R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

January 20, 2002

FYI - Reports of viruses and security vulnerabilities in software nearly doubled in 2001, CERT says.  http://www.pcworld.com/news/article/0,aid,79303,tk,dn011402X,00.asp 

FYI - During the late 1990s, productivity trends in retail banking stood in contrast to those in much of the rest of the economy.  http://news.com.com/2009-1017-814419.html?legacy=cnet&tag=dd.ne.dht.nl-hed.0 

FYI - The Board of Governors, along with other federal agencies, issued guidance to help financial institutions comply with consumer privacy regulations.  http://www.dallasfed.org/htm/pubs/pdfs/notices/2002/02-06.pdf 


A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.

Home Mortgage Disclosure Act (Regulation C)

The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.

INTERNET SECURITY - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision in May 2001.

Principle 8: Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the bank's identity and regulatory status of the bank prior to entering into e-banking transactions.

To minimize legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should ensure that adequate information is provided on their websites to allow customers to make informed conclusions about the identity and regulatory status of the bank before they enter into e-banking transactions.

Examples of such information that a bank could provide on its own website include:

1)  The name of the bank and the location of its head office (and local offices if applicable).

2)  The identity of the primary bank supervisory authority(ies) responsible for the supervision of the bank's head office.

3)  How customers can contact the bank's customer service center regarding service problems, complaints, suspected misuse of accounts, etc.

4)  How customers can access and use applicable Ombudsman or consumer complaint schemes.

5)  How customers can obtain access to information on applicable national compensation or deposit insurance coverage and the level of protection that they afford (or links to websites that provide such information).

6)  Other information that may be appropriate or required by specific jurisdictions.

PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Sharing nonpublic personal information with nonaffiliated third parties only under Sections 14 and/or 15.

Note: This module applies only to customers.

A. Disclosure of Nonpublic Personal Information

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party.

a.  Compare the data shared and with whom the data were shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions. 

B. Presentation, Content, and Delivery of Privacy Notices

1)  Obtain and review the financial institution's initial and annual notices, as well as any simplified notice that the institution may use. Note that the institution may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of Section 14 and 15 exceptions. Determine whether or not these notices: 

a.  Are clear and conspicuous (3(b), 4(a), 5(a)(1));

b.  Accurately reflect the policies and practices used by the institution (4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information (6).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written customer records where available, determine if the institution has adequate procedures in place to provide notices to customers, as appropriate. Assess the following:

a)  Timeliness of delivery (4(a), 4(d), 4(e), 5(a)); and

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the customer agrees; or as a necessary step of a transaction) (9) and accessibility of or ability to retain the notice (9(e)).

IN CLOSING - We hope you will give us the opportunity to perform your vulnerability testing of your network connection to the Internet.  In most cases, this test is required by the regulators.  Please visit http://www.internetbankingaudits.com/ for more information and to schedule your vulnerability test before your IT examination.  With over 30 year experience (which includes 20 years as a bank examiner) auditing IT departments of financial institutions, I personally review the test results and issue an audit letter to your Board certifying the results.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated