March 17, 2002
PRIVACY - FTC Cracks Down on Digital Detectives
- Three firms fined for illegally gathering private information
online. "In a matter or hours, they had the bank account
FYI PRIVACY - Study
of Information Sharing Practices Among Financial Institutions and
Their Affiliates - The Secretary of the Treasury, in conjunction
with the federal functional regulatory agencies and the Federal
Trade Commission is conducting a study of information sharing by
Press Release: www.occ.treas.gov/ftp/bulletin/2002-11.txt
- U.S. Secret Service agents and Jacksonville
County Sheriff's officers arrested a 30-year-old Florida man who
authorities allege was trying to sell 60,000 names and personal
information of The Prudential Insurance Company of America
FYI - In recent weeks, scam artists pretending to represent
reputable companies such as Bank of America and eBay have been
e-mailing Internet users in an attempt to steal their account
information. Although not a new scam, the e-mails are part of a
growing trend of identity theft online. http://news.com.com/2100-1017-857177.html?tag=cd_mh
FYI - Rep. Tom Davis (R-Va.) has
introduced legislation to set mandatory computer security standards
for federal agencies. http://www.gcn.com/vol1_no1/daily-updates/18120-1.html
FYI - Federal regulators have boosted
PayPal's contention that it is not a bank and shouldn't be regulated
as one, the online payments company said on Tuesday.
FYI - Information Sharing
Pursuant to Section 314(b) of the USA Patriot Act - This SR letter
describes a new, immediately effective regulation concerning the
sharing of information about terrorist financing and money
laundering among financial institutions that was issued by the U.S. Department
of the Treasury, through its Financial Crimes Enforcement Network (FinCEN).
The FinCEN rule was issued pursuant to section 314(b) of
the USA Patriot Act on March 4, 2001.
COMPLIANCE - Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Practices for E-Banking Applications
authorization and access privileges should be assigned to all
individuals, agents or systems, which conduct e-banking activities.
2. All e-banking systems should be constructed to ensure that they
interact with a valid authorization database.
3. No individual agent or system should have the authority to change
his or her own authority or access privileges in an e-banking
4. Any addition of an individual, agent or system or changes to
access privileges in an e-banking authorization database should be
duly authorized by an authenticated source empowered with the
adequate authority and subject to suitable and timely oversight and
5. Appropriate measures should be in place in order to make
e-banking authorization databases reasonably resistant to tampering.
Any such tampering should be detectable through ongoing monitoring
processes. Sufficient audit trails should exist to document any such
6. Any e-banking authorization database that has been tampered with
should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization
levels during e-banking transaction sessions and any attempts to
alter authorization should be logged and brought to the attention of
PRIVACY EXAMINATION QUESTION - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is permitted, does
the institution provide notice after establishing a customer
relationship within a reasonable time? [§4(e)]