Domain: ffiec.gov
Stories and comments across the archive that link to ffiec.gov.
Comments · 21
-
Re:Wrong title
The stakes are high and people will play any game to get a piece of this action.
The MT.GOX theft of 850,000 Bitcoins is 7% of the approximately 12,000,000 [1] in circulation. To put the impact of this into perspective consider that the top-50 largest holding companies have assets totaling $15,681,169,806 in thousands of dollars. Seven percent of this total is $1,097,681,886 which equates to someone stealing all of the assets for Goldman Sachs Group and Capital One Financial Corp [2].
If this were to happen in the 'traditional' currency market the entire system would be in dire straits. Members of the Bitcoin foundation are trying to minimize the damage and dismiss this as 'bad actor' with poor security. Could it be that this is the first of major faults that will shutter this emerging virtual currency?
[1] - https://blockchain.info/charts...
[2] - https://www.ffiec.gov/nicpubwe...
-
Re:Bitcoin again? come on.
The MT.GOX theft of 850,000 Bitcoins is 7% of the approximately 12,000,000 [1] in circulation.
To put the impact of this into perspective consider that the top-50 largest holding companies have assets totaling $15,681,169,806 in thousands of dollars. Seven percent of this total is $1,097,681,886 which equates to someone stealing all of the assets for Goldman Sachs Group and Capital One Financial Corp.
If this were to happen in the 'traditional' currency market the entire system would be in dire straits. Members of the Bitcoin foundation are trying to minimize the damage and dismiss this as 'bad actor' with poor security. Could it be that this is the first of major faults that will shutter this emerging virtual currency?
[1] - https://blockchain.info/charts...
[2] - https://www.ffiec.gov/nicpubwe...
-
Re:does the FDIC insure them?
Fair enough, I should have scrolled down to 18 USC 1030(e)4, but the current law considers far more than FDIC insured operations.
Credit unions, SEC registered brokers, foreign banks ("obviously" not protected by FDIC), and a few other places are so considered.
I do think it's a good idea to continue to keep computers used in interstate commerce considered "protected computer systems" - someone attacking an e-store and snarfing credit card numbers isn't a good thing. It's probably not a bad idea to list credit card processors, too.
Other federal laws define "financial institution" even more broadly.
-
Re:Ironic
But the bailout required the relatively unregulated investment banks to become commercial banks, members of FDIC, and accept regulation. The Federal Reserve does act as lender of last resort for commercial banks (who do have to be members of FDIC), but had no authorization to lend money to investment banks. I think that's what he was talking about.
I'm actually working on a project related to this topic. For general info, one can look up every bank, bank holding company, saving and loan company, credit union etc., with any business in the US, at Federal Financial Institutions Examination Council's (FFIEC). You can see who owns who, who bought who, etc.
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).
-
Re:Right ruling
You can find information about the requirement on the FFIEC site at http://www.ffiec.gov/pdf/authentication_guidance.pdf.
I don't think it explicitly requires RSA keys, but it does speak of multi-factor authentication. RSA is often a reference to a specific company. The government guidelines would be rightly questionable if they endorsed a specific company as the potential solution. However, RSA the company does do a job of (possibly) providing multi-factor authentication.
Generally it works like this: The user is prompted for a username which is then used to check credential information and displays a particular image to the user (previously selected by the user) before the password is entered. That ensures that the user is prompted to enter information, and then is given a chance to recognize or back out of a transaction based on their recognition of their custom image before a password is entered. This provides positive verification in addition to the password requirement. The second factor is based on the device in use by the user where a cookie has been stored if the user has displayed the ability to add additional layers of known information, generally the answers to questions the user has selected and answered previously.
This layered authentication process, username, positive verification, device validation, conditional challenges, is generally considered consistent with the requirement for multiple factors of authentication. I'm not sure that it meets the goals of the guidelines published by the FFIEC, but it does provide layers of authentication which is generally all a financial institution can implement without running afoul of patents (a whole separate painful issue) which is generally acceptable in a competitive market. Institutions which require a second channel of authentication, such as a phone number communication, key fob, remote key or other device generally are seen as unnecessarily annoying by customers. Essentially the problem boils down to a compromise between convenience demanded by end users vs security demanded by legislative guidelines. As always, the real problem is the users who don't actually want the hassle of a more secure system.
This says nothing about the security compromises in financial institutions where a maximum number of password characters defies sanity coupled with a limitation of potential characters. That's just stupid. Also common.
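The layered flow the comment above describes (username, site image shown before the password, password check, device cookie, then challenge questions only on an unrecognized device), as an added example in Python. This is not code from the original post, from any bank, or from an FFIEC publication; the user store, the server signing key, the enrolled account "alice" and her image and questions are all constructed for the example.

```python
"""Layered login: username -> site image -> password -> device cookie -> challenge questions."""
import hashlib
import hmac
import secrets

# Hypothetical server-side secret used to sign device cookies (constructed for this example).
SERVER_KEY = b"example-server-key-rotate-me"

# In-memory user store, constructed for the example.
USERS = {}


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def _normalize(answer: str) -> str:
    # Users rarely retype challenge answers with identical case and spacing, so
    # normalize before hashing; the stored hash is built the same way.
    return " ".join(answer.lower().split())


def enroll(username: str, password: str, image_id: str, questions: dict) -> None:
    """Register a user with a chosen site image and a set of question -> answer pairs."""
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw": _hash(password, salt),
        "image": image_id,
        "questions": {q: _hash(_normalize(a), salt) for q, a in questions.items()},
    }


def site_image(username: str) -> str:
    """Step 1: return the user's pre-selected image to show before the password prompt.
    Unknown usernames get a stable decoy so the prompt does not reveal which accounts exist."""
    user = USERS.get(username)
    if user:
        return user["image"]
    decoy = hmac.new(SERVER_KEY, b"decoy:" + username.encode(), "sha256").hexdigest()
    return f"img-{decoy[:8]}"


def issue_device_cookie(username: str) -> str:
    """Mint a signed, user-bound cookie for a device that has passed the challenge questions."""
    nonce = secrets.token_hex(16)
    msg = f"{username}:{nonce}".encode()
    sig = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    return f"{username}:{nonce}:{sig}"


def device_known(username: str, cookie) -> bool:
    """Accept the cookie only if it was issued for this username and its HMAC verifies."""
    if not cookie:
        return False
    parts = cookie.split(":")
    if len(parts) != 3 or parts[0] != username:
        return False
    msg = f"{parts[0]}:{parts[1]}".encode()
    expected = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, parts[2])


def login(username: str, password: str, device_cookie=None, answers=None) -> dict:
    """Steps 2-4: password, then device cookie, then challenge questions if the device is new."""
    user = USERS.get(username)
    if user is None:
        _hash(password, b"\0" * 16)  # burn the same work so unknown users are not faster to reject
        return {"status": "denied"}
    if not hmac.compare_digest(_hash(password, user["salt"]), user["pw"]):
        return {"status": "denied"}
    if device_known(username, device_cookie):
        return {"status": "ok", "cookie": device_cookie}
    if answers is None:
        # Unknown device: ask the conditional challenge questions instead of completing login.
        return {"status": "challenge", "questions": sorted(user["questions"])}
    for q, expected in user["questions"].items():
        given = _hash(_normalize(answers.get(q, "")), user["salt"])
        if not hmac.compare_digest(given, expected):
            return {"status": "denied"}
    return {"status": "ok", "cookie": issue_device_cookie(username)}


# Constructed enrollment so the module is usable as-is.
enroll("alice", "correct horse battery staple", "img-sailboat",
       {"first pet": "Rex", "city of birth": "Denver"})
```

Two design choices worth noting. The site image is looked up by username before any password is entered, so an attacker can probe it; returning a stable decoy for unknown names keeps that probe from doubling as account enumeration. The device cookie carries the username inside the signed message, so a cookie issued to one account cannot be replayed against another, and a tampered cookie fails the HMAC check rather than being trusted.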
-
Re:OK, OK...
It's not as if the government was forcing banks to make bad loans, despite what certain professional liars may have told you.
Banks were required by the Community Reinvestment Act to relax their standards for lending to minorities. These were bad loans that federal law required banks to make. The law was originally put in place by Jimmy Carter, and has since been revised back and forth by both Bushes and President Clinton.
It's not the sole cause of our economy's poor state, but it's a critical factor that has brought us to where we are, now.
-
Re:Or any committee
The government put pressure on banks to hand out loans to people who could not afford them.
I would have thought the phrase "consistent with safe and sound banking operations" meant exactly the opposite.
-
FFIEC exam guide
Take a minute to peruse through the Federal Financial Institutions Examination Council IT Handbook at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm There's a section on remote access. NOTE: this is for financial institutions, and the information therein may or may not be relevant to your particular organization. But there is some helpful information within.
-
Re:Totally agree
But then Obama and ACORN didn't have to twist bankers arms too much to get em to loan money to people who had damned near zero chance of repaying the loan.
In fact, a law was passed in 1977 and strengthened in 1995 requiring banks to do just that. Banks had to enter the sub-prime market to boost their CRA ratings, which was a prerequisite to acquiring other institutions.
Getting back on topic, though, it does really demonstrate how institutions can go up in a puff and flash of smoke. And if your data is with them, it's gone in a puff as well. Yeah, I'm afraid I have to agree with RMS here. Anyone who would entrust any sort of vital data to these schemes is insane.
-
Re:Computer systems need security audits.
forgot to mention a really big one for financial institutions http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm
-
Re:Imagine what they could do with 700 Billion....
Well, it seems that the CRA (Community Reinvestment Act) was a major start to this problem. This was passed under Carter. In and of itself, the original program wasn't too bad...and had its heart in the right place.
However, it appears that updates to the program under the Clinton admin. (read the section here) really started the slide downhill with not only encouraging banks to give out bad loans to those who really could not afford homes....and in cases after this..banks that didn't want to give loans were sued and often branded as having racist policies because often they didn't want to invest in riskier areas which are in lower income and minority neighborhoods. So...prodded by this...they kept giving the loans.
A few years later....when there were bills trying to be passed for oversight of Freddie and Fannie amidst concerns over the building economical problems...these bills were shot down by the party in charge of congress at the time...
People knew this was coming....and the govt. regulations fueled the fire early on. But they refused to do what was right, and face facts that while it would be nice if everyone could own a home...not everyone can afford to do so, and is NOT a good credit risk.
Take a look into these issues...and some names DO start to stand out....I hope voters in their districts take note of this....
-
Re:Flamebait backfires
Wow...
I knew that people might not understand where we stand economically, but to look at the long chain of events that caused this mess and think that there should be more deregulation is really impressively blind.
This was not caused by regulation "forcing the banks to take on risky loans" (While I understand your qualms with the CRA. The regulation it imposes was necessary due to "geographic profiling" that certain banks were using to deny credit or impose loan-shark rates to certain demographic groups [read racial discrimination]. The CRA in fact contains language stating that all loans issued should be consistent with safe and sound banking operations, negating your argument.)
The current credit market failure was caused by unscrupulous loan officers / mortgage brokers who were only looking to receive their quick percentage on the loan, and had no concern with the subsequent risk. The loan officers would do what it took to get the loan through an underwriting process (including lying or omitting key facts - both to the underwriter, and to the loan applicant), and once "approved", immediately turn around and sell the loan to a large bank / mortgage lender.
The large bank / mortgage lender would then run a group of these (poorly documented) loans through a rating process to determine their relative worth, and package groups of like-rated loans into securities; once again immediately selling them to investment banks / firms / managers.
We are now three steps removed from the holder of the loan, with the person who actually cares about the risk (the investor) receiving information on risk from parties who are financially motivated to make the loan look as good as possible. Given that these packaged mortgage loans stood for real houses (physical assets), the investment banks / firms / managers used these "assets" to increase their "book value", thus increasing the amount of debt they were able to obtain in the form of credit or margin (at this point we are backing one kind of debt with another).
The problem started when the housing market collapsed, and the value of the house was indeterminate. The investment groups had used the full value of the house (or underlying mortgage) when inserting the security into their "asset" column and taking out debt. But the value of that house (and thus the security) was now an unknown, with the market setting a value anywhere from 70%-0% (the 0% is really unreasonable, but considering the bundled securities were now unable to sell at any price on the open market, their value short term was, in fact, $0).
Again the problem was that these backed additional loans. If your debt/asset ratio reaches certain set limits, your credit is revoked or you are held to a margin-call. The cascade started when the assets were marked down (even to the 70% number), throwing off the debt/asset ratio, initiating a margin call. The securities could not be valued, and thus could not be sold to pay off the margin calls, so any asset (including good assets) had to be sold at fire sale prices to make sure the debt was paid off. If the debt couldn't be paid off, Boom, no more investment bank / firm / etc.
How does this impact you if you are not an investment firm? The credit market tightened when the housing market slide began its downturn, as the value of mortgage backed assets could not be determined. As these unknown values continued to slide in the market, and as more and more of these types of securities were discovered on more and more businesses' investment books, credit continued to tighten as no one knew who was affected. When margin call ratios were not being met, and banks could not cover their debt, the credit market completely halted; not only does no one know if a company is holding these "toxic" assets, but they do not know if your company will exist next week to pay back the loan.
While there are several companies that operate with cash-on-hand,
-
Re:Add them to the buying spree.
You can't get the fed buying google, only losses get socialized
Sure you can, it just takes a while to set it up. Require google to feature sites that don't bring them ad revenue (Not that well meaning government would ever meddle in a market that was working reasonably well otherwise just for social engineering) and then when Google fails, blame it on their own greed and socialize them.
-
No longer relevant?
Since this study was conducted all bank websites have implemented FFIEC guidelines outlined at http://www.ffiec.gov/pdf/authentication_guidance.pdf (PDF warning...)
This is why you have to answer the multiple questions and choose an image, etc. It's called multi-factor authentication.
-
Re:Digital leakage is getting to be more like
What you suggest is NOT the purpose of The Department of Homeland Security.
There is already a government regulating body with intent to prevent such gross errors by financial institutions, the FFIEC, in addition to other state and federal audits.
-
Re:In which case
Completely OT for this thread, but the gubment pressured the banking industry for years to provide more options for lower income/higher risk individuals to buy homes. The sub-prime market developed in part from that pressure. It is easy to blame big bad banks for the subprime meltdown, but big brother's hands are dirty too. It may even be possible to argue that without government intervention, this mortgage mess may not even exist.
-
Re:So many things wrong with this summary....
To further elaborate on this point, the Statute of Frauds is used as a defense only. If the contract falls within the statute of frauds, then writing is required. If a contract falls out of the statute of frauds, then a writing is not required in order to have a binding contract.
For a contract to fall within the statute of frauds (in other words, for a contract to require writing) it has to meet one of the following:
1) Marriage contracts
2) Contract must be able to be performed within one year
3) Land (real estate)
4) Sale of goods
5) Executor (of estate)
6) Surety
I have not read a lot of case law regarding email communications as contracts, but I would not doubt that email communication is as valid written communication as the written letter. It would have to meet all the criteria of a contract (offer/acceptance/consideration) but assuming these elements are met, it would make sense that email could be used as evidence of writing or a basis of a contract.
Technically, a contract could be written on a napkin or toilet paper or anything else. It is the content of the contract and the meeting of the minds that is relevant, not the medium by which this information is conveyed.
The only issue left is the formality of the contract, whether the two parties agreed to a promise in writing. This includes a signature of the party to be charged. I would not even bring up old "Kings Bench" law from England to discuss the merits of electronic signatures as valid signatures. We already have a statute that says that electronic signatures are valid: Electronic Signature in Global and National Commerce Act (2000)
The important section 101(a) of E-Sign provides that a signature or contract may not be denied legal effect "solely because it is in electronic form." In turn, an electronic signature is defined as any "electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or accepted by a person with the intent to sign the record." [http://www.cfg-lawfirm.com/articles/oneclick.html ]
So because there is federal legislation covering interstate commerce in regards to electronic signatures, an American lawyer would not need to drag up any old English common law. Now if we are discussing the exchange of goods, there may be UCC provisions directly applicable to these type of transactions, but I don't know the specifics. After I finish UCC this summer, I may be better informed of this matter :)
Here is a link to the legislation: http://www.ffiec.gov/ffiecinfobase/resources/elect_bank/fdi-fil-72-2000_e_sign_glob_and_nat_comm_act.pdf
-
Re:Standards
I work in banking, too. Please note that you need only look as far as the savings and loan industry (12 years ago) to see what happens when the government is not sufficiently involved (and oh, yeah - ENRON and WorldCom). If you really think GLB is just about sending a privacy notice to your customers once a year, you should look here to see the other ways the government wants you to protect your customers' assets.
I personally have a lot of faith in the people around me, and in the people at the top of my institution. But even when good people are working hard for safety and privacy, profit motive and merely the need to survive is a strong force in the opposite direction. The support of laws like GLB is appreciated by those in the industry who want to be sure they do their jobs right.
-
New Handbook Explains All
The FFIEC recently posted a new information security examination handbook. Because the booklet "serves as a supplement to agency GLBA 501(b) expectations", it may answer your questions.
-
GLBA Compliance Requirements
If you are a sysadmin trying to understand what you need to do to comply with GLBA, some of the best resources are:
Interagency Guidelines Establishing Standards For Safeguarding Customer Information
Interagency Guidelines .. Federal Reserve System Examiner Guidance
In our GLBA audits, some of the things examiners were looking for the most were:
- A written security program that coordinates all aspects of the physical and electronic data security
- A risk assessment that details systems and the data they contain, vulnerabilities and threats, controls in place to mitigate threats, and the overall effectiveness of controls
- Vendor management policies and practices
- Involvement, approval, and annual reporting to the board of directors of the security program
One last excellent resource is the FFIEC Information Technology Examination Handbook.
Kevin
-