Industry requirements typically depend on the asset-size of your financial institution. NCUA, FDIC, and other regulators are increasing compliance mandates for small and medium-sized financial institutions. This means that credit unions in Dayton, as well as other Midwest areas, should expect to see some of the following requirements:

• FFIEC Cybersecurity Risk Assessment
• GLBA Information Security Risk Assessment
• Business Impact Analysis
• Business Continuity Planning
• Security awareness training for employees, board of directors, and membership

Whether your organization is based in Dayton, other Ohio areas, or anywhere in the Midwest, a Chief Information Security Officer (CISO) can be critical in helping your financial institution develop an Information Security Program and maintain a strong security posture. Many companies have discovered a virtual CISO (vCISO) to be an effective and cost-efficient way to achieve their goals. A vCISO will perform many of the same functions at a fraction of the cost.

CISO Services should include:

• Security Plan and Risk Assessment Framework 
• Governance and Board Strategy Development
• Corrective Action Plan Development and Execution Strategies
• Compliance Audit Guidance and Assistance
• Policy Development
• Security Awareness Program Development
• Social Engineering
• Incident Response Plan Development
• Business Continuity Planning
• Vulnerability Assessment and Penetration Testing

A Chief Information Security Officer (CISO) earns an average estimated salary ranging from $120,000 – $250,000 annually. This investment may be too much for a small to medium-sized company to handle. Many Dayton-based companies have discovered a virtual CISO (vCISO) to be an effective and cost-efficient way to achieve their goals. A vCISO will perform many of the same functions at a fraction of the cost.

Phishing is the most common method of cyber-attacks. The most common delivery method is through email. These attempts are becoming sophisticated and clever, making detection increasingly difficult for the average employee and/or member.  While you cannot stop all phishing attempts, the following items can significantly reduce the risk of a data breach due to a phishing attempt:

• Email Filtering – Many of the top-recommended filtering software programs will block most spam emails. While this is necessary, it may also create a false sense of security since these phishing attempts are increasing in sophistication.  
• Website Filtering – Companies should have filters setup to prohibit their users from navigating to potentially malicious websites. These websites may contain malware that can be downloaded onto your employee’s devices.
• Phishing Simulation – Building a strong security awareness culture is much like building a muscle. With routine simulation and training, your staff will build these security “muscles”, which helps detect any attempts not stopped by software filters. 
• Security Awareness Training – Security awareness training can improve your staff and make them your “eyes and ears” for cyber-defense. Strong security awareness programs help turn your staff into a human firewall. They should understand how to detect phishing attempts (whether from email, phone, or text), in-person masquerading by social engineers, USB drop attempts, etc.

A BSA compliance job involves assisting and supporting management and coordination of the AML/BSA/OFAC compliance functions corporate wide. A BSA compliance person will direct work efforts to ensure that applicable programs, policies and procedures of the corporation and affiliates comply with BSA/AML/OFAC laws and regulations.

Its creation was to prevent financial institutions from being used as tools by the criminals to hide or launder their ill-gotten gains.

The illegal funds are usually placed into a financial institution in order to layer those funds into different products offered by the financial institution to hide their original source. Then the funds appear to be legitimate when they are withdrawn from the financial institution. This is true whether you are based in Dayton, Midwest, or anywhere around the country.

There are 5 pillars to a good compliance program:

1. System of internal policies, procedures, and controls
2. A designated compliance officers
3. Ongoing employee training
4. Independent audit function
5. Customer Due Diligence

There are 6 steps to develop a compliance culture:

1. Leadership must understand and support compliance efforts
2. Compliance efforts must not be compromised by revenue
3. All departments must share information with compliance
4. Compliance department must have adequate resources
5. Must do independent testing of compliance program by third party
6. Staff must be trained to understand the purpose of compliance and how suspicious transaction reporting is used

The ultimate responsibility for the Bank Secrecy Act (BSA) compliance is with the Board of Directors.

Terrorist financing uses funds for an illegal political purpose, but the money is not necessarily derived from illicit proceeds. Money laundering always involves the proceeds of illegal activity. The purpose of laundering is to enable the money to be “cleaned” and used legally.

FinCEN stands for Financial Crimes Enforcement Network and they are the U.S. Treasury Bureau in charge of managing the Bank Secrecy Act.

A Financial Intelligence Unit. It is FinCEN for the United States. Their job is to receive suspicious transaction reports from financial institutions, analyze those reports and disseminate the findings to law enforcement and other foreign FIU to fight money laundering.

Office of Foreign Asset Control. They administer and enforce economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction.

Financial Action Task Force. They provide anti-money laundering guidance to governmental bodies around the globe. Best known for their 40 Recommendations. There are 9 FAFT style regional bodies in the world.