Internet Banking News
July 25, 1999
1) Once again the Comptroller is speaking out about customer privacy. This
week he told a House panel that Congress should consider strengthening the consumer
privacy protections included in pending financial modernization legislation. The
Comptroller further stated that the relationship between banks and their customers is
built upon the pervasive assumption of customers that their banks will maintain the
confidentiality of that relationship. However, technological advances and competitive
pressures have placed a premium on the availability of personal information.
COMMENT: The complete text of the Comptroller's testimony can be found at http://www.bankwebsiteaudits.com/documents/occ_testimony_72199.htm.
From a liability standpoint, be certain that your privacy statement matches the bank's
practices.
2) INTERNET COMPLIANCE - Truth in Lending Act (Regulation Z) - The rules on advertising credit
products should be carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or closed-end credit products
on-line have options. Financial institutions should ensure that on-line advertising
complies with §226.16 and §226.24. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should comply with §226.16(c) and
§226.24(d), which describe the requirements for multiple-page advertisements.
COMMENT: Regulation Z applies when the bank's web site states specific credit terms. The
disclosures shall also be clear and conspicuous. Sections §226.16 and §226.24 can be
found at http://www.fdic.gov/lawsregs/rules/6500-7.html.
3) INTERNET SECURITY - A financial institution's board of directors and senior management
should be aware of information security issues and be involved in developing an
appropriate information security program. A comprehensive information security policy
should outline a proactive and ongoing program incorporating three components:
· Prevention
· Detection
· Response
Prevention measures include sound security policies, well-designed system architecture,
properly configured firewalls, and strong authentication programs. The FDIC paper
discusses two additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally involve running scans on a
system to proactively detect known vulnerabilities such as security flaws and bugs in
software and hardware. These tools can also detect holes allowing unauthorized access to a
network, or insiders to misuse the system. Penetration analysis involves an independent
party (internal or external) testing an institution's information system security to
identify (and possibly exploit) vulnerabilities in the system and surrounding processes.
Using vulnerability assessment tools and performing regular penetration analyses will
assist an institution in determining what security weaknesses exist in its information
systems.
I will cover Detection and Response over the next two weeks.
COMMENT: It goes without saying that the Board of Directors must be involved with your
Internet activities. Your bank probably already has a Bank Information Systems steering
committee. This committee should be given the responsibility for Internet security, or
another committee should be formed to specifically address Internet issues. In either
case, there should be at least quarterly reports to the Board regarding the bank's
Internet activities.