For most of 2020, banks and credit union employees have had to work and collaborate remotely to maintain business continuity amidst the ongoing COVID-19 pandemic. Despite early optimism that workforces would be able to return to offices by Spring thanks to breakthrough vaccine discoveries, this notion has faded drastically. A disjointed vaccine distribution plan, the emergence of potentially deadlier COVID variants, and a record year-end surge in cases have dashed hopes that 2021 would signal a return to normal. So, financial services employees will have to hunker down at home a little while longer.
Naturally, the prolonged remote office situation has presented a significant cybersecurity challenge for IT administrators at financial institutions. Ultra-sensitive client data that was once exchanged over a secure on-premises network is now transmitted over employees’ personal connections, and attackers are eager to take advantage. To safeguard against fraudsters and scammers, IT heads have had the unenviable task of ensuring that remote office practices are not only optimized for security but also remain compliant with ever-evolving regulations.
Customer documents, in particular, are rife with confidential data that fraudsters would love to get their hands on. Names, savings account numbers, social security numbers, and addresses are just a few of the pieces of personally identifiable information (PII) that customers entrust to their financial institutions in order to do business. That creates an immense burden on banks and credit unions, which routinely handle thousands of documents containing sensitive customer information. Needless to say, private data should be the very first thing to secure. One slight lapse or oversight could lead to a data breach and the subsequent fallout of regulatory fines and reputational damage.
Below are measures that financial institutions must take when handling and sharing sensitive client files while working remotely.
Redact Information the Right Way
Specifically, certain information found in documents must be redacted in accordance with Federal Rule of Bankruptcy Procedure 9037. On the surface, redaction seems like merely blacking out the confidential parts of a document. But in addition to covering up sensitive information, you also need to permanently remove any text and graphics underneath the black box; a drawn-on overlay leaves the original text in the file, where a simple copy-and-paste or text search recovers it. Proper redaction ensures that social security numbers, birthdates, and other PII no longer exist in the document itself. Beyond this, electronic documents need to be sanitized, which means removing hidden information layers (metadata, comments, prior revisions, embedded content) that could be found and exploited by attackers. This sounds like a relatively mundane procedure, but several high-profile cases have shown painfully that properly redacting documents protects your trusting clients and avoids hefty fines for regulatory violations.
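The difference between a cosmetic overlay and true redaction plus sanitization is easiest to see in code. The following is an added example, not code from the original article: it models a document as visible text plus hidden metadata and revision layers (all constructed for this example), applies both a cosmetic and a true redaction, and then searches every place text can survive to show what each approach leaves behind. The PII patterns, the document fields, and the sample loan file content are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Minimal document model (constructed for this example). Real PDF/Office
# files have equivalents: page text, document properties, comments,
# tracked changes, and annotation objects that a viewer can reveal.
@dataclass
class Document:
    text: str
    metadata: dict = field(default_factory=dict)       # document properties
    hidden_layers: list = field(default_factory=list)  # comments, prior revisions
    overlays: list = field(default_factory=list)       # drawn boxes; text untouched

# Assumed PII patterns: US SSN and a simple account-number reference.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCOUNT_RE = re.compile(r"\b(?:acct|account)\s*#?\s*\d{6,}\b", re.IGNORECASE)
PATTERNS = (SSN_RE, ACCOUNT_RE)

def sample_document():
    """Constructed loan file with PII in the body, metadata and a revision layer."""
    return Document(
        text="Applicant Jane Doe, SSN 123-45-6789, account # 9876543210, approved.",
        metadata={"author": "j.doe", "subject": "loan file SSN 123-45-6789"},
        hidden_layers=["Revision 1: SSN 123-45-6789 verified by underwriter"],
    )

def cosmetic_redact(doc):
    """Draws a black box over each match but leaves the underlying text in place."""
    for pat in PATTERNS:
        for m in pat.finditer(doc.text):
            doc.overlays.append((m.start(), m.end()))
    return doc

def true_redact(doc):
    """Removes the matched text itself and strips every hidden layer and property."""
    text = doc.text
    for pat in PATTERNS:
        text = pat.sub("[REDACTED]", text)
    # Sanitization: a fresh document with no metadata, comments or revisions.
    return Document(text=text, metadata={}, hidden_layers=[], overlays=[])

def find_residual_pii(doc):
    """Searches body text, metadata values and hidden layers for surviving PII."""
    haystacks = [doc.text] + list(doc.metadata.values()) + list(doc.hidden_layers)
    hits = []
    for h in haystacks:
        for pat in PATTERNS:
            hits.extend(pat.findall(h))
    return hits

if __name__ == "__main__":
    print("cosmetic:", find_residual_pii(cosmetic_redact(sample_document())))
    print("true:", find_residual_pii(true_redact(sample_document())))
```

The check in find_residual_pii is the part worth keeping: after any redaction workflow, run a text search over the saved file and its properties rather than trusting what the page looks like on screen.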
Encrypt your Documents
In most cases, sensitive client documents like tax records and W2s are meant for the eyes of only a few employees at a bank. Just because a client has entrusted his or her information to your financial institution doesn’t mean that the entire organization can or should have access to it. A practical step for preventing unauthorized access when electronically sharing PII documents is to always encrypt client files with a password, so that only those who have been given the password can open them. If a file is accidentally shared with the wrong colleague or department, password encryption acts as an extra layer of protection. Employees can go one step further by requiring a second password to enable modifying and printing permissions on a document, which prevents unauthorized editing and printing. The only way to lift the access or editing restrictions is to apply the decryption key, in this case the password. By encrypting your documents with passwords and permissions, only you and the specified team members can view them, and you vastly reduce the risk of unauthorized access and data leakage.
Implement a Document Access Policy
Setting an overarching document policy may be the most effective strategy for protecting classified documents within departments. By doing so, IT administrators can dictate which employees can access sensitive files, the type of information they can access, and what actions they can take (for example: viewing, editing, sharing, printing). Enforcing a strict document policy ensures that documents with PII are accessible only to those directly involved in the process. For instance, administrators can set a custom policy where a client’s loan profile and associated documents can be accessed and modified only by the loan originators, loan processors, and underwriters responsible for that file. Anyone who isn’t part of that team will not be authorized to open the document even if it somehow reaches his or her inbox. This greatly regulates the flow of confidential information and maximizes security and compliance.
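The loan-file policy described above, where access depends on both the employee's role and whether they are on the team responsible for that file, can be expressed as a small deny-by-default authorization check. The following is an added example, not code from the original article or from any particular product: the roles, the action set, and the users and loan file are constructed for illustration, and the policy table is an assumption about how a bank might configure it.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    VIEW = "view"
    EDIT = "edit"
    SHARE = "share"
    PRINT = "print"

@dataclass(frozen=True)
class User:
    name: str
    role: str
    team: str        # the loan team the employee is assigned to

@dataclass(frozen=True)
class LoanFile:
    file_id: str
    team: str        # the team responsible for this client's file
    contains_pii: bool

# Assumed role policy: which actions each role may take on a PII loan file.
# Roles not listed here (including IT administrators, who manage the policy
# but do not work the file) get no actions at all.
ROLE_POLICY = {
    "loan_originator": {Action.VIEW, Action.EDIT},
    "loan_processor":  {Action.VIEW, Action.EDIT},
    "underwriter":     {Action.VIEW, Action.EDIT, Action.PRINT},
}

def is_authorized(user, doc, action):
    """Deny by default: the user must be on the file's team AND their role must allow the action.
    Receiving the file (e.g. in an inbox) is never by itself a grant."""
    if user.team != doc.team:
        return False
    return action in ROLE_POLICY.get(user.role, set())

def decide(user, doc, action):
    """Returns an audit-log style record for every decision, allowed or denied."""
    allowed = is_authorized(user, doc, action)
    return {
        "file": doc.file_id,
        "user": user.name,
        "role": user.role,
        "action": action.value,
        "decision": "ALLOW" if allowed else "DENY",
    }

# Constructed sample data.
LOAN_42 = LoanFile(file_id="LOAN-42", team="team-a", contains_pii=True)
UNDERWRITER_A = User("Alice", "underwriter", "team-a")
PROCESSOR_A = User("Bob", "loan_processor", "team-a")
PROCESSOR_B = User("Carol", "loan_processor", "team-b")   # wrong team
MARKETING = User("Dan", "marketing", "team-a")            # no role grant

if __name__ == "__main__":
    for user, action in [(UNDERWRITER_A, Action.PRINT), (PROCESSOR_A, Action.PRINT),
                         (PROCESSOR_B, Action.VIEW), (MARKETING, Action.VIEW)]:
        print(decide(user, LOAN_42, action))
```

Two design points carry the weight here: the team check runs before the role check, so a processor from another team is denied even though processors can normally edit, and unknown roles fall through to an empty set rather than to any default grant. Logging the denials as well as the allows is what lets an administrator later review who tried to reach a file they should not have.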