R. Kinney Williams & Associates

Internet Banking News

January 26, 2003

FYI - OCC Concludes Case Against First National Bank in Brookings Involving Payday Lending, Unsafe Merchant Processing, and Deceptive Marketing of Credit Cards - The Office of the Comptroller of the Currency has concluded an enforcement action against First National Bank in Brookings requiring the Brookings, S.D. institution to pay restitution to credit card customers harmed by its marketing practices, terminate its payday lending business and stop merchant processing activities through one vendor.  The Order involves deceptive practices in connection with the Bank’s marketing of credit cards, which the Order indicates included the Internet.  See page 19 of the Order.
Press Release: www.occ.treas.gov/newsrelease.asp?Doc=C4GDHG41.xml
Order: www.occ.treas.gov/ftp/eas/ea2003-1.pdf

National Flood Insurance Program Reauthorization - On January 13, 2003, the President signed into law H.R. 11, the "National Flood Insurance Program Reauthorization Act of 2003," which reauthorizes the National Flood Insurance Program for one year retroactive to December 31, 2002. www.occ.treas.gov/ftp/bulletin/2003-2.txt

FYI  - Requests for Comment Regarding Removal, Suspension, and Debarment of Accountants From Performing Audit Services  http://www.dallasfed.org/htm/pubs/pdfs/notices/2003/03-01.pdf 

FYI - A one-stop online shop has opened for citizens who want to research and comment on any of the thousands of regulatory actions considered yearly by the federal government.
News article - http://www.pcworld.com/news/article/0,aid,108932,tk,dn012303X,00.asp
Regulation Site - http://www.regulations.gov/ 

FYI - An AT&T security researcher has revealed a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building.  http://www.nytimes.com/2003/01/23/business/23LOCK.html?ex=1043989200 

FYI - Sen. Edward Kennedy's office unveiled a revamped Web site Tuesday, one of the first congressional sites to fully comply with federal laws requiring accessibility for disabled users.  http://news.com.com/2100-1023-981456.html?tag=cd_mh 

FYI - SBC Communications is claiming a wide-ranging patent on Web frames that could affect hundreds of sites that use the technology.  http://news.com.com/2100-1023-981446.html?tag=fd_top 

- Cuban Asset Control Regulations - The Department of the Treasury's Office of Foreign Assets Control has updated its list of approved service providers to Cuba. www.fdic.gov/news/news/financial/2003/fil0307.html

FYI - Previously Blocked Property of the Federal Republic of Yugoslavia - Treasury's Office of Foreign Assets Control has unblocked certain property and assets owned by FRY. www.fdic.gov/news/news/financial/2003/fil0306.html

FYI - The government received twice as many complaints about identity theft last year as in 2001, with victims reporting hijacked credit cards, drained bank accounts and tarnished reputations.  http://www.salon.com/news/wire/2003/01/23/id_theft/index.html 


Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.

We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

We conclude our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security." We hope you have found this series useful.

INCIDENT RESPONSE - Discusses implementing an incident response strategy for the response component of an institution's information security program. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution. In developing a response strategy or plan, management should consider the following:

1) The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity. The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents.

2) The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse.

3) Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuse.

4) A recovery plan should be established, and in some cases, an incident response team should be identified.

5) The plan should include procedures to officially report the incidents to senior management, the board of directors, legal counsel, and law enforcement agents as appropriate.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

- We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Definitions and Key Concepts

In discussing the duties and limitations imposed by the regulations, a number of key concepts are used. These concepts include "financial institution"; "nonpublic personal information"; "nonaffiliated third party"; the "opt out" right and the exceptions to that right; and "consumer" and "customer." Each concept is briefly discussed below. A more complete explanation of each appears in the regulations.

Financial Institution:

A "financial institution" is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.

Nonaffiliated Third Party:

A "nonaffiliated third party" is any person except a financial institution's affiliate or a person employed jointly by a financial institution and a company that is not the institution's affiliate. An "affiliate" of a financial institution is any company that controls, is controlled by, or is under common control with the financial institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated