Skip to content
BOL Conferences
Thread Options Tools
#39059 - 10/25/02 07:34 PM SAFETY & SOUNDNESS EXAM
Anonymous
Unregistered

One question:
1.Examiners are requesting info about Information Security Program (GLBA 501b) - Is this the privacy opt-out notice, etc?

Return to Top
General Discussion
#39060 - 10/25/02 07:40 PM Re: SAFETY & SOUNDNESS EXAM
ahou Offline
Power Poster
ahou
Joined: Aug 2002
Posts: 3,094
No. There are Interagency guidelines on safeguarding customer information. (issued 2-1-01 Fed Register vol 66 no. 22) You must have a program in place using these guidelines. Who is your regulator. I can give you a cite.
_________________________
Opinions are my own and not of my employer.

Return to Top
#39061 - 10/25/02 07:44 PM Re: SAFETY & SOUNDNESS EXAM
Anonymous
Unregistered

Thank you for such a prompt reply....I think. Our regulators are the FDIC. The examiner referenced Privacy, however, the request list did not correlate with our prvacy notice, etc.
Thanks again for your help.

Return to Top
#39062 - 10/25/02 07:47 PM Re: SAFETY & SOUNDNESS EXAM
ahou Offline
Power Poster
ahou
Joined: Aug 2002
Posts: 3,094
Also see 12 CFR parts 308 & 364
_________________________
Opinions are my own and not of my employer.

Return to Top
#39063 - 10/25/02 07:51 PM Re: SAFETY & SOUNDNESS EXAM
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
We recently completed a safety and soundness exam. They hammered on this issue. They said that since it was so new that any findings would not effect our rating this time but they did cite ALL of their thoughts in the report. Beware!

Return to Top
#39064 - 10/25/02 08:06 PM Re: SAFETY & SOUNDNESS EXAM
Nanwa Offline
Power Poster
Nanwa
Joined: Oct 2001
Posts: 5,564
Clintonville, WI, USA
Does it matter if we have all the areas addressed in other policies, or do I need to repeat myself with yet another policy?
_________________________
Member of the National Sarcasm Society - like we need your support!

Return to Top
#39065 - 10/25/02 08:19 PM Re: SAFETY & SOUNDNESS EXAM
Tina A Sweet Offline
Diamond Poster
Tina A Sweet
Joined: Aug 2001
Posts: 1,033
Marysville, Ca.
Just a note. GLB 501(b) covers the following under 12 CFR 30

II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

B. Objectives. A bank's information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

This program is required to be implemented as a whole using Inforamtion Technology and physical safeguards. We were sited on not having it in one package.




_________________________
Tina A Sweet-Williams
AVP Special Assets
mailto:tsweet@goldcountrynb.com

Return to Top
#39066 - 10/25/02 08:26 PM Re: SAFETY & SOUNDNESS EXAM
Nanwa Offline
Power Poster
Nanwa
Joined: Oct 2001
Posts: 5,564
Clintonville, WI, USA
We have an EDP Policy, Disaster Recovery Policy, Statement of Intergrity of Records, Network Policy, Microcomputer Policy, Privacy Policy, Record Retention Policy, and Imaging Policy, all of which address security of information. Are you saying I still need to repeat it again in a separate policy???

I hate regulators. (Sorry to the Unknown Examiner out there!)
_________________________
Member of the National Sarcasm Society - like we need your support!

Return to Top
#39067 - 10/25/02 08:34 PM Re: SAFETY & SOUNDNESS EXAM
MackenzieS Offline
Diamond Poster
MackenzieS
Joined: Jul 2002
Posts: 1,722
Oklahoma
We are regulated by the FDIC and when this was all the hot topic a while back, I actually called our local examiner-in-charge and talked to him about this. We are a small community bank that has had policies in place for everything and I didn' want to create one just because we had to. He would ask me questions about certain issues and I would answer which policy they were already covered under. Finally he conceded that as long as these issues were covered in other policies and we could provide evidence, there was no reason to reinvent the wheel. We refered to our 1)HR policies: employees sign that they will keep all customer information confidential...., 2) Microcomputer policies: Discusses the security of information on PC's, virus protection, procedures backup and security of tapes, etc.., 3) EDP policy: no access to the Data Processing room without authorization or a business need to be there, password controls to core processing system, adding/deleting users, 4) audit program: audit reviews all existing/new/deleted users to core system, performs audits over record retention/destruction, reviews and investigates all activity on the core system each day for any maintenance/modifications/unusual user access...
Anyway, I could go on but this was basically the types of issues I covered with our examiner. Of course there is much more to it than this, it really depends on how much you can verbally convince them and how much you can provide in writing with other policies. Good luck!

Return to Top
#39068 - 10/25/02 08:39 PM Re: SAFETY & SOUNDNESS EXAM
downstown Offline
Gold Star
Joined: Aug 2001
Posts: 295
St. Louis, MO
We were faced with the same issue of repeating existing policies. What we did was create an Information Security Policy that references other polices that address information security (much like an index).

Return to Top
#39069 - 10/25/02 10:00 PM Re: SAFETY & SOUNDNESS EXAM
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Last year when FDIC was in (Compl & CRA) they did look at our Privacy Program. I put together a binder which includes our Privacy Policy, all committee minutes, board review minutes, intrusion testing results & training etc.

They were quite impressed and because everything was housed under one binder did not look further. They already cover all other safeguarding issues with IS (and policies & procedures) and with the new guidelines just published for IS you would hope you've already got them covered and reviewed & approved by the BOD. With the change of the annual notice going to the end of the year, we (the committee) will meet at least annually now, take minutes etc. and everything will be in one spot for future audits etc.

