government powerpoint template - rehmann · trid update. effective october 1, 2015 compliance date...


Page 1: Government PowerPoint Template - Rehmann · TRID update. Effective October 1, 2015 Compliance date October 3, 2016 •Effective October 1, 2015 •Compliance date October 3, 2016

August 24, 2016

Director of Financial Institution Services

• Specializes in audit and consulting services for financial institution clients

– Leads numerous financial statement and internal audits, SOX 404 and other financial services consulting engagements for the firm’s largest and most complex financial institutions, including SEC registrants

• Works closely with management and audit committees to address technical issues and ensure sound internal controls

• Serves as a firm-wide resource for financial institution accounting and auditing matters

Presented by: Beth A. Behrend, CCBCO

Senior Manager

• Rehmann

• Leader of our firm’s compliance services for financial institutions.

• Worked for and with financial institutions for more than 30 years.

• Expertise includes providing a wide range of audit and consulting services for our financial institution clients.

• Extensive knowledge of financial institution operations and serves in an advisory role to clients within the BSA and Regulatory Compliance related areas

Military Lending Act

Flood Insurance – Escrow Rules

Fairness in Product and Service Offerings

TRID update


Effective October 1, 2015

Compliance date October 3, 2016


• Effective October 1, 2015

• Compliance date October 3, 2016

• Exception: effective date for credit cards is October 3, 2017

• CFPB responsible for enforcement


• Final rule:

– Extends MLA protections to a wider range of credit products

– Modifies the Military APR (MAPR)

– Provides for a safe harbor when ascertaining if a consumer is covered by the rule

– Modifies prohibition on rolling, renewing or refinancing consumer credit

• Provide service members and dependents with specific protections:

– Limit the APR (including fees) for covered products to 36% (referred to as the MAPR)

– Require military-specific disclosures

– Prohibits creditors from requiring arbitration in the event of default

• Revisions to the rule expand the definition of “consumer credit” to more closely align with the definition of credit in the Truth in Lending Act (TILA)

– Includes credit cards

– Exceptions: residential mortgages and credit secured by personal property

• MAPR to include the following fees or charges, even if not considered finance charges as defined in TILA:

– Credit insurance premiums and fees for debt cancellation,

– Fees for credit-related ancillary products sold in connection with the credit transaction,

– Finance charges associated with the consumer credit, and

– Certain application fees and participation fees, including annual fees

• Lenders will need to verify that each credit applicant is not a service member, spouse, or dependent of a service member.

• Safe Harbor: if one or more of the following methods are used for verification:

– Nationwide consumer reporting agency

– MLA Database (maintained by the DOD)

– Defense Manpower Data Center (DMDC) Direct Connection


• Revised rule prohibits all renewals, rollovers, or refinances of payday loan transactions or other deferred presentment transactions by creditors other than banks, thrifts or credit unions.


Do you have your policy and procedures in place for the MLA?

– Yes

– No


• Disclosures required:

– Statement of the MAPR

– Any required TILA disclosures

– Clear description of the payment obligation

• Covered borrowers permitted to recover damages from a creditor who violates a requirement of the MLA

• Changes effective January 1, 2016:

– Required escrow for premiums and fees for flood insurance: residential real estate or mobile homes

– Exempts requirement for coverage of detached structures not serving as a residence

– Specific requirements regarding force-placed flood insurance


• Must escrow all premiums and fees for loans secured by residential improved real estate or a mobile home in a special hazard area

• For all covered loans made, increased, extended, or renewed on or after January 1, 2016

• For loans covered by RESPA, the escrow servicing rules also apply

• Total asset size less than $1 billion in either of the 2 previous years

• As of July 6, 2012 institution was not required to escrow and did not have a policy of consistently and uniformly requiring escrow

• If Small Lender status is lost – must begin requiring escrow for flood insurance for loans made, increased, renewed or extended on or after July 1 of the first calendar year of status change


• Loans primarily for business, commercial or agricultural purposes

• Loan in subordinate position to a senior lien secured by the same property where flood insurance coverage meets the requirements

• Condos/Homeowners coverage

• HELOCs

• Nonperforming loans

• Terms of 12 months or less

• Flood insurance is no longer required on structures that are part of a residential property, but detached from the primary residential structure and do not serve as a residence

• Even though exempt from mandatory coverage under the regulation, lenders may require coverage to protect collateral


