Download - Managing Emerging Technology Risk
![Page 1: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/1.jpg)
1
Managing Emerging Managing Emerging Technology Risk Technology Risk
Federal Deposit Insurance CorporationFederal Deposit Insurance Corporation
New York Regional OfficeNew York Regional Office
May 16, 2012May 16, 2012
![Page 2: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/2.jpg)
2
Managing Emerging Technology Risk
Regulatory guidance and best practices for managing risks pertaining to:
- payment systems,- social media sites,- mobile banking, and- virtualization/cloud computing
Security and data integrity challenges in safeguarding customer information
![Page 3: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/3.jpg)
3
Payment Systems
Non-Cash Payment Systems in the US:
Check Clearing Systems Automated Clearing House (ACH) Systems Card-based Credit/Debit (e.g., Amex,
Discover, MasterCard, Visa, etc.) Prepaid/Stored Value Card Programs Electronic Funds Transfer Networks (e.g.,
Star, Cirrus, Pulse, etc.) Person-to-Person or P2P (e.g., PayPal, etc.)
![Page 4: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/4.jpg)
4
Payment Systems
Payments risk covers all FDIC supervisory disciplines:
Safety & SoundnessCompliance/Consumer ProtectionBank Secrecy Act / Anti-Money LaunderingTechnology/Operations
![Page 5: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/5.jpg)
5
Corporate Account Takeover
Corporate accounts are targeted because of the large balances and the ACH credits that are generated have expedited funds availability.
![Page 6: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/6.jpg)
6
Corporate Account Takeover
Methods used to obtain valid online banking credentials include:
Keylogging malware – records legitimate user’s keystrokes and sends to perpetrator
E-mail phishing – tricks legitimate user to send credentials or enter them at a web site
![Page 7: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/7.jpg)
7
Security and Data Integrity Challenges
Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing
fraud are continuously evolving.
![Page 8: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/8.jpg)
8
Cyber Fraud and Financial Crime Reports
FDIC Division of Risk Management Supervision
Technology Supervision Branch Cyber Fraud and Financial Crimes Section
![Page 9: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/9.jpg)
9
Computer Intrusions
3rd Quarter 2011
Computer Intrusions
759
369 376
495440
639
396
331
0
100
200
300
400
500
600
700
800
2004 2005 2006 2007 2008 2009 2010 2011
3rd Quarter
Report
s
![Page 10: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/10.jpg)
10
Computer Intrusion Losses by Type Code
3rd Quarter 2011
3Q11 Computer Intrusion Losses by Type Code
70%
12%
11%
1%1%1%
1%
1%
2%ID Theft Account Takeover Wire/ACHFraudCounterfeit Cards
Credit Card Fraud
Computer Intrusion
Check Fraud
ID Theft Debit/Credit Card Fraud
Embezzlement Wire Fraud
Debit Card Fraud
All Other Codes (57)
![Page 11: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/11.jpg)
11
Computer intrusion detection rates 3rd Quarter 2011
Computer Intrusion Detection 3Q11
38%
17%
15%
10%
4%
4%2%
2%2%2%2%2%
Customer Notified Bank
FI Employees
Not Detected
Card Network/PaymentProcessorRDFI
IRC - Employee AcctReviewsMoney Mules Notified
Western Union
Returned Wire Notice
Notified by a Reporter
University Detected
TSP Detected Bad IP
![Page 12: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/12.jpg)
12
Online bank account takeovers3rd Quarter 2011
Online Bank Account Takeover Losses
-
5
10
15
20
25
30
35
40
45
50
4Q2010 1Q2011 2Q2011 3Q2011
MIL
LIO
NS
$$$
$
Other Violations(Online AcctTakeover)
Wire TransferFraud
ComputerIntrusion
![Page 13: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/13.jpg)
13
ID Theft reports
3rd Quarter 2011
ID Theft
11,330
8,937
7,7498,015
-
2,000
4,000
6,000
8,000
10,000
12,000
2008 2009 2010 2011
3rd Quarter
![Page 14: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/14.jpg)
14
Wire transfer fraud reports
3rd Quarter 2011
Wire Transfer Fraud
4,235 4,178
3,4493,392
-
500
1,000
1,500
2,000
2,500
3,000
3,500
4,000
4,500
2008 2009 2010 2011
3rd Quarter
![Page 15: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/15.jpg)
15
Wire Transfer Fraud Losses
3rd Quarter 2011
Wire Transfer Fraud 3Q11 Losses
56%
8%
7%
6%
4%
3%
3%3%
2%
2%
1% 1% 1%3%
Mortgage Fraud
Credit Card Fraud
Commercial Loan Fraud
Wire Transfer
ID Theft
Counterfeit Checks
Check Fraud
Online Banking
Terrorist Financing/MoneyLaunderingConsumer Loan
Computer Intrusion
Insider Fraud
Telephone Fraud
All Other (834)
![Page 16: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/16.jpg)
16
Wire Transfer Fraud Financial Institution Losses
3rd Quarter 2011
3Q11 Wire Transfer Fraud Financial Institution Losses
34%
32%
23%
5%5% 0%1%
Online Bank AccountTakeoversCorporate AccountTakeoverConsumer AccountTakeoverAdvanced Fee Scams
HELOC Account Takeover
Money Mule ReceivingFundsOnline Classified Scams
Romance Scam
