Regulatory Compliance


This is the second question in our five-part series on the FFIEC guidance and what it means for Internet banking. If you missed the first question, don't worry, you can still go back. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: What does “multi-factor” authentication actually mean?

“Multi-factor” authentication refers to the combination of different security requirements that would be unlikely to be compromised at the same time. A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication. Even if the customer loses their card, it (theoretically) can’t be used to withdraw cash from the ATM machine without the PIN.

_____________

Look for part three of our five-part series tomorrow.

Published: November 15, 2011 by Chris Ryan

This is the first question in our five-part series on the FFIEC guidance and what it means for Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: What does “layered security” actually mean?

“Layered” security refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.

Consider a customer who logs onto an on-line banking session to execute a wire transfer of funds to another account. The layers of security applied to this activity might resemble:

1. Layer One - Account log-in. Security = valid ID and Password must be provided
2. Layer Two - Wire transfer request. Security = IP verification/confirmation that this PC has been used to access this account previously.
3. Layer Three - Destination Account provided that has not been used to receive wire transfer funds in the past. Security = Knowledge Based Authentication

Layered security provides an organization with the ability to handle simple customer requests with minimal security, and to strengthen security as risks dictate. A layered approach enables the vast majority of low risk transactions to be completed without unnecessary interference while the high-risk transactions are sufficiently verified.

_____________

Look for part two of our five-part series tomorrow.

Published: November 14, 2011 by Chris Ryan

With the most recent guidance newly issued by the Federal Financial Institutions Examination Council (FFIEC) there is renewed conversation about knowledge based authentication. I think this is a good thing. It brings back into the forefront some of the things we have discussed for a while, like the difference between secret questions and dynamic knowledge based authentication, or the importance of risk based authentication.

What does the new FFIEC guidance say about KBA? Acknowledging that many institutions use challenge questions, the FFIEC guidance highlights that the implementation of challenge questions can greatly impact efficacy of its usefulness. Chances are you already know this. Of greater importance, though, is the fact that the FFIEC guidelines caution on the use of less sophisticated systems and information that can be easily guessed or obtained from an Internet search, given the amount of information available.

As mentioned above, the FFIEC guidelines call for questions that “do not rely on information that is often publicly available,” recommending instead a broad range of data assets on which to base questions. This is an area knowledge based authentication users should review carefully. At this point in time it is perfectly appropriate to ask, “Does my KBA provider rely on data that is publicly sourced?” If you aren’t sure, ask for and review data sources. At a minimum, you want to look for the following in your KBA provider:

· Questions! Diverse questions from broad data categories, including credit and noncredit assets
· Consumer question performance as one of the elements within an overall risk-based decisioning policy
· Robust performance monitoring. Monitor against established key performance indicators and do it often
· Create a process to rotate questions and adjust access parameters and velocity limits. Keep fraudsters guessing!
· Use the resources that are available to you. Experian has compiled information that you might find helpful: www.experian.com/ffiec

Finally, I think the release of the new FFIEC guidelines may have made some people wonder if this is the end of KBA. I think the answer is a resounding “No.” Not only do the FFIEC guidelines support the continued use of knowledge based authentication, recent research suggests that KBA is the authentication tool identified as most effective by consumers. Where I would draw caution is when research doesn’t distinguish between “secret questions” and dynamic knowledge based authentication, which we all know are very different.

Published: October 4, 2011 by Monica Pearson

As I’m sure you are aware, the Federal Financial Institutions Examination Council (FFIEC) recently released its "Supplement to Authentication in an Internet Banking Environment" guiding financial institutions to mitigate risk using a variety of processes and technologies as part of a multi-layered approach.

In light of this updated mandate, businesses need to move beyond simple challenge and response questions to more complex out-of-wallet authentication. Additionally, those incorporating device identification should look to more sophisticated technologies well beyond traditional IP address verification alone.

Recently, I contributed to an article on how these new guidelines might affect your institution. Check it out here, in full: http://ffiec.bankinfosecurity.com/articles.php?art_id=3932

For more on what the FFIEC guidelines mean to you, check out these resources - which also give you access to a recent Webinar.

Published: August 19, 2011 by Keir Breitenfeld

By: Staci Baker

In my last post about the Dodd-Frank Act, I described the new regulatory bodies created by the Act. In this post, I will concentrate on how the Act will affect community banks.

The Dodd-Frank Act is over 3,000 pages of proposed and final rules and regulations set forth by the Consumer Financial Protection Bureau (CFPB). For any bank, managing such a massive amount of regulations is a challenge, but for a median-size bank with fewer employees, it can be overwhelming.

