Compliance Center: FFIEC Issues Interbank Messaging and Wholesale Payment Network Advisory Statement

The Federal Financial Institutions Examination Council (FFIEC) recently released a statement advising financial institutions to actively manage the risks associated with interbank messaging and wholesale payment networks. In the statement, the FFIEC stressed that financial institutions should review risk-management practices and controls related to information technology systems and wholesale payment networks, including risk assessment, authentication, authorization and access controls; monitoring and mitigation; fraud detection; and incident response.

In accordance with the FFIEC’s guidance, credit unions should consider the following steps:

Conduct ongoing information security risk assessments

Maintain an ongoing information security risk assessment program that considers new and evolving threat intelligence related to online accounts and adjust customer authentication, layered security, and other controls in response to identified risks. Identify, prioritize, and assess the risk to critical systems, including threats to applications that control various system parameters and other security and fraud prevention measures. In addition, ensure that third-party service providers:

    • Perform effective risk management and implement appropriate controls;
    • Properly maintain and conduct regular testing of their security controls simulating potential risk scenarios;
    • Are contractually obligated to provide security incident reports when issues arise that may affect the institution.

Perform security monitoring, prevention, and risk mitigation

Ensure protection and detection systems, such as intrusion detection systems and antivirus protection, are up-to-date and firewall rules are configured properly and reviewed periodically. Establish a baseline environment to enable the ability to detect anomalous behavior. Monitor system alerts to identify, prevent, and contain attack attempts from all sources. In addition,

    • Follow software assurance industry practices for internally developed applications;
    • Conduct due diligence of third-party software and services;
    • Conduct penetration testing and vulnerability scans, as necessary;
    • Promptly manage vulnerabilities, based on risk, and track mitigation progress, including implementing patches for all applications, services, and systems;
    • Review reports generated from monitoring systems and third parties for unusual behavior.

Protect against unauthorized access

Limit the number of credentials with elevated privileges across the institution, especially administrator accounts, and the ability to easily assign elevated privileges to access critical systems. Review access rights periodically to confirm approvals are still appropriate to the job function. Establish stringent expiration periods for unused credentials, monitor logs for use of old credentials, and promptly terminate unused or unwarranted credentials. Establish authentication rules, such as time-of-day and geolocation controls, or implement multifactor authentication protocols for web-based control panels. In addition,

    • Conduct regular audits to review the access and permission levels to critical systems for employees and contractors;
    • Implement least-privilege access policies across the entire enterprise. In particular, do not allow users to have local administrator rights on workstations;
    • Change default password and settings for system-based credentials;
    • Prevent unpatched systems, such as home computers and personal mobile devices, from connecting to internal-facing systems;
    • Implement monitoring controls to detect unauthorized devices connected to internal networks;
    • Use secure connections when remotely accessing systems and services (e.g., virtual private networks).

Implement and test controls around critical systems regularly

Ensure appropriate controls, such as access control, segregation of duties, audit, and fraud detection and monitoring systems, are implemented for systems based on risk. Limit the number of sign-on attempts for critical systems and lock accounts once such thresholds are exceeded. 

Implement alert systems to notify employees when baseline controls are changed on critical systems. Test the effectiveness and adequacy of controls periodically. Report test results to senior management and, if appropriate, to the Board of Directors or a committee of the Board of Directors. Include in the report recommended risk mitigation strategies and progress to remediate findings. In addition,

    • Encrypt sensitive data on internal- and external-facing systems in transit and, where appropriate, at rest;
    • Implement an adequate password policy;
    • Review the business processes around password recovery;
    • Regularly test security controls, such as web application firewalls;
    • Implement procedures for the destruction and disposal of media containing sensitive information based on risk relative to the sensitivity of the information and the type of media used to store the information;
    • Filter Internet access through web site ‘whitelisting’ where appropriate to limit employees’ access to only those web sites necessary to perform their job functions;
    • Conduct incremental and full backups of important files and store the backed-up data offline.

Manage business continuity risk

Validate that business continuity planning supports the institution’s ability to quickly recover and maintain payment processing operations. In addition,

    • Coordinate business continuity development and testing with all applicable third parties;
    • Coordinate testing with other industry players.

Enhance information security awareness and training programs

Conduct regular, mandatory information security awareness training across the financial institution, including how to identify and prevent successful phishing attempts. Ensure training reflects the functions performed by employees.

Participate in industry information-sharing forums

Incorporate information sharing with other financial institutions and service providers into risk mitigation strategies to identify, respond to, and mitigate cybersecurity threats and incidents. Since threats and tactics can change rapidly, participating in information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), can improve an institution’s ability to identify attack tactics and to successfully mitigate cyber attacks involving destructive malware on its systems. In addition to the FS-ISAC, there are government resources such as the U.S. Computer Emergency Readiness Team (US-CERT) that provide information on vulnerabilities. The US-CERT portal may be found at

Compliance Question of the Week

If we have a business that is opening an account that is exempt from paying taxes, do we still have to require that they certify their TIN on the W-9 form?

Yes. The W-9 (or W-8BEN) should be filled out regardless of the tax status of the business or individual.


IRS Instructions for Form W-9

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA announced the release of a three-part video series that focuses on credit union succession planning.

The video for the May 2016 board meeting is now available.

The NCUA announced that state credit unions are showing growth in loans, assets, and shares, with Washington State being among the states with the highest median growth rates for loans.

Consumer Financial Protection Bureau (CFPB)

The CFPB released a new online guide aimed at helping consumers evaluate costs while shopping for auto loans.

CFPB Director Cordray delivered a prepared speech to the Consumer Advisory Board, focusing on the CFPB’s Know Before You Owe auto loan initiative.

Federal Reserve Board (FRB)

The FRB released its First Issue 2016 Consumer Compliance Outlook, which includes Q&As on the flood rules, TRID webinars, and a compliance alert.

The FRB delivered its annual Report to Congress on the Profitability of Credit Card Operations of Depository Institutions.

Office of the Comptroller of the Currency (OCC)

The OCC has issued a bulletin on the Servicemembers Civil Relief Act, reminding institutions about the extension of time periods for certain protections. The extended protections include those related to mortgaged property.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC issued a statement advising institutions to manage their risks associated with interbank messaging and wholesale payment networks.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of June 9, 2016. The last update prior to this was June 3, 2016.

Questions? Contact the Compliance Hotline: 1.800.546.4465,
