<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0">
    <title>Bank Lawyer&#39;s Blog</title>
    <link rel="self" type="application/atom+xml" href="http://www.banklawyersblog.com/3_bank_lawyers/atom.xml" />
    <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/" />
    <id>tag:typepad.com,2003:weblog-29532</id>
    <updated>2015-10-08T21:57:00-05:00</updated>
    <subtitle>Commentary on Banking Law</subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <entry>
        <title>Small Bites of the Apple</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2015/10/small-bites-of-the-apple.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2015/10/small-bites-of-the-apple.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01b7c7dace3a970b</id>
        <published>2015-10-08T21:57:00-05:00</published>
        <updated>2015-10-08T21:57:00-05:00</updated>
        <summary>It&#39;s a drop in the bucket, but for hundreds of community banks lost in a regulatory desert, even a small amount of water is welcome. The U.S. House of Representatives unanimously passed legislation Tuesday that would ease regulatory rules for...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Federal Legislation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b7c7dace25970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Do good dalai llama" class="asset  asset-image at-xid-6a00d8341c652b53ef01b7c7dace25970b img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b7c7dace25970b-120wi" style="margin: 0px 5px 5px 0px;" title="Do good dalai llama" /></a>It&#39;s <a href="http://www.bizjournals.com/denver/morning_call/2015/10/house-passes-tiptons-community-bank-relief-bill.html">a drop in the bucket</a>, but for hundreds of community banks lost in a regulatory desert, even a small amount of water is welcome.</p>
<blockquote>
<p><strong><em>The U.S. House of Representatives unanimously passed legislation Tuesday that would ease regulatory rules for small community banks.</em></strong></p>
<p><strong><em>Congressman Scott Tipton, R-Cortez, has proposed the Small Bank Exam Cycle Reform Act, H.R. 1553, to help well-managed community banks.</em></strong></p>
<p><strong><em>[...]</em></strong></p>
<p><strong><em>The Small Bank Exam Cycle Reform Act amends the Federal Deposit Insurance Act to raise the qualifying asset threshold from $500 million to $1 billion for the 18-month exam cycle [as opposed to the current 12-month exam cycle].</em></strong></p>
<p><strong><em>This would allow an additional 676 banks across the U.S. to qualify for a longer exam cycle. Under the act, small banks would be able to better focus their employees and resources on serving the banking needs of customers, he said, rather than on onerous paperwork.</em></strong></p>
</blockquote>
<p>The longer exam cycle for smaller banks also should be a cost-saver.</p>
<p>Let&#39;s hope that in the land of grid-lock, the Senate can manage to pass what ought to be a fairly noncontroversial bill. </p>
<p>In terms of overall regulatory relief, this may not seem like much. On the other hand, it&#39;s <em>something.</em></p>
<p>**********************************************************************************************************************************</p>
<p>On a completely unrelated subject, I have received a couple of inquiries from readers as to &quot;what I am hearing&quot; about the <a href="https://www.ffiec.gov/cyberassessmenttool.htm">FFIEC&#39;s Cybersecurity Assessment Tool.</a> In the interest of brevity (a welcome relief to most readers), here&#39;s what the Chief Cybersecurity Officer of one of my larger ($20 billion+) banks offered me:</p>
<blockquote>
<p><strong><em>We do have it and have looked it over. Basically, if an organization has a decent security program with a foundational framework, it is nothing to worry about. I wouldn’t say it offered much value, but validation.</em></strong></p>
</blockquote>
<p>I suppose that if a bank is behind the curve, then the &quot;Tool&quot; may be more useful than simply a &quot;check&quot; on what you have already considered. As with relatively recent vendor management and social media guidance, and before that, the multifactor authentication guidance for online banking, the regulators seem to be putting out material for folks who are in need of catching up with their more sophisticated brethren. Moreover, even for those who believe that they are locked and loaded, it provides &quot;validation&quot; that you are not missing something fundamental.</p></div>
</content>


    </entry>
    <entry>
        <title>Vendor Mismanagement</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2015/05/vendor-mismanagement.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2015/05/vendor-mismanagement.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01b8d111955a970c</id>
        <published>2015-05-10T14:03:37-05:00</published>
        <updated>2015-05-10T14:03:37-05:00</updated>
        <summary>While banks have complained about the crushing burden of regulations in a post-Franken-Dodd world, in one area they could use a little more regulation. Not of the banks, but of third-party service providers to banks. I have yapped repeatedly on...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Governance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="OCC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Outsourcing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b7c788133b970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Unreasonable" class="asset  asset-image at-xid-6a00d8341c652b53ef01b7c788133b970b img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b7c788133b970b-120wi" style="margin: 0px 5px 5px 0px;" title="Unreasonable" /></a>While banks have complained about the crushing burden of regulations in a post-Franken-Dodd world, in one area they could use a little more regulation. Not of the banks, but of third-party service providers to banks.</p>
<p>I have yapped repeatedly on this rag sheet about how banks need to treat regulatory guidance seriously. While some regulators <a href="http://www.banklawyersblog.com/3_bank_lawyers/2014/04/a-recent-article-in-the-aba-banking-journal-by-steve-cocheoquotes-an-fdic-official-as-clarifying-a-point-that-needs-to-be-cla.html" target="_self">send confusing signals</a> about the legal enforceability of guidance, they have also made clear that <a href="http://www.banklawyersblog.com/3_bank_lawyers/2014/05/is-vendor-risk-scoring-mandatory.html" target="_self">they expect banks to comply with it</a>. Period.</p>
<p>One piece of guidance that we have discussed is <a href="http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html" target="_self">OCC Bulletin 2013-29</a> regarding third party relationships, which is a reworking and expansion of guidance first issued in 2001 (OCC Bulletin 2001-47). Other federal financial institution regulators have issued similar guidance. One portion of that guidance deals with provisions that the OCC expects to be incorporated into written agreements between banks and their service providers. Banks who take regulatory guidance seriously attempt to ensure that their written agreements with their significant vendors meet the regulators&#39; expectations.</p>
<p>If some technology service providers are to be believed, not many banks take the guidance seriously.</p>
<p>Repeatedly, attorneys who advise banks on such agreements will hear a common complaint: the bank asking for such a contractual provision is the only bank that has ever asked the vendor for the same. Putting aside my stock response (&quot;You&#39;ll never be able to say that again, will you?&quot;), let&#39;s take them at their word and see what this means.</p>
