Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers

Transcription

1 Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers Tony DaSilva, AAP, CISA S&R Senior Technical Expert Federal Reserve Bank of Atlanta

2 Disclaimer The opinions expressed are those of the presenters and are not those of the Federal Reserve Bank of Atlanta, the Federal Reserve System, or its Board of Governors.

3 Banks in Payments Services Who charters and regulates and supervises? FFIEC Agencies State banking authorities The CFPB & Consumer Protection The familiar regulations: TILA, Reg E, etc UDAP Compliance: OFAC, FinCEN & BSA/AML

4 The Examiner s Hot Topics Vendor Management Electronic Banking Mobile Cybersecurity

5 Vendor Management

6 What Constitutes Significant TP Relationship? Relationship is new or involves new FI activities Has material effect on FI s revenues or expenses TP performs critical functions TP stores, access, transmits, or performs transactions with sensitive customer information Increases FI s geographic market Performs a service involving lending or card payment transactions Poses risks that could affect earnings, capital, or reputation Provides product or service that covers large number of consumers Provides product or service that implicates higher risk consumer protection regulations Involves deposit taking arrangements Markets products directly to FI customers that could pose risk of financial loss to individual 6

7 What Is the Guidance? Consists of SR 13-19/CA letter (Guidance on Managing Outsourcing Risk) and an attached policy statement on managing outsourcing risk Supplements existing guidance for technology service providers Refer to the FFIEC Outsourcing Technology Services Booklet (June 2004) at Applies to all financial institutions supervised by the Federal Reserve 7

8 What s New? Applicability of guidance to outsourced activities beyond core bank processing and information technology-related services Enhanced risk management that institutions should have for better oversight and management of outsourcing risk Additional guidance pertaining to key aspects (attributes, governance, and operational effectiveness) of an institution s service provider risk management program 8

9 Areas of Emphasis Types of risk exposure Board of directors and senior management responsibilities Service provider risk management programs Additional risk considerations 9

10 Third Party Risk Types Strategic: Adverse business impact Reputation: Negative public opinion Operational Failed internal processes, people or systems Transactional: Problems with service or product delivery Financial: Unable to meet contractual arrangements Compliance: Violations of laws, regulations or internal policies Foreign: Country, culture, or geopolitical 10

11 Risk Tiers Based on Inherent Risk Inherent Risk is a function of Organizational and Profile risk TIER 1 Define Risk Severity Levels TIER 2 Highly integrated High reliance Interruption leads to significant operational impact High transition cost/effort Some integration Some reliance Interruption leads to moderate operational impact High transition cost/effort TIER 3 No integration Cost & performance drives relationship Interruption leads to limited operational impact Moderate transition cost/effort TIER 4 No integration Cost & performance drives relationship Interruption has no operational impact Minimal transition cost/effort

12 Board and Senior Management Responsibilities Ensuring outsourced activities are conducted in a safe and sound manner and in compliance with appropriate laws and regulations Approving institution-wide vendor management policies that mitigate outsourcing risk Reporting to the board of directors on adherence to policies governing outsourcing arrangements 12

13 Elements of the Service Provider Risk Management Program Risk assessment Due diligence for the selection of service providers Contract provisions and considerations Incentive compensation review Oversight and monitoring of service providers Business continuity and contingency plans 13

14 Due Diligence what is required Existence and corporate history Qualifications and experience/including background checks Ability in implementing and monitory the proposed activity Contact references Review audited financial statements Strategy and reputation Service delivery capability Technology and systems architecture Scope of internal controls Legal and regulatory compliance Business reputation complaints filed Underwriting criteria Insurance coverage Ability to meet disaster recovery and business continuity requirements Service philosophies, quality initiatives, and management style 14

15 Contract Components Scope of Service Performance Standards Security and Confidentiality Controls Audit Reports Business Resumption and Contingency Plans Subcontracting/Multiple Relationships Cost Ownership and License Duration Dispute Resolution Indemnification Limitation of Liability Termination Assignment Foreign-based service providers Regulatory Compliance 15

