Internet Banking News December 5, 1999 FYI - This past week I was privileged to speak about Internet banking compliance and security at the Bankers' Compliance Group seminar held in California. The Bankers' Compliance Group specializes in compliance regulations for bankers. I want to thank Mark Moore with the law firm of Aldrich and Bonnefin for inviting me to participate in their seminar. You want to bookmark their web site at http://www.bankerscompliancegroup.com for future reference for Your Bank. INTERNET SECURITY - The OCC Internet Banking handbook states that well-defined policies will help a bank develop a sound system of controls and ultimately reduce the vulnerability to penetration. Well-defined control objectives will help the systems administrator or vendors to properly configure the firewall. Such policies also will give auditors a standard to measure against when performing tests. Some considerations for bank firewall policies include: 1) Communicating the bank's policy with respect to monitoring employee use of data communications networks, including electronic mail and the Internet. 2) Requiring virus checking for all diskettes or downloads from other than authorized sources. Even diskettes received from other employees can be contaminated with a virus and should be scanned before use, especially on a PC connected to the bank's network. 3) Determining the bank's policy for the access to PCs and the bank's network after hours for uses that are not related to work. 4) Informing employees of the consequences of violating the institution's network usage policies. 5) Limiting access to and use of administrator level capabilities of the firewall hardware and software. 6) Requiring periodic review of the vulnerabilities of the bank's firewalls from known threats including, penetration testing. 7) Regularly logging and reviewing all activity. INTERNET COMPLIANCE - Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with nondeposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the nondeposit investment product or its lack of FDIC insurance. 1) Not FDIC Insured In addition, the logo format disclosures should be boxed, set in bold face type, and displayed in a conspicuous manner. PRIVACY - Financial institutions should review their internal controls to ensure that these controls prevent the improper disclosure of personal information to third parties. Banks with outsourcing arrangements may need to be especially cognizant of privacy concerns as outsourcing arrangements present a greater potential for banks to lose control over consumer information. Banks that lose control of consumers' information are subject to liability and reputation risk. Internal controls should incorporate a monitoring and review mechanism that will test compliance with established privacy policies and information practices.
WEB PAGES - I would recommend that you establish a log for each web page. The web page log will keep track of the date the web page was created, the date of changes, and the description of the change. The web page logs will come in handy to show examiners when changes were made to help you with record retention requirements. |
