managing emerging technology risk1 managing emerging technology risk regulatory guidance and best...
TRANSCRIPT
0
Managing Emerging Managing Emerging Technology Risk Technology Risk
Federal Deposit Insurance CorporationFederal Deposit Insurance CorporationNew York Regional OfficeNew York Regional Office
May 16, 2012May 16, 2012
1
Managing Emerging Technology Risk
Regulatory guidance and best practices for managing risks pertaining to:
- payment systems,- social media sites,- mobile banking, and- virtualization/cloud computing
Security and data integrity challenges in safeguarding customer information
2
Payment Systems
Non-Cash Payment Systems in the US:
Check Clearing Systems Automated Clearing House (ACH) Systems Card-based Credit/Debit (e.g., Amex,
Discover, MasterCard, Visa, etc.) Prepaid/Stored Value Card Programs Electronic Funds Transfer Networks (e.g.,
Star, Cirrus, Pulse, etc.) Person-to-Person or P2P (e.g., PayPal, etc.)
3
Payment Systems
Payments risk covers all FDIC supervisory disciplines:
Safety & SoundnessCompliance/Consumer ProtectionBank Secrecy Act / Anti-Money LaunderingTechnology/Operations
4
Corporate Account Takeover
Corporate accounts are targeted because of the large balances and the ACH credits that are generated have expedited funds availability.
5
Corporate Account Takeover
Methods used to obtain valid online banking credentials include:
Keylogging malware – records legitimate user’s keystrokes and sends to perpetrator
E-mail phishing – tricks legitimate user to send credentials or enter them at a web site
6
Security and Data Integrity Challenges
Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing
fraud are continuously evolving.
7
Cyber Fraud and Financial Crime Reports
FDIC Division of Risk Management Supervision
Technology Supervision Branch Cyber Fraud and Financial Crimes Section
8
Computer Intrusions3rd Quarter 2011
Computer Intrusions
759
369 376
495440
639
396331
0
100
200
300
400
500
600
700
800
2004 2005 2006 2007 2008 2009 2010 2011
3rd Quarter
Rep
orts
9
Computer Intrusion Losses by Type Code
3rd Quarter 2011
3Q11 Computer Intrusion Losses by Type Code
70%
12%
11%
1%1%1%
1%1%
2%ID Theft Account Takeover Wire/ACHFraudCounterfeit Cards
Credit Card Fraud
Computer Intrusion
Check Fraud
ID Theft Debit/Credit Card Fraud
Embezzlement Wire Fraud
Debit Card Fraud
All Other Codes (57)
10
Computer intrusion detection rates 3rd Quarter 2011
Computer Intrusion Detection 3Q11
38%
17%
15%
10%
4%
4%2%2%2%2%2%2%
Customer Notified Bank
FI Employees
Not Detected
Card Network/PaymentProcessorRDFI
IRC - Employee AcctReviewsMoney Mules Notified
Western Union
Returned Wire Notice
Notified by a Reporter
University Detected
TSP Detected Bad IP
11
Online bank account takeovers3rd Quarter 2011
Online Bank Account Takeover Losses
-5
101520253035404550
4Q2010 1Q2011 2Q2011 3Q2011
MIL
LIO
NS
$$
Other Violations(Online AcctTakeover)
Wire TransferFraud
ComputerIntrusion
12
ID Theft reports 3rd Quarter 2011
ID Theft
11,330
8,9377,749
8,015
-
2,000
4,000
6,000
8,000
10,000
12,000
2008 2009 2010 2011
3rd Quarter
13
Wire transfer fraud reports 3rd Quarter 2011
Wire Transfer Fraud
4,235 4,178
3,4493,392
-
500
1,000
1,500
2,000
2,500
3,000
3,500
4,000
4,500
2008 2009 2010 2011
3rd Quarter
14
Wire Transfer Fraud Losses3rd Quarter 2011
Wire Transfer Fraud 3Q11 Losses
56%
8%
7%
6%
4%
3%
3%3%
2%2%
1% 1% 1%3%
Mortgage Fraud
Credit Card Fraud
Commercial Loan Fraud
Wire Transfer
ID Theft
Counterfeit Checks
Check Fraud
Online Banking
Terrorist Financing/MoneyLaunderingConsumer Loan
Computer Intrusion
Insider Fraud
Telephone Fraud
All Other (834)
15
Wire Transfer Fraud Financial Institution Losses
3rd Quarter 2011
3Q11 Wire Transfer Fraud Financial Institution Losses
34%
32%
23%
5%5% 0%1%
Online Bank AccountTakeoversCorporate AccountTakeoverConsumer AccountTakeoverAdvanced Fee Scams
HELOC Account Takeover
Money Mule ReceivingFundsOnline Classified Scams
