Internet Banking News
September 19, 1999
INTERNET COMPLIANCE - When on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the requirements of the Electronic
Fund Transfer Act and Regulation E apply. Financial institutions must provide disclosures
that are clear and readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued that allows depository institutions to satisfy the
requirement to deliver by electronic communication any of these disclosures as long as the
consumer agrees to such method of delivery.
Regulations clarify that written authorization for preauthorized transfers from a
consumer's account includes an electronic authorization that is not signed but is similarly
authenticated by the consumer, such as through the use of a security code. The text of the
electronic authorization must be displayed on a computer screen that enables the consumer
to read the communication from the institution. Only the consumer may authorize the
transfer, not a third-party merchant on behalf of the consumer.
Timing in reporting an unauthorized transaction, loss, or theft of an access device
determines a consumer's liability. A financial institution may receive correspondence
through an electronic medium concerning an unauthorized transaction, loss, or theft of an
access device. Therefore, the institution should ensure that controls are in place to
review these notifications and also to ensure that an investigation is initiated as
required.
FYI - I recommend that your bank's Electronic Fund Transfer Policy be a link off any
web page that allows funds transfers or that discusses funds transfers.
INTERNET SECURITY - Issues to consider in your bank's risk assessment process include:
1) Identifying mission-critical information systems, and determining the effectiveness of
current information security programs.
2) Assessing the importance and sensitivity of information, and the likelihood of outside
break-ins (e.g., by hackers) and insider misuse of information.
CLIENTS: For example, if a large depositor list were made public, that disclosure could
expose the bank to reputational risk and the potential loss of deposits. Further, the
institution could be harmed if human resource data (e.g., salaries and personnel files)
were made public. The assessment should identify systems that allow the transfer of funds,
other assets, or sensitive data/confidential information, and review the appropriateness
of access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with business partners.
4) Determining legal implications and contingent liability concerns associated with any of
the above.
COMMENT: Risk assessment is probably the most important process in determining your bank's
security measures. Without a good risk assessment, there is no way you can establish
security measures to protect critical data.