Friday, June 13, 2003
( 9:50 AM ) Mary Beth
audblog audio post by Mary Beth Guard on "Identity clues found in credit reports: Don't miss them!" #
( 7:52 AM ) Mary Beth
audblog audio post by Ken Golliher. This audio blog accompanies Ken's article, "Lending and Customer Identification Programs: An Introduction". #
Thursday, June 12, 2003
( 8:15 AM ) Mary Beth
Well, we're back home and the work is piled high! I had to leave on an early flight yesterday, so I'll leave it to others to fill you in on the great sessions from the final day. Tuesday was a blast! BOL and ABA hosted a networking reception, in conjunction with Penley, Inc. (the company behind the BOL-endorsed FastWatch Customer Identification system). Jim Bedsole, Andy Zavoina and I performed magic to a very tolerant, boisterous, and friendly crowd. When you meet Threads Poster SJB, ask him about the cat calls he was making during one part of the presentation. . . ;-)
Jim's Vanishing Bandanna routine was hilarious, as was Andy's "I wouldn't touch that reg with a 10 foot pole".
Paula Kinsey, Barb Piccotti and I were enjoying little umbrella drinks before the magic show. We bought you all virtual umbrella drinks, too. See the evidence on the table below.
One job I would NOT have wanted to have was that of Dorothy Friendlander, the ABA Conference Coordinator. Carrying around a satchel for five days that must have weighed 50 pounds and having to juggle thousands of tasks to make everyone happy and make everything flow smoothly is an unbelievable feat, but she carried it off. Here she is, still smiling on Tuesday morning, pictured with one of her team members, Allyson. (Dorothy is on the right).
George Milner is one of the folks behind BOL. He's also the publisher of Lucy Griffin's Compliance Action newsletter. They enjoyed getting a chance to see each other face to face for a change. If you've ordered from Bankers' Video Library, subscribe to Compliance Action or Bankers' Hotline, or attended the annual Security Officers' Workshop, you've probably met or talked to George at one time or another.
As noted above, Penley helped to sponsor the reception and also sponsored the giveaway of a Ceiva Digital picture frame. Here, Cleve Schultz from Penley (left) visits with Jerry Panaro (HR lawyer extraordinaire -- a brilliant guy who is also a great communicator. We've been lucky enough to have him present two HR-related webinars for BOL Learning Connect, and I could listen to him all day!); and Carin ("CC") Eisenhauer, BOL partner. Many of you have known Carin since our days producing the old bankinfo.com site, before we left Thomson and formed our own company with Michele Petry.
Paula Kinsey, Chris Spellman and Debbie Barbour enjoy a chat at the reception. Would you look at all those ribbons Debbie has on? That's one busy lady!
Tuesday, June 10, 2003
( 5:10 PM ) Mary Beth
Audblog audio post by David Dickinson on questions to ask while developing your CIP #
( 5:01 PM ) Mary Beth
Thought it would be fun to let you hear from someone OTHER than me, so here we go. We're having a BOL get-together for some of the folks and they are posting for you below.
FCB - Having a great time, wish all of you could be here!
PCashman - More information than my poor "old lady brain" can hold, but well worth the effort. Start begging your boss today for Chicago next year.
Okay, the rest are being uncooperative and unwilling to type, but David Dickinson is going to record an audio blog on CIP now. Back in a few. #
( 3:49 AM ) Mary Beth
I hadn't told you about my session on Sunday. We got started late, so I didn't get to show everything I had planned, but it was still an eye-opener. The subject was ID Theft, and I tried to make the point that the goal of a financial institution should be two-fold in this area: stop data leakage that could provide information that an ID thief could use to perpetrate his crime, and employ measures to prevent an ID thief from using your institution to either open accounts (from loans to safe deposit boxes and deposit accounts) or conduct transactions on existing accounts.
