Pub. 6 2016 Issue 2

Cyber-attacks against interbank networks and wholesale payment systems occur in the financial technology (“fintech”) community and the Federal Financial Institutions Examination Council (“FFIEC”) has taken action to mitigate the risks. Cyber attackers have exhibited the ability to bypass financial institution information security controls for wholesale payment origination and have effectively obtained and used valid operator credentials to compose, approve and send damaging messages. In addition, cyber attackers have utilized funds transfer operations, hastily transferred stolen funds across jurisdictions to avoid recovery, and controlled and employed malware to disable and delay detection of fraudulent transactions. Such attacks expose the originating financial institution to financial loss and compliance risk (e.g. the PATRIOT Act, Bank Secrecy Act, and OFAC).

As a result of the cyber-attacks, the FFIEC, which includes the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee, issued a warning to financial institutions to review fintech risk management practices and controls over information technology and wholesale payment systems networks.

With the FFIEC emphasizing technological risk in its statements, it follows that the financial institution regulators may be keen on fintech risk in future examinations of financial institutions. The FFIEC, as a guide for financial institutions to mitigate risk, has issued an FFIEC IT Examination Handbook, which includes Information Security, Business Continuity Planning, Outsourcing Technology Services and Wholesale Payment Systems booklets. The handbook serves as a guide by which the FFIEC regulators will assess financial institutions and certain fintech risks.

Discussed below are some of the risk mitigation expectations of the FFIEC for financial institutions. Financial institutions should create an infrastructure that mitigates cyber risk. The FFIEC recommends financial institutions maintain a continuous information security risk assessment program that considers emerging threats in the fintech industry, and assesses and prioritizes risks to susceptible systems. To do so, financial institutions should use multiple layers of security controls. The FFIEC also provides that financial institutions should ensure that third-party ser-

FFIEC Releases Joint Statement Voicing Need for Financial Institutions to Protect Against Cyber Attacks

www.azbankers.org
