The FFIEC Cybersecurity Assessment Tool and what it means to your institution

AuditOne Regulatory Advisory

From Bud Genovese, Chairman

In our ongoing efforts to keep you abreast of news in the regulatory environment, we periodically issue AuditOne Regulatory Advisories. Please feel free to forward it to the appropriate people in your bank. Thank you, –Bud

Cyber threats have been evolving and increasing at an exponential rate. We are seeing more frequent and sophisticated attacks than before. Financial institutions rely on technology for critical operations. However, technology service providers and general IT investments can often leave institutions exposed to vulnerabilities that criminals would exploit.

Unfortunately, the regulators do not expect this problem to be resolved, because the primary factors that drive these cyber attackers include espionage, money, disruption/destruction, political/social statements, and notoriety. There are also many different types of attackers, including nation-states, terrorists, criminals, and insiders. These attackers often have technical expertise, financial sponsors, limited legal reach, and anonymity.

In response to this complex problem, the FFIEC has created a dedicated page on this issue and issued multiple statements and alerts. Many of the FFIEC resources on the page contain recommended controls for institutions to implement, but it is difficult for smaller institutions to determine which controls to implement based on their size and complexity.

On July 2, 2015, the FFIEC issued a new Cybersecurity Assessment Tool for all institutions under $1 billion in total assets. The Tool uses a risk assessment process so that institutions can come up with an overall inherent risk level based on Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Once management determines the Bank’s inherent cybersecurity risks, the Cybersecurity Assessment Tool contains a list of recommended controls based on these risks. These controls are based on the Cybersecurity Framework by NIST (National Institute of Standards and Technology) and the FFIEC Information Technology Handbook.

While this assessment is voluntary, regulatory examiners plan to discuss this tool with institutions’ management during examinations starting in the fourth quarter of 2015. To help prepare for this, Insight Risk Consulting (IRC), an affiliate of AuditOne LLC, has been providing assistance to financial institutions in creating a Cybersecurity Risk Assessment consistent with the FFIEC Cybersecurity Assessment Tool, as well as assessing cybersecurity preparedness and whether the current controls align with the overall cybersecurity risk. We also assist management in determining risk management practices and controls that can mitigate cybersecurity risks. If you are interested in any of these areas, please contact Kevin Watson, Co-CEO, or Jeremy Taylor. Both may also be reached on our Team & Contact page.


ACAMS Meeting Summary “Meeting the Regulators” June 2015

From Bud Genovese, Chairman

The article below is written by AuditOne’s Co-CEO Kevin Watson. Kevin, who also is CAMS certified, just attended an ACAMS meeting in Long Beach, CA. Please feel free to forward it to the appropriate people in your bank. Thank you, –Bud

ACAMS Meeting Summary: “Meeting the Regulators” June 8, 2015

ACAMS is the largest international membership organization dedicated to enhancing the knowledge, skills and expertise of AML/CTF and financial crime detection and prevention professionals. Members of ACAMS include representatives from a wide range of financial institutions, regulatory bodies, law enforcement agencies and industry sectors. AuditOne is pleased to have multiple employees who have earned the Certified Anti-Money Laundering Specialist (CAMS) certification and are members of ACAMS.

The ACAMS meeting that I attended this June included representatives from the FRBSF, OCC, FDIC and CDBO (California Department of Business Oversight). Summarized below are some of the major points made in the meeting, in an easy-to-track bullet-point format. The panelists stressed that these are not necessarily the official views of their organizations. However, the points made provide good examples of questions that may be raised in some BSA audits. We hope this information is useful to you and that you can learn from it and take action as applicable:

Common violations cited in Examinations

  • Failure to file SAR
  • Failure to update risk scores and CDD information
  • Failure to risk rate at account opening
  • Inadequate detail on EDD reviews
  • Auditors not customizing test and report for higher risk areas
  • Inadequate depth of audit testing
  • Failure of audit to opine overall and on each scope area

BSA Risk Assessment

  • Should include every product and service offered by the Bank
  • Also include element for employees and regulatory orders
  • Indicate metrics for each element including number and dollar for at least two years
  • Indicate inherent risk for each element
  • Best practice is to explain the specific risks for each element
  • OFAC risk can be embedded in the BSA risk assessment and should indicate history of OFAC hits


  • The FinCEN Advisory on compliance culture was stressed. Examiners and auditors should evaluate the authority, Board access, objectivity and staffing levels.

  • Ensure controls are in place to ensure Third Party Payment Processors (TPPPs) don’t deviate from agreed-upon activities
  • Bank should ask for statements for other banks where the TPPP maintains accounts

  • For complex customer account relationships, bank should prepare a master document describing the relationships
  • Customer responses to specific activity questions should make sense

  • Bank should obtain copies of statements for accounts maintained at other banks
  • Out-of-area and large check deposits should be investigated (bank should ask for CTRs on those)
  • Determine how many remittance transfers go to each country, especially the high-risk countries
  • Banks should ask for better-quality independent audits or reviews completed on the MSBs
  • Ensure MSBs are properly licensed

Automated AML System

  • Validations consider (1) data accuracy, (2) model calculations, and (3) appropriateness of rules and parameters
  • Most validations are being issued in separate reports, but there is no set format
  • Validations should be annual
  • Validate alerts, risk rating, watch list (OFAC) and other important features being used
  • Obtain independent validations from vendor, especially when the formulas supporting risk ratings or alerts are not disclosed


  • BSA Policy should include account closure requirements, stipulating the threshold of repeat filings triggering account closure.
  • New beneficial ownership guideline release date still unknown

Kevin K. Watson, CAMS, is our Co-CEO based in our Buena Park office in Southern California. Kevin can be reached via our Contact Us page.

AuditOne LLC is a risk management firm with a sole focus on financial institutions. Mr. Genovese pioneered the concept of providing comprehensive internal audit and credit review services by gathering wide-ranging, extraordinary expertise within one firm. AuditOne now serves over 200 clients throughout the Western United States and nationally. Contact Kevin Watson, Co-CEO, or Jeremy Taylor, Co-CEO, to learn how we can deliver our cost-effective, quality services to you. Both may also be reached on our Team & Contact page.