The Act has far reaching unintended consequences for community banks. According to the American Bankers Association, there are five provisions that are particularly troubling for community banks:

1. Risk retention
2. Higher Capital Requirements and Narrower Qualifications for Capital
3. SEC’s Municipal Advisors Rule
4. Derivatives Rules
5. Doubling Size of the Deposit Insurance Fund (DIF)

In order to meet new regulatory requirements, community banks will need to hire additional compliance staff to review the new rules and regulations, as well as to ensure they are implemented on schedule. This means the additional cost of outside lawyers, which will affect resources available to the bank for staff, and for its customers and the community.

Community banks will also feel the burden of losing interchange fee income. Small banks are exempt from the new rules; however, the market will follow the lowest priced product, which will mean another loss of revenue for the banks.

As you can see, community banks will greatly be affected by the Dodd-Frank Act. The increased regulations will mean a loss of revenues, increased oversight, additional outside staffing (less resources) and reporting requirements. If you are a community bank, how do you plan on overcoming some of these obstacles?

Published: August 15, 2011 by Guest Contributor

By: Staci Baker

The Durbin Amendment, according to Wikipedia, gave the Federal Reserve the power to regulate debit card interchange fees. The amendment, which will have a profound impact on banks, merchants and anyone who holds a debit card will take effect on October 1, 2011 rather than the originally announced July 21, 2011, which will allow banks additional time to implement the new regulations.

The Durbin Amendment states that card networks, such as Visa and Mastercard, will include an interchange fee of 21 cents per transaction, and must allow debit cards to be processed on at least two independent networks. This will cost banks roughly $9.4 billion annually according to CardHub.com. As stipulated in the Amendment, institutions with less than $10 billion in assets are exempt from the cap.

In preparation for the Durbin Amendment, several banks have begun to impose new fees on checking accounts, end reward programs, raise minimum balance requirements and have threatened to cap transaction amounts for debit card transactions at $50 to $100 in order to recoup some of the earnings they are expected to lose. These new regulations will be a blow to already hurting consumers as their out of wallet expenses keep increasing.

As you can see, The Durbin Amendment, which is meant to help consumers, will instead have the cost from the loss of interchange fees passed along in other forms. And, the loss of revenue will greatly impact the bottom line of banking institutions.

Who will be the bigger winner with this new amendment - the consumer, merchants or the banks? Will banks be able to lower the cost of credit to an amount that will entice consumers away from their debit cards and to use their credit cards again? I think it is still far too soon to tell. But, I think over the next few months, we will see consumers use payment methods in a new way as both consumers and banks come to a middle ground that will minimize risk levels for all parties. Consumers will still need to shop and bankers will still need their tools utilized.

What are you doing to prepare for The Durbin Amendment?

Published: July 20, 2011 by Guest Contributor

By: Kari Michel

On March 18th 2011 the Federal Reserve Board approved a rule amending Regulation Z (Truth in Lending) to clarify portions of the final rules implementing the Credit CARD Act of 2009. Specific to ability to pay requirements, the new rule states that credit card applications generally cannot request a consumer's "household income" because that term is too vague to allow issuers to properly evaluate the consumer's ability to pay. Instead, issuers must consider the consumer's individual income or salary. The new ruling will be effective October 2011.

Given the new direction outlined in the latest rules, we've been hard at work on developing 2 income models to support these regulatory obligations and enhance the underwriting and risk assessment process - Income Insight℠ and Income Insight W2℠. Both income models estimate an individual’s income based on an individual credit report and can be used in acquisition strategies, account management review and collection processes.

Why two models? Income Insight℠ estimates the consumer’s total income, including wages, investments, rentals and other income. Income Insight W2℠ estimates wages only.

Check them out - and let us know what you think! We want to hear from you.

Published: May 25, 2011 by Guest Contributor

The next time a consumer asks about his or her credit score, consider it an opportunity. Recent changes to the Risk-Based Pricing (RBP) rule may provide new opportunities to strengthen relationships by educating consumers about what their credit scores mean, how they’re used, and how they can be improved. For many lenders and other businesses, this could be the first time they’ve had a chance to speak directly and openly with customers about their credit scores.

