Financial Institutions Will Seek Stronger Security Measures from Screening Providers including SOC 2 Reports and NAPBS Accreditation

 trends banner-3

Written By ESR News Blog Editor Thomas Ahearn

With data breaches front page news in 2016, industries dealing with sensitive and confidential information – especially in the financial sector – know ensuring data security from third party service providers is mission critical. The fact that businesses including banks and financial institutions will seek stronger security measures such as SSAE 18 Service Organization Control (SOC) 2® reports and accreditation from National Association of Professional Background Screeners (NAPBS®) from screening providers is Trend Number 3 in the Employment Screening Resources® (ESR) 10th annual ‘ESR Top Ten Background Check Trends’ for 2017.

“It has clearly become a best practice for business with sensitive data such as banks and financial institutions as well and also employers outside of the financial industry who place a greater importance on security – to utilize a SOC 2 report when considering a background screening provider and to also make sure that the screening firm has achieved NAPBS Accreditation,” says ESR founder and CEO Attorney Lester Rosen. The list featuring emerging and influential trends in the background check industry for 2017 will be available at www.esrcheck.com/ESR-Top-Ten-Background-Check-Trends.

Several well-known companies suffered data breaches in 2016. In September 2016, ESR News reported that technology company Yahoo! Inc. confirmed that user account information that may have included names, email addresses, phone numbers, dates of birth, passwords, and security questions was stolen from 500 million Yahoo user accounts by “a state-sponsored actor” in a massive data breach in late 2014. In addition, Important Security Information for Yahoo Users released in December 2016 stated: Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.

A data breach can cost a company millions. In April 2016, Sony Pictures agreed to pay an estimated $15 million to settle a class action lawsuit stemming from a data breach suffered by the studio in November 2014. Sony was also required to provide identity theft protection that could cost an additional $4 million. According to the complaint, Sony Pictures “failed to secure its computer systems, servers, and databases despite weaknesses it has known about for years.” The lawsuit claimed sensitive data including Social Security numbers, employment files, and medical information was leaked to the public.

In March 2016, ESR News reported that Home Depot Inc. has agreed to pay $19.5 million – $13 million to settle class action lawsuits and $6.5 million for identity protection services – to compensate approximately 40 to 50 million consumers affected by a massive data breach in 2014. Home Depot will set up a $13 million settlement fund to reimburse consumers affected by the data breach for out-of-pocket losses. In addition, the home improvement retailer will spend $6.5 million for 18 months of free identity protection services for data breach victims.

With data breaches so common, the Federal Trade Commission (FTC) issued a Data Breach Response: A Guide for Business that outlines the steps that businesses should take when experiencing a data breach. A blog entitled “Responding to a data breach?” on the FTC website about the guide describes immediate steps businesses should take to quickly secure their systems if employees lose laptops, hackers get into customer databases, or information is inadvertently posted on websites. The FTC guide is available at www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business.

When it comes to both data breaches and background screening, banks and financial institutions need to proceed with caution with third-party relationships. According to Guidance on risk management issued by the U.S. Department of the Treasury Office of the Comptroller of the Currency (OCC) – OCC BULLETIN 2013-29 – a financial institution is responsible for “for assessing and managing risks associated with third-party relationships” and a critical component of that responsibility is to utilize third party service providers that have a SOC report. The OCC Guidance is available at www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.

The OCC Guidance on Risk Management reads in part: If available, review Service Organization Control (SOC) reports, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 16 (SSAE 16)… A bank should include in the contract the types and frequency of audit reports the bank is entitled to receive from the third party (e.g., financial, SSAE 16, SOC 1, SOC 2, and SOC 3 reports, and security reviews).

Service Organization Control (SOC) Reports® are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service. In September of 2016, ESR announced that independent auditors conducting a SOC 2® Type 2 examination of ESR’s operations for the six month testing period of January 2016 through June 2016 issued a SOC 2® Type 2 report that states ESR management maintained effective controls over the privacy, security, and confidentiality of its employee screening system.

