January 27, 2002
COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with
this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk
Management Principles for Electronic Banking" published by the
Basel Committee on Bank Supervision in May 2001.
Principle 9: Banks should take appropriate measures to ensure
adherence to customer
privacy requirements applicable to the jurisdictions to which the
bank is providing e-banking products and services.
Maintaining a customer's information privacy is a key
responsibility for a bank. Misuse or unauthorized disclosure of
confidential customer data exposes a bank to both legal and
reputation risk. To meet these challenges concerning the
preservation of privacy of customer information, banks should make
reasonable endeavors to ensure that:
1) The bank's customer
privacy policies and standards take account of and comply with all
privacy regulations and laws applicable to the jurisdictions to
which it is providing e-banking products and services.
2) Customers are made
aware of the bank's privacy policies and relevant privacy issues
concerning use of e-banking products and services.
3) Customers may
decline (opt out) from permitting the bank to share with a third
party for cross-marketing purposes any information about the
customer's personal needs, interests, financial position or
4) Customer data are
not used for purposes beyond which they are specifically allowed or
for purposes beyond which customers have authorized.
5) The bank's
standards for customer data use must be met when third parties have
access to customer data through outsourcing relationships.
PRIVACY - We continue covering
various issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies in
Reuse & Redisclosure of nonpublic personal information
received from a nonaffiliated financial institution under Sections
14 and/or 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in the step b below
(§11(a)(1)(i) and (ii)).
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).