Implementation FAQs
Please explore the content below to answer questions relating to the implementation of the LexAlign solution.
LexAlign automates the onsite audit function using a sophisticated diagnostic assessment. LexAlign replaces the manual questionnaire process most widely used today.
The LexAlign diagnostic assessment derives directly and transparently from regulatory guidance (in the form of exam manuals, institution letters, bulletins, supervisory highlights, summaries to rule changes, etc.), so that what is measured (and risk rated) are customer operational deviations from those official expectations. In effect, LexAlign makes expert guidance accessible in a targeted way to the persons actually conducting the activities.
When a customer completes the LexAlign diagnostic assessment, they have immediate access to an audit report with gap analysis and action plan that explains their risk factors and how to remediate them. This empowers the customer to manage their own operational risks.
The questions are all derived from regulatory exam manuals and guidance, reflecting regulator expectations.
Here is a list of the authoritative sources used by LexAlign.
Item | Source |
---|---|
A | Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA) /Anti-Money Laundering (AML) Examination Manual (2020) (Link) |
B | Federal Deposit Insurance Corporation (FDIC) Supervisory Insights: “Remote Deposit Capture: A Primer,” Last updated June 29, 2009 (Link) |
C | FDIC FIL–4–2009, “Risk Management of Remote Deposit Capture,” January 14, 2009 (Link) (attaching FFIEC guidance: Link) |
D | FFIEC Supplement to Authentication in an Internet Banking Environment, June 2011 (Link) |
E | FFIEC Authentication in an Internet Banking Environment, October 2005 (Link) |
F | Board of Governors of the Federal Reserve System: “Availability of Funds and Collection of Checks,” Summary & Final Rule amending Reg CC, 12 CFR Part 229, Federal Register, 82 FR 27552ff (June 15, 2017) (Link) |
G | Federal Trade Commission Guidance: “FTC Safeguards Rule: What Your Business Needs to Know” (May 2022) under the Gramm-Leach-Bliley (GLB) Act and related regulations in 16 CFR Part 314 (“Standards for Safeguarding Customer Information”) (Link) |
Because the diagnostic interviews are dynamic (the questions you see depend on how you answered, or did not answer, prior questions), the system does not let you go backwards. The customer has three options: cancel and restart an Assessment before completing it; finish the Assessment and indicate Remediation for any relevant issue (this updates both the information and the scoring that the Bank sees); or simply re-do the Assessment. We have rarely seen a Customer complain about having made a mistake, and in the couple of cases where it did happen, the mistake was in an earlier section. When it happens, we recommend that bank staff tell the Customer that any mistakes will be noted, encourage them to use the Remediation feature to update the information, and then make a note on the Customer’s page for that Diagnostic in the Dashboard.
This typically happens when the email goes to your spam folder and you are trying to access the link within it. First move the email to your inbox where it will be seen as a trusted email. You will then be able to click on the link within the email to access the demo site.
The RDC and Security modules are sold as a bundle. A Security assessment is a required component to create a complete solution for RDC.
The LexAlign Security module was created as a standalone module for these reasons:
- It applies to all treasury customers, not just RDC.
- The person completing the Security Assessment is typically different from the person completing the RDC Assessment.
- The Security Assessment is also considered to be ACH Part 1, the natural starting point for ACH operational risk management.
If the bank is primarily focused on RDC, they should launch the LexAlign Diagnostic for RDC first. We suggest launching the LexAlign Diagnostic for Security for each Cohort a minimum of 6 weeks after RDC.
If the bank is primarily focused on ACH customers, they would launch the LexAlign Diagnostic for Security first (we call it ACH Part 1: Security).
The LexAlign solution is a much better experience for customers: they see immediate benefits, unlike with the alternative approaches. It empowers customers to recognize and manage their operational risks. The typical completion time for each LexAlign Assessment is around 30 minutes, and asking customers to spend 30 minutes per year on an Assessment is not unreasonable.
Please check your spam folder. If the email invitation is not in your spam folder please let us know and we will resend it.
LexAlign does a number of things to ensure emails are delivered to bank customers and can be trusted. Most of these are easily configured in the LexAlign Control Panel.
- We use a sub-domain of the bank’s domain, such as “lexalign.bankname.com”. LexAlign provisions this sub-domain based on the name the bank wants to use. When we provision the domain, we provide DNS (Domain Name System) records to the bank so that its IT department can add them to the bank’s DNS. These records let receiving email servers verify that the email is authorized by the bank’s domain.
- We use a “Sender name” that matches what bank customers are used to seeing.
- We use a “reply to” email address that matches what bank customers are used to seeing.
- We include a link in the emails to a frequently asked questions page that lives on the bank’s website.
- We use the bank’s email footer as another item that bank customers will recognize to help them trust the email.
In addition to the above, prior to the launch of LexAlign, the bank will send an email through their normal delivery letting their customers know that they are using a new system for their annual audit process and to expect emails from LexAlign.
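The DNS step above is where most deliverability and spoofing outcomes are decided, so here is an added example (not LexAlign’s code, and not the records it provisions, which this page does not list) of how a bank’s IT team could sanity-check a vendor sub-domain’s records offline before launch. It assumes the records are the usual SPF, DKIM and DMARC TXT set; the zone contents, domain names and DKIM selector are constructed for the example.

```python
"""Offline sanity check of the DNS TXT records that let receiving mail servers
trust mail sent from a vendor sub-domain such as lexalign.bankname.com.

Assumption (not stated on the page): the records are the usual SPF, DKIM and
DMARC trio.  The zone contents below are constructed for the example; the
record names and values LexAlign actually provisions are not published here.
"""
import re

# Constructed zone as it might look if a permissive placeholder was pasted in.
# Mail servers accept every record here, but none of them authorizes anything.
WEAK_ZONE = {
    "lexalign.examplebank.com": ["v=spf1 +all"],
    "_dmarc.lexalign.examplebank.com": ["v=DMARC1; p=none"],
}

# The same zone hardened: SPF limited to the sending service and closed with
# -all, a DKIM selector published, DMARC enforcing and reporting.
HARDENED_ZONE = {
    "lexalign.examplebank.com": ["v=spf1 include:spf.sender.example -all"],
    "s1._domainkey.lexalign.examplebank.com": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxx"
    ],
    "_dmarc.lexalign.examplebank.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@examplebank.com"
    ],
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _needs_dns_lookup(term: str) -> bool:
    """SPF terms that consume one of the 10 DNS lookups allowed by RFC 7208."""
    t = term.lstrip("+-~?").lower()
    if t.startswith(("include:", "exists:", "redirect=")):
        return True
    return re.split(r"[:/]", t, maxsplit=1)[0] in ("a", "mx", "ptr")


def check_spf(records: list) -> list:
    """Problems with the SPF record(s) published at the sending sub-domain."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"SPF: expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    problems = []
    if not terms or terms[-1].lower() not in ("-all", "~all"):
        problems.append("SPF: record must end in -all (or ~all); +all, ?all or "
                        "no 'all' term lets any host send as the sub-domain")
    if sum(map(_needs_dns_lookup, terms)) > 10:
        problems.append("SPF: more than 10 DNS lookups; receivers return permerror")
    return problems


def check_dkim(zone: dict, domain: str) -> list:
    """At least one selector must be published with a non-empty public key."""
    suffix = "._domainkey." + domain
    selectors = {n: r for n, r in zone.items() if n.endswith(suffix)}
    if not selectors:
        return [f"DKIM: no selector record under _domainkey.{domain}"]
    problems = []
    for name, records in selectors.items():
        if not parse_tags(records[0]).get("p"):
            problems.append(f"DKIM: {name} has an empty p= (key revoked)")
    return problems


def check_dmarc(zone: dict, domain: str) -> list:
    """DMARC must exist, enforce (quarantine/reject) and report back to the bank."""
    records = zone.get("_dmarc." + domain, [])
    if len(records) != 1 or not records[0].startswith("v=DMARC1"):
        return ["DMARC: exactly one record starting with v=DMARC1 is required"]
    tags = parse_tags(records[0])
    problems = []
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append(f"DMARC: p={tags.get('p')} does not enforce; spoofed mail "
                        "that fails SPF/DKIM alignment is still delivered")
    if "rua" not in tags:
        problems.append("DMARC: no rua= address, so the bank gets no aggregate reports")
    return problems


def check_zone(zone: dict, domain: str) -> list:
    """Run all three checks; an empty list means the sub-domain is fully set up."""
    return (check_spf(zone.get(domain, []))
            + check_dkim(zone, domain)
            + check_dmarc(zone, domain))


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        findings = check_zone(zone, "lexalign.examplebank.com")
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The weak zone is the one to watch for: `+all` and `p=none` are both syntactically valid, so a mail server will not complain, yet they leave the sub-domain fully spoofable, which defeats the purpose of publishing the records in the first place. Feeding the script the live zone (for example from `dig TXT` output) before the launch email goes out catches this before customers start seeing the messages.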
You can extract a list of all customers, showing who is activated or deactivated by going into the Control Panel, selecting the Cycle Checklist, then going to the bottom and clicking on “Approve Customer List”. This allows you to download the full customer list. After downloading, simply cancel out of this section.
The bank has a dashboard that provides summary information for all customers as well as specific customer information regarding the assessments completed.
LexAlign modules are charged separately and not until implementation is complete. If RDC is implemented first, the Security module is not charged until it has completed its own implementation process.
They are calendar days.
Cohorts launch based on their defined communication schedule independent of the Cohort number.
It’s still early days but the response so far from users, test users, and other institutions has been positive. One of our test users (a bank customer) said in connection with an earlier version of our current Security Diagnostic, “Just going through the questions is opening my eyes to things we need to think about.” A business owner said, “This is great. It’s going to save me money because I don’t need to hire an IT security expert to do an assessment.” An IT manager said, “I’ve been trying to get management to focus on security, and the audit report helps me do that.”
Nacha also said that our Security Diagnostic would satisfy the security audit requirements for the annual ACH audits, so it satisfies two sets of requirements. In general, the LexAlign Security Diagnostic enables customers to do a self-assessment against what the Federal Trade Commission recommends as appropriate and prudent practices. Financial regulators defer to the FTC for guidance on business security to address the extraordinary risk of fraud that targets them. By using the Security Diagnostic you’re helping customers align their operations with the FTC’s authoritative guidance.
Each group designates the level of risk a customer poses, based on the operational gaps or other factors that regulators discuss in their RDC, AML, or fraud risk management guidance. The gaps are risk weighted according to their prominence in the regulatory guidance and examination manuals, prudential considerations, expert input, and industry feedback. Most customers fall into Groups 2 and 3, with Group 4 the next most common.
- Group 1: Minimal to low risk
- Group 2: Low to moderate risk
- Group 3: Moderate risk
- Group 4: Higher risk
- Group 5: Warrants prompt attention, possibly including disabling the service
The typical implementation process for the first LexAlign Diagnostic is 6-8 weeks. The actual length can vary greatly depending on how quickly the bank can complete the prerequisites. Each LexAlign Diagnostic has its own implementation process. LexAlign Diagnostics are typically staggered so that there are at least two to three months between Diagnostics.
The LexAlign solution does not collect any PII (personally identifiable information), nor does it contain or use any transactional information, account numbers, or credentials. The information we collect cannot be used to create financial transactions; it is only about customer operations.
The LexAlign solution was developed using regulatory exam manuals and guidance and should be viewed as a standard that applies to all financial institutions. Since LexAlign Assessments are diagnostic interviews rather than questionnaires, there isn’t a defined set of questions that every customer sees; the system is dynamic in the sense that it delves into issues based on prior answers. However, the topics we cover are for the most part standard, though a small subset are reserved for larger organizations. We scour the regulatory sources and consult with experts to determine the issues the regulators are focused on, and we believe our Assessments are far more comprehensive and granular than the questionnaires banks have historically used. We don’t ask simple high-level questions like “Is your banking computer secure?” because we don’t think they’re meaningful, in part because they presume a level of subject-area expertise that many, if not most, customers don’t have. Instead, we ask factual questions about practices, and our system uses the answers to determine compliance and risk.
Over the standard six-week automated notification period, we’ve seen banks achieve more than a 70% assessment completion rate from their commercial customers without any manual effort.
We do this by automating the onsite audit function for customer compliance which reduces the time it takes to manage commercial customers by up to 90 percent.
The LexAlign solution reduces costs by automating the onsite audit function for security and compliance, directly based on the regulators’ stated expectations. This reduces the time it takes to manage customer compliance for commercial customers by up to 90 percent.
In our Nacha conversations, we heard that assessing the customer for IT and information security is a required part of the annual audit. This is not trivial, as it’s gaps in your customers’ security that fraudsters are exploiting in the extraordinary explosion of credit-push fraud, which Nacha has called the now dominant form of ACH fraud.
But here’s the good news: we also heard that the LexAlign Security Diagnostic would satisfy this requirement.
The LexAlign Security Diagnostic enables customers to do a self-assessment against what the Federal Trade Commission recommends as appropriate and prudent practices. Financial regulators defer to the FTC for guidance on business security to address the extraordinary risk of fraud that targets them.
The LexAlign Security Diagnostic was designed to satisfy Part 1 of the ACH audit and addresses Nacha’s call for A New Risk Management Framework for the Era of Credit-Push Fraud by recruiting, sensitizing and empowering the customer as the front layer in the layered approach to security that regulators expect.
Bank deposits aren’t secure unless your bank customers are secure.
We’ve spoken to a number of banks who are interested in the ability to automate ACH audits for their commercial customers.
Security is crucial for all commercial customers but especially those doing RDC, ACH, and Wires.
This is why it’s important to get started with the LexAlign Security Diagnostic, also known as ACH Part 1:
- LexAlign makes the expertise contained in regulatory guidance easily accessible and actionable for commercial customers.
- LexAlign shows them precisely where their operations deviate from what regulators require or recommend for online banking.
- LexAlign empowers commercial customers with actionable information and tailored resources to be the fortified frontline against fraud while automatically demonstrating proactive and effective risk management by the bank.
- LexAlign provides commercial customers with a security policy that regulators expect them to have.
Fraudsters are exploiting security gaps in bank customers’ operations to access their deposit accounts. It’s called “credit-push fraud” and it’s exploding.
LexAlign is designed to recruit bank customers to be the front layer in their layered security approach against fraud. After all, as Jane Larimer, President and CEO of Nacha said:
“All participants in the payment system, whether the ACH Network or elsewhere, have roles to play in working together to combat fraud.”
We recently met with Nacha’s senior network risk officer to discuss the scope of our forthcoming ACH Diagnostic and demoed our Security Diagnostic as it’s directly on point and responsive to Nacha’s call for A New Risk Management Framework for the Era of Credit-Push Fraud, which they say is now the greatest source of fraud loss across payment channels.
The LexAlign Security Diagnostic meets that call.
Credit-push fraud works with startling success because customers have unaddressed vulnerabilities that make them susceptible to business email compromise and account takeover. LexAlign sensitizes them to the risks and responsibilities, alerts them to their particular vulnerabilities, and equips them in a uniquely effective way to improve their security and staff awareness, while automatically providing the bank with records demonstrating superior oversight and support in alignment with regulators’ stated expectations.
Today, LexAlign is a stand-alone application. LexAlign would be happy to integrate with the FIS applications that provide banks with a central location for accessing various products. Banks should make that request to FIS.