<p>Let&#39;s pick two provisions: access by the bank&#39;s regulators to the service provider&#39;s records concerning the services it provides to the bank, and a binding agreement by the vendor to provide the bank with a disaster recovery plan and modifications to it. These aren&#39;t the only provisions. There are many more, but I don&#39;t make a living off this blog, so they&#39;ll have to do for now.</p>
<p>OCC Bulletin 2013-29 provides in part as follows:</p>
<blockquote>
<p><em><strong>In contracts with service providers, stipulate that the performance of activities by external parties for the bank is subject to OCC examination oversight, including access to all work papers, drafts, and other materials. The OCC treats as subject to 12 USC 1867(c) and 12 USC 1464(d)(7), situations in which a bank arranges, by contract or otherwise, for the performance of any applicable functions of its operations. Therefore, the OCC generally has the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself on its own premises.</strong></em></p>
</blockquote>
<p>That&#39;s pretty clear. Yet, we have repeatedly encountered service providers, including one of the major technology service providers in the United States, who have resisted such a contractual &quot;stipulation&quot;. In one discussion, a service provider that was providing an online banking system and related customer-facing services asked the bank to cite the provision of the law that gave the OCC the right to have such access. When we gave it the citation to 12 USC 1867(c), it responded that its inside counsel did not agree with the OCC&#39;s interpretation of the Bank Service Company Act, and that examinations that it had permitted the OCC to make were purely voluntary and could be terminated at any time. We responded that we didn&#39;t give a flying fig in a rolling donut what its in-house counsel thought about the OCC&#39;s interpretation, since the law was clear on its face. In that case, we compromised on language that required such regulatory access &quot;as is required by applicable law.&quot; However, we were told by that vendor that other banks did not insist on such a provision in the agreement.</p>
<p>With respect to business continuity plans, OCC Bulletin 2013-29 provides the following:</p>
<blockquote>
<p><strong><em>Ensure that the contract requires the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented. Include specific time frames for business resumption and recovery that meet the bank’s requirements, and when appropriate, regulatory requirements. Stipulate whether and how often the bank and the third party will jointly practice business resumption and disaster recovery plans.</em></strong></p>
</blockquote>
<p>Recently, we have encountered a technology service provider who provides a critical online banking service that absolutely refuses to agree to any provision in the agreement that addresses business continuity plans or procedures. While it states that it has such a plan and that the bank can review it, it will not agree to put anything in the contract regarding such plans. Again, the bank was informed by the vendor that it has never agreed to provide such contractual protection to a financial institution, and that no other bank has insisted upon it. Again, this is a critical service provider whose service, if it went &quot;offline&quot; for any length of time, would cause intense heartburn to the bank.</p>
<p>These are only two examples. There are many, many more. It&#39;s as if not only are many vendors unaware of requirements that their bank clients must meet (and that have been required for over a decade), but that many banks do not care about complying with regulatory guidance. In the case of smaller institutions, there is also the problem that they lack the expertise to negotiate, or perhaps they believe that they do not have sufficient importance to the vendor to bargain effectively. Whatever the reasons, many of them are rolling over with their paws in the air instead of trotting in the other direction.</p>
<p>This leaves those banks that take regulatory guidance seriously in a tough position. Some of them are simply walking away and trying to find vendors who &quot;get it,&quot; even if they are not the first choice from a purely business standpoint. Others end up negotiating with themselves to arrive at less-than-reasonable contractual compromises.</p>
<p>I have a couple of suggestions for the regulators. First, try enforcing the guidance across the board. There are financial institutions who are trying to &quot;do it right,&quot; but who are being undercut by those who aren&#39;t. Moreover, use your authority under the Bank Service Company Act and otherwise to bring home to the vendors directly that if they want to play in this arena, they need to play by your rules. Some of them are not getting the message. Perhaps it would be helpful to start naming names on both ends of the spectrum. Perhaps that would get some attention.</p>
<p>In fairness, there are technology service providers who are doing it right. They understand the guidance, and while they are not willing to fall over and play dead, they are willing to make a reasonable attempt to accommodate what is essentially appropriate risk allocation between the parties, and appropriate accommodation to their customers&#39; regulators&#39; expectations. They &quot;get it.&quot; Here&#39;s hoping that more of them eventually get the message, as well.</p></div>
</content>


    </entry>
    <entry>
        <title>What&#39;s Good For The Bank Is Good For The Bank Lawyer</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/11/whats-good-for-the-bank-is-good-for-the-bank-lawyer.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/11/whats-good-for-the-bank-is-good-for-the-bank-lawyer.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01bb07a8914d970d</id>
        <published>2014-11-09T22:13:00-06:00</published>
        <updated>2014-11-09T22:13:00-06:00</updated>
        <summary>Recent articles in the Wall Street Journal (paid subscription required) point out an inconvenient truth for many bank law firms: as third party service providers, they, too, must ensure that their information security systems are &quot;up to snuff.&quot; Big banks...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="CFPB" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Current Affairs" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Ethics" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Practice of Law" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b8d08d54e2970c-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Information Security" class="asset  asset-image at-xid-6a00d8341c652b53ef01b8d08d54e2970c img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b8d08d54e2970c-120wi" style="margin: 0px 5px 5px 0px;" title="Information Security" /></a>Recent articles <a href="http://online.wsj.com/articles/banks-demand-that-law-firms-harden-cyberattack-defenses-1414354709" target="_self">in the Wall Street Journal</a> (<em>paid subscription required</em>) point out an inconvenient truth for many bank law firms: as third party service providers, they, too, must ensure that their information security systems are &quot;up to snuff.&quot;</p>
<blockquote>
<p><strong><em>Big banks are demanding that their law firms do more to protect sensitive information to ensure that they don’t become back doors for hackers.</em></strong></p>
