January 13, 2002
FYI
- We want to congratulate the folks at the NCUA for a great
job redesigning their web site. They have improved the look,
the ease of navigation, and the overall professionalism of the site.
Press release www.ncua.gov/news/press_releases/nr010702.html
NCUA Home Page http://www.ncua.gov
FYI
FOR TEXAS STATE BANKS - Consumer Complaints - Those portions
of your website that offer consumer goods and services must contain
access to the required notice. http://www.banking.state.tx.us/LEGAL/RULES/11TAC.HTM#§11.37
INTERNET COMPLIANCE - "Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
Principle 7: Banks should take appropriate measures to preserve
the confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
that:
1) All confidential bank data and records are only accessible by duly
authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner and
protected from unauthorized viewing or modification during transmission
over public, private or internal networks.
3) The bank's standards and controls for data use and protection must be
met when third parties have access to the data through outsourcing
relationships.
4) All access to restricted data is logged and appropriate efforts are
made to ensure that access logs are resistant to tampering.
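Item 4 asks for access logs that resist tampering. One common way to get that property is a hash chain: each log entry carries an HMAC computed over the previous entry's MAC and its own contents, so editing or deleting an earlier entry breaks every link that follows. The following is an added illustration written for this newsletter, not code from the Basel Committee paper or from any bank's system; the key, the sample access events and the field names are all constructed for the demonstration. It assumes the HMAC key is held by the logging service (in practice a separate system or an HSM) and is not available to whoever administers the log store, which is what stops a storage-side edit from being re-signed.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample access events (hypothetical users and records).
SAMPLE_EVENTS = [
    {"ts": "2002-01-13T09:00:00Z", "user": "teller01", "record": "acct:1001", "action": "read"},
    {"ts": "2002-01-13T09:05:00Z", "user": "teller02", "record": "acct:1002", "action": "read"},
    {"ts": "2002-01-13T09:07:00Z", "user": "admin",    "record": "acct:1001", "action": "update"},
]

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first entry


def _mac(key: bytes, prev: str, event: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC and a canonical encoding of this event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_event(log: list, key: bytes, event: dict) -> str:
    """Append an event to the chained log and return the new chain head (its MAC)."""
    prev = log[-1]["mac"] if log else GENESIS
    mac = _mac(key, prev, event)
    log.append({"event": event, "prev": prev, "mac": mac})
    return mac


def verify_log(log: list, key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad entry.

    expected_head is the latest MAC recorded out of band (e.g. on a separate
    system at the end of each batch). A chain that verifies but ends on a
    different head means trailing entries were dropped; that is reported as
    index len(log), since the chain alone cannot detect truncation.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev:
            return i
        if not hmac.compare_digest(_mac(key, prev, rec["event"]), rec["mac"]):
            return i
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return None


def demo() -> dict:
    """Build a small log, then show which tampering each check catches."""
    key = b"constructed-demo-key-keep-it-off-the-log-store"  # constructed, not a real key
    log: list = []
    head = GENESIS
    for ev in SAMPLE_EVENTS:
        head = append_event(log, key, ev)

    results = {"intact": verify_log(log, key, head)}

    # Tampering 1: rewrite who accessed the record in entry 1.
    edited = json.loads(json.dumps(log))  # deep copy
    edited[1]["event"]["user"] = "teller01"
    results["edited"] = verify_log(edited, key, head)

    # Tampering 2: delete entry 1 outright; entry 2's "prev" no longer matches.
    deleted = log[:1] + log[2:]
    results["deleted"] = verify_log(deleted, key, head)

    # Tampering 3: drop the newest entry. The chain still verifies on its own,
    # only the out-of-band head exposes the truncation.
    truncated = log[:-1]
    results["truncated_no_anchor"] = verify_log(truncated, key)
    results["truncated_with_anchor"] = verify_log(truncated, key, head)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {'ok' if value is None else f'first bad entry at index {value}'}")
```

The truncation case is the one worth remembering when reviewing a bank's logging design: a chain proves that what remains is unaltered, but not that nothing was removed from the end, so the current head must be written somewhere the log administrator cannot change (a separate system, a write-once medium, or a periodic printed or signed digest).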
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14 and/or 15, but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual
privacy notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).