon as possible, if needed; and
  • notifying the bank’s primary federal regulator and considering whether to notify consumers, law enforcement and businesses of a security breach. For example, such notifications could involve:
    • consumers, if their personal information is subject to a breach that poses a significant risk of identity theft or related harm;
    • law enforcement, if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm;
    • credit bureaus and other businesses that may be affected by the breach. The FTC’s “Information Compromise and the Risk of Identity Theft: Guidance for Your Business” is another useful source; and
    • checking if breach notification is required under applicable state law.

Currently, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands require private or government entities to notify individuals of security breaches of information involving personally identifiable information, according to the National Conference of State Legislatures. Each state law contains specifics about who must comply, definitions of “personal information,” what constitutes a breach, requirements for notice and exemptions from the requirements.

Cybercrime continues to grow in volume, sophistication and type. It is a real and increasing threat to protected information and financial assets, and a comprehensive strategy, including electronic fund transfers, is required to combat it.

Mary Thorson, a former Federal Reserve managing examiner and compliance consultant, is a financial writer in Virginia.