This annual comprehensive and independent examination ensures that ESR meets the current high standards set by the American Institute of Certified Public Accountants (AICPA) to protect customer and third-party information. NDB Accountants & Consultants LLP (NDB), a nationally recognized Certified Public Accounting (CPA) firm specializing in regulatory compliance and consulting services, performed the examination and issued the SOC 2® report. More information about the SOC 2® is available here.

The SOC 2® Type 2 audit was conducted using stringent criteria established by the AICPA. These internationally recognized standards address technological advances and associated risks including cloud services not covered in the now retired SAS 70 standards. The principles and criteria used in ESR’s SOC 2® audit were developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) for use by practitioners in trust services engagements:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.

The SOC 2® Type 2 report is becoming increasingly important to ESR’s existing and potential customers seeking assurance about the effectiveness of controls related to the privacy, security, and confidentiality of consumer information used to process background checks. Financial institutions require it, and publicly traded larger private companies are frequently asking for a SOC 2® report before selecting an outsourced service organization like ESR. Additional information about the ESR SOC 2® report is available at www.esrcheck.com/SOC-2/.

Employers who have a need to safeguard data as well as Personally Identifiable Information (PII) should also look to see if a screening provider is accredited by the National Association of Professional Background Screeners (NAPBS®), which was established in 2003 to represent the interest of companies offering background screening services. Currently, the NAPBS represents over 750 member companies engaged in employment and tenant background screening. In June 2016, the NAPBS Background Screening Credentialing Council (BSCC) announced that ESR had successfully demonstrated continued compliance with the Background Screening Agency Accreditation Program (BSAAP) and is recognized as NAPBS Accredited. ESR was first accredited by the NAPBS in 2010.

Since its inception, NAPBS has maintained that there is a strong need for a singular, cohesive industry standard and, therefore, created the BSAAP.  Governed by a strict professional standard of specified requirements and measurements, the BSAAP is becoming a widely recognized seal of achievement that representing a background screening organization’s commitment to excellence, accountability, high professional standards and continued institutional improvement. To become accredited, screening firms must pass a rigorous onsite audit, conducted by an independent auditing firm, of its policies and procedures as they relate to six critical areas:  consumer protection, legal compliance, client education, product standards, service standards, and general business practices. More information about NAPBS Accreditation is available at www.napbs.com/accreditation/accreditation-overview/.

ESR CEO Rosen says banks and financial entities have a special obligation to exercise care when hiring due to regulations and the need to maintain a workforce that clients will trust. Banks and regulated financial entities need to avoid hiring the wrong person as well as the legal and financial troubles that can result from a “bad hire.” Without taking appropriate steps to know who they are hiring with background checks, banks and financial institutions face a near statistical certainty that they will hire someone with an unsuitable criminal record or a falsified background that can lead to workplace violence, lawsuits for negligent hiring, and time wasted recruiting and hiring the wrong person.

Rosen explains that there is a special statuary and fiduciary duty that banks and financial institutions have when performing background checks. Specifically, banks and financial institutions need to understand the Federal Deposit Insurance Corporation (FDIC) Regulations Section 19 Requirements that do not allow any FDIC-insured financial institution to hire anyone that has been convicted or entered into a pre-trial diversion for a crime involving “dishonesty” or “breach of trust” unless there is prior written consent from the FDIC.

  • “Dishonesty” is defined as “directly or indirectly to cheat or defraud; to cheat or defraud for monetary gain or its equivalent; or wrongfully to take property lawfully belonging to another in violation of any criminal statute.” FDIC Statement of Policy for Section 19 of the FDI Act, 63 Fed. Reg. 66,177, 66,185 (1998). See FIL 125-98 Dec. 1998).
  • “Breach of trust” is defined as “a wrongful act, use, misappropriation, or omission with respect to any property or fund which has been committed to a person in a fiduciary or official capacity, or the misuse of one’s official or fiduciary position to engage in a wrongful act, misappropriation or omission.”