I've been talking about id theft since last year when my identity was stolen, but have found a general apathy on the subject among bankers. I wanted to do something this time that would leave mouths hanging open. Apparently, I succeeded, as I demonstrated necrolarceny, taking the identity of Mister Rogers (Yes, THAT Mister Rogers), and showed how it could be assumed by someone else (in this instance, Andy, then Jim Bedsole), complete with drivers' licenses and all kinds of collateral ID documents. In very short order, we had authentic-looking DLs, birth certificate and much more. Before it was over, we had Andy outfitted with everything from fake DLs in Mister Rogers' name to a concealed weapons permit, press pass, pilot's license, you name it.
Then we spoofed Lucy Griffin taking over my identity and being outfitted, via downloaded templates from nasty sites and a little Photoshop magic, with all necessary identity documents, from picture IDs to library card. I got a special kick out of creating the fake card below, since I don't drive.
Seeing is believing. With an endless array of fakes popping up before their eyes, they saw, they believed. If you're constructing your CIP and your thought is, "Hey, if this person can show a DL or State ID and some secondary ID, it MUST be them," you should have seen this presentation. Chances are, your folks can easily be fooled by fakes, the fakes are readily available, and you need to think more creatively if you really want to identify your customer.
Well, gotta go. Tonight is the big BOL reception. We'll buy you all a virtual umbrella drink. I promise!
In terms of data leakage, that means several things. One is screening employees properly, monitoring them, training them. One temp employee of an insurance company stole bank account information on customers and used it to create 4300 ACH drafts to debit funds from those customers' accounts. The crooked employee used two stolen identities to set up bank accounts into which the ACH payments, totaling $764,000, were deposited. If a TEMP can do that much damage, imagine how big the potential risk really is. #
Monday, June 09, 2003
( 8:55 PM ) Mary Beth
The information security session this afternoon was interesting. One panelist talked about the level of detail given in the Al Qaeda Training Manual for how to use our banking system, get IDs and more.
If there is one word I have heard more than any other at this conference, it's RISK. Risk assessment, risk management, risk tolerance. Friday is the FDIC's Cybersecurity Risk Management Forum. Wish I was still going to be in town. Jeff Kopchik from FDIC noted that Dell has a new deal where, for an extra fee, they will configure a server you buy from them so it meets the CIS Level 1 standards. That allows you to basically start out in a more secure position.
He, or Cliff Wilkes (OCC), also mentioned that the Center for Internet Security Web site offers a template to lead you through how to do a risk assessment. I'll be looking for it on cisecurity.org. You can also look there for free scanning software and Level 1 benchmarks.
Cliff talked about doing a risk assessment, then marrying it to strategy. He emphasized that until you really test it, you don't know if it works or not. Ask yourself: Does our institution have sufficient technical expertise to really be able to tell if a vendor is doing what it needs to do in the way it should be doing it?
This is my favorite type of moment at the conference -- the opportunity to just relax and chat with old and new colleagues. Unfortunately, there are so many good sessions that there's not much time for this sort of thing.
Did we tell you Louvera is adopting two little girls, ages 6 and 11? They arrive this weekend and she'll be taking some time off this weekend. Congratulations, Louvera!
Louvera is a member of the BOL Advisory Roundtable, as are Al Miller, Leslie Callaway and Allan Virr (in terms of those members who are here at this conference).
Leslie's the one in the center of the back row. . . Louvera is in last night's group photo and was in on the Vatican mischief, as was Al Miller.
Highlights from the recent compliance officers' survey were covered today. Interesting stuff! Mike Maher introduced the session in his inimitable way.
Peggy Wilson (Bankers Systems), BOL Guru Barb McGuire, Tom Bernowski, and ABA Banking Journal's Steve Cocheo discussed the results. I found interesting the fact that 20.6% of the 1,000+ respondents said they wear four hats in their role as compliance officer -- the CRA hat, privacy hat, BSA/AML cap, and OFAC cap. The full, comprehensive version of the report will be available for sale this summer, but you can begin using the summary now to examine what the survey shows on how each compliance dollar is allocated; how compliance is set up and where it reports; how much respect compliance gets; who does compliance; compliance officer profiles; and accountability.
