This section highlights examiner insights and sound practices gained from examinations of community banks within the Fifth District.
Information Technology — Authentication in an Evolving Cyberthreat Environment
Due to heightened and evolving cyberthreats in the online environment, regulatory agencies have issued SR 11-9 (Interagency Supplement to Authentication in an Internet Banking Environment), which updates the 2005 guidance of the same name and stresses the importance of implementing more refined alternative approaches to detect and respond to suspicious activity.
This guidance clarifies and increases supervisory expectations in the areas of online activity risk assessments, customer authentication, layered security controls, and customer awareness and education programs. The guidance speaks directly to the sufficiency of certain techniques currently in use, such as challenge questions and simple device identification, and offers alternative approaches to better safeguard against cyberthreats that continue to change with increasing speed. While none of the controls suggested by the guidance provides absolute assurance of preventing or detecting an attack, the guidance does identify specific controls that institutions should consider implementing.
The agencies acknowledge that not all online transactions pose the same level of risk. Financial institutions should apply more robust controls to transactions with higher risk levels. Although there are multiple ways to authenticate, institutions should ensure that their controls are commensurate with the risk exposure of the online transactions being authenticated. Institutions should also ensure that they have considered the additional controls and exposures addressed in the SR letter, as examiners will follow up to gauge compliance.
Consumer Affairs: Home Mortgage Disclosure Act
Regulation C — Home Mortgage Disclosure Act (HMDA) — requires a covered institution to complete a Loan Application Register (LAR) with applicant and transaction data for certain mortgage loan applications and to report this information to its regulator. Examiners test reported data, and when error levels exceed certain thresholds, the data must be corrected and resubmitted. Ex-post correction of data can be time-consuming and expensive; therefore, a bank should consider proactive steps to improve the HMDA data collection process. All business lines, such as commercial lending, must be included so that any loans subject to reporting are captured. Internal controls, such as training and monitoring, are important tools for preventing, identifying and correcting errors. Smaller institutions that manually collect and maintain data may find that centralized data collection and validation can be an effective control for improving data accuracy. Some larger reporters might consider utilizing automated systems that integrate the loan application, loan processing and data collection functions to populate the LAR. Regardless, testing of data for accuracy before it is reported is critical.
If you have any questions about any of these or other topics, please contact your Fifth District relationship manager or email BKSRCommunications.RICH@rich.frb.org.
The analyses and conclusions set forth in this publication are those of the authors and do not necessarily indicate concurrence by the Board of Governors, the Federal Reserve Banks, or the members of their staffs. Although we strive to make the information in this publication as accurate as possible, it is made available for educational and informational purposes only. Accordingly, for purposes of determining compliance with any legal requirement, the statements and views expressed in this publication do not constitute an interpretation of any laws, rule or regulation by the Board or by the officials or employees of the Federal Reserve System.
Supervision, Regulation & Credit