Category: Compliance

02 Jul 2020
Keys to Develop a Compliant Business Continuity Management Program

Keys to Develop a Compliant Business Continuity Management Program

Keys to Develop a Compliant Business Continuity Management Program

Financial institutions (and examiners) are still adjusting to the Federal Financial Institution Examination Council’s (FFIEC) 2019 update to its BCP IT Examination Handbook. The handbook, now renamed Business Continuity Management (BCM), included several updates to the previous 2015 guidance. According to the FFIEC, BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

To ensure financial institutions do this effectively, the FFIEC expanded the original BCM process.

The previous handbook encouraged institutions to adopt a four-step approach:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management (essentially, recovery procedures), and
  4. Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

  1. Risk Management (Business Impact Analysis, Risk/Threat Assessment)
  2. Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
  3. Training & Testing (aka Exercises)
  4. Maintenance & Improvement
  5. Board Reporting

Additionally, the business continuity management process outlines 10 key steps financial institutions must complete to achieve a more enterprise-wide approach and meet examiner expectations. This is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance.

The FFIEC handbook also provides a more detailed break-down of the BCM lifecycle:

  1. Oversee and implement resilience, continuity and response capabilities
  2. Align business continuity management elements with strategic goals and objectives
  3. Develop a business impact analysis to identify critical functions, analyze interdependencies, and assess impacts
  4. Conduct a risk assessment to identify risks and evaluate likelihood and impact of disruptions
  5. Develop effective strategies to meet resilience and recovery objectives
  6. Establish a business continuity plan that includes incident response, disaster recovery, & crisis/emergency management
  7. Implement a business continuity training program for personnel and other stakeholders
  8. Conduct exercises and tests to verify that procedures support established objectives
  9. Review and update the business continuity program to reflect the current environment and
  10. Monitor and report business resilience activities.

As many of these items were part of the previous guidance, here is a checklist consisting of required elements that may be missing from your program:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPO)
    • Recovery time objectives (RTO) for each business process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?
  4. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  5. Do you track and resolve all issues identified during testing exercises, and use lesson-learned to enhance your program? (Must be documented)
  6. Does your Board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

If you would like to make sure your BCM is up to date with the latest regulatory expectations, a complimentary plan review is the best place to start.

25 Jun 2020
What is My Bank's Cybersecurity Posture Compared to My Peers?

What is My Bank or Credit Union’s Cybersecurity Posture Compared to My Peers?

What is My Bank's Cybersecurity Posture Compared to My Peers?

It is important to understand your institution’s cybersecurity posture to find out where you stand in regard to cyber threats and what you need to do to create a more secure environment. It’s a delicate balance because being behind on your cybersecurity posture means your institution is less secure than it should be but being ahead likely means that you are investing in resources that you may not need. Unfortunately, it’s almost impossible to do a true peer-to-peer comparison because there are just too many variables between even similarly sized financial institutions to obtain a useful analysis. Here’s why:

Every Institution Has a Unique Model

When we implement information security or business continuity programs for banks and credit unions, we start with a process called “Enterprise Modeling” where we identify the departments, the processes, and the functions that make up each individual financial institution. What this process typically reveals is that if you model out two financial institutions that look identical in terms of geographic area, demographic customer or member base, size and complexity, the results will almost always be significantly different since each institution has a unique operating model based on their specific services, organization, processes, and technologies.

Cyber Risk Appetite Is a Key Variable

Cyber risk appetite is another factor that often differentiates your institution from your peers. Safe Systems’ Compliance Guru defines risk appetite as “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” For example, let’s say we have two financial institutions that seem equivalent in outward appearance. Based on their strategic plan, one institution has decided to take a more aggressive cybersecurity posture to electronic banking products and the other has decided to take a more conservative approach. Because the level of risk varies by the approach, you simply cannot accurately compare the two institutions.

