November 18, 2001
FYI - Banking giant Citibank announced that it will soon remove fees for
all U.S. transactions on its online payment service. http://news.cnet.com/news/0-1007-200-7891983.html?tag=ch_mh
FYI - Specially Designated Nationals and Blocked
Persons - On November 7, 2001, the Department of the Treasury's
Office of Foreign Assets Control amended its listing of specially
designated nationals and blocked persons by adding a significant
number of terrorist organizations and individuals, including certain
money transmitters and others in the United States. www.fdic.gov/news/news/financial/2001/fil0197.html
FYI - Fed Announces Results of Study of the Payments System
First Authoritative Study in 20 Years - New data collected by the Federal
Reserve System suggest check writing in the United States is steadily giving way
to electronic forms of payment as consumers, businesses, and financial
institutions seek to be more efficient and cost-effective.
www.federalreserve.gov/boarddocs/press/General/2001/20011114/default.htm
INTERNET COMPLIANCE - The Role Of Consumer Compliance In
Developing And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system designers
consult with the compliance officer during the development and
implementation stages in order to minimize compliance risk. The
compliance officer should ensure that the proper controls are
incorporated into the system so that all relevant compliance issues
are fully addressed. This level of involvement will help decrease an
institution's compliance risk and may prevent the need to delay
deployment or redesign programs that do not meet regulatory
requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This profile will establish a framework from which
the compliance officer and technology staff can discuss specific
technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements. For
example, the compliance officer may communicate with the technology
staff about whether compliance disclosures/notices on a web site
should be indicated or delivered by the use of "pointers"
or "hotlinks" to ensure that required disclosures are
presented to the consumer. The compliance officer can also be an
ongoing resource to test the system for regulatory compliance.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
While the Board of Directors has the responsibility for ensuring that
appropriate security control processes are in place for e-banking,
the substance of these processes needs special management attention
because of the enhanced security challenges posed by e-banking.
Over the next number of weeks we will cover the principles of
Security Controls.
Security Controls - Principle 1: Banks should take appropriate measures
to authenticate the identity and authorization of customers with whom
they conduct business over the Internet. (Part 1 of 2)
It is essential in banking to confirm that a particular
communication, transaction, or access request is legitimate.
Accordingly, banks should use reliable methods for verifying the
identity and authorization of new customers as well as
authenticating the identity and authorization of established
customers seeking to initiate electronic transactions.
Customer verification during account origination is important in
reducing the risk of identity theft, fraudulent account applications
and money laundering. Failure on the part of the bank to adequately
authenticate customers could result in unauthorized individuals
gaining access to e-banking accounts and ultimately financial loss
and reputational damage to the bank through fraud, disclosure of
confidential information or inadvertent involvement in criminal
activity.
Establishing and authenticating an individual's identity and
authorization to access banking systems in a purely electronic open
network environment can be a difficult task. Legitimate user
authorization can be misrepresented through a variety of techniques
generally known as "spoofing." Attackers can also hijack the session
of a legitimately authorized individual, for example by capturing
credentials or session tokens with a "sniffer" on the network path,
and then carry out activities of a mischievous or criminal nature.
Authentication control processes can in addition be circumvented
through the alteration of authentication databases, so the integrity
of the stored credentials must be protected as well as the login
exchange itself.
Accordingly, it is critical that banks have formal policy and
procedures identifying appropriate methodology(ies) to ensure that
the bank properly authenticates the identity and authorization of an
individual, agent or system by means that are unique and, as far as
practical, exclude unauthorized individuals or systems. Banks can use
a variety of methods to establish authentication, including PINs,
passwords, smart cards, biometrics, and digital certificates. These
methods can be either single factor or multi-factor (e.g. using both
a password and biometric technology to authenticate). Multi-factor
authentication generally provides stronger assurance, because a
compromise of one factor (a sniffed or guessed password) is not by
itself sufficient to gain access.
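The following is an added worked example, not code from the Basel paper, the FDIC, or this newsletter. It shows what the two-factor case above looks like in practice: a salted, iterated password hash (something the customer knows) combined with a time-based one-time code from an enrolled device (something the customer has, RFC 6238 TOTP). All function names, the customer record layout and the PBKDF2 parameters are this example's own choices; the demo uses the published RFC 4226 test key and a fixed clock so the results are reproducible, which a real server would of course replace with per-customer secrets and the current time.

```python
"""Two-factor customer login: salted password hash plus a TOTP code.
Added example; names, record layout and parameters are assumptions."""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 600_000   # slows offline guessing if the credential store leaks
TOTP_STEP = 30                # RFC 6238 time step in seconds
TOTP_DIGITS = 6


def enroll(password: str, totp_secret: bytes) -> dict:
    """Build the stored record for a new customer.
    Only a salted hash of the password is kept; the TOTP secret is the
    device's shared key (in production it would be encrypted at rest)."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def totp(secret: bytes, for_time: float, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(record: dict, password: str) -> bool:
    """Recompute the hash and compare in constant time (no timing leak)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def check_totp(record: dict, code: str, now: float, skew_steps: int = 1) -> bool:
    """Accept the current step and one step either side to tolerate clock
    drift. Anything older is treated as a replayed code and rejected."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(record["totp_secret"], now + delta * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(record: dict, password: str, code: str, now: float) -> bool:
    """Both factors must verify. Both checks always run, so response time
    does not reveal which factor failed."""
    pw_ok = check_password(record, password)
    otp_ok = check_totp(record, code, now)
    return pw_ok and otp_ok


def demo() -> dict:
    """Walk through the scenarios from the text with fixed, constructed inputs:
    the RFC 4226 test key and a clock reading of 89 seconds (time step 2)."""
    secret = b"12345678901234567890"             # RFC 4226 test key, not a real secret
    record = enroll("correct horse battery", secret)
    now = 89.0
    good_code = totp(secret, now)
    return {
        "both_factors": authenticate(record, "correct horse battery", good_code, now),
        # a sniffed or guessed password alone is not enough
        "password_only": authenticate(record, "correct horse battery", "000000", now),
        # a code captured two steps ago falls outside the drift window
        "replayed_code": authenticate(record, "correct horse battery",
                                      totp(secret, now - 2 * TOTP_STEP), now),
        "wrong_password": authenticate(record, "wrong", good_code, now),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {'accepted' if outcome else 'rejected'}")
```

Only the first scenario is accepted. Note what this example does not cover: it protects the login exchange, not the stored record. The alteration of authentication databases mentioned above is a separate control (integrity protection and access control on the credential store), and a TOTP secret stored in the clear is exactly the kind of record an attacker who can read or modify that database would target.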
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Examination Procedures (Part 1 of 3)
A. Through discussions with management and review of available
information, identify the institution's information sharing
practices (and changes to those practices) with affiliates and
nonaffiliated third parties; how it treats nonpublic personal
information; and how it administers opt-outs. Consider the following
as appropriate:
1) Notices (initial, annual, revised, opt out, short-form, and
simplified);
2) Institutional privacy policies and procedures, including
those to:
a) process requests for nonpublic personal information, including
requests for aggregated data;
b) deliver notices to consumers;
c) manage consumer opt out directions (e.g., designating files,
allowing a reasonable time to opt out, providing new opt out and
privacy notices when necessary, receiving opt out directions,
handling joint account holders);
d) prevent the unlawful disclosure and use of the information
received from nonaffiliated financial institutions; and
e) prevent the unlawful disclosure of account numbers;
3) Information sharing agreements between the institution and
affiliates and service agreements or contracts between the
institution and nonaffiliated third parties either to obtain or
provide information or services;
4) Complaint logs, telemarketing scripts, and any other
information obtained from nonaffiliated third parties (Note: review
telemarketing scripts to determine whether the contractual terms set
forth under section 13 are met and whether the institution is
disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from
or about consumers in obtaining a financial product or service
(e.g., in the application process for deposit, loan, or investment
products; for an over-the-counter purchase of a bank check; from
E-banking products or services, including the data collected
electronically through Internet cookies; or through ATM
transactions);
6) Categories of nonpublic personal information shared with,
or received from, each nonaffiliated third party;
7) Consumer complaints regarding the treatment of nonpublic
personal information, including those received electronically;
8) Records that reflect the bank's categorization of its
information sharing practices under Sections 13, 14, 15, and outside
of these exceptions; and
9) Results of a 501(b) inspection (used to determine the
accuracy of the institution's privacy disclosures regarding data
security).
IN CLOSING - We greatly appreciate your business and want to wish you a
wonderful Thanksgiving.