October 21, 2001
FYI - NCUA - Letter to Credit Unions 01-CU-12 -- e-Commerce
Insurance Considerations
www.ncua.gov/ref/letters/01-CU-12.pdf
INTERNET COMPLIANCE - Truth in Lending Act (Regulation Z)
The commentary to Regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day
rule," requiring mailing or delivery of the statement not later
than 14 days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
multiple-page advertisements.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 1 of 2)
Vigilant management oversight is essential for the provision of
effective internal controls over e-banking activities. In addition
to the specific characteristics of the Internet distribution channel
discussed in the Introduction, the following aspects of e-banking
may pose considerable challenge to traditional risk management
processes:
1) Major elements of the delivery channel (the Internet and related
technologies) are outside of the bank's direct control.
2) The Internet facilitates delivery of services across multiple
national jurisdictions, including those not currently served by the
institution through physical locations.
3) The complexity of issues that are associated with e-banking and
that involve highly technical language and concepts is in many
cases outside the traditional experience of the Board and senior
management.
In light of the unique characteristics of e-banking, new e-banking
projects that may have a significant impact on the bank's risk
profile and strategy should be reviewed by the Board of Directors
and senior management and undergo appropriate strategic and
cost/reward analysis. Without adequate up-front strategic review and
ongoing performance-to-plan assessments, banks are at risk of
underestimating the cost and/or overestimating the payback of their
e-banking initiatives.
In addition, the Board and senior management should ensure that the
bank does not enter into new e-banking businesses or adopt new
technologies unless it has the necessary expertise to provide
competent risk management oversight. Management and staff expertise
should be commensurate with the technical nature and complexity of
the bank's e-banking applications and underlying technologies.
Adequate expertise is essential regardless of whether the bank's
e-banking systems and services are managed in-house or outsourced to
third parties. Senior management oversight processes should operate
on a dynamic basis in order to effectively intervene and correct any
material e-banking systems problems or security breaches that may
occur. The increased reputational risk associated with e-banking
necessitates vigilant monitoring of systems operability and customer
satisfaction as well as appropriate incident reporting to the Board
and senior management.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Financial Institution Duties (Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
the consumer.
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.