16 Lack of Board Approved Policy Common Gaps in Vendor Management Program Limited Board of Directors involvement Vendor Management Program not viewed as a whole Lack of Risk Rating Vendors Inadequate Monitoring of SLAs SLAs have not been defined Limited ongoing monitoring Business continuity 16

17 Steps to Follow Follow these steps to establish a safe and sound vendor management program: Step 1 - Ensure that proper internal risk analysis is performed, proper approval is obtained. Step 2 - Perform due diligence prior to contracting with a vendor. Step 3 - Ensure contracts are appropriate. Step 4 - Monitor performance of the vendor and vendor s compliance with contractual and regulatory requirements. Perform ongoing due-diligence and appropriate intervals. 17

18 Electronic Banking

19 Electronic Banking

20 Electronic Banking Account Activity Internal Transfers Bill Pay RDC ACH Wire Transfer External Transfers Mobile Payments New Accounts

21 OPPORTUNITY!

22 Cybercrime Cybercrime is a well-funded, organized business with sophisticated technology. It is driven by a powerful combination of actors ranging from organized crime, nation states, and decentralized cyber gangs. They executed recent massive credit card and identity data breaches, using this data to profit from all types of fraud card not present, account takeover, and new account creation across all businesses across all regions.

23 Cybercrime Where & Why? Where do cyber attacks come from? What is the motivation? Ideology making a political statement Extortion demand for payment to avoid website attack Competition disrupt a competitors online services Fraud used as a tool to aid in unauthorized financial gain 23

24 How do Cyber Criminals gain Access? Deception via DDoS Spam Phishing attempts Spoofed web pages Popup ads and warnings Malware (Trojans, worms, etc.) Theft (laptops, thumb drives, etc.) attachments Downloads Social mediums 24

25 Bank Info Security Enews December 23, 2014 Russian Ring Blamed for Retail Breaches by Tracy Kitten A sophisticated hacking group in Eastern Europe with ties to banking Trojans like Carberp has now been linked to attacks waged against 16 U.S. retailers. Could U.S. banks be the next big targets?

26 Bank Info Security Enews February 16, 2015 Cybercrime Gang: Fraud Estimates Hit $1B Experts Say Anunak/Carbanak Malware Attacks Still Underway By Mathew J. Schwartz A notorious cybercrime gang continues to target financial services firms and retailers. A new report estimates that the Anunak - a.k.a. Carbanak - gang has now stolen up to $1 billion from banks in Russia, the United States and beyond, in part by using "jackpotting" malware that infects ATMs and which attackers can use to issue cash from ATMs, on demand.

27 Regulatory Guidance

28 Three Primary Requirements FFIEC Guidance Effective January 1, 2012 Risk Assessments Layered Security Customer Education & Awareness 28

29 Note Similar to the 2005 guidance, the June 2011 supplement applies to all electronic banking delivery channels, including the mobile banking channel. Whether financial institutions provide all or part of their electronic banking activities to customers through inhouse systems or outsourced, service-provider arrangements, the institutions are responsible and accountable for conformance with the 2005 guidance and the 2011 supplement. VENDOR MANAGEMENT 29

30 SR 15-3 February 6, 2015 Strengthening the Resilience of Outsourced Technology Services Third-party management addresses a financial institution s responsibility to control the business continuity risks associated with its TSPs and their subcontractors. Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer s ability to restore services to multiple clients. Testing with TSPs addresses the importance of validating business continuity plans with TSPs and provides considerations for a robust third-party testing program. Cyber resilience addresses aspects of BCP unique to disruptions caused by cyber events.

31 Mobile Rapid adoption of mobile banking Increasing adoption of mobile banking by customers Majority of banks have adopted/are adopting mobile banking Mobile banking functionality is increasing Cyber criminals are following the money Banks need to assess and manage associated risks 31

32 Cybersecurity

33 National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 February 12,

34 Cybersecurity The process for managing cyber threats and vulnerabilities and for protecting information and information systems by identifying, defending against, responding to, and recovering from attacks. 34

35 Cybersecurity Assessments The FFIEC Cybersecurity and Critical Infrastructure Working Group (CCIWG) was formed in June 2013 at the direction of the Task Force on Supervision and the Council on Supervision. Member agencies include the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the State Liaison Committee.