The Best Way to Evaluate Cybersecurity Posture

At Safe Systems, we recommend allowing your bank or credit union’s information to stand on its own. To truly improve your cybersecurity posture, you must examine where you are based on where you need to be — not where a peer may be in the process. Carefully evaluate your risks (including areas of elevated risk), and the controls you have in place that offset those risks. Then, examine the best control groups to apply against those areas of elevated risk and develop an action plan to take your institution from where you are now, to where you need to be. Then, when you conduct this process again next year, you can demonstrate steady progress to both examiners and your Board.

Holding Steady May Cause You to Fall Behind

In addition, just because your inherent risk profile isn’t increasing from one assessment to the next, this doesn’t necessarily mean your control maturity levels shouldn’t increase. The risk environment is constantly evolving, so holding steady on your controls may actually mean your cybersecurity resilience is decreasing. Making incremental increases in your control maturity levels will help keep you ahead of the latest threats.

For more information about improving your cybersecurity posture, watch the full “Banking Bits and Bytes Super Duper CEO Series,” below or view our other cybersecurity resources.

18 Jun 2020
Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

  • Review all guidance and issues related to their institution and become familiar with any changes that might impact them
  • Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments
  • Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

  • Analyzing potential threats
  • Assessing the technology required
  • Managing access controls and security
  • Conducting regular data recovery test
  • Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”

12 Jun 2020
The “Inherited” Risk – Assessing and Reporting on Vendor Risk

The “Inherited” Risk – Assessing and Reporting on Vendor Risk

The “Inherited” Risk – Assessing and Reporting on Vendor Risk

Vendors are the largest source of non-preventable risk for a financial institution, so it is critical that banks and credit unions carefully evaluate, monitor, and manage all vendor relationships to remain compliant and reduce risk. Additionally, institutions must be able to accurately assess risk, implement adequate controls, and provide all stakeholders (including regulators, management, and the Board) with appropriate reporting to convey the overall status of the vendor management program at any point in time.

Assessing Vendor Risk

The first step in vendor risk management is to perform a risk assessment to evaluate your level of inherent risk. This must always be done first so that you can then identify and implement the proper controls. If the controls selected do not completely offset the risks identified, then alternate or compensating controls would need to be identified in order to achieve a level of residual risk that is within your risk appetite.

Depending on the information you get from the risk assessment, you can clearly map out the level of inherent risk based on the vendor’s access to data and systems and the level of criticality for each vendor. These results will provide the information you need to control the risks, and ultimately report the overall results of your vendor management program to your key stakeholders.

When conducting a risk assessment you want to include all vendors but focus particularly on your critical vendors. A critical vendor is defined as one that either provides a product or service that is a key interdependency of one or more of your products or services, or one that stores, processes, or transmits non-public customer or confidential information.

Once you’ve established the initial or inherent risk level, you can identify one or more controls to off-set the risks. Typically, you want the vendor’s third-party audit report or SOC report; audited financials; insurance binders; a copy of their incident response and disaster recovery plans; and any testing the vendor has done on these plans. If you can’t obtain a SOC report, you’ll need compensating controls to determine their network security. Ask if they have an information security program and if they’ve conducted any vulnerability and penetration testing. You should also request a report of examination (ROE) from your primary federal regulator on your core provider.

Reporting to Stakeholders

When reporting to the various stakeholders within your institution, many of the reports are relatively similar, but the level of detail will be slightly different for each stakeholder group.


The primary stakeholder that financial institutions must report to is the Board. When presenting to the Board, reporting does not generally need to be highly detailed and should provide a brief, high-level summary of the overall program.

Additionally, it is not necessary for the Board to see this report every time they meet. The requirement is to present an annual update, but we recommend reporting more often if the pace of internal change dictates (whether twice a year or quarterly) to show you are adequately managing vendor risk on an on-going basis. Here is an example of what a Board report should look like:

Sample Report for Vendor Management


The management committee (i.e. IT Steering) requires a bit more detailed information than the Board does, and unlike Board reporting frequency, IT should report to the management committee every time they meet. If your management committee meets on a monthly basis, you should produce a report each month as well and communicate this information to the committee. Management needs to know what you’re doing; what you’re not doing; what you’re behind on; and have a good understanding of your progress.

Sample Report for Vendor Management   Sample Report for Vendor Management


Regulators typically review the same reports as your board and committee. However, auditors and examiners will tend to take a deeper dive into your vendor management program and want to review everything you have on your critical vendors. They are looking to see if you’ve done a risk assessment and if you have identified the reports from the vendor that will line up with, control, and offset the risks you identified in the risk assessment. The report you present to examiners and auditors may have more of a narrow but deeper focus, taking a more detailed view of your most critical vendors.

View Our Vendor Management Resources

21 May 2020
The Value of Network Reporting for Community Banks and Credit Unions

The Value of Network Reporting for Community Banks and Credit Unions

The Value of Network Reporting for Community Banks and Credit Unions

With increased cyber-attacks, shared data with third-party vendors, and strict regulatory requirements, community banks and credit unions have high standards to meet for information security. Adequate oversight and network reporting on the information security program is needed to ensure the proper controls are in place and that all stakeholders have visibility into the network.

In a recent webinar, Safe Systems shared some key observations on the need for financial institutions to have better communication and reporting between IT staff, the compliance department, and senior management. Here are a few key points to consider:

  1. Gaps Between IT Staff and ISO/Compliance Teams
  2. In many financial institutions, there is a lack of synergy and communication between the IT department and the information security/compliance team. Many ISOs simply do not have the technical background to fully understand how information is being protected. They tend to be more focused on vendor management, business continuity management, and performing risk assessments and less familiar with how systems are getting patched; if machines have antivirus; or if backups are updated consistently. It can be difficult to communicate effectively if ISOs don’t understand the IT world or don’t have visibility into network reports and the necessary information to do their job.

  3. Oversight to Better Manage Controls
  4. Because bank and credit union IT staff are human, sometimes errors will occur. While financial institutions have many technology solutions that automate IT functions and controls, oversight is required to ensure that the controls are adequate, working, and therefore mitigating risks. Without appropriate oversight, any gaps in the network can lead to a successful cyber-attack. Similarly, a finding during an exam that shows certain controls were implemented ineffectively can also leave the institution vulnerable.

  5. Limited Access to Reports
  6. Too often, when ISOs conduct a review of the information security program, the reports they receive are vague or too technical to decipher the key insights most important to the ISO role. Other key stakeholders, like the Board and senior management, also may need more access to high-level reports to better identify threats, assess risk, and make decisions on the appropriate controls to implement.

    Without access to adequate reports, the ISO and other stakeholders can become overly reliant on the IT team to explain what is happening on the network without having the ability to verify that information independently.

To learn more about information security reporting and get a demo of our NetInsight ™ cyber risk reporting tool, watch our webinar, “NetInsight: Trust But Verify.”

22 Apr 2020
Reading Between the Lines: Recent Regulatory News

Reading Between the Lines: Recent Regulatory News

Reading Between the Lines: Recent Regulatory News

March 30, 2020 – Federal Reserve Statement on Supervisory Activities from

The Compliance Guru has introduced a new series, “Reading Between the Lines: Recent Regulatory News,” designed to help community banks and credit unions better understand new regulations and updates.

His first post of reviews the recent Federal Reserve Statement on Supervisory Activities.

Read the full post to get a breakdown of:

  • Where did it come from, and where can I find it?
  • Who needs to know about it?
  • Why was it Issued?
  • What does it say?
  • What did it NOT say (but the Guru wants you to know)?
16 Apr 2020
Building a Pandemic Response Plan

Building a Pandemic Response Plan: What Are the Requirements for Community Banks and Credit Unions?

Building a Pandemic Response Plan

As COVID-19 continues to spread around the world, financial institutions have been forced to respond to this pandemic in new and innovative ways to stop the spread of the virus; protect their employees and the public; and keep their doors open and operations running smoothly to serve their customers and members. Community banks and credit unions are referencing the Pandemic sections of their business continuity management plans to determine the best way forward for their institutions during this challenging time. With the Federal Financial Institution Examination Council’s (FFIEC) recent business continuity management (BCM) guidance, many financial institutions are first of all wondering what has changed in the guidance, and second what specific additional changes this particular event might require.

Pandemic Planning

Since 2007, financial institutions were required to have a separate pandemic plan, and regulators only looked for documentation that institutions were testing their plans periodically. Unfortunately, the pandemic section of the business continuity plan (BCP) has tended to be treated as more of an afterthought since these situations have historically occurred much less often than natural disasters or other business interruptions. If they were assessed at all, they fell into the category of a high impact, low probability event.

Notwithstanding COVID-19, pandemics are still low probability events, but the impact of these events may be far more significant than past risk assessments have indicated. In what may now be perceived as an untimely move, the FFIEC made the decision in the 2019 BCM update to deemphasize Pandemic by categorizing it the same as any other disruptive event. The FFIEC no longer requires financial institutions to have a separate pandemic plan, but instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters.

In other words, your BCM plan is your pandemic plan, and you must analyze the impact a pandemic can have on your organization; determine recovery time objectives (RTOs); and build out a recovery plan. You must also include a methodology to determine the key triggers your organization will use to activate your recovery plan when faced with a pandemic. But when should you activate your recovery plan and who is in charge of this process?

Pandemic Response

CDC Intervals of a Pandemic

Before a recovery plan is activated, it is important to have an initial response team (typically comprised of C-Level executives) evaluate the situation and assess the potential impact of the current event on the institution. The team must determine if the situation is likely to negatively impact the institution’s ability to provide products and services to their customers or members beyond the established recovery time objectives outlined in the BCM plan.

The same rules apply in a pandemic. Community financial institutions should use the six pandemic phases outlined by the World Health Organization (WHO) or the Center for Disease Control (CDC) to evaluate the severity of the situation.

In most cases, the pandemic portion of the plan is not triggered for activation until phases 4-5 (or if between 20-40% of your workforce is not available to work).

What Regulators Expect

During a pandemic, regulators expect financial institutions to continue offering products and services to customers/members and conduct operations as normally as possible. This underscores the importance of including succession planning and cross training in the BCM plan. In the past, assumptions used to simulate a pandemic were that phases 4-5 wouldn’t last more than a week or two, so most financial institutions may only have planned for one person to be identified and pre-trained to step into a critical role until the event was over. However, the COVID-19 pandemic is a global crisis currently impacting at least 183 countries and territories and is predicted to impact many more people, and take much more time to contain.

To ensure critical functions continue, financial institutions should have at least two or three alternate staff members trained for every primary resource within the institution and assess whether some roles can be performed remotely. This can be difficult for smaller institutions with limited staff and resources. For specialized functions dominated by key personnel, such as funds management, wire services, human resources, etc., these institutions may not have multiple alternatives to step in if key employees are unavailable. In these circumstances, you may need to have other cross-trained staff members identified who can step into these roles quickly.

Next Steps: Lessons Learned

There will be many more lessons learned after the COVID-19 pandemic has passed, and regulators will expect those lessons to be reflected in your plan. When all is said and done, regulators are likely to ask “what have you learned from this event, and what have you done to enhance your pandemic plan based on those lessons learned?” Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time? Since interdependencies include employees, and pandemic events almost exclusively impact personnel, have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access? If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

The answers to these questions, and many more, will be used to enhance the pandemic section of your BCM plans, but until we reach that post-event, lessons-learned point, it’s important for financial institutions to continue to reference their business continuity plans; document the entire process; keep stakeholders informed; and put measures in place to continue serving their customers and members and protecting their employees and the public.

For more information on pandemic response, view our pandemic resource center. Or, if you would like to make sure your BCM is up to date, please request a complimentary plan review to ensure that your business continuity management plan is keeping up with changing regulations.

