SaaS - Software as a Service.  A software deployment model in which a vendor licenses an application to customers for use as a service on demand.  SaaS software vendors may host the application on their own web servers or download the application to the consumer device, disabling it after use or after the on-demand contract expires.  The on-demand function may be handled internally to share licenses within a firm or by a third-party application service provider (ASP) sharing licenses between firms (ref: wikipedia).

12 CFR 334 - Fair and Accurate Credit Transactions Act.  Examiners will follow general Act guidelines relative to Sections 82, 89 and 90.  Typically, regulatory guidelines applicable to risk management practices are described in Section 90. Parameters more operationally targeted to red flags associated with address discrepancies are treated under Sections 82 and 89.

Can Enfra-Tech Help You?  Enfra-Tech recognizes that it isn't easy making a profit in a highly regulated world.  We can help you to cost-effectively deploy and maintain the controls necessary to ensure regulatory compliance.



Cloud computing poses some serious risks for the financial services industry, community banks, and just about any IT user who has outsourced customer data.  There are several issues involved here.

First, there is a question of trust.  Given the competitive world of outsourced IT, are you sure your vendors have not tried to cut costs by shipping your confidential customer data out to the Internet cloud for virtualized 3rd party processing?

This is exactly one of the reasons why we have the Gramm-Leach-Bliley Act (GLBA) - to know what your vendor is doing with your proprietary corporate data.  And, it's also why GLBA due diligence guidelines require you to maintain and review current vendor SAS-70 reports. But there's a catch here...

The Problem.  Most likely your vendor SAS-70 reports will be of little value because regulators and auditors have yet to formalize controls over cloud computing or SaaS IT Services.

The Solution.  You can begin by requiring that your mission-critical IT service providers sign an agreement stipulating that your confidential corporate and customer information will not be subject to cloud computing solutions - especially where 3rd party vendors are engaged.  Likewise, be sure that this policy is part of your formal IT Policies Manual.







Indications are that in 2010 financial institutions and other creditors will face increasingly stringent reviews of so-called "red flag" controls over customer identity theft.

Financial institutions can expect examiners to mount a two-front regulatory campaign focusing on (1) risk management practices and (2) compliance procedures.

Examiners assigned to risk management practices will be testing that a formal Identity Theft Prevention Program is in place.  The Program should be designed to detect, prevent, and mitigate identity theft consistent with regulatory guidelines (12 CFR 334).

Regulatory efforts directed toward red flag compliance procedures will focus on controls over customer address discrepancies and procedures controlling address changes.  Although examinations will initially target "reactive" red flag procedures, future reviews will more likely test for "proactive" controls - e.g., software to cross-check customer master and credit billing addresses.

