October 28, 2001
FYI
- The Treasury received 83
substantiated reports of computer intrusions, with 60 percent of the
cases involving banks’ own employees
trying to embezzle funds or perpetrate other frauds. http://www.msnbc.com/news/646264.asp?0dm=-12NT
FYI
- Amendment to OFAC
Regulations Concerning Yugoslavia. - Effective October 3, 2001, the
Department of the Treasury's Office of Foreign Assets Control
amended its regulations concerning Yugoslavia.
www.fdic.gov/news/news/financial/2001/fil0192.html
FYI - Update
to Executive Order Targeting Terrorist Assets - On September 24,
2001, President George W. Bush issued an Executive Order targeting
terrorists. As a result, a number of new names were added to the
Department of the Treasury's Office of Foreign Assets Control (OFAC)
Specially Designated Nationals and Blocked Persons list.
www.fdic.gov/news/news/financial/2001/fil0188.html
FYI - Specially
Designated Nationals and Blocked Persons
- On October 5, 2001, the Department of the Treasury's Office
of Foreign Assets Control updated its Foreign Terrorist Organization
list based on information published by the Secretary of State in the
Federal Register.
www.fdic.gov/news/news/financial/2001/fil0190.html
INTERNET
COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the
Internet or on-line text. Thus, institutions should carefully review
their on-line advertisements in an effort to minimize compliance
risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business"
under HUD's rules prescribing lobby notices. Thus, institutions may
want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 2 of 2)
Finally, the Board and senior management should ensure that
the bank's risk management processes for its e-banking activities are
integrated into the bank's overall risk management approach. The
bank's existing risk management policies and processes should be
evaluated to ensure that they are robust enough to cover the new
risks posed by current or planned e-banking activities. Additional
risk management oversight steps that the Board and senior management
should consider taking include:
1) Clearly establishing the banking organization's risk appetite in
relation to e-banking.
2) Establishing key delegations and reporting mechanisms, including
the necessary escalation procedures for incidents that impact the
bank's safety, soundness or reputation (e.g. network penetration,
employee security infractions and any serious misuse of computer
facilities).
3) Addressing any unique risk factors associated with ensuring the
security, integrity and availability of e-banking products and
services, and requiring that third parties to whom the bank has
outsourced key systems or applications take similar measures.
4) Ensuring that appropriate due diligence and risk analysis are
performed before the bank conducts cross-border e-banking
activities.
The Internet greatly facilitates a bank's ability to distribute
products and services over virtually unlimited geographic territory,
including across national borders. Such cross-border e-banking
activity, particularly if conducted without any existing licensed
physical presence in the "host country," potentially
subjects banks to increased legal, regulatory and country risk due
to the substantial differences that may exist between jurisdictions
with respect to bank licensing, supervision and customer protection
requirements. Because of the need to avoid inadvertent
non-compliance with a foreign country's laws or regulations, as well
as to manage relevant country risk factors, banks contemplating
cross-border e-banking operations need to fully explore these risks
before undertaking such operations and effectively manage them.
Depending on the scope and complexity of e-banking activities, the
scope and structure of risk management programs will vary across
banking organizations. Resources required to oversee e-banking
services should be commensurate with the transactional functionality
and criticality of systems, the vulnerability of networks and the
sensitivity of information being transmitted.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Financial Institution Duties
(Part 6 of 6)
Redisclosure and Reuse Limitations on Nonpublic Personal
Information Received:
If a financial institution receives nonpublic personal
information from a nonaffiliated financial institution, its
disclosure and use of the information are limited.
A) For nonpublic personal information received under a
section 14 or 15 exception, the financial institution is limited to:
1) Disclosing the information to the
affiliates of the financial institution from which it received the
information;
2) Disclosing the information to its
own affiliates, who may, in turn, disclose and use the information
only to the extent that the financial institution can do so;
and
3) Disclosing and using the
information pursuant to a section 14 or 15 exception (for example,
an institution receiving information for account processing could
disclose the information to its auditors).
B) For nonpublic personal information received other than
under a section 14 or 15 exception, the recipient's use of the
information is unlimited, but its disclosure of the information is
limited to:
1) Disclosing the information to
the affiliates of the financial institution from which it received
the information;
2) Disclosing the information to its
own affiliates, who may, in turn, disclose the information only to
the extent that the financial institution can do so; and
3) Disclosing the information to any
other person, if the disclosure would be lawful if made directly to
that person by the financial institution from which it received the
information. For example, an institution that received a customer
list from another financial institution could disclose the list (1)
in accordance with the privacy policy of the financial institution
that provided the list, (2) subject to any opt out election or
revocation by the consumers on the list, and (3) in accordance with
appropriate exceptions under sections 14 and 15.
IN CLOSING - This week I will be attending an IT auditing
school sponsored by the Information Systems Audit and Control
Association (ISACA). Please send me an e-mail if I can be of
any assistance.