Posted September 13, 2016
On July 1, the FDIC released the Information Technology Risk Examination program (InTREx), which replaced its IT risk management program.
Since the release, several states have adopted InTREx, and more states are likely to follow suit. One reason: InTREx is considerably smaller than most IT risk questionnaires, and it provides a quantifiable way to determine the scope and resources needed for exams. Many states have modified the program to fit their needs; they also have the option of building sections to further define each exam.
At least 90 days prior to an IT exam, the bank will receive an Information Technology Profile from FDIConnect. The profile is made up of 26 questions, under the categories of: Core Processing (4); Network (6); Online Banking (4); Development and Programming (1); Software and Services (2); and Other (9).
For the examination, banks will be assessed using four core analysis modules: Audit; Management; Development and Acquisition; and Support and Delivery. Two workpapers contained within InTREx—one covering information security standards and one applicable to cybersecurity—are referenced in the core analysis modules.
Also built into the document are two expanded analysis sections—one specific to management, the other pertaining to support and delivery. Examiners may opt to complete either or both expanded sections if certain procedures are not specifically addressed in the core modules, or if an examiner determines the bank needs additional analysis.
All questions and referenced materials (modules, expanded sections, workpapers) are incorporated in the downloadable InTREx document, which is posted to the FDIC website via this link: https://www.fdic.gov/news/news/financial/2016/fil16043a.pdf
InTREx will markedly change how a bank prepares for and conducts IT examinations and audits. The new InTREx process can help banks wanting to adopt a more proactive stance to risk while devising their IT strategy. Overall, a bank that completes the initial questions and reviews the modules and workpapers will be better prepared for an exam by the FDIC or by a state that has adopted InTREx.
InTREx is also a publicly available, examiner-approved and organized way to internally audit a bank’s IT functions with a heavy emphasis on cybersecurity.
An October 2014 paper—2014 ICBA American Millennials and Banking Study—details surprising findings from a nationwide study by the Independent Community Bankers of America® and The Center for Generational Kinetics LLC. The survey results indicate, among other things, that as a group, Millennials are driven by entrepreneurial ambitions and eager for financial education.
The paper, which is accessible online to ICBA members, summarizes the study results. Further, it lays out strategies and action steps for community banks seeking to engage and serve Millennials. To download the paper, visit the Press Room at icba.org. Log in and click on News Releases. (The study was released October 15, 2014.)
Defend your bank against hackers: Verify your originators
A number of banks are reporting that their customers’ emails have been hacked. Hacking can trigger a chain of events aimed at defrauding financial institutions. The most effective precaution your bank can take is to completely and consistently follow best practices. The following story illustrates why.
Bank XYZ receives an email that appears to be from its good customer. The email instructs the bank to wire funds to a beneficiary in a foreign country. An employee at Bank XYZ, relying on the email alone for authorization, wires the funds according to the instructions in the email.
What went wrong in this example? The good customer’s email had been hacked. The emailed wire request was sent by a fraudster in a distant country, and the funds are long gone by now.
And because the employee at Bank XYZ failed to call the customer to confirm the originator’s identity, it’s Bank XYZ that suffered the loss.
Unfortunately, U.S. financial institutions have incurred large financial losses as a result of this type of fraud. We urge you to stress the importance of always making a call-back to your customer to verify any faxed or emailed wire transfer request before releasing payment. Whether your bank uses passwords or PINs to verify the identity of customers, following this step without exception will help safeguard both your customer and your bank.
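As an added illustration (not part of the original post), the following Python release gate models the call-back control described above: an emailed or faxed wire request is never released on the message alone, the call-back must go to the phone number already on file rather than any number the message supplies, and the PIN or password given on the call must verify. All names, fields and sample values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example; every name, field and sample value here is an assumption.
@dataclass
class WireRequest:
    customer_id: str
    channel: str                      # "email", "fax" or "branch"
    beneficiary: str
    amount: float
    number_in_message: Optional[str]  # call-back number the message itself supplies, if any

@dataclass
class CustomerRecord:
    customer_id: str
    phone_on_file: str   # captured at onboarding, never updated from an inbound request
    pin_hash: str        # stored verifier for the customer's call-back PIN or password

@dataclass
class CallBack:
    number_dialed: str   # number the employee actually called
    pin_presented: str   # PIN/password the customer gave during the call

def make_pin_hash(customer_id: str, pin: str) -> str:
    # Simplified verifier: SHA-256 over the customer id and PIN (a real system would use a slow KDF).
    return hashlib.sha256(f"{customer_id}:{pin}".encode()).hexdigest()

def release_wire(req: WireRequest, cust: CustomerRecord,
                 cb: Optional[CallBack]) -> Tuple[bool, str]:
    """Decide whether a wire may be released; faxed/emailed requests need a verified call-back."""
    if req.customer_id != cust.customer_id:
        return False, "request does not match the customer record"
    if req.channel in ("email", "fax"):
        if cb is None:
            return False, "no call-back performed; message-only authorization refused"
        # Dial only the number on file: a number written in the message may be the fraudster's.
        if cb.number_dialed != cust.phone_on_file:
            return False, "call-back dialed a number that is not on file"
        if not hmac.compare_digest(make_pin_hash(cust.customer_id, cb.pin_presented), cust.pin_hash):
            return False, "call-back PIN/password did not verify"
    return True, "authorized"

# Constructed sample data mirroring the Bank XYZ story: an emailed request carrying its own number.
CUSTOMER = CustomerRecord("C-1001", "+1-555-010-0100", make_pin_hash("C-1001", "7342"))
EMAILED = WireRequest("C-1001", "email", "Foreign Beneficiary Ltd", 48000.0, "+1-555-010-9999")
```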