Note: We also recently had an audit in NDIP, and one of the requested items was the "Privacy Policy".

Return to Top
#39070 - 10/25/02 11:47 PM Re: SAFETY & SOUNDNESS EXAM
Tina A Sweet Offline
Diamond Poster
Tina A Sweet
Joined: Aug 2001
Posts: 1,033
Marysville, Ca.
I would say listen to those who have the same regulator as you and then call and be sure that is what they want you to do. Actually email them, and take a copy.
_________________________
Tina A Sweet-Williams
AVP Special Assets
mailto:tsweet@goldcountrynb.com

Return to Top
#39071 - 10/28/02 03:49 PM Re: SAFETY & SOUNDNESS EXAM
Anonymous
Unregistered

We currently have OTS on the premises. They are going over Customer Information Security with a "fine toothed comb". In answer to several of the other posters above...no, they are not looking for additional policies. They want to see "procedures". We had all of the written policies in place, but they want to know what we are actually doing to implement those policies. What are the risks to customer information in any form...paper, electronic, micro-fiche, loan files, etc.? And what are you doing to protect that infromation wherever it is located? Much of their focus is on technology...password protection, firewalls, intrusion detection software, etc. but they also want to know about paper sitting on a loan officer's desk or how your trash is disposed of. Very interesting exam to say the least. They said that "this time" their findings will not affect ratings, but "next time" they will not be as kind and gentle.

Return to Top
#39072 - 10/28/02 04:06 PM Re: SAFETY & SOUNDNESS EXAM
BankerMama Offline
Diamond Poster
BankerMama
Joined: Jun 2001
Posts: 1,543
Isn't it interesting how the regulators are so intense on "programs" right now? Customer Identification PROGRAM, Information Security PROGRAM..............

Return to Top
#39073 - 10/28/02 08:12 PM Re: SAFETY & SOUNDNESS EXAM
Tina A Sweet Offline
Diamond Poster
Tina A Sweet
Joined: Aug 2001
Posts: 1,033
Marysville, Ca.
We were asked the same questions. We actually have procedures in place and have them on our intranet. What we did not have was the physical and technical portions of the risk assessment combined into one policy and procedure. This is where our criticism was and we were required to complete it within 60 days after the exam. Never the less, since we had all in place, putting them in one package was easy.
_________________________
Tina A Sweet-Williams
AVP Special Assets
mailto:tsweet@goldcountrynb.com

Return to Top
#39074 - 10/28/02 08:30 PM Re: SAFETY & SOUNDNESS EXAM
complyguy Offline
Gold Star
complyguy
Joined: May 2001
Posts: 494
PA
May I assume that those of you who have been criticized for not having a unified program are larger banks? The reason I am asking is that the OCC examination procedures for small, noncomplex banks specifically state that the various elements do not have to be in one place. Since we are a small, noncomplex bank, I have based my audit program for Safeguarding Customer Information on their procedures.

Return to Top
#39075 - 10/28/02 08:33 PM Re: SAFETY & SOUNDNESS EXAM
Tina A Sweet Offline
Diamond Poster
Tina A Sweet
Joined: Aug 2001
Posts: 1,033
Marysville, Ca.
No, actually complyguy I am a bank with only 94M in assets.
_________________________
Tina A Sweet-Williams
AVP Special Assets
mailto:tsweet@goldcountrynb.com

Return to Top
#39076 - 10/29/02 02:36 PM Re: SAFETY & SOUNDNESS EXAM
complyguy Offline
Gold Star
complyguy
Joined: May 2001
Posts: 494
PA
The statement I referred to is located in OCC Bulletin 2001-35, Attachment A, page 2, in the right-hand column of item C.1. http://www.occ.treas.gov/ftp/bulletin/2001-35a.pdf

It simply states that there must be coordination of the elements. "One master program is not required."

Return to Top
#39077 - 10/29/02 04:01 PM Re: SAFETY & SOUNDNESS EXAM
BANNED BY BOL MANAGEMENT Offline
Platinum Poster
BANNED BY BOL MANAGEMENT
Joined: Oct 2002
Posts: 524
It's the political climate. Privacy isn’t a safety and soundness issue, nor is BSA. They both belong on the compliance exam, but they are hot issues and it looks like everyone gets one exam before privacy issues are actually cited in the report.

Return to Top
#39078 - 10/29/02 07:41 PM Re: SAFETY & SOUNDNESS EXAM
Anonymous
Unregistered

Has anyone attempted to design their Information Security Policy to replace many of the other policies addressing security concerns........Internet Banking Policy, Microcomputer Policy, Telephone Banking Policy, etc?

Return to Top
#39079 - 10/29/02 10:26 PM Re: SAFETY & SOUNDNESS EXAM
Rangers Fan Offline
Gold Star
Rangers Fan
Joined: Dec 2001
Posts: 345
Just making sure-are you saying you disagree with the fact that privacy and BSA are included in S&S exams and you think they should be included in compliance?

Return to Top
#39080 - 10/29/02 10:28 PM Re: SAFETY & SOUNDNESS EXAM
Lestie G Offline

Power Poster
Joined: May 2002
Posts: 3,608
Near the Land of Enchantment
The OCC considers BSA a safety and soundness issue.
_________________________
Opinions my own.

Return to Top
#39081 - 10/29/02 10:35 PM Re: SAFETY & SOUNDNESS EXAM
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
In reply to:

it looks like everyone gets one exam before privacy issues are actually cited in the report


Caveat, Unless they are flagrant violations.

And different agencies do vary somewhat on BSA and Reg. O. Also, IT is an issue that can be mixed between S&S, compliance and BIS (or whatever they call it now, IT, IS). They may be looking at safeguarding customer info, LAW/WAN security, etc.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top