Internet Banking
News
January 23, 2000
FYI - What is a bank's home page? Is it the first web page that appears when entering the bank's URL? Or is it the first true "advertising" web page? The question has come up over the past few weeks regarding "portal" and "splash" web pages. A portal is a web page or site that offers numerous links to different services or information. AOL is a portal. A splash web page is a page that appears for only a few seconds then automatically proceeds to the next web page. So, what is a bank's home page? While it is my opinion that the home page is Your Bank's first "advertising" web page, I would enjoy hearing your thoughts on this subject, which I will pass along confidentially to the regulators.
FYI - Recent call report instructions require Your Bank to list their "primary URL" and the instructions read:
"Banks with an Internet Web site or home page must report the primary Web address for their site as part of their Call Report submission. On the report forms, the location for disclosing this address is on the cover page below the FDIC Certificate Number. Web addresses should not exceed 75 characters in length. The FFIEC and the banking agencies are currently treating Web addresses as confidential. However, the agencies plan to make banks' Web addresses publicly available beginning with the Call Reports for March 31, 2000. Therefore, please ensure that you accurately report your Web address, if any. Do not provide an e-mail address in the space for the Web address.
The primary Internet Web address is the public Internet site address (also known as the Uniform Resource Locator or URL) that a bank's customer or potential customer enters into Internet browser software in order to find the first page of the bank's Web site. Examples are www.bank.com http://www.bank.com, www.isp.com/bank/, http://www.isp.com/bank/, or bank.isp.com. When entering your Web address on the Call Report, do not preface the Web address with http:// because this is already included on the report form. If your bank does not have its own Web site or home page, but information on or functions of your bank can be accessed through an affiliate's Web address, please provide that affiliate's primary Web address. If your bank maintains more than one Web site, it should provide the Web address that best represents your institution."
INTERNET SECURITY - Establishing a link between a bank's internal network and the Internet can create a number of additional access points into the internal operating system. Furthermore, because the Internet is global, unauthorized access attempts might be initiated from anywhere in the world. These factors present a heightened risk to systems and data, necessitating strong security measures to control access. Because the security of any network is only as strong as its weakest link, the functionality of all related systems must be protected from attack and unauthorized access. Specific risks include the destruction, altering, or theft of data or funds; compromised data confidentiality; denial of service (system failures); a damaged public image; and resulting legal implications. Perpetrators may include hackers, unscrupulous vendors, former or disgruntled employees, or even agents of espionage. (FDIC December 1997)
INTERNET COMPLIANCE - The FFIEC Internet guidelines read "Compliance officers will need to review their existing compliance policies and procedures and make appropriate modifications based upon the types of products, services, and operating features of the institution's online system. The compliance program may not need to be revamped, but merely extended to address the new level of technology employed by the institution. Staff should be trained and a monitoring system implemented to review continually the content and operation of the online programs to prevent inadvertent or unauthorized changes that may affect compliance with the regulations."
PRIVACY - The regulator's draft privacy policy gives an insight to the information to be included in initial and annual notices of privacy policies and practices.
(a) General Rule. The initial and annual notices you provide about your privacy policies and practices shall include each of the following items of information:
(1) The categories of nonpublic personal information that you collect, separately identified by both source and content;
(2) The categories of nonpublic personal information that you disclose identified by both its source and its content;
(3) Your policies and practices with respect to disclosing nonpublic personal information-
(i) To your affiliates, including the categories of affiliates (separately identified by both types of businesses and products or services offered to consumers). Other than as provided;
(ii) To nonaffiliated third parties, including the categories of nonaffiliated third parties (separately identified by both types of businesses and products or services offered to consumers), other than those third parties as provided; and
(iii) About individuals that no longer have a customer relationship with you;
(4) To the extent applicable, the consumer or customer's right to opt out of disclosure of nonpublic personal information to a nonaffiliated third party that you identify as required by paragraphs (2) and (3)(ii) other than as permitted;
(5) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)); and
(6) Your policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information.
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information about a customer or consumer to nonaffiliated third parties as authorized, you are not required to list those exceptions in the initial or annual privacy notices required. When describing your policies and practices with respect to those parties, you are only required to state that you make disclosures to other nonaffiliated third parties as permitted by law.
(c) Examples.
(1) Categories of nonpublic personal information that you collect. You categorize the nonpublic personal information you collect according to its source if you identify the particular source, such as a credit application or a specific account. You categorize nonpublic personal information you collect according to its content if you identify the particular type of content, such as payment history, overdraft history, income information, and information about purchases. You may not, however, categorize the information you collect only in general terms, such as "transaction information" or "everything."
(2) Categories of nonpublic personal information you disclose. You categorize nonpublic personal information you disclose according to its source if you identify the particular source, such as a credit application or a specific account. You categorize nonpublic personal information you disclose according to its content if you identify the particular type of content, such as payment history, overdraft history, income history, income information, and information about purchases. When applicable, you may refer to the categories of information you collect, including stating that you disclose everything you collect.
(3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You categorize the affiliates and nonaffiliated third parties to whom you disclose if you identify the types of businesses that they engage in, such as telemarketing, health insurance, or mortgage banking, and the particular types of products or services that they may offer your customers, such as dental plans, health insurance, or home loans.
(4) Confidentiality, security, and integrity. You describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you explain matters such as who has access to the information and the particular circumstances under which the information may be accessed. You describe your policies and practices with respect to protecting the integrity of nonpublic personal information if you explain measures such as those you take to protect against reasonably anticipated threats or hazards. You are not required to describe technical information about the safeguards that you use.
|