<p><strong><em>Once given special status as trusted third parties, lawyers, particularly those who get access to sensitive bank information, now are more likely to get full background checks. The number of compliance checklists for law-firm technology systems and security procedures has ballooned. And law firms big and small increasingly are getting on-site audits to check who has access to documents and office servers.</em></strong></p>
<p><strong><em>[...]</em></strong></p>
<p><strong><em>The demands come as financial regulators are paying more attention to third-party vendors. <a href="http://topics.wsj.com/person/L/Benjamin-Lawsky/6754"> Benjamin Lawsky </a>, the superintendent of New York state’s Department of Financial Services, last week sent a letter to dozens of banks <a href="http://online.wsj.com/articles/lawsky-targets-banks-cyberattack-vulnerability-1413941506" target="_new">requesting information</a> on security risks relating to law firms, accounting firms and other third parties.</em></strong></p>
<p><strong><em>Law firms “can have access to a very large volume of sensitive data on a recurring basis and that makes them a point of vulnerability,” Mr. Lawsky said.</em></strong></p>
</blockquote>
<p>When &quot;Gentle Ben&quot; Lawsky speaks, lawyers better listen. Not because he possesses any special insight into the banks he regulates (his background in actual banking is non-existent), but because he&#39;s demonstrated that he intends to follow in the footsteps of his role model, Eliot &quot;Mess&quot; Spitzer, by pursuing publicity-laden enforcement actions against victims that the public loves to loathe. Banks and lawyers might as well have a bulls-eye painted on their foreheads.</p>
<p>Thus far, it appears that big banks and their big firm minions are first in line for proctoscopic examinations. However, how long will it be before the &quot;trickle down&quot; theory of bank regulation that we&#39;ve seen prove itself again and again since the creation of Franken-Dodd and its dark spawn, the CFPB, will spread this &quot;closer look&quot; process to smaller banks and their law firms? Not long, I think, even if you measure the passage of time in dog years.</p>
<p>It&#39;s hard to argue that law firms for banks of any size should be cut any slack. The <a href="http://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm" target="_self">Interagency Guidelines Establishing Information Security</a>, the relevant regulatory guidance on third party relationships (such as <a href="http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html" target="_self">OCC Bulletin 2013-29</a>), and basic ethical requirements to protect the confidentiality of client information, should have impelled lawyers for banks to take information security in an online world quite seriously long before this point. In many cases, engagement agreements between law firms and bank clients already specifically require that law firms take the kind of security precautions that big banks are requiring of their law firms. True, &quot;one size does not fit all&quot; may be as true of bank law firms as it is of the banks they represent, so, perhaps, not every law firm will need to have in place all of the precautions described in the linked article.</p>
<blockquote>
<p><strong><em>Some firms instruct attorneys not to open documents sent via email unless they are in a secure environment in the office, or using a firm laptop on an encrypted line. For particularly sensitive matters, firms might restrict work to stand-alone computers that don’t connect to the Internet, said Mary E. Galligan, a Federal Bureau of Investigation veteran who now is a director of cyberrisk services at consulting and accounting firm Deloitte &amp; Touche LLP.</em></strong></p>
<p><strong><em>Mobile devices are a particular focus. Many firms can wipe data from smartphones and laptops that are lost or stolen, and most firms install some level of encryption.</em></strong></p>
<p><strong><em>Law firm Davis Polk &amp; Wardwell LLP in recent weeks added a new precaution: Lawyers must have a special application installed on their smartphones to open attachments sent to their firm addresses.</em></strong></p>
</blockquote>
<p>On the other hand, those security measures make sense and many of them are not unreasonably expensive to implement. Those firms that don&#39;t want to encounter a nasty (and expensive) surprise would be wise to take this concern seriously, and prepare for such an examination, whether or not one is ever actually performed.</p></div>
</content>


    </entry>
    <entry>
        <title>BancSouth Wins Big</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/06/bancsouth-wins-big.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/06/bancsouth-wins-big.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01a511d2c24e970c</id>
        <published>2014-06-22T21:57:00-05:00</published>
        <updated>2014-06-22T21:57:00-05:00</updated>
        <summary>A recent Eighth Circuit Court of Appeals decision in favor of BancSouth bodes well for financial institutions who understand their obligations under UCC Article 4A and take those obligations seriously. Unlike consumer customers, who are pretty much protected against unauthorized...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Deposits" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01a73dde0d91970d-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Cybercrooks" class="asset  asset-image at-xid-6a00d8341c652b53ef01a73dde0d91970d img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01a73dde0d91970d-120wi" style="margin: 0px 5px 5px 0px;" title="Cybercrooks" /></a>A recent Eighth Circuit Court of Appeals decision in favor of BancSouth <a href="http://krebsonsecurity.com/2014/06/ruling-raises-stakes-for-cyberheist-victims/" target="_self">bodes well for financial institutions</a> who understand their obligations under UCC Article 4A and take those obligations seriously. Unlike consumer customers, who are pretty much protected against unauthorized funds transfers by Regulation E if they examine their monthly bank statements and promptly inform their banks of any unauthorized transactions, business customers whose bank accounts are compromised by cybercrooks have much less protection. As the 8th Circuit points out, the inquiry in such instances is focused on whether the bank and customer had agreed upon commercially reasonable security procedures that the bank would use to determine whether or not a purported funds transfer was authorized by the customer and, if so, whether or not the bank employed those security procedures in good faith. If the bank meets that two-pronged test, the business customer is stuck with liability for any unauthorized transfer.</p>
<p>The controversy usually arises when an employee of the business customer has fallen for a &quot;phishing&quot; scheme, clicking on a link in an email that causes malware to be downloaded that allows the crooks to learn the user name and password that the employee uses to log in to the online banking system of the bank. In the BancSouth case, that apparently occurred. However, regardless of how access to the password and user name was obtained, the focus of the court was, as it should have been, whether the agreed upon security procedures used by the bank were commercially reasonable and employed by the bank in good faith. In this instance, the court (and the trial court) found that they were.</p>
