February 17, 2002
FYI - Specially Designated Nationals and Blocked Persons - On
December 26, 2001, the Department of the Treasury's Office of
Foreign Assets Control amended its listing of Specially Designated
Nationals and Blocked Persons by adding the Foreign Terrorist
Organization designation to two Specially Designated Global
Terrorists and by providing additional information about a SDGT
listed in OFAC's December 20, 2001, update.
www.fdic.gov/news/news/financial/2002/fil0210.html
FYI - A popcorn maker has
agreed to pay $10,000 to settle charges that it violated privacy
laws when it collected children's names and e-mail addresses on its
Web site without parental consent, according to federal regulators.
http://news.com.com/2110-1023-837942.html?tag=cdshrt
INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and specific
authorization privileges assigned to all users of e-banking systems
and applications, including all customers, internal bank users and
outsourced service providers. Logical access controls should also be
designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization’s
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g. remote
access servers, e-mail proxy servers) and on each desktop system.
b) Intrusion detection software and other security assessment tools to
periodically probe networks, servers and firewalls for weaknesses
and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
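Practice 1 above calls for a security profile per user, explicit authorization privileges, and logical access controls that enforce segregation of duties. The following Python module is an added illustration of how such a control can be implemented and reviewed; it is not code from the Basel Committee paper or from any bank. The role names, permissions, user types and the conflict pairs are constructed examples, and the user records are made up.

```python
"""Security profiles with role-based authorization and a segregation-of-duties
(SoD) check for an e-banking system.

Added example, not from the Basel Committee paper or any institution.
All roles, permissions, conflict pairs and users below are constructed.
"""
from dataclasses import dataclass

# Role -> set of permitted actions (constructed example roles). Customers,
# internal bank users and outsourced providers all receive a profile.
ROLE_PERMISSIONS = {
    "customer":       {"view_balance", "initiate_transfer"},
    "teller":         {"view_balance", "initiate_transfer"},
    "approver":       {"view_balance", "approve_transfer"},
    "sysadmin":       {"manage_accounts", "view_audit_log"},
    "auditor":        {"view_audit_log"},
    "vendor_support": {"view_audit_log"},   # outsourced service provider
}

# Pairs of actions that one security profile must never hold together.
# Initiating and approving the same kind of transaction is the classic case.
SOD_CONFLICTS = [
    ("initiate_transfer", "approve_transfer"),
    ("manage_accounts", "approve_transfer"),
]

ALLOWED_USER_TYPES = {"customer", "internal", "outsourced"}


@dataclass(frozen=True)
class SecurityProfile:
    user_id: str
    user_type: str          # "customer", "internal" or "outsourced"
    roles: frozenset

    def permissions(self) -> set:
        """Union of the permissions granted by every role on the profile."""
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def sod_violations(profile: SecurityProfile) -> list:
    """Return every conflicting permission pair the profile currently holds."""
    perms = profile.permissions()
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def build_profile(user_id: str, user_type: str, roles) -> SecurityProfile:
    """Provision a profile, refusing unknown roles/user types and SoD conflicts.

    Rejecting the conflict at provisioning time is cheaper than catching it
    at request time, but authorize() re-checks anyway (defence in depth).
    """
    if user_type not in ALLOWED_USER_TYPES:
        raise ValueError(f"unknown user type: {user_type}")
    unknown = set(roles) - set(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    profile = SecurityProfile(user_id, user_type, frozenset(roles))
    conflicts = sod_violations(profile)
    if conflicts:
        raise ValueError(f"segregation-of-duties conflict: {conflicts}")
    return profile


def authorize(profile: SecurityProfile, action: str) -> bool:
    """Deny-by-default check: the action must be granted by a role, and the
    profile must not be in an SoD-violating state (e.g. roles added later
    without going through build_profile)."""
    if sod_violations(profile):
        return False
    return action in profile.permissions()


def access_review(profiles) -> list:
    """Periodic review: list user_ids whose profiles violate segregation of
    duties, for the security review process in practice 6."""
    return sorted(p.user_id for p in profiles if sod_violations(p))


if __name__ == "__main__":
    # Constructed sample users.
    cust = build_profile("cust-1001", "customer", {"customer"})
    teller = build_profile("emp-42", "internal", {"teller"})
    approver = build_profile("emp-77", "internal", {"approver"})
    vendor = build_profile("vnd-3", "outsourced", {"vendor_support"})
    print(authorize(cust, "initiate_transfer"), authorize(cust, "approve_transfer"))
    # A profile that accumulated both roles outside build_profile:
    bad = SecurityProfile("emp-99", "internal", frozenset({"teller", "approver"}))
    print(access_review([cust, teller, approver, vendor, bad]))
```

The design point is that the conflict list is data, reviewed like any other policy, and that it is enforced twice: once when roles are assigned and again on every authorization decision, so a profile that drifts into a conflicting state (for example through a later role grant) stops working rather than silently gaining end-to-end control of a transaction.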
PRIVACY EXAMINATION QUESTION - Initial Privacy Notice
Does the institution provide a
clear and conspicuous notice that accurately reflects its privacy
policies and practices to all customers not later than when the
customer relationship is established, other than as allowed in
paragraph (e) of section four (4) of the regulation? [§4(a)(1)]
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])