03/12/2007
We have had several customers express ardent displeasure with multi-factor authentication and the desire to be "opted out." Our system allows for opt-out but an FDIC examiner has told us that opt-out should never be allowed. I understand that it should be extremely limited, but if a very good customer says "turn it off," why should they not have the choice since it is being put in place for their security - provided they are willing to sign some kind of hold harmless agreement? From a Regulatory compliance standpoint we are meeting our obligations by putting multi-factor generally in place, but is the expectation that no customer ever be given a choice?
02/05/2007
Can we take a wedding ring as collateral on a consumer loan if we hold possession of the ring and it is for purposes other than to purchase the ring?
11/27/2006
In regard to KYC and CIP, what personally identifiable information is the bank required to obtain for the beneficiary of an account? Full name, address, social security number and date of birth? We want to make sure that we are in compliance but a social security number and date of birth aren't always available for the beneficiary to the individual opening an account.
11/27/2006
Currently we do a social security verification or a credit report on all new accounts to verify identity and/or other information. Some reports verify the individual information to be the same as what we have on the person but will not verify that the social security number is actually issued to that person, but give the date of issue and the state issued in. According to the CIP rules, are we required to verify that the number given is actually issued to that person? If so, do you know where or how to obtain that specific information?
11/20/2006
I attended a tele-seminar on 9/11/06 with Jack Holzknecht about Red Flag Guidelines. We just had an audit and we received a write up for not having any formal procedures in place to ensure identity of a customer requesting credit if a fraud alert appears on the customer's credit report. The recommendation read, "To mitigate fraud risk and ensure the proper identity, formal procedures should be created and implemented. Procedures may include additional steps for identification, additional security questions, as well as additional documentation to evidence of proof." If the Red Flag Guidelines are not finalized yet, how can we still get written up for it? Should the recommended policies be in place already even though there has been no Final Rule released?
10/23/2006
Besides the annual privacy disclosure are there any other disclosures required to be provided to customers annually?
10/09/2006
What are the bank policies that need board approval and how frequently?
08/21/2006
I know you can't "stop payment" on a cashier's check but you can "refuse to pay" if the remitter or payee asserts a claim in writing because the check is lost, destroyed or stolen? Can we charge the customer our Stop Payment Fee of $20.00 for this service or would we have to change our Schedule of Fees to include a "Refusal to Pay" fee before we could charge for this service?
08/21/2006
I have attended several security workshops where Dana Turner was the presenter. At one of the seminars, he referenced training examiners on conducting exams related to compliance with the Bank Protection Act and that there was to be an increased focus on this. This was about 18 - 24 months ago and I've not heard anything more, so I wondered if there was any new information on this?
07/17/2006
I would like to develop an Information Security Compliance Assurance Framework and program for my organization. Could you please suggest some reference sources for the same?