• Cost of force-placed coverage and fees may be charged to the borrower starting on the date on which coverage lapsed

• Lender not required to force-place upon learning of lapse. Notification to borrower must still be sent but lender is permitted to wait 45 days after notice before force-placing insurance


• Goal of the CFPB is to make the marketplace for consumer financial products and services accessible and advantageous for the consumer

• CFPB responsible for restricting unfair, deceptive, or abusive acts or practices

• Focus is on the consumer throughout the product lifecycle

• Third party contracts to provide products or services

• Marketing of add-on products

• Loss mitigation activities

• Evaluation of consumer’s ability to repay

• Compensation practices for employees

• Ongoing interaction with consumers


• Strategic considerations:

– Response to requests from consumers?

– Response to competitive forces?

– Is the product or service “bleeding edge”?

– Will product or service complement or cannibalize existing products and services?

• Customer considerations:

– Is there a customer need? How does cost impact customers?

– Features, risks, and terms explained clearly and conspicuously?

– Are fees or penalties structured so that unsuspecting or vulnerable customers could be adversely impacted financially?

– Are there financial incentives for institution employees?

• Assess the resulting fair treatment of or impact on consumers

– Targeted to a specific geographic area, demographic group?

– Does pricing impact a group of consumers in a non-uniform fashion?

• CRA considerations: how does this help meet credit needs of the community


• Where are we today?

– Regulatory oversight

– Common errors


• “Grace Period”

• When to expect “full force” examination

• CFPB Proposal for Update to disclosure rule


Do you have a process in place to track noted disclosure errors?

– Yes

– No


• Loan operating system “glitches”

– Amount Financed – incorrectly categorizing prepaid finance charges

– Verification Total Interest Paid (TIP)

– Accurate dates on revised disclosures

• Loan Estimate:

– Lender name and address missing

– Loan terms table includes incorrect information or is missing information

– Numerical errors

– Estimated closing costs not calculated in same manner as total closing costs

– Prepaids table does not include applicable time period and total amount paid

– Documentation of delivery of LE/revised LE sufficiently in advance of CD

– Fees changed on revised LE not related to change of circumstance

– Unsupported Change of Circumstance

• Closing disclosure

– Calculating Cash to Close table does not reflect “yes” when amounts changed

– Numerical errors

– Loans closed prior to 3 day waiting period

– CD issued same day as or prior to final LE

– Fees not displayed in alphabetical order


• Other

– Calculation discrepancies

– Use of inappropriate abbreviations

– Loan calculation discrepancies and fees listed incorrectly

– Improper rounding


• Continue to scrutinize disclosures

• Document errors noted and follow-up corrective action

• Compare notes in your industry groups

Presented by: Jessica Dore, CISA

Principal

• Technology Risk Management

• Specializes in technology consulting & security and SOX 404 compliance

– In-depth knowledge of SOX 404 compliance, GLBA compliance and COBIT standards

– Extensive knowledge of IT systems

• Experience in leading teams and performing IT security assessments for clients

Fraud, Cyber Crime & the Bottom Line

$400 billion lost annually to fraud and misappropriation by US organizations

6% of annual revenue lost to fraud and abuse by the average organization

$4 million to resolve the average data breach, not including liability issues

Source: ID Theft Resource Center

| Category | 2015 | 2014 | 2013 |
| Banking/Financial | 71 (9.1%); 5,063,044 | 43 (5.5%); 1,198,492 | 23 (3.7%); 786,789 |
| Business | 312 (39.9%); 16,191,017 | 258 (33%); 68,237,914 | 211 (34.4%); 77,262,781 |
| Educational | 58 (7.4%); 759,600 | 57 (7.3%); 1,247,812 | 55 (9.0%); 3,239,748 |
| Government/Military | 63 (8.1%); 34,222,763 | 92 (11.7%); 6,649,319 | 56 (9.1%); 1,881,803 |
| Medical/Healthcare | 277 (35.5%); 112,832,082 | 333 (42.5%); 8,277,991 | 269 (43.8%); 8,811,051 |


