Credit unions


Data Security – Good and Poor Practice

Controls and Monitoring

Credit unions should carry out regular reviews of the controls they have in place to monitor the risks of data security to both the membership and the staff or volunteers engaged in running the credit union.

Examples of good practices

General:

  • A number of CUs, performing checks on potential employees, would take up references, conduct credit checks, or carry out Criminal Records Bureau (CRB) checks (especially when operating collection points at schools).
  • CUs had conducted a risk assessment and had thought about the risk to the sensitive pieces of information they hold about their members. Subsequent to this they had produced a formal policy and written procedures for the handling of sensitive data (both paper based and electronic), with staff being trained on these procedures.

Physical controls:

  • CU offices should be well secured. We saw examples where locks, alarms, CCTV and in some instances, metal shutters were used.
  • Where a CU operated in a room of a shared office building, the room was locked even if it would only be empty for a short while.
  • We saw that a number of CUs using office premises operated a clear desk policy, so no sensitive documents were left on show overnight. The FSA considers all firms should have a suitable clear desk policy that is understood by all staff. The policy should be monitored, tested and regularly reviewed as appropriate to the business, and exceptions highlighted to senior management.
  • CU staff were given lockers that all personal effects (e.g. mobile phone, USB sticks) had to be placed in before entering the main office. This practice can mitigate the risks of portable devices being used inappropriately to store customer data.

IT Controls:

  • CUs had thought about different users having different access rights to the computer system, depending on their role in the CU (e.g. supervisory committee only having 'read only' access).
  • Each volunteer or staff member should have their own password to the IT system. All volunteers and staff should ensure that their username and password are kept private. Passwords need to be complex enough not to be easily guessed and they should not be written down. Guidance on strong passwords is available from the Government-backed group Get Safe Online.
  • Laptops are kept in secure cabinets, even when stored away from the main CU office, thus reducing the opportunity for theft or data compromise.

Third Party Access:

  • CUs need to consider which third parties (e.g. software providers, auditors) can access customer data and how this is controlled. We saw instances where CUs operated stand-alone computers purely for internet access, so that the machines holding member data were not exposed to the internet.

Examples of poor practices

General:

  • No vetting or checks being made of staff and volunteers.
  • No formal risk assessment of data security and no formal policy or procedure for staff and volunteers to follow.
  • CUs were unaware of the potential for financial crime and money laundering by their own staff and had failed to put suitable controls in place.
  • CUs had not considered the possibility of data compromise and were unaware of how they would deal with such an incident.

Physical controls:

  • Secure filing keys kept in a filing cabinet that is shared with other organisations.
  • At some premises, we saw that filing cabinets in which members' personal information was kept were not locked. In some instances where these were locked, the keys were kept in the open (often on top of the cabinets themselves) or in a key safe that was shared with other organisations.
  • We saw one instance of members' files being kept in an open box in the middle of an office.
  • No controls were put in place by the Board to mitigate the risk of access to personal information for unauthorised use.

IT Controls:

  • CUs failed to review who had access to their computer systems and whether they had the right level of access for the role they currently perform. This led to several instances where individuals had far more access to the system than was necessary, e.g. supervisory committee having full access to the whole system rather than read only.
  • The password security evidenced during some visits was poor, as no criteria had been set for passwords. Passwords did not have an expiry date, nor did they have to meet a minimum level of complexity (e.g. using capitals, numbers, special characters etc.).
  • We continue to see usernames and passwords being written down or shared. In one instance the chair of the supervisory committee insisted on knowing all the usernames and passwords. In another the auditor was using a CU officer's username and password.
  • No control was maintained over the whereabouts and use of laptops. In some instances it was possible for third parties to access the internet on these machines, which could lead to the introduction of a virus or interrogation of a database.
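The two IT weaknesses above (users holding far more system access than their role needs, and passwords with no complexity or expiry criteria) are the kind a CU can check mechanically rather than by eye. The following is an added illustration, not FSA guidance or any credit union's real configuration: the role names, permission strings, the 12-character / three-class / 90-day thresholds and the sample user records are all constructed assumptions. It reviews each user against a deny-by-default role map (the supervisory committee role gets read-only permissions) and flags expired passwords, and separately reports which complexity criteria a candidate password fails.

```python
"""Added example: least-privilege role review and password-policy checks.
All roles, permissions, thresholds and sample records are illustrative
assumptions, not regulatory requirements."""
from datetime import date, timedelta
import string

# Assumed role-to-permission map. Each role lists only what it needs;
# the supervisory committee is read-only, as the good-practice example describes.
ROLE_PERMISSIONS = {
    "cashier": {"member:read", "transaction:create"},
    "loans_officer": {"member:read", "loan:create"},
    "supervisory_committee": {"member:read", "transaction:read", "loan:read"},
    "system_admin": {"user:manage"},
}

# Assumed password-policy thresholds.
MIN_LENGTH = 12
MIN_CLASSES = 3      # of: lowercase, uppercase, digit, special
MAX_AGE_DAYS = 90    # password expiry period


def is_permitted(role, permission):
    """Deny by default: an unknown role or an unlisted permission is refused."""
    return permission in ROLE_PERMISSIONS.get(role, set())


def over_privileged(role, permissions_held):
    """Return the permissions a user holds beyond what their role needs."""
    return sorted(set(permissions_held) - ROLE_PERMISSIONS.get(role, set()))


def complexity_failures(password):
    """List the complexity criteria a password fails (empty list means it passes)."""
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if sum(classes.values()) < MIN_CLASSES:
        missing = ", ".join(name for name, ok in classes.items() if not ok)
        failures.append(f"fewer than {MIN_CLASSES} character classes (missing: {missing})")
    return failures


def password_expired(last_changed, today):
    """True when the password is older than the assumed expiry period."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def review_user(user, today):
    """Findings an access review would raise for one user record."""
    findings = []
    extra = over_privileged(user["role"], user["permissions"])
    if extra:
        findings.append(f"{user['name']}: permissions beyond role "
                        f"'{user['role']}': {extra}")
    if password_expired(user["password_changed"], today):
        findings.append(f"{user['name']}: password older than {MAX_AGE_DAYS} days")
    return findings


# Constructed sample records: a supervisory committee chair who has been
# granted write and admin rights, and a cashier with only what the role needs.
SAMPLE_USERS = [
    {"name": "sc_chair", "role": "supervisory_committee",
     "permissions": {"member:read", "transaction:read", "loan:read",
                     "loan:create", "user:manage"},
     "password_changed": date(2024, 1, 10)},
    {"name": "cashier1", "role": "cashier",
     "permissions": {"member:read", "transaction:create"},
     "password_changed": date(2024, 5, 1)},
]


def run_review(users=SAMPLE_USERS, today=date(2024, 6, 1)):
    """Run the review over all users and return the list of findings."""
    findings = []
    for user in users:
        findings.extend(review_user(user, today))
    return findings


if __name__ == "__main__":
    for line in run_review():
        print(line)
    print("weak password fails:", complexity_failures("password"))
```

Run as a script it reports two findings for the constructed chair record (excess permissions and an expired password) and none for the cashier. The deny-by-default shape of `is_permitted` is the point: access exists only where a role explicitly lists it, so a periodic run of `run_review` over the real user list surfaces exactly the "far more access than necessary" cases the visits found.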

Third Party Access:

  • Evidence was seen where software providers had unlimited access to CU systems and were able to access the CU's entire computer system remotely without permission.



Data Control

Credit unions should have a formal procedure for control of data which can be effectively monitored and tested on a regular basis.

Examples of good practices

Data Retention:

  • Computer records were backed up regularly, with the backup held securely off site.
  • Data that was sent/taken to other locations was encrypted and/or password protected.

Data Disposal:

  • All paper documents containing sensitive information were shredded.
  • Where a third party was employed to shred sensitive documents, this was done in front of a CU staff member.
  • When obsolete computer equipment was disposed of or passed to another organisation the hard drive was removed and physically destroyed.
  • Sensitive member data was never emailed out of the CU, to avoid the chance of it being misdirected.

Examples of poor practices

Data Retention:

  • IT backups were stored on site; in some instances these were not kept in secure environments.
  • Members' paper files were kept insecurely at a director's home.

Data Disposal:

  • Many CUs had not given consideration to how they would dispose of electronic information in accordance with Data Protection rules.
  • Documentation was not destroyed in a controlled environment.
  • Some CUs were keeping all the information they had ever had about all the members and even ex-members. Money laundering rules state that a CU should keep details of transactions for at least five years from the date of transaction. Members' details should be kept for 5 years from the date that the relationship ceases. Data Protection rules state that they must be kept for a maximum of 7 years.


Policies and procedures

These are some of the points we noted during the visit process.

Examples of good practices

  • Where CUs were operating out of multiple offices, the branches were connected using secure lines.
  • Dormant accounts were treated as new members when becoming active again.

Examples of poor practices

  • A CU was keeping a book of pre-signed cheques to pay members. Keeping pre-signed cheques is a big risk for CUs and if you are doing this you should think of a different process for signing cheques to minimise the risk of financial crime in this area.
  • It was possible for members of staff to process a whole transaction from start to finish (e.g. creating a member through to that member taking out a loan and making share deposits) without any second person being involved.
  • No special treatment for dormant members. Accounts allowed to be reactivated after long periods of inactivity with no additional checks.
