BID® Daily Newsletter
Sep 3, 2019

BID® Daily Newsletter

Sep 3, 2019

Inquiry & Insight - New Products, Data Loss, SARs

Summary: In this month's "Inquiry and Insight" issue, Steve Brown answers questions on new products, data loss prevention and SARs.

Have you wondered the percentage of people who sleep with their cat or dog? If so, you will be interested in research by the American Pet Products Association that finds 62% of people do so. That is even more good news when you consider research by the Mayo Clinic finds doing so may actually improve your sleep.
Switching our topic to banking matters, we take a look at a few interesting questions and hope our insight helps you sleep a little better at night.
Q: What is your process for new product/service development? We know that regulators want to know this, but is a spreadsheet enough?
A: From what we have heard and seen, spreadsheet documents or robust checklists are a good start, but even more important is to cover your bases with all the right documentation. It helps to specifically focus on the compliance component of new products so that regulators see you've addressed this important aspect. Right behind compliance is the need to document whether: the product is a strategic fit; you've done your homework in asking the right risk-related questions; the financial costs and benefits have been properly evaluated. As you dig in deeper, you will need to address many different tactical aspects, but this should get you started.
Q: We are trying to make our data loss prevention (DLP) program more robust. It currently has data classification, policies and procedures. Are we missing anything to enhance it?
A: Data flows all over the place in banks. It moves around to vendors, customers, employees, regulators and a host of other places. McAfee cites some good best practices that include such things as: implementing single centralized program, evaluating internal resources, conducting an inventory assessment, creating a classification system and establishing data handling and remediation policies. One often overlooked area includes educating employees too. For us, the DLP program is included in our information security policy. In addition to the classification, policies and procedures, we have added training, enforcement and reporting to ensure that the program is being followed appropriately from a compliance and security standpoint.
Q: Does anyone have experience with a client who has more than one SAR for the same activity? When should the account be closed?
A: There is no hard and fast rule on the number of SARs filed before considering account closure, and it depends on many factors. These can include the customer's explanation weighted with the expected activity and the reason the SAR was filed. Some banks review the number of SARs filed with a Board level committee (e.g., Audit; Compliance; Risk) to ensure that there is oversight and governance around the process. Accounts should be reviewed for closure the moment signs point to illegal activity, however, whether one SAR or several have been filed, of course. If you do so, be sure to document the details. Depending on the severity of the illegal activity, law enforcement may need to be notified prior to account closure. In some cases, law enforcement may request that the account remain open in order to perform an investigation. Partnering with legal counsel is advised.
Subscribe to the BID Daily Newsletter to have it delivered by email daily.

Related Articles:

How CFIs Can Maintain Adequate Capital in a Downturn
The Federal Reserve just concluded its annual capital adequacy annual stress test with 33 participating banks. While regulators don’t require CFIs to run stress tests to assess their capital adequacy, the federal banking supervisory agencies indicate that they should have the capacity to analyze the potential impact of adverse outcomes, and particularly encourage this for CFIs with CRE portfolios. We provide four steps to help form the foundation of an effective capital planning process.
Serious Hack-Attack-You Have 36 Hours to Report It
CFIs and other banks now have 36 hours to report serious hacks, including those that may disrupt operations, cause material losses or even threaten the stability of the entire financial system. Is 36 hours enough time for CFIs?