Mary Beth Guard by alicejenny


									Security Issues:
Hot Topic Legal Update

               Presented by
          Mary Beth Guard
  Executive Editor,
Mary Beth Guard
               Attorney, 24 years
               B.S., Administration of
               Internships – S.I. Work
                Release Center; Prison Legal
               Former General Counsel,
                Okla. Bankers Association,
                State Banking Department;
               Currently, Executive Editor,
Seeing things through a
lawyer’s eyes
   Imagine you are a trial attorney and
    you’re hearing the facts of a potential
    case you’re being asked to take OR
   Picture yourself sitting in the jury box,
    listening to the evidence
       Bank employee’s family held hostage
       Teller killed
       Fraudulent accounts opened by ID thief
The Security Officer’s Goals
   Ensure the bank is in compliance with
    security-related laws and regs
       Bank Bribery Act
       Bank Protection Act
       Employee Polygraph Protection Act
       Sarbanes-Oxley
       Right to Financial Privacy Act
       Others
Practices and Procedures
   Make sure institution and employee
    practices and procedures are proper:
       Email usage
       Internet usage
       Confidentiality/privacy
       Avoidance of harassment/discrimination
Training and equipment
   You are the driving force behind making
    sure employees are properly trained in
    security-related areas
   It’s your responsibility for seeing to it
    that your institution has the proper
    tools and equipment
Sources of potential liability
   Liability under law or regulation
   Liability under contract
   Liability for negligence
   Liability for breach of a duty
   Liability for deviation from generally
    accepted practices or standards
If harm occurs . ..
   Was it avoidable?
   Was it foreseeable?
   Could the harm have been avoided if
    the bank had done something different?
   Would other banks have done
    something different?
   Was the bank in the best position to
    avoid the harm?
Hottest hot buttons NOW
   Check 21
   Robberies
   Sarbanes-Oxley
   Information security
   Identity theft
Check 21
   New federal law; takes effect 10/28/04
   Allows any bank in the chain to
    “truncate” any foreign (i.e., not “on-us”
    item) and pass on either an image (if
    the next party in line agrees to accept
    an image), or a new negotiable
    instrument called a substitute check
It’s all about “green lights”
   Checks travel via plane, truck, auto from
    BOFD to paying bank
   This new law lays the groundwork for the
    check to travel in image (digital) format
   No bank is required to accept an image; there
    must be an agreement
   Each leg of the journey the item can travel in
    image form is like a green light
Without an agreement to
accept images . . .
   Paper is required (substitute check)
   No bank can demand an original check
   No customer can demand their original
   Some original checks will still come
    through – but it’s out of the paying
    banks control which ones they will be
Substitute check
   Paper reproduction, made from an original
   Printed on check stock
   Suitable for automated processing
   Meets industry standards for such items
    (must show truncating bank, reconverting
    bank, substitute check identifier in position 44
    of MICR line, etc.)
Example of substitute check
Potential problems
   When check is converted to an image,
    you lose paper-based security features
       Micro print signature line
       UV features
       Paper-based watermark
       Thumbprint signatures
   Real substitute checks will be very
    difficult to distinguish from fakes
Indemnity under Check 21
   Bad if you transfer, present or return a
    substitute check
   Good if you receive one, there is
    underlying fraud, AND you can show
    you would have caught it had you
    received the original item, rather than
    the substitute check
Thumbprint signatures
   Most often used in connection with
    cashing on-us checks
   Courts have upheld legality as a valid
    way for the drawee bank to “identify” a
    noncustomer payee
   Think about isolating on-us checks you
    cash that have thumbprint signatures
Best evidence issue . . .
   If you provide imaged statements now
    and your customer needs a copy of his
    check, you provide a copy of his check
   After Check 21 takes effect, courts may
    hold that a copy is no longer the “best
    evidence” – since a substitute check
    would instead be the legal equivalent
Why do you care?
   Banks will want to avoid providing
    substitute checks to the extent possible
    because of liability issues and increased
       Warranties
       Indemnity
       Expedited recrediting procedures
The SO and Check 21
   Get involved in the discussions and
    decisionmaking about:
       Whether your bank will truncate foreign
       How you will store them; how quickly you
        will destroy them;
       Whether your bank will accept images;
       Safeguards for image quality;
Consider . . .
   One fee for a copy of a check; higher fee for
    a substitute check;
   Amending deposit agreement to disclaim
    liability for failure to check paper check
    security features
   Limit the time a customer has to examine
    substitute checks (if you are still returning
    paper items to your customers)
Have a communication plan
   Don’t wait until the last minute to
     Police
     District attorneys