<p>While the customer&#39;s attorneys argued that the use of a user name and password was &quot;one-factor authentication&quot; that is contrary to FFIEC guidance that advises that &quot;multi-factor authentication&quot; processes should be used, the court countered that argument by finding that the bank offered &quot;dual controls&quot; for wire transfer (separate persons must authorize the initial funds transfer request and the confirmation of that transfer order), and that the customer opted not to use such a procedure on the grounds that it was &quot;inconvenient.&quot; More cautious banks not only offer dual controls, they require them unless the customer signs a separate agreement or waiver under which it indemnifies the bank from any claims, loss, or liability arising out of unauthorized transfers from the account under a single-control authorization process. BancSouth had such a waiver and the customer signed it.</p>
<p>BancSouth&#39;s online banking agreement also contained an indemnification provision that is common in online banking agreements in one form or another, pursuant to which the customer agreed to indemnify and hold the bank harmless from claims, losses, liabilities, costs and expenses, including reasonable attorneys&#39; fees, arising out of the bank&#39;s provision of services, as long as the bank fulfilled its obligations. The appellate court ruled that this provision provided a sufficient basis for the bank to pursue a claim against its customer for payment of attorneys&#39; fees, and overturned the trial court&#39;s denial of a counterclaim by the bank for such fees. Again, well-drafted online banking agreements ought to contain a similar provision.</p>
<p>Dan Mitchell, an attorney who has been involved in other high-profile litigation on this subject, and another commenter, had some cogent observations on the implications of this decision.</p>
<blockquote>
<p><strong><em>Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. Bancorp South had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could&#0160;recover the costs from the escrow firm. <span id="more-26477"></span></em></strong></p>
<p><strong><em>&quot;The bank had asserted a counterclaim that the customer should pay the bank’s legal fees,&quot; said Mitchell, who battled similar claims in which Patco — a Maine construction firm — <a href="http://krebsonsecurity.com/2012/07/court-ruling-could-be-boon-to-cyberheist-victims/" target="_blank" title="http://krebsonsecurity.com/2012/07/court-ruling-could-be-boon-to-cyberheist-victims/">successfully sued its bank over a $588,000 cyberheist</a>. &quot;There’s no other federal circuit court case other than Patco that has gotten up to that level. The appeals court said the bank can now pursue its legal fees against the customer. And that may end up being the important part of this opinion in the long run if [plaintiffs are]&#0160;looking at not only have to pay their lawyers to pursue a loss but also those of the bank.&quot;</em></strong></p>
<p><strong><em>Charisse Castagnoli, an&#0160;adjunct professor of law at the John Marshall Law School, said the appeals court decision means that indemnification is now the ‘law of the land’ in the 8th Circuit.</em></strong></p>
<p><strong><em>Castagnoli said she expects two results from this decision: that banks which don’t already have these clauses in their online banking agreements will add them; and that cyberheist victims&#0160;will think more cautiously about bringing a lawsuit.</em></strong></p>
<p><strong><em>&quot;This is the first time a court has ruled on fee shifting, and that will certainly have a chilling effect on litigation,&quot; Castagnoli said.</em></strong></p>
</blockquote>
<p>The opinion contains other nuances that are worth considering. The linked article from Brian Krebs&#39; excellent blog contains a link to the opinion.</p></div>
</content>


    </entry>
    <entry>
        <title>When Curry Speaks, All Banks Should Listen</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/04/when-curry-speaks-all-banks-should-listen.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/04/when-curry-speaks-all-banks-should-listen.html" thr:count="1" thr:updated="2014-04-18T12:26:42-05:00" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01a511a230d8970c</id>
        <published>2014-04-17T21:45:00-05:00</published>
        <updated>2014-04-17T21:45:00-05:00</updated>
        <summary>The Comptroller of the Currency Thomas Curry gave a speech the other day (paid subscription required), and emphasized a couple of points that vendor management folks at financial institutions with various charters--state and federal, bank and credit union--and the lawyers...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="OCC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Officers &amp; Directors" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Outsourcing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01a73dad4112970d-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Thomas-curry" class="asset  asset-image at-xid-6a00d8341c652b53ef01a73dad4112970d img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01a73dad4112970d-120wi" style="margin: 0px 5px 5px 0px;" title="Thomas-curry" /></a>The Comptroller of the Currency Thomas Curry <a href="http://www.americanbanker.com/issues/179_74/occ-warns-about-vendor-concentration-foreign-subcontractors-1066939-1.html" target="_self">gave a speech the other day</a> (<em>paid subscription required</em>), and emphasized a couple of points that vendor management folks at financial institutions with various charters--state and federal, bank and credit union--and the lawyers who represent them, would be wise to heed.</p>
<blockquote>
<p><em><strong>Comptroller of the Currency Thomas Curry said his agency is increasingly concerned about the cybersecurity risks from banks relying too much on certain vendors and using service providers in foreign countries.</strong></em></p>
<p><em><strong>Banks can end up becoming dependent on certain vendors because of consolidation in the service provider industry, Curry said in his prepared remarks for the Consumer Electronics Show&#39;s Government Summit in Washington. They can also be exposed to risks when they assign critical functions to outside vendors, including those that use foreign-based subcontractors.</strong></em></p>
<p><em><strong>&quot;Banks need to consider the legal and regulatory implications of where their data is stored or transmitted, and make a determination as to whether geographic limitations are needed in their contracts,&quot; Curry said. &quot;Finally — and perhaps most importantly — we are concerned about the access third parties have to large amounts of sensitive bank or customer data.&quot;</strong></em></p>
</blockquote>
<p>Here are a few take-aways:</p>
<p>First, cybersecurity due diligence of your vendor assumes critical importance when that vendor has access to customer data and other sensitive information of the institution. Access to sensitive information ought to make that vendor a &quot;critical&quot; vendor regardless of the dollar &quot;value&quot; of the contract. The institution needs to be able to document that it examined the information security procedures and systems and found that they met industry standards.</p>
<p>Second, the provisions of the agreement between the institution and such vendors on confidentiality and information security need to be &quot;robust.&quot; This is especially critical when one or a couple of vendors of the institution have access to a lion&#39;s share of sensitive data. Read OCC Bulletin 2013-29, FFIEC&#39;s handbooks on the outsourcing of technology services, and other regulatory guidance. Make sure you know what contractual assurances you need and then make sure they&#39;re in the agreement.</p>
