Interagency Guidance on
Year 2000-Related Fraud Prevention
The Year 2000 computer problem may create opportunities for fraud against financial
institutions and customers. In response, the Federal Financial Institutions Examination
Council (FFIEC) encourages financial institutions to alert their customers about
fraudulent schemes involving the century date change and to mitigate their own risks by
continuing to follow and, where necessary, enhance internal controls and security
procedures.
Customer Awareness Efforts
Bank, thrift, and credit union customers need to be informed about Year 2000-related
fraudulent schemes so they can avoid becoming victims of these illegal activities.
Informed customers can help institutions identify many types of fraud. As noted in the
February 1999 FFIEC Year 2000 Customer Communication Outline and the May 1998 FFIEC
Guidance on Year 2000 Customer Awareness Programs, each financial institution should
educate its customers about the institutions Year 2000 readiness efforts. These
efforts should include information identifying potential risks to customers associated
with the century date change, including possible fraudulent schemes.
As a supplement to an institutions customer communications, the FFIEC has
prepared the attached advisory to inform financial institution customers of this problem.
The "Year 2000-Related Fraud Advisory" encourages customers to become educated
about these fraudulent schemes and to take steps to minimize their risks by, for example,
reviewing the accuracy of financial statements and receipts and promptly reporting
suspicious or irregular activities. Customers should be advised how to contact the
institution if any fraudulent activity is suspected.
The FFIEC encourages financial institutions to distribute the attached advisory to all
customers and to provide additional information on Year 2000 concerns using the
FFIECs "The Year 2000 Date Change" brochure, the FFIEC's "A Y2K
Checklist for Customers," and the Federal Trade Commissions Y2K fraud advisory,
"Y2K?
Y 2 Care: Protecting Your Finances from Year 2000 Scam Artists." Copies of these
documents are available on the FFIEC and FTC Web sites (www.ffiec.gov and www.ftc.gov), or
by calling the FFIEC at (202) 872-7500, or the FTC at (888) USA-4-Y2K.
Institutions also should consider addressing Year 2000 preparedness and fraud
prevention in customer newsletters, hotlines, and outreach events. Financial institutions
may contact their primary federal regulator if they have questions about Year 2000-related
fraud issues and other Year 2000 concerns.
Internal Controls
Century date change efforts should not distract financial institutions from continuing
to maintain adequate fraud deterrence measures. They should continue to have strong
internal controls to prevent, detect, and correct Year 2000-related problems. For example,
financial institutions should continue to:
- Train staff, particularly first line employees such as tellers and customer service
representatives, about potential Year 2000-related fraud risks to their financial
institution and customers, and discuss appropriate responses
- Inform appropriate law enforcement authorities of known or suspected criminal activities
by filing Suspicious Activity Reports in accordance with the FFIEC agencies
reporting rules
- Limit access to remediated computer code to those with a need to know (i.e., trusted
employees and vendors that have undergone security checks)
- Protect against unauthorized access, such as "trap doors," by maintaining
appropriate change management control procedures, including those that address
verification of software changes
- Verify that financial postings and reconciliations are performed properly and promptly
- Monitor large suspense accounts and unreconciled accounts
- Ensure that verifications and call backs are performed for wire transfer instructions
received by facsimile
Security Procedures
Financial institutions should review and adapt, as necessary, security procedures to
protect against Year 2000 related criminal activity. In this regard, management should
review security measures pertaining to cash storage, automatic teller machine use, branch
activity, and electronic transfers. As part of this process, management should continue to
review blanket bond coverage, conduct general and specialized training for appropriate
employees, and adjust staffing requirements as needed. In addition, institutions should
ensure they have clear procedures for coordinating with law enforcement agencies and
parties that provide security, such as courier, armored car, vault, and alarm services. |