Carin and I enjoyed spending some time with former colleagues from TFP, Tim White and Glenn Gottfried.
These are some of the folks from the ABA Bank Compliance magazine -- new editor Joe Kelly, publisher Larry Price, and advisory board members Bonita Jones and Judy Gauthier.
Dennis Algiere and Richard Harvey have been doing awesome jobs as co-chairs of the conference. Rumor has it that Dennis will be making a run for Congress. . .
Did I mention that Andy got a standing ovation this morning?
Paul Smith from ABA meets up with BOLers Anna Rentschler and Andy. Anna was recounting her daughter's ID theft tale to me and mentioned that when her daughter tried to report it to the police, they just "pushed the TS button". I had never heard that expression before (must be a Mexico, Missouri special!), but I didn't need an interpreter and mentally bookmarked it as one to remember.
Bankers' Hotline Editor and BOL Essential Person Barb Hurst and ABA Banking Journal Editor Steve Cocheo swap stories on the crush of print deadlines and the cow collection Steve never wanted, but got anyway.
Above, Andy poses with a new poster they'll be using for their CIP program.
BTW, great food here, too. Can you tell?
( 8:26 AM ) Mary Beth
News Flash! Guess who won ABA's Distinguished Service Award? Hint: He's probably the best known person on the BOL Site -- a prolific poster, an original guru. You guessed it! Andy Zavoina. Congratulations! Very well-deserved.
Normally, I'm not too excited about politicians, but Mike Rogers, this morning's first speaker, pictured below, is an exception. He was instrumental in drafting the PATRIOT Act and as a former FBI special agent, before becoming a Congressman, he had valuable expertise to contribute to the process. His message was inspirational -- like a pep talk and thank you message rolled into one to tell bankers how valuable their PATRIOT Act efforts really are.
Sessions today focus on INFORMATION SECURITY, AML/OFAC, GOVERNMENT LISTS, DEPOSIT REGULATIONS UPDATE, CONSUMER LITIGATION'S IMPACT ON COMPLIANCE, CRA AND MORE. Details on those as we get them.
Since we were in the Vatican Room last night at the restaurant (we joked that we were really at the Vatican embassy), David Dickinson (who is such a ham!) kissed my ring as I sat in the throne chair. We were cracking up.
More later! Gotta run to a session. #
( 4:48 AM ) Mary Beth
Up way too late last night. These conferences are all about sleep deprivation.
I left this pic big so you could really see a few of your BOL compatriots. Click here to see it.
News? The regulators are working on a set of Q&As on Section 326. They're hoping to address many of the still-unanswered questions. Then, it's on to the examination procedures.
The FTC is working on an information security checklist/audit-type guide for businesses that will aid businesses in assessing risks to info security and figure out what they need to do.
Factoid I didn't know -- silly me -- the FATF NCCT list (non-cooperating countries and territories list relating to money laundering matters) is affectionately known as the "Name and Shame" list.
I'll dig out my notes later from yesterday, but the real meat on 326 and 314 will come tomorrow. Gotta go right now. Another session is calling to me. #
Sunday, June 08, 2003
( 4:07 AM ) Mary Beth
WE'RE HERE! Arrived in DC mid-afternoon yesterday. It was raining, but that didn't dampen anyone's enthusiasm. This is a view of the hotel room's pool. A few minutes later, I noticed a lone swimmer doing laps. He kept it up for over an hour. A banker, do you think?
Just so you'll feel like you're practically here, welcome to the hotel! Come on in and make yourself at home. This is my room. The way I pack, I needed plenty of room to spread out. Huge purse, briefcase, then two suitcases -- each of which exceeded the weight limit. Paid a fine because my bags were nearly 80 pounds each, and the limit is 60!
Since I am giving an ID theft presentation and performing magic with Jim and Andy, I have a bizarre assortment of "stuff". Lots of fake ID info and examples, in print and on computer, magical paraphernalia, hundreds of BOL buttons. Yikes. I'm sure security had fun looking when they opened BOTH big bags. I expected to be put in a little room and interrogated, but am happy to report I was not.
