It seems as though financial institutions are constantly keeping up with the Joneses when it comes to the features they offer for home banking. Just recently, Chase Bank announced Person-to-Person Quick Pay. This feature lets its customers send money to virtually anyone, so long as the individual has an email address or phone number. Features like these are catching the eyes of credit union members as well as examiners from various regulatory agencies. Because these features rely heavily on IT systems, a strong set of internal controls surrounding them is imperative to protect your members’ information and money.
Many financial institutions outsource some of their flashier applications, such as bill pay, to third parties. Other times, smaller institutions have to rely on a third party for services like credit and debit card interchange processing. It’s important to know what controls those vendors have in place to protect your members’ confidential information, and which controls your own institution is responsible for addressing and ensuring are in place. Depending on your type of financial institution and the services provided, you or your vendor may be required to have a SOC 1, SOC 2 or SOC 3 examination. It’s up to you to make sure that your vendors are top notch and their examinations are up to date.
Even the most diligent vendors and service organizations can fall short of proper controls if the processes are not followed through on the credit union’s end. At smaller financial institutions, it can be difficult to ensure that individuals have the appropriate access and authorizations. IT controls can sometimes become a twisted maze of confusion, and GBQ’s Risk Advisory Services is a great way to gain knowledge and advice on anything related to them. Working with a consultant who will coach and advise you in this area is a great way to reduce the likelihood of breaches of your information.
*Thank you to Dan Conway, Assurance Staff, for his contributions to this post.