February 3, 2002
- Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access - Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks.
FYI - NCUA - Amending FCU Bylaws to Permit Directors Voting by E-Mail: www.ncua.gov/ref/opinion_letters/01-1176.html
INTERNET COMPLIANCE - Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can
"keep" the disclosure. A consumer using certain electronic
devices, such as Web TV, may not be able to print or download the
disclosure. If feasible, a financial institution may wish to include
in its on-line program the ability for consumers to give the
financial institution a non-electronic address to which the
disclosures can be mailed.
INTERNET SECURITY - We
continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the
Basel Committee on Bank Supervision in May 2001.
Principle 10: Banks should have effective capacity,
business continuity and contingency planning processes to help
ensure the availability of e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 x 7) have also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
services.
2) Transaction processing capacity estimates are established, stress
tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for critical
e-banking processing and delivery systems are in place and regularly
tested.
PRIVACY - We continue covering
various issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies in
Redisclosure of nonpublic personal information received from a
nonaffiliated financial institution outside of Sections 14 and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in step 2 below
(§11(b)(1)(i) and (ii)).
2. If the institution shares information with entities other
than those under step 1 above, verify that the institution's
information sharing practices conform to those in the nonaffiliated
financial institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to
ensure that the information sharing reflects the opt out status of
the consumers of the nonaffiliated financial institution (§§10,