Source: 2016 Verizon Data Breach Report

NUMBER OF SECURITY INCIDENTS CONFIRMED DATA LOSS


Source: progressbangladesh.com

• Cyber warrior ‘mercenaries’ for hire worldwide

• Cyber crime is a multi-billion dollar underground economy

• Cyber crime is an industry of suppliers, distributors and manufacturers

• Information is the commodity


• Don’t believe they will be attacked

• Cybersecurity not a priority

• Weak cybersecurity/ outdated tools

• Poor employee training

• Poor or no data breach response plan

• Lead to bigger fish

Source: ameriscope.com

[Graphic: Ransomware, Phishing, Spyware, Malware/Spyware, Keylogging, Skimming, BOT, Social Engineering, Watering Hole]


Source: 2015 Verizon Data Breach Report


• Email from you

• Email from your internal staff

• Email from your member

• Message from friend overseas and in trouble

• “Your tax refund is already taken care of”


Source: Anti-Phishing Working Group


• Your data taken “hostage”

• Ransom email

• Today $300

• Tomorrow more

• If you don’t pay, they destroy your data


Has your institution suffered a ransomware attack?

– Yes

– No

– No, but I know of an institution that has

Source: 2016 Verizon Data Breach Report

The time to compromise is almost always days or less, if not minutes or less.

97% of breaches featuring stolen credentials leveraged legitimate partner access.

95% of confirmed web app breaches were financially motivated.

63% of confirmed data breaches involved weak, default, or stolen passwords.

Source: 2016 Verizon Data Breach Report

85% of successful exploit traffic leverages the top 10 vulnerabilities.


• The difference a year makes

• The average total cost of a data breach increased from $3.79 to $4 million (+5.3%)

– Up 29% since 2013

• The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 (+2.6%)

– Up 15% since 2013

Source: Ponemon 2016 Cost of Data Breach Study

• 123456 (Unchanged)

• password (Unchanged)

• 12345678 (Up 1)

• qwerty (Up 1)

• 12345 (Down 2)

• 123456789 (Unchanged)

• football (Up 3)

• 1234 (Down 1)

• 1234567 (Up 2)

• baseball (Down 2)


• Cyber Criminals sell personal identifying information or use it to:

– Open false bank accounts

– File false IRS returns

– Open false credit cards

– Steal from bank accounts

– Hack into other accounts/businesses


• Negligent insiders are the top cause of data breaches

• Clicking on links in emails

• Sending work email to personal accounts

• Using data on insecure lines

• Not following corporate policies

• Not securing mobile devices


• Poor access controls

• Poor patch management

• Improper device configuration

• Lack of security audits

• Weak enforcement of remote login policies


Source: 2015 Verizon Data Breach Report


• Data

• Perimeter

• Access

• Patching

• Backups

• Vendor

• Mobile

• Human


• Data – What is it and where is it?

• Risks - What is it worth?

• Access Paths – How can you get to the data and what are the control points?

• Access - Who can get to your data?

Source: intelymind.com


• Do you have a firewall?

• Do you have a DMZ?

Source: www.linklogger.com


• Do you have an Intrusion Detection System?

• Do you have an Intrusion Prevention System?

• Are alerts turned on?

• Are they monitored?

Source: infosecprimer.wordpress.com


• Conduct:

– External Vulnerability and Penetration Test

– Internal Vulnerability and Penetration Test

– Social Engineering Test

Source: dstudio.ubc.ca


• Access Control

• Restrict Administrative Access

• Perform Access Reviews

• Leverage Least Privilege

Source: blog.lookout.com


• How often do you patch?

• Best Practice = 30 Days

Source: gfi.com


• Daily Backups

• Rotated Offsite

• Testing

Source: itservicesalbuquerquenm.com


Does your institution backup data daily?

– Yes

– No

– I’m not sure


• Selection Due Diligence

• Contract Reviews

• Annual Due Diligence

Source: questproductsinc.com

How do you know you are making the right decision?

Source: data-hive.com


Source: mobileappbuilders.co

• Mobile Device Strategy

• Acceptable Use Agreements

• Authentication & Encryption

• Device Management

• Employee Training


• Train users on:

– Information Security Program

– Incident Response Plans

– Business Continuity Plans

– Security Threats

Source: afgenvac.org


Create & enforce security policies

Educate employees

Update security software and patch systems

Backup & encrypt data

Secure wireless devices

Secure mobile devices and remote access points

Have an IT Security Assessment Performed


© 2015 Rehmann


Beth Behrend, CCBCO

Phone: 616.975.4100

Email: [email protected]

Jessica Dore, CISA

Phone: 989.797.9580

Email: [email protected]

Liz Ziesmer, CPA, CBA

Phone: 616.975.4100

Email: [email protected]
