March 3, 2002
- Charles Schwab is going ahead
with plans to set up an online bank, despite the fact that the
concept has been slow to catch on with consumers. http://news.com.com/2100-1017-849312.html
Specially Designated Nationals and Blocked Persons - On
January 9, 2002, the Department of the Treasury's Office of Foreign
Assets Control (OFAC) amended its listing of Specially Designated
Nationals and Blocked Persons by adding four new names of specially
designated global terrorists. Their assets must be blocked
- Specially Designated Nationals and Blocked Persons - On
January 23, 2002, the Department of the Treasury's Office of Foreign
Assets Control (OFAC) updated its list of authorized service
providers under the Cuban Assets Control Regulations.
- FinCEN Publications - Attached is a copy of the January
2002 issue of SAR Bulletin, published by the Department of the
Treasury's Financial Crimes Enforcement Network.
- U.S. Department of Treasury FinCEN Advisories 11A and 21A -
This advisory letter revises the list of countries detailed in OCC
Advisory Letter 2000-8, "U.S. Department of Treasury FinCEN
Advisories 13 through 27," dated August 9, 2000 and AL 2001-7,
"U.S. Department of Treasury FinCEN Advisories 13A, 14A, 19A,
23A," dated July 25, 2001.
COMPLIANCE - Electronic Fund Transfer Act,
Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary (OSC)
also clarifies that terminal receipts are unnecessary for transfers
initiated on-line. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization
via a home banking system. To satisfy the regulatory requirements,
the institution must have some means to identify the consumer (such
as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or
other visual display that enables the consumer to read the
communication from the institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
for Managing Outsourced E-Banking Systems and Services
(Part 2 of 3)3.
Banks should adopt appropriate procedures for ensuring the adequacy
of contracts governing e-banking. Contracts governing outsourced
e-banking activities should address, for example, the following:
contractual liabilities of the respective parties as well as
responsibilities for making decisions, including any sub-contracting
of material services are clearly defined.
for providing information to and receiving information from the
service provider are clearly defined. Information from the service
provider should be timely and comprehensive enough to allow the bank
to adequately assess service levels and risks. Materiality
thresholds and procedures to be used to notify the bank of service
disruptions, security breaches and other events that pose a material
risk to the bank should be spelled out.
that specifically address insurance coverage, the ownership of the
data stored on the service provider's servers or databases, and the
right of the bank to recover its data upon expiration or termination
of the contract should be clearly defined.
expectations, under both normal and contingency circumstances, are
e) Adequate means and guarantees, for instance through audit
clauses, are defined to insure that the service provider complies
with the bank’s policies.
f) Provisions are
in place for timely and orderly intervention and rectification in
the event of substandard performance by the service provider.
cross-border outsourcing arrangements, determining which country
laws and regulations, including those relating to privacy and other
customer protections, are applicable.
h) The right of the
bank to conduct independent reviews and/or audits of security,
internal controls and business continuity and contingency plans is
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who
obtain a new financial product or service, an initial privacy notice
that covers the customer's new financial product or service, if the
most recent notice provided to the customer was not accurate with
respect to the new financial product or service? [§4(d)(1)]