The RBP rule is intended to improve financial literacy

As we’ve discussed, the Risk-Based Pricing Rule was instituted in response to policymaker concerns that consumers were not being sufficiently informed of the impact that credit reports can have on their annual percentage rate (APR). Now, when a lender makes a credit decision based on a consumer credit report and does not offer the best possible rate, or denies credit, the RBP Rule requires lenders to notify the customer about the decision – through either an explanation of the rate offered or disclosing a credit score.

New requirements take effect on July 21

RBP compliance is changing following recent passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Companies will now be required to provide all customers with a credit score within a Risk Based Pricing Notice, along with educational material. The new requirement is effective July 21, 2011. This is also the date when the new Bureau of Consumer Financial Protection (CFPB) is set to be fully operational.

How to prepare for consumer questions about credit scores

Experian offers a number of resources to help lenders answer consumer questions. Online resources, including the Ask Experian column and our extensive Credit Education section, provide fundamental information to help consumers better understand credit scores and credit reports. The Experian Credit Score Basics booklet, plus more than 20 other educational documents, are available electronically and formatted for easy printing and distribution. All documents, PowerPoint presentations, virtual seminars and education videos are available on a free mini-disk.

Customized training and education is available

The Experian Public Education team can also provide customized, live Internet-based training and education for our clients’ employees to help them effectively answer customer questions about credit reports and credit scores. For a free mini-disk or more information about training events, please contact Rod Griffin, Experian’s Director of Public Education, at 1 (972) 390-3528, or email clientcorner@experian.com.

Take a moment to check out our Risk-Based Pricing microsite, too.

Note: While Experian is happy to provide our observations related to the new Risk-Based Pricing Rule, please work with your own legal counsel to ensure that you comply with your obligations under the rule.

Published: May 17, 2011 by Guest Contributor

By: Staci Baker

There has been a lot of talk in the news about the Dodd-Frank Act lately. According to the Dodd-Frank Resource Center of the American Financial Services Association (AFSA), “The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which passed on July 21, 2010, is unprecedented in magnitude, and will impact every sector of the financial services industry.”

The aim of the Act is to put measures in place that address the issues that led to the financial crisis. This is done by setting up new regulatory bodies, and limiting the dealings of banks and other financial institutions. For the purpose of this blog, I will focus on describing the new regulatory agencies.

The Bureau of Consumer Financial Protection (CFPB) is an independent watchdog housed within the Federal Reserve. The CFPB has the authority to “regulate consumer financial products and services in compliance with federal law.”[ii] They are responsible for the accuracy of information, hidden fees and deceptive practices for consumers from within the following industries – mortgage, credit cards and other financial products.

The Financial Stability Oversight Council is “charged with identifying threats to the financial stability of the United States, promoting market discipline, and responding to emerging risks to the stability of the United States financial system.”[ii] Through the Treasury, this council will create a new Office of Financial Research, which will be responsible for collecting and analyzing data to identify and monitor emerging risks to the economy, and publish the findings in periodic reports.

These new regulatory agencies are critical to US business processes, as they will more closely monitor business practices, create new tighter legislation, and report findings to the public. The legislation that is created will decrease risk levels posed by large, complex companies, as well as address discrepancy that has been raised throughout the financial crisis.

What are your views of the Dodd-Frank Act? Do you believe this is the legislation needed to stem future financial crisis? If not, what would help you and your business?

Published: January 20, 2011 by Guest Contributor

By: Kari Michel

What are you doing to prepare for the new credit score disclosure requirements for taking adverse action on the basis of information contained in a consumer credit profile report, including scoring models?

The Dodd-Frank Wall Street Reform and Consumer Protection Act (CFPB), which was signed by President Obama on July 21, 2010, has prescribed new rules for Adverse Action and Risk Based Pricing notifications. The new credit score disclosure rules will become effective July 21, 2011. The rules have NOT been finalized at this time.

With the information currently available, the new rules will impact all lenders who take adverse action against a consumer due to information in a consumer credit report. Lenders will be required to disclose to the consumer:

· The actual numerical score used in the adverse decision (new requirement)
· The range of possible scores under the model used (new requirement)
· All key factors that adversely affected the credit score
  - This legislation mandates the delivery of 5 factor codes (when applicable). The notice must include the top 4 and then a 5th when inquiries play a negative part in the score calculation (new requirement)
· The date on which the credit score was created
· The name of the entity that provided the score

If you have questions regarding the FCRA sections that are changing, you can refer to the Dodd-Frank legislation section 1100F.

Published: January 11, 2011 by Guest Contributor

Ready for Risk-Based Pricing?

