Audit of the Division of Banks
November 18, 2021 · Division of Banks · Read the full official report on mass.gov ↗
source
“In performing our audit work, we found that not all DOB employees promptly received cybersecurity awareness training, as discussed in Finding 1.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Division of Banks, covering July 1, 2017 through June 30, 2019.
“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2017 through June 30, 2019.”
Auditors checked whether the Division of Banks properly oversaw certain financial businesses, handled license information from other states, shared enforcement information, and made sure employees completed required cybersecurity training.
“In this performance audit, we determined whether DOB (1) ensured that foreign transmittal agencies maintained three years of records in accordance with Section 10 of Chapter 169 of the General Laws; (2) collected, and acted on, information on mortgage lenders or brokers that may have had their licenses suspended or revoked by the licensing authority of any other state, as required by Sections 42.04(2)(b)(4) and 42.06(2)(b)(4) of Title 209 of the Code of Massachusetts Regulations; and (3) shared its information regarding Massachusetts-licensed lenders and brokers that had been subjected to formal enforcement action from other states, as required by Section 5107 of Title 12 of the United States Code and Section 1508(d)(3) of Title V of Public Law 110-289 (the Secure and Fair Enforcement for Mortgage Licensing Act of 2008).”
The Division of Banks oversees many financial service providers in Massachusetts, so weak cybersecurity training could put sensitive information at risk.
“Untimely cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information in DOB’s information technology systems.”
If you use banks, credit unions, mortgage lenders, money-transfer businesses, check cashers, or similar financial services in Massachusetts, this agency helps regulate those businesses and protect the financial services environment.
“DOB’s primary mission is to ensure a sound, competitive, and accessible financial services environment throughout the Commonwealth.”
The auditors answered yes to all three main oversight questions, but found one problem: some employee cybersecurity training was late.
“Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.”
The Division of Banks said it is creating policies and procedures to make sure employees get cybersecurity training on time, including before new employees access systems.
“The DOB reviewed the recommendations, and we are developing and implementing policies and procedures in accordance with EOTSS policies to ensure employees receive the training in a timely manner.”
The key issue was not about the agency failing its main licensing and enforcement-review duties; it was about making sure staff are trained on cybersecurity quickly and regularly enough to protect state systems and data.
“DOB did not ensure that all of its employees promptly completed cybersecurity awareness training.”
DOB means Division of Banks, the state agency reviewed here; FTA means foreign transmittal agency, a business that receives money to send to other countries; NMLS is the nationwide online licensing system for mortgage-related licenses.
“According to Section 45.02 of Title 209 of the Code of Massachusetts Regulations, a foreign transmittal agency (FTA) is “a person who engages or is financially interested in the business of receiving deposits of money for the purpose of transmitting the same or equivalents thereof to foreign countries.””
What the Auditor checked
- Complied Does DOB ensure that foreign transmittal agency (FTA) licensees maintain three years of records in accordance with Section 10 of Chapter 169 of the General Laws?
- Complied Does DOB collect, and act on, information from other states in compliance with Sections 42.04(2)(b)(4) and 42.06(2)(b)(4) of Title 209 of the Code of Massachusetts Regulations?
- Complied Does DOB share its information regarding Massachusetts enforcement actions for licensed mortgage lenders and brokers with other states, as required by Section 5107 of Title 12 of the United States Code and Section 1508(d)(3) of Title V of Public Law 110-289?
What the Auditor found
Why it matters: Untimely cybersecurity awareness training increases the risk of user error and compromise of protected information in DOB systems.
Standard: EOTSS Acceptable Use of Information Technology Policy IS.002, EOTSS Information Security Risk Management Standard IS.010, and state Executive Order 504 ( Section 5.1.1 of the Executive Office of Technology Services and Security’s Acceptable Use of Information Technology Policy IS.002; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6 of state Executive Order 504 )
2 recommendations
- DOB should develop and implement policies and procedures, in accordance with EOTSS policies, that require all current employees to receive annual cybersecurity awareness training.agency: agreed
- DOB should develop and implement policies and procedures, in accordance with EOTSS policies, that require newly hired employees to receive cybersecurity awareness training during orientation or within a prescribed timeline before they have access to DOB’s systems.agency: agreed
Agency response & Auditor reply
Agency: "The DOB reviewed the recommendations, and we are developing and implementing policies and procedures in accordance with EOTSS policies to ensure employees receive the training in a timely manner."
Auditor: "Based on its response, DOB is taking steps to address these issues."
More audits of this entity
Other Office of the State Auditor reports on Division of Banks .
- Division of BanksState Agency / Office · March 23, 2017
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Division of Banks (January 28, 2025)State Agency / Office · January 28, 2025 - Division of BanksState Agency / Office · January 25, 2012