How to Make Business Impact Analysis, Disaster Recovery Planning and Testing Work While Keeping the Regulators Happy

By Derek Gilmore and Kevin Tsuei, CISA, CISSP, AuditOne LLC

With the myriad regulatory guidance statements related to business contingency planning, it is no wonder that so many community banks continually misinterpret the intent of this practice. We often hear our clients say that between the analyses, policy, procedures and testing, they feel that they would need a dedicated team of staff members to do it correctly. However, with a few practicable recommendations, we intend to show you how to better integrate all areas of your business continuity program into a tailored and manageable process in accordance with FFIEC guidance.

It all begins with the Business Impact Analysis (BIA). A BIA conducted with correct methodology serves as the foundation for the entire program. A good BIA should catalog every departmental business function and the systems and applications required for these functions. Taking into account interdependencies between systems and connectivity, the BIA should then go on to assess the impact of a loss in functionality for each of the identified business functions. We recommend assessing loss impact based on, at a minimum, the degrees of financial, operational and regulatory impact, with a loss impact score assigned to each function. That score is then translated into a recovery-time objective (RTO). Functions with what the bank deems to be “critical” RTOs should be subject to the drafting and testing of function-specific disaster recovery procedures. These procedures will require internal coordination among the BCP coordinator, IT and department heads. For example, each department will be responsible for identifying the recovery procedures specific to its functions, including interdependencies such as key systems and software. IT will then be responsible for ensuring that its disaster recovery procedures can recover these key systems and software within the functional area’s RTO.

Any and all disaster recovery procedures noted in the bank’s Business Continuity Policy (BCP) should directly parallel the functional RTOs listed in the BIA. The RTO should not be a range of hours, days, or weeks, but rather a single, specific timeframe. Additionally, when constructing the pandemic planning portion of the BCP, and specifically when assessing resource redundancy/cross-training and staffing recovery criticality, this should be done for those very same business functions as cataloged in the BIA.

We have already described how the BIA should be used to determine the need and extent of disaster recovery (DR) procedures testing. That said, we offer the following DR testing recommendations in order to further tie the program together:

Create a standardized DR testing worksheet. This might include the following information: the date and location of the test; the business function being tested (from the BIA); the systems and applications involved; the personnel and assets involved; the specific test to be performed; the functional DR procedures and test script to be followed; the expected RTO and results; and the actual recovery time and success or failure. It is important to get the proper stakeholders involved as part of the testing. We have observed that many institutions rely on their IT department or vendor to conduct testing without the involvement of departmental managers and employees. Conducting functional disaster recovery testing can also serve as training for employees. Another issue to keep in mind about having an IT-centric test plan is that some processes are so critical that manual intervention is often needed. One example would be wire transfers. We have observed from time to time that wire recovery procedures are heavily dependent on restoring connectivity to the Federal Reserve Bank or a correspondent bank’s systems. The reality is that wires are such a critical function that manual processes (e.g., originating by fax or phone) should be developed and tested at least annually.

Most importantly, we recommend that the worksheet prominently feature a section detailing lessons learned and management review. This section should be used to highlight areas in which DR procedures, Policy, and even the BIA itself should be revised to include previously unconsidered issues discovered during testing. Perhaps the recovery objective was unrealistic, or a key recovery step was missing, or there was an unrecognized systemic interdependency on which the business function relies. These issues should be assigned to owners and prioritized. It is important that they be tracked, resolved, and used to enhance future testing.

While disaster recovery testing can be seen as a burden by many smaller institutions, management can create a multi-year testing schedule to provide some relief. For example, many institutions elect to conduct table-top testing in the first year, followed by functional testing of high-priority functions in the second and third years. When real-life disasters do happen, the bank should take the time to document the disaster using a layout similar to the worksheet above. There are always many lessons to be learned during a real-life disaster, and they should be properly incorporated to further enhance the bank’s DR procedures.

We strongly encourage banks to regularly revisit their BCP program with lessons learned, as this is the linchpin of an effective but manageable business continuity program.

Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 23 – September 2014.


BSA ALERT: Recent Developments Concerning BSA/AML

By Kevin K. Watson, CAMS, Co-CEO, AuditOne LLC

We recently attended the largest ACAMS Conference in history in Las Vegas where there were 2,000 attendees, up from 1,500 the prior year.  To illustrate the importance of BSA/AML, we counted the number present from the FDIC, FRB, NCUA and OCC on the attendee list at nearly 100, along with numerous other state and federal agencies and law enforcement units.  Aside from most everyone agreeing that regulatory expectations and scrutiny have increased substantially, our key takeaways from the conference are summarized in the following paragraphs.

One important pronouncement, FIN-2014-A007, released August 11 by FinCEN and entitled, “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance” will have significant repercussions for financial institutions.  Because of their significance, we will summarize them here for you.

  1. Leadership should be engaged
  2. Compliance should not be compromised by revenue interests
  3. Information should be shared throughout the organization
  4. Leadership should provide adequate human and technological resources
  5. The program should be effective and tested by an independent and competent party
  6. Leadership and staff should understand how their BSA reports are used

FIN-2014-A007 emphasizes regulatory expectations regarding governance of a financial institution’s BSA/AML program.  We can expect examiners to consider the extent that each financial institution conforms to the culture as an important element of the overall BSA examination rating.  We recommend that directors, managers, and BSA Officers make a careful read of the document that can be found at

Currently out for comment is a FinCEN proposed rulemaking regarding “Customer Due Diligence Requirements for Financial Institutions”.  One of the key elements will be an explicit requirement to collect information on the beneficial owners of legal entities, defined as a 25% ownership interest by an individual, regardless of how many ownership layers are in place between the legal entity and the individual owner.  Individuals with significant control responsibility are also considered to be beneficial owners.  This will prove to be a time-consuming effort in many cases.  Interestingly, the 25% ownership cutoff is actually less onerous than in some jurisdictions, where the cutoff is 10%.  Financial institutions will need to establish written procedures or policies to ensure identification is established for all such beneficial owners, as examiners will certainly be scrutinizing new account files once the guidelines become effective.  The proposed rulemaking can be found at

There is no agreement yet on the form or content of Automated AML system validations, except to provide assurance that AML monitoring systems, customer risk rating models, and sanctions (OFAC) checking features are reliable and efficient.  Examiners are naturally expecting to see such independent validations completed on a periodic basis.   Independent validators will need to follow the validation concepts of OCC 2011-12/FRB SR-11-7, “Supervisory Guidance on Model Risk Management” issued by the OCC and FRB, but also adhered to by the FDIC.

AML and OFAC risk assessments were also much discussed at the conference.  Such risk assessments are critical elements to an AML program and should assess all products, services, geographies and customer types, with generous documentation of the relevant activity levels and other risk drivers of each.  They should address inherent risk, mitigating controls and resulting residual risk for each risk category and be maintained up to date in order to always be representative of the financial institution’s structure and environment.

There were many areas of concern noted by regulators speaking at the conference, but some common issues that caught our attention were as follows.

  • BSA Officer qualifications
  • BSA Program resources
  • Problems associated with turnover of key BSA personnel
  • Inability to identify high risk customers
  • Unique risks presented by exporters with specific reference made to the recent L.A. garment district sweep where 1,000 federal agents made nine arrests and confiscated $100 million cash associated with money laundering where drug cartel funds were being indirectly used to pay for exports from the garment district into Mexico, where they could later be converted to pesos.  Friday’s Los Angeles Times noted that 2,000 more garment district businesses were subsequently individually warned that for the next 180 days, they must file reports for any cash transaction in excess of $3,000.   Bankers to these businesses will also need to be mindful.
  • Foreign correspondent banks involved in the clearing of USD
  • Physicians defrauding private and public insurance companies by making referrals for unnecessary services in exchange for kickbacks

While all of these issues are cause for alarm, we believe the most important will be the FinCEN Culture of Compliance Advisory.  It effectively will serve as an entry barrier into the financial services industry against those that don’t “get it”, while financial institutions that embrace the new compliance culture paradigm will be successful in the long run.


Developing a Successful Service Provider Oversight Program

By Kevin Tsuei, CISA and CISSP, and Vivian Wei, AuditOne LLC

Outsourcing certain technology operations can undoubtedly be a cost-effective means by which an institution meets its needs. However, reliance on a third-party provider is always accompanied by an unknown degree of risk. Not only are effective risk management practices imperative to protecting the security and interests of an institution, they are also an expectation, as the board of directors and senior management bear full responsibility for the safety and soundness of all activities, regardless of whether they are performed in-house or outside.

As an increasing number of community banks are upping their use of cloud computing (one of the many examples of increased reliance on third-party providers), regulators have become more stringent on how management evaluates and monitors outsourced vendors. In this article, we will explain how management can create and implement an effective service provider oversight program. We will also discuss an appropriate response plan for when a vendor is impacted by negative news or regulatory orders.

In 2012, the FFIEC issued a revised IT Examination Booklet on the Supervision of Technology Service Providers (TSP Booklet). A year later, the OCC issued Bulletin 2013-29 which detailed risk management guidance for third-party relationships. The general purpose of the OCC guidance is to help banks implement a proper risk management process to identify risks, conduct appropriate vendor due diligence, inspect written contracts, implement ongoing monitoring, ensure a contingency plan is in place if the relationship terminates, identify appropriate parties to oversee the vendor, retain proper documentation/reporting, and conduct independent reviews of this area.

As with any risk management process, a service provider oversight program should begin with a vendor risk assessment. There are many types of risks to consider when evaluating service providers. However, the risk assessment process need not be overly complex. For example, it can be a simple scoring system based on several inherent risk factors: GLBA, strategic, operational, reputational, compliance/regulatory, and transactional risks.

We will develop a robust methodology for GLBA risks as an example. A typical evaluation of GLBA risks includes the following: What types of sensitive information does the vendor store or have access to? Does the service provider transport the data? We generally recommend management evaluate GLBA risks by using a four-tier risk scoring system:

  • A score of 0 indicates the vendor does not store or have access to any sensitive customer information.
  • A score of 1 indicates the vendor has access to basic customer information such as names and contact information (e.g., marketing companies).
  • A score of 2 indicates the vendor has access to account specific information such as account balances and activities (e.g., statement printing vendor).
  • A score of 3 indicates the vendor has sensitive information such as customer Social Security numbers, birthdays, etc. (e.g., core processor).

The remaining risk factors should be given similar treatment, but due to space limitations, we will not be addressing them in detail.

After the risk scores have been tallied for all service providers, management can classify them into multiple categories (high, medium, or low risk). A risk management program or policy can then be created to minimize residual risk. This policy would address the initial due diligence and ongoing monitoring based on the risk of the vendors.

  • For example, for high-risk vendors, we typically observe that management reviews vendor due diligence materials such as SSAE16 or third-party audit reports, financials, BCP plans, penetration test results, insurance, references, etc.
  • Obtaining other documentation should be considered as well. For example, management should ask for a Red Flags policy from vendors that hold critical customer sensitive information (e.g., core processors). Also, a Certificate of ACH audit should be obtained from ACH service providers. The certificate will ensure the vendor has been audited against NACHA rules.
  • In addition to reviewing materials for initial due diligence and ongoing monitoring, management should review contracts thoroughly. At minimum, a contract should contain common clauses such as confidentiality, service level agreement (SLA), and termination.
  • However, if the service provider stores your data, it is important to search for clauses such as data ownership and security breach monitoring clauses. Data ownership defines who owns the data being stored by your vendor. It should also discuss what will be done with the data upon termination. That is, will the data be returned to its rightful owner? Will it be disposed of securely? Security breach reporting is crucial for vendors that possess your data (e.g., cloud computing provider). The clause should clearly state the timeframe in which the vendor must report the breach.
  • Another important clause to look for in a vendor contract is an auto-renewal clause. Many technology vendors have auto-renewal clauses, which commonly require a termination letter 90 days prior to contract expiration. Some vendors may even have automatic fee increase clauses: if a termination notice is not sent 90 days prior to the contract renewal date, fees are automatically increased.
  • Lastly, it is important to determine whether the Bank has the right to obtain audit reports or inspect the service provider’s environment. This clause is often overlooked but can be important as part of your vendor due diligence.

In recent years, a few technology vendors have been faced with regulatory orders. A C&D order was issued against Fundtech Corporation and BServ, Inc. just in December. When responding to such an order, it is important for the Bank to document the process leading up to the decision of parting or remaining with the technology vendor. If management decides to stay with the vendor, document reasons and ways in which it will affect the Bank. It is recommended that the analysis be submitted to both the IT Steering Committee and the Board for review.

To decrease audit and regulatory risks, it is important for banks to document their initial due diligence and ongoing monitoring of vendors. For example, a contract clauses checklist can aid management in documenting the review to ensure the consistency of the process. When reviewing due diligence material, it is important to record the analysis and report it in your annual Information Security Report.


Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 21 – March 2014.


Protecting Your Infrastructure from Modern Malware, Insider Misuse and Miscellaneous Error

By Robert Kluba, CISM, MCSE and Kevin Tsuei, CISA, CISSP, AuditOne LLC

According to a 2014 Verizon data breach investigation report, 17 percent of all data breach incidents against the financial services industry fall under either insider misuse, miscellaneous error, crimeware (malware) or cyber espionage. The remaining 83 percent includes web application attacks, denial of service, payment card skimmers, theft/loss, point-of-sale intrusion and everything else. While web app attacks, payment card skimmers and denial of service make up the top three data breach incident sources, these topics will not be our focus today, since most community banks outsource their informational website and online banking platforms to third-party service providers. Our focus will be on the first four categories – the 17 percent – since they directly impact smaller banks’ internal IT infrastructure.

There are a number of steps community banks can take to limit the inherent risk of these incidents. A layered approach is one of the most effective ways to protect your institution. Such an approach includes not only malware protection on end-point workstations, servers and web gateways, but also user training, security measures and access controls.

Web Security Gateway
To block malware from reaching servers and workstations, the first layer should be a web security gateway. An effective gateway can scan for malicious URLs and malware before it reaches the internal network. According to a 2014 report published by Osterman Research, nearly three in four organizations have experienced malware infiltration through web surfing in the past year. A bank can configure a web security gateway to scan Internet requests and stop employees from downloading malware or accessing potentially dangerous websites. A proactive web security gateway provider can also scan web traffic to identify legitimate websites that may have been infected with malicious links.

Mail Security
The second most common type of malware infiltration is through email. According to Osterman Research, this is where 64 percent of malware infiltration occurs. Banks should ensure that mail is scanned for malware at the gateway level before reaching the mail server. The mail server should also have an antivirus client installed to scan for malicious attachments. In addition, management should consider restricting employees from accessing their personal webmail. Personal webmail is not scanned as rigorously as the bank’s inbound emails, so the chance of opening an infected attachment or an email with malicious links is greater.

Reduce the Attack Surface
In order to reduce the attack surface, or the targets available for malware to exploit, management can take a number of steps. A bank should conduct a vulnerability assessment periodically in addition to its annual penetration test. This can help management identify the attack surface and reduce potential vulnerabilities. The IT department should also periodically review firewalls, security appliances, network devices and servers to ensure these devices are configured properly and updated periodically. We have conducted a number of penetration tests where we observed that unnecessary inbound firewall rules exposed critical server resources to the public Internet. In addition to reviewing device configurations, management should employ a hardening checklist to ensure all devices are configured to the same standards. The complexity of the checklist can be based on the institution’s risk profile. Lastly, a proper change management system can help detect unauthorized changes and misconfigurations made by IT personnel.
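The firewall rule review mentioned above can be made repeatable with a small script. The following is an added example, not code from the original article or from AuditOne; it assumes a constructed CSV export of inbound rules, an internal address space of 10.10.0.0/16, and an approved list containing only the mail gateway's SMTP service, and it flags every allow rule that reaches an internal host from "any" source (or exposes a remote-admin or database port) as a finding with a severity for management review.

```python
"""Flag inbound firewall rules that expose internal hosts to the public Internet."""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Assumed internal address space and the short list of services the bank
# deliberately publishes to the Internet; anything else open to "any" is a finding.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]
APPROVED_PUBLIC = {("10.10.1.25", 25)}                          # mail security gateway, SMTP
ADMIN_PORTS = {22, 23, 135, 139, 445, 1433, 3306, 3389, 5900}   # remote-admin and database services

# Constructed rule export (not from any real device): id,action,source,destination,port,comment
SAMPLE_RULES = """\
id,action,source,destination,port,comment
1,allow,any,10.10.1.25,25,inbound SMTP to mail gateway
2,allow,any,10.10.2.10,3389,temporary RDP for vendor
3,allow,203.0.113.0/24,10.10.2.10,3389,vendor RDP from their range
4,allow,any,10.10.2.20,445,file server
5,allow,any,10.10.2.30,any,web test box
6,allow,any,10.10.2.40,443,intranet portal
7,deny,any,any,any,default deny
"""


@dataclass
class Finding:
    rule_id: int
    severity: str
    reason: str


def is_internal(dest: str) -> bool:
    """True if the destination lies inside the internal address space ("any" includes it)."""
    if dest == "any":
        return True
    try:
        net = ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return False
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def review_rules(rule_text: str) -> list:
    """Return findings for allow rules that reach internal hosts without approval."""
    findings = []
    for row in csv.DictReader(io.StringIO(rule_text)):
        if row["action"].lower() != "allow" or not is_internal(row["destination"]):
            continue
        rule_id = int(row["id"])
        src, dst, port = row["source"], row["destination"], row["port"]
        port_num = None if port == "any" else int(port)
        from_internet = src == "any"
        if from_internet and (dst, port_num) in APPROVED_PUBLIC:
            continue  # intentionally published service
        if from_internet and port_num is None:
            findings.append(Finding(rule_id, "HIGH", f"all ports on {dst} open to any source"))
        elif from_internet and port_num in ADMIN_PORTS:
            findings.append(Finding(rule_id, "HIGH",
                                    f"admin/database port {port_num} on {dst} open to any source"))
        elif from_internet:
            findings.append(Finding(rule_id, "MEDIUM",
                                    f"port {port_num} on {dst} open to any source but not on the approved list"))
        elif port_num in ADMIN_PORTS:
            findings.append(Finding(rule_id, "LOW",
                                    f"admin port {port_num} on {dst} reachable from {src}; confirm it is still needed"))
    return findings


if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"rule {f.rule_id}: {f.severity} - {f.reason}")
```

The approved list is the key design choice: the review compares the live rule base against what management has consciously decided to publish, so a rule added "temporarily" and never removed (rule 2 above) surfaces on every run rather than blending in with legitimate exposure.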

Ensure All OSs, Applications and Browsers are Patched
Banks should ensure they have a patch management program in place which is audited on a regular basis. Operating system and application vendors release hotfixes, service packs and security patches to correct known defects. These defects are known not only to the vendors but also to malicious hackers who design malware to exploit these vulnerabilities. Your managed service provider or internal IT personnel need to have a plan to test and apply patches when they are released. According to Trustwave’s 2013 Global Security Report, the top three client vulnerabilities are from Microsoft Internet Explorer, Adobe Flash and Oracle Java. Since many malware attacks occur with web browsing activities, it is critical that attackers are not able to exploit weaknesses with these web-based software programs. This can be done by keeping the browsers and plug-ins up-to-date or better yet by disabling unnecessary plug-ins when possible. In addition, application whitelisting can also help reduce the number of attack vectors. We observed from many of our clients that some of the vulnerabilities are a result of unapproved third-party browsers and software installations.

Restrict User Accounts
According to an article published by Avecto, a company specializing in Windows privilege management, removing local administrative rights on users’ workstations can mitigate 92 percent of critical Microsoft vulnerabilities. The research is based on Avecto’s analysis of all of the security bulletins issued by Microsoft in 2013. In fact, the most frequent online attack vector is Internet Explorer, and based on Avecto’s assessment, 100 percent of all vulnerabilities within Internet Explorer could have been stopped by removing local administrative rights.

Data Loss Protection and Autorun
Another solution to stop common malware attacks is to disable autorun within Microsoft Directory Services and limit the use of portable storage devices. Disabling autorun stops malware from executing when a USB drive or CD/DVD media is accessed on the workstation. Malware can easily spread from these portable devices because they bypass the layered security that you have in place for Internet based malware. To limit the exposure of critical data, management should also enforce security group permissions and data classification so they can restrict who can access each type of data at the bank. In addition, periodic reviews of user accounts can help limit attack vectors. This includes reviewing for terminated users and vendor accounts; eliminating any generic, shared and default accounts; reviewing user and group access; and enacting unique and complex password policies across different applications.
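The periodic user account review listed above lends itself to a scripted first pass. The following is an added example, not code from the original article or from AuditOne; it assumes a constructed directory export (username, account type, enabled flag, last logon, expiration), an assumed HR roster of current employees, assumed naming hints for generic logins, and a 90-day staleness threshold, and it produces the list of enabled accounts a reviewer should look at: terminated users still enabled, vendor accounts with no or past expiration, built-in defaults left enabled, generic/shared logins, and accounts with no recent logon.

```python
"""Periodic user-account review over a constructed directory export."""
import csv
import io
from datetime import date

AS_OF = date(2024, 5, 6)        # review date (constructed)
STALE_DAYS = 90
# Assumed HR roster of current employees and naming hints for generic/shared logins.
HR_ROSTER = {"jsmith", "mlee", "tadmin"}
GENERIC_HINTS = ("shared", "temp", "test", "generic")

# Finding labels
TERMINATED = "employee not on HR roster: possible terminated user still enabled"
STALE = f"no logon in {STALE_DAYS}+ days"
DEFAULT_ENABLED = "built-in default account enabled"
GENERIC = "generic/shared login"
VENDOR_NO_EXPIRY = "vendor account has no expiration date"
VENDOR_EXPIRED = "vendor account past its expiration date but still enabled"

# Constructed export (not from any real directory): username,account_type,enabled,last_logon,expires
SAMPLE_EXPORT = """\
username,account_type,enabled,last_logon,expires
jsmith,employee,true,2024-05-03,
bjones,employee,true,2024-01-15,
mlee,employee,true,2024-05-06,
svc_backup,service,true,2024-05-05,
vendor_core,vendor,true,2024-04-30,
vendor_hvac,vendor,true,2023-11-02,2024-02-01
teller_shared,employee,true,2024-05-06,
guest,builtin,true,,
administrator,builtin,false,2022-07-01,
tadmin,employee,true,2024-05-04,
"""


def _date(text: str):
    """Parse an ISO date from the export; empty fields mean 'never' / 'none'."""
    return date.fromisoformat(text) if text else None


def review_accounts(export_text: str, as_of: date = AS_OF) -> dict:
    """Return {username: [finding labels]} for enabled accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].lower() != "true":
            continue  # disabled accounts are out of scope for this review
        name, kind = row["username"].lower(), row["account_type"].lower()
        reasons = []
        if kind == "builtin":
            reasons.append(DEFAULT_ENABLED)
        elif any(hint in name for hint in GENERIC_HINTS):
            reasons.append(GENERIC)
        elif kind == "employee" and name not in HR_ROSTER:
            reasons.append(TERMINATED)
        elif kind == "vendor":
            expires = _date(row["expires"])
            if expires is None:
                reasons.append(VENDOR_NO_EXPIRY)
            elif expires < as_of:
                reasons.append(VENDOR_EXPIRED)
        last = _date(row["last_logon"])
        if last is None or (as_of - last).days > STALE_DAYS:
            reasons.append(STALE)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in review_accounts(SAMPLE_EXPORT).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Comparing the directory against the HR roster is what catches terminated users; the directory alone cannot tell a departed employee from a current one, which is why the review needs a second source of truth.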

Centralized Log Collection and Analysis
Management should also consider employing a SIEM device. A SIEM (Security Information and Event Management) system can collect logs from firewalls, intrusion prevention systems, network devices, servers and workstations. The collected logs are analyzed against a set of rules to help identify unusual activities and security events. In addition to implementing a SIEM system to monitor real-time security events, management should review its settings periodically to ensure data is being captured and the system is fine-tuned to eliminate noise and identify critical security events.
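To show what "analyzed against a set of rules" and "fine-tuned to eliminate noise" mean in practice, here is an added example of a minimal SIEM-style correlation, not code from the original article or from AuditOne. It assumes a constructed, simplified log format (timestamp, host, event name, key=value pairs), a vulnerability scanner at an assumed address whose failed logons are deliberately suppressed as noise, and three rules: a burst of failed logons on one account, a successful logon shortly after repeated failures, and an administrative group change outside business hours.

```python
"""Minimal SIEM-style correlation over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

FAIL_THRESHOLD = 5                  # failed logons per account inside WINDOW
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local (assumed)
# Tuning to eliminate noise: the vulnerability scanner (assumed address) trips logon failures by design.
NOISE_SOURCES = {"10.10.9.9"}

# Constructed log lines in a simplified format (not real SIEM or Windows event output).
SAMPLE_LOGS = """\
2024-05-06T08:01:12 dc01 LOGON_FAIL user=jsmith src=10.10.5.23
2024-05-06T08:01:20 dc01 LOGON_FAIL user=jsmith src=10.10.5.23
2024-05-06T08:01:31 dc01 LOGON_FAIL user=jsmith src=10.10.5.23
2024-05-06T08:01:45 dc01 LOGON_FAIL user=jsmith src=10.10.5.23
2024-05-06T08:02:02 dc01 LOGON_FAIL user=jsmith src=10.10.5.23
2024-05-06T08:02:30 dc01 LOGON_OK user=jsmith src=10.10.5.23
2024-05-06T08:05:00 dc01 LOGON_FAIL user=svc_backup src=10.10.9.9
2024-05-06T08:05:01 dc01 LOGON_FAIL user=svc_backup src=10.10.9.9
2024-05-06T08:05:02 dc01 LOGON_FAIL user=svc_backup src=10.10.9.9
2024-05-06T08:05:03 dc01 LOGON_FAIL user=svc_backup src=10.10.9.9
2024-05-06T08:05:04 dc01 LOGON_FAIL user=svc_backup src=10.10.9.9
2024-05-06T09:30:00 fs01 LOGON_FAIL user=mlee src=10.10.5.40
2024-05-06T09:30:05 fs01 LOGON_OK user=mlee src=10.10.5.40
2024-05-06T22:14:09 dc01 ADMIN_GROUP_CHANGE user=tadmin group=DomainAdmins action=add member=contractor1
this line is not in the expected format
"""


def parse(line: str):
    """Parse one line into a dict, or return None for lines the collector cannot read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    event = {"ts": ts, "host": m.group("host"), "event": m.group("event")}
    event.update(KV_RE.findall(m.group("rest")))
    return event


def correlate(log_text: str) -> list:
    """Return alerts as (rule, user, timestamp) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(list)    # user -> timestamps of recent non-noise failed logons
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        user, ts = ev.get("user"), ev["ts"]
        if ev["event"] == "LOGON_FAIL":
            if ev.get("src") in NOISE_SOURCES:
                continue            # suppressed: known scanner traffic
            recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:   # fires once per burst, not on every extra failure
                alerts.append(("brute_force", user, ts))
        elif ev["event"] == "LOGON_OK":
            recent = [t for t in failures.get(user, []) if ts - t <= WINDOW]
            if len(recent) >= 3:
                alerts.append(("success_after_failures", user, ts))
        elif ev["event"] == "ADMIN_GROUP_CHANGE" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_admin_change", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in correlate(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {rule}: {user}")
```

The unparseable last line is included on purpose: a SIEM review should also confirm that log sources are actually being captured, and counting lines that fail to parse is one simple way to spot a changed log format or a broken collector.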

Educate Users
Many current malware attacks use social engineering. Management should provide information security training on a regular basis which explains the various social engineering threats and steps that can be taken to prevent a malware attack at the bank. Creating a security-aware culture at a bank requires time and involvement by senior management.

Often, a bank invests in door locks and security guards to deter the security threats it faces. Similarly, a bank can implement the methods highlighted above in order to deter malware security threats. Creating a multi-layered approach, reducing the number of attack vectors, maintaining your systems, restricting user access and administrative capabilities, blocking portable devices, and providing effective education are key steps to securing your bank from potential malware attacks.

Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 22 – June 2014.


Strategic Moves to Ensure Your Bank is Proactively Managing Risk

By Bud Genovese, AuditOne LLC

Bank directors need to know that in the eyes of regulators, risk management is trending up and trending hot. Because what impacts large banks often trickles down to smaller community banks, directors in banks under $10 billion should pay close attention to the new requirement from the Dodd-Frank Act requiring larger banks to set up separate Risk Committees. Regulators have “heightened expectations” for banks to enhance risk management processes in order to be able to maintain ratings.

This is not a bad development. Many banks already incorporate risk management into their Audit Committees. Directors need to ensure the proper monitoring and management of risk, whether as a separate group or within the charter of the Audit Committee. Remember that managing risk is a strategic business function and is forward-looking. Directors must keep the objectives separate from the auditing objectives, which review results of past activity.

Enhanced Risk Management Can Boost Business
There are business benefits for banks of all sizes to enhance risk management. Banks can gain competitive advantage by being better able to grow profits and meet strategic goals while better managing risks. Banks benefit when they understand what their risk appetite is and put in policies and controls to make sure that throughout the organization they truly understand the risks in the business, and not just discount something as not probable or not possible.

Create a Risk Appetite Framework
Many banks are implementing a Risk Appetite Framework (RAF) as the way to provide an overall governing risk management architecture. The RAF serves as the operating principle to align bank strategy, capital allocation and risk. In the past, the focus was on strategy and capital; however, risk is now a key consideration.

The RAF states the maximum level of risk that a bank is prepared to accept in order to achieve business objectives. The RAF should be used to develop the RAF Statement with collaboration from the CEO, CRO and CFO. This RAF Statement translates the overall strategy into measurable targets and thresholds across material risk categories. These risk tolerances enable performance monitoring and management which aims to identify optimal growth options considering the risk involved and the allocation of available capital resources to drive sustainable performance.

The RAF Statement should not be complex, but rather a concise statement that identifies the most important and applicable risk tolerances and limits. This statement needs to specify the action to be taken if exceptions or out-of-tolerance conditions surface. From the RAF Statement the risk appetite tolerance levels are established and should be set at different trigger levels, with clearly defined escalation requirements which enable appropriate actions to be defined and implemented as required. In cases where the tolerance levels are breached, it is the responsibility of the bank managers of that functional area to bring it to the attention of the board. The board should review and approve the RAF and RAF Statement on an annual basis to ensure that it is consistent with bank strategy, business and the regulatory environment.

Risk Assessments are Key Tools
Directors should insist their bank performs an annual Enterprise Risk Assessment (ERA) that takes into consideration the bank’s strategic plan and regulatory risk factors (CAMELS). The ERA can be performed in-house if staff expertise in this area is available or contracted with an independent risk management consulting firm.

The ERA should analyze each operational bank function and calibrate the precise level of risk and internal control auditing necessary to meet safety, soundness and the latest regulatory requirements. The ERA methodology should a) risk-score each area and activity, b) translate that score into a risk rating, and c) map that rating to a recommended audit frequency. Ensure that stress testing is regularly performed that covers the major risk areas. The ERA can save banks money by identifying and applying appropriate risk-based resources.

Regular Review of Risk Management Program
Regular – meaning at least annual – review of the effectiveness of the risk management program is essential. Employ the resources of your bank’s internal auditor or a third-party consultancy to provide an independent assessment and resulting audit report of the effectiveness of the risk management function. Regulators will be placing this new expectation on the bank’s internal audit function to assess the bank’s risk management program.

The Role of Directors in Risk Management
Directors need to train, prepare for, and demand enhanced risk management at their banks. Strong risk management should proactively point to potential problems, and better handle new risks that technology and the economy present, all adding to greater operating and profit results.

Published in Western Independent Bankers Association’s Directors Digest, Issue 81 – March 2014.