Skip to main content

Credit Unions: Prepare for Increased Cybersecurity Exam Scrutiny in 2025

By Mike Detrow, CISSP; Director of IT & IT Audit, Young & Associates

Is Your Credit Union Ready for Stricter NCUA Cybersecurity Examinations?

There have been some signals over the past few years that the NCUA is focusing more attention on cybersecurity and may be increasing scrutiny in this area during upcoming exams. In this article, I will identify these signals and also provide steps that credit unions can take to prepare for this potential in their next exam.

Looking back at the NCUA’s Letters to Credit Unions from January 2022 through present, we see the following regarding cybersecurity:

  • January 2022: The NCUA continues to develop updated information security examination procedures
  • January 2023: The NCUA will continue to have cybersecurity as an examination priority
  • January 2024: The NCUA will continue to prioritize cybersecurity as a key examination focus
  • October 2024: The NCUA provided the following reporting statistics regarding the cyber incident response notification rule: “From September 1, 2023, the effective date of the NCUA’s cyber incident notification rule, through August 31, 2024, federally insured credit unions reported 1,072 cyber incidents. Seven out of ten of these cyber incident reports were related to the use or involvement of a third-party vendor.”
    • This letter also identifies the following four key focus areas for boards of directors:
      • Ongoing cybersecurity education for the board of directors and credit union employees
      • Approval of a comprehensive information security program that includes risk assessments, security controls, and incident response plans and is reviewed and updated at least annually
      • Oversight of operational management
      • Ensuring that an effective incident response plan is in place and includes specific requirements
  • January 2025: Cybersecurity remains a top supervisory priority and the NCUA urges each credit union’s board of directors to prioritize cybersecurity as a top oversight and governance responsibility

What Do These Trends Mean for Credit Unions?

While the NCUA has identified cybersecurity as an examination focus area or priority in their supervisory priority statements for 2023, 2024, and yet again for 2025, the key information that identifies the potential for a more significant regulatory change is identified in the October 2024 letter. This letter states that 1,072 cyber incidents were reported over a one-year period and that seven out of ten of these incidents were related to the use or involvement of a third-party vendor.

While the information provided does not include any details about the severity of these incidents or how many may be attributed to a single vendor or single credit union, it would be hard for this number of reported cyber incidents not to get the attention of examiners and credit union management when it averages out to nearly three incidents per day. At a minimum, these statistics identify the need for better oversight of vendors by credit unions and potentially regulators. It also indicates that approximately 320 of the reported cyber incidents were not specifically attributable to the use or involvement of a vendor, which points to potential deficiencies in cybersecurity controls at the affected credit unions.

How Credit Unions Can Prepare for 2025 Cybersecurity Exams

The identification of key focus areas for boards of directors in the October 2024 letter is also noteworthy. This spells out specific recommendations for a credit union’s training program, information security program, oversight of operational management, and the incident response plan.

The recommendations for the oversight of operational management are very specific and include the following:

  • Set clear expectations regarding the due diligence of third-party vendors with respect to information security
  • Ensure that cybersecurity is a core value within the credit union and influences decision-making
  • Provide access to cybersecurity expertise and an adequate budget for the appropriate cybersecurity technologies and tools
  • Place an emphasis on vulnerability management, patch management, application and website whitelisting and blacklisting, and threat intelligence
  • Engage external parties with appropriate expertise to conduct audits of the cybersecurity program
  • Establish a framework for ongoing reporting of the status of the cybersecurity program including risk assessments, risk management and control decisions, service provider arrangements, results of testing, and any recommended changes to the program
  • Protection of data backups including secure storage and other controls to protect from ransomware as well as periodic testing to verify the recoverability of data
  • Ongoing training for members to promote sound cybersecurity practices

This is a potential indication that there will be more regulatory focus on evaluating the effectiveness of the board’s cybersecurity oversight and additional efforts to hold the board accountable if it does not take steps to promote cybersecurity as a core value within the credit union to mitigate potential cybersecurity threats.

How Should Credit Union Leaders Prepare?

The board of directors and senior management should ensure that each of the recommendations identified in the October 2024 Board of Director Engagement in Cybersecurity Oversight (24-CU-02) letter is put into practice at the credit union. While some credit unions may have internal resources to help with this process, many credit unions will benefit from having an independent consultant review their information security program, policies and procedures, incident response plan, vendor management practices, and technical security controls to identify areas for improvement to comply with the NCUA’s recommendations. The consultant can then provide templates and other resources for management to use to implement the recommended improvements, or the consultant can be engaged to assist the credit union with the implementation of the recommended improvements.

How can Young & Associates Help?

Young & Associates offers the following services to both evaluate and improve your cybersecurity program and security controls by identifying weaknesses and assisting with corrective actions to help you better protect your credit union from current cybersecurity threats.

  • IT Audits
  • Internal and External Vulnerability Assessments
  • Internal and External Network Penetration Testing
  • Social Engineering Tests
  • Policy templates, including an Incident Response Plan designed specifically for credit unions
  • Cybersecurity Program Development

For more information about our cybersecurity consulting services, contact us today.

The Rising Need for Virtual Chief Information Security Officers

By Mike Detrow, CISSP, Director of IT & IT Audit, and Noah Lennon, CISA, Consultant, Young & Associates

Emerging trends in technologies, such as cloud computing and artificial intelligence, have significantly increased the complexity of the IT environments at community financial institutions. This has led to heightened regulatory requirements and demands for increased compliance efforts from an already stressed internal staff. Even the most skilled internal staff may find it challenging to manage the increased workload of managing the information security program, IT audits, and regulatory risk, which can lead to repercussions from regulators or security incidents.

For many, the need for dedicated information security management is abundantly clear, but affording and finding dedicated professionals in their communities is not an easy task. While you may already be using the services of a managed services provider (MSP) that may provide some support in this area, most MSPs are focused on IT infrastructure rather than information security programs. Virtual Chief Information Security Officers (vCISOs) are growing in popularity as a solution to this problem as they offer numerous benefits over a dedicated ISO, which are not only limited to cost savings.

Key Benefits of vCISO Services for Financial Institutions

Some of the benefits that a vCISO can provide include:

Document Templates

vCISOs maintain templates for documents such as policies, incident response plans, business continuity and disaster recovery plans, or can simply provide recommendations for enhancements of existing documents. Additionally, vCISOs have exposure to a breadth of policies across the many clients using their services, which allows constant improvements to the financial institution’s own policies and documentation.

Audit/Exam Preparation

vCISOs can help financial institutions prepare for an audit or exam by making sure that documentation is kept up to date and can help with the documentation gathering process to make sure it is well organized when it is provided to the regulator or auditor. vCISOs are also aware of recent audit/exam findings received by other clients and can help prevent your financial institution from receiving these same findings by addressing the identified issues prior to your next audit/exam.

Routine Tasks

vCISOs are aware of the activities that need to be completed each year and can skillfully lead them. These activities include vendor reviews, user access reviews, employee and board training, policy revisions and approvals, strategic planning, end of life monitoring, IT steering committee meetings, and more.

Security Monitoring

vCISOs can help to verify that appropriate security controls are implemented for the financial institution’s information systems, ensure that appropriate logging is configured, and help to monitor logs and alerts to detect and investigate security events.

Vendor Contacts

vCISOs work with a variety of vendors in the financial industry and can attest to their quality of work, which can assist the financial institution in choosing quality service providers. Leveraging existing rapport between the vCISO and service providers enables smoother transitions between vendors and clarity in the expectations for the relationship.