Romance Scam
Email AccountCompromisedUnspecified FraudulentWireUnauthorized EFT/ACHDebits
16
Wire Transfer FraudCustomer Losses 3rd Quarter 2011
3Q11 Wire Transfer Fraud Customer Losses
31%
21%16%
16%
14%0%2%
Online Classified Scams
Romance Scam
Online Bank AccountTakeoversEmail AccountCompromisedUnspecified FraudulentWireAdvanced Fee Scams
Unauthorized EFT/ACHDebitsCorporate AccountTakeoverConsumer AccountTakeoverHELOC Account Takeover
Money Mule ReceivingFunds
17
Wire Transfer FraudAll Losses
3rd Quarter 2011
3Q11 Wire Transfer Fraud All Losses
31%
24%17%
8%
6%
4%4%
3%
1% 0%2%Online Bank AccountTakeoversCorporate AccountTakeoverConsumer AccountTakeoverOnline Classified Scams
Romance Scam
Email AccountCompromisedAdvanced Fee Scams
HELOC Account Takeover
Unspecified FraudulentWireMoney Mule ReceivingFundsUnauthorized EFT/ACHDebits
18
Wire Fraud Loss- Ingress Channel3rd Quarter 2011
3Q11Wire Fraud Loss - Ingress Channel
30%
11%
10%10%
6%
5%
4%
3%
3%
3%3%
2%2%2%2%2%1%
Online Classifieds/Auction
Branch
Phishing/Malware
German/US IPS
Unknown
Email (originating from Malaysia)
UPS Letter
ID Theft/Account Takeover
Logged on from Local IP
Logged on from Customer's PC
Logged in from US IP
Logged in from Korea
FAX
Telephone Transfer
Mobile Device (Malaysia provider)
Other (11)
19
Debit Card Fraud
Volume
Means of Exploitation
20
Risk Mitigation Practices/Controls
Utilize multi-factor authentication
Install and regularly update firewalls, malware/spyware protection, and commercial anti-virus software
Initiate payments under dual control
21
Risk Mitigation Practices/Controls
Limit administrative rights on workstations
Encourage corporate clients to reconcile their bank accounts daily
Use AML/BSA Acct Monitoring Tools
Customer (Public) Awareness and Education and Employee Training
22
Information Technology (IT) Examinations
IT examinations address a wide range of data security issues such as:
Information security programs and compliance with Gramm-Leach-Bliley Act, Sect. 501(b) requirements;
Business continuity planning and physical security;
IT audit coverage and independent review of controls;
IT security strategies and policies and personnel controls
23
Primary Supervisory Examination Issues
Primary supervisory examination issues continue in the areas of :
Gramm-Leach-Bliley Act (GLBA) compliance
Vendor Management programs
Business Continuity/Disaster Recovery planning
IT Audit Coverage
Network/access controls
24
Mobile Device Fraud
Fraudulent Wire Transfer
Exploitation Methods
Risk Assessment
25
Social Media Sites
Security Risks
Reputation Risk
Corporate Governance
Resources
26
Risk Assessment Issues
GovernanceStrategic ConsiderationsPoliciesTopologyControlsContracts/AgreementsAudit
Cloud Services
27
Examination/Financial Institution Guidance
FFIEC Guidance on Risk Management of Remote Deposit Capture (FIL-4-2009)
Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Examination Procedures (FIL-105-2008)
FFIEC Retail Payment Systems Handbook (FIL-6-2010)
FFIEC Guidance: Authentication in an Internet Banking Environment(FIL-103-2005)
Payment Processor Relationships-Revised Guidance (FIL-3-2012)
FDIC Supervisory Insights Journal (Quarterly)
28
Examination/Financial Institution Guidance (Continued)
FFIEC Supplement to Authentication in an Internet Banking Environment (FIL-50-2011)
Special Alert SA-147-2009: Fraudulent Electronic Funds Transfers(August 2009)
Guidance for Managing Third-Party Risk (FIL-44-2008)
National Institute of Standards & Technology (NIST)
Trade Associations (ABA, BITS)
PCI Security Standards Council
US CERT
29
Thank you!
30
Contact Information
Stephanie WilliamsExamination Specialist
(Information Technology)New York Regional Office
Gerald SuslakExamination Specialist
(Information Technology)New York Regional Office
Robert SargentExamination Specialist
(Information Technology)Boston Area [email protected]