36 The 9 Domains 1. Cyber Governance, Leadership & Resources 2. Security Culture & Training 3. Risk Management 4. Cyber Resilience 5. Cybersecurity Controls 6. External Dependency Management 7. Threat Intelligence & Collaboration 8. Vulnerability Management 9. Cyber Incident Management

37 The institution s progress within each domain will be represented by a maturity rating Initiating (least mature) Developing Implementing Managing Optimizing (most mature) Note: Each maturity rating is supported by a collection of considerations known as assessment factors.

38 Six-Step Cyber Threat Intelligence Process for Financial Institutions 1. Know your SPECIFIC threats and vulnerabilities. 2. Establish outside sources of threat intelligence for your threats. 3. Actively and continuously adjust your security controls and monitoring as appropriate to mitigate those threats. 4. Have detailed incident plans for responses to the threats, and update these plans periodically as appropriate. 5. Actively adjust your intelligence-gathering goals to address the changes in your threats and risks. 6. Additionally conduct a cyber threat analysis as part of your overall risk management governance and compliance program.

39 Threat Intelligence Information Sources Government and Institutional Resources Federal Bureau of Investigation (FBI) Infragard United States Secret Service (USSS) Electronic Crimes Task Force Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) National Cybersecurity and Communications Integration Center (NCCIC) Financial Crimes Enforcement Network (FinCEN) Common Vulnerability Enumeration Database (CVE) National Vulnerability Database Sector, Industry and Technology-Focused Resources Financial Services-Information Sharing and Analysis Center (FS- ISAC) Competitors, partners, and financial industry associations Industry news sites, e.g. krebsonsecurity.com, bankinfosecurity.com Information security sector sites, e.g. Internet Storm Center, Open Threat Exchange (OTX), ATLAS Managed security service providers (MSSPs) blogs and feeds 39

40 Regulatory Guidance SR 15-3: Strengthening the Resilience of Outsourced Technology Services SR 12-14: Revised Guidance on Supervision of Technology Service Providers SR 11-9: Interagency Supplement to Authentication in an Internet Banking Environment SR 09-2: FFIEC Guidance Addressing Risk Management of Remote Deposit Capture SR 06-13: Q&A Related to Interagency Guidance on Authentication in an Internet Banking Environment 40

41 Regulatory Guidance continued SR 05-23: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice SR 05-19: Interagency Guidance on Authentication in an Internet Banking Environment FFIEC Risk Management of Remote Deposit Capture FFIEC Information Security Booklet SR 01-15: Standards for Safeguarding Customer Information SR 01-11: Identity Theft and Pretext Calling (attachment) Interagency Guidelines Establishing Standards for Safeguarding Customer Information 41

42

43 Who s Regulating Whom & What are the Requirements: Non Bank Payments Services Providers Richard Fraher VP & Counsel Retail Payments Office Federal Reserve Bank of Atlanta

44 If you re not a bank. The Bitcoin dudes: Nobody regulates us! Who are the non banks in payments? Traditional walk up providers Online payment service providers Virtual currency exchanges Social media Games/apps

45 Non Banks in Payments If you re not a bank, and you provide any of the following services (except as an agent of another money services provider), Money orders, traveler s checks; money transmission; check cashing; or currency exchange, You are a Money Services Business

46 So, where does an MSB turn? For its charter/license(s)? To register? To find out what it must, may, or can t do? Permissible activities Consumer protections

47 The Regulatory Roadmap MSB registration requirements: FinCEN The states primary regulatory responsibility BSA/AML examination authority over MSBs resides in the IRS BSA/AML exam manual much like the FFIEC s BSA/AML manual Substantive requirements the same as for banks

48 The Rest is Less Clear What state(s) tell an MSB what it must/may/can t do? Licensure Estimated up front fees to license in 53 jurisdictions: $176k Annual est. fees for renewals: $137k Substantive state by state differences: check casher v. money transmitter v. virtual currency exchange Consumer issues: CFPB, state AGs

49 Thinking Forward Some banks are at least sometimes resistant to non bank entrants into payments But in other parts of the world, public authorities are making a space for non bank providers As the U.S. considers the future of our payments systems, is there a simpler way to structure & regulate MSBs?

50 Questions 50