April