Security Issues: Hot Topic Legal Update


Transcript

Security Issues: Hot Topic Legal Update
Presented by Mary Beth Guard, Executive Editor, BankersOnline.com
Mary Beth Guard

- Attorney, 24 years
- B.S., Administration of Justice
- Internships – S.I. Work Release Center; Prison Legal Aid
- Former General Counsel, Okla. Bankers Association, State Banking Department
- Currently, Executive Editor, BankersOnline.com
Seeing things through a lawyer’s eyes

- Imagine you are a trial attorney and you’re hearing the facts of a potential case you’re being asked to take, OR
- Picture yourself sitting in the jury box, listening to the evidence

- Bank employee’s family held hostage
- Teller killed
- Fraudulent accounts opened by ID thief
The Security Officer’s Goals

Ensure the bank is in compliance with security-related laws and regs:

- Bank Bribery Act
- Bank Protection Act
- Employee Polygraph Protection Act
- Sarbanes-Oxley
- Right to Financial Privacy Act
- Others
Practices and Procedures

Make sure institution and employee practices and procedures are proper:

- Email usage
- Internet usage
- Confidentiality/privacy
- Avoidance of harassment/discrimination
Training and equipment

- You are the driving force behind making sure employees are properly trained in security-related areas
- It’s your responsibility to see to it that your institution has the proper tools and equipment
Sources of potential liability

- Liability under law or regulation
- Liability under contract
- Liability for negligence
- Liability for breach of a duty
- Liability for deviation from generally accepted practices or standards
If harm occurs . . .

- Was it avoidable?
- Was it foreseeable?
- Could the harm have been avoided if the bank had done something different?
- Would other banks have done something different?
- Was the bank in the best position to avoid the harm?
Hottest hot buttons NOW

- Check 21
- Robberies
- Sarbanes-Oxley
- Information security
- PATRIOT Act
- Identity theft
Check 21

- New federal law; takes effect 10/28/04
- Allows any bank in the chain to “truncate” any foreign (i.e., not “on-us”) item and pass on either an image (if the next party in line agrees to accept an image) or a new negotiable instrument called a substitute check
It’s all about “green lights”

- Checks travel via plane, truck, auto from the BOFD (bank of first deposit) to the paying bank
- This new law lays the groundwork for the check to travel in image (digital) format
- No bank is required to accept an image; there must be an agreement
- Each leg of the journey the item can travel in image form is like a green light
Without an agreement to accept images . . .

- Paper is required (substitute check)
- No bank can demand an original check
- No customer can demand their original checks
- Some original checks will still come through – but it’s out of the paying bank’s control which ones they will be
Substitute check

- Paper reproduction, made from an original check
- Printed on check stock
- Suitable for automated processing
- Meets industry standards for such items (must show truncating bank, reconverting bank, substitute check identifier in position 44 of MICR line, etc.)
- LEGAL EQUIVALENT OF THE ORIGINAL
Example of substitute check

Potential problems

When a check is converted to an image, you lose paper-based security features:

- Micro print signature line
- UV features
- Paper-based watermark
- Thumbprint signatures

Real substitute checks will be very difficult to distinguish from fakes
Indemnity under Check 21

- Bad if you transfer, present or return a substitute check
- Good if you receive one, there is underlying fraud, AND you can show you would have caught it had you received the original item rather than the substitute check
Thumbprint signatures

- Most often used in connection with cashing on-us checks
- Courts have upheld legality as a valid way for the drawee bank to “identify” a noncustomer payee
- Think about isolating on-us checks you cash that have thumbprint signatures
Best evidence issue . . .

- If you provide imaged statements now and your customer needs a copy of his check, you provide a copy of his check
- After Check 21 takes effect, courts may hold that a copy is no longer the “best evidence” – since a substitute check would instead be the legal equivalent
Why do you care?

Banks will want to avoid providing substitute checks to the extent possible because of liability issues and increased responsibilities:

- Warranties
- Indemnity
- Expedited recrediting procedures
The SO and Check 21

Get involved in the discussions and decision-making about:

- Whether your bank will truncate foreign items;
- How you will store them; how quickly you will destroy them;
- Whether your bank will accept images;
- Safeguards for image quality;
Consider . . .

