August 6, 2000
FYI - An application filed by Citizens National Bank of Evans City, Pennsylvania, with the OCC to establish an operating subsidiary, CNBCommerce.com, LLC, to provide e-commerce services to small businesses.
http://www.occ.treas.gov/interp/jul00/cd00-08.pdf
INTERNET SECURITY - Over the next three weeks, we will share the NCUA's "best practice" suggestions dealing with Identity Theft prevention. This guidance is based on experience from actual identity theft. Evaluate each suggestion and balance the privacy protection risk with the institution's resources and products to develop privacy protection strategies and policies that are right for your credit union, savings and loans, or bank.
1. Develop a comprehensive written privacy protection policy that includes responsible information handling practices. The privacy policy should address privacy and information handling for all the sensitive data held by the credit union, including data gathered from a website. The policy should cover all staff and officials of the credit union and their dealings with persons outside the credit union. It is beyond the scope of this Letter to provide comprehensive information on security and privacy strategies. However, we have appended some informational websites from experts in the field and encourage you to investigate further at libraries and technical bookstores.
2. Display your credit union's Privacy Protection Policy in your literature and on your website.
3. All staff, including credit union volunteers, should be trained on the credit union's security measures and privacy protection policies. Review and update the policies routinely and provide follow-up training. Even temporary and part-time employees, independent consultants, and vendors should have information on, and be subject to, the written policies.
4. Conduct criminal and civil background checks before hiring employees who will have access to sensitive personal information. This includes screening services and temporary firms that the credit union uses, such as after hours cleaning companies.
5. Limit the credit union's data collection to the information that is necessary for the stated purpose, and nothing more.
6. Limit data disclosure. Restrict the addition of unnecessary data on printed documents. For example, social security numbers printed on documents such as pay or loan distribution checks, parking permits, staff badges, time sheets, mailing labels, account statements, etc.
7. Prohibit using birth dates, social security, or driver's license numbers as account or personal identifier numbers.
8. Restrict sensitive personal data to only those who have a legitimate need to know. Implement electronic audit trails and impose strict penalties for browsing and illegitimate access.
INTERNET COMPLIANCE - The Fair Housing Act clarifies that a financial institution that advertises on-line credit products must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy.
Home Mortgage Disclosure Act (Regulation C) clarifies that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.
Home Mortgage Disclosure Act can be found at http://www.fdic.gov/regulations/laws/rules/7500-400.html#7500203.4
IN CLOSING - I would like to thank the National Center for Credit Unions for inviting me to speak at their conference held this past week. I met a lot of new friends and look forward to being of service to them. My special thanks to Dennis Sullivan and Ira Apfel with the NCCU.