View Our Pandemic Resources

09 Apr 2020
American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

With ongoing cybersecurity threats; increased use of third-party providers; and constantly evolving regulatory and reporting requirements, the role of the information security officer (ISO) is even more important in today’s complex banking environment than ever before. However, community bank and credit union ISOs often struggle to keep up with the growing number of responsibilities this role requires – often forced to manage critical tasks with limited resources and a lack of segregation of duties.

The Challenge

Nicole Rinehart, Chief Operations Officer at American Pride Bank, ran into this very issue as the sole IT admin at American Pride Bank. Managing all of the ISO responsibilities, including critical activities such as Board reporting and the production of comprehensive reports for examiners, was difficult to manage due to the many manual processes required.

During a regulatory examination, an examiner recommended the bank focus on having more independence within its ISO duties. The Federal Financial Institution Examination Council (FFIEC) states that all financial institutions must have separation of duties for the ISO role. To accomplish this, the bank began evaluating solutions to help streamline processes and ensure complete oversight of all information security activities.

The Solution

Get a CopyImplementing a Virtual ISO to Improve Compliance Posture  Complimentary White Paper

After consideration, American Pride Bank decided to partner with Safe Systems and implement its ISOversight virtual ISO solution. The service includes a suite of applications and programs to help institutions streamline management of key compliance duties including the CAT, BCP, Vendor Management and Information Security.

In this case, the bank was already leveraging individual components of ISOversight. By converting to the virtual ISO service, they gained additional tools, reports, and expert compliance support. An important part of the solution includes monthly meetings with the Safe Systems compliance team to assess the bank’s information security activities and provide guidance.

The Results

With ISOversight, American Pride Bank has improved its overall preparation and communication of the information security program. All key stakeholders in the bank have access to ISO-related items in real-time, and the information security program is more organized and streamlined, enabling the bank to save time on monitoring and reporting.

“The ISOversight solution has been a game-changer for our bank because now we have a robust process in place working with Safe Systems and a full committee of our team members to ensure all tasks are completed accurately and nothing slips through the cracks,” said Rinehart. “It’s so important to have a process like this, especially when you have limited resources. Safe Systems has truly become an extension of our internal team, helping us to stay on track with ISO responsibilities and ensuring we comply with all regulatory requirements.”

To learn more, read the full case study, “American Pride Bank Streamlines Processes and Improves Compliance Reporting with Safe Systems’ ISOversight Virtual ISO Solution.”

31 Mar 2020
Pandemic Resource

Are You Required to Address Your COVID-19 Readiness with Your Customers?

Pandemic Resource

Hey Guru,
Are we required to post any kind of statement to the public or our customers as to our readiness for the COVID-19? If so, can you direct me to the kinds of things we need to say? We are working on an ad to educate our customers on how to use our online products if they are concerned about coming out in public to the branch. Thanks!

I wouldn’t call it a requirement to post a statement, but it’s definitely a best practice. I could easily see the examiners being just fine with your generic Pandemic planning, but next time they come in asking “what specific steps did you take in reaction to the recent COVID-19 event?”

Lots of generic best practices out there (CDC, etc.), and of course your response would depend on your capabilities (encouraging e-banking vs. face-to-face transactions, and e-signatures for physical signatures on loan documents, for example). For some FI-specific resources and more, read the complete blog post at

27 Mar 2020
What Community Banks and Credit Unions Should Do to Combat COVID-19

Facing a Pandemic: What Community Banks and Credit Unions Should Do to Combat COVID-19

What Community Banks and Credit Unions Should Do to Combat COVID-19

As the Coronavirus pandemic continues to rise throughout the world, it is important for community banks and credit unions to effectively carry out their pandemic plans to stop the spread of the virus and implement alternative ways to serve customers or members during this critical time. Safe Systems held a webinar last week covering five things all community banks and credit unions need to do during a pandemic. In this blog, we’ll cover a few of the key points from the webinar.

