Center of Regulatory Intelligence July 10, 2017 Trending Issues in Fraud


Page 1: Center of Regulatory Intelligence - Capco… · Managing Director, Center of Regulatory Intelligence Peter has more than 16 years of government and consulting experience in advising

Center of Regulatory Intelligence July 10, 2017

Trending Issues in Fraud


Regulatory Intelligence Briefing – July 2017

www.fisglobal.com/RISC

Table of Contents

A. Editorial Note from the Managing Director, Center of Regulatory Intelligence (p. 3)

B. Washington, D.C. Regulatory Roundup (p. 4)

C. Congressional Hearing Summary: State Action Protecting Persons from Fraud (p. 5)

D. FOCUS: Trending Issues in Fraud (p. 7)

E. President Trump’s Executive Order on Cybersecurity (p. 15)

F. Did You Know? (p. 21)

G. About FIS’ Center of Regulatory Intelligence (p. 22)


A. Editorial Note from the Managing Director, Center of Regulatory Intelligence

This month’s Regulatory Intelligence Briefing provides insight into fraud trends and summarizes why fraud remains a hot topic within financial institutions today. We highlight some of fraud’s trending areas, such as call center and wire fraud, and conclude with ways in which financial institutions can proactively deter both new trends and common fraud practices.

Today, the necessity of strong cybersecurity measures is self-evident. Cyberattacks and data breaches are increasingly damaging companies, governments and institutions. President Donald Trump’s recent executive order on cybersecurity highlights the increasing attention toward cybersecurity risks. We look into the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, break down the order by section and follow with an overview of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We then explore how cybersecurity policy has advanced over the years and conclude with some cybersecurity best practices.

We also examine a few recent state legislative trends regarding the desire to protect vulnerable persons from financial fraud. Some states, in an attempt to keep up with technological developments that place additional classes of people at risk, have developed laws regarding cyber fraud in areas such as elder abuse and online dating.

A majority of states have passed legislation protecting elders from various forms of abuse; the elderly are common targets for fraudsters because the victims are generally in better financial situations than younger people and commonly rely on others in a larger capacity. Fraud related to online dating has also been on the rise and we will explore the measures certain states are taking to deter online dating fraud. We remain focused on ensuring that your institution understands state trends and broader regulatory expectations.

Peter D. Dugas, Managing Director, Center of Regulatory Intelligence

Peter has more than 16 years of government and consulting experience in advising clients on supervisory matters before the U.S. government and in the implementation of enterprise risk management programs. He is a thought leader in government affairs and regulatory strategies in support of banks’ and financial institutions’ compliance with the Dodd-Frank Act and Basel Accords. Prior to joining FIS™, he served as a director of government relations at Clark Hill and in senior government positions, including serving as a deputy assistant secretary at the United States Department of the Treasury.


B. Washington, D.C. Regulatory Roundup

Regulatory and Compliance Alerts

FTC Releases Annual Financial Acts Enforcement Report to CFPB

On June 1, 2017, the Federal Trade Commission (FTC) released its 2016 Annual Financial Acts Enforcement Report to the Consumer Financial Protection Bureau (CFPB). The report covers enforcement and other activities related to Regulation Z (Truth in Lending Act), Regulation M (Consumer Leasing Act) and Regulation E (Electronic Fund Transfer Act).

FDIC Adopts Supervisory Guidance on Model Risk Management

On June 7, 2017, the FDIC adopted the supervisory guidance on model risk management the FRB previously issued in SR 11-7 and the OCC issued in OCC Bulletin 2011-12. The guidance addresses supervisory expectations for model risk management, including: model development, implementation and use; model validation; and governance, policies and controls.

Department of the Treasury Requests Comment on Foreign Securities Annual Survey

On June 15, 2017, the Department of the Treasury requested comment concerning the revision of the "Annual Report of U.S. Ownership of Foreign Securities, including Selected Money Market Instruments" annual survey. The proposed changes impact the instructions, not the forms (or schedules). Comments are due by August 14, 2017.

OFAC Publishes New FAQs regarding Cuba

On June 16, 2017, the Office of Foreign Assets Control (OFAC) published a FAQ document related to President Donald Trump's recent announcement regarding Cuba sanctions. The document includes 12 questions and answers, including a note that the announced changes do not take effect until the related regulations are issued.

SEC Requests Comment on Extension of Broker-dealer Information Collection on OTC Securities

On June 16, 2017, the SEC requested approval of an extension of the previously approved collection of information related to over-the-counter (OTC) securities, which Rule 15c2-11 (17 CFR 240.15c2-11) provides for under the Securities Exchange Act of 1934. Comments are due by July 16, 2017.

HUD Requests Comment on State CDBG Program

On June 16, 2017, the Department of Housing and Urban Development (HUD) requested comment from all interested parties on the proposed collection of information related to the State Community Development Block Grant (CDBG) Program. Comments are due by August 15, 2017.

OCC Issues Licensing Manual Booklet on Articles of Association, Charter and Bylaw Amendments

On June 19, 2017, the Office of the Comptroller of the Currency (OCC) issued a new booklet, titled “Articles of Association, Charter, and Bylaw Amendments,” of the Comptroller’s Licensing Manual. This booklet consolidates the OCC’s policies and procedures regarding articles of association amendments for national banks, charter amendments for federal savings associations and bylaw amendments for national banks and federal savings associations.


C. Congressional Hearing Summary: State Action Protecting Persons from Fraud

Introduction

Recent trends at state legislatures show a desire to pass new laws to protect vulnerable persons from financial fraud. The development of new technologies is creating new classes of people that states are trying to protect. State laws dealing with elder abuse and online dating protections are explored below.

Elder Abuse Fraud

Elder abuse has been around for centuries. As defined by the Administration on Aging, the term “elder abuse” refers to “any knowing, intentional, or negligent act by a caregiver or any other person that causes harm or a serious risk of harm to a vulnerable adult.” As the definition is so broad, all 50 state legislatures have passed some kind of law protecting elders. Elders make an easy target for fraudsters because they are generally in better financial situations than younger people and tend to rely on others more often.

The laws range from general to specific for financial elder exploitation. For example, Colorado mandates reports of the mistreatment of at-risk elders. Under Colorado law, an “at-risk elder” is defined as any person who is seventy years of age or older. Mistreatment includes abuse, caretaker neglect or exploitation. The statute is very broad and covers a large group of persons who are required to report mistreatment, or an imminent risk of mistreatment, within 24 hours after witnessing it. Those required to report range from anyone providing healthcare services to veterinarians and clergy members, with some exceptions.

The law also specifically requires, “Personnel of banks, savings and loan associations, credit unions, and other lending or financial institutions who directly observe in person the mistreatment of an at-risk elder or an at-risk elder or who have reasonable cause to believe that an at-risk elder has been mistreated or is at imminent risk of mistreatment,” to report elder mistreatment.

North Carolina goes further, protecting older adults (those 65 or older) and disabled adults by criminalizing their exploitation. The law makes it unlawful for a person to “knowingly, by deception or intimidation, obtain or use, or endeavor to obtain or use, an older adult’s funds, assets, or property with the intent to temporarily or permanently deprive the older adult or disabled adult of the use, benefit, or possession of the funds, assets, or property, or to benefit someone other than the adult or disabled adult.” The law also criminalizes conspiring with another person to deprive the older adult or disabled adult of their funds, assets or property. A violation of the North Carolina statute is a felony, with the degree depending on the circumstances.

During the 2017 legislative session in Texas, legislation was passed that goes even further than the laws in states like Colorado and North Carolina. The new law, taking effect September 1, 2017, focuses on suspected financial exploitation of vulnerable adults, which includes elderly adults and disabled adults. It requires an employee of a financial institution to report internally: when the employee “has cause to believe that financial exploitation of a vulnerable adult who is an account holder with the financial institution has occurred, is occurring, or has been attempted, the employee shall notify the financial institution of the suspected financial exploitation.” The financial institution must then file a report with the Texas Department of Family and Protective Services. The law also allows a financial institution, after submitting a report, to notify a third party “reasonably associated with the vulnerable adult” of the suspected financial exploitation and to place a temporary hold on any transaction that involves an account of the vulnerable adult and that the financial institution has cause to believe is related to the suspected financial exploitation.


Online Dating Protections

Similar to elder abuse, fraud related to online dating has been on the rise. When speaking to someone over the internet in a romantic setting, a person is more likely to disclose personal information that could lead to fraud, for instance answers to common security questions linked to online accounts, such as a mother’s maiden name or a first car. States have taken notice and have passed legislation to combat some of these practices.

The initial state laws dealing with online dating focused primarily on background checks for those using the websites to meet others and on risk warnings. For example, a New Jersey law passed in 2007 required online dating sites to inform residents of the state about potential risks of participating in Internet dating services, including whether or not the Internet dating service performed criminal background checks. The state law primarily focuses on risk awareness.

Recently, states have begun to expand their legislation to be more reactive. A law that took effect January 1, 2017, in Vermont requires an Internet dating service to disclose to all of its Vermont members that they have communicated with a person who is now banned from the service. Specifically, an Internet dating service is required to disclose the following to all of its Vermont members known to have previously received and responded to an on-site message from a banned member:

- The banned member’s user name/identifier
- Information about how the banned member may be using a false identity or may pose a significant risk of attempting to obtain money from members
- A reminder that a member should never send money or personal financial information to another member
- A hyperlink to online information that addresses how to avoid being defrauded by another member of an Internet dating service


D. FOCUS: Fraud

Introduction

As technology advances, so do the risk of fraud and the ways it can be committed. Over three million complaints were filed in 2016 with the Consumer Sentinel Network (CSN), an online database law enforcement uses for consumer complaints; 1.3 million of those complaints related to fraud. The top three fraud complaint areas were debt collection, impostor scams and identity theft. According to a report issued by the Federal Trade Commission (FTC), Florida, Georgia and Michigan experienced the most fraud, with complaints averaging between 1,083 and 1,305 per 100,000 people. With these three states at the top of the list, a correlation is suggested between high fraud rates and large populations of elderly people, immigrants and military personnel.

To better understand these statistics, this article provides a refresher on the basics of insider fraud and how insider fraud remains present in financial institutions today. Then, the article highlights some of the trending fraud areas and explores ways in which financial institutions can take a proactive approach to deterring fraud.

Insider Fraud

Insider fraud remains of paramount concern for financial institutions. According to the Association of Certified Fraud Examiners’ 2016 global fraud study, the banking and financial services industry experiences more cases of fraud than any other industry. While the technology associated with insider fraud has evolved, the actions themselves remain the same. Insider fraud is significant because it is a long-term threat to institutions when employees have unrestricted access to private data and overlapping duties with insufficient oversight. We discuss data theft, account takeovers and general ledger fraud, and how these types of insider fraud pose a threat to institutions because of their overarching influence within all business units.

Data theft fraud, broadly speaking, occurs when information that is personal, confidential or financial in nature is transferred or shared illegally. Account takeover fraud occurs when a criminal illegally takes control of an account (possibly through phishing, spyware or malware scams) and uses the account for personal gain. General ledger fraud occurs when information in the general ledger, the central repository that holds all of an institution’s financial and non-financial accounting data, is misused for illegal activity. These three types of insider fraud can harm institutions in several ways, including the loss of intellectual property, infrastructure disruption, monetary loss and reputational damage.

EXAMPLES AND KEY TIPS FOR FINANCIAL INSTITUTIONS

Account Takeovers

Examples:

- Personnel selling a customer’s PIN, email, credit card or account number to an external fraudster
- Personnel opening one type of account for a customer and setting up a different type of account without the customer's knowledge
- Personnel making unauthorized transactions on an account or giving the online credentials to an external fraudster

Key tips for financial institutions:

- Be aware of changes to customer contact information (e.g. phone number, email or address) followed by new payment requests (e.g. new card request, new check order, new online bill payee, etc.) within a specific timeframe.
- Be aware of changes to contact information that occur for a short period and are then restored.
- Be aware of changes in an account setting, such as overdraft limits and credit limits.
- Be aware of changes in relationships and rights between accounts and customers.
- Be aware of changes in access method followed by maintenance or financial transactions.
- Be aware of repeated cases of returned mail.

General Ledger Fraud

Examples:

- Misuse of an institution’s account information, such as using journal entries to identify repetitive and unique account sequences
- Moving funds between accounts without authorization
- Creating a fake company account and issuing payments to that account

Key tips for financial institutions:

- Be aware of debit transactions on general ledger accounts by setting a specific dollar amount threshold
- Track unusual transactions against internal accounts
- Note which employees have access to certain internal accounts
- Pay attention to unusual volume, activity or dollar amount of transfers or debits from internal accounts to employee accounts
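The account-takeover and general-ledger tips above are, in effect, detection rules over an account event stream. The following Python is an added example, not code from the briefing or from FIS, that expresses four of those tips as rules and runs them over a constructed event log: a contact-information change followed by a new payment request within a set window, a contact change that is restored shortly afterwards, general ledger debits above a dollar threshold, and transfers from internal accounts to employee accounts. The event kinds, account ids, the 7- and 14-day windows and the $10,000 threshold are assumptions chosen for the example.

```python
"""Rule-based red-flag checks over an account event log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data; event kinds, account ids, windows and the threshold are
# assumptions for this example, not values from the briefing.


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str                 # contact_change, contact_restore, new_bill_payee, gl_debit, ...
    actor: str = "customer"   # employee id or "customer"
    amount: float = 0.0
    counterparty: str = ""    # destination account for transfers


PAYMENT_REQUESTS = {"new_card", "check_order", "new_bill_payee"}


def _by_account(events):
    """Group events per account in time order so each rule can scan forward."""
    groups = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        groups.setdefault(e.account, []).append(e)
    return groups


def _followed_within(events, first_kind, later_kinds, window, label):
    """Generic rule: an event of `first_kind` followed by one of `later_kinds` within `window`."""
    alerts = []
    for acct, evs in _by_account(events).items():
        for i, e in enumerate(evs):
            if e.kind != first_kind:
                continue
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break            # events are sorted, so nothing later can match
                if later.kind in later_kinds:
                    alerts.append((acct, label, later.ts))
                    break            # one alert per triggering change
    return alerts


def contact_change_then_payment(events, window=timedelta(days=7)):
    """Tip: contact change followed by a new payment request within a timeframe."""
    return _followed_within(events, "contact_change", PAYMENT_REQUESTS, window,
                            "contact_change_then_payment")


def short_lived_contact_change(events, window=timedelta(days=14)):
    """Tip: contact change that is restored after a short period."""
    return _followed_within(events, "contact_change", {"contact_restore"}, window,
                            "short_lived_contact_change")


def gl_debit_over_threshold(events, threshold=10_000.0):
    """Tip: debits on general ledger accounts above a dollar threshold."""
    return [(e.account, "gl_debit_over_threshold", e.ts)
            for e in events if e.kind == "gl_debit" and e.amount >= threshold]


def internal_to_employee_transfer(events, employee_accounts):
    """Tip: transfers from internal (GL-) accounts to accounts owned by employees."""
    return [(e.account, "internal_to_employee_transfer", e.ts)
            for e in events
            if e.kind == "transfer" and e.account.startswith("GL-")
            and e.counterparty in employee_accounts]


def run_all(events, employee_accounts, gl_threshold=10_000.0):
    """Run every rule and return (account, rule, timestamp) tuples in time order."""
    alerts = (contact_change_then_payment(events)
              + short_lived_contact_change(events)
              + gl_debit_over_threshold(events, gl_threshold)
              + internal_to_employee_transfer(events, employee_accounts))
    return sorted(alerts, key=lambda a: a[2])


T0 = datetime(2017, 7, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed
    Event(T0, "CUST-1001", "contact_change"),                            # phone number changed
    Event(T0 + timedelta(days=2), "CUST-1001", "new_bill_payee"),        # payee added 2 days later
    Event(T0 + timedelta(days=5), "CUST-1001", "contact_restore"),       # original number restored
    Event(T0, "CUST-2002", "contact_change"),
    Event(T0 + timedelta(days=30), "CUST-2002", "new_card"),             # outside the 7-day window
    Event(T0 + timedelta(days=1), "GL-SUSPENSE", "gl_debit", actor="emp-17", amount=25_000.0),
    Event(T0 + timedelta(days=3), "GL-SUSPENSE", "transfer", actor="emp-17",
          amount=900.0, counterparty="CUST-3003"),
]
EMPLOYEE_ACCOUNTS = {"CUST-3003"}  # constructed: accounts known to belong to staff

if __name__ == "__main__":
    for acct, rule, when in run_all(SAMPLE_EVENTS, EMPLOYEE_ACCOUNTS):
        print(f"{when:%Y-%m-%d}  {acct:<12} {rule}")
```

Each rule returns (account, rule name, timestamp) tuples so they can be merged into one review queue. In practice the windows and threshold would come from the institution's own risk assessment, the employee-account list from HR data, and the rules would run against the core system's audit trail rather than an in-memory list; the CUST-2002 case shows why the window matters, since a card request a month after a contact change is not flagged.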

What is Trending in Fraud?

When analyzing how fraud occurs in the present day, it is obvious that fraudsters are not trying to reinvent the wheel. Elements of previous fraudulent schemes can be found in the current types of trending fraud, including social engineering, targeting vulnerable persons and masking one’s identity. And while technology is a tool for positive development within financial institutions, fraudsters also utilize changes in technology, often faster than financial institutions do.

New Ways Fraud is Being Introduced

Elder Financial Abuse

As previously discussed, elders are very vulnerable to financial exploitation. Family members, friends and other caregivers often carry out some of the most common scams against the elderly, and older adults’ use of social media sites to stay in touch with family and friends can increase fraud vulnerability. The fraudulent activities can include:

- Manipulating the Power of Attorney to steal victims’ money
- Taking advantage of joint bank accounts to steal money
- Using ATM cards and stealing checks to withdraw money from victims’ accounts
- Refusing to obtain needed care for victims until receiving compensation

Through early fraud detection, financial institutions can be key actors in combatting elder financial exploitation. In some states, financial institutions’ personnel are required to report suspected financial exploitation, and in March 2016, the Consumer Financial Protection Bureau (CFPB) issued “Recommendations and report for financial institutions on preventing and responding to elder financial exploitation.”


Warning Signs Associated with Elder Account Activity

1. Large increases in account activity, such as daily maximum currency withdrawals from an ATM
2. Large gaps in check numbers, or “out of sync” check numbers
3. Uncharacteristic non-sufficient funds activity or overdrafts
4. Uncharacteristic debit transactions (including unusual ATM use)
5. Uncharacteristic lapses in payments for services
6. Disregard for penalties when closing accounts or certificates of deposit
7. Abrupt changes to financial documents, such as a new power of attorney, a change to a joint account or a change in account beneficiary
8. Excessive numbers of payments or payments of large sums to a caregiver or third party
9. New account use soon after adding an authorized user
10. Statements mailed to an address separate from customer’s residence
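Several of these warning signs (large increases in withdrawals, gaps or out-of-sync check numbers, uncharacteristic debit activity, and new activity on a long-inactive account, which the list goes on to mention) are defined relative to the customer's own history rather than a fixed limit. The Python below is an added example, not code from the briefing or from the CFPB report, that checks a constructed transaction history against that customer's own baseline; the 90-day baseline, the three-standard-deviation limit, the check-number gap size and the one-year dormancy period are assumptions for the example.

```python
"""Elder account warning-sign checks against a customer's own history (added example)."""
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample history; amounts, dates and thresholds are assumptions for this example.


def check_number_gaps(check_numbers, max_gap=5):
    """Warning sign 2: large or out-of-sync gaps in the sequence of cleared checks."""
    findings = []
    seq = list(check_numbers)
    for prev, cur in zip(seq, seq[1:]):
        if cur < prev:
            findings.append(("out_of_sequence", prev, cur))
        elif cur - prev > max_gap:
            findings.append(("gap", prev, cur))
    return findings


def uncharacteristic_withdrawals(atm_txns, as_of, baseline_days=90, recent_days=7, sigma=3.0):
    """Warning signs 1 and 4: recent daily ATM totals far above the customer's own baseline.

    atm_txns: iterable of (date, amount). Days with no withdrawal count as 0, so the
    baseline reflects the customer's real cadence rather than only their active days.
    """
    daily = {}
    for d, amt in atm_txns:
        daily[d] = daily.get(d, 0.0) + amt
    baseline_start = as_of - timedelta(days=baseline_days)
    recent_start = as_of - timedelta(days=recent_days)
    baseline = [daily.get(baseline_start + timedelta(days=i), 0.0)
                for i in range((recent_start - baseline_start).days)]
    recent = [(recent_start + timedelta(days=i),
               daily.get(recent_start + timedelta(days=i), 0.0))
              for i in range(recent_days + 1)]
    # The 1.0 floor keeps a zero-variance baseline (e.g. a brand-new account) from flagging everything.
    limit = mean(baseline) + sigma * max(pstdev(baseline), 1.0)
    return [(d, amt) for d, amt in recent if amt > limit]


def dormant_account_reactivated(txn_dates, as_of, dormant_days=365, lookback_days=30):
    """Warning sign 11: new activity on an account that saw none for a long period."""
    dates = sorted(txn_dates)
    for prev, cur in zip(dates, dates[1:]):
        if (cur - prev).days >= dormant_days and cur >= as_of - timedelta(days=lookback_days):
            return cur
    return None


AS_OF = date(2017, 7, 10)
# Constructed: $60 every Friday for three months, then three days of $500 (a typical ATM daily maximum).
SAMPLE_ATM = [(date(2017, 4, 14) + timedelta(weeks=w), 60.0) for w in range(12)]
SAMPLE_ATM += [(date(2017, 7, 6), 500.0), (date(2017, 7, 7), 500.0), (date(2017, 7, 8), 500.0)]
SAMPLE_CHECKS = [1041, 1042, 1043, 1071, 1044]                      # constructed
SAMPLE_TXN_DATES = [date(2015, 5, 3), date(2016, 1, 9), date(2017, 7, 5)]  # constructed

if __name__ == "__main__":
    print("check gaps:", check_number_gaps(SAMPLE_CHECKS))
    print("unusual ATM days:", uncharacteristic_withdrawals(SAMPLE_ATM, AS_OF))
    print("dormant reactivated on:", dormant_account_reactivated(SAMPLE_TXN_DATES, AS_OF))
```

The baseline comparison is deliberately per customer: a $500 day is ordinary for some account holders and a sharp break for one who withdraws $60 a week, which is the "uncharacteristic" test the list describes. Findings from these checks are inputs to a human review, not a decision on their own.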


Source for both charts: CFPB “Recommendations and report for financial institutions on preventing and responding to elder financial exploitation” (March 2016)

Call Center

With an emphasis on cybersecurity after highly publicized cyber-attacks, and with the implementation of EMV chips across the U.S., criminal organizations set their sights on a new medium for fraud in 2016: call centers. “Call center fraud” can be described as an interaction between a criminal and a call center agent with the motive of completing a fraudulent transaction. Fraudsters gather copious amounts of intelligence on their victims through other accessible channels, such as social media or data purchased on illegal black markets, before they decide to strike. Through the advancement of technology, caller-ID spoofing and voice manipulation software are easier to use and access than ever before. Call centers are also susceptible to fraud because their primary purpose is not to detect fraud but rather to handle a large volume of calls quickly and efficiently. Readjusting call center employees’ objectives and properly training them to be the first line of defense against call center fraud is important.

Institutions can mitigate call center fraud through:

- Employee Education: Personnel need to be properly informed of policies and procedures.
- Training: Personnel should be prepared and well-versed in the types of questions they can and cannot answer.
- Verification: Personnel should know what types of transactions should be restricted or limited.
- Employee Goals: While call centers thrive on a high call turnover rate, goals should be readjusted so an employee’s performance is not tied only to the number of calls managed but also places an emphasis on fraud prevention.
- Authentication: Financial institutions may want to add steps to their identity verification process, such as challenge questions in addition to knowledge-based authentication questions.

Wire Fraud

Wire transfers for financial transactions originated with the advent of the telegraph network. At their core, wire transfers are a cheap method for transferring funds from one person or entity to another. As wire transfers have become more sophisticated, so has the fraud accompanying them. Fraudsters use malware, social engineering and phishing to initiate wire fraud or to steal the data needed for it. According to the Federal Bureau of Investigation, “business email compromise” fraud, a type of wire fraud in which fraudsters use business email addresses to initiate fraudulent wire transfers, has been on the rise and is now a $5 billion industry. Some common types of business email compromise are requests for money from vendors, requests for confidential or protected information like employee W-2s, and business executive or attorney impersonation.

Warning Signs Associated with Elder Account Activity (continued)

11. New activity on an inactive account or joint account
12. Signatures that do not match or appear suspicious
14. Uncharacteristic requests to wire money


Recently, California and New Mexico issued guidance alerting consumers to ways in which they can recognize wire fraud scams. Most notably, the guidance drew attention to scams involving “government and businesses” requesting wire transfers, such as phantom debt scams (where fraudsters claim to be a debt collector and demand funds immediately) or government relief scams (where the fraudster claims to be a government entity that owes restitution but first needs a wire transfer of a specific amount of money). Also, financial institutions in states governed by the Uniform Commercial Code (UCC), with additional states codifying similar language, must act “in good faith,” defined in the UCC as “honesty in fact and the observance of reasonable commercial standards of fair dealing.” While courts have differed over the level of due diligence required for transactions, banks must monitor transactions to identify likely fraudulent ones or they could potentially face legal hardship.

Institutions can protect themselves and their customers by paying attention to red flags and implementing safeguards. Some of the key takeaways include:

Risk Assessment and Strategy

Financial institutions that undergo proper risk assessments and implement a well-developed fraud prevention strategy will minimize their exposure to risk from fraud. While fraud risk assessments are not one-size-fits-all, the goal is always the same: conduct a systematic assessment to remove gaps or weaknesses within an institution. This allows an institution to develop a stronger fraud prevention strategy, which ties into the institution’s risk appetite. If an institution does not mitigate its vulnerabilities, the problems related to fraud can go undetected and harm the institution over long periods, or develop quickly and abruptly disrupt the institution. Risk assessment is also crucial to product development, customer service and sustaining a reputable image. By assessing potential impacts and services, institutions can map a strategy and set it into place.

Transfer Procedures

Ensure the institution has a formal process for transferring funds, including segregation of duties between setting up and releasing a wire. Training employees on the proper processes is also key; an example would be requiring a call back to the customer to verify the wire, using the phone number listed on the account rather than the one on the wire request.

- Account Usage Agreements: Implement usage agreements and provide details on who is authorized to execute a transaction and which accounts are eligible for transfers.
- Know Your Customers: Be aware of your customer and their typical transaction history.
- Training: Inform employees who conduct wire transfers of fraud’s warning signs and teach them how to protect sensitive data.
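The transfer procedures above describe controls that can be enforced in the wire workflow itself rather than left to memory: the employee who releases a wire must not be the one who set it up, the call-back must go to the phone number on the account record rather than the one on the request, and only a signer named in the usage agreement may execute a transfer. The Python below is an added example, not FIS's code or a real core banking API, that models those controls as a three-step workflow over a constructed customer record and wire request; account ids, employee ids and phone numbers are placeholders.

```python
"""Wire-release workflow with segregation of duties and call-back verification (added example)."""
from dataclasses import dataclass

# Constructed scenario; account ids, employee ids and phone numbers are placeholders
# for this example, not values from the briefing.


class WireControlError(Exception):
    """Raised when a wire cannot proceed under the institution's transfer procedure."""


@dataclass
class CustomerRecord:
    account: str
    phone_on_file: str             # number from the account record (used for the call-back)
    authorized_signers: frozenset  # people allowed to execute transfers (usage agreement)


@dataclass
class WireRequest:
    account: str
    amount: float
    beneficiary: str
    requested_by: str
    phone_on_request: str          # number written on the request; never used for the call-back
    set_up_by: str = ""
    callback_number_used: str = ""
    released_by: str = ""


def set_up_wire(req, customer, employee):
    """Step 1: data entry. Checks the usage agreement and records who keyed the wire."""
    if req.requested_by not in customer.authorized_signers:
        raise WireControlError("requester is not an authorized signer on the account")
    req.set_up_by = employee
    return req


def verify_by_callback(req, customer, number_dialed, customer_confirmed):
    """Step 2: call-back. The number must come from the account record, not the request."""
    if number_dialed != customer.phone_on_file:
        raise WireControlError("call-back must use the phone number on the account record")
    if not customer_confirmed:
        raise WireControlError("customer did not confirm the wire on call-back")
    req.callback_number_used = number_dialed
    return req


def release_wire(req, customer, employee):
    """Step 3: release. Segregation of duties plus proof that the call-back happened."""
    if not req.set_up_by:
        raise WireControlError("wire has not been set up")
    if employee == req.set_up_by:
        raise WireControlError("segregation of duties: releaser must differ from the setter-up")
    if req.callback_number_used != customer.phone_on_file:
        raise WireControlError("call-back verification is missing")
    req.released_by = employee
    return req


def process_wire(customer, req, setup_employee, number_dialed, confirmed, release_employee):
    """Run the three steps and report the outcome as a string (suitable for an audit log)."""
    try:
        set_up_wire(req, customer, setup_employee)
        verify_by_callback(req, customer, number_dialed, confirmed)
        release_wire(req, customer, release_employee)
        return "released"
    except WireControlError as err:
        return f"blocked: {err}"


CUSTOMER = CustomerRecord("CUST-4004", "+1-555-010-0100", frozenset({"alice"}))  # constructed


def new_request(requested_by="alice"):
    # The request carries a call-back number that differs from the account record; the
    # procedure says to ignore it and dial the number on file.
    return WireRequest("CUST-4004", 48_000.0, "BENEFICIARY-PLACEHOLDER", requested_by,
                       "+1-555-010-0199")


def demo():
    """Four scenarios: three control failures and one properly handled wire."""
    on_file = CUSTOMER.phone_on_file
    return {
        "same_employee": process_wire(CUSTOMER, new_request(), "emp-a", on_file, True, "emp-a"),
        "callback_to_request_number": process_wire(
            CUSTOMER, new_request(), "emp-a", new_request().phone_on_request, True, "emp-b"),
        "unknown_signer": process_wire(CUSTOMER, new_request("mallory"), "emp-a", on_file, True, "emp-b"),
        "proper": process_wire(CUSTOMER, new_request(), "emp-a", on_file, True, "emp-b"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:<28} {outcome}")
```

The point of recording `set_up_by` and `callback_number_used` on the request is that the release step checks evidence rather than trusting the releasing employee's word; in a real system those fields would be written by the workflow engine, not editable by the operator.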


When conducting a fraud risk assessment, an institution should assess each of its business areas for the following:

THE TYPES OF FRAUD THAT CAN OCCUR AND LIKELIHOOD OF A SIGNIFICANT FRAUD OCCURRING

To identify types of fraud to which an institution is vulnerable, the institution should develop a methodology within its fraud risk assessment that reflects its overall culture and risk appetite.

THE ADEQUACY OF EXISTING ANTI-FRAUD PROGRAMS, MONITORING AND PREVENTATIVE CONTROLS

An institution’s anti-fraud program should be preventive in nature and should mitigate or deter risk. The controls’ effectiveness should also be monitored. Having preventative controls in place is a proactive approach to reducing the risk of fraud.

THE BUSINESS IMPACT OF FRAUD

Properly monitoring risk within each business unit allows financial institutions to accurately assess what type of fraud impacts different types of business. Breaking fraud down individually allows for a more precise assessment and therefore better protection.

THE POTENTIAL GAPS IN FRAUD CONTROLS

To identify gaps within the fraud controls, a financial institution needs to determine if current fraud controls are sufficiently designed and implemented to mitigate risk. The institution should pay close attention to management override of controls and evaluate the residual fraud risk that arises when people in senior positions commit fraud.

Fighting Fraud

Common best practices for implementing a fraud prevention strategy are listed below. To deter possible gaps and weaknesses, institutions should be diligent and check the following list against their fraud prevention framework.

1. Maintain a Strong Grasp on Internal Controls

Internal controls should provide a high level of confidence in your operations. They should be reviewed and revised, and some institutions may benefit from setting specified review periods. Internal controls also allow an institution to review its progress and implement new ways of limiting exposure to risk by limiting fraud opportunities.

2. Involve Senior Management in the Process

Involvement from the top sets the stage for an internal antifraud culture and serves to increase the ethical reputation of an organization. Inclusive environments create effective governance processes, which reinforce the significance of fraud prevention to the culture of the institution through the development and implementation of fraud programs and ethics policies.

3. Hire Experienced and Qualified Personnel in Oversight Roles

Personnel overseeing operations should have a deep awareness and understanding of the risks fraud creates. They should also know how to interact with other employees to instill the importance of fraud prevention and reporting. These individuals can aid in the creation and implementation of policies and procedures specific to fraud. It is also crucial to have staff at all levels who are aware that part of their responsibility includes reporting any suspicions of fraud.


4. Require Independent Audits

Independent auditors can objectively assess whether controls are designed, implemented and working properly and effectively. They can also make recommendations on how to improve internal controls. The independent auditor's role is to ensure the institution is on the forefront of corporate policies, practices, procedures and technology, as well as new products and services.

5. Educate Employees on Fraud

Employees should receive training on fraud and understand that they are the first line of defense in fraud prevention. Employees should also be encouraged to report fraud they observe. Some people are more likely to report fraud, particularly insider fraud, if their submissions can be made anonymously through a whistleblower hotline.

6. Maintain Proper Lines of Authority

Companies with strong internal controls view the process of fraud prevention as an all-inclusive effort. A structured reporting line ensures that employees know with whom they should communicate regarding fraud.

The Main Principles of Fraud Risk Management

Fraud risk management is an integral component of corporate governance and internal controls. Corporate governance monitors fraud, addressing how the board of directors and management meet their respective obligations to achieve the organization’s goals (fiduciary, reporting and legal responsibilities to stakeholders). The internal control environment then creates the discipline that supports the assessment of risks, which is necessary to achieve these goals.

An institution is best prepared when it knows how to prevent, detect and monitor fraud.

1. CONTROL ACTIVITY

The risk assessment process helps determine the need for a control activity. Control activities are the policies, procedures and mechanisms that help ensure that the responses chosen to reduce the risks identified in the risk assessment are actually carried out, and carried out effectively.

Fraud control activities are generally classified as either:

- Preventive, to avoid a fraudulent activity at the time of initial occurrence; or

- Detective, to discover a fraudulent activity after the initial processing occurred.


2. INVESTIGATION AND CORRECTIVE ACTION

By establishing a process for investigation and corrective action, an institution can improve its chances of loss recovery while minimizing exposure to litigation and reputational damage. It is important to note, however, that control activities cannot provide absolute assurance against fraud, and an institution should therefore ensure a system is developed for:

- Prompt review

- Confidential investigation

- Resolving non-compliance with company protocol

3. MONITORING ACTIVITIES

Institutions can use fraud risk management monitoring activities to ensure they select automation that supports their fraud prevention and detection strategies. Examples of monitoring activities include:

- Ongoing evaluations of controls, processes, risk assessments and operating procedures, which should be built into the organization’s business processes

- Separate (periodic) evaluations, such as specialized training and surveys of the anonymous whistleblowing systems to see how effective they have been in deterring fraud

- A combination of ongoing and periodic evaluations

Source: https://www.coso.org/Documents/COSO-Fraud-Risk-Management-Guide-Executive-Summary.pdf


E. President Trump’s Executive Order on Cybersecurity

According to reports, 34 percent of federal government agencies surveyed have experienced a data breach within the last year and 96 percent of federal agencies surveyed consider themselves vulnerable. In May, the WannaCry ransomware outbreak, affecting more than 150 countries, drew attention to how susceptible information systems are to attack. It also highlighted the importance of expanding cybersecurity workforce development so that sufficient expertise is available. It reminds us that each industry and institution should be diligent and proactive within its own operations to ensure the safety and soundness of its customers’ data.

This article breaks down President Donald Trump’s “Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” by section, followed by an overview of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Next, the article explores how cybersecurity policy has advanced over the years. We conclude with some cybersecurity best practices.

Trump’s Executive Order

Trump signed the executive order on May 11, 2017. It lays out guidelines for federal agencies’ required reports to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB). The reports must outline where each agency stands in terms of risk management and information technology (IT) standards, among other related matters. To clarify the new expectations the executive order has set forth, we have broken down the executive order by section and highlighted some key areas.

Section One: Cybersecurity of Federal Networks

Section one of the executive order addresses cybersecurity risk management and goes into detail regarding the NIST “Framework for Improving Critical Infrastructure Cybersecurity” (the Framework) and IT architecture within the government.

The executive order states that the heads of executive departments and agencies will be held accountable for managing cyber risk to their enterprises. Each agency’s risk management decisions could potentially create risk for national security and for the executive branch as a whole. Agency heads will therefore be accountable to the President for implementing risk management measures and ensuring that cybersecurity risk management processes are aligned with strategic, operational and budgetary planning.

Section one also puts emphasis on the U.S. government’s IT and data, along with planning for future modernization and fixing known vulnerabilities. Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in the following, among other areas: IT, budget, security, law, privacy and human resources.

The executive order requires each agency head to use the Framework and deliver a risk management report to the Secretary of Homeland Security and the Director of the OMB within 90 days of the order. The report must outline the agency’s risk mitigation efforts and the strategic, operational and budgetary considerations that inform its choices, along with an action plan to implement the Framework. The Secretary of Homeland Security and the Director of the OMB will assess the reports to determine whether the risk mitigation actions are sufficient to manage cybersecurity risk.

Further, the Director of the OMB, in coordination with the Secretary of Homeland Security and with support from the Secretary of Commerce and the Administrator of General Services, will create a plan to properly protect the executive branch enterprise; to identify any insufficiencies; to evaluate budget needs; and to ensure that policies, standards and guidelines are in line with the Framework.


Section one also sets out a policy for the executive branch to build and maintain a modern, secure and more resilient IT architecture.

The Director of the American Technology Council must coordinate a report to the Secretary of Homeland Security, the Director of the OMB and the Administrator of General Services, in consultation with the Secretary of Commerce, on the modernization of federal IT within 90 days of the order. The report must outline how the agencies will transition to consolidated network architectures and shared IT services (including email, cloud and cybersecurity services).

As previous administrations have demonstrated (detailed further in this article), information sharing between executive agencies is imperative for successful cybersecurity. Trump’s executive order emphasizes the importance of the relationship not only between the private and public sectors but also among the agencies themselves. Section two of the executive order turns to the cybersecurity of the nation’s critical infrastructure.

Section Two: Cybersecurity of Critical Infrastructure

The second section of the executive order addresses the cybersecurity of the nation’s critical infrastructure. This section focuses on the entities at greatest risk of attacks that could result in catastrophic effects on the U.S., and requests input on possible efforts to support the cybersecurity risk management of those entities. The Secretary of Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation (FBI) and the heads of other appropriate sector-specific agencies, is required to:

1. Identify the authorities and capabilities agencies could employ to support efforts to protect the entities identified as being at greatest risk of attack pursuant to former President Barack Obama’s Executive Order 13636 of February 2013, including risks to public health or safety, economic security or national security

2. Evaluate whether the resources available will support those entities’ cybersecurity risk management efforts

3. Provide a report within 180 days of the order that covers the authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure; the results of the engagement and determinations on resources available; and further findings and assessments to better support cybersecurity risk management efforts

4. Provide an updated report to the President on these matters on an annual basis

The executive order also addresses areas such as supporting transparency in the marketplace; resilience against botnets and other automated threats; the assessment of electricity disruption incident response capabilities; and the Department of Defense (DOD) warfighting capabilities and industrial base. Each of these areas requires a report to the President covering the objectives and priorities listed below.

Supporting transparency in the marketplace

The Secretary of Homeland Security, in coordination with the Secretary of Commerce, must submit within 90 days a report that examines the existing federal policies and practices which promote market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded entities.

Resilience against botnets and other automated threats

The Secretary of Commerce and the Secretary of Homeland Security, in consultation with other named agencies, must submit a preliminary report within 240 days detailing how to improve the resilience of the internet and communications ecosystem and how to encourage collaboration with the goal of reducing threats perpetrated by automated and distributed attacks (for example, botnet attacks). A full report is due within one year.


Assessment of electricity disruption incident response capabilities

The Secretary of Energy and the Secretary of Homeland Security, in consultation with other named agencies, must submit within 90 days an assessment of the potential scope of a prolonged power outage associated with a significant cyber incident, along with how prepared the U.S. is for such an attack, whether any gaps or shortcomings exist, and what is required to mitigate such an incident.

DOD warfighting capabilities and industrial base

The Secretary of Defense, the Secretary of Homeland Security and the Director of the FBI, in coordination with other named agencies, must submit a report within 90 days assessing the cybersecurity risks facing the defense industrial base, including its supply chain, and U.S. military platforms, systems, networks and capabilities. The report must also include recommendations on how to mitigate these risks.

Section Three: Cybersecurity for the Nation

The final section of the executive order addresses cybersecurity for the nation. It aims to ensure that the internet remains valuable for future generations by maintaining the highest level of security and privacy. The section is broken down into three subsections: deterrence and protection, international cooperation and workforce development. Each of the three subsections requires a different type of report.

The deterrence and protection report will focus on the nation’s strategic options for deterring adversaries and better protecting the U.S. population from cyber threats. The international cooperation reports require named agencies to identify their cybersecurity priorities and the Secretary of State to document an engagement strategy for international cooperation in cybersecurity. Finally, three reports are required within the workforce development subsection, with a focus on the U.S. maintaining a competitive advantage. The reports will cover the following topic areas:

1. Education and training

2. Assessment of foreign cyber workforce development practices

3. National-security-related cyber capabilities

The Framework

While much of this article has focused on the executive order’s reporting requirements for executive agencies, it is also important to understand the NIST Framework. The Framework started when President Obama issued Executive Order 13636 in 2013, tasking NIST with building it.

The Framework provides the outline for the creation and improvement of a cybersecurity program. A cybersecurity program is most often led by a chief information security officer (CISO) or a similar role. A CISO should understand risk from both a business and an IT perspective, as well as the specific risks, vulnerabilities and exposures associated with the institution. The CISO should also possess the authority to enforce and sustain the cybersecurity program, which includes imposing disciplinary measures when policies are violated or circumvented. In general, when following the Framework an institution will focus on:

- Its current cybersecurity posture

- The opportunities for cybersecurity improvement within the context of risk management

- Assessment of preventive measures in relation to risk appetite

- Communication procedures for informing internal and external stakeholders about cybersecurity risk


The Framework builds on the private sector effort by giving institutions a means of measuring their security standards against federal guidelines, in addition to providing guidance on how to prepare a cybersecurity program. The Framework does this by allowing each institution to choose specific measurements at its own discretion. This includes listing the critical infrastructures an institution may rely on and using the Framework to provide an approach that helps identify, assess and manage cyber risk.

Organizations are not expected to replace their cybersecurity processes with the Framework, but rather to integrate it into their current processes and identify areas in which to improve cybersecurity risk management.


The Growth of US Cybersecurity Policy

Since President Ronald Reagan, administrations have progressively taken stronger stances on cybersecurity and effected cybersecurity change. Some common threads among administrations include expanding shared expertise and lessening the divide between the public and private sectors. The timeline below displays the cybersecurity policy progression over the past 30 years.

How Cybersecurity Has Advanced Throughout Administrations

Ronald Reagan

1984 – National Security Decision Directive (NSDD) 145. NSDD 145 provided the initial objectives and policies regarding safeguarding systems that process sensitive information. Further, NSDD 145 gave the National Security Agency (NSA), the Department of Defense and the National Security Council more prominent roles in the development of certain areas of safeguarding and technical development.

1987 – Computer Security Act of 1987 (CSA). The CSA limited the NSA’s role and assigned the National Bureau of Standards (renamed NIST in 1988) responsibility for the security of federal unclassified (non-national-security) systems and information, with technical assistance from the NSA.

Bill Clinton

1996 – Executive Order 13010, Critical Infrastructure Protection. Executive Order 13010 highlighted “cyber threats,” at the time described as “threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures.” The executive order stressed the immediate threat of cyberattack to national security and the need for a public-private partnership.

George W. Bush

2003 – National Strategy to Secure Cyberspace. A portion of the larger National Strategy for Homeland Security, the main objectives of the National Strategy to Secure Cyberspace were to design an overall system of protection for the nation’s cybersecurity by implementing measures such as a cyberspace security response system and a cyberspace security awareness and training program. The National Strategy to Secure Cyberspace also encouraged national and international cyberspace security cooperation.

2006 – National Infrastructure Protection Plan. The DHS published this plan to protect and ensure the resilience of all infrastructure sectors and resources central to the nation.

2008 – Comprehensive National Cybersecurity Initiative (CNCI). The CNCI was an initiative that sought to protect government computer systems and begin the process of addressing the protection of private sector computer systems.

Barack Obama

2009 – Cyberspace Policy Review. This review highlighted several main points, including measuring the performance and accountability of U.S. cyber policies; strengthening standards regarding the security of and operations in cyberspace; and investing in research and education to encourage innovation and development.

2011 – Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. This executive order directed structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks and was enacted as a defense against insider threats within every agency and department of the U.S. executive branch.

2013 – Executive Order 13636, Improving Critical Infrastructure Cybersecurity. This executive order tasked NIST with working with the private sector on policy, procedure and industry best practices to build a cybersecurity framework.


Actionable Intelligence

Best Practices for Financial Institutions for Cybersecurity Preparation

The ten best practices are listed after the conclusion.

Conclusion

Trump’s budget proposal committed $971 million to DHS’s cyber operations and added $41.5 million in cyber spending at the Justice Department. Trump has also vowed to improve cyber programs and networks. As more governmental and private institutional operations come online, the need for institutions to implement and maintain robust cybersecurity programs increases every day. Institutions should continue to implement and maintain robust cybersecurity programs to reduce the likelihood and impact of cyberattacks.

1. Conduct an internal compliance risk assessment.

2. Develop and implement corporate policies and procedures required for compliance with federal and state privacy and security laws.

3. Establish secure data backup protocols to ensure that, even if the company is under attack, important company records are secure (may also be part of an institution’s business continuity plan).

4. Establish protocols to handle common forms of cyberattacks.

5. Perform periodic auditing of cybersecurity practices.

6. Ensure the CEO and executive leadership are properly informed about the cyber risks to the company and are involved in the oversight and decision-making process related both to cyberattacks and to proactive cybersecurity measures.

7. Review cybersecurity programs to ensure they apply industry standards and best practices.

8. Store sensitive information securely, encrypting where appropriate.

9. Conduct appropriate data security due diligence on third-party service providers with access to personal information and sensitive business information.

10. Perform company-wide training, tailored to the personnel at issue, to ensure adherence to all electronic security measures.
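The backup best practice above (secure backup protocols so that records survive an attack) is only as good as your ability to prove, at restore time, that the backup was not altered while the attacker was inside. The following is an added example written for this edit, not code from the briefing or from FIS: it builds a manifest of SHA-256 digests for a backup tree, seals the manifest with an HMAC, and at verification time reports modified, missing and unexpected files. The key handling is an assumption of the example: the HMAC key is held apart from the backup store (an HSM, an offline vault, or at least a separately controlled system), so an attacker who can rewrite backup files cannot also re-seal the manifest. Encryption of the backup for confidentiality (best practice 8) is a separate step not shown here.

```python
"""Tamper-evident backup manifest: SHA-256 per file plus an HMAC over the manifest.

Added example. Assumes the HMAC key lives outside the backup store, so someone
who can rewrite backup files cannot also re-seal the manifest that describes them.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # hash files in 1 MiB chunks so large archives are not read into RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's POSIX-style path relative to root to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def canonical(manifest: Dict[str, str]) -> bytes:
    # Sorted keys and fixed separators give exactly one byte string per manifest,
    # so the MAC does not depend on dict ordering or on JSON whitespace.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 tag over the canonical manifest, hex encoded."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_backup(root: Path, manifest: Dict[str, str], tag: str, key: bytes) -> List[str]:
    """Return findings; an empty list means the tree matches its sealed manifest."""
    # Check the manifest's own integrity before trusting any digest inside it.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest: HMAC mismatch (manifest or tag altered)"]
    current = build_manifest(root)
    findings: List[str] = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean backup, then a rewritten record, a dropped-in
    file, and finally a forged manifest that tries to hide the rewrite."""
    key = os.urandom(32)  # in practice: loaded from the separately stored key material
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger").mkdir()
        (root / "ledger" / "2017-07.csv").write_text("acct,amount\n1001,250.00\n")
        (root / "config.ini").write_text("[backup]\nretention_days=90\n")
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, key)
        clean = verify_backup(root, manifest, tag, key)

        # An intruder (or a ransomware process) edits a record and plants a file.
        (root / "ledger" / "2017-07.csv").write_text("acct,amount\n1001,2500.00\n")
        (root / "note.txt").write_text("restore me")
        after = verify_backup(root, manifest, tag, key)

        # The intruder also rewrites the manifest entry to match the edited file;
        # without the key they cannot produce a matching tag, so the HMAC check fails.
        forged = dict(manifest)
        forged["ledger/2017-07.csv"] = sha256_file(root / "ledger" / "2017-07.csv")
        forged_check = verify_backup(root, forged, tag, key)
    return {"clean": clean, "after_tamper": after, "forged_manifest": forged_check}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "OK")
```

Store the manifest and its tag with the backup, but keep the key elsewhere; run verify_backup against every backup set before trusting a restore, and alert on any finding, since a clean restore from a tampered backup simply reinstalls the attacker's changes.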


F. Did You Know?

With organizations losing an estimated five percent of their annual revenues to fraud, regulators are demanding more proactive management of fraud risk. Financial institutions must have a strong understanding of where their vulnerabilities lie in order to combat fraud effectively.

Fraud Risk Management

FIS fraud risk management (FRM) solutions are tailored to support and meet your organization’s needs. Our experienced financial crime management consultants can assist your institution with establishing a comprehensive FRM program or with enhancing your existing program using client and industry best practices.

We can assist your institution with the following components of an FRM program:

- Fraud risk assessment to evaluate the risk to the organization of various types of fraud, both external and internal

- Fraud policy development (including code of conduct, ethics and whistleblower policies)

- Documentation of procedures for a fraud program

- Fraud training for employees, management and the board to support understanding of the nature, causes and characteristics of fraud

- Design and implementation of controls to detect and prevent fraud

- Assistance in consolidation of decentralized fraud functions

- Fraud program and best practice review

- Fraud investigation

Risk Managed Services Center

With our Risk Managed Services Center (RMSC), we also provide a back-office solution that can assist your organization with assigning, researching, resolving and reporting on system alerts generated by financial crime monitoring systems:

- FIS Memento fraud management applications

- FIS Prime Compliance Suite

- FIS Prime watch list filtering

- Non-proprietary BSA/AML and fraud monitoring tools

The RMSC team can also conduct due diligence assessments on vendors, commercial customers and other third parties to identify high-risk entities that may pose significant threats to your organization.

FIS RISC Solutions is your trusted partner for all things risk and compliance. Contact us today to help with your RISC needs. Contact Us: 800.822.6758 Email us: [email protected] Visit us online: fisglobal.com/RISC


G. About FIS’ Center of Regulatory Intelligence

FIS™ (NYSE: FIS), a global leader in banking and payments technology as well as consulting and outsourcing solutions, opened its Center of Regulatory Intelligence (CRI) in Washington, D.C. on June 16, 2015. The primary goal of CRI is to translate policy, legislative and regulatory developments into actionable intelligence for FIS clients to enable knowledge advantage. The unique perspective gained by monitoring regulatory change in such close proximity to the policymakers and regulators enables CRI to empower FIS clients to stay one step ahead, identify impact precisely, make smart business decisions and succeed. FIS clients receive insights from CRI through regularly published regulatory intelligence briefings and thought leadership insights intended to give client institutions deep intelligence into regulatory initiatives coming out of the legislature, administration and regulatory agencies. Input from CRI also helps drive FIS research and development efforts as well as consulting services aimed at helping address regulatory changes prior to implementation.

CRI provides the latest intelligence, thought leadership and cutting-edge regulatory insights into risk, information security and compliance issues facing the financial services industry. This FIS thought leadership center provides early insight on regulatory changes, helping financial services clients stay compliant with new regulations. Through CRI, FIS interfaces with key policymakers to provide industry perspectives on the potential impacts of regulatory mandates on financial institutions.

Contact Us

FIS Center of Regulatory Intelligence

1101 Pennsylvania Ave., NW Suite 300

Washington, DC 20004

E: [email protected]

P: 202.756.2263

©2017 FIS and/or its subsidiaries. All Rights Reserved.

Register your colleagues to receive regular updates from FIS’ Center of Regulatory Intelligence.