     Judges

    There’s a Powerpoint presentation you can
      download from the BOL Check 21 page:
Good news about Check 21
   Image-survivable security features are
   Return item notifications will, in some
    cases, come more quickly
   New fraud fighting tools
       Electronic positive pay
       Digital signature verification
   Major increases in some parts of the
   The “No Hats” movement is catching
Stay attuned to industry
   Alarms                Bandit barriers
   Training              Dye packs
   Locks                 GPS tracking devices
   Lighting              What else? Do you
   No hats policies       let employee’s
                           friends or relatives
                           wait for them inside
                           the bank?
Tempted to have a buzz-in?
   Buzz-in doors offer potentially higher
    security in high-crime branches
   Watch out for potential unlawful
Sarbanes-Oxley Act
   Applies directly to banks with over $500
    million in total assets or those that are
    a public company or subsidiary of one
   Regulators urge others to implement, to
    the extent feasible, the same sound
    corporate governance practices
SO for Security Officers
   Auditor Independence
   Code of ethics
   Whistleblower hotlines
Information security
   Must have infosec program approved by
       Not static
       Not just digital information
       Must constantly identify and assess threats
            Wells Fargo independent contractor
            Colorado bank lending employees
            Keystroke logging
            Computers sold to reseller
“Phishing” scams skyrocket
   The Anti-Phishing Working Group says:
       “Phishing attacks use 'spoofed' e-mails and
        fraudulent websites designed to fool recipients
        into divulging personal financial data such as
        credit card numbers, account usernames and
        passwords, social security numbers, etc. By
        hijacking the trusted brands of well-known banks,
        online retailers and credit card companies,
        phishers are able to convince up to 5% of
        recipients to respond to them. “
   Search for “phishing” on BOL
   Several examples, advice
   What is YOUR bank doing to protect
How would a customer know?
   Information on your Web site about
   How to recognize a legitimate email
    from you – or – state that you don’t
    send them at all
   Numbers to contact
   Form/email address to report
Newest phishing danger
   Keystroke logging
   All customer has to do is follow the link
   Doesn’t have to fall for the phony “put
    your info in”
   How easy is your bank’s site to
   New CIP exam procedures
       One of the things the examiners are
        supposed to ask for is a written
        explanation of the bank’s rationale for
        excluding existing customers from CIP
   314(b) information sharing
   314(a) – maintaining the confidentiality
    of the list and using it for the right
BSA is huge!
   Now examined under safety and
   Find your weaknesses BEFORE the
    examiners do
       Wig flipping case
       Broadway National Bank
       Riggs - $25 million penalty
Employee issues …
   Do you do background checks? Remember
    the “golden rule!”
   What are you doing to avoid
   How are your opening and closing
   Is your staffing adequate?
   Do you have information accessible on the
    Web that you shouldn’t? See
ID Theft
   Every 60 seconds, another 17 or 18
    people become victims
   Legal experts expect the next big thing
    to be lawsuits against “leaky”
    institutions who facilitated the ID thefts
    due to shoddy practices or poor training
ID Theft and your bank
   Three potential dangers:
       ID thief obtaining information through or from
        your bank that he uses to steal an identity;
       ID thief successfully posing as someone else in
        order to open accounts or obtain loans;
       ID thief posing as your existing customer and
        conducting transactions or obtaining information
What are you doing about it?
   How do you verify identity?
       New customers
       Existing customers who call or come in
   Would you “see dead people?”
   Do you have the proper tools?
       ID checking guide
       UV lights
       Fraud databases
Would your employees know
how to recognize a fake?
Fakes are easy to make
What keeps you up at night?
   Safe deposit liability?
   Right to Financial Privacy Act issues?
   Check fraud?
   Software piracy?
   Employee concerns?
   Defamation?
   Physical security? Terrorists?
Steps to take
   Stay informed – about the law, your
    responsibilities, what’s going on within your
    institution, threats/risks
   Assess the risks
   Figure out your options
   Think long and hard about your
   Document
   Press hard for what you know is right

   Questions?

Want to follow up? Email me at:

To top