February 10, 2002
FYI - RUSSIAN, U.S. AUTHORITIES NAB ALLEGED HACKER
- Breach of online banking service eventually led to extortion
attempt, then capture through traced e-mail. http://www.pcworld.com/news/article/0,aid,82964,tk,dn020602X,00.asp
FYI - Guidance on Avoiding Violations of the Spousal Signature Provisions
of Regulation B - The Federal Deposit Insurance Corporation is
issuing the attached guidance to assist banks in complying with the
spousal signature provisions of the Equal Credit Opportunity Act and
Regulation B, 12 C.F.R. Part 202.
COMPLIANCE - Disclosures/Notices (Part 2 of
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
Principle 11: Banks should develop appropriate incident response
plans to manage, contain and minimize problems arising from
unexpected events, including internal and external attacks, that may
hamper the provision of e-banking systems and services.
Effective incident response mechanisms are critical to minimize
operational, legal and reputational risks arising from unexpected
events such as internal and external attacks that The
current and future capacity of critical e-banking delivery systems
should be assessed on an ongoing basis may
affect the provision of e-banking systems and services. Banks should
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
services, including those originating from outsourced systems and
To ensure effective response to unforeseen incidents, banks should
1) Incident response plans to address recovery of e-banking
systems and services under various scenarios, businesses and
geographic locations. Scenario analysis should include consideration
of the likelihood of the risk occurring and its impact on the bank.
E-banking systems that are outsourced to third-party service
providers should be an integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as it
occurs, assess its materiality, and control the reputation risk
associated with any disruption in service.
3) A communication strategy to adequately address external
market and media concerns that may arise in the event of security
breaches, online attacks and/or failures of e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event of material security breaches or disruptive
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance of
6) A clear chain of command, encompassing both internal as
well as outsourced operations, to ensure that prompt action is taken
appropriate for the significance of the incident. In addition,
escalation and internal communication procedures should be developed
and include notification of the Board where appropriate.
7) A process to ensure all relevant external parties,
including bank customers, counterparties and the media, are informed
in a timely and appropriate manner of material e-banking disruptions
and business resumption developments.
8) A process for collecting and preserving forensic evidence
to facilitate appropriate post-mortem reviews of any e-banking
incidents as well as to assist in the prosecution of attackers.
FYI PRIVACY - "Privacy
Choices for Your Personal Financial Information" - In
conjunction with National Consumer Protection Week, several federal
agencies today released a guide to help consumers make informed
choices about whether to allow their personal financial information
to be shared.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Account number sharing
A. If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts indicate
that the telemarketers have the account numbers of the institution's
B. Obtain and review a sample of contracts with agents or service
providers to whom the financial institution discloses account
numbers for use in connection with marketing the institution's own
products or services. Determine whether the institution shares
account numbers with nonaffiliated third parties only to perform
marketing for the institution's own products and services. Ensure
that the contracts do not authorize these nonaffiliated third
parties to directly initiate charges to customer's accounts (§12(b)(1)).
C. Obtain a sample of materials and information provided to the
consumer upon entering a private label or affinity credit card
program. Determine if the participants in each program are
identified to the customer when the customer enters into the program
This concludes our review of the
"Privacy of Consumer Financial Information." Next
week we begin a series listing regulatory-privacy examination
questions. By answering these questions on a weekly basis,
you will ensure compliance with the privacy regulations.