Plan Testing Exercises

vCISOs routinely help their clients perform business continuity and incident response tests, so they have testing scripts already developed to help make the testing process more efficient and productive. vCISOs can also help to ensure that these tests are appropriately documented for regulatory compliance and board reporting.

Incident Response

vCISOs may have experience in responding to incidents that their other clients have experienced. This knowledge can be used to implement controls that will help to prevent an incident at your financial institution or respond more efficiently should you experience an incident.

Selecting the Right Virtual CISO

So now that you are considering the idea of hiring a vCISO, how do you know what to look for?  To help with this process, we have identified some of the criteria that you should consider when selecting a vCISO.

Industry Expertise and Regulatory Understanding

One of the first characteristics to look for is a partner that focuses exclusively on financial institutions, or at a minimum has a division with this focus and understands the specific regulatory requirements from the FFIEC and your specific regulatory agency. While some firms may claim to cover all industries, there are differences in the regulatory requirements for various industries and you need a partner that truly understands the requirements that you must meet. In addition, while there may be many similarities that are shared by financial institutions, there are also differences in available local providers, customer demands, regulators, technology, and complexity, so you need to make sure that your partner has the flexibility to customize their processes and deliverables to your specific needs.

Proactive Approach and Value Addition

A vCISO should also provide value by regularly introducing new ideas to enhance the information security program, strengthen the security culture, and improve efficiency in routine processes.  You should not need to continuously ask your partner for recommendations for improvements.

Integrated Documentation Systems

Another consideration is the process used by the vCISO to maintain documentation. While some smaller and less complex institutions may do okay with multiple standalone documents and spreadsheets, having an integrated system that is used to share data for various purposes such as the information security risk assessment, vendor risk assessment, and business continuity plan may save time and ultimately money as well as limit the potential for errors as data is updated.

Maintaining Service Quality

One potential concern with using a vCISO is that unlike an CISO employed by the financial institution, vCISOs have multiple clients and may be less loyal to your financial institution than a full-time employee. To avoid potential issues associated with this type of relationship, just like any other vendor, you must perform appropriate due diligence and continuously monitor your vCISO to ensure that they are providing an acceptable level of service for your institution.

The Strategic Value of Virtual CISO Services

In closing, not only can vCISOs help financial institutions meet regulatory and technological goals without the costs associated with a full-time employee, they also bring a broad range of prior experience from working with multiple financial institutions. If you are struggling to stay on top of increasing technologies and related regulations, a vCISO can be an invaluable resource in ensuring your financial institution is successful.

Your Trusted IT Consulting Partner 

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services are tailored to help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs. 

Internal Audit: Your Third Line of Defense in Third-Party Risk Management

By Jeanette McKeever, CCBIA, Director of Internal Audit, Young & Associates

In today’s financial landscape, banks and credit unions increasingly rely on third-party vendors to meet regulatory demands, leverage technological advancements, and maintain competitive edges. However, these relationships introduce various types of risks in internal audit, from compliance and operational risks to reputational and strategic risks. Amidst economic uncertainty, increased digitalization, and growing supervisory attention, many financial institutions are reviewing their third-party risk management (TPRM) frameworks to ensure they are robust and comprehensive.

Here, the role of internal audit becomes indispensable. Internal audit’s role in TPRM goes beyond mere compliance. By leveraging their unique skills and perspectives, internal auditors can help institutions identify, monitor, and control risks while achieving strategic goals.

Understanding Third-Party Risk in Banking

Third-party relationships and their associated risks require careful management. Ineffective oversight of the complex operational, financial, technological, and legal agreements governing these extended business relationships can lead to brand or reputation damage, data security breaches, and significant financial losses. Additionally, such oversight failures can result in errors in financial reporting, compounding the challenges and potential impacts on the institution.

Financial institutions are entrusting an increasing percentage of their operations to third parties, prompting regulators to scrutinize these relationships more closely. The updated interagency guidance from the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC) outlines the regulatory expectations for managing third-party risks throughout the relationship lifecycle: planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination.

Monitoring vendor performance is also a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) specifies the criteria for assessing vendor performance in their 2007 supervisory letter SL No. 07-01, “Evaluating Third-Party Relationships.” This guidance emphasizes key areas for third-party relationship management, including risk assessment and planning, due diligence, risk management, monitoring, and control.

The Role of Internal Audit in Third-Party Risk Management

Though Chief Risk Officers are typically responsible for managing third-party risks, internal audit plays a crucial role as the third line of defense. Internal auditors bring essential skills, capabilities, and perspectives to thoroughly examine TPRM programs, identifying gaps or areas for improvement that might have been missed by the second line of defense. The board relies on internal auditors as an extra layer of security to ensure that third-party risks are properly identified and assessed, appropriate internal controls are in place, and timely risk intelligence is generated to inform decision-making.

Leveraging Internal Audit to Improve Third-Party Risk Controls

Internal audit can contribute significantly to managing third-party risks through various areas:

  • Pinpointing Critical Contracts: Internal auditors can assist in identifying high-risk third parties and ensure they receive more frequent scrutiny. This can help with prioritizing risk management efforts.
  • Assessing Risk Management Programs: They can evaluate the effectiveness of third-party due diligence processes and controls, conducting research to gauge the risk level and reputation of third parties.
  • Reviewing Compliance with Governance Standards: Internal auditors can verify if the financial institution’s processes for selecting and managing third parties adhere to governance requirements and include necessary risk and compliance clauses in contracts.
  • Evaluating and Improving Risk Controls: They can assess the effectiveness of risk management controls, ensure regulatory compliance, and check for “right to audit” clauses in third-party agreements.
  • Facilitating Informed Decision-Making: Auditors offer valuable insights into third-party risks. They also evaluate decision-making and contract management processes. This ensures that these processes align with the bank or credit union’s strategic objectives. Additionally, auditors verify that the processes provide sufficient risk protection.
  • Assessing Performance and Identifying Opportunities: They review global third-party performance, detect inconsistencies, and recommend best practices for effective risk and performance management.

Integrating Internal Audit into Third-Party Risk Management Strategies

1. Independent Vendor Risk Assessment and Identification

Conducting a risk assessment is essential for the initial decision-making process regarding whether to establish a third-party relationship. Internal auditors bring an independent perspective to the assessment and identification of third-party risks. They can perform thorough risk assessments to identify all third-party relationships and associated risks. This independent evaluation helps ensure no significant risk is overlooked, and it provides a holistic view of the financial institution’s third-party risk landscape.

2. Vendor Due Diligence and Selection Oversight

The due diligence process equips management with the necessary information to evaluate both the qualitative and quantitative aspects of potential third parties, determining whether a relationship will support the financial institution’s strategic and financial goals while mitigating identified risks.

If your financial institution has its own internal audit team, involving them in the due diligence process for vetting potential third-party relationships can be highly beneficial. Though not prevalent practice in community banks and credit unions yet, leveraging your institution’s third line of defense can enhance third-party risk management processes and provide an extra layer of protection.

Internal audit teams can provide oversight during the due diligence and selection phases of third-party relationships. They can assess the processes used for selecting third parties to confirm that the institution has effective policies and procedures in place. By ensuring thorough due diligence, internal auditors help identify potential risks early on. Their oversight includes evaluating the third party’s operational quality, compliance capabilities, risk profile, and long-term viability.

