
New Web standard aims to protect customer data; may create regulatory confusion


What to protect and how?


Seemingly conflicting regulations pose headaches for many

If your website contains sensitive customer information, you are required to take steps to ensure data is safe from intrusion. The common standard for meeting this requirement comes from the American Institute of Certified Public Accountants (AICPA).

As of this past June, the AICPA replaced its SAS 70 standard with a Statement on Standards for Attestation Engagements No. 16 (SSAE 16). This governs “Reporting on Controls at a Service Organization.”

“This standard has created mass confusion principally because many organizations are not clear about whether their websites actually contain confidential customer data,” says Tim Coco, president and chief executive officer of COCO+CO., Inc. “The confusion stems from the fact that what many believe is their only website is really a compilation of several websites,” he explains.

Community banks and credit unions, for example, typically outsource online banking to third parties who have responsibility for protecting the data. Similarly, wealth managers might use Charles Schwab’s SchwabSafe® for online customer transactions. “The log-on to online banking on the non-customer information site is a technological ‘trick,’ if you will, and is equivalent to simply opening another website,” Coco says. Testing only the main site may be inadequate and the results will be misleading.

Non-confidential sites still pose customer risks

Even those websites without customer data, however, are subject to “phishing” and “pharming” attacks. These occur when a hacker obtains control over a website and tricks customers into providing confidential account information such as usernames and passwords.

The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, requires a number of safeguards to protect non-public personal information. For financial institutions, this means obtaining documentation from website hosts that they have security provisions in place. This documentation is now encompassed in SSAE 16.

The ‘big picture’ illustrates regulatory conflicts

Unfortunately, separate Web hosts usually can’t see the big picture, and regulatory conflicts arise. This occurs when, for example, the technology to secure a website also prevents the same website from being moved and restored in an emergency.

For institutions regulated by the Federal Deposit Insurance Corporation (FDIC) or National Credit Union Administration (NCUA), this disconnect between security and “timely resumption of operations in the event of a disaster” runs afoul of guidelines set down by the Federal Financial Institutions Examination Council (FFIEC).

To learn how COCO+CO. addresses these conflicts, see the story below.

New Finiracle brand helps community banks and credit unions comply with Web, advertising regulations


Finiracle provides executives with regulatory relief.

COCO+CO. Inc. celebrated its 20th anniversary with the launch of Finiracle, a new national brand of SSAE 16 (formerly SAS 70) website hosting and compliant advertising products for banks and credit unions.

Finiracle responds primarily to three pressing needs of smaller institutions — website security and disaster recovery, safe social media management and low cost, yet compliant advertising campaigns, said COCO+CO. President and CEO Tim Coco.

“Community banks and credit unions are tiptoeing through regulatory minefields, and no one is satisfied. Top management rightfully complains of high costs, compliance finds pitfalls both in Internet security and customer messaging, IT is forced into inflexible vendor arrangements and marketing departments sacrifice audience-drawing content and features,” Coco said.

“These institutions played no roles in creating the recent financial crisis, but they are beset by tougher regulations and vendor scare tactics. Finiracle uniquely coordinates seemingly conflicting compliance efforts, delivering peace of mind and savings,” Coco said. He explained, for example, that proprietary website hosting runs afoul of business continuity and disaster recovery efforts. “Most vendors’ closed systems serve only to drive up costs while discouraging modern features and inhibiting recovery during an emergency.” By contrast, Finiracle builds on COCO+CO.’s 20 years of financial compliance experience and delivers SSAE 16-secure (formerly SAS 70) Web hosting solutions through license-free technologies. Websites are completely portable and can be quickly reestablished on any common server. Just as important, website content complies with myriad consumer protection and disclosure regulations. All testing and reporting requirements are met at Finiracle’s secure data centers.

Finiracle’s packaged marketing campaigns contain compliant, innovative and savvy marketing content. Besides banners, posters and print advertising materials, interactive multimedia solutions are available.

Security concerns and worries about timely management are also keeping smaller banks and credit unions from enjoying the marketing benefits of social technologies. Finiracle delivers complete reputation management, control over embarrassing posts through full moderation and anti-spam wall post controls. Custom blogs and e-newsletters are also available.

More information is available at www.finiracle.com.
