November 25, 2001
FYI
- Unix bugged? - Internet Security Systems last week sounded
the alarm about a serious security weakness it says is associated
with Unix software from six vendors: Sun, Compaq, Hewlett-Packard,
Caldera, SGI and IBM. http://www.nwfusion.com/news/2001/1119unix.html
INTERNET COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should review the
web site to determine whether the disclosures have been designed to
meet this standard. Institutions may find that the format(s)
previously used for providing paper disclosures may need to be
redesigned for an electronic medium. Institutions may find it
helpful to use "pointers" and "hotlinks" that
will automatically present the disclosures to customers when
selected. A financial institution's use solely of asterisks or other
symbols as pointers or hotlinks would not be as clear as descriptive
references that specifically indicate the content of the linked
material.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Security Controls - Principle 1: Banks should take appropriate measures
to authenticate the identity and authorization of customers with whom
they conduct business over the Internet. (Part 2 of 2)
The bank must determine which authentication methods to use based on
management's assessment of the risk posed by the e-banking system as
a whole or by the various sub-components. This risk analysis should
evaluate the transactional capabilities of the e-banking system
(e.g. funds transfer, bill payment, loan origination, account
aggregation etc.), the sensitivity and value of the stored e-banking
data, and the customer's ease of using the authentication method.
Robust customer identification and authentication processes are
particularly important in the cross-border e-banking context given
the additional difficulties that may arise from doing business
electronically with customers across national borders, including the
greater risk of identity impersonation and the greater difficulty in
conducting effective credit checks on potential customers.
As authentication methods continue to evolve, banks are encouraged
to monitor and adopt industry sound practice in this area such as
ensuring that:
1) Authentication databases that provide access to e-banking
customer accounts or sensitive systems are protected from tampering
and corruption. Any such tampering should be detectable and audit
trails should be in place to document such attempts.
2) Any addition, deletion or change of an individual, agent or
system to an authentication database is duly authorized by an
authenticated source.
3) Appropriate measures are in place to control the e-banking
system connection so that an unknown third party cannot displace a
known customer (take over the customer's connection).
4) Authenticated e-banking sessions remain secure for their full
duration; if a security lapse occurs, the session should require
re-authentication.
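The four practices above can be made concrete in code. The following is an added illustration written for this newsletter, not code from the Basel paper or from any bank's e-banking system. It keeps credential records behind an API that appends an HMAC-chained audit entry for every change (practice 1), refuses and logs changes that do not come from an authenticated administrator (practice 2), and binds each session to the client fingerprint it was issued to so that a request from another client, or after the idle limit, ends the session and forces re-authentication (practices 3 and 4). The audit key, user names, passwords and fingerprints are constructed sample data.

```python
"""Tamper-evident authentication store, chained audit trail and bound sessions.
Added illustration of practices 1-4; not from the Basel paper or any bank.
Audit key, users, passwords and client fingerprints are constructed samples."""
import hashlib, hmac, json, secrets, time


class AuthorizationError(Exception): pass


def _verifier(password: str, salt: bytes) -> str:
    # PBKDF2: a leaked record table does not give up plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class AuthDB:
    """Credential records plus an HMAC-chained audit log (practices 1 and 2).
    Each tag covers the previous tag, the entry and a digest of the whole record
    table, so an edit behind the API or to the log itself makes verify() fail."""

    def __init__(self, audit_key: bytes, admin: str, admin_password: str):
        self._key, self._records, self._audit = audit_key, {}, []
        self._prev_tag = b"\x00" * 32
        self._store(admin, admin_password, "admin")
        self._commit("bootstrap", "add", admin)

    def _store(self, user, password, role):
        salt = secrets.token_bytes(16)
        self._records[user] = {"salt": salt.hex(), "hash": _verifier(password, salt), "role": role}

    def _state_digest(self) -> str:
        return hashlib.sha256(json.dumps(self._records, sort_keys=True).encode()).hexdigest()

    def _commit(self, actor, action, target):
        entry = {"ts": time.time(), "actor": actor, "action": action,
                 "target": target, "state": self._state_digest()}
        body = json.dumps(entry, sort_keys=True).encode()
        tag = hmac.new(self._key, self._prev_tag + body, hashlib.sha256).digest()
        self._audit.append((entry, tag))
        self._prev_tag = tag

    def check_password(self, user, password) -> bool:
        rec = self._records.get(user)
        return rec is not None and hmac.compare_digest(
            rec["hash"], _verifier(password, bytes.fromhex(rec["salt"])))

    def set_user(self, actor, actor_password, user, password, role="customer"):
        # Practice 2: only an authenticated admin may change the table; refusals are logged too.
        if not self.check_password(actor, actor_password) or self._records[actor]["role"] != "admin":
            self._commit(actor, "denied:set", user)
            raise AuthorizationError(f"{actor} may not modify {user}")
        self._store(user, password, role)
        self._commit(actor, "set", user)

    def verify(self) -> bool:
        """True when the audit chain is intact and the records match its last entry."""
        prev = b"\x00" * 32
        for entry, tag in self._audit:
            body = json.dumps(entry, sort_keys=True).encode()
            if not hmac.compare_digest(tag, hmac.new(self._key, prev + body, hashlib.sha256).digest()):
                return False
            prev = tag
        return self._audit[-1][0]["state"] == self._state_digest()


class SessionTable:
    """Practices 3 and 4: a session is bound to the client fingerprint it was
    issued to and expires when idle; any mismatch ends it and forces re-login."""

    def __init__(self, idle_limit=600):
        self._sessions, self.idle_limit = {}, idle_limit

    def open(self, user, fingerprint, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": fingerprint, "last": now}
        return token

    def resolve(self, token, fingerprint, now):
        s = self._sessions.get(token)
        if s is None:
            return None
        if s["fp"] != fingerprint or now - s["last"] > self.idle_limit:
            del self._sessions[token]   # intruder or stale session: re-authenticate
            return None
        s["last"] = now
        return s["user"]


def run_demo() -> dict:
    db = AuthDB(b"constructed-audit-key", "ops-admin", "Adm1n-pass!")
    db.set_user("ops-admin", "Adm1n-pass!", "alice", "correct horse battery")
    out = {"clean": db.verify()}
    try:
        db.set_user("alice", "correct horse battery", "mallory", "x")
        out["customer_refused"] = False
    except AuthorizationError:
        out["customer_refused"] = True
    db._records["alice"]["role"] = "admin"          # privilege edit behind the API
    out["tamper_detected"] = not db.verify()
    sessions = SessionTable(idle_limit=600)
    token = sessions.open("alice", "fp-A", now=1000)
    out["hijack"] = sessions.resolve(token, "fp-B", now=1001)        # other client
    out["after_hijack"] = sessions.resolve(token, "fp-A", now=1002)  # already ended
    return out
```

run_demo() returns clean=True, customer_refused=True, tamper_detected=True, and None for both session lookups after the foreign-client request. The audit key is the whole of the tamper-evidence: it must live somewhere the database administrator cannot read it (a separate host or an HSM), otherwise whoever can edit the table can also re-chain the log.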
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Examination Procedures
(Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify which
module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is
applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and
controls, including review of new products and services and controls
over servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including
the use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training
program;
5) Suitability of the compliance audit program for ensuring
that:
a) the procedures address all regulatory provisions as applicable;
b) the work is accurate and comprehensive with respect to the
institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to responsible
parties;
e) steps are taken to correct deficiencies and to follow up on
previously identified deficiencies; and
6) Knowledge level of management and personnel.
IN CLOSING - We hope you had a good Thanksgiving.