Congress Acknowledges Outdated Banking Laws

Event Summary

On October 22, the White House and Congress agreed to change outdated US banking laws. Until this agreement was reached, the White House had promised to veto the banking reform bill. Details of the compromise have reportedly not yet been disclosed. The new legislation is intended to replace banking laws written during the Depression era with laws suited to the Year 2000 era.

Currently, FDIC policy only "encourages" banks to perform information security audits. If a bank does decide to have an information security audit done, the "independent" security auditor is hired and paid by the bank, which creates a conflict of interest. Moreover, today's banks are not qualified to judge which Information Technology consultants perform quality audits. A big-name, well-known consulting house is no guarantee of an exhaustive, high-quality information security audit, and every consultancy that performs such audits does them differently.

The FDIC reviews these optional audits and assigns the financial institution what is called a URSIT rating. URSIT stands for Uniform Rating System for Information Technology, and the rating is an indicator of how well a bank manages its internal information technology systems, including their security. Currently, the FDIC has no documented procedures for how URSIT ratings are assigned, and a bank's URSIT rating is made available only to that bank's board of directors.

Market Impact

The October 22nd announcement is a clear admission that today's banking laws do little to take internet banking, and the security of internet banking, into consideration.

When Stephen White, an information review examiner for the FDIC, was asked, "Due to all the security compromises on government systems, how can you expect the general public to have faith in the government's ability to monitor information security at banks?" he responded that today's URSIT ratings are meaningless without facts to support them.

Clearly, banking reform and new regulation are badly needed. An independent auditor, one not paid by the bank's board of directors, should audit every FDIC-insured bank. The FDIC's information security audit should be standardized, and the standard should be presented to private-sector security forums for review.

User Recommendations

Take precautions when banking or making any other financial transaction over the internet.

  1. Ask your bank to see a copy of its Information Security Policy. If it won't let you see it, there is a high probability that it doesn't have one. If a bank has no Information Security Policy, you can bet that information security, and the security of its internet banking, is not one of its priorities.

  2. Ask your bank who the independent auditor was that performed its last information security audit. Then ask that auditor to see its Information Security Audit Vulnerability Service Level Description (SLD). If the auditor has no Information Security Audit SLD, you can be sure it is making up the process as it goes along.

  3. Make sure that your browser is SSL enabled, and that the bank's login page is actually served over SSL: the address should begin with https:// and the browser should report a valid certificate for the bank's domain. SSL encrypts the data in transit, at the application level, between the user's browser and the bank's transaction server, so that it cannot be read by anyone on the network in between. It does nothing for you if you proceed past a certificate warning, because then you have no assurance of which server you are actually talking to.
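As an added illustration of what an "SSL enabled" browser is actually doing, the Python below (example code written for this page; it is not from the original article or from the FDIC) builds a TLS client context with the checks a browser must enforce, namely certificate verification, hostname matching and a floor on the protocol version, audits it next to a deliberately weakened context that skips verification, and provides a live probe of a server. TLS is the successor of the SSL the article refers to; the host names and URLs used are placeholders, not real bank sites.

```python
"""Audit what "SSL enabled" means for a banking session.

Added example, not part of the original article. Host names and URLs
below are placeholders (bank.example), not real institutions.
"""
import socket
import ssl
from urllib.parse import urlparse


def banking_context() -> ssl.SSLContext:
    """The correct setting: verify the server certificate against the
    system trust store, check that it matches the host we asked for,
    and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The weak setting, shown for contrast: the connection is still
    encrypted, but any server at all can present any certificate, so
    you have no idea whose server you are sending credentials to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which of the three browser-grade checks a context enforces."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def login_url_is_protected(url: str) -> bool:
    """True only for an https URL with a host part (the padlock case)."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live check of a server (needs network): returns the negotiated TLS
    version and the certificate's common name. A certificate that fails
    verification or does not match `host` raises ssl.SSLError, which is
    exactly the browser warning you should never click through."""
    ctx = banking_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # subject is a tuple of RDNs, each a tuple of (name, value) pairs
            subject = dict(rdn[0] for rdn in cert["subject"])
            return tls.version(), subject.get("commonName")


if __name__ == "__main__":
    print("hardened :", audit_context(banking_context()))
    print("weakened :", audit_context(unverified_context()))
    print("https ok :", login_url_is_protected("https://bank.example/login"))
    print("http  ok :", login_url_is_protected("http://bank.example/login"))
    # probe("bank.example")  # placeholder host; uncomment for a live check
```

Run it as-is to see the two contexts side by side; pass a real host to `probe()` to see what your own bank negotiates. The point of the contrast is that encryption alone is not the protection: without `verify_mode = CERT_REQUIRED` and `check_hostname = True` the browser has no way to tell the bank's server from an impostor on the path.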
