Internet Banking News December 12, 1999 IMPORTANT - The Blanket Bond does NOT cover non-employee computer fraud, fraudulent voice instructions and fraudulent telefacs requests unless there is an endorsement to cover such activity. At present, I am not aware of an endorsement to cover a fraudulent e-mail from a bank customer. This information supplied by Fidelity and Deposit. Please double check with the bonding company to be sure that R. Kinney Williams & Associates is covered regarding Internet activities. FYI - The results of an Internet survey conducted by the California Department of Banking. The survey can be found at http://www.sbd.ca.gov/bulletin/1997/Internet.htm. FYI - The FFIEC believes that financial institutions may be exposed to higher levels of fraudulent and malicious attempts to exploit information systems during the century date change. For more information refer to the press release at http://www.fdic.gov/news/news/financial/1999/FIL99107a.html. INTERNET SECURITY - Before you can determine the scope of the security policy and the auditing procedures, R. Kinney Williams & Associates needs to conduct a risk assessment of your computer and Interment operations. This is what the OCC has to say about risk management: Financial institutions should have a technology risk management process to enable them to identify, measure, monitor, and control their technology risk exposure. Examiners should refer to OCC Bulletin 98-3, "Technology Risk Management" for additional guidance on this topic. Risk management of new technologies has three essential elements: 1. The planning process for the use of the technology. 2. Implementation of the technology. 3. The means to measure and monitor risk. The OCC's objective is to determine whether a bank is operating its Internet banking business in a safe and sound manner. The OCC expects banks to use a rigorous analytic process to identify, measure, monitor, and control risk. Examiners will determine whether the level of risk is consistent with the bank's overall risk tolerance and is within the bank's ability to manage and control. INTERNET COMPLIANCE - Electronic Fund Transfer Act (Regulation E) Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery. Accordingly, institutions must ensure that consumers who sign-up for a new banking service are provided with disclosures for the new service. Although not specifically mentioned in the commentary, this includes electronic financial services. Additionally, a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. An example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer. PRIVACY - The FDIC supports industry self-regulation that is specific, meaningful and effective. The agency believes it is a good business practice for financial institutions to adopt responsible privacy policies and information practices, disclose those policies and practices to increase consumer knowledge and understanding, and take other prompt, effective actions necessary to provide consumers with privacy protections in the online environment. The FDIC recognizes that information collection practices will vary among financial institutions. Therefore, it encourages banks to develop and implement information practices that best serve the needs of the bank and its customers. Such actions are good risk management and will enhance consumer confidence in online banking. TEXAS BANKS - The Texas Business and Commerce Code, Section 26.02 deals with the statute of frauds. You will recall the statute of frauds relates to requirements that certain contracts be in writing to be enforceable. A loan agreement for over $50,000 must be in writing to be enforceable, and the rights of the parties are governed solely by the writing if the lender complies with Section 26.02, which include the posted notice and the customer's signature acknowledging the effect of Section 26.02. Everette Jobe, General Counsel for the Texas Department of Banking, in an informal statement said "I tend to believe that Internet transactions should be treated the same as transactions at "off-premises electronic deposit facilities" with respect to the notice posting requirement, without regard to whether the Internet server is on the bank's premises or hosted by an ISP." CLIENTS - This means that your web site needs a link to notice in Section 26.02. This notice link should be on your home page and all lending web pages especially if you are using online loan applications. You will find the required notice at http://www.banking.state.tx.us/legal/rules/text/03%2D34.html. If your state has some bank posting requirements, the chances are the posting needs to be on R. Kinney Williams & Associates's web page. Please send me an e-mail of any posting requirements. I will verify if the posting needs to be on web sites and will comment in a future newsletter. |
