AuditOne Compliance Advisory – Preparing for HMDA changes

AuditOne Compliance Advisory – From Bud Genovese, Chairman

AuditOne is proud to announce the new issue of our Compliance Advisory written by our Compliance Practice Director, Celeste Burton. Please take a look at it below, and feel free to forward this email to the appropriate people within your financial institution. And remember, when you need the most thorough risk management expertise for compliance audits, credit reviews, and information security audit services, contact the best in the business… AuditOne. Our expertise is your edge, thank you. –Bud

Volume 1 / Issue 1

Preparing for HMDA

We anticipated, we waited, and it’s finally arrived. On October 15, 2015, the Consumer Financial Protection Bureau (CFPB) released a 797-page final rule that expands the scope of mandatory data reporting under the Home Mortgage Disclosure Act (HMDA). The new rule, which will be implemented in phases through 2020, represents the most significant changes to HMDA and Regulation C in over a decade. The presiding expectation is that data gathered as a result of this new rule will allow regulators to better identify discriminatory lending patterns, and monitor whether financial institutions are serving the needs of their communities. The requirements can be placed into four categories:

1. New applicability standards: A new 25-loan threshold was established for determining whether a lender is subject to the data collection and reporting requirements.

2. Expansion of types of reportable applications and loans: Data must now be collected on all “dwelling-secured” or “covered” loans. This would include closed-end mortgage loans, open-end lines of credit, reverse mortgages, and business-purpose loans and lines of credit secured by a dwelling.

3. Expansion of reportable data: The items of information HMDA lenders must collect and report have more than doubled, with specific, and different, data requirements from both Dodd-Frank and the CFPB.

4. Quarterly reporting for large-volume HMDA lenders: Lenders that reported at least 75,000 reportable transactions in the prior year would be required to submit data within 60 days following each quarter end.


TRID Grace Period?

While there are varying opinions about the true meaning of a “hold harmless grace period” for compliance with the TILA-RESPA Integrated Disclosure (TRID) rule that became effective October 3, 2015, we do know with certainty that examiners will expect banks to demonstrate evidence of good faith efforts to comply. Efforts to update policies, procedures, processes, systems, training and protocols for handling implementation issues as they arise are all fair game. But regulators can’t protect banks from private lawsuits. A House bill recently passed that provides some safe harbor protections until January 2016, but the bill still needs to go to the Senate and would need to survive a possible Presidential veto.

Hope for the best – prepare for the worst.

When are financial institutions expected to comply?

January 1, 2017: Institutions that meet certain requirements and did not originate at least 25 home purchase loans (or refinancings of home purchase loans) in 2015 and 2016 become exempt from HMDA.

January 1, 2018:

· Institutions that did not originate at least 25 covered closed-end mortgage loans or 100 covered open-end lines of credit in the previous two years become exempt from HMDA.

· Lenders must collect and report on the new and amended data points.

· Lenders must use a new web-based submission tool currently being developed by the CFPB to report HMDA data.

· Loans secured by a dwelling will now be covered by HMDA regardless of purpose.

March 1, 2019: Lenders must submit first data sets under the new standards.

January 1, 2020: Each large volume lender reporting at least 60,000 applications and loans must begin submitting quarterly reports.

March 30, 2020: Large volume lenders must submit their first quarterly reports.


Questions to Ask In Preparing For New HMDA Reporting Requirements…

1. Do we currently obtain new required data fields during the application process?

2. Does our system include (or have the capability to retain) required data fields?

3. Do we have a source document matrix that identifies the source (i.e. loan file location) of each data field required for ease of internal and 3rd party review?


“If you fail to plan, you are planning to fail.” – Benjamin Franklin


AML software tips

Make the most of your investment in BSA Automated Software to assist in achieving compliance with BSA/AML/OFAC regulatory requirements. Whether your software is “Rules” or “Behavior” based (a), there are certain key controls that all institutions should consider in their ongoing monitoring routines (b):

· Data Integrity

o Alerts

o Quality & Usefulness

o Documented Results of Alert Analysis

o Timely Addressing of Alerts

· Proper Documentation for Cases not Resulting in SAR filings

· Parameters are Appropriate and Aligned with Risk Assessment/Policies/Practices

· Testing of System Changes

· Periodic System Validation

· Model (Performance, Testing, Validation)

· Key Information Reported to the Management

· Appropriate Understanding by Personnel (training)

· Appropriate User Authorities and Controls

· Vendor Management Oversight

a) Rules Based Alerts are based on specific, often logic or activity based, rules. When the criteria for that rule are met, an alert is generated. Behavior Based Alerts are based on specific customer behavior. Defined parameters exist for expected behavior (either overall or for specific customers) and alerts are generated when activity is outside of expected behavior.

b) Typically includes but is not limited to cash, wire transfers, negotiable instruments, ATM/debit cards, ACH, electronic transfers, lending transactions, and deposit activity.
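The two alert types in note (a), and the “Documented Results of Alert Analysis” control in the Data Integrity bullets, can be made concrete with a small monitoring routine. The following is an added example written for this advisory, not AuditOne’s or any BSA software vendor’s code; the transactions, customer IDs, the $10,000 cash threshold and the z-score cut-off are constructed for the illustration. A rules-based alert fires on fixed, documented criteria (here: cash over a threshold, and several sub-threshold cash deposits in one day that together exceed it), while a behavior-based alert compares each customer’s activity with that customer’s own baseline, which is how the wire activity below is caught even though no wire rule exists.

```python
"""Toy illustration of rules-based vs behavior-based AML alerting.

Added example (not AuditOne's or any vendor's software). Sample transactions,
thresholds and customer IDs are constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    day: int          # day index within the review period
    kind: str         # "cash", "wire", "ach", ...
    amount: float


# Constructed sample data: customer A is a steady cash business, customer B
# suddenly starts moving large wires, customer C makes split cash deposits.
SAMPLE = [
    *[Txn("A", d, "cash", 4_000 + 50 * (d % 3)) for d in range(1, 31)],
    *[Txn("B", d, "wire", 1_200) for d in range(1, 29)],
    Txn("B", 29, "wire", 48_000),
    Txn("B", 30, "wire", 51_000),
    Txn("C", 30, "cash", 9_500),
    Txn("C", 30, "cash", 9_700),
]

# --- Rules-based: fixed, documented criteria; an alert fires when a rule matches
CASH_THRESHOLD = 10_000          # constructed threshold
STRUCTURING_MIN_COUNT = 2        # constructed


def rules_based_alerts(txns):
    alerts = []
    daily_cash = defaultdict(list)
    for t in txns:
        if t.kind == "cash" and t.amount > CASH_THRESHOLD:
            alerts.append((t.customer, t.day, "CASH_OVER_THRESHOLD"))
        if t.kind == "cash":
            daily_cash[(t.customer, t.day)].append(t.amount)
    for (cust, day), amounts in daily_cash.items():
        # several sub-threshold cash deposits in one day that together exceed it
        if (len(amounts) >= STRUCTURING_MIN_COUNT
                and all(a <= CASH_THRESHOLD for a in amounts)
                and sum(amounts) > CASH_THRESHOLD):
            alerts.append((cust, day, "POSSIBLE_STRUCTURING"))
    return alerts


# --- Behavior-based: per-customer baseline from history, alert on deviation
def daily_totals(txns):
    totals = defaultdict(float)
    for t in txns:
        totals[(t.customer, t.day)] += t.amount
    return totals


def behavior_based_alerts(txns, baseline_days=20, z_threshold=3.0):
    """Alert when a customer's daily total deviates sharply from their own baseline."""
    per_customer = defaultdict(dict)
    for (cust, day), amount in daily_totals(txns).items():
        per_customer[cust][day] = amount
    alerts = []
    for cust, by_day in per_customer.items():
        history = [amt for day, amt in by_day.items() if day <= baseline_days]
        if len(history) < 2:
            continue  # not enough history to establish expected behavior
        mu, sigma = mean(history), pstdev(history)
        for day in sorted(d for d in by_day if d > baseline_days):
            amount = by_day[day]
            if sigma > 0:
                z = (amount - mu) / sigma
            else:
                z = float("inf") if amount != mu else 0.0  # perfectly regular history
            if z > z_threshold:
                alerts.append((cust, day, "BEHAVIOR_DEVIATION"))
    return alerts


def alert_register(txns):
    """Merge both alert streams into a worklist; every entry needs a documented disposition."""
    combined = rules_based_alerts(txns) + behavior_based_alerts(txns)
    return [{"customer": c, "day": d, "alert": a, "disposition": None} for c, d, a in combined]


if __name__ == "__main__":
    for entry in alert_register(SAMPLE):
        print(entry)
```

Run as written, the register holds one structuring alert for customer C and two behavior alerts for customer B. The "disposition" field left empty is the point of the Data Integrity controls above: each alert, whether or not it ends in a SAR, should end with a recorded conclusion, and the thresholds in the rules should trace back to the institution's risk assessment.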


Staying a step ahead

Meeting heightened regulatory expectations in today’s environment requires a gradual and continuous shift in focus from improving specific processes to fully integrating risk management and compliance into the bank’s culture. Below are a few tips on how to stay ahead:

· Boards should continually challenge senior management’s risk assumptions and business plans, documenting such instances in Board minutes.

· Chief Risk Officers should collaborate with business lines as compliance and risk management continue to be an enterprise-wide focus.

· Risk Management and Compliance responsibilities should be clearly reflected in performance management programs and reinforced in employee training.

· Continually integrate the evaluation of potential Consumer Protection impacts on new or changing products, services, practices and disclosures into existing compliance monitoring protocols.


On the horizon…



Flood Insurance (12 CFR Part 339), effective January 2016

· Requires institutions to escrow premiums and fees for certain designated loans that are made, increased, extended, or renewed on or after January 1, 2016.

· Requires lenders to offer and make available to consumers the option to escrow premiums and fees for certain loans outstanding as of January 1, 2016. Implements exemptions to the escrow requirement provided under the Homeowner Flood Insurance Affordability Act.

Military Lending Act

The Department of Defense (DOD) issued a final rule (amending the implementing regulations of the Military Lending Act of 2006 (MLA)) that “expands specific protections provided to service members and their families, and addresses a wider range of credit products than the DOD’s previous regulation.”

“The Final Rule:

· Extends MLA protections to a wider range of credit products, including credit cards.

· Modifies the MAPR to include fees for credit-related ancillary products sold in connection with the credit transaction, finance charges associated with consumer credit, and certain application and participation fees. Also, for credit cards, the MAPR excludes certain fees if bona fide and reasonable.

· Provides a safe harbor for creditors ascertaining whether a consumer is covered by the final rule’s protections.

· Modifies the existing prohibition on rolling over, renewing or refinancing consumer credit.

· Subjects creditors to civil liability and administrative enforcement for MLA violations.”

Institutions and other creditors must comply with the rule for new covered transactions beginning October 3, 2016. For credit extended in a new credit card account under an open-end consumer credit plan, compliance is required beginning October 3, 2017.


Celeste Burton is Compliance Practice Director at AuditOne and can be reached on our Team & Contact page.

Bud Genovese is Chairman of AuditOne LLC, a California-based risk management firm that focuses only on financial institutions. Mr. Genovese pioneered the concept of providing comprehensive internal audit, compliance and credit review services by assembling extraordinary expertise within one firm.

AuditOne now serves over 200 clients throughout the Western United States, and nationally. Contact Kevin Watson, Co-CEO at 562.802.3581 or Jeremy Taylor, Co-CEO at 650.299.9185. Both may also be reached on our Team & Contact page.

Bud Genovese, Chairman
AuditOne LLC


Our Expertise, Your Edge™



AuditOne Advisory: On The Horizon – The Current Expected Credit Losses (CECL) Model

AuditOne Advisory

From Bud Genovese, Chairman

Our Co-CEO Jeremy Taylor’s advisory below covers CECL and how to prepare now as it appears it will become a reality sooner than later. Please feel free to forward this informative presentation to any appropriate people in your bank.  And remember, contact us to best serve your risk management needs, as we are the industry leading expert for internal audit and credit review.  Thank you.  –Bud

“Waiting for CECL”

The Allowance for Loan and Lease Losses (ALLL) is a hugely important figure for financial institutions (FIs).  The current, Incurred Loss approach is laid out in the last significant guidance statement on the subject, FIL-105-2006, released back in 2006.  Now that everyone’s finally got themselves more or less comfortable with it, it’s all about to change.  FASB will soon be releasing guidance on the Current Expected Credit Loss (CECL) methodology.  It was expected last year, then Q2/15, now slated for later this year.

The main idea of CECL is that loss reserving should reflect losses expected over the life of a loan and not just losses already incurred (even if not yet recognized), or in standard current practice, losses expected over the next 12 months.  While the 2006 Qualitative & Environmental adjustments (or “Q-factors”) bridge between the historical loss period and today’s conditions and circumstances, you can think of CECL as requiring you to do the same thing out through each loan’s remaining life.  In practical terms, “expected” implies some measure of long-term average losses for that type of loan (i.e., based on its type, industry, location, vintage, etc.), before applying Q-factors. It’s less clear how scenario effects might also be incorporated.  (The literature on this subject generally emphasizes holding reserves against expected losses and capital against the unexpected (or adverse scenario, right-tail) losses.  It remains to be seen how this potential double-counting of reserves and capital will play out.)

Note, too, that FASB is proposing to apply CECL not just to loans but also to securities, thereby replacing the current OTTI (Other Than Temporary Impairment, the credit (not interest rate) effects) approach.  This means that, like loans, they’ll have a reserve against expected credit losses rather than being directly written down to reflect OTTI. Lengthening the relevant time horizon over which potential future losses are to be assessed (from 12 months to life of loan) immediately highlights one critical and much-discussed aspect of CECL: upward pressure on the level of required reserves.  In the absence of details on computation and implementation, it’s too early to determine this with any precision.  Tom Curry, the OCC head, is on the record as suggesting typical increases in the range of 30 – 50%.  That’s material, especially considering that roll-out will overlap with (or follow shortly after) phase-in of increased Basel III capital requirements; the main purpose of the ALLL, like capital, is to absorb losses.  CECL means that booking a loan will require booking the statistically expected loss right away.  But keep in mind the intended counter-cyclicality of CECL: booking higher reserves in today’s more benign macro environment is intended to better buffer institutions against future downturns and necessitate less aggressive provisioning under such less benign conditions.

One more thing before we provide a few practical, pre-CECL suggestions.  We’re all used to thinking in terms of general versus specific reserves (or FAS 5 versus FAS 114, or ASC 450-20 versus ASC 310-10-35).  But CECL essentially applies the impairment (FAS 114) mindset to the non-impaired portfolio, requiring all loans (whether impaired or not) to be assessed based on expected repayment prospects.  However, for practical purposes we’ll still want to think about using homogeneous pools for the good stuff; for most institutions (whatever your size) doing discounted cash flow (DCF) analysis at the loan level is too daunting in terms of the data and computing requirements.  DCF (or net realizable value calculation, for collateral-dependent loans) will likely continue to be worthwhile only for those loans with uncertain repayment/recovery prospects.  Related to this, the projected increase in reserves under CECL is expected to come in the non-impaired portfolio much more than in the impaired.

Again, CECL’s details remain murky, but let’s finish with a few things to keep in mind in preparation:

Yes, higher required reserves, though with many smaller (and non-public) FIs currently holding excess (or “unallocated”) reserves, above what their model calculations now suggest, that effect (in terms of a need for a significant, one-time increase in reserves) may be less pronounced.  Nor is it clear whether that might flow through income (via loss provisioning), versus an adjustment to capital (i.e., like the difference between treatment of mark-to-market losses for AFS versus HTM securities holdings). More likely the latter, though still to be confirmed.

Given the more onerous demands (per #3 and 4, below), it is expected that CECL will have a multi-year phase-in.  That, too, will mitigate the “headline effects” of CECL, though the expected 3 – 4 years must cover the demands associated with not just #3 and #4 but also a parallel-run period.

Data requirements will rise significantly, both in time series (i.e., number of years’ history) and cross-sectionally (i.e., the number of variables).  FIs will be expected to collect loan-level data on a wider range of loss and other loan performance variables than is currently expected.  Internal data on portfolio performance can be supplemented with outside sources such as FDIC and RMA (Risk Management Association).  You’ll also need to be able to tie it in with prevailing external data (e.g., how the local/regional economy was doing), though that’s typically easier to procure.  Ditto for forecasts of such driving, external variables.  A couple of related points:

  1. Loss migration becomes much more important: not just the loss rate by loan type and, if available, risk grade.  It’s also the migration patterns – i.e., movement up and down between grades – by loan type, origination vintage and other identifiers.  You’ll need to be able to assess (with, of course, due supporting data) the probability of a grade 3 loan, for example, being downgraded to 4, and then to 5, and eventually all the way to default.
  2. Community banks and credit unions will be expected (even if not for day one) to follow down the path already taken by larger institutions towards splitting loss rates into probability of default (PD) versus severity (or loss given default (LGD)) rates; the former reflect risk grade/borrower characteristics while the latter are driven by loan structure (in particular, collateral value).
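Points 1 and 2 above describe a grade-migration matrix and the split of loss rates into PD and LGD. The block below is an added example, not AuditOne’s ALLL model or any vendor’s software: it estimates annual transition probabilities by counting one-year grade moves in constructed loan-level observations, raises that matrix to the remaining life of a loan to get a cumulative probability of default, and multiplies by a constructed LGD to arrive at a lifetime expected loss in the CECL sense. The grades, observations, vintages, balance and LGD are all constructed; the “D” state for default is treated as absorbing.

```python
"""Grade-migration matrix and lifetime expected loss from loan-level history.

Added example, not AuditOne's ALLL model or any vendor's. Grades, observations,
balance and LGD are constructed for the illustration.
"""
from collections import defaultdict

GRADES = [1, 2, 3, 4, 5, "D"]   # "D" = default, treated as an absorbing state

# Constructed sample: (loan_id, origination vintage, grade at year t, grade at year t+1)
OBSERVATIONS = [
    ("L01", 2012, 3, 3), ("L02", 2012, 3, 4), ("L03", 2012, 3, 3), ("L04", 2012, 3, 2),
    ("L05", 2013, 4, 4), ("L06", 2013, 4, 5), ("L07", 2013, 4, 3), ("L08", 2013, 4, 4),
    ("L09", 2013, 5, "D"), ("L10", 2013, 5, 5), ("L11", 2014, 5, 4), ("L12", 2014, 5, "D"),
    ("L13", 2014, 2, 2), ("L14", 2014, 2, 3), ("L15", 2014, 1, 1), ("L16", 2014, 1, 2),
]


def migration_matrix(observations, vintage=None):
    """Annual transition probabilities P[g_from][g_to], estimated by counting
    observed one-year moves; restrict to one origination vintage if given."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, v, g_from, g_to in observations:
        if vintage is None or v == vintage:
            counts[g_from][g_to] += 1
    matrix = {}
    for g in GRADES:
        total = sum(counts[g].values())
        if g == "D":
            matrix[g] = {h: (1.0 if h == "D" else 0.0) for h in GRADES}  # default is absorbing
        elif total == 0:
            matrix[g] = {h: (1.0 if h == g else 0.0) for h in GRADES}    # no data: assume no movement
        else:
            matrix[g] = {h: counts[g][h] / total for h in GRADES}
    return matrix


def compose(a, b):
    """Matrix product of two transition matrices over GRADES."""
    return {g: {h: sum(a[g][k] * b[k][h] for k in GRADES) for h in GRADES} for g in GRADES}


def cumulative_default_probability(matrix, start_grade, years):
    """Probability that a loan now at start_grade has defaulted within `years` years."""
    power = matrix
    for _ in range(years - 1):
        power = compose(power, matrix)
    return power[start_grade]["D"]


def lifetime_expected_loss(matrix, grade, remaining_years, balance, lgd):
    """CECL-style lifetime EL: balance x cumulative PD over remaining life x LGD."""
    return balance * cumulative_default_probability(matrix, grade, remaining_years) * lgd


if __name__ == "__main__":
    m = migration_matrix(OBSERVATIONS)
    for g in GRADES:
        print(g, {h: round(p, 3) for h, p in m[g].items() if p})
    print("3-year PD from grade 3:", cumulative_default_probability(m, 3, 3))
    print("lifetime EL, $100,000 grade-3 loan, 3 years left, 40% LGD:",
          lifetime_expected_loss(m, 3, 3, 100_000, 0.40))
```

With sixteen observations the matrix is obviously too thin to use, which is the practical point of the passage: a grade-3 loan only reaches default here through two intermediate downgrades, so its three-year cumulative PD depends on rows the sample barely populates, and filtering by vintage thins them further. Collecting grade histories by loan type and vintage now is what makes these rows credible later.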

The message here is clear: better start collecting the data now.

While an in-house spreadsheet model has generally sufficed for most smaller institutions under the current methodology, the volume of data and more complex analytics required for CECL may well warrant consideration of dedicated software.  There are various vendors out there with existing models that will no doubt be customized for CECL when details become available.

AuditOne will continue to monitor this area closely.  We have considerable expertise and experience in assisting institutions with their ALLL methodology in both an auditing and consulting capacity.  We will be sure to carry all that forward into the brave new world of CECL, whenever he decides to step forward to introduce himself.

AuditOne LLC’s sole focus is financial institutions. AuditOne performs many dozens of ALLL audits every year, along with credit review audits delivered by our expert staff auditors, who have hands-on, in-depth credit experience. Please note, too, that many of these audits are done on a completely offsite basis, using our secure client portal for secure sharing of documents. For more information, please call one of our Co-CEOs, Jeremy Taylor or Kevin Watson. Both may also be reached on our Team & Contact page.


AuditOne Advisory – Interest Rate Risk: Responding to Rising Regulatory Expectations

AuditOne Advisory

From Bud Genovese, Chairman

Our Co-CEO Jeremy Taylor recently presented to a CFO group in Oregon on the subject of rising regulatory expectations for interest rate risk (IRR) management. We thought you might find his PowerPoint helpful. You can find it on our website by clicking here. Please feel free to forward this informative presentation to any appropriate people in your bank. And remember, when you need industry leading expertise for internal audit and credit review and the highest level of hands-on technology service, contact the best in the business… AuditOne. Thank you. –Bud

Jeremy was able to draw on two very valuable sets of (non-public) data in order to come up with concrete guidance in such critical areas as determination of modeling assumptions and appropriate IRR limits.  First, at AuditOne we have assembled a database of almost 100 of our IRR clients (without client identifiers, of course).  Second, the Risk Management Association (RMA) recently conducted a survey of IRR management practices at community banks which Jeremy helped prepare.  Because there is so little publicly available peer data to assist in IRR measurement and management, I think you will find Jeremy’s presentation particularly useful and timely.  He also has incorporated best-practice and how-to suggestions for things like customizing and validating key model assumptions.  Board/ALCO governance topics also get attention.  Besides these two surveys, Jeremy was able to reflect our ongoing IRR audit experience, Safety & Soundness exam reports, client conversations, and other inside information sources.

I would also draw your attention to an article Jeremy prepared on the RMA survey results that has just appeared in the Oct./15 issue of the RMA Journal.  You’ll find that article on our website.

AuditOne LLC is a risk management firm with sole focus on financial institutions. AuditOne performs many dozens of IRR audits every year, along with audits of other ALM areas like Liquidity, Investments and Capital. We have highly experienced ALM practitioners on staff. Please note, too, that many of these audits are done on a completely offsite basis, using our client portal for secure sharing of documents. For more information, please call one of our Co-CEOs: Jeremy Taylor for the northern half of our client base, or Kevin Watson for the southern half. Both may also be reached on our Team & Contact page.


The FFIEC Cybersecurity Assessment Tool and what it means to your institution

AuditOne Regulatory Advisory

From Bud Genovese, Chairman

In our ongoing efforts to keep you abreast of news in the regulatory environment, we periodically issue AuditOne Regulatory Advisories. Please feel free to forward it to the appropriate people in your bank. Thank you, –Bud

Cyber threats have been evolving and increasing at an exponential rate. We are seeing more frequent and sophisticated attacks than before. Financial institutions rely on technology for critical operations. However, technology service providers and general IT investments can often leave institutions exposed to vulnerabilities that criminals would exploit.

Unfortunately, the regulators do not expect this problem to be resolved because the primary factors that drive these cyber attackers include espionage, money, disruption/destruction, political/social statement, and notoriety. There are also many different types of attackers including nation-states, terrorists, criminal, and insiders. These attackers often have technical expertise, financial sponsors, limited legal reach, and anonymity.

In response to this complex problem, the FFIEC has created a dedicated page on this issue and issued multiple statements and alerts. Many of the FFIEC resources on the page contain recommended controls for institutions to implement, but it is difficult for smaller institutions to determine which controls to implement based on their size and complexity.

On July 2, 2015, the FFIEC issued a new Cybersecurity Assessment Tool for all institutions under $1 billion in total assets. The Tool uses a risk assessment process so that institutions can come up with an overall inherent risk level based on Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Once management determines the Bank’s inherent cybersecurity risks, the Cybersecurity Assessment Tool contains a list of recommended controls based on these risks. These controls are based on the Cybersecurity Framework by NIST (National Institute of Standards and Technology) and the FFIEC Information Technology Handbook.

While this assessment is voluntary, regulatory examiners plan to discuss this tool with institutions’ management during examinations starting in the fourth quarter of 2015. To help prepare for this, Insight Risk Consulting (IRC), an affiliate of AuditOne LLC, has been providing assistance to financial institutions in creating a Cybersecurity Risk Assessment consistent with the FFIEC Cybersecurity Assessment Tool, as well as assessing cybersecurity preparedness and whether the current controls align with the overall cybersecurity risk. We also assist management in determining risk management practices and controls that can mitigate cybersecurity risks. If you are interested in any of these areas, please contact Kevin Watson, Co-CEO, or Jeremy Taylor, Co-CEO. Both may also be reached on our Team & Contact page.


ACAMS Meeting Summary “Meeting the Regulators” June 2015

AuditOne Regulatory Advisory

From Bud Genovese, Chairman

In our ongoing efforts to keep you abreast of news in the regulatory environment, we periodically issue AuditOne Regulatory Advisories.

The article below is written by AuditOne’s Co-CEO Kevin Watson. Kevin, who also is CAMS certified, just attended an ACAMS meeting in Long Beach, CA. Please feel free to forward it to the appropriate people in your bank. Thank you, –Bud

ACAMS Meeting Summary: “Meeting the Regulators” June 8, 2015

ACAMS is the largest international membership organization dedicated to enhancing the knowledge, skills and expertise of AML/CTF and financial crime detection and prevention professionals. Members of ACAMS include representatives from a wide range of financial institutions, regulatory bodies, law enforcement agencies and industry sectors. AuditOne is pleased to have multiple employees who have earned the Certified Anti-Money Laundering Specialist (CAMS) certification and are members of ACAMS.

The ACAMS meeting that I attended this June included representatives from the FRBSF, OCC, FDIC and CDBO (California Department of Business Oversight). Summarized below, in an easy to track bullet point format, are some of the major points made in the meeting. The panelists stressed that these are not necessarily the official views of their organizations. However, the points made provide good examples of questions that may be raised in some BSA audits. We hope this information is useful to you and that you can learn from it and act on it as applicable:

Common violations cited in Examinations

  • Failure to file SAR
  • Failure to update risk scores and CDD information
  • Failure to risk rate at account opening
  • Inadequate detail on EDD reviews
  • Auditors not customizing test and report for higher risk areas
  • Inadequate depth of audit testing
  • Failure of audit to opine overall and on each scope area

BSA Risk Assessment

  • Should include every product and service offered by the Bank
  • Also include element for employees and regulatory orders
  • Indicate metrics for each element including number and dollar for at least two years
  • Indicate inherent risk for each element
  • Best practice is to explain the specific risks for each element
  • OFAC risk can be embedded in the BSA risk assessment and should indicate history of OFAC hits


  • The FinCEN Advisory on compliance culture was stressed. Examiners and auditors should evaluate the authority, Board access, objectivity and staffing levels.

  • Ensure controls are in place so that Third Party Payment Processors (TPPPs) don’t deviate from agreed upon activities
  • Bank should ask for statements for other banks where the TPPP maintains accounts

  • For complex customer account relationships, bank should prepare a master document describing the relationships

  • Customer responses to specific activity questions should make sense

  • Bank should obtain copy of statements for accounts maintained at other banks
  • Out of area and large check deposits should be investigated (bank should ask for CTRs on those)
  • Determine how many remittance transfers to each country, especially the high risk countries
  • Banks should ask for better quality independent audits or reviews completed on the MSBs
  • Ensure MSBs are properly licensed

Automated AML System

  • Validations consider 1) data accuracy 2) model calculations 3) appropriateness of rules and parameters
  • Most validations are being issued in separate reports, but there is no set format
  • Validations should be annual
  • Validate alerts, risk rating, watch list (OFAC) and other important features being used
  • Obtain independent validations from vendor, especially when the formulas supporting risk ratings or alerts are not disclosed


  • BSA Policy should include account closure requirements, stipulating the threshold of repeat filings triggering account closure.
  • New beneficial ownership guideline release date still unknown

Kevin K. Watson, CAMS, is our Co-CEO based in our Buena Park office in Southern California. Kevin can be reached on our Team & Contact page.

AuditOne LLC is a risk management firm with sole focus on financial institutions. Mr. Genovese pioneered the concept of providing comprehensive internal audit and credit review services by gathering wide-ranging, extraordinary expertise within one firm. AuditOne now serves over 200 clients throughout the Western United States, and nationally. Contact Kevin Watson, Co-CEO, or Jeremy Taylor, Co-CEO, to learn how we can deliver to you our cost effective, quality services. Both may also be reached on our Team & Contact page.


Social Engineering’s Wolf in Sheep’s Clothing

By Robert Kluba, CISM, MCSE, AuditOne, LLC

Social Engineering is a technology threat that every bank faces. Banks make an ideal target for criminals employing social engineering tactics. This article will discuss the types of social engineering threats facing banks and the ways banks can attempt to mitigate their exposure to those threats.

Reformed computer criminal and later security consultant Kevin Mitnick points out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.

Social engineering can take a number of forms, such as pretexting, diversion theft, phishing, quid pro quo, tailgating or shoulder surfing. The focus of this article will be on pretexting and phishing, the two most common forms that banks face and the two forms that we, as a social engineering testing firm, place the most focus on with our testing. Pretexting is the act of creating and using an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. Phishing is a technique of fraudulently obtaining private information, most commonly through an email which contains a link to a fraudulent web page that seems legitimate.

As an introduction to the social engineering pretext attack, I will reference an attack which took place in December 2011 at Wells Fargo and was reported by Forbes magazine. This pretext incident allowed an attacker to trick Wells Fargo into wiring $2.1 million to a bogus bank account in Hong Kong. The attacker impersonated a client of Wells Fargo, obtained publicly available signatures and convinced an escrow office to wire funds to an offshore account. Banks of all sizes are susceptible to this kind of risk and steps need to be taken to mitigate that risk. The following are some basic steps any bank can take to reduce the threat of a social engineering pretext attack.

Step 1: Don’t trust caller ID. Technology can be fooled. Customer verification procedures need to be followed no matter what the caller ID says.

Step 2: Don’t rely on what an unknown or untrusted source says or implies. Successful pretext calling is all about gaining the trust of the person being called.

Step 3: Put policies in place. Effective policies cause minimal offense to legitimate requesters but can potentially deter pretext callers.

Step 4: Effective policies incorporate features pretext callers are known to dislike such as customer verification procedures which go beyond social security number.

Step 5: Remember that you, not the caller, are in control.

Step 6: Use diplomacy and tact in declining a request.

Step 7: Invest in a security education and awareness program to raise security awareness regularly.

Step 8: Train your employees to contact their manager and information security officer if a call seems suspicious.

Step 9: Management should support staff when they follow policy.

The second type of social engineering attack is the phishing email attack. According to a recent Huffington Post article, JPMorgan Chase customers were targeted by such an attack as recently as August 2014, when hackers sent bogus emails that prompted customers to enter their account credentials and attempted to download malicious software onto their computers. This type of attack can happen to any bank of any size. The example above is a common example of a customer phishing attack. As this article is more focused on mitigating internal threats, the following are some steps a bank can take to reduce the risk of a successful phishing attack which targets bank employees.

Step 1: Invest in a security education and awareness program to raise security awareness.

Step 2: Organize regular campaigns to maintain user awareness. Education is not a once a year deal.

Step 3: Train your employees to call the bank’s help desk or contact their manager if an email seems suspicious.

Step 4: Tell users not to click on links, download files or open attachments in emails from unknown senders. Think before you click.

Step 5: Using a spam appliance or add-in is not a “fit and forget” exercise; maintenance is required, from manual oversight of the spam queues to maintenance of its parameter settings.

Step 6: Limit the impact. Ensure that anti-virus, anti-spyware and anti-malware applications are maintained and up-to-date, and that applications and operating systems are up to date and fully patched.
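The six steps above are training, policy and maintenance measures. To show what the help desk in Step 3 can actually check when an employee forwards a message they are unsure about, here is an added example, not the article’s or AuditOne’s code: it parses a constructed inbound email and reports the indicators a reviewer would look at first, namely a sender domain that is not the bank’s own, a link whose visible text shows one site while its real target is another, links to hosts outside the bank, and an attachment with a risky file type. The bank domain, the sample message (including its look-alike sender domain and mismatched link) and the file-type list are constructed for the illustration.

```python
"""Indicator checks for a suspicious inbound email, as a help-desk triage aid.

Added example, not AuditOne's tooling. The bank's domain, the sample message
and the risky file-type list are constructed for the illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.test"                              # constructed
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".zip"}    # constructed list

# Constructed sample: look-alike sender ("1" for "l"), mismatched link, executable attachment.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1ebank.test>
To: teller@examplebank.test
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Log in at
<a href="http://login-examplebank.attacker.test/reset">https://intranet.examplebank.test</a>
to keep access.</p>
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="reset_tool.exe"

ZmFrZQ==
--XYZ--
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def link_mismatches(html):
    """Links whose visible text is a URL on a different host than the real target."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                found.append((shown, href))
    return found


def is_bank_host(host):
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)


def indicators(raw_message):
    """Return (indicator, detail) pairs for a reviewer; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != BANK_DOMAIN:
        flags.append(("sender-domain", sender_domain))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for _, real_target in link_mismatches(html):
                flags.append(("link-mismatch", real_target))
            for href, _ in ANCHOR_RE.findall(html):
                host = urlparse(href).hostname or ""
                if not is_bank_host(host):
                    flags.append(("external-link", host))
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            flags.append(("risky-attachment", filename))
    return flags


if __name__ == "__main__":
    for indicator, detail in indicators(SAMPLE_EMAIL):
        print(f"{indicator:18} {detail}")
```

None of these checks replaces the training in Steps 1 and 2; the look-alike sender domain in the sample is exactly the kind of detail a trained employee notices and an automated filter may not. A check like this is useful because it gives the help desk a consistent, documentable first pass on each report, which also produces the record needed to tune the spam appliance settings that Step 5 says must be maintained.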

Pretext calling and targeted phishing emails are two major social engineering attack scenarios that all banks face. Pretext calling has been and will continue to be a threat for the foreseeable future. Steps can be taken to better protect the bank and the bank’s customer information against these attacks. Technology may help solve phishing email attacks in the future, but steps such as ensuring training and education are ongoing can be taken today to mitigate current risk. The protection of nonpublic personal information should be a goal of all financial institutions, and proactive steps are available to mitigate the risk of these threats.

Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 24 – December 2014.