The New Year always marks a start. A new year. New resolutions. And, this year, it marks the start of the Risk-Based Pricing Rule. Just to review, risk-based pricing involves setting or adjusting a customer’s interest rate and other terms of credit based on that consumer’s credit history and other factors used to measure risk.

Established by the Federal Reserve Board and the Federal Trade Commission (FTC) last December, and effective as of Jan. 1, 2011, the Risk-Based Pricing (RBP) Rule addresses the concern by policymakers that consumers are not sufficiently informed of the impact their credit report can have on the annual percentage rate (APR) they get charged for new credit. When a lender makes a credit decision based upon a consumer credit report and does not offer the best rate possible, the RBP Rule requires lenders to notify the customer about the decision.

Currently, there are two options to comply with the RBP Rule:

1) Send a notice to inform customers that they didn’t get the best rate possible.
2) Or, provide customers with a credit score, along with educational information.

The Rule is changing

With passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act earlier this year, the compliance options for organizations will soon become more complicated. Companies will still have the option to send a risk-based pricing notice, but they will be required to provide all customers with a credit score within that notice. Standard adverse action notices, given when the consumer is denied credit, will also have to include a score disclosure. The new requirement will likely take effect as early as July 21, 2011 (the target date for the new Bureau of Consumer Financial Protection (CFPB) to be fully operational). Most companies have already begun instituting compliance policies, but they may need to take a longer view.

Opportunities

Beyond compliance, the rule change and the Dodd-Frank law provide new opportunities to educate consumers about what credit scores mean to them and how they’re used by lenders. This presents new ways to strengthen customer relationships and improve overall financial literacy among the public if companies are willing to take the initiative.

Three important RBP Rule issues to keep in mind:

The effective date for compliance is January 1, 2011. Companies will have two options: (1) inform customers that they didn’t get the best rate based upon their credit report or (2) provide a credit score. Requirements for risk-based pricing could change as early as July 21, 2011, when oversight transfers to the CFPB and all companies must begin providing customers with a credit score. With an increase in the number of credit scores organizations are disclosing, customers will come to creditors with questions about their credit report and score.

In coming posts, I’ll explore the various facets of the Risk-Based Pricing Rule and the challenges and opportunities communications companies will be presented with.

Note: While Experian is happy to provide our observations related to the new Risk-Based Pricing Rule, please work with your own legal counsel to ensure that you comply with your obligations under the rule.

Published: January 5, 2011 by Guest Contributor

The U.S. Senate passed legislation recently that would exempt certain businesses from complying with the Red Flags Rule. Sponsored by Senator John Thune (R-SD), the bill (S. 3987) creates an exception to the Red Flags Rule for businesses that do not advance funds to a customer.

The bill would, for example, redefine the term “creditor” as currently described under the Red Flags Rule guidelines, to apply only to those businesses who advance funds to, or on behalf of, a customer, and based upon an obligation to repay those advanced funds. The legislation also still provides the Federal Trade Commission with authority to require certain organizations to comply with the Red Flags Rule.

The legislation now moves to the U.S. House of Representatives, where the chamber must approve the bill before the end of the year in order for the bill to become law. This may alleviate many businesses in industries such as law practices, healthcare providers (particularly solo practitioners), and perhaps some service providers in telecommunications and utilities. However, it is likely that many businesses in the utilities space will still fall under Red Flags Rule enforcement given their accessing of consumer credit profiles in many of their application processing procedures.

Again, one has to wonder what the original intent of the Red Flags Rule was. If it was to protect consumers from identity theft and other fraud schemes via a robust identity theft prevention program, then vastly narrowing the businesses under which potential enforcement applies seems counter-productive. The advancement of funds or not doesn’t necessarily add to or reduce risk of fraud, as much as the actual obtainment of accounts and services with identity information…regardless of industry.

More to follow…

Published: December 6, 2010 by Keir Breitenfeld

By: Staci Baker

Top five things to know about the Risk-Based Pricing Rule

As many of you are preparing for the new Risk-Based Pricing Rule to take effect on January 1, 2011, I want to give you an overview of the top five things you need to know to ensure your business is compliant.

1. Applicability: Any company that uses a credit report or score in connection with a credit decision will be required to comply with the Risk-Based Pricing Rule.

2. Obligation: A lender is obligated to send a notice to a consumer when they use a credit report or score in connection with a credit transaction. When the lender provides credit to the consumer on material terms* that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that lender (any consumer who does not receive the lender’s best rate) based on the credit report or score, the lender is required to take action.

