In the latest regulator reaction to recent card breaches, the Office of the Comptroller of the Currency has revised its guidance with respect to merchant processing risk management for banks and financial institutions (including community banks).
The revised "Merchant Processing" section of the Comptroller's Handbook "provides updated guidance to examiners and bankers on assessing and managing the risks associated with merchant processing activities" and includes updated guidance on:
- selection of third-party organizations and due diligence
- technology service providers
- on-site inspections, audits, and attestation engagements, including the "Statement on Standards for Attestation Engagements" (SSAE 16) and the "International Standard on Assurance Engagements" (ISAE 3402)
- data security standards in the payment card industry for merchants and processors
- member alert to control high-risk merchants (MATCH) list
- Bank Secrecy Act/Anti-Money Laundering compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity
- appropriate capital for merchant processing activities
Per a BankInfoSecurity post, "More card breaches are being traced back to the breach of a third party, banking regulators and industry advisory boards say." And, "In early August, Troy Leach, chief technology officer of the PCI Council, in speaking about recently released version 3.0 of the PCI Data Security Standard, said recent research has shown that 65 percent of all data breaches involve a third party and 45 percent involved retailers."
This updated guidance also flows from increased regulatory attention to third-party vendor issues (described in prior Business Advocate posts: "Vendor Risk Management: When Companies Cease Their Vigilance, Evil (Or At Least Negligence) May Prevail" and "When Dealing With Vendor Risk, Risk Management Plans Are Nothing; Risk Management Planning is Everything"). With this guidance, the OCC's focus has narrowed to card-payment risks, especially the role of third parties in the exposure of card data during processing. Per the OCC, "The potential exists for legal liability related to customer privacy breaches" and "The bank's GLBA risks when dealing with a third-party processor that possesses confidential customer information are the same as the risks when the bank possesses the information."