  1. Pandemic Testing
  2. According to the Federal Financial Institution Examination Council (FFIEC) guidelines, financial institutions need to have a “testing program designed to validate the effectiveness of the facilities, systems, and procedures identified” in their business continuity plan. In a pandemic, it is the people who are affected more than the facilities, so your systems and processes become more impacted than anything else.

    A preventative program has to address:

    • Monitoring outbreaks
    • Educating and providing appropriate hygiene training and tools to employees
    • Communicating with customers and members
    • Coordinating with critical providers and suppliers

    With the pandemic already underway, it can feel counterproductive to conduct a pandemic test for your financial institution. However, we’ve found it’s never too late to test and improve your pandemic plan, even in the midst of a crisis. Make sure you are validating your succession plan and cross training measures by purposely excluding certain key individuals from actively participating in the testing exercises you conduct for your institution. During a pandemic, important individuals may not be in the branch or available every day, so it’s important that you test your plan to make sure the institution can still operate efficiently.

  3. Social Distancing
  4. Social distancing is a term that’s come out of this global pandemic to stop the spread of the virus. The Center for Disease Control (CDC) states that individuals should keep a six-foot minimum distance from others to limit the spread of the virus, but how does this impact the way your financial institution does business? Think of how your teller line, customer service areas, lending offices, etc. are set up. For these more personal, face-to-face interactions, it is important for you to change the location set up to ensure the 6-foot distance is achieved to protect both the customer and employee. Here are some tips from the American Bankers Association® to consider:

    • Require non-customer facing personnel work from home and try limiting interactions of personnel as much as possible in offices.
    • Have staff sign in when they arrive and leave.
    • Designate times for “at risk” customers (because of age or condition) to visit the lobby when no others are allowed.
    • Make loans or open new accounts by appointment only. When you close a lobby, designate one drive-thru for business customers and one for consumers, as their transactions are very different and differentiating the two can help speed transactions.
    • Keep your messaging positive. Don’t not use the word “Closed” on your door or website; instead use “Appointments Available.” Remind customers that banks are never truly closed, thanks to online and digital platforms that provide customers with 24/7 access to their accounts.

    We are posting tips, resources, and FAQs from ABA, FDIC, NCUA, and our own Safe Systems’ experts on the homepage of our website.

  5. Security in Social Distancing
  6. For employees that are able to work from home, providing resources for working outside of the institution is another great option to keep staff and the public protected. If your staff members are working from home, here are a few things to consider to ensure the institution maintains both security and productivity.

    • Do your employees have enough bandwidth at home?
    • Do you have a dedicated VPN device?
    • Do you have a firewall to allow this connection?
    • Can the firewall/device handle the number of devices actively connecting remotely at one time?
    • Do you have enough licenses (if needed) for each user to connect remotely?

    When your staff is working from home, you still must worry about security. You will need to decide how they connect to your network, what device they use, and how that device is secured. For instance, if you are allowing an employee to use their personal computer, then reference your remote access policy. It should include rules for the appropriate cyber hygiene of the remote device (patching, antimalware, etc.), and should be signed by the end-user. OpenDNS offers free security options for DNS lookups on home computers, which is also a good consideration should you need to update or create a home PC access policy and requirements. You may also require multi-factor authentication as an additional precaution to keep the network secure.

Financial institutions provide critical services to their communities and must be able to support customers and have alternate ways of doing business during a pandemic.

If you would like to gain more insights on COVID-19 and listen to a brief Q&A from our compliance team and information security officer, download our recorded webinar, “5 Things Community Banks and Credit Unions Need to do During a pandemic.”


Watch Recorded Webinar


As many community banks and credit unions are still formulating their responses to the pandemic, we’d like to collect and share what steps financial institutions are actively taking to protect employees and customers while maintaining business operations. Please take a few minutes to complete this survey and tell us how your institution is responding to the novel coronavirus (COVID-19) pandemic.


How are you responding to the Pandemic? Take the Quiz