BSA/AML Compliance Regulations Your Credit Union’s IT Team Should Know

Because of the increasing level of cyber threats to banks and credit unions, the Federal Financial Institutions Examination Council (FFIEC) puts significant demands on IT departments in the form of “guidance.” FFIEC guidelines are very hard to meet without the help of a qualified managed service provider (MSP).

More than just compliance is at stake. Financial institutions face new and innovative competition from non-traditional players such as PayPal or former vendors such as credit card companies. Meeting the challenge to both innovate and protect the customer experience will require the help of informed IT professionals.

By now, most employees are very familiar with regulatory compliance policies. The IT Security regulations are contained within both the Bank Secrecy Act and the collection of US Anti-Money Laundering laws, hence the acronym BSA/AML. The FFIEC conveniently documents the relevant regs in one place commonly referred to as Part 748 Section 353.

The Board of Directors is responsible for IT Security. The Board must approve an IT Security policy and supervise its operation. They delegate the day-to-day IT Security operation to whomever they choose, but as far as the examiners see it, it is the Board who must answer for deficiencies. This fact should elevate the seriousness with which every member of the IT department takes security.

A Policy of IT Security Best Practice


The credit union must develop and strictly adhere to a written and readily available IT Security Policy. The policy will contain specific language about how the institution will:

  • protect the “security and confidentiality of member records,”
  • protect against the “anticipated” threats or hazards to the integrity of those records,
  • respond to and report security breaches,
  • provide details helpful in identifying abusers of sensitive data, and
  • prevent destruction of vital data.

The policy holds the credit union (and thus its IT department) accountable to methods and timed responses. For example, if the policy states that security breaches will be reported within 24 hours of discovery, then the IT department must be able to provide details about what was affected, how it took place, and what is known about the participants in the event within 24 hours of discovering it, even if it happened at 3:00 AM. Likewise, if the policy states that bank data will be archived off-site and restored to use within 24 hours should there be a disastrous event, the IT department is responsible for delivering on that promise even if the size of the data files increases exponentially.

Sustainable IT security best practice will help Credit Unions both compete and comply.

The FFIEC recommends instilling a culture that “contributes to the effectiveness of the IT Security program.” The IT department can do much to raise awareness of the threats to bank security and their mitigation. For example, because phishing continues to be effective for attackers, the IT department should be involved in training employees in responsible or “defensive” email use. It should help employees identify unencrypted web sites even when they are at home or with other family members, and employees should understand the risks inherent in social media.

Federally insured credit unions are required to regularly perform risk assessments and security audits. This work includes remediation, patch management and updates, firewall monitoring, asset inventory management, and the like. Vulnerability assessments must also be performed. Such work should be done by parties who neither designed the network architecture nor are responsible for maintaining it. This independence provides assurance to the Board.

The IT Department should play a major role in ensuring the credit union doesn’t bite off more than it can chew in terms of technology. It is left up to the credit union to provide the resources needed to meet the standard of accountability that a basic IT Security policy defines. However, the scope of work is enormous, and it is generally well outside the resources of an understaffed IT department.

Managed services for credit unions can add strategic value. They can help the financial institution to:

  1. reduce the time and resources needed for routine matters.
  2. gain access to an unbiased IT professional for independent reviews and audits.
  3. minimize the costs and risks from IT Security compliance.

DC Plus brings IT performance and compliance to credit unions with regular 1-, 12-, and 18-month security and vulnerability assessments, patch management, managed AV, and firewall with threat management services (content filtering, AV, SSL inspection, etc.) in addition to regular employee security training!