May 2020 AccumeView: Executive Cybersecurity Pulse Newsletter
Covid-related social engineering attacks continue to make headlines, as most businesses shift work to a stay-at-home model for continued operations. There are numerous articles about attack types and vectors, so make sure your users are aware and informed.
A new zero-day vulnerability has been announced that impacts all supported versions of the Windows operating system. Both vulnerabilities reside in the Windows Adobe Type Manager Library, font-parsing software that not only parses content when opened with third-party software but is also used by Windows Explorer to display the content of a file in the ‘Preview Pane’ or ‘Details Pane’ without users having to open it. No patch is yet available, but there are some workarounds that have been published.
Covid-19 still dominates the news and continues to add to the security woes of companies. Of interest is a new study that states that 3 in 4 CFOs plan to shift at least 5% of newly remote workers permanently post-pandemic. I think this is the first of several major shifts in how business will operate moving forward.
A new report finds that there is a 47 percent jump in insider threats in the past two years. To make things worse, the average cost has increased 31% as well. With the rush to expand operations to a work from home posture, many companies may have left security gaps open, allowing for a surge in insider threat incidents. Ensure that your organization is not left exposed.
And finally, the Emotet botnet is back – “New and Improved.” It was the most dangerous malware botnet of 2019, and its new feature lets it spread inside the network once it’s infected a system. It’s dangerous because it delivers malware of a variety of types. Be patched. Be vigilant.
May 2020 Compliance Newsletter
Regulation D Limitations Suspended…What Does it Mean?
On Friday, April 24th, the Board of Governors of the Federal Reserve System published the amended Regulation D (Reserve Requirements of Depository Institutions) to eliminate transaction limitations on certain kinds of transfers and withdrawals that may be made each month from “savings deposits.” The amendments are intended to allow depository institution customers more convenient access to their funds and to simplify account administration for depository institutions.
There are no mandatory changes to deposit reporting associated with the amendments. The effective date was April 23, 2020. Regulation D distinguishes between reservable “transaction accounts” and non-reservable “savings deposits” based on the ease with which the depositor may make transfers (payments to third parties) or withdrawals (payments directly to the depositor) from the account. Prior to this interim final rule, Regulation D limited the number of certain convenient kinds of transfers or withdrawals that an account holder may make from a “savings deposit” to not more than six per month (six transfer limit).
March 2020 Compliance Newsletter
Military Lending Act Limitations on Terms of Consumer Credit Extended to Service Members and Dependents
In July 2015, the DOD issued a final rule amending its regulation implementing the Military Lending Act (MLA) primarily for the purpose of extending the protections of the MLA to a broader range of closed-end and open-end credit products, rather than the limited credit products that had been defined as “consumer credit.” Among other amendments, the July 2015 Final Rule modified provisions relating to the optional mechanism a creditor may use when assessing whether a consumer is a “covered borrower,” modified the disclosures that a creditor must provide to a covered borrower and implemented the enforcement provisions of the MLA.
The DOD has received requests to clarify its interpretation of points from the July 2015 Final Rule, with Interpretive Rules issued in August 2016 and December 2017. The February 2020 Interpretive Rule amends and seeks to answer the following questions:
February 2020 Compliance Newsletter
CFPB’s Statement of Policy Regarding Prohibition on Abusive Acts or Practices
On January 27, 2020, the CFPB issued a Policy Statement to provide more clarity about how it intends to approach its use of the “abusiveness” standard in its supervision and enforcement matters going forward.
The Policy Statement is intended to provide information regarding the CFPB’s general plans to exercise its discretion and does not impose any legal requirements on external parties, nor does it create or confer any substantive rights on external parties that could be enforceable in any administrative or civil proceeding. In addition, the Policy Statement does not impose any new or revise any existing record-keeping, reporting, or disclosure requirements on covered entities.
