
Page 1: Managing Emerging Technology Risk

Federal Deposit Insurance Corporation
New York Regional Office

May 16, 2012

Page 2: Managing Emerging Technology Risk

Regulatory guidance and best practices for managing risks pertaining to:

- payment systems,
- social media sites,
- mobile banking, and
- virtualization/cloud computing

Security and data integrity challenges in safeguarding customer information

Page 3: Payment Systems

Non-Cash Payment Systems in the US:

- Check Clearing Systems
- Automated Clearing House (ACH) Systems
- Card-based Credit/Debit (e.g., Amex, Discover, MasterCard, Visa, etc.)
- Prepaid/Stored Value Card Programs
- Electronic Funds Transfer Networks (e.g., Star, Cirrus, Pulse, etc.)
- Person-to-Person or P2P (e.g., PayPal, etc.)

Page 4: Payment Systems

Payments risk covers all FDIC supervisory disciplines:

- Safety & Soundness
- Compliance/Consumer Protection
- Bank Secrecy Act / Anti-Money Laundering
- Technology/Operations

Page 5: Corporate Account Takeover

Corporate accounts are targeted because they carry large balances and because the ACH credits originated from them have expedited funds availability, so stolen funds can be moved out before the fraud is noticed.

Page 6: Corporate Account Takeover

Methods used to obtain valid online banking credentials include:

- Keylogging malware – records the legitimate user's keystrokes and sends them to the perpetrator
- E-mail phishing – tricks the legitimate user into sending credentials or entering them at an attacker-controlled web site
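The takeover pattern the two slides above describe (credentials stolen by keylogger or phishing, then a login from the attacker's machine and ACH credits pushed out before the customer notices) is what an institution's online-banking monitoring has to catch. What follows is an added example written for this page, not material from the FDIC presentation: a session-scoring rule run over a constructed audit log. The log field names, the baseline profiles, the weights and the alert threshold are all assumptions for illustration.

```python
"""Session-level detection of the corporate account takeover pattern.

Added example; the log fields, baseline profiles, weights and threshold are
assumptions for illustration, not FDIC material or a real product's rule.
"""
from collections import defaultdict

# Constructed baseline: devices, source IPs and payees each corporate
# customer has used before (a real system would learn this from history).
BASELINE = {
    "acme": {"devices": {"dev-acme-1"}, "ips": {"203.0.113.10"},
             "payees": {"acme-payroll-co"}},
    "globex": {"devices": {"dev-globex-1"}, "ips": {"198.51.100.7"},
               "payees": {"globex-vendor-a"}},
}

# Constructed online-banking audit log (hypothetical field names).
AUDIT_LOG = [
    {"ts": "2011-09-12T09:01:00", "event": "login", "cust": "acme", "session": "s1",
     "device": "dev-acme-1", "ip": "203.0.113.10"},
    {"ts": "2011-09-12T09:05:00", "event": "ach_credit", "cust": "acme", "session": "s1",
     "payee": "acme-payroll-co", "amount": 48000.00},
    # Attacker logs in with stolen credentials from his own machine...
    {"ts": "2011-09-12T22:14:00", "event": "login", "cust": "acme", "session": "s2",
     "device": "dev-unknown-77", "ip": "192.0.2.44"},
    # ...adds a mule as payee and pushes two ACH credits before anyone notices.
    {"ts": "2011-09-12T22:16:00", "event": "add_payee", "cust": "acme", "session": "s2",
     "payee": "mule-1"},
    {"ts": "2011-09-12T22:17:00", "event": "ach_credit", "cust": "acme", "session": "s2",
     "payee": "mule-1", "amount": 9400.00},
    {"ts": "2011-09-12T22:18:00", "event": "ach_credit", "cust": "acme", "session": "s2",
     "payee": "mule-1", "amount": 9300.00},
    # Legitimate user on a new laptop paying a known vendor: noisy, not an alert.
    {"ts": "2011-09-13T08:30:00", "event": "login", "cust": "globex", "session": "s3",
     "device": "dev-globex-2", "ip": "198.51.100.7"},
    {"ts": "2011-09-13T08:31:00", "event": "ach_credit", "cust": "globex", "session": "s3",
     "payee": "globex-vendor-a", "amount": 1200.00},
]

EMPTY_PROFILE = {"devices": set(), "ips": set(), "payees": set()}


def group_sessions(log):
    """Group events by (customer, session) in timestamp order."""
    sessions = defaultdict(list)
    for ev in sorted(log, key=lambda e: e["ts"]):
        sessions[(ev["cust"], ev["session"])].append(ev)
    return sessions


def session_risk(events, profile):
    """Score one session against the customer's baseline. Weights are assumed."""
    score, reasons = 0, []
    new_payees, credits = set(), 0
    for ev in events:
        if ev["event"] == "login":
            if ev["device"] not in profile["devices"]:
                score += 2
                reasons.append(f"login from unknown device {ev['device']}")
            if ev["ip"] not in profile["ips"]:
                score += 1
                reasons.append(f"login from unknown IP {ev['ip']}")
        elif ev["event"] == "ach_credit":
            credits += 1
            payee = ev["payee"]
            if payee not in profile["payees"] and payee not in new_payees:
                new_payees.add(payee)
                score += 3
                reasons.append(f"ACH credit to never-before-paid payee {payee}")
    # Several credits in one session that include a brand-new payee is the
    # classic cash-out shape; weight it on top of the individual signals.
    if new_payees and credits > 1:
        score += 1
        reasons.append(f"{credits} ACH credits in one session, including a new payee")
    return score, reasons


def detect_ato(log, baseline, threshold=4):
    """Return an alert for every session whose score reaches the threshold."""
    alerts = []
    for (cust, session), events in group_sessions(log).items():
        score, reasons = session_risk(events, baseline.get(cust, EMPTY_PROFILE))
        if score >= threshold:
            alerts.append({"cust": cust, "session": session,
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_ato(AUDIT_LOG, BASELINE):
        print(alert)
```

The rule scores the combination rather than any single signal: the globex session on a new device paying a known vendor scores 2 and stays below the threshold, while the acme session pairs a new device and IP with credits to a payee the customer has never paid and is flagged. In production the baseline would be built from the customer's own history and the alert would hold the batch for callback verification before the ACH file is released.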

Page 7: Security and Data Integrity Challenges

Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud are continuously evolving.

Page 8: Cyber Fraud and Financial Crime Reports

FDIC Division of Risk Management Supervision, Technology Supervision Branch, Cyber Fraud and Financial Crimes Section

Page 9: Computer Intrusions, 3rd Quarter 2011

[Bar chart: Computer Intrusion reports, 3rd quarter of each year, 2004-2011; y-axis "Reports", 0-800. Bar data labels as extracted, not reliably matched to years: 759, 369, 376, 495, 440, 639, 396, 331.]

Page 10: Computer Intrusion Losses by Type Code, 3rd Quarter 2011

[Pie chart: 3Q11 Computer Intrusion Losses by Type Code. Slice labels as extracted: 70%, 12%, 11%, 2%, and five slices at 1%. Legend, in extracted order: ID Theft Account Takeover; Wire/ACH Fraud; Counterfeit Cards; Credit Card Fraud; Computer Intrusion; Check Fraud; ID Theft Debit/Credit Card Fraud; Embezzlement; Wire Fraud; Debit Card Fraud; All Other Codes (57).]

Page 11: Computer Intrusion Detection Rates, 3rd Quarter 2011

[Pie chart: Computer Intrusion Detection, 3Q11 (how intrusions came to light). Slice labels as extracted: 38%, 17%, 15%, 10%, 4%, 4%, and six slices at 2%. Legend, in extracted order: Customer Notified Bank; FI Employees; Not Detected; Card Network/Payment Processor; RDFI; IRC - Employee Acct Reviews; Money Mules Notified; Western Union; Returned Wire Notice; Notified by a Reporter; University Detected; TSP Detected Bad IP. Twelve labels and twelve legend entries survive; if the legend order tracks the slice order, customers notifying the bank account for 38% of detections and 15% of intrusions went undetected.]

Page 12: Online Bank Account Takeover Losses, 3rd Quarter 2011

[Bar chart: Online Bank Account Takeover Losses by quarter, 4Q2010 through 3Q2011; y-axis in $ millions (scale -5 to 50). Series: Other Violations (Online Acct Takeover); Wire Transfer Fraud; Computer Intrusion. No data labels survive extraction.]

Page 13: ID Theft Reports, 3rd Quarter 2011

[Bar chart: ID Theft reports, 3rd quarter of each year, 2008-2011; y-axis 0-12,000. Bar data labels as extracted, not reliably matched to years: 11,330; 8,937; 7,749; 8,015.]

Page 14: Wire Transfer Fraud Reports, 3rd Quarter 2011

[Bar chart: Wire Transfer Fraud reports, 3rd quarter of each year, 2008-2011; y-axis 0-4,500. Bar data labels as extracted, not reliably matched to years: 4,235; 4,178; 3,449; 3,392.]

Page 15: Wire Transfer Fraud Losses, 3rd Quarter 2011

[Pie chart: Wire Transfer Fraud 3Q11 Losses. Slice labels as extracted: 56%, 8%, 7%, 6%, 4%, 3%, 3%, 3%, 2%, 2%, 1%, 1%, 1%, 3%. Legend, in extracted order: Mortgage Fraud; Credit Card Fraud; Commercial Loan Fraud; Wire Transfer; ID Theft; Counterfeit Checks; Check Fraud; Online Banking; Terrorist Financing/Money Laundering; Consumer Loan; Computer Intrusion; Insider Fraud; Telephone Fraud; All Other (834).]

Page 16: Wire Transfer Fraud Financial Institution Losses, 3rd Quarter 2011

[Pie chart: 3Q11 Wire Transfer Fraud Financial Institution Losses. Slice labels as extracted: 34%, 32%, 23%, 5%, 5%, 0%, 1%. Legend, in extracted order: Online Bank Account Takeovers; Corporate Account Takeover; Consumer Account Takeover; Advanced Fee Scams; HELOC Account Takeover; Money Mule Receiving Funds; Online Classified Scams; Romance Scam; Email Account Compromised; Unspecified Fraudulent Wire; Unauthorized EFT/ACH Debits.]

Page 17: Wire Transfer Fraud Customer Losses, 3rd Quarter 2011

[Pie chart: 3Q11 Wire Transfer Fraud Customer Losses. Slice labels as extracted: 31%, 21%, 16%, 16%, 14%, 0%, 2%. Legend, in extracted order: Online Classified Scams; Romance Scam; Online Bank Account Takeovers; Email Account Compromised; Unspecified Fraudulent Wire; Advanced Fee Scams; Unauthorized EFT/ACH Debits; Corporate Account Takeover; Consumer Account Takeover; HELOC Account Takeover; Money Mule Receiving Funds.]

Page 18: Wire Transfer Fraud All Losses, 3rd Quarter 2011

[Pie chart: 3Q11 Wire Transfer Fraud All Losses. Slice labels as extracted: 31%, 24%, 17%, 8%, 6%, 4%, 4%, 3%, 1%, 0%, 2%. Legend, in extracted order: Online Bank Account Takeovers; Corporate Account Takeover; Consumer Account Takeover; Online Classified Scams; Romance Scam; Email Account Compromised; Advanced Fee Scams; HELOC Account Takeover; Unspecified Fraudulent Wire; Money Mule Receiving Funds; Unauthorized EFT/ACH Debits.]

Page 19: Wire Fraud Loss by Ingress Channel, 3rd Quarter 2011

[Pie chart: 3Q11 Wire Fraud Loss by Ingress Channel. Slice labels as extracted: 30%, 11%, 10%, 10%, 6%, 5%, 4%, 3%, 3%, 3%, 3%, 2%, 2%, 2%, 2%, 2%, 1%. Legend, in extracted order: Email; Online Classifieds/Auction; Branch; Phishing/Malware; German/US IPs; Unknown; Email (originating from Malaysia); UPS Letter; ID Theft/Account Takeover; Logged on from Local IP; Logged on from Customer's PC; Logged in from US IP; Logged in from Korea; FAX; Telephone Transfer; Mobile Device (Malaysia provider); Other (11).]

Page 20: Debit Card Fraud

- Volume
- Means of Exploitation

Page 21: Risk Mitigation Practices/Controls

- Utilize multi-factor authentication
- Install and regularly update firewalls, malware/spyware protection, and commercial anti-virus software
- Initiate payments under dual control

Page 22: Risk Mitigation Practices/Controls

- Limit administrative rights on workstations
- Encourage corporate clients to reconcile their bank accounts daily
- Use AML/BSA account monitoring tools
- Customer (public) awareness and education, and employee training
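Two of the controls listed on these two slides, dual control over payment initiation and daily reconciliation, are concrete enough to show in code. The following is an added example written for this page, not code from the FDIC or from any banking product: a payment queue that releases a payment only after an authenticated approver other than the initiator signs off, plus a reconciliation that surfaces bank debits nothing in the queue explains. The User/Payment model, the mfa_verified flag, the high-value limit that requires a second approver, and the sample transactions are all assumptions.

```python
"""Dual control for payment initiation, plus a daily reconciliation check.

Added example for this page; the User/Payment model, the mfa_verified flag,
the high-value limit and the sample data are assumptions, not FDIC guidance.
"""
import itertools
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when a payment action would bypass a control."""


@dataclass
class User:
    name: str
    mfa_verified: bool          # assumed: set after a successful second factor
    can_approve: bool = False   # approver entitlement, separate from initiation


@dataclass
class Payment:
    pid: int
    initiator: str
    payee: str
    amount: float
    approvers: list = field(default_factory=list)
    released: bool = False


class PaymentQueue:
    """Releases a payment only after enough approvals from MFA-authenticated
    users who are entitled to approve and are not the initiator."""

    def __init__(self, high_value=25000.0):
        self._ids = itertools.count(1)
        self.payments = {}
        self.high_value = high_value  # assumed policy: above this, two approvers

    def approvals_required(self, payment):
        return 2 if payment.amount > self.high_value else 1

    def initiate(self, user, payee, amount):
        if not user.mfa_verified:
            raise ControlViolation("initiator has not completed MFA")
        if amount <= 0:
            raise ControlViolation("amount must be positive")
        payment = Payment(next(self._ids), user.name, payee, amount)
        self.payments[payment.pid] = payment
        return payment.pid

    def approve(self, user, pid):
        payment = self.payments[pid]
        if payment.released:
            raise ControlViolation("payment already released")
        if not user.mfa_verified:
            raise ControlViolation("approver has not completed MFA")
        if not user.can_approve:
            raise ControlViolation(f"{user.name} is not entitled to approve")
        if user.name == payment.initiator:
            raise ControlViolation("initiator may not approve own payment")
        if user.name in payment.approvers:
            raise ControlViolation("same approver counted twice")
        payment.approvers.append(user.name)
        if len(payment.approvers) >= self.approvals_required(payment):
            payment.released = True
        return payment.released

    def released(self):
        return [p for p in self.payments.values() if p.released]


def reconcile(released_payments, bank_debits):
    """Match each statement debit to a released payment; return the debits
    nothing in the queue explains (the items a daily review must escalate)."""
    expected = {}
    for p in released_payments:
        key = (p.payee, round(p.amount, 2))
        expected[key] = expected.get(key, 0) + 1
    unexplained = []
    for payee, amount in bank_debits:
        key = (payee, round(amount, 2))
        if expected.get(key, 0) > 0:
            expected[key] -= 1
        else:
            unexplained.append((payee, amount))
    return unexplained


def run_scenario():
    """Constructed walk-through; returns the outcome of each control."""
    alice = User("alice", mfa_verified=True, can_approve=True)
    bob = User("bob", mfa_verified=True, can_approve=True)
    carol = User("carol", mfa_verified=True, can_approve=True)
    queue, out = PaymentQueue(), {}

    p1 = queue.initiate(alice, "vendor-a", 9400.00)
    try:
        queue.approve(alice, p1)            # self-approval must be refused
        out["self_approve_blocked"] = False
    except ControlViolation:
        out["self_approve_blocked"] = True
    out["p1_released"] = queue.approve(bob, p1)

    p2 = queue.initiate(bob, "payroll-co", 30000.00)   # above high_value
    out["p2_after_one"] = queue.approve(alice, p2)
    out["p2_after_two"] = queue.approve(carol, p2)

    # Constructed bank statement: both released payments plus one debit the
    # queue never authorised, the fingerprint of an account takeover.
    statement = [("vendor-a", 9400.00), ("payroll-co", 30000.00), ("mule-1", 9300.00)]
    out["unexplained"] = reconcile(queue.released(), statement)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The value of dual control is that a single compromised credential, even with the keylogger sitting on the initiator's workstation, cannot release funds on its own; the reconciliation step is what catches a transfer that bypassed the queue entirely, which is why the slides pair the two.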

Page 23: Information Technology (IT) Examinations

IT examinations address a wide range of data security issues such as:

- Information security programs and compliance with Gramm-Leach-Bliley Act, Sect. 501(b) requirements;
- Business continuity planning and physical security;
- IT audit coverage and independent review of controls;
- IT security strategies and policies, and personnel controls.

Page 24: Primary Supervisory Examination Issues

Primary supervisory examination issues continue in the areas of:

- Gramm-Leach-Bliley Act (GLBA) compliance
- Vendor Management programs
- Business Continuity/Disaster Recovery planning
- IT Audit Coverage
- Network/access controls

Page 25: Mobile Device Fraud

- Fraudulent Wire Transfer
- Exploitation Methods
- Risk Assessment

Page 26: Social Media Sites

- Security Risks
- Reputation Risk
- Corporate Governance
- Resources

Page 27: Risk Assessment Issues

Cloud Services:

- Governance
- Strategic Considerations
- Policies
- Topology
- Controls
- Contracts/Agreements
- Audit

Page 28: Examination/Financial Institution Guidance

- FFIEC Guidance on Risk Management of Remote Deposit Capture (FIL-4-2009)
- Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Examination Procedures (FIL-105-2008)
- FFIEC Retail Payment Systems Handbook (FIL-6-2010)
- FFIEC Guidance: Authentication in an Internet Banking Environment (FIL-103-2005)
- Payment Processor Relationships - Revised Guidance (FIL-3-2012)
- FDIC Supervisory Insights Journal (Quarterly)

Page 29: Examination/Financial Institution Guidance (Continued)

- FFIEC Supplement to Authentication in an Internet Banking Environment (FIL-50-2011)
- Special Alert SA-147-2009: Fraudulent Electronic Funds Transfers (August 2009)
- Guidance for Managing Third-Party Risk (FIL-44-2008)
- National Institute of Standards & Technology (NIST)
- Trade Associations (ABA, BITS)
- PCI Security Standards Council
- US-CERT

Page 30: Thank you!

Page 31: Contact Information

Stephanie Williams, Examination Specialist (Information Technology), New York Regional Office, [email protected]

Gerald Suslak, Examination Specialist (Information Technology), New York Regional Office, [email protected]

Robert Sargent, Examination Specialist (Information Technology), Boston Area Office, [email protected]