December 9, 2001
FYI - A preliminary test of mail delivered to a secure, closed mail-handling facility outside the main Federal Reserve Board building tested positive for anthrax exposure late Thursday afternoon.
www.federalreserve.gov/boarddocs/press/General/2001/20011206/default.htm
FYI - Russian Man Arrested in ATM Fraud Case - A Russian organized crime ring stole account numbers and personal identification numbers (PINs) from people using point-of-sale ATMs in Manhattan, New York City. The group allegedly stole $1.5 million from the victims, who are largely Chase and Citibank customers.
http://www.msnbc.com/news/664990.asp?0dm=T217T#BODY
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer, and not, for example, a third-party merchant on behalf of the consumer.
Pursuant to the regulations, the timing of a consumer's report of an unauthorized transaction or of the loss or theft of an access device determines the consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.
INTERNET SECURITY - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision in May 2001.
Principle 3: Banks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems, databases and applications.
Segregation of duties is a basic internal control measure designed to reduce the risk of fraud in operational processes and systems and to ensure that transactions and company assets are properly authorized, recorded and safeguarded. Segregation of duties is critical to ensuring the accuracy and integrity of data and is used to prevent the perpetration of fraud by an individual. If duties are adequately separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which segregation of duties is established and maintained, because transactions take place over electronic systems where identities can be more readily masked or faked. In addition, operational and transaction-based functions have in many cases become more compressed and integrated in e-banking applications. Therefore, the controls traditionally required to maintain segregation of duties need to be reviewed and adapted to ensure that an appropriate level of control is maintained. Because access to poorly secured databases can be more easily gained through internal or external networks, strict authorization and identification procedures, safe and sound architecture of the straight-through processes, and adequate audit trails should be emphasized.
Common practices used to establish and maintain segregation of duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to ensure that no single employee or outsourced service provider could enter, authorize and complete a transaction.
2) Segregation should be maintained between those initiating static data (including web page content) and those responsible for verifying its integrity.
3) E-banking systems should be tested to ensure that segregation of duties cannot be bypassed.
4) Segregation should be maintained between those developing and those administering e-banking systems.
PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.
Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these institutions are held to the most comprehensive compliance standards imposed by the Privacy regulation.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.
a. Compare the categories of data shared, and with whom the data were shared, to those stated in the privacy notice, and verify that what the institution tells consumers (customers and those who are not customers) in its notices about its policies and practices in this regard is consistent with what the institution actually does (§§10, 6).
b. Compare the data shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions, or from consumers (customers and those who are not customers) who chose not to opt out, is shared (§10).
2) If the financial institution also shares information under Section 13, obtain and review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in Section 14 or 15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts (§13(a)).