January 20, 2002
- Reports of viruses and security vulnerabilities in software nearly doubled in 2001, CERT says. http://www.pcworld.com/news/article/0,aid,79303,tk,dn011402X,00.asp
- During the late 1990s, productivity trends in retail banking stood in contrast to those in much of the rest of the economy. http://news.com.com/2009-1017-814419.html?legacy=cnet&tag=dd.ne.dht.nl-hed.0
FYI - The Board of Governors, along with other federal agencies, issued guidance to help financial institutions comply with consumer privacy
COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
Principle 8: Banks should ensure that adequate information is
provided on their websites to allow potential customers to make an
informed conclusion about the bank's identity and regulatory status
of the bank prior to entering into e-banking transactions.
To minimize legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should ensure that adequate information is provided on their websites to allow customers to make informed conclusions about the identity and regulatory status of the bank before they enter into
Examples of such information that a bank could provide on its own
1) The name of the bank and the location of its head office (and local offices if
2) The identity of the primary bank supervisory authority(ies) responsible for the supervision of the bank's head office.
3) How customers can contact the bank's customer service center regarding service problems, complaints, suspected misuse of accounts, etc.
4) How customers can access and use applicable Ombudsman or consumer complaint schemes.
5) How customers can obtain access to information on applicable national compensation or deposit insurance coverage and the level of protection that they afford (or links to websites that provide such information).
6) Other information that may be appropriate or required by specific jurisdictions.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Sharing nonpublic personal information with nonaffiliated third
parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party.
a. Compare the data shared and with whom the data were shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and annual notices, as well as any simplified notice that the institution may use. Note that the institution may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of Section 14 and 15 exceptions. Determine whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note that this includes practices disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
2) Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written customer records where available, determine if the institution has adequate procedures in place to provide notices to customers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the customer agrees; or as a necessary step of a transaction) (§9) and accessibility of or ability to retain the notice (§9(e)).
IN CLOSING - We hope you will give us the opportunity to perform vulnerability testing of your network connection to the Internet. In most cases, this test is required by the regulators. Please visit http://www.internetbankingaudits.com/ for more information and to schedule your vulnerability test before your IT examination. With over 30 years' experience (which includes 20 years as a bank examiner) auditing IT departments of financial institutions, I personally review the test results and issue an audit letter to your Board certifying the results.