Banks and financial institutions are precluded from allowing persons subject to Section 19 to engage in conduct or relationships Section 19 prohibits, says Rosen. The penalty that may be imposed upon banks or individuals for violating Section 19 is a fine of $ 1,000,000 for each day the violation continues or imprisonment for not more than five years or both. Section 19 requirements prohibit both misdemeanor and felony convictions, and pre-trial diversion programs related to the criminal offense. An application to the FDIC is required for most exceptions to Section 19 requirements.

However, the FDIC instituted a “de minimis” exception in 2012 that does not require an application if: There is only one conviction or pre-trial diversion program on record for a covered offense; The offense was punishable by: a) Imprisonment for a term of less than one year, and/or; b) A fine of less than $2,500.00 and the individual served 3 days or less in jail; The conviction or pre-trial diversion program was entered at least five years prior to the date of the application, and; The offense did not involve an insured depository institution or insured credit union.

The Financial Industry Regulatory Authority (FINRA) has rules that cover every member of a national securities exchange, broker, dealer, registered transfer agent, and registered clearing agency. FINRA Rule 3110(e) took effect July 1, 2015, and is based on similar provisions in National Association of Securities Dealers (NASD) Rule 3010(e) and New York Stock Exchange (NYSE Rule 345.11). The rule introduces a new requirement to search national public records to verify information in the Form U4 (Uniform Application for Securities Industry Registration or Transfer). A broker check can be conducted at www.finra.org. To read more about the special obligations banks and financial institutions have to perform background checks when hiring, visit www.esrcheck.com/wordpress/2015/11/09/banks-have-special-obligation-to-perform-background-checks-when-hiring/.

The need for strong controls in the financial industry was also demonstrated by Wells Fargo Bank in 2016.  As reported by ESR News in September 2016, the Consumer Financial Protection Bureau (CFPB) fined Wells Fargo $100 million – the largest penalty the CFPB has ever imposed – as part of a total fine of $185 million “for the widespread illegal practice of secretly opening unauthorized deposit and credit card accounts.” Under the CFPB’s Consent Order, Wells Fargo will pay full restitution to all victims and a $100 million fine to the CFPB’s Civil Penalty Fund. Wells Fargo will also pay a $35 million penalty to the Office of the Comptroller of the Currency and $50 million to the City and County of Los Angeles.

Wells Fargo issued a statement on the agreements related to sales practices that indicated the amount of the settlements regarding allegations that some of its retail customers received financial products and services they did not request totaled $185 million, plus $5 million in customer remediation. The statement from Wells Fargo also indicated “$2.6 million has been refunded to customers for any fees associated with products customers received that they may not have requested.  Accounts refunded represented a fraction of one percent of the accounts reviewed, and refunds averaged $25.”

Analysis by Wells Fargo – one of the largest financial institutions in the U.S. – found bank employees had opened more than two million deposit and credit card accounts that may not have been authorized by consumers. CNN reported that 5,300 Wells Fargo employees were fired over these phony accounts. According to the CFPB, thousands of Wells Fargo employees – allegedly spurred on by targets and incentives – boosted sales figures by opening unauthorized accounts and funding them by transferring funds from authorized accounts of consumers without their knowledge or consent.

ESR Top Ten Background Check Trends for 2017 Webinar

Employment Screening Resources® (ESR) founder and CEO Attorney Lester Rosen will host a live complimentary webinar entitled ‘ESR Top Ten Background Check Trends for 2017’ on Wednesday, January 18, 2017, from 11:00 AM to 12:00 PM Noon Pacific Time. To register for the free webinar, please visit https://attendee.gotowebinar.com/register/733293271056375556.

The webinar is approved for 1.0 (HR (General)) recertification credit hours toward PHR, SPHR, and GPHR recertification through the HR Certification Institute (HRCI). The webinar is worth 1.0 Professional Development Credit (PDC) from the Society for Human Resource Management (SHRM) for the SHRM Certified Professional (SHRM-CP™) and SHRM Senior Certified Professional (SHRM-SCP™).

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2016 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.