R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

February 10, 2002

FYI - RUSSIAN, U.S. AUTHORITIES NAB ALLEGED HACKER - Breach of online banking service eventually led to extortion attempt, then capture through traced e-mail.  http://www.pcworld.com/news/article/0,aid,82964,tk,dn020602X,00.asp 

FYI
-
Guidance on Avoiding Violations of the Spousal Signature Provisions of Regulation B - The Federal Deposit Insurance Corporation is issuing the attached guidance to assist banks in complying with the spousal signature provisions of the Equal Credit Opportunity Act and Regulation B, 12 C.F.R. Part 202.
www.fdic.gov/news/news/financial/2002/fil0209.html


INTERNET COMPLIANCE
Disclosures/Notices (Part 2 of 2)

In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

INTERNET SECURITY
- We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision in May 2001.

Principle 11: Banks should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.


Effective incident response mechanisms are critical to minimize operational, legal and reputational risks arising from unexpected events such as internal and external attacks that
The current and future capacity of critical e-banking delivery systems should be assessed on an ongoing basis may affect the provision of e-banking systems and services. Banks should develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services, including those originating from outsourced systems and operations.

To ensure effective response to unforeseen incidents, banks should develop: 

1)  Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans.

2)  Mechanisms to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service.

3)  A communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-banking systems.

4)  A clear process for alerting the appropriate regulatory authorities in the event of material security breaches or disruptive incidents occur.

5)  Incident response teams with the authority to act in an emergency and sufficiently trained in analyzing incident detection/response systems and interpreting the significance of related output.

6)  A clear chain of command, encompassing both internal as well as outsourced operations, to ensure that prompt action is taken appropriate for the significance of the incident. In addition, escalation and internal communication procedures should be developed and include notification of the Board where appropriate.

7)  A process to ensure all relevant external parties, including bank customers, counterparties and the media, are informed in a timely and appropriate manner of material e-banking disruptions and business resumption developments.

8)  A process for collecting and preserving forensic evidence to facilitate appropriate post-mortem reviews of any e-banking incidents as well as to assist in the prosecution of attackers.

FYI PRIVACY
- "Privacy Choices for Your Personal Financial Information" - In conjunction with National Consumer Protection Week, several federal agencies today released a guide to help consumers make informed choices about whether to allow their personal financial information to be shared.
www.federalreserve.gov/boarddocs/press/General/2002/20020206/default.htm

PRIVACY
- We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Account number sharing

A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution's consumers (12).

B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution's own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution's own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customer's accounts (12(b)(1)).

C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (12(b)(2)).

This concludes our review of the "Privacy of Consumer Financial Information."  Next week we begin a series listing regulatory-privacy examination questions.  By answering these questions on a weekly basis, you  will  ensure compliance with the privacy regulations.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated