A big part of our IT Security budget is spent on GLBA compliance. Are we doing something wrong?
An examiner (FDIC) found that we should have a formal referral system for reporting what is suspected to be suspicious activity to me, the BSA Officer. She suggested that I create a form available to all employees to be completed by any employee who sees what he or she considers suspicious activity. Does such a form exist and if so, where can I find it? If not, what information would you think I need to include in the form?
How can a bank achieve assured compliance given the constrained information security budgets today?
A banker was dismissed for dishonesty and has since applied for employment at another bank. Should we inform the other bank of his or her past?
Among credit risk, market risk and operational risk, developing a good operational risk management program seems to be the most challenging. Can't our existing compliance processes (e.g., AML, Red Flags, GLBA, etc.) contribute to operational risk management?
Are government agents or law enforcement employees exempt from providing their personal information for CIP when they open accounts?
Should training on our business continuity plan be separated into two training sessions? For example, should we conduct one for management / supervisory positions on how to execute the BCP and another for non-management / supervisory positions on whom to contact during a disaster?
Where can I find a specific reference showing the requirements for annual background checks on employees?
I have attended the Security Institute and have a question. Should security know if an employee is going through a foreclosure? In these desperate times people may become capable of desperate measures, but their personal privacy is also important. How do we handle this from a security standpoint?
We have a business owner who is insisting on cashing employee checks. The checks are made payable to the employee, signed on the back by the employee and then endorsed by the business owner. This does not seem right since we have no real way of knowing if the employee really exists or if the employee is getting all the money from the cashed item.