3. Contract Management and Compliance

Financial institution management should ensure that the specific expectations and obligations of both the financial institution and the third party are clearly defined in a written contract before finalizing the arrangement. Board or committee approval is required for many material third-party relationships, and significant contracts should be reviewed by appropriate legal counsel before finalization. The level of detail in contract provisions will depend on the scope and risks associated with the third-party relationship. Effective contract management is crucial for mitigating third-party risks. This involves not just due diligence but also thorough processes in agreement formation, publication, activation, compliance with service delivery, analysis, optimization, and offboarding.

The internal audit function can engage in contract management in two key areas:

  1. Auditing the overall contract management process.
  2. Reviewing active contracts with critical vendors.

Auditing the Contract Management Process

An effective contract management process is crucial for maintaining strong performance across your institution. Even minor inefficiencies can lead to significant issues, particularly when your financial institution aims to grow and scale. A robust contract management system contributes to a thriving institution.

Regular audits of your contract management lifecycle can reveal hidden costs and growth opportunities. These audits should assess process deficiencies, compliance issues, and historical management practices. Start by identifying key stages in your process and setting benchmarks for measurement. Key stages often include planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination, as outlined in regulatory guidance.

Evaluate your management practices within each stage. Is the contract management process clearly defined? Are roles and responsibilities assigned? Who ensures compliance with service-level agreements (SLAs)? Addressing these questions through a contract management audit can help identify risks and gaps, ensuring a more effective and efficient process.

Reviewing Active Contracts with Critical Vendors

Begin by inventorying and segmenting critical vendors based on risk levels to identify those most critical to audit. Incorporate audits of high-risk and important service provider contracts into your annual audit plan. Gain an understanding of the key risks associated with each service provider and thoroughly review their contracts.

Internal auditors can review critical third-party contracts to ensure they include comprehensive risk and compliance clauses. This includes verifying that contracts have “right to audit” provisions, which allow the institution to monitor third-party compliance continuously. Once you’ve established your audit rights, you can start the contract audit by assessing key legal and business risks. Look for deficiencies and compliance issues in the contract, and consider conducting on-site reviews if your audit rights permit. An efficiency audit may also be warranted to ensure services are delivered as per the contract and service level agreements.

After completing the audit, validate the results, identify root causes, and propose solutions. Finally, communicate the results to the contract owner and key stakeholders, ensuring they are informed of the findings and recommended actions.

4. Ongoing Monitoring and Reporting

Once a third-party relationship is established, continuous monitoring is essential to manage evolving risks. Internal audit can play a vital role in developing and implementing monitoring frameworks that track third-party performance, compliance, and risk exposure. Regular audits and reviews can provide senior management with timely risk intelligence, enabling informed decision-making and ensuring that effective internal controls are in place.

5. Internal Audit Collaboration with Risk Management Functions

Internal audit of third-party risk management becomes more effective when auditors and risk managers collaborate and share information, leveraging each other’s abilities and tools. By working closely with risk, compliance, and other departments, internal auditors can ensure that third-party governance policies and procedures are consistently applied across the bank or credit union.

By integrating third-party risk assessments with audit plans, both auditors and risk management teams can eliminate redundancies in the risk evaluation processes. This approach also helps standardize the risk language used and offers management teams and boards a comprehensive view of the financial institution’s third-party risk profile. This collaboration integrates TPRM into the overall risk management strategy, enhancing the institution’s ability to manage third-party risks.

Building a Robust Third-Party Risk Management Framework

To effectively manage third-party risks, financial institutions should establish a comprehensive TPRM framework. TPRM necessitates a framework that holds the board of directors and senior management accountable, requiring them to adjust the principles based on the size, scope, and criticality of the products or services provided by third parties. This framework should be consistently applied across the institution and integrated into its operational, risk, and compliance management activities. As discussed, key components of a robust TPRM framework include:

  • Defining and Inventorying Third-Party Vendors: Internal audit can assist in identifying and inventorying all third-party relationships, categorizing them by risk level and criticality.
  • Risk Appetite Assessment: Assessing the bank or credit union’s risk appetite concerning third-party relationships, particularly those in high-risk locations or industries.
  • Enhanced Vendor Due Diligence: Conducting enhanced due diligence for critical third-party relationships, ensuring alignment with the institution’s risk profile and regulatory requirements.
  • Ongoing Monitoring and Performance Standards: Establishing and maintaining rigorous monitoring and performance standards for third-party relationships, ensuring continuous compliance and risk management.
  • Training and Awareness: Providing training for stakeholders on TPRM processes and the importance of effective third-party risk management.

Risk-Based Internal Audit for Financial Institutions

With regulatory bodies calling for enhanced third-party oversight, the imperative for thorough risk and assurance functions has never been greater. These functions must delve deeply into the third-party network to ensure that critical risks and compliance requirements are diligently managed and monitored. Internal auditors are pivotal in this endeavor and should seek to broaden their role in fortifying third-party risk management.

At Young & Associates, we understand the critical importance of robust TPRM processes and offer expert consulting services to help banks and credit unions strengthen their internal audit functions, risk management, and more. By leveraging our expertise, financial institutions can enhance their third-party risk management frameworks, ensuring compliance, mitigating risks, and achieving strategic objectives. Ultimately, effective TPRM is not just about regulatory compliance; it’s about creating a resilient and thriving financial institution.

For more information on how Young & Associates can support your internal audit needs, click here.

Qualities of a Good Managed Services Provider (MSP)

By: Mike Detrow, CISSP, Director of IT & IT Audit at Young & Associates

Due to the challenges of finding qualified employees to fill internal IT positions and the increased complexity of technology solutions, many community financial institutions have either outsourced the management of their information systems to a managed services provider (MSP), or they are considering this move.  

But how do you know that you currently have, or you are choosing the right partner? In this article, we will discuss the qualities you should look for in an MSP to help you evaluate your current MSP and select the right partner if you want to outsource the management of your information systems. 

Understanding Financial Institution Needs 

First, it is important to understand that financial institutions are unique from other industries, and a local MSP that primarily works with manufacturing companies may not understand the security requirements of a financial institution. Financial institutions are highly regulated and undergo routine IT audits/assessments due to the significant amount of sensitive and personally identifiable information that they maintain, alongside the substantial financial assets under their protection. 

Many MSPs may not be familiar with the regulatory and security requirements associated with banking and therefore may not be prepared to work with examiners/auditors or respond effectively to exam/audit recommendations. 

The Drawbacks of National MSPs 

A national MSP may not be appropriate for a small community financial institution either as you may end up being a little fish in a big pond and may not get the attention that you need. Financial institutions that we work with have already experienced this with some of the large core processing vendors where it is difficult to get good support as a small institution. Additionally, obtaining managed IT services from your core processing vendor may make converting to a different core processor more challenging. 

The Value of Local and Regional MSPs 

So, how do you find a good partner? Based on our experience working with numerous MSPs through the IT Audit process, we typically see that community financial institutions get the most value from working with local or regional MSPs that have existing experience working with numerous financial institutions.  

These MSPs already understand the regulatory and security requirements that financial institutions face, and they have experience with the appropriate tools and configuration practices to secure the institution’s information systems.  