<p>Third, the financial institution needs to monitor the compliance of these vendors with information security safeguards throughout the life of the relationship. If a critical vendor&#39;s not providing an annual SSAE 16 audit report of an appropriate type (SOC 1 vs. SOC 2), and not addressing problems raised by such annual reviews, you&#39;ve got a problem.</p>
<blockquote>
<p><strong><em><span>&quot;We expect the board and management to ensure that appropriate risk management practices are in place, that clear accountability for day-to-day management of these relationships is established, and that independent reviews of these relationships will be conducted periodically,&quot; Curry said in his remarks Wednesday.</span></em></strong></p>
</blockquote>
<p><span>That&#39;s a red flag, no? </span></p>
<p>Fourth, you need to read between the lines of what Curry&#39;s saying about &quot;certain vendors.&quot; Pay attention to what&#39;s happening in the marketplace. If an article appears in the press that notes problems with a critical vendor, investigate and assure yourself that any problems are being addressed. Review the web sites of the regulators for enforcement actions, and pay attention to what you find if a vendor is the subject. Pay attention to your own due diligence. If you gather necessary information but don&#39;t act upon it appropriately, your regulator will not be pleased.</p>
<p>Fifth, foreign subcontractors have become a &quot;hot button&quot; concern. I would recommend that in your vendor agreements with critical vendors you have adequate restrictions on the use of subcontractors. Among those restrictions ought to be that the use of a non-US based subcontractor requires your prior written consent. I represent banks that would never consent, but that&#39;s a story for another day.</p>
<p>If the vendor pushes back, that vendor ought to be a cause for grave concern. They&#39;re not doing you a favor by selling you their technology, although a few of the larger ones act that way, especially if you&#39;re a smaller institution. These concerns are regulatory concerns, matters of safety and soundness. If the vendor is large and representing a number of financial institutions, none of these issues should come as a surprise to them. If you have concerns about a vendor, give your federal regulator a call and tell him or her about those concerns. As Curry makes clear, your regulator will be interested. Very interested.</p></div>
</content>


    </entry>
    <entry>
        <title>Too Late To The Party</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/08/too-late-to-the-party.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/08/too-late-to-the-party.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01901f0258fc970b</id>
        <published>2013-08-25T22:00:00-05:00</published>
        <updated>2013-08-25T22:00:00-05:00</updated>
        <summary>A couple of months ago, I wrote a post about how &quot;hagglers&quot; hired by banks to help negotiate major technology service agreements might be useful, as long as the banks who used them didn&#39;t forget to include other experts in...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Practice of Law" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01901f025290970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Sorry, Too Late" class="asset  asset-image at-xid-6a00d8341c652b53ef01901f025290970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01901f025290970b-120wi" style="margin: 0px 5px 5px 0px;" title="Sorry, Too Late" /></a>A couple of months ago, <a href="http://www.banklawyersblog.com/3_bank_lawyers/2013/06/banks-hire-hagglers.html" target="_self">I wrote a post</a> about how &quot;hagglers&quot; hired by banks to help negotiate major technology service agreements might be useful, as long as the banks who used them didn&#39;t forget to include other experts in the mix, including legal counsel. Apparently, my readership is extremely small.</p>
<p>I received a telephone call from a community bank CFO not long ago in which he asked me to review a &quot;signature-ready&quot; core servicing agreement with one of the nation&#39;s largest technology service providers. I asked him to explain to me what he meant by &quot;signature-ready.&quot; He stated that the contract had been negotiated with the assistance of a well-known technology service consulting firm over an extended period of time, that all outstanding issues had been resolved, and that the agreement was ready for signature.</p>
<p>&quot;Then why are you calling me?&quot; I inquired.</p>
<p>&quot;Our consultants tell us that regulatory guidelines &#39;require&#39; that we have the contract reviewed by an attorney, so that&#39;s what we need you to do.&quot;</p>
<p>&quot;In other words,&quot; I replied, &quot;you need a lawyer to &#39;bless&#39; the agreement but not raise any issues that might delay execution of the agreement.&quot;</p>
<p>My interlocutor sounded offended, but not for the reason you might suspect. &quot;There won&#39;t be any issues that your review would uncover because, after all, we hired [Insert Name of Consulting Firm Here]. They wouldn&#39;t have missed anything.&quot;</p>
<p>&quot;Then, hiring me is a useless gesture made solely to check a box on a form and to snooker the regulators into thinking that legal counsel actually had input into the analysis and negotiation of the agreement,&quot; I observed, reasonably. &quot;By the way, is [Insert Name of Consulting Firm Here] authorized to practice law in your state? If not, then they couldn&#39;t possibly have given you legal advice concerning such matters as the legal enforceability of crucial contract provisions, the legal implications of risk allocation provisions such as warranties, indemnifications, dispute resolution, default triggers and remedies, disclaimers, damages and liability limitations, and the like. Or did they?&quot;</p>
<p>I cut through the ensuing sounds of crickets chirping by telling him that he should have hired us when the first draft hit his inbox. It was too late in the game to give his financial institution much meaningful input, other than point out whatever the consultants might have missed. I told him that the next time he needed someone to sprinkle holy water on a contract, he should call his local parish priest.</p>
<p>If his call was an isolated incident, it would be worthy of a head shake and then consignment to the one-off file. Unfortunately, it&#39;s not the first phone call with that scenario that I&#39;ve received. Those of us who advise financial institutions on technology service agreements have little of value to add when we&#39;re called in at the eleventh hour and fifty-ninth minute. From sad experience, we can anticipate the hostility of the reaction that will ensue if we point out any inconvenient truths at that late an hour. Usually, they will be rationalized away by business people who are too far in love with the deal to jeopardize its consummation.</p>
<p>There are lawyers out there who will wave a magic wand over your contract and state with conviction &quot;It looks industry standard to me!&quot; For example, the vice-chairman&#39;s brother-in-law who does the occasional sublease review and residential loan foreclosure, the guy with the office over the Rexall Drugstore down at the corner of State and Main. You might as well give him a tumble at that point, for all the real benefit you&#39;ll derive.</p>
