Common Confusions in our Audit Scope

by Heath

I think by now everyone knows that we review every booklet of the FFIEC guidelines, but sometimes there is some common confusion about where our audit scope checklist ends and begins. Let's clear that up.

ACH Self Assessments: Our review does include ACH; however, it DOES NOT count toward your institution's ACH self assessment that needs to be submitted to NACHA by December 1st of every year. Our review is more security focused, such as: dual control, secure transmission out of the bank, secure transmission from the customer, customer limits, agreements, password requirements, etc. NACHA reviews are more transaction and compliance related. I'd go into more depth about those reviews, but as you know now, I DO NOT conduct them.

Red Flags: We touch on Red Flags for preventing identity theft, but that's basically where it stops from an IT perspective. We basically just ensure there is a Board-approved policy, risk assessment and procedures in place. There are full audit procedures that need to be conducted according to examiners, but that IS NOT part of our scope. Our FFIEC technology audit satisfies some Red Flag requirements; however, it IS NOT a full Red Flags audit.

Reg GG: Our reviews DO NOT currently include Reg GG compliance. I'll be honest, there is not a lot of analysis on this regulation just yet, but we do know that financial institutions need to have policies and procedures in place to block restricted gambling transactions according to Reg GG. I also know there are Payment Card BIN codes specifically for gambling institutions. Finally, our compliance experts just finished a Reg GG template in RiskKey, so feel free to conduct your own reviews using that template. Let us know what you think of the template.

Finally, rest assured that if it is related to technology compliance in any way, we will review it and include it in our scope of work.