Email AccountCompromisedUnspecified FraudulentWireUnauthorized EFT/ACHDebits
![Page 17: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/17.jpg)
17
Wire Transfer Fraud Customer Losses
3rd Quarter 2011
3Q11 Wire Transfer Fraud Customer Losses
31%
21%16%
16%
14%
0%2%
Online Classified Scams
Romance Scam
Online Bank AccountTakeoversEmail AccountCompromisedUnspecified FraudulentWireAdvanced Fee Scams
Unauthorized EFT/ACHDebitsCorporate AccountTakeoverConsumer AccountTakeoverHELOC Account Takeover
Money Mule ReceivingFunds
![Page 18: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/18.jpg)
18
Wire Transfer Fraud
All Losses 3rd Quarter 2011
3Q11 Wire Transfer Fraud All Losses
31%
24%17%
8%
6%
4%4%
3%
1% 0%2%Online Bank AccountTakeoversCorporate AccountTakeoverConsumer AccountTakeoverOnline Classified Scams
Romance Scam
Email AccountCompromisedAdvanced Fee Scams
HELOC Account Takeover
Unspecified FraudulentWireMoney Mule ReceivingFundsUnauthorized EFT/ACHDebits
![Page 19: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/19.jpg)
19
Wire Fraud Loss- Ingress Channel
3rd Quarter 2011
3Q11Wire Fraud Loss - Ingress Channel
30%
11%
10%10%
6%
5%
4%
3%
3%
3%
3%2%
2%2%2%2%1%
Online Classifieds/Auction
Branch
Phishing/Malware
German/US IPS
Unknown
Email (originating from Malaysia)
UPS Letter
ID Theft/Account Takeover
Logged on from Local IP
Logged on from Customer's PC
Logged in from US IP
Logged in from Korea
FAX
Telephone Transfer
Mobile Device (Malaysia provider)
Other (11)
![Page 20: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/20.jpg)
20
Debit Card Fraud
Volume
Means of Exploitation
![Page 21: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/21.jpg)
21
Risk Mitigation Practices/Controls
Utilize multi-factor authentication
Install and regularly update firewalls, malware/spyware protection, and commercial anti-virus software
Initiate payments under dual control
![Page 22: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/22.jpg)
22
Risk Mitigation Practices/Controls
Limit administrative rights on workstations
Encourage corporate clients to reconcile their bank accounts daily
Use AML/BSA Acct Monitoring Tools
Customer (Public) Awareness and Education and Employee Training
![Page 23: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/23.jpg)
23
Information Technology (IT) Examinations
IT examinations address a wide range of data security issues such as:
Information security programs and compliance with Gramm-Leach-Bliley Act, Sect. 501(b) requirements;
Business continuity planning and physical security;
IT audit coverage and independent review of controls;
IT security strategies and policies and personnel controls
![Page 24: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/24.jpg)
24
Primary Supervisory Examination Issues
Primary supervisory examination issues continue in the areas of :
Gramm-Leach-Bliley Act (GLBA) compliance
Vendor Management programs
Business Continuity/Disaster Recovery planning
IT Audit Coverage
Network/access controls
![Page 25: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/25.jpg)
25
Mobile Device Fraud
Fraudulent Wire Transfer
Exploitation Methods
Risk Assessment
![Page 26: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/26.jpg)
26
Social Media Sites
Security Risks
Reputation Risk
Corporate Governance
Resources
![Page 27: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/27.jpg)
27
Risk Assessment Issues
GovernanceStrategic ConsiderationsPoliciesTopologyControlsContracts/AgreementsAudit
Cloud Services
![Page 28: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/28.jpg)
28
Examination/Financial Institution
Guidance
FFIEC Guidance on Risk Management of Remote Deposit Capture (FIL-
4-2009)
Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Examination Procedures (FIL-105-2008)
FFIEC Retail Payment Systems Handbook (FIL-6-2010)
FFIEC Guidance: Authentication in an Internet Banking Environment (FIL-103-2005)
Payment Processor Relationships-Revised Guidance (FIL-3-2012)
FDIC Supervisory Insights Journal (Quarterly)
![Page 29: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/29.jpg)
29
Examination/Financial Institution
Guidance (Continued)
FFIEC Supplement to Authentication in an Internet Banking
Environment (FIL-50-2011)
Special Alert SA-147-2009: Fraudulent Electronic Funds Transfers (August 2009)
Guidance for Managing Third-Party Risk (FIL-44-2008)
National Institute of Standards & Technology (NIST)
Trade Associations (ABA, BITS)
PCI Security Standards Council
US CERT
![Page 30: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/30.jpg)
30
Thank you!
![Page 31: Managing Emerging Technology Risk](https://reader035.vdocuments.us/reader035/viewer/2022062517/5681349e550346895d9b93bd/html5/thumbnails/31.jpg)
31
Contact Information
Stephanie WilliamsExamination Specialist
(Information Technology)New York Regional Office
Gerald SuslakExamination Specialist
(Information Technology)New York Regional Office
Robert SargentExamination Specialist
(Information Technology)Boston Area [email protected]