Slide 1: Understanding Enterprise Privacy Compliance Processes for the Financial Services Industry
Harvard Privacy Symposium, August 20, 2008, 3:00 – 3:45 p.m.
Susan M. Pandy, Senior Director, Internet & eCommerce, NACHA
John Carlson, Senior Vice President, BITS
Dan Burks, Chief Privacy Officer, U.S. Bank
Slide 2: Agenda
Electronic Payments Snapshot
Risks
Regulation & Supervision
Striking a Balance between Security, Privacy and Convenience
Slide 3: The Electronic Payments Mix
Slide 4: Changes in Payments Volumes ’03 – ’06
Chart: Electronics* 18.6; Checks Written -4.5
* Includes ACH, Credit Card, Debit Card and EBT. Does not include check images.
76% of the increase in total electronic volume comes from sources other than from declines in check volume.
Source: ECCHO, Federal Reserve 2007 Payments Study
Slide 5: Checks Become Less Relevant Over Time To Come
Slide 6: Banks Respond with Electronic Payments
Source: Grant Thornton 14th Annual Bank Executive Survey
Slide 8: Cross-Channel Information Risk
Channels and the risks shown for each:
Internet/PC: Phishing, Man-in-the-Middle, Hacking, Worms, Employee Theft, Spyware, Theft of Data
ATM: Skimming, Employee Theft, Trapping
Physical: Dumpster Diving, Employee Theft, Mail Theft
POS: Spyware, Employee Theft, Skimming
Wireless: Employee Theft, External Theft, Trapping
Slide 9: Information Risk in Electronic Payments
Increased product offerings across channels (e.g., Internet, phone, mobile, ATM, branch, etc.)
Enhanced accessibility to electronic payment channels/networks = end-to-end transaction risk
Information fraud = attempts to gain access to identities, transactions, credentials, data or any combination of these factors
Exposure risk: Trojans, crimeware, data breaches and hacking
Slide 10: Sample Headlines
“Feds Arrest Hackers of TJX, Other Retailers in Huge Conspiracy Bust”
“Eleven perpetrators held responsible for online theft and sale of more than 40 million credit and debit cards”
“Card data stolen from grocery chain”
Slide 12: Privacy Trust Eroding Factors
Source: Ponemon Institute 2007
Slide 13: Effect of a Breach on Privacy Trust
Source: Ponemon Institute 2007
Slide 14: Regulation and Supervision
Role of regulators in security and privacy protection
– Differences between financial regulators and the Federal Trade Commission
– Focus on authentication as one of several important security controls
Industry collaboration
Research and development priorities
Slide 15: Key Regulatory Requirements
Gramm-Leach-Bliley Act (GLBA)
Identity Theft “Red Flags” Rule
Interagency guidance
– Information security, including authentication
– Vendor management
Slide 16: Authentication Requirements
2005: Federal Financial Institutions Examination Council (FFIEC) updated guidance for authentication
– Risk-based program that requires: a risk assessment process, adequate “layered” security controls, and customer awareness programs
– Urges multifactor authentication
– Applies to all forms of electronic banking activities
Slide 17: Authentication (Cont.)
In response to risks and regulatory/supervisory requirements, financial institutions are:
– Deploying stronger and broadly accepted authentication methods, predominantly knowledge-based authentication (KBA) (e.g., challenge questions) and/or device authentication (e.g., a unique identifier of the customer’s PC)
– Also using tokens, but for limited applications (e.g., high-value transfers)
– Applying layered controls to protect consumers and FIs
Guidance underscores the importance of the enrollment process and scalability
Consumer acceptance is the top concern, together with cost and technology readiness
– Reveals tension between imposing new requirements and customer convenience
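As an added illustration, not code from the presentation or from any of the speakers' institutions, the Python below expresses the layered, risk-based approach described on slides 16 and 17 as a step-up policy: a salted hash of the customer's device fingerprint stands in for device authentication, an unrecognized device triggers KBA challenge questions, and a transfer at or above an assumed high-value threshold requires a one-time token regardless of device. The threshold, salt, factor names and fingerprint format are all assumptions.

```python
# Added illustration of FFIEC-style risk-based, layered step-up authentication.
# Not code from the presentation or any speaker's institution; the threshold,
# factor names and the device-fingerprint scheme are assumptions for this sketch.
import hashlib
from dataclasses import dataclass, field

HIGH_VALUE_USD = 10_000.0   # assumed cut-off above which a one-time token is required
DEVICE_SALT = b"assumed-per-institution-salt"   # placeholder; a real salt lives in a secret store


def device_id(fingerprint: str) -> str:
    """Device authentication: keep only a salted hash of the collected PC attributes,
    so the stored identifier is not itself reusable if the table leaks."""
    return hashlib.sha256(DEVICE_SALT + fingerprint.encode()).hexdigest()


@dataclass
class KnownDevices:
    """Enrollment record: customer id -> hashed identifiers of the devices they enrolled."""
    by_customer: dict = field(default_factory=dict)

    def enroll(self, customer_id: str, fingerprint: str) -> None:
        self.by_customer.setdefault(customer_id, set()).add(device_id(fingerprint))

    def recognizes(self, customer_id: str, fingerprint: str) -> bool:
        return device_id(fingerprint) in self.by_customer.get(customer_id, set())


def required_factors(devices: KnownDevices, customer_id: str,
                     fingerprint: str, amount_usd: float) -> list:
    """Layers a session must clear after the password, in order.

    Layer 1 (device): a recognized device is the cheap 'something you have' check;
    an unrecognized one falls back to KBA challenge questions.
    Layer 2 (transaction risk): a high-value transfer always needs a one-time token,
    recognized device or not.
    """
    factors = []
    if not devices.recognizes(customer_id, fingerprint):
        factors.append("kba")
    if amount_usd >= HIGH_VALUE_USD:
        factors.append("token")
    return factors


if __name__ == "__main__":
    devices = KnownDevices()
    devices.enroll("cust-42", "Firefox/3.0;WinXP;1024x768")   # constructed sample fingerprint
    print(required_factors(devices, "cust-42", "Firefox/3.0;WinXP;1024x768", 250.0))    # []
    print(required_factors(devices, "cust-42", "Safari/3.1;MacOS;1440x900", 25000.0))  # ['kba', 'token']
```

The convenience tension the slide mentions shows up directly in the policy: every enrolled device removes a KBA prompt from routine sessions, so the enrollment step carries the weight of the whole scheme.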
Slide 18: Vendor Management Requirements
Oversight of third-party service providers
– Senior management/board oversight
– Risk assessment
– Contract review
– Ongoing monitoring
Risk-based supervision
– Increasing focus on oversight of both domestic and foreign-based service providers
Slide 19: Financial Industry Challenges
Changing threat landscape
Evolution and adequacy of controls
Vendor management
Customer convenience
Customer privacy preferences and security expectations
Fraud from traditional and new channels
Privacy issues around new channels
Slide 20: Examples of Industry Efforts
Identity Theft Assistance Center
Focused efforts to address fraud, security and vendor management through BITS/The Financial Services Roundtable
– Development of industry best practices, including: breach notification; securing data in transport and storage; encryption key management; security awareness programs
Shared Assessments Program
Slide 21: Financial Sector R&D Priorities
Financial Services Sector Coordinating Council established in 2002
– 45 financial sector associations and financial institutions
– Goal: critical infrastructure protection and homeland security through coordination and collaboration
– Works in partnership with the Treasury Department and financial regulators in the Financial and Banking Information Infrastructure Committee (FBIIC)
R&D committee established 2004
– Identifies priorities for research
– Beta testing the SMART program as a means to provide subject matter experts to researchers in academia
Slide 22: Seven Major Challenges Facing the Finance and Banking Sector
1. Designing and Testing Secure Applications
2. More Secure and Resilient Financial Transaction Systems
3. Enrollment and Identity Credential Management
4. Understanding the Human Insider Threat
5. Data Centric Protection Strategies
6. Measuring the Value of Security Investments
7. Development of Practical Standards
Slide 23: Striking a Balance
Diagram: three competing goals to balance: Customer Convenience & Access, Privacy, Information Security
Slide 24: Balancing Security, Privacy and Convenience
Keeping pace with technology
Channel-specific fraud detection
Compliance challenges
Privacy as strategic marketing vs. compliance exercise
Slide 25: Information Fraud: Sensitive Information Movement – End-to-End
Diagram (end-to-end data flow) with layers File Server, Endpoint, Applications, Storage, Files and Network, and nodes Production Data, Data warehouse, DR, Staging, WW Campuses, WW Customers, WW Partners, Remote Employees, WAN, WWW, VPN, Disk storage, Backup disk, Backup tape, Outsourced Development, Enterprise email, Business Analytics and Customer Portal.
Slide 26: Information Fraud: Specific Risks
Diagram: the same end-to-end data flow as the previous slide, annotated with the specific risks at each point: Media Theft, Device Theft, Takeover, Fraud, Intercept, Media Loss, Unauthorized Access, DOS, Corruption, Unavailability, Eavesdropping, Data Theft, Data Loss, Device Loss, Unintentional Distribution, Unauthorized Activity.
Slide 27: Best Practices for Mitigating Information Fraud Risks: External
Protect against emerging threats
– Monitor for developments and changes
Maintain a logical authentication strategy
– Revisit this strategy
Educate
– Without creating paranoia or indifference
Slide 28: Best Practices for Mitigating Information Fraud Risks: External
Understand what data is most sensitive to the business
Select appropriate controls based on:
– Policy
– Risk
– Where sensitive data resides
Manage security centrally
Audit security to constantly improve
Slide 29: Select the Appropriate Controls
Data Controls: Encryption and Key Management
Data Controls: Enterprise Digital Rights Management
Access Controls: Authentication and Authorization
Audit Controls: Security Event and Information Management
Data Controls: Data Loss Prevention
Slide 30: Contact Information
Susan Pandy, Senior Director, Internet & eCommerce, NACHA, 703.561.3953, spandy@nacha.org, www.nacha.org
John Carlson, Senior Vice President, BITS, 202.589.2442, john@fsround.org, www.bitsinfo.org
Dan Burks, Chief Privacy Officer, U.S. Bank, 612.303.7816, daniel.burks@usbank.com, www.usbank.com