Ran into Allan Virr (left) from New England and Richard Noble (who works with Chuck Lewis at UMB Financial Consulting) down in the lobby and had a great chat. Dennis Algiere and his wife were there, too. It was nice to meet Dennis in person, after doing an ABA teleconference with him months ago on information security. Lucy Griffin emerged from a full day of meetings and told us of her negotiations with her insurance company (following a car accident not her fault last month) that led to a new car. I was glad to see she is fine -- no lingering pain.
Andy Zavoina, Jim Bedsole and I went off to dinner, then back to my room to plot out our strategy for the magic show at Tuesday's networking reception. We got on quite a roll, performing illusions for each other, and it was after 11:00 before they departed. Andy was headed downstairs to get online at that point. Doesn't that sound just like him? The pics below show us having fun playing with props and supplies. More later! I've got to go find ice for a much-needed shot of Diet Coke. I didn't end up getting to bed until after 1:00 AND It's time for me to get ready for a meeting of joint ABA compliance-related committees. I'm going because I'm on the magazine editorial advisory board. Then it's freak-out time before my presentation!!
Thursday, June 05, 2003
( 7:39 AM ) Mary Beth
Just a couple more days before we head out for DC to attend the ABA NRCC. If you haven't told us you'll be there, please do. Send me a private message on the threads, or shoot me an email at firstname.lastname@example.org.
Wednesday, June 04, 2003
( 8:40 AM ) Mary Beth
audblog audio post -- Is your board squirming yet?
Tuesday, June 03, 2003
( 7:24 PM ) Mary Beth
If you thought your frontline folks were confused before, wait until the CIP rules take effect. I'd love to be a fly on the wall when you have some of these conversations:
I know we used to only worry about getting a SSN for the first-named party on a joint account, but things are different now. We need TINs on all joint owners.
Yes, you need little Johnny's TIN for the UTMA account. But the "customer" for CIP purposes is his dad, the custodian, so you'll also need his dad's TIN and information.
When you're opening an account for an informal entity, like the Class of 2003 Reunion Committee, you need to require a TIN to be obtained for the entity, because IRS says they're supposed to have one. And you need to style the account in the name of the entity so you have a match between the TIN and the name. But don't forget that for CIP purposes, the "customer" is whoever shows up to open the account and you have to get their identifying number and verify their identity. Got it?
Start your training early . . .
Have you ever noticed how being in the banking business skews the way you look at things that go on in the world?
I woke up in the middle of the night thinking about the challenges institutions will face in trying to decide whether to rely on documentary or nondocumentary means for identity verification and what they might want to require from customers. Chad (the BOL graphics genius) helped me turn my midnight musings into the cartoon below.
You'll find a matching ecard in the BOL eCard Exchange.
I just read that Visa USA said it processed $1 trillion worth of transactions during a 12 month period. Don't you wish they had published some really important corollary statistics -- like how many Reg E claims had been made by cardholders in that span of time; how many PINs are written on the back of the debit cards used to make those transactions; what percentage of cardholders actually read the disclosures given to them?
The company redoing the pool in our backyard has performed so badly that we were tossing a coin this weekend trying to decide whether to file suit or register an anti-domain (soandsopoolcompanystinks.com) and vent our frustration. I couldn't help but wonder which bank is financing these bozos and whether they realize its business practices could hurt its ability to repay borrowings . . .
I've enjoyed the tv drama "John Doe" this year about a guy who wakes up naked on an island with no memory of who he is or what has happened to him. Although he knows nothing about himself, he has instantaneous recall of virtually every other fact on the planet. He gives himself the name John Doe and uses his mental gifts to solve crimes, make big money in the market, and impress others. Every time he visits his brokerage firm, we scream at the tv. "How did he open an account if he has no name, no identity?"
Only one conclusion. Bankers are weird. Banking lawyers are even stranger. . .
Hope to see big bunches of you in DC next week. Be sure to get a BOL button and a Threads name tag from me! It's going to be soooo much fun. But just wait until we have the first BOL real-world conference!