R. Kinney Williams & Associates

Internet Banking News

October 20, 2002

INTERNET COMPLIANCE - Reserve Requirements of Depository Institutions (Regulation D)

Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically) or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six-transaction limit imposed on passbook savings and MMDA accounts.

Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations. 

Consumer Leasing Act (Regulation M)

The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.

INTERNET SECURITY
- This completes our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Information Sharing.

Information sharing among reliable and reputable experts can help institutions reduce the risk of information system intrusions. The OCC encourages management to participate in information-sharing mechanisms as part of an effort to detect and respond to intrusions and vulnerabilities. Mechanisms for information sharing are being developed by many different organizations, each with a different mission and operation. In addition, many vendors offer information sharing and analysis services. Three organizations that are primarily involved with the federal government's national information security initiatives are the Financial Services Information Sharing and Analysis Center (FS/ISAC), the Federal Bureau of Investigation (FBI), and Carnegie Mellon University's CERT/CC.

The FS/ISAC was formed in response to Presidential Decision Directive 63: Critical Infrastructure Protection (May 22, 1998), which encourages the banking, finance, and other industries to establish information-sharing efforts in conjunction with the federal government. The FS/ISAC allows financial services entities to report incidents anonymously. In turn, the FS/ISAC rapidly distributes information about attacks to the FS/ISAC members. Banks can contact FS/ISAC by telephone at (888) 660-0134, e-mail at admin@fsisac.com or their Web site at http://www.fsisac.com.

The FBI operates the National Information Protection Center Infraguard outreach effort. Since Infraguard supports law enforcement efforts, Infraguard members submit two versions of an incident report. One complete version is used by law enforcement and contains information that identifies the reporting member. The other version does not contain that identifying information, and is distributed to other Infraguard members. Banks can contact the FBI by contacting local FBI field offices or via e-mail at nipc@fbi.gov. 

CERT/CC is part of a federally funded research and development center at Carnegie Mellon University that helps organizations identify vulnerabilities and recover from intrusions. It provides up-to-date information on specific attacks (including viruses and denial of service) and collates and shares information with other organizations. CERT/CC does not require membership to report problems. Banks can contact CERT/CC by phone at (412) 268-7090 or e-mail at cert@cert.org.


PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a penetration study of your Internet connection. The Vulnerability Internet Security Test Audit (VISTA) is an independent penetration study of {custom4}'s network connection to the Internet that meets the regulatory requirements. As professional IT auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. For more information, visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated