August 26, 2001

FYI - Cyber Citizen Lands Felony Charges? A good deed may lead to
prosecution for a 24-year-old sales and support employee for an
internet service provider in SE Oklahoma. He became a statistic for
the Computer Analysis Response Team because he alerted a local
business to a serious security flaw in their website.
http://www.linuxfreak.org/post.php/08/17/2001/134.html
FYI - FDIC Guidance on Electronic Authentication
www.fdic.gov/news/news/financial/2001/fil0169.html
INTERNET COMPLIANCE - Disclosures/Notices (continued from last week)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk, institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant and
rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users
and be able to maintain such availability in all circumstances.
Effective incident response mechanisms are also critical to minimize
operational, legal and reputational risks arising from unexpected
events, including internal and external attacks, that may affect the
provision of e-banking systems and services. To meet customers’
expectations, banks should therefore have effective capacity,
business continuity and contingency planning. Banks should also
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
services.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
The Exceptions
Exceptions to the opt-out right are detailed in sections 13, 14,
and 15 of the regulations. Financial institutions need not comply
with opt-out requirements if they limit disclosure of nonpublic
personal information:
1) To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or those
offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by contract
prohibits the third party from disclosing or using the information
for other than the specified purposes. In a contract for a joint
marketing agreement, the contract must provide that the parties to
the agreement are jointly offering, sponsoring, or endorsing a
financial product or service. However, if the service or function is
covered by the exceptions in section 14 or 15 (discussed below), the
financial institution does not have to comply with the additional
disclosure and confidentiality requirements of section 13.
Disclosure under this exception could include the outsourcing of
marketing to an advertising company. (Section 13)
2) As necessary to effect, administer, or enforce a
transaction that a consumer requests or authorizes, or under certain
other circumstances relating to existing relationships with
customers. Disclosures under this exception could be in connection
with the audit of credit information, administration of a rewards
program, or to provide an account statement. (Section 14)
3) For specified other disclosures that a financial
institution normally makes, such as to protect against or prevent
actual or potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable legal
requirements, such as the disclosure of information to regulators.
(Section 15)
FYI PRIVACY - FDIC Examination Procedures to Evaluate Customer
Information Safeguards
www.fdic.gov/news/news/financial/2001/fil0168.html
IN CLOSING - One of the more compelling arguments for wide-scale use
of smart cards in large companies can be summed up in the following,
somewhat cryptic question: How often do you call your bank's help
desk when using an ATM?
http://cnet.com/news/0-1007-200-6940831.html?tag=mn_hd