5 Key Qualities of Good MSPs 

Some of the good qualities that we see from these MSPs include: 

  • Proactively identifying and presenting new tools to enhance the institution’s information security posture 
  • Working as a partner by learning about the institution and customizing solutions to its unique needs 
  • Maintaining detailed and accurate documentation for the institution’s system configurations and ongoing monitoring 
  • Being responsive to initial and follow up exam/audit documentation requests 
  • Being responsive to exam/audit recommendations by implementing remediation measures in a timely manner 

MSP Red Flags to Watch Out For  

Some of the red flags that we see from other MSPs include: 

  • Providing security status reports that contain errors or are hard to understand 
  • Lack of detailed and accurate documentation for the institution’s system configurations and ongoing monitoring 
  • Failing to notify the institution prior to making changes that may compromise security or impact system availability 
  • Slow response to documentation requests for exams/audits or charging additional fees to provide this information 
  • Refusing to implement exam/audit recommendations due to lack of technical knowledge or in cases where the recommendations do not fit into the MSP’s “standard configuration” 

Ensuring the Right Partnership 

In closing, it is important to remember that as a financial institution, you are ultimately responsible for any problems that occur from selecting the wrong MSP, whether this decision leads to an insecure environment or just makes your job more difficult as the liaison between the institution and the MSP.  

Just like any other vendor, you must continuously monitor your MSP to ensure that they are providing acceptable service levels for your institution and consider replacing the MSP if they are not meeting your expectations. While it may seem like a big task to replace your MSP, having the right partner will not only help to ensure that appropriate security controls are implemented, but it should also make your job easier as the liaison. 

Your Trusted IT Consulting Partner 

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services are tailored to help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs. 

NCUA Cybersecurity Priority: What Credit Unions Need to Know

In the ever-changing landscape of financial services, cybersecurity emerges as a paramount concern for credit unions and their members. As regulatory scrutiny on information security intensifies each year, it’s essential for credit unions to stay vigilant and adaptable. This involves drawing insights from incident response exercises, threat intelligence, and industry benchmarks to bolster resilience and agility while ensuring compliance amidst evolving threats

Understanding the NCUA Supervisory Priority of Information Security

In 2024, the National Credit Union Administration (NCUA) emphasizes the critical importance of cybersecurity as part of its regulatory oversight. This highlights the urgent need for credit unions to strengthen their cyber defenses and resilience. In the face of an increasingly complex threat landscape, credit unions must prioritize cyber security measures to protect member data and maintain seamless operations. From rigorous information security examinations to strict compliance with NCUA’s information security requirements, credit unions must uphold stringent standards to ensure operational continuity and safeguard sensitive information. In today’s digitally interconnected and rapidly advancing technological landscape, it’s vital to adopt a proactive approach to detecting and responding to cyber risks with utmost precision.

Six Key Considerations for Credit Union Cyber Security Compliance

1. Holistic Risk Assessment and Management

Credit unions must adopt a proactive stance towards risk management by conducting thorough assessments of cyber threats, vulnerabilities, and potential impact scenarios. At the core of effective cybersecurity governance lies the comprehensive risk assessment process. By identifying and prioritizing potential threats, vulnerabilities, and impact scenarios, credit unions lay the groundwork for developing targeted risk mitigation strategies.

2. Vendor Risk Management 

Ensuring effective cybersecurity compliance for credit unions demands vigilant vendor risk management. The NCUA underscores the criticality of reviewing third-party contracts to discern incident reporting obligations. This comprehension of responsibilities and liabilities outlined in vendor contracts fosters seamless collaboration, prompt response to cyber incidents, and adherence to reporting requirements.

3. Incident Monitoring and Documentation Protocols

Credit unions must implement robust incident monitoring and documentation protocols to strengthen cyber resilience. Swift detection and containment of cyber threats are facilitated by effective incident monitoring, while comprehensive documentation enables timely reporting and compliance with regulatory mandates. By maintaining detailed records of cyber incidents, credit unions enhance transparency and accountability in their cybersecurity practices.

4. Robust Incident Response Plans

Establishing robust incident response plans is pivotal for credit union cybersecurity compliance. It is imperative to update these plans to align with reporting requirements. By ensuring that response protocols are synchronized with regulatory mandates, credit unions can streamline incident resolution and minimize potential damages effectively. Simplify compliance with NCUA cybersecurity standards and cyber incident reporting requirements using Y&A’s customizable Incident Response Plan for Credit Unions. With a detailed incident response policy, guidance for specific incidents, a sample membership notification letter, and an incident response form, ensure your credit union is well-prepared for any security event. Read more about the plan here.

5. Adherence to NCUA Regulatory Standards

Compliance with regulatory standards, including the NCUA’s Cyber Incident Notification Reporting Rule, is non-negotiable. Credit unions must ensure timely and accurate reporting of cyber incidents, enhancing transparency, accountability, and regulatory compliance.

6. Continuous Monitoring and Improvement

Cybersecurity is not a static endeavor; it demands continuous monitoring, evaluation, and improvement. Credit unions should embrace a culture of vigilance and adaptation, empowering stakeholders to remain abreast of emerging threats and evolving best practices. This commitment to continuous improvement ensures that credit unions remain resilient in the face of evolving cybersecurity challenges.

Empowering Credit Unions: Tailored Cybersecurity Solutions From Young & Associates

As the NCUA places increased emphasis on information security, credit unions must prioritize compliance, resilience, and proactive risk management strategies. At Young & Associates, we understand the nuanced challenges and opportunities inherent in cybersecurity governance. Our dedicated team of professionals stands ready to support credit unions in navigating the complexities of cybersecurity risk management, compliance, and strategic planning.

We offer tailored solutions to address your specific needs and concerns. Our customizable Incident Response Plan provides a structured framework for swift and effective response to cyber incidents, ensuring the protection of member data and the integrity of your institution.

Additionally, our full suite of IT consulting services offers comprehensive support to credit unions. Our IT audits provide an independent assessment of your environment, helping you implement controls to manage your risk effectively. Furthermore, our vulnerability assessments and penetration tests identify any weaknesses in your network, enabling proactive threat mitigation.

You’re not alone on your cybersecurity journey. With Young & Associates by your side, you can navigate the complexities of cybersecurity with confidence and peace of mind. Together, we can strengthen your cyber defenses, uphold regulatory compliance, and safeguard the interests of your members and institution.

Contact us today to learn more about how we can support your credit union’s cybersecurity goals. Let’s embark on this journey together towards a more secure and resilient future.

Helpful Links:

Notable Changes in the New Ransomware Self-Assessment Tool

By: Mike Detrow, CISSP 

The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service first released the Ransomware Self-Assessment Tool (R-SAT) in October 2020 as a tool for banks to use to evaluate their preparedness for a ransomware attack and to help identify additional controls that should be implemented to increase a bank’s security. 

A number of state banking departments worked together to evaluate banks that suffered a ransomware attack between January 1, 2019 and December 31, 2022, and the Conference of State Bank Supervisors used this information to publish a report in October 2023 that identifies the lessons learned by these banks1.   

Key Findings from the Ransomware Lessons Report

This report identifies the following significant findings: 

  • Lack of completion and proper use of the R-SAT to identify gaps in a bank’s security controls to prevent or mitigate the effects of a ransomware attack 
  • Lack of multi-factor authentication or improperly configured multi-factor authentication 
  • Lack of proper understanding of social media and methods for monitoring social media platforms to address the potential dissemination of misinformation that may affect a bank’s reputation 

In response to the findings identified in this report, a new version of the R-SAT was released in October 2023 that identifies additional security considerations that banks will need to evaluate regarding their preparedness for a ransomware attack.   