- One fee for a copy of a check; higher fee for a substitute check;
- Amending deposit agreement to disclaim liability for failure to check paper check security features
- Limit the time a customer has to examine substitute checks (if you are still returning paper items to your customers)
Have a communication plan

Don’t wait until the last minute to educate:

- Police
- District attorneys
- Judges

There’s a PowerPoint presentation you can download from the BOL Check 21 page: http://www.bankersonline.com/check21/

Good news about Check 21

- Image-survivable security features are available
- Return item notifications will, in some cases, come more quickly

New fraud-fighting tools

- Electronic positive pay
- Digital signature verification
Robberies

- Major increases in some parts of the country
- The “No Hats” movement is catching on.
Stay attuned to industry standards

- Alarms
- Training
- Locks
- Lighting
- No hats policies
- Bandit barriers
- Dye packs
- GPS tracking devices

What else? Do you let employees’ friends or relatives wait for them inside the bank?
Tempted to have a buzz-in?

- Buzz-in doors offer potentially higher security in high-crime branches
- Watch out for potential unlawful discrimination
Sarbanes-Oxley Act

- Applies directly to banks with over $500 million in total assets or those that are a public company or subsidiary of one
- Regulators urge others to implement, to the extent feasible, the same sound corporate governance practices

SO for Security Officers

- Auditor Independence
- Code of ethics
- Whistleblower hotlines
Information security

Must have infosec program approved by board:

- Not static
- Not just digital information
- Must constantly identify and assess threats

- Wells Fargo independent contractor
- Colorado bank lending employees
- Keystroke logging
- Computers sold to reseller
“Phishing” scams skyrocket

The Anti-Phishing Working Group says:

“Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.”
Example

- Search for “phishing” on BOL
- Several examples, advice
- What is YOUR bank doing to protect customers?
How would a customer know?

- Information on your Web site about phishing
- How to recognize a legitimate email from you – or – state that you don’t send them at all
- Numbers to contact
- Form/email address to report
Newest phishing danger

- Keystroke logging
- All the customer has to do is follow the link
- Doesn’t have to fall for the phony “put your info in”
- How easy is your bank’s site to replicate?
PATRIOT Act

New CIP (Customer Identification Program) exam procedures:

- One of the things the examiners are supposed to ask for is a written explanation of the bank’s rationale for excluding existing customers from CIP
- 314(b) information sharing
- 314(a) – maintaining the confidentiality of the list and using it for the right purposes
BSA (Bank Secrecy Act) is huge!

- Now examined under safety and soundness
- Find your weaknesses BEFORE the examiners do

- Wig flipping case
- Broadway National Bank
- Riggs - $25 million penalty
Employee issues …

- Do you do background checks? Remember the “golden rule!”
- What are you doing to avoid harassment/discrimination?
- How are your opening and closing procedures?
- Is your staffing adequate?
- Do you have information accessible on the Web that you shouldn’t? See www.johnny.ihackstuff.com
ID Theft

- Every 60 seconds, another 17 or 18 people become victims
- Legal experts expect the next big thing to be lawsuits against “leaky” institutions that facilitated the ID thefts due to shoddy practices or poor training
ID Theft and your bank

Three potential dangers:

- ID thief obtaining information through or from your bank that he uses to steal an identity;
- ID thief successfully posing as someone else in order to open accounts or obtain loans;
- ID thief posing as your existing customer and conducting transactions or obtaining information
What are you doing about it?

How do you verify identity?

- New customers
- Existing customers who call or come in
- Would you “see dead people?”
Do you have the proper tools?

- ID checking guide
- UV lights
- Fraud databases
- Would your employees know how to recognize a fake?
- Fakes are easy to make
What keeps you up at night?

- Safe deposit liability?
- Right to Financial Privacy Act issues?
- Check fraud?
- Software piracy?
- Employee concerns?
- Defamation?
- Physical security? Terrorists?
Steps to take

- Stay informed – about the law, your responsibilities, what’s going on within your institution, threats/risks
- Assess the risks
- Figure out your options
- Think long and hard about your recommendations
- Document
- Press hard for what you know is right
THANKS!

Questions? Want to follow up? Email me at: [email protected]