January 26, 2003
FYI - OCC Concludes Case Against First
National Bank in Brookings Involving Payday Lending, Unsafe Merchant
Processing, and Deceptive Marketing of Credit Cards - The Office of
the Comptroller of the Currency has concluded an enforcement action
against First National Bank in Brookings requiring the Brookings,
S.D. institution to pay restitution to credit card customers harmed
by its marketing practices, terminate its payday lending business
and stop merchant processing activities through one vendor.
The Order involves deceptive practices in
connection with the Bank’s marketing of credit cards, which the
Order indicates included the Internet. See page 19 of the
Order.
Press Release: www.occ.treas.gov/newsrelease.asp?Doc=C4GDHG41.xml
Order: www.occ.treas.gov/ftp/eas/ea2003-1.pdf
FYI - National Flood Insurance Program
Reauthorization - On January 13, 2003, the President signed into law
H.R. 11, the "National Flood Insurance Program Reauthorization Act
of 2003," which reauthorizes the National Flood Insurance Program
for one year retroactive to December 31, 2002. www.occ.treas.gov/ftp/bulletin/2003-2.txt
FYI - Requests for Comment Regarding
Removal, Suspension, and Debarment of Accountants From Performing
Audit Services http://www.dallasfed.org/htm/pubs/pdfs/notices/2003/03-01.pdf
FYI - A one-stop
online shop has opened for citizens who want to research and comment
on any of the thousands of regulatory actions considered yearly by
the federal government.
News article - http://www.pcworld.com/news/article/0,aid,108932,tk,dn012303X,00.asp
Regulation Site - http://www.regulations.gov/
FYI - An AT&T
security researcher has revealed a little-known vulnerability in
many locks that lets a person create a copy of the master key for an
entire building by starting with any key from that building. http://www.nytimes.com/2003/01/23/business/23LOCK.html?ex=1043989200
FYI - Sen.
Edward Kennedy's office unveiled a revamped Web site Tuesday, one of
the first congressional sites to fully comply with federal laws
requiring accessibility for disabled users. http://news.com.com/2100-1023-981456.html?tag=cd_mh
FYI -
SBC Communications is claiming a wide-ranging patent on Web frames
that could affect hundreds of sites that use the technology. http://news.com.com/2100-1023-981446.html?tag=fd_top
FYI - Cuban Asset Control
Regulations - The Department of the Treasury's Office of Foreign
Assets Control has updated its list of approved service providers to
Cuba. www.fdic.gov/news/news/financial/2003/fil0307.html
FYI - Previously Blocked Property of the Federal Republic of
Yugoslavia - Treasury's
Office of Foreign Assets Control has unblocked certain property and
assets owned by FRY. www.fdic.gov/news/news/financial/2003/fil0306.html
FYI - The
government received twice as many complaints about identity theft
last year over 2001, with victims reporting hijacked credit cards,
drained bank accounts and tarnished reputations. http://www.salon.com/news/wire/2003/01/23/id_theft/index.html
INTERNET COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the
Internet or on-line text. Thus, institutions should carefully review
their on-line advertisements in an effort to minimize compliance
risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business"
under HUD's rules prescribing lobby notices. Thus, institutions may
want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
INTERNET SECURITY - We continue, and with this installment conclude,
our review of the FDIC paper "Risk Assessment Tools and Practices for
Information System Security." We hope you have found this series
useful.
INCIDENT RESPONSE - This section discusses implementing an incident
response strategy for the response component of an institution's
information security program. After implementing a defense strategy
and monitoring for new attacks, hacker activities, and unauthorized
insider access, management should develop a response strategy. The
sophistication of an incident response plan will vary depending on
the risks inherent in each system deployed and the resources
available to an institution. In developing a response strategy or
plan, management should consider the following:
1) The plan should provide a platform from which an institution can
prepare for, address, and respond to intrusions or unauthorized
activity. The beginning point is to assess the systems at risk, as
identified in the overall risk assessment, and consider the
potential types of security incidents.
2) The plan should identify what constitutes a break-in or system
misuse, and incidents should be prioritized by the seriousness of
the attack or system misuse.
3) Individuals should be appointed and empowered with the latitude
and authority to respond to an incident. The plan should include
what the appropriate responses may be for potential intrusions or
system misuse.
4) A recovery plan should be established, and in some cases, an
incident response team should be identified.
5) The plan should include procedures to officially report the
incidents to senior management, the board of directors, legal
counsel, and law enforcement agents as appropriate.
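The five planning points above can be expressed as a small triage routine, which makes the prioritization and reporting rules concrete enough to check. The following Python is an added example written for this newsletter; it is not part of the FDIC paper and not an FDIC tool. The system names, criticality ratings, event types, responder roles, recovery steps and the sample monitoring lines are all constructed for the example, and the rule that a system rated HIGH or CRITICAL raises an event's priority by one level is an assumed policy, not one stated in the paper.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# 1) Systems at risk, with the criticality assigned in the overall risk
#    assessment (constructed names and ratings).
SYSTEMS_AT_RISK = {
    "online-banking-web": Severity.CRITICAL,
    "loan-app-portal": Severity.HIGH,
    "marketing-site": Severity.LOW,
}

# 2) What constitutes a break-in or misuse: event type -> (category, base
#    severity). Anything not listed here is not treated as an incident.
INCIDENT_DEFINITIONS = {
    "data_exfiltration": ("intrusion", Severity.CRITICAL),
    "unauthorized_admin_login": ("intrusion", Severity.HIGH),
    "insider_policy_violation": ("misuse", Severity.MEDIUM),
    "port_scan": ("reconnaissance", Severity.LOW),
}

# 3) and 4) The empowered responder and the recovery action per category
#    (constructed roles and steps).
RESPONSE_PLAYBOOK = {
    "intrusion": ("incident-response-team",
                  "isolate the host, preserve evidence, restore from a known-good backup"),
    "misuse": ("information-security-officer",
               "suspend the account, review access logs"),
    "reconnaissance": ("network-administrator",
                       "verify firewall rules, keep monitoring"),
}


@dataclass
class Incident:
    event_type: str
    system: str
    category: str
    severity: Severity
    responder: str
    recovery: str
    notify: list = field(default_factory=list)


def reporting_chain(severity: Severity) -> list:
    """5) Who must be officially informed; the list grows with seriousness."""
    chain = ["information-security-officer"]
    if severity >= Severity.MEDIUM:
        chain.append("senior-management")
    if severity >= Severity.HIGH:
        chain.append("legal-counsel")
    if severity >= Severity.CRITICAL:
        chain.extend(["board-of-directors", "law-enforcement"])
    return chain


def triage(event_type: str, system: str):
    """Classify one event; returns an Incident, or None if it is not an incident."""
    if event_type not in INCIDENT_DEFINITIONS:
        return None
    category, base = INCIDENT_DEFINITIONS[event_type]
    # Prioritize by seriousness (assumed policy): raise the base severity one
    # level when the affected system is rated HIGH or CRITICAL.
    rating = SYSTEMS_AT_RISK.get(system, Severity.MEDIUM)
    severity = Severity(min(Severity.CRITICAL, base + 1)) if rating >= Severity.HIGH else base
    responder, recovery = RESPONSE_PLAYBOOK[category]
    return Incident(event_type, system, category, severity, responder, recovery,
                    reporting_chain(severity))


def triage_log(lines):
    """Parse 'key=value' monitoring lines and return incidents, most serious first."""
    incidents = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        inc = triage(fields.get("event", ""), fields.get("system", ""))
        if inc is not None:
            incidents.append(inc)
    return sorted(incidents, key=lambda i: i.severity, reverse=True)


# Constructed sample monitoring output for the example.
SAMPLE_LOG = [
    "2003-01-20T08:15:02 system=online-banking-web event=port_scan src=198.51.100.7",
    "2003-01-20T08:16:40 system=loan-app-portal event=unauthorized_admin_login user=admin",
    "2003-01-20T09:02:11 system=marketing-site event=data_exfiltration bytes=52000000",
    "2003-01-20T09:05:00 system=marketing-site event=heartbeat",
]

if __name__ == "__main__":
    for inc in triage_log(SAMPLE_LOG):
        print(f"{inc.severity.name:8} {inc.event_type:26} {inc.system:20} "
              f"-> {inc.responder}; notify {', '.join(inc.notify)}")
```

Running the block shows the point of step 2: the heartbeat line is ignored because it is not a defined incident, the port scan against the critical banking system is raised to MEDIUM and reaches senior management, and the two intrusions are reported all the way to the board and law enforcement. The tables at the top are the part an institution would fill from its own risk assessment and plan; the functions only apply them.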
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com
for more information.
PRIVACY - We continue our coverage of the various
issues in the "Privacy of Consumer Financial Information"
published by the financial regulatory agencies.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal
information"; "nonaffiliated third party"; the
"opt out" right and the exceptions to that right; and
"consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
Financial Institution:
A "financial institution" is any institution the
business of which is engaging in activities that are financial in
nature or incidental to such financial activities, as determined by
section 4(k) of the Bank Holding Company Act of 1956. Financial
institutions can include banks, securities brokers and dealers,
insurance underwriters and agents, finance companies, mortgage
bankers, and travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except
a financial institution's affiliate or a person employed jointly by
a financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is
any company that controls, is controlled by, or is under common
control with the financial institution.