Best Practices & Common Pitfalls for Financial Institution ISOs

Manager at a Company (USA)
Being an Information Security Officer (ISO) can be a challenging task as today’s threat environment is continuously changing. Join us on March 15th for Best Practices & Common Pitfalls for Financial Institution ISOs as we walk you through the most practical and high priority items your ISO should be focusing on today. Register here:

"Secure or Not Secure, that is the Question" - Google

Manager at a Company (USA)
Google recently announced that beginning in July 2018, with the release of Chrome 68, web pages loaded without HTTPS will be marked as "not secure". At first, a change like this can seem like another way for Google to earn more money: the safer you feel on the web, the more time you'll spend interacting with Google services and advertisements. While probably true in this case, it doesn't diminish the fact that this is a very good change for everyone using Chrome. All users can benefit from a better visual representation showing that the site they are currently visiting may not be secure.

HTTPS offers two major security benefits when compared to HTTP:

* First, it allows the certificate to confirm that the website you are visiting is the website you intended to visit (which is why training users on checking certificates is always recommended).
* Secondly, HTTPS allows client-to-server communication to be encrypted, thus protecting the traffic from Man in the Middle attacks.

While Google has made a major change to protect its users, it is still crucial to understand that HTTPS browsing is not a silver bullet. Malicious content CAN be, and often IS, hosted on HTTPS websites.

What does this change mean for you? If you are a Chrome user, you can feel happy knowing that you will have a better visual representation that the site you are on is not secure. If your organization has a website that uses HTTP, you may want to migrate to HTTPS. Otherwise, Chrome users that visit your site will see an ominous sign indicating that your website is "not secure" and may navigate to a competitor's site. For more information, see the Google announcement included at this link.
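The first benefit in the post above, that the certificate lets the browser confirm you reached the site you intended, comes down to hostname matching against the certificate's subjectAltName entries. The block below is an added example, not code from the post or from Google; it re-implements the matching rules browsers follow (case-insensitive labels, a wildcard only as the whole leftmost label, matching exactly one label) and then maps a URL plus a certificate to the indicator Chrome 68 would show. All hostnames and certificate dictionaries are constructed for illustration and are shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The phishing-style host at the end is included to show the post's caveat: a certificate that is perfectly valid for a lookalike name still earns a "Secure" indicator.

```python
from urllib.parse import urlsplit

# Constructed certificates (not real), in the dict shape returned by
# ssl.SSLSocket.getpeercert() after a successful handshake.
BANK_CERT = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"),
                       ("DNS", "*.examplebank.test")),
}
# A lookalike host with its own, legitimately issued certificate.
PHISH_CERT = {
    "subject": ((("commonName", "examplebank.test.login-verify.test"),),),
    "subjectAltName": (("DNS", "examplebank.test.login-verify.test"),),
}


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by one of the certificate's DNS SAN entries.

    Only subjectAltName DNS entries are consulted; the Common Name is ignored,
    as modern browsers do. A wildcard must be the entire leftmost label, must
    leave at least two fixed labels to its right (so "*.test" is rejected), and
    matches exactly one label: "*.examplebank.test" covers
    "online.examplebank.test" but neither "examplebank.test" nor
    "a.b.examplebank.test".
    """
    host = _labels(hostname)
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = _labels(value)
        if len(pat) != len(host):
            continue                      # wildcard never spans label boundaries
        if any("*" in p for p in pat[1:]):
            continue                      # wildcard only allowed in the leftmost label
        if "*" in pat[0] and pat[0] != "*":
            continue                      # partial wildcards such as "f*.example" rejected
        if pat[0] == "*" and len(pat) < 3:
            continue                      # refuse "*.tld"-style wildcards
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


def indicator(url: str, cert) -> str:
    """Map a URL and the presented certificate to the Chrome 68 address-bar state."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "Not secure"               # plain http:// pages get this label
    if cert is None or not hostname_matches(cert, parts.hostname or ""):
        return "Certificate error"        # full-page interstitial, not a padlock
    return "Secure"


if __name__ == "__main__":
    for url, cert in [
        ("http://www.examplebank.test/", None),
        ("https://www.examplebank.test/login", BANK_CERT),
        ("https://www.examplebank.test/", PHISH_CERT),
        ("https://examplebank.test.login-verify.test/", PHISH_CERT),
    ]:
        print(f"{indicator(url, cert):18} {url}")
```

The last line of the sample run is the point of the caveat: the lookalike host presents a certificate that genuinely belongs to it, so every check passes and the user sees "Secure". The indicator says the connection is to the named host and is encrypted; it says nothing about whether that host is the one the user meant.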

QualiFile (ChexSystems) on Beneficial Owners

Person at a bank ($3.3B, USA)
We pull QualiFile (ChexSystems) on all new customers, and I do know ChexSystems is considered a credit report under the FCRA. We use QualiFile as a non-documentary verification and for OFAC checking. I have heard discussion about how this could be an FCRA issue when pulling a QualiFile on a beneficial owner that is not a signer on the account and has no relationship to the account other than its ownership of the legal entity. Some argue that there is no business purpose to be able to pull this on a beneficial owner. I would like to know if anyone else uses QualiFile (ChexSystems) at account opening as well, and whether they plan to continue to use this to OFAC check beneficial owners or will do a more manual process to OFAC check the beneficial owners if they are not a signer.

Beneficial Ownership

Employee at a bank ($206M, USA)
I understand that we have to CIP, under the ownership prong, all who have at least 25% ownership, and at least one person under the control prong. I can possibly see situations in our bank where one of the owners may or will fit into both categories. Can we use their CIP under the ownership prong and also use the same individual under the control prong, or does the control prong have to be someone totally different from the ownership prong? I have my opinion but wanted to see what others might think. Thank you in advance for any input.

Gun Control

AVP at a bank ($522M, USA)
Hello. We recently had a customer ask if our bank or any of its affiliated entities support, do any business with, make loans to, or have holdings associated with the NRA, gun manufacturers, or related organizations/companies (either locally or nationally). This question was sent by email with a subject line of "cleaning house". Given the current events, this topic is extremely controversial and I'm struggling with a response. Does anyone have thoughts on this? Thank you!

Counterfeit Check Return

Person at a bank ($228M, USA)
We received a letter from Bank of America with a uniform indemnification agreement about a counterfeit check that one of our customers deposited. They are asking us to immediately send them a cashier's check and are emailing to see how soon it will be. Has anyone had a situation like this, and how did you handle it?

CTR Question

Person at a credit union ($97M, USA)
First transaction: the member deposited $15,710.00 into her savings account. Second transaction: the member then withdrew $1,300.00 from her checking account. Do I document this on the CTR as multiple transactions, and do I add it in item 22 and item 27?


AVP at a bank ($204M, USA)
If court documents are presented to change a customer's guardian, permitting the guardian to close the account and dispense the funds as instructed, does the bank need to document the new guardian on a revised signature card, or is the court document sufficient to accommodate the new guardian?

Successor in Interest

AVP at a bank ($148M, USA)
Has anyone completed their policy for this? I am looking for some examples of what other banks are doing for this new servicing rule going into effect on April 19th.