#669164 - 01/19/07 10:10 PM Incident Response - Notification to Regulator
Expedition Offline
Joined: May 2002
Posts: 54
The incident response guidance clearly recommends notification to your regulator of breaches, but it does not provide guidance as to when you should report (i.e. is there a severity level) to your regulator. One recent example: our customer's account # and SS# were obtained somehow by another individual, but we're fairly sure it was not through us. That individual used the account number and SS# to access our VRU and initiate a transaction to transfer funds from savings to checking. The individual also used the account # to attempt to initiate a series of ACH debit transactions. We caught it early and no money was lost. To me this is just a normal ID theft case, but because our system was accessed it triggered our incident response program. Would an ID theft case involving one individual warrant reporting to the regulator?

#671796 - 01/25/07 01:46 PM Re: Incident Response - Notification to Regulator Expedition
DeeQ Offline
10K Club
Joined: Dec 2002
Posts: 40,763
Turnpike Exit 10
I would probably only report system-wide failures, such as batches of debit cards lost, data files breached or compromised, things of that nature. I don't think that it is necessary to report an isolated instance of ID theft.
Get your facts first, then you can distort them as you please. - Mark Twain

#1385964 - 05/04/10 10:29 PM Re: Incident Response - Notification to Regulator DeeQ
misha Offline
Joined: Jul 2006
Posts: 56
Bringing up an old post - we have examiners here - they're indicating that we should report to our regulator on all incidents "involving unauthorised access to or use of sensitive customer information." Has anyone got any recent info on this?

#1388254 - 05/10/10 01:46 PM Re: Incident Response - Notification to Regulator misha
Midwest Banker Offline
Gold Star
Joined: Nov 2004
Posts: 349
No, but this would be a huge burden, not only on you, but on your regulator as well. Think about all the debit/credit card that takes place. Is this what they really want, as this is unauthorized access?

#1388355 - 05/10/10 03:25 PM Re: Incident Response - Notification to Regulator Midwest Banker
Kathleen O. Blanchard Offline

10K Club
Joined: Dec 2000
Posts: 21,277
I have personally received (as a banker) and now have clients who have received requests like this. Usually the regulator will clarify that they want a heads up on any loss of data that could result in the bank's name in the paper - other than debit/credit card stuff that is out there anyway. They want a heads up in case anything hits the paper and they get a call from reporters prior to an SAR reaching them via the regulatory pipeline.

I would discuss it in more detail to clarify what they are trying to accomplish.
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy


Moderator:  Andy_Z