R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

February 17, 2002

FYI - Specially Designated Nationals and Blocked Persons - On December 26, 2001, the Department of the Treasury's Office of Foreign Assets Control amended its listing of Specially Designated Nationals and Blocked Persons by adding the Foreign Terrorist Organization designation to two Specially Designated Global Terrorists and by providing additional information about a SDGT listed in OFAC's December 20, 2001, update.

- A popcorn maker has agreed to pay $10,000 to settle charges that it violated privacy laws when it collected children's names and e-mail addresses on its Web site without parental consent, according to federal regulators. 

Expedited Funds Availability Act (Regulation CC)

Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies the written exception hold notice requirement, and the commentary to the regulations states that a financial institution satisfies the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.

- We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision in May 2001.

Sound Security Control Practices for E-Banking

1. Security profiles should be created and maintained and specific authorization privileges assigned to all users of e-banking systems and applications, including all customers, internal bank users and outsourced service providers. Logical access controls should also be designed to support proper segregation of duties.

2. E-banking data and systems should be classified according to their sensitivity and importance and protected accordingly. Appropriate mechanisms, such as encryption, access control and data recovery plans should be used to protect all sensitive and high-risk e-banking systems, servers, databases and applications.

3. Storage of sensitive or high-risk data on the organization’s desktop and laptop systems should be minimized and properly protected by encryption, access control and data recovery plans.

4. Sufficient physical controls should be in place to deter unauthorized access to all critical e-banking systems, servers, databases and applications.

5. Appropriate techniques should be employed to mitigate external threats to e-banking systems, including the use of:

a)  Virus-scanning software at all critical entry points (e.g. remote access servers, e-mail proxy servers) and on each desktop system.
b)  Intrusion detection software and other security assessment tools to periodically probe networks, servers and firewalls for weaknesses and/or violations of security policies and controls.
c)  Penetration testing of internal and external networks.

6. A rigorous security review process should be applied to all employees and service providers holding sensitive positions.

- Initial Privacy Notice

Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1))]?

(Note: no notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in Sections 14 and 15, and there is no customer relationship. [§4(b)] With respect to credit relationships, an institution establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§4(c)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated