Coming Soon: The Branchless Banking Kit!
By Vigilize | Thursday, April 12, 2012
It’s hard to believe almost a year ago Infotex set out on the path to create a new “branchless banking kit” which would include all the IT policy and procedure templates necessary to address a total re-write of the typical “E-banking Policy.” The decision to do this was accompanied by an article in Dan’s New Leaf entitled “Manifesto: Time to Revolutionize our E-banking Policies.” The original article is as follows:
Manifesto: Time to Revolutionize our E-banking Policies
I’m in the midst of writing an article about Wireless Banking. I’m actually working two articles: one about the Top Five Risks of Wireless Banking, the other a drill-down on the Compliance Risks of Wireless Banking. In the process, I’m reviewing a few E-banking policies for Clients nice enough to allow my participation in their efforts to mitigate this particular Wireless Banking Compliance Risk.
As I review the policies before me, having reviewed a few already in my auditing experiences, I recognize a common problem in their structure. You see, we auditors see the same policy almost everywhere we go, and whenever we see proposed updates, they still follow the same old structure. E-banking policies, like many other IT related policies, were all born in the late 1990’s, layering iteration after iteration of modification after modification into a document that already has to be banged into shape by the constraints of many different laws and regulations.
Thus, I declare this manifesto:
- Re-create a more organic structure. Instead of merging yet another new delivery system into an already hodge-podge policy/procedure document, it’s time to back up and create a policy that more closely conforms to the way technology has evolved, while supporting existing compliance frameworks.
- Policy modifications result from the adoption of new technologies. We are going to continue experiencing new electronic banking delivery channels, and we are not going to be able to predict how they materialize.
- Our existing E-banking policies are iterations of E-banking policies that originated in the 1990’s, prior to on-line banking, to address ATM’s and telephone banking as well as new payment processing technologies such as electronic wire transfers and electronic funds transfers. As new delivery systems, payment processes, and authentication solutions became available, the E-banking policy evolved into a collection of after-thoughts trying to address new technologies as they emerge.
- We should consider rewriting the policy with a new structure, centered around the concept of “Branchless Banking” rather than “E-banking.” The policy would address the three primary asset categories: Payment Processes, Delivery Systems, and Authentication Solutions.
- Branchless Banking Policy
  - Introductory Stuff (Scope, Author, Date, Approval, etc. depending upon institution)
  - Payment Processes
    - Electronic Funds Transfer
    - Electronic Wire Transfer
    - ACH Transactions
    - Remote Capture Deposit
    - Mobile Payment Processes
    - Scan and Pay
    - Consumer Capture
  - Delivery Systems
    - ATMs, Kiosks
    - Telephone Banking
    - On-line Banking
    - Wireless Banking
  - Authentication Solutions
    - ATM cards
    - Credit cards
    - Debit cards
    - Login Credentials
    - Tokens (Hard and Soft)
    - Cell or Smart Phone
    - GPS Position
  - Concluding Stuff (update schedule, related policies and procedures, distribution list, etc. depending on institution)
Within each asset, be it a payment process, delivery system, or authentication solution, the following would be addressed as appropriate:
- Alignment with Business Strategy
- Return on Investment Considerations
- Training Objectives
- Adoption Strategy (Diffusion Theory)
- Deployment Objectives
- Strategic Risk
- Risk Management
- Initial Risk Assessment
- Vendor Due Diligence Requirements
- Ongoing Risk Management
- Data Security Objectives
- Record Retention
- Legal Risk Mitigation
- Compliance Risk
- Applicable Laws
  - BSA / AML
  - EFT Act (see Reg E below)
  - E-Sign Act
  - FACTA (and the Red Flags Rule)
  - UCC Article 4A
  - US Patriot Act (CIP and KYC)
  - ______________________ Next Law Here
- Applicable Regulations
  - Regulation B, Equal Credit Opportunity
  - Regulation CC, Availability of Funds and Collection of Checks
  - Regulation DD, Truth in Savings
  - Regulation E, Electronic Fund Transfers
  - Regulation M, Consumer Leasing
  - Regulation Z, Truth in Lending
  - ______________________ Next Regulation Here
With this new approach in structuring the policy, as new technologies emerge, new policies can be added without organically ruining existing policies. Meanwhile, these must be high-level policies that establish guidance for the creation of procedures and the creation/acquisition of tools. The Branchless Banking Policy must document POLICY statements rather than procedures or inventories. It must establish goals, objectives, and strategy directives. The actual procedures, tools, and tactics will be documented in separate documents.
This would be a bit of a revolution, but it has happened before. I see the Branchless Banking Policy Revolution as being similar to the day when we finally put our foot down and insisted on one stand-alone Acceptable Use Policy!
We’re almost there! Look for the new Branchless Banking Kit in the next 30 days or so!
One Response to “Coming Soon: The Branchless Banking Kit!”
Comment from Diana Timberlake
Time 07/08/2013 at 7:54 am
I need to redo our Remote Deposit Capture policy. Do you have any sample policies available? I am looking for what is required to be in the policy. I attended your seminar with Michelle Sloan at IBA on June 6. Thanks in advance for any help you can provide.