Notable Additions to R-SAT

The notable additions to the new version of the R-SAT are identified below: 

  • Specific questions were added in item 3 regarding the services provided by the cyber insurance carrier to respond to a ransomware attack  
  • A column was added in item 4 to identify services that are based in a cloud environment 
  • Item 5 is a new question asking if any data is housed in a location outside of the United States 
  • Item 10 now asks about the frequency of employee security awareness training  
  • Item 11 is a new question asking if the institution performs phishing test exercises at least quarterly 
  • Item 12 identifies additional questions regarding backup data validation and recovery capabilities 
  • Item 13 includes additional questions regarding the implementation of multi-factor authentication 
  • Item 14 includes several new additional preventative controls that should be considered 
  • Item 18 includes additional ransomware response procedures that should be included in the incident response plan 

Security Control Enhancements Recommended by Young & Associates

Through the IT Audits and consulting work that Young & Associates performs for community banks and credit unions, we also see value in the following security control enhancements: 

  • Proper understanding of the use of cloud-based services and appropriate policies governing their use 
  • Providing cybersecurity training to employees throughout the year that identifies current threats rather than just one annual training session 
  • Performing employee phishing tests at least quarterly rather than just once a year 
  • Performing an authentication assessment and implementing multi-factor authentication for all critical systems and applications 

To help prevent or mitigate the potential effects of a ransomware attack and to prepare for their next IT examination, banks should review the report regarding the ransomware lessons learned by banks that suffered an attack and complete the updated R-SAT by using the following link to access these resources: https://www.csbs.org/ransomware-self-assessment-tool 

Strengthening Bank Security Against Ransomware

As cyber risks become more prevalent, managing your technology infrastructure and security is paramount. Young & Associates provides financial institution IT consulting to help protect community banks and credit unions from internal and external threats. Should you have any questions about this article, please reach out to Mike Detrow, Director of Information Technology, at mdetrow@younginc.com or contact us on our website. 

Credit Union Cybersecurity: Actionable Cyber Threat Defense

In an era dominated by technology, the financial sector faces a growing menace in the form of cyberattacks. Credit unions, along with their members’ sensitive data, have become prime targets for cybercriminals. To safeguard against these evolving threats, credit unions must proactively fortify their cybersecurity defenses.

As the financial industry changes, cybercriminals adapt, so credit unions must prioritize cybersecurity planning. This article discusses steps and measures credit unions can take to protect their operations and member data from cyber threats.

Understanding the Cyber Threat Landscape

The increase in cyberattacks on credit unions, as well as their affiliated CUSOs and vendors, has brought cybersecurity vulnerabilities into sharp focus. It’s essential to recognize that cyber threats are no longer a distant possibility, but a tangible reality that demands immediate attention. Cybercriminals employ a range of tactics, including ransomware, phishing, and Distributed Denial-of-Service (DDoS) attacks, all with the potential to disrupt operations, compromise data, and tarnish the reputation of credit unions.

Taking Action: Security Controls for Credit Unions

In a realm where financial innovation and digital transformation reign, protecting sensitive data and ensuring uninterrupted services takes precedence. However, this progress is accompanied by the challenge of cyber threats, demanding a proactive approach to security.

To counter the evolving threat landscape, credit unions must adopt specific actions and security controls that reinforce their defenses. These measures not only safeguard their operations but also uphold the confidence and trust of their members. Let’s explore the steps credit unions can take to strengthen their cybersecurity and defend against cyber threats.

1. Implement Strong Access Controls

Effective access controls form the first line of defense against unauthorized access. Credit unions should enforce stringent access policies, ensuring that only authorized personnel have access to critical systems and sensitive data. Implement role-based access controls (RBAC) to limit privileges based on job roles, and regularly review and update permissions to maintain a least-privilege approach.

2. Fortify with Multi-Factor Authentication (MFA)

Incorporate MFA for all critical systems, applications, and accounts in your credit union. This extra layer of security forms a significant hurdle for unauthorized access attempts and provides protection against phishing attacks. MFA necessitates users to offer additional confirmation apart from a password, thereby boosting security.

3. Prioritize Patching and Updating Systems

Addressing vulnerabilities promptly is critical to preventing potential breaches. Outdated software and unpatched systems are prime targets for cyber attackers. Regularly update and patch operating systems, software applications, and security solutions to address known vulnerabilities and reduce the risk of exploitation. Stay informed about security advisories and updates from the software provider and relevant cybersecurity agencies.

4. Enhance Member and Employee Cybersecurity Awareness

Cyber threats evolve continuously, and so should employee knowledge. Educating your employees about cyber threats is one of the most effective ways to mitigate risks. Provide ongoing training to employees to help them recognize and respond to social engineering, the latest cyber threats, other common attack techniques, and best practices to keep them vigilant and informed. Awareness empowers your team to become a crucial line of defense. Equally important is educating members about safe online practices to prevent them from falling victim to scams or attacks.

5. Reinforce Email Security and Anti-Phishing Measures

Email remains a primary vector for cyberattacks. Implement sophisticated email security systems that inherently possess phishing identification and prevention features. Use SPF, DKIM, and DMARC to stop email spoofing and make emails more authentic, lowering the chance of successful phishing.

6. Conduct Regular Penetration Testing and Vulnerability Assessments

Proactively identify vulnerabilities by conducting regular penetration testing and vulnerability assessments. This allows credit unions to uncover weaknesses in their systems, applications, and infrastructure before cybercriminals can exploit them.

7. Craft a Robust Incident Response Plan

Prepare for the worst by developing a comprehensive incident response plan. Regularly test this plan to ensure your credit union is ready to respond swiftly and efficiently to a cyberattack. This plan should outline steps to take in case of a cyber incident, clearly define roles, responsibilities, communication protocols, and procedures, and rehearse different attack scenarios to minimize downtime and mitigate damages.

8. Manage Vendor Risk Strategically

Your credit union’s security isn’t solely dependent on your internal measures—it extends to third-party vendors as well. Review and assess the cybersecurity practices of vendors providing services to your credit union. Ensure they adhere to robust security standards and regularly evaluate their security posture to safeguard your ecosystem. Learn more about effective vendor due diligence evaluations in this blog.

9. Network Segmentation and DDoS Protection

Network segmentation involves dividing the network into smaller segments to limit lateral movement in the event of a breach. Execute network partitioning to confine possible security breaches and reduce their effects. This approach restricts attackers’ ability to move freely within the network, containing the impact and reducing the potential damage. Protect against DDoS attacks by filtering and limiting traffic to prevent disruptions to your services.

10. Safeguard through Regular Data Backups, Testing, and Recovery Planning

Ransomware attacks can paralyze credit unions by encrypting critical data. Regularly back up your data and test the recovery process to ensure quick and effective restoration in case of an attack. Backups reduce the likelihood of data loss and minimize the temptation to pay ransoms.

11. Encourage Sharing of Threat Intelligence

Get involved in communities that share threat intelligence in order to keep updated on new cyber threats and trends. Collaborating with industry peers enhances your understanding of evolving attack tactics, enabling you to adapt and protect your credit union effectively.

12. Sustain Vigilance with Continuous Monitoring and Updates

Cyber threats are ever-evolving, making continuous monitoring and prompt patch application essential. Monitor network traffic, logs, and systems for any unusual activities that could indicate a breach. Timely identification of suspicious activities enables credit unions to respond promptly and mitigate potential damage. Stay up to date with the latest security updates and promptly implement patches to close potential vulnerabilities.

13. Engage with Cybersecurity Experts

Consider seeking guidance from cybersecurity experts or firms specializing in the financial sector, like Young & Associates. Our industry-specific insights can provide credit unions with tailored solutions to address the unique challenges posed by cyber and information security threats.

Credit unions can strengthen their security and protect their operations, member data, and reputation by taking proactive cybersecurity measures. To protect against cyberattacks, credit unions must stay alert and take necessary actions as threats change and become more advanced. Remember, protecting against cyber threats is not just a responsibility—it’s a necessity for the digital age.

Partnering with Young & Associates: Expert Cybersecurity Solutions

In the face of escalating cyber threats, credit unions are seeking expert guidance and support to bolster their security measures. At Young & Associates, we understand the dynamic challenges that credit unions face in the realm of cybersecurity. We offer IT consulting, audit, and technical testing services to help strengthen your credit union’s defenses.

Our experienced experts provide valuable knowledge to help protect your institution from cyber threats with effective strategies and solutions. Y&A offers cybersecurity solutions ranging from comprehensive security audits to technical testing that uncovers vulnerabilities. We tailor our services to suit the unique needs of credit unions in this digital age. We will help your credit union understand and navigate cybersecurity. Contact us to learn more. 

Considerations for AI Adoption at Community Financial Institutions

By: Mike Detrow, CISSP 

You have probably seen the headlines claiming that artificial intelligence (AI) models such as ChatGPT will soon replace many human jobs. Marketing campaigns are also touting the use of AI by vendors to improve the effectiveness of their data analysis tools. If you have not already started to think about the application of AI for banking operations, you will likely be evaluating it soon. Just as with any other risk management practice, it is best to evaluate new technologies proactively rather than waiting until your vendors force you to use them or your employees begin using them without your knowledge. 

The purpose of this article is to identify the risks associated with machine learning and generative AI that you should consider as you are evaluating use cases for AI at your financial institution. Machine learning is the use of training data and algorithms that allow computers to imitate intelligent human behavior more realistically. Generative AI uses machine learning to allow a computer to generate new content such as text, images, video, or sounds based on specific input provided by a user.  

The Role of AI in Financial Institutions: A Look at Practical Applications 

First, let’s explore potential use cases for AI in community financial institutions. Some of the applications that we have seen so far include: 

  • Document development, such as job descriptions, policies, and marketing materials 

Risk Factors for AI Implementation in Community Financial Institutions 

Next, let’s examine some of the potential risks associated with the use of AI in community banks and credit unions. One of the biggest concerns with the use of AI is the security of non-public information. Entering such data into an AI model that is not under the complete control of the financial institution or one of the institution’s vendors introduces the risk of this information being disclosed, resulting in the potential misuse of this sensitive data. 

In addition to security concerns, there are other risks which should be considered. Results provided by AI-driven decision-making models could be biased based on the data that was used to train the model. Also, the information provided by AI models may be inaccurate or misleading, which could inadvertently result in an employee disseminating such incorrect information if not thoroughly vetted.  

Building a Strong Foundation for AI Risk Management within Your Financial Institution 

Now that you are aware of the risks associated with AI, what should you do to evaluate its potential within your bank or credit union? To safeguard your financial institution in the era of rapid AI adoption, it’s imperative to set guidelines early. The first step is to establish a group within your institution that will provide oversight for AI. If you already have an IT Steering Committee, this role will likely be assigned to this committee as it should already include the appropriate employees for this task. If you do not have an IT Steering Committee, you should consider establishing a cross-functional group of employees drawn from various areas of the institution to handle AI oversight. 

The first initiative for your AI oversight group should include a discovery process to identify any existing use of AI at the financial institution. It is possible that employees are already using ChatGPT to help develop marketing materials, for writing scripts or macros, or they may be using web browser plugins to improve productivity. Some of your vendors may also be using AI for various tasks associated with delivering services to your financial institution or customers, such as AML models, loan underwriting, and website virtual assistants or chatbots 

This group should develop a plan to identify any employee use of AI, whether it be through engaging in conversations with employees or potentially through employing the use of web traffic analysis. Keep in mind that your IT staff may not be the only employees that are potentially using AI within your financial institution.  

Additionally, your AI oversight group should review vendor documentation and, if deemed necessary, reach out to vendors to determine how they may be using AI. The purpose of this discovery process is to determine whether any non-public data has been put at risk based on any current or prior use of AI by employees or vendors so that appropriate actions can be taken to address any potential data misuse and prevent any further inappropriate AI usage.  

Once the AI oversight group has identified existing utilization of AI by employees and vendors and addressed any potential security concerns, the next step is to formally establish the institution’s risk appetite related to AI. This is achieved by documenting it within a policy that will be approved by the board and provided to employees for their acknowledgement. You should consider the following criteria within your policy: 

  • Definition of AI and the associated risks 
  • Authorization Process: Clearly defined IT Steering Committee approval requirements for new use cases. 
  • Vendor Risk Management: Due diligence practices for new vendors and ongoing monitoring of existing vendors to understand their AI usage and the potential risks involved. 
  • Acceptable Use: Employee guidelines for the usage of AI models such as ChatGPT and browser plugins, data security, output verification process, etc. 
  • Ethical and Legal Requirements: Guidelines for nondiscrimination, regulatory compliance, and adherence to other institution policies. 
  • Intellectual Property Protection: Measures to safeguard intellectual property rights and copyrighted material. 
  • Incident Response: Procedures to detect and report any suspected security incidents. 

It is important to note that it is likely not feasible to implement an outright ban of AI at the financial institution within your policy, especially as some of your vendors are likely already using AI or will be using it in the near future. 

With the use of AI expected to increase very rapidly over the next few years, it is imperative for management to establish guidelines for its use as early as possible to limit the potential for its misuse at your institution. 

Y&A’s Solution for Secure AI Adoption and Risk Preparedness within Financial Institutions 

In the rapidly evolving landscape of AI integration within the financial sector, striking a balance between reaping the potential benefits of this technology and practicing effective risk management can be challenging. It’s crucial to adopt a risk-ready approach to scaling AI integration in order to safeguard the future of your institution. The proliferation of AI applications shows no signs of slowing, making it wise to proactively address risks before regulatory measures come into effect. 

To streamline the process of addressing AI risk, Young & Associates offers a customizable AI policy that you can tailor to your financial institution’s specific needs. Click here to learn more about this product. 

Should you have any questions about this article, please reach out to Mike Detrow, Director of Information Technology, at mdetrow@younginc.com or contact us on our website. 

Embracing New Technology ̶ “Lead, Follow, or Get Out of the Way”

By: Bill Elliott, CRCM, Director of Compliance Education

I have been teaching for Young and Associates for over 20 years. Twenty years ago, when I asked about “the percentage of customers that enter your lobby in any given month,” the answers I got from attendees were usually around 80%. Twenty years later, the answers are almost always under 25%. Just recently a banker in a seminar told me that they have a branch that has almost no foot traffic.

The reason for this change is obvious ̶ why go to the bank or credit union when you can do it electronically? And the generations of customers coming up are more than willing to figure out how to do it on their smartphone. Since banking via your smartphone is readily available to anyone who has a decent cell signal, it is hard to argue with that position.

The problem for financial institutions is the constant struggle with technology and finding ways to leverage it better and faster. And the last two years of COVID have exacerbated the problem greatly, as customers were either reluctant to leave their homes, or institutions were unable to service customers except through perhaps the drive-through window. The result of all this is that some financial institutions have lost customers due to the lack of technology, while others have done very well because they had the technology available and could enable it to serve their customers.

Another question I ask in seminars is, “How many of you believe that you will get to retirement before your institution is opening accounts online?” If I have a 60-something person in the crowd, maybe I will get a hand raised. For everyone else, they can see it is either here or coming soon.

Embracing Change
Management sometimes is reluctant to embrace change, which is understandable, as few enjoy it. But not changing may come at a cost that your organization is not willing to pay. To remain independent, financial institutions must step out of the comfort zone of, “We have always done it this way” and embrace the technology necessary for their survival and for their consumers’ needs. Pretending that it simply isn’t going to happen will not work ̶ it has already happened.

One of our clients is situated in an area where cows outnumber people three to one. Around 90% of their mortgage applications come in electronically and the bank encourages applicants to do it electronically, as that speeds the process up. A loan that closes faster means that the organization makes more money earlier, certainly a worthwhile goal.

On the deposit side, watch any football game, and major financial institutions tout the abilities that are available to the customer using their smartphone. One bank indicates that you can open a checking account online in five minutes. I’ve never tried it, but since the average customer takes more than five minutes to choose their check style, I’m not sure it is 100% accurate. But it is the wave of the future, or perhaps I should say the wave of the present.

Tips to Consider
After you decide why your organization wants to invest and leverage new technology (gain more customer insight, improve customer experience, penetrate new markets, etc.), here are some basics that you need to consider:

  • First, what systems are available that interface easily with your core processing system? If you cannot interface, you probably ought not be interested. The goal is to make everything flow from space to space to space with a minimum of human intervention, with high-quality information at each step to support why you are making this investment. While admittedly that means your staff must pay attention to get everything correct early in the process, once you do that, completing the transaction should be fairly simple. If your core processing system supports very little that would be useful to you in this new electronic banking world, it is possible that you may need to consider replacing it with something a little more flexible.
  • Second, you need to have the ability internally to manage the new processes and technologies. And you need to ensure that you have the training available to your staff so that they understand their role and responsibilities necessary to support your customer base.

There is no question that all this costs money ̶ but not doing anything also carries costs. Some of the cost of new technology may be offset by closing branches that are not necessary as these new delivery systems grow and mature. Closing a branch has its own real dollar costs, and management must assure that the closure will not impact the organization’s Community Reinvestment Act or fair lending positions. All this needs to be considered – and maybe discussed with regulators – before closing a branch. And even if you do not close a branch, some savings is possible with a reduction in your overall staffing levels.

I personally have a checking account that I really don’t need anymore, but I have several bills paid out of that checking account directly. Since the account is free, I’ve never bothered to do anything other than adequately fund the account, because moving all those transactions to my “main” checking account seems just too cumbersome. So, the technology keeps me a customer.

Once customers begin to intertwine bill pay, budget models and other products, they may think long and hard before unpacking all these services to move the account and business somewhere else. The digital experience is just as impactful to the overall customer experience as face-to-face contacts. And an integrated digital platform may help retain customers that may not be thrilled with your organization; however, the digital experience becomes so difficult to “unpack” that they accept their pain points and continue to remain customers. This retention provides you the time to address their pain points and transform them into advocate customers speaking highly of your quality of services to others.

“Lead, Follow, or Get Out of the Way”
Years ago, I heard the phrase, “Lead, follow, or get out of the way.” That certainly is our world today. Your best possible position is to be a leader. If you choose to follow, you may do just fine. But if you try to simply get out of the way, you may find yourself in a difficult position. So, you must consider your options here, and frankly do it very quickly.

Many in the industry are talking about Banking as a Platform (BaaP), Digital Transformation, and Banking as a Service (BaaS). These are all different concepts, yet all very relevant and available. It is our hope you make the choice to “lead” or “follow” closely and have your customers or new markets choose you for banking services. Please do not “get out of the way,” as it will be more challenging for you and your organization in the long run. Given how quickly technology and related issues advance, the “long run” is now measured in shorter and shorter time frames.

For more information on this article and how Young & Associates can assist your organization to position your organization to leverage technology to better serve your customers, contact us at mgerbick@younginc.com or 330.422.3482.

Considering Anti-Money Laundering Software for Your Institution

By: Edward Pugh, CAMS, Consultant

For many financial institutions, one of the most impactful purposes of the Anti-Money Laundering Act of 2020 is the encouragement of technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism. While a requirement to adopt technology in the AML space is not spelled out, the encouragement is being meted out in regulatory exams. Industry professionals have noted that the asset-size thresholds for scrutiny of the adoption of technology (or lack thereof) is decreasing.

Aside from regulatory expectations, there are many advantages in adopting AML technology solutions, which include better detection capability, more efficient workflows, better information flow, and many others. There is a plethora of providers in the marketplace offering a wide range of products and capabilities. However, the aim of this article is to lay out some considerations once the decision to adopt new technologies has been made. Here are some things to consider:

  • Risk Assessment. Your institution’s BSA/AML risk assessment should drive the technology selection process. It is important to be able to demonstrate that the technology does in fact mitigate the risks that were assessed. The risk assessment can also serve as a guide in determining the sophistication of the software needed; a lot of products in the market may offer many features and options that may not be necessary.
  • Data. Data quality is the most important aspect of implementing AML software technology. Any implementation will require time to be devoted to data cleansing and mapping. Most vendors offer varying levels of assistance depending on your needs. Whether this part of the process is handled in-house or through a vendor, there will be costs associated with data preparation.
  • Future-proof. While no technology can be “future-proof,” it is important to have a platform that is robust and can handle upgrades or changes in your institution’s core software and any ancillary systems that may be feeding data into the AML software. There should also be a clear process for updates as regulations, laws, and criminal typologies change or are discovered.
  • Maintenance. BSA/AML evolves constantly. Financial institutions and their customers continually change. Over time, fine-tuning scenarios and thresholds is an important periodic activity. Some software allows the institution to conduct changes to the model while others require more vendor involvement. It’s an important area to consider when choosing between the numerous options.
  • Efficiency. Properly implemented, quality AML platforms will reduce the compliance burden in your institution. However, it is important to note that there will be “growing pains” in the beginning. One of the most common surprises is the often-dramatic increase in alerts generated. This is usually due to new scenarios being monitored, and much more transaction data being monitored. It can also be due to data quality issues that can arise during implementation. This surge in alerts is temporary. The efficiency comes as the system is fine-tuned and staff becomes more acquainted with the platform and its capabilities.

One final thought: Think big, start small. AML platforms can be customized and upgraded. For many institutions, the choices are overwhelming. Of course, there are many other factors that must be taken into account, especially cost. Having a clear understanding of the above-mentioned considerations will help weigh the cost considerations in choosing between the many options available in the marketplace.

For more information on the selection of AML software, contact us at
mgerbick@younginc.com or 330.422.3482. And if your institution has AML software in place, please read the following article, AML Validation & Review, to learn more about how we can assist your financial institution in the validation and review of your existing AML software. Our BSA team is uniquely qualified to guide you through this often complicated and technical process, and we look forward to working with you to achieve your goals.

AML Validation & Review

The increasing sophistication of Anti-Money Laundering/Combating the Funding of Terrorism (AML/CFT) software and modeling techniques and the broader application of these models have played an undeniable role in the enhanced effectiveness of AML/CFT programs in financial institutions.

The regulatory agencies are utilizing more analytical and statistical specialists in BSA examinations. Additionally, recent BSA examinations demonstrate that the de facto threshold for regulatory scrutiny of AML models continues to decrease. All AML models must follow the guidance of OCC Bulletin 2011-12 and the subsequent Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance (4/9/21), which outline the expectations for model risk management, especially the need for independent review and model validations.

Young & Associates can assist you with our AML Validation and Review.
Customized for your institution and as required by the regulators, our AML validation and review addresses:

  • Conceptual Soundness. We focus on the design, methodology, and construction of the model. This includes analysis and review of the model documentation, assumptions and limitations, data quality and completeness, and implementation
  • Ongoing Monitoring. We make sure that the model is working efficiently and as intended to meet your institution’s business objectives, and ensure that it is tailored to the institution’s Risk Assessment (AML Program Management). This includes model tuning and calibration, which is driven by several Key Performance Indicators (KPIs).
  • Outcomes Analysis. We examine the model’s output, including alerts generated from transaction monitoring, along with the supporting information used for investigation. Above-the-line and below-the-line testing is conducted to ensure that alerts are accurate and complete. Monitoring rules and parameters are also assessed.

Young & Associates collaborates with many of the AML software providers throughout the validation and review to make the process as seamless to your institution as possible.

Trusted Guidance in BSA/AML Compliance
Young & Associates provides an unmatched depth of practical expertise. Our BSA compliance team includes former banking executives, compliance regulators, and tenured finance professionals who hold the CAMS (Certified Anti-Money Laundering Specialist) designation. We’re uniquely qualified to understand and solve your challenges, because we have personally experienced those same issues. For more information on how we can assist you with your AML validation and review, contact us at mgerbick@younginc.com or 330.422.3482.

ADA Website Compliance, 5 Key Tips

By: Mike Lehr, Human Resources and Sales Consultant

Banks must make their websites accessible to individuals with disabilities. That is how federal courts have interpreted the Americans with Disabilities Act (ADA). We have found five key tips go a long way to doing that. Ironically, software scans measuring accessibility don’t do this successfully.

That’s a key, key lesson: do not rely on scanning software to determine whether your site is accessible. Again, do not rely on this software for determining accessibility. In our audits and discussions with attorneys who have defended clients in lawsuits, these results are almost useless. What holds up best is the testimony and tests of sight-impaired users (SIUs) who have used the website. Nothing compares to observing a SIU running through a site. That’s because the WCAG 2.1 and Section 508 guidelines – used as the basis for compliance – have many interpretive elements to them. Yes, some we can quantify and code. About half we can’t. Images make the simplest examples. Scans state whether an alt-text exists. They can’t tell though whether the alt-text is necessary or even useful.

This doesn’t mean scans don’t help. They do. They look at the entire site. A human audit is just that, an audit, meaning it looks at a sample. Scans give one input to developing the site’s audit plan.

The Five Tips

We can summarize the five tips that go a long way to ensuring a site’s accessibility as easy navigation, useful alt-tags, and proper coding practices. The tips focus on SIUs rather than other disabilities because not seeing the site – or seeing it well – is the most difficult challenge to overcome even with good hardware.

1. Navigation Menu – Only One

Websites have many ways to navigate them. In addition to the traditional horizontal menu, mobile menus (hamburger menus) also exist. Sites also employ vertical menus on the left and right sides of the page. They also use fly-in menus that come in on certain pages. The tip refers to silencing all but the most comprehensive or dominant menu.

That means the site should be coded to do this when it detects a screen reader (SRs  ̶  software that allows a SIU to read a site). It should be the most comprehensive and dominant menu. Remember, SIUs can’t see the screen well. They only hear it. Most times they won’t even know how big the window is on the screen.

Yet, SIUs often program SRs to prioritize links. That means SRs will read all menus. For the SIU, that becomes confusing as to which link to click. They hear too many duplicates. Imagine now going to a site where you see double of everything.

2. Alt-tags as Signposts

As mentioned above, SRs often prioritize links. That includes non-menu links such as those imbedded in text, images, and other elements. Links tend to take users to one of four places: another page, another place on the same page, another site, or a file such as a PDF. In doing so, one of two things happen: the user remains in the same window or opens a new one.

This tip refers to using alt-tags as signposts. Two sides of this exist. The first involves telling SIUs where they are going. Otherwise, they primarily think they go to another page. The site needs to tell them even if the image’s caption or surrounding text clearly states this. That’s because SIUs can program the SR to read only the links on a page, meaning the SR won’t read context clues.

The other side of this involves making each link distinct. For instance, “click here” often appears after descriptive text such as, “To go to our checking account page click here.” It tells SIUs nothing when they program the SR to read links only. This compounds if many links say “click here.” So, choose to make the whole phrase a link or add more description to the alt-tag.

3. Alt-tags as Additional Descriptors

Many misread the guidelines when they come to alt-tags for non-links such as images. They think it says – and scanning software reinforces this – that alt-tags can’t be blank. So, sites duplicate the caption in the alt-tag or add text to a purely aesthetic design element such as a color block, shape, or filler that communicates nothing.

Imagine a great, beautiful well-designed home. However, when you enter there’s clutter everywhere. You have to move things around. You even trip over some. This is “death by a thousand cuts.” Sites do the same to SIUs when they have duplicate, nonsensical, and useless alt-tags.

In such cases, code the alt-tag with the left double quotes followed by the right double quotes (“”). This tells the SR to skip the alt-tag and tells the scanning software an alt-tag exists (so it won’t flag it as an issue).

4. H-tags and TITLE Attributes

SRs assume sites use generally accepted coding practices. That means SRs will have problems with sites that don’t. Two of the more common ones that sites overlook are the h-tag and the TITLE attribute. The first identifies headers. The second identifies the page.

Sites can prioritize headers. Headers using an h1 tag is the most important. H2 tags are second, h3 third and so on. Most web managers know these headers as ways to change the look of a header. Their use can automatically enlarge, bold, italicize, color, or underline headers.

While h-tags allow designers to quickly add design enhancements to headers, they also serve to prioritize content. In this role, they help SIUs much. Just as SIUs can program SRs to read only the links on a page, they can also have them read just the headers. Some even allow them to program what level header to read, such as “read h1 – h3 headers” only. This means that headers must accurately reflect the relative importance of the website page’s content.

Unfortunately, content managers often only look at h-tags as design elements. So, rather than code a header using an h-tag, it might be quicker and easier just to bold and color text. After all, it will just look the same. However, this just relegates a header to common text. SRs will miss it.

TITLE attributes serve no real purpose for non-SIUs. Since they appear at the top of a page’s code, they can serve to further describe the page and reassure SIUs that they arrived on the page they wanted. Again, many sites just throw something similar to the page’s visible title in this or something abbreviated. More description often helps SIUs.

5. Help Desk Phone Number

Companies increasingly employ more automated forms of problem resolution. So, they aren’t likely to list a phone number prominently on their sites. Yet, such a number can go a long way to helping SIUs work through a site. Including the phone number near the top in the page’s coding will make it invisible to non-SIUs but accessible to SIUs with their SRs.

For instance, the site could include the number (along with times of availability) in the alt-text of the company’s logo in the upper left which often includes a link to the home page. Sites often include this number before or after input elements such as account logins.

Of course, this does necessitate that the bank supports the number. That might mean changing voicemail prompts and other protocols if the number has other uses. It also means training staff to handle such calls with sensitivity and patience.

Going a Long Way

Except for the first tip regarding menus, a reasonably experienced website content manager can perform these tasks. Even then, with less than an hour’s training, others can learn. Time and discipline remain the real challenge. It can begin though with ensuring that any new content incorporates these tips.

As for policy decisions, we recommend that banks purchase scanning and screen reading software. They make a world of difference. Also, and finally, we encourage banks to contact their local society for the sight impaired and ask for their help. Most members already have SRs. See if you can observe them using your site. It’s not only good community outreach, but I guarantee you will find it an eye-opening experience. We did.

For more information on this article and how Young & Associates can assist your bank in this area, contact Dave Reno, Director – Lending and Business Development at dreno@younginc.com and 330.422.3445.

Connect with a Consultant

Contact us to learn more about our consulting services and how we can add value to your financial institution

Ask a Question