Commonly cited violations have long been a source of important information for the design and management of compliance programs.
We have separated our Customer Information Security Review into "two" sections - one relating to our information system (computers, software, etc.) and one for security of the customer information (documents, information we give out over the phone, etc.). Can anyone recommend an audit program relating to the security of customer information?
In the past, we sent mortgage loan closing documents to the title company via the internet. We stopped this practice because we feel that without having a secured e-mail line, and without encrypting the data, we would be in violation of GLB. Same with sending our Good Faith Estimates, or other disclosures. We stopped sending via e-mail to customers because of GLB issues. Are we correct in that it would be a violation of GLB to send non-public financial information electronically over a non-secure line?
Our bank has a "Mortgage Bank" that is housed in a building separate from other bank operations. They do not accept deposits or handle cash. Under the Bank Protection Act, is this building required to have security devices such as cameras, alarms, etc.?
As it relates to IT examinations, what are the top "hot buttons" for regulators?
Do you think your customer accounts are safe? Do you think hackers only attack computer systems? Do you believe your institution is too small to be of interest to international criminals?
When opening an account for a new customer must the individual present his or her social security card or provide documentation to verify the SS#, as a result of the provisions of the USA PATRIOT Act? Is not providing the SS# along with proper ID enough? Many individuals don't have anything with the SS# on it or carry it with them. We don't want to turn prospective account holders away for not having their SS Card.
Our branches save their teller trash for one week in tied plastic bags. There is a long tradition of doing this in banking for researching out of balance situations or disputes. In our highly computerized environment, and concern for customer information security, it does not seem that there would be any value from a research standpoint in saving this garbage now. Anything with customer information would be shredded. I am interested in your thoughts on this.
An examiner (OCC) told me all employees have to be trained on each regulation every 18 months. Where can I find this requirement in the regulations?