February 2020 AccumeView: Executive Cybersecurity Pulse Newsletter
27% of IT managers believe that attacks against their network can be attributed to nation states. This figure is up significantly from a year ago, and it should wake up anyone involved in Risk and Security. Ensure that you have properly adjusted the risk to your organization for the possibility of a sophisticated attack from a Nation State and calculated for the type of damage that they could inflict.
A new study shows that attackers, once inside your network, are able to stay in longer (aka “dwell time”) in order to get to know your business, processes and technology. The longer they stay in your network, the more damage they can do to you, your clients and your data. Most security systems are designed to monitor the perimeter, not the inside systems, so ensure that you have security controls and alerting for critical internal systems to detect unusual behavior and lateral movement.
January 2020 Compliance Newsletter
Nacha Third Party Sender Registration
This rule requires Originating Depository Financial Institutions (ODFIs) to identify and register their Third-Party Sender customers. The registration process promotes consistent customer due diligence among all ODFIs, and serves as a tool to support Nacha’s continuing efforts to maintain ACH Network quality. This requirement became effective on March 1, 2018.
As a result of recent audits, Accume Partners has become aware of an ongoing issue concerning Nacha requirements. Financial institutions have been receiving a notice regarding failure to register their Third Party Sender status as well as re-registering their direct access status required since March 1, 2018.
Nacha considers this a Class 2 Rules violation and subject to fines up to $100,000 at the discretion of the Nacha panel referenced notice received. Per contacts at Nacha, Accume has been informed that Nacha is aggressively pursuing financial institutions that haven’t registered as required. Registration (confirming or denying) is required for ALL originators.
January 2020 AccumeView: Executive Cybersecurity Pulse Newsletter
With tension rising between Iran and the United States, cyber warfare is on the rise. Many government agencies are releasing statements advising companies and governments to stay protected and aware of potential threats. This past week we have seen pro-Iran targets deface government websites and launch multiple attacks. Some of these are affecting entire cities and states. Both the state of Texas and the city of Las Vegas were targets for cyber attacks that are believed to have been initiated either by Iran or by pro-Iran attackers. Thankfully, some of these attacks have been prevented, but it is expected that these attacks will continue to rise in number. Texas Governor Greg Abbott warned Texans to be vigilant regarding cyberterrorism from Iran. The Texas Department of Information Resources released a statement advising that as many as 10,000 attempted attacks per minute from Iran had been detected over the past 48 hours on state agency networks. This number is especially startling when considering the normal occurrence of these attacks, about 420.
December 2019 Compliance Newsletter
Providing Financial Services to Customers Engaged in Hemp-Related Businesses
On December 3, 2019, the Board of Governors of the FRB, the FDIC, the FinCEN, and the OCC, in consultation with the Conference of State Bank Supervisors, issued a statement to provide clarity regarding the legal status of commercial growth and production of hemp and relevant requirements for banks under the Bank Secrecy Act (BSA) and its implementing regulations.
November 2019 Compliance Newsletter
Initial Preparations for 2020!
The new year will continue to present challenges for financial institutions with balancing expectations and resources. Our accounting, audit, compliance and IT professionals work with a wide range of financial institutions and interact regularly with the regulatory agencies. These relationships give us a broad perspective regarding industry best practices and regulatory expectations and put us in a unique position to assist our clients in navigating current challenges and preparing for those the future may present. Here are some of the topics we want to put on your radar as you start to plan for 2020.
October 2019 Compliance Newsletter
The joint Agencies have issued an amendment to the Appraisal Rule that increases the threshold for residential real estate transactions requiring an appraisal from $250,000 to $400,000. For transactions exempted by the $400,000 threshold, the Appraisal Rule requires an evaluation. The Rule also incorporates the appraisal exemption for rural residential properties provided by the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) and requires evaluations for these exempt transactions. In addition, the Appraisal Rule requires appraisals for federally related transactions to be subject to appropriate review for compliance with the Uniform Standards of Professional Appraisal Practice (USPAP).