#1717331 - 07/05/12 06:18 PM ACH Originations Security Survey
3 yrs to go Offline
New Poster
Joined: Mar 2011
Posts: 24
Our examiners told us to survey our ACH origination customers to determine what security measures they have in place to prohibit outsiders from hacking their systems. Has anyone developed a survey for their customers to use to assess their onsite IT security environment? Would you be willing to share?

#1717372 - 07/05/12 06:58 PM Re: ACH Originations Security Survey 3 yrs to go
HappyGilmore Offline
10K Club
Joined: Jun 2004
Posts: 19,854
Pulling people out of the ditc...
I would assume that your contract with your originators covers that they will use commercially reasonable means to prevent unauthorized access, any breach is required to be reported immediately, use of tokens or other access devices, that you send periodic reminders about security, etc? If so, I'd tell the regulators to buzz off, you aren't about to open that can of worms with the customer...
_________________________
Providing alternative truths since the invention of time

#1717574 - 07/06/12 02:10 PM Re: ACH Originations Security Survey 3 yrs to go
Sallaia Offline
Junior Member
Joined: Jul 2011
Posts: 42
Tennessee
That is a new one to me. We do the same thing as Happy. The FFIEC guidance references customer education, etc., but not micro-managing the security measures on our customers' systems.
_________________________
Any opinions expressed are my own and do not necessarily reflect those of my employer.

#1717679 - 07/06/12 04:07 PM Re: ACH Originations Security Survey 3 yrs to go
John Burnett Offline
10K Club
Joined: Oct 2000
Posts: 40,086
Cape Cod
On the other hand, this week's reversal of last year's PATCO v. Ocean Bank decision should give bank security officers pause. When I read that decision, I was amazed that the lower district court had ever found in favor of the bank. According to the appeals court decision, the bank had a nice sophisticated and apparently high-end security system in place to detect and prevent unauthorized transactions via its internet banking portal, including unauthorized access by compromised commercial customer computers. But the bank either failed to read the "user manual" or found the management of the system too cumbersome, because it failed to pay attention to what should have been wildly waving red flags in system reports until after PATCO sustained a loss of over $345,000 in an account takeover. The bank allegedly even made some "tweaks" to the system parameters that made PATCO and other customers more susceptible to such takeovers.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8


Moderator:  Andy_Z