<p>OCC Bulletin 2001-47 states that &quot;at the outset,&quot; banks should conduct a risk assessment of third party relationships that &quot;should include the identification of performance criteria, internal 
controls, reporting needs, and contractual requirements. Internal 
auditors, compliance officers, and legal counsel could help to analyze 
the risks associated with the third-party relationship and to establish 
the necessary control and reporting structures.&quot; The Bulletin also lists a number of contractual issues that should be analyzed and addressed, many of which necessarily involve legal expertise. </p>
<p>Calling in legal counsel when your pen is poised above the signature is way too late to provide any actual value.</p></div>
</content>


    </entry>
    <entry>
        <title>Compounding The Problem</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/07/compounding-the-problem.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/07/compounding-the-problem.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef0191047869ec970c</id>
        <published>2013-07-29T21:55:00-05:00</published>
        <updated>2013-07-31T15:15:10-05:00</updated>
        <summary>I&#39;ve been critical of &quot;blown&quot; foreclosure seizures in the past, especially of Bank of America&#39;s repeated FUBARs and its seizure of pet parrots and similar heinous crimes against nature. Unfortunately for the banking industry, it&#39;s not only the giant whipping...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Blogging" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Consumer Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Lending" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Marketing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01901e8248a0970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Reputation" class="asset  asset-image at-xid-6a00d8341c652b53ef01901e8248a0970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01901e8248a0970b-120wi" style="margin: 0px 5px 5px 0px;" title="Reputation" /></a>I&#39;ve been critical of &quot;blown&quot; foreclosure seizures in the past, <a href="http://www.banklawyersblog.com/3_bank_lawyers/2010/06/memo-to-bank-of-america-eat-more-fish.html" target="_self">especially of Bank of America&#39;s repeated FUBARs</a> and its <a href="http://www.banklawyersblog.com/3_bank_lawyers/2010/03/seriously-absurd.html" target="_self">seizure of pet parrot</a>s and similar heinous crimes against nature. Unfortunately for the banking industry, <a href="http://abcnews.go.com/Business/ohio-womans-home-mistaken-foreclosed-property-cleared/story?id=19773182" target="_self">it&#39;s not only the giant whipping boys</a> who step in piles of mud pies and make headlines in this regard. </p>
<blockquote><strong><em>A woman in McArthur, Ohio, about 70 miles south of Columbus, said a bank
 mistakenly cleared items from her home, confusing it for a foreclosed 
house across the street, then demanded receipts when she asked to be 
compensated for her missing possessions.
</em></strong>
<p><strong><em>
Katie Barnett, 36, a nurse, said her family had left for about two weeks
 last month and returned to find the locks on their home had changed and
 many of their belongings had been taken.
</em></strong></p>
<p><strong><em>
&quot;We called the cops and they said they thought it was a squatter,&quot; she said.
</em></strong></p>
<p><strong><em>
Two dressers and clothing for her five children were taken, as well as 
items from outside their home, including pool cleaning supplies and 
patio furniture, she said.
</em></strong></p>
<p><strong><em>
Weeks later, she said, police told her that a bank representative had 
contacted them, saying someone was living in a foreclosed home: the 
Barnett&#39;s one-story, three-bedroom home.
</em></strong></p>
<p><strong><em>
&quot;Obviously I wanted to find out what bank it was. I was mad about the whole situation,&quot; said Barnett.
</em></strong></p>
<p><strong><em>
She later learned First National Bank in Wellston, of which she is not a
 customer, had mistaken her home for a bank-owned property across the 
street.
</em></strong></p>
<p><strong><em>
A bank employee told <a href="http://www.10tv.com/content/stories/2013/07/22/athens-county-woman-wants-possessions-back-after-bank-tried-to-repossess-wrong-house.html" target="external">10TV News </a>that the bank is trying to come to an agreement with Barnett.
</em></strong></p>
<p><strong><em>
&quot;A GPS had led them to my house, the president of the bank told me,&quot; 
Barnett said. &quot;They also said my grass hadn&#39;t been mowed so they just 
assumed that was the house.&quot;
</em></strong></p>
</blockquote>
<p>You have to wonder whether the crack about the unmowed lawn was an Epic Fail of a snark attack or an accurate statement of the extent of the due diligence conducted by the bank&#39;s personnel in determining the location of the actual property that was the subject of the foreclosure. Either way, it was apparently pouring salt on Ms. Barnett&#39;s open wound. If the bank had stopped there, it would have been bad enough. However, it wasn&#39;t through digging its own public relations grave.</p>
<p>When Kate asked for $18,000 to compensate her and her family for the lost items, the bank demanded receipts, because they weren&#39;t going to &quot;pay retail.&quot; Seriously, they said that. On its web site, the bank, which refused to respond to questions from one of America&#39;s most popular morning network television shows, ABC&#39;s &quot;Good Morning America,&quot; claimed that while it wants to compensate Ms. Barnett &quot;fairly and equitably...the written list of items that she provided to us – and the value she 
assigned to those items – is inconsistent with the list and descriptions
 of items removed that was prepared by the employees who did the work, 
and with the list and values of missing items provided by the homeowner 
herself as recorded in an earlier telephone conversation with one of our
 representatives.&quot; The bank states that it needs to reconcile those differences before compensating the homeowner whose house it broke into and from which it removed items that did not belong to it and which it had no lawful right to remove. You understand how a bank wouldn&#39;t want to pay more than depreciated present value of those household items, don&#39;t you? I mean, that wouldn&#39;t be FAIR!</p>
<p>When I recently discussed on this blog the concerns that federal banking regulators have with the use of social media by banks, I mentioned the fact that &quot;reputational risk&quot; was a legitimate safety and soundness concern. Getting a black eye in the mainstream media (or social media) can hurt the bank&#39;s &quot;brand.&quot; Therefore, regardless of whether or not the bank has a legitimate concern about the nature and number of items claimed to have been lost or their current value, it seems to me that one of the factors a bank might want to weigh in deciding what to pay or whether or not to pay at all, is the damage to reputation that can occur when &quot;Good Morning America&quot; plasters your name on television and the world wide web in a context that gives the average American consumer one more reason to hate another bank, as if he or she needed another reason.</p>