3. Compliancy: Lenders will be required to provide applicable consumers with the following:
• A Risk-Based Pricing Notice, or
• A Credit Score Disclosure Exception Notice
• Model forms are available in the final ruling issued by the Federal Reserve Board and Federal Trade Commission

4. Exceptions to the Rule: There are several exceptions to the Rule, including:
• When a lender is making a pre-screened offer or providing an adverse action notice, or
• When a consumer applies for specific credit terms or business credit (all credit that is not for personal, family or household use is excluded from the rule.)

5. Exclusions to the Rule: Any lender who does not use a credit report or score in connection with a credit decision is excluded from the ruling. The ruling also does not apply to small business lenders.

These top five key components of the Rule should get you on the way to compliancy by the beginning of the year. A pre-recorded webinar is available to give you additional information on compliancy and requirements of the Risk-based Pricing Rule.

The Federal Reserve, http://www.federalreserve.gov/reportforms/formsreview/RegV_20100115_ffr.pdf

* “Material terms” in most cases of the Rule are defined as the APR of the loan

Published: December 3, 2010 by Guest Contributor

In my last entry I mentioned how we’re working with more and more clients that are ramping up their fraud and compliance processes to ensure Red Flag compliance. But it’s not just the FACT Act Identity Theft Program requirements that are garnering all the attention. As every financial institution is painfully aware, numerous compliance requirements exist around the USA PATRIOT Act and Know Your Customer, Anti-Money Laundering, e-Signature and more.

Legislation for banks, lenders, and other financial services organizations is only likely to increase with President Obama’s appointment of Elizabeth Warren to the new Bureau of Consumer Financial Protection. Typically FIs must perform due diligence across more than one of these requirements, all the while balancing the competing pressures of revenue growth, customer experience, fraud referral rates, and risk management. Here’s a case where we were able to offer a solution to one client’s complex needs.

Recently, we were approached by a bank’s sales channel that needed to automate their Customer Information Program (CIP). The bank’s risk and compliance department had provided guidelines based on their interpretation of due diligence appropriate for CIP and now the Sales group had to find a tool that could facilitate these guidelines and decision appropriately. The challenge was doing so without a costly custom solution, not sacrificing their current customer service SLAs, and being able to define the criteria in the CIP decisioning rather than a stock interpretation.

The solution was to invest in a customer authentication product that offered flexible, adaptable “off the shelf” decisioning along with knowledge based authentication, aka out of wallet questions. The fact that the logic was hosted reduced costly and time consuming software and hardware implementations while at the same time allowing easy modification should their CIP criteria change or pass and review rates need to be tweaked.

The net result? Consistent customer treatment and objective application of the CIP guidelines, more cross selling confidence, and the ability to refer only those applicants with fraud alerts or who did not meet the name, address, SSN, and DOB check for further authentication.

Published: September 24, 2010 by Matt Ehrlich

By: Staci Baker

On September 12, 2010, the new Basel III rules were passed in Basel, Switzerland. These new rules aim to increase the liquidity of banks over the next decade, thereby mitigating the risk of bank failures and mergers that transpired during the recent financial crisis.

Currently, banks must maintain capital reserves of 4% on their balance sheet to account for enterprise risk. Starting January 1, 2013, banks will be required to progressively increase their capital reserves, known as tier 1 capital, to 4.5%. By the end of 2019, this reserve will need to be 6%. Banks will also be required to keep an emergency reserve, or “conservation buffer,” of 2.5%.

What does this mean for banks? And, what are some tools that banks can use in assessing credit risk?

By increasing capital reserves, banks will be more stable in times of economic hardship. The conservation buffer is meant to help absorb losses during times of economic stress, which means banks will be in a better position to maintain economic progress in the most challenging economic circumstances.

The capital reserve designated by the Group of Governors and Heads of Supervision is the minimum requirement each bank will be held to. Each bank will need to assess their current risk levels, and run stress tests to ensure they are in a good financial position, and are able to sustain strong financial health during a failing economy. Stress tests should be run for different time intervals, which will allow lenders to assess future losses and to plan capital satisfactoriness accordingly.

This type of credit risk analysis is possible through applications such as Moody’s CreditCycle Plus, powered by Experian, that allow for stress testing, and profit and loss forecasting. These applications will measure future performance of consumer credit portfolios under various economic scenarios, measured against industry benchmarks.

______________

Bank for International Settlements, 9/12/10, http://bis.org/press/p100912.htm

Published: September 20, 2010 by Guest Contributor
