February 24, 2002
- The United States' top adviser on
cybersecurity on Tuesday took companies to task, pointing out that
many spend less on computer security than they do on coffee for
COMPLIANCE - Electronic Fund Transfer Act,
Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign-up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
for Managing Outsourced E-Banking Systems and Services
(Part 1 of 3)
Banks should adopt appropriate processes for evaluating decisions to
outsource e-banking systems or services.
a) Bank management
should clearly identify the strategic purposes, benefits and costs
associated with entering into outsourcing arrangements for e-banking
with third parties.
b) The decision to
outsource a key e-banking function or service should be consistent
with the bank’s business strategies, be based on a clearly defined
business need, and recognize the specific risks that outsourcing
c) All affected areas
of the bank need to understand how the service provider(s) will
support the bank’s e-banking strategy and fit into its operating
2. Banks should conduct appropriate risk analysis and due diligence
prior to selecting an e-banking service provider and at appropriate
a) Banks should
consider developing processes for soliciting proposals from several
e-banking service providers and criteria for choosing among the
b) Once a potential
service provider has been identified, the bank should conduct an
appropriate due diligence review, including a risk analysis of the
service provider’s financial strength, reputation, risk management
policies and controls, and ability to fulfill its obligations.
c) Thereafter, banks
should regularly monitor and, as appropriate, conduct due diligence
reviews of the ability of the service provider to fulfill its
service and associated risk management obligations throughout the
duration of the contract.
d) Banks need to ensure
that adequate resources are committed to overseeing outsourcing
arrangements supporting e-banking.
e) Responsibilities for
overseeing e-banking outsourcing arrangements should be clearly
f) An appropriate exit
strategy for the bank to manage risks should it need to terminate
the outsourcing relationship.
PRIVACY EXAMINATION QUESTION - We continue our series
listing the regulatory-privacy examination questions. When you
answer the question each week, you will help ensure compliance with
the privacy regulations.
Initial Privacy Notice
2) Does the institution provide a
clear and conspicuous notice that accurately reflects its privacy
policies and practices to all consumers, who are not
customers, before any nonpublic personal information about
the consumer is disclosed to a nonaffiliated third party, other than
under an exception in §§14 or 15? [§4(a)(2)]?