<p>While we may be getting only one side of the story from the linked article, in large part that&#39;s because the bank has chosen not to respond directly to ABC News, but to respond solely through a web site posting. When only the plaintiffs and their attorneys do the talking, the press reports are sure to be slanted in their favor. Barnett claims that she&#39;s hired an attorney and that she plans to sue the bank, that her kids&#39; summer has been ruined, and that other emotional stress has ensued to the family members. Therefore, the publicity in this case for the bank is not likely to improve.</p>
<p>Let&#39;s say that Kate is &quot;overestimating&quot; the value of the removed items. Let&#39;s say, purely for the sake of argument, that she&#39;s doubled their &quot;actual value.&quot; Would having paid her the extra $9,000 she demanded, having obtained a full release of liability, and having put her under an agreement of confidentiality right from the start have been worth the cost? Each bank must make its own decision, but I can see how many banks in the same position might think that it would be worth it. They would consider the &quot;overpayment&quot; as additional compensation for &quot;emotional pain and suffering&quot; and as an additional cost of doing business when the folks doing your foreclosure property takeovers have a tough time distinguishing the street addresses &quot;509&quot; and &quot;514.&quot;</p>
<p>During a time in our history when bankers rate as low as lawyers in the public&#39;s view, the extra payment to mitigate the reputational risk might just be justified.</p></div>
</content>


    </entry>
    <entry>
        <title>The Help Was Not Helpful</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/07/the-help-was-not-helpful.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/07/the-help-was-not-helpful.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef0192ac0a2eb4970d</id>
        <published>2013-07-16T12:18:40-05:00</published>
        <updated>2013-07-16T12:18:40-05:00</updated>
        <summary>I gave a presentation a couple of weeks ago in New York City to credit union officers about the legal risks of engaging in social media activities. One of the entities that I told my audience I thought was doing...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Consumer Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Employment" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Marketing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Social Media" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01910440ff18970c-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Faux Pas" class="asset  asset-image at-xid-6a00d8341c652b53ef01910440ff18970c" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01910440ff18970c-120wi" style="margin: 0px 5px 5px 0px;" title="Faux Pas" /></a>I gave a presentation a couple of weeks ago in New York City to credit union officers about the legal risks of engaging in social media activities. One of the entities that I told my audience I thought was doing a decent job in social media was Bank of America&#39;s &quot;Help&quot; Twitter feed. From my personal observations, their &quot;youngsters&quot; seem to do a good job of handling customers who may be frustrated dealing with other segments of the giant bank&#39;s customer service octopus.</p>
<p>I guess I should <a href="http://www.digiday.com/brands/bank-of-americas-epic-twitter-fail/" target="_self">monitor BofA Help more frequently</a>. Digiday&#39;s Saya Weissman recounts a series of tone-deaf tweets by a BofA Help &quot;tweeter&quot; that lead a casual observer to wonder whether someone was on Quaaludes and, if so, who. Responding to an allegation by Occupy LA that the bank should stop stealing people&#39;s homes by offering to review Occupy LA&#39;s account makes you wonder about a number of things, including the following speculation by Ms. Weissman: &quot;The immediate and understandable assumption was that the bank’s Twitter 
feed is run by a bot – a program that automatically replies to tweets 
that mention it. Bafflingly, this turns out not to be the case. A bank 
spokesperson explained to Digiday that real people are, in fact, behind 
all of the brand’s tweets.&quot;</p>
<p>A spokesperson for the bank insisted that real, live, human &quot;bots&quot; are tweeting those gems. Weissman claims that the bank&#39;s &quot;utter lack of online competence...merely reinforced these <a href="https://twitter.com/DefToy/status/353612354115735552">angry tweeters’ view </a>of the company as a faceless, heartless conglomerate.&quot; She concludes that if this is the best &quot;help&quot; that BofA can offer, &quot;who needs enemies?&quot;</p>
<p>I guess I wouldn&#39;t have been that harsh on the tweeter, who was likely proceeding in compliance with a carefully scripted line that he or she was required to follow. On the other hand, you have to wonder about the bank&#39;s guidelines for initiating &quot;conversations&quot; on Twitter. If it&#39;s whenever the bank&#39;s name is mentioned, then there ought to be some requirement that before the BofA employee &quot;tweet&quot;s, they be required to actually comprehend the content of the tweet to which they are &quot;responding.&quot; </p>
<p>The proposed FFIEC Guidelines on social media compliance that we&#39;ve previously discussed are shot through, from stem to stern, with concern about &quot;reputational risk.&quot; Such risk is posed not only by technical violation of laws or regulations. It&#39;s also posed by ineptness. </p>
<p>You don&#39;t have to be perfect all of the time. However, if you&#39;re going to be incompetent any of the time, expect to pay a reputational price. Even (or, perhaps, especially) in cyberspace, it&#39;s hard to hide.</p></div>
</content>


    </entry>
    <entry>
        <title>FDIC&#39;s Take On FFIEC&#39;s Social Media Guidance</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/04/fdics-take-on-ffiecs-social-media-guidance.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/04/fdics-take-on-ffiecs-social-media-guidance.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017eea7bf212970d</id>
        <published>2013-04-22T22:01:00-05:00</published>
        <updated>2013-04-22T22:01:00-05:00</updated>
        <summary>I ran across an interview recently that the FDIC&#39;s Elizabeth Khalil gave to InfoSecurity&#39;s Tracy Kitten about the FFIEC&#39;s proposed guidance on social media. Among my take-aways are the following: The push for the guidance came from smaller banks that...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="CFPB" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Consumer Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Credit Unions" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FDIC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FRB" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Marketing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="OCC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Social Media" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017eea7be995970d-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Guidance" class="asset  asset-image at-xid-6a00d8341c652b53ef017eea7be995970d" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017eea7be995970d-120wi" style="margin: 0px 5px 5px 0px;" title="Guidance" /></a>I ran across an interview recently that <a href="http://www.bankinfosecurity.com/interviews/fdic-on-social-media-risks-i-1789" target="_self">the FDIC&#39;s Elizabeth Khalil gave to InfoSecurity&#39;s Tracy Kitten</a> about the FFIEC&#39;s <a href="http://www.ffiec.gov/press/pr012213.htm" target="_self">proposed guidance on social media</a>. Among my take-aways are the following:</p>
<ul>
<li>The push for the guidance came from smaller banks that wanted the regulators to give them some free advice. We all understand the fact that because small banks have less money available to pay for expensive lawyers, they look to leverage off of every free resource they can glom onto. Trade associations aren&#39;t free, but if you&#39;re paying your dues, you look to them to give you your money&#39;s worth. Since banks pay the federal bank regulators assessments, they want some bang for those bucks, as well. I get it.</li>
<li>While Ms. Khalil mentioned &quot;reputational risk&quot; as the second major risk of the three she discussed (&quot;compliance issues&quot; was number one and &quot;third party risk&quot; was the third), I think reputational risk layers through much of the regulators&#39; concerns. For example, misuse of consumers&#39; personal information may be a compliance risk issue, and a Facebook vulnerability to hackers is a third-party risk. However, they both can impact the bank&#39;s reputation. Bad things that happen in a bank&#39;s social media endeavors often pose a reputational risk as an additional risk, and that&#39;s a safety and soundness concern which, in turn, is a regulatory compliance concern.</li>
<li>None of what&#39;s in the guidance is new, and banks that are already engaged in social media activities should already be familiar with the elements of the guidance. If they&#39;re not, they better become familiar in a hurry and hope that no one notices.</li>
<li>Due diligence on third party service providers that you intend to use is critical. The due diligence needs to be ongoing. A third party&#39;s <em>faux pas</em> can bite the bank in the backside as well as the third party. Monitoring is essential.</li>
<li>As is the case with online banking security, the regulators encourage banks to educate consumers on social media risks. For example, the regulators will look favorably on a bank educating its social media users on the risk of fraudulent bank sites, how to recognize the real deal from the fraudster, and that they should never give up personal information over social media.</li>
<li>Whether or not a bank is actively using social media to interface with current or potential customers, it needs to have a social media use policy. The bank&#39;s employees are using social media, and other people may be saying bad things about you in cyberspace. The bank should have a policy that deals with these issues.</li>
</ul>
<p>The final guidance is expected to be out in the near future (the comment period closed March 25th), depending on the nature of the comments received. Interested bankers should keep their eyes peeled (although, don&#39;t hold your breath).</p>
<p>I&#39;ll be giving a breakout session on social media compliance on July 3, 2013 at CUNA’s America’s
Credit Union Conference in New York City. If you&#39;re a reader and are attending that conference, say hello.</p></div>
</content>


    </entry>
    <entry>
        <title>Educating Customers About Online Fraud: A Case Study</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/04/eductaing-customers-about-online-fraud-a-case-study.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/04/eductaing-customers-about-online-fraud-a-case-study.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017d4273bde1970c</id>
        <published>2013-04-01T21:34:00-05:00</published>
        <updated>2013-04-01T21:34:00-05:00</updated>
        <summary>Two years ago, we discussed the fact that, pursuant to supplemental guidance issued by the FFIEC, financial institutions were going to have to take seriously the need to educate their online banking customers about ways to prevent online banking fraud. BankInfoSecurity&#39;s...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Marketing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Social Media" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017ee9e7d842970d-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Educate Me" class="asset  asset-image at-xid-6a00d8341c652b53ef017ee9e7d842970d" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017ee9e7d842970d-120wi" style="margin: 0px 5px 5px 0px;" title="Educate Me" /></a>Two years ago, <a href="http://www.banklawyersblog.com/3_bank_lawyers/2011/07/online-authentication-time-to-educate.html" target="_self">we discussed the fact</a> that, pursuant to supplemental guidance issued by the FFIEC, financial institutions were going to have to take seriously the need to educate their online banking customers about ways to prevent online banking fraud. <a href="http://www.bankinfosecurity.com/interviews/fraud-awareness-banking-case-study-i-1874" target="_self">BankInfoSecurity&#39;s Tracy Kitten recently interviewed</a> the heads of social media and information security for Bank of the West about their efforts in this area. In addition to posting educational videos for customers on the bank&#39;s web site, the bank is uploading them to its YouTube channel in an attempt to make those videos &quot;go viral.&quot; In other words, the bank is blending its internal information security technology and social media expertise to do what the bank regulators want them to do: help combat online banking fraud by educating their customers.</p>
<p>While the entire, relatively short, interview is worth a listen, I took away the following points:</p>
<ul>
<li>If you want social media content to &quot;go viral&quot; (for the social media challenged: &quot;circulate widely via social media&quot;), you have to make the content &quot;relevant and compelling.&quot; You also must update it frequently. Easier said than done. It&#39;s why I believe that banks need to blend their internal talents, the way that Bank of the West is doing. Social media is not the sole province of either marketing or &quot;technologists.&quot; It takes folks with a variety of skills to make it rock.</li>
<li>To banks like this one, that have been in the social media game for a while, the recently proposed FFIEC social media guidelines are no big deal. They should be well positioned to meet those guidelines with little, if any, modification to their existing procedures. As one of the gentlemen interviewed observed, they&#39;ve been expecting these guidelines for years.</li>
<li>Social media (videos) is only one arrow in the educational quiver. The bank is also using seminars targeted to specific groups of customers (small businesses, primarily, since that&#39;s the customer group that is most at risk for online banking fraud losses).</li>
<li>Of most concern to information security officers is the movement of organized criminal organizations into this arena. They bring with them the money and skill set (not to mention the ruthlessness) to pull off the most successful heists, targeting not the banks but their customers.</li>
<li>Quality is more important than quantity in online education efforts. Throwing everything against the wall and seeing what sticks will likely not be a successful approach.</li>
<li>You need cooperation from different areas of the bank to do this successfully. Therefore, you need &quot;buyoff&quot; internally before you launch, not after.</li>
<li>Most of these efforts are too new to be able to measure their effectiveness, but using the tools that are available to do so on an ongoing basis is important. If your efforts aren&#39;t paying off, then you need to consider tweaking them.</li>
</ul></div>
</content>


    </entry>
 
</feed>
