FYI - Survey: 2 million bank accounts robbed - Criminals taking advantage of online banking -
Nearly 2 million Americans have had their checking accounts raided
by criminals in the past 12 months, according to a soon-to-be
released survey by market research group Gartner. Consumers reported
an average loss per incident of $1,200, pushing total losses higher
than $2 billion for the year.
http://www.msnbc.msn.com/id/5184077/
FYI - New Guidance for Examiners, Financial Institutions and
Technology Service Providers on Development and Acquisition of
Information Systems - The Federal Financial Institutions Examination
Council has issued a booklet with guidance on evaluating development
and acquisition activities.
www.fdic.gov/news/news/financial/2004/fil6404.html
FYI - Guidance on Developing an Effective Computer Virus
Protection Program - The FDIC is issuing guidance to financial
institutions about the importance of maintaining an effective
computer virus protection program. The guidance provides information
on the risks associated with computer viruses and how these risks
can be mitigated.
www.fdic.gov/news/news/financial/2004/fil6204.html
FYI - Keys to addressing the data privacy mandate -
Enterprises worldwide are spending approximately $20 billion per
year on IT security, yet very costly breaches continue to occur. In
large part, this is because security efforts have mainly been
focused on network security rather than data privacy. Data privacy
is the process of securing critical data as it is being stored,
transmitted, and used within the enterprise.
www.scmagazine.com/features/index.cfm?fuseaction=featureDetails&newsUID=4a14fd86-c1af-4855-8e02-00057c15b2ec
FYI - The case for intrusion prevention - There have been
many cases reported in both trade and national press recently about
the increasing threat of cyber attacks, and the methodology employed
to exploit vulnerabilities in security implementations. Despite this
increased emphasis on the reality of the threat, many organisations
are ignoring the advances in security products and technologies that
can significantly increase their resistance to these attacks.
www.scmagazine.com/features/index.cfm?fuseaction=featureDetails&newsUID=89299d64-93fa-4e46-a244-f4d902a3d981
FYI - Security time bomb is triggered by 'rogue laptops' - Unpatched notebook PCs are a weak link in enterprise security
arrangements, experts warned.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39156799-39020375t-10000025c
FYI - The Witty worm: A new chapter in malware - If press
coverage is any guide, then the Witty worm wasn't all that
successful. Witty infected only about 12,000 machines, almost none
of them home users. But Witty was a big deal. It represented some
scary malware firsts and is likely a harbinger of worms to come. IT
professionals need to understand Witty and what it did.
http://www.computerworld.com/printthis/2004/0,4814,93584,00.html
FYI - IT managers: security too tough for us - More than two thirds (68 per cent) of UK IT managers
say that managing security is a complex and time-consuming task.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=e8add48c-e118-4d24-b381-a8f43436f7e2&newsType=Latest%20News
FYI - Online banking skyrockets, study says - More than 22 million customers logged in to accounts at
the top 10 U.S. banks during the first quarter, a 29 percent jump
from the same period last year, according to a new study.
http://news.com.com/Online+banking+skyrockets%2C+study+says/2100-1032_3-5237462.html?tag=nefd.top
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
A. RISK DISCUSSION
Reputation Risk
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.
Nature of Product or Service
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
store.
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
in nature.
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
financial institution.
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
seller.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
appropriately.
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Requirements
Financial institutions should develop security control requirements
for new systems, system revisions, or new system acquisitions.
Management will define the security control requirements based on
their risk assessment process evaluating the value of the
information at risk and the potential impact of unauthorized access
or damage. Based on the risks posed by the system, management may
use a defined methodology for determining security requirements,
such as ISO 15408, the Common Criteria. Management may also refer
to published, widely recognized industry standards as a baseline for
establishing their security requirements. A member of senior
management should document acceptance of the security requirements
for each new system or system acquisition, acceptance of tests
against the requirements, and approval for implementing in a
production environment.
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
IT SECURITY QUESTION:
F. PERSONNEL SECURITY
5. Determine if employees have an available and reliable
mechanism to promptly report security incidents, weaknesses, and
software malfunctions.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice
in §8, and for service providers and joint marketers in §13, not
apply because the institution makes the disclosure:
a. with the consent or at the direction of the consumer;
[§15(a)(1)]
b.
1. to protect the confidentiality or security of records; [§15(a)(2)(i)]
2. to protect against or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]
3. for required institutional risk control or for resolving
consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating
to the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity
on behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or
agencies, agencies rating the institution, persons assessing
compliance, and the institution's attorneys, accountants, and
auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or
to law enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA
or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]
f. in connection with a proposed or actual sale, merger,
transfer, or exchange of all or a portion of a business or operating
unit, if the disclosure of nonpublic personal information concerns
solely consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or
legal requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by Federal, state,
or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory
authorities having jurisdiction over the institution for
examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]
(Note: the regulation gives the following as an example of
the exception described in section a of this question: "A
consumer may specifically consent to [an institution's] disclosure
to a nonaffiliated insurance company of the fact that the consumer
has applied to [the institution] for a mortgage so that the
insurance company can offer homeowner's insurance to the
consumer.")
IN CLOSING - The FFIEC interagency
Internet guidelines require financial institution web sites to comply
with consumer compliance, advertising, notifications, weblinking, and other federal
regulations. We have identified 17 federal regulations and over 130 issues
that relate to an institution's web site. We also verify weblinks for
functionality and appropriateness. As a former bank examiner with
over 40 years' experience, we audit web sites following the FFIEC Internet
guidelines for financial institutions across the country. Visit
http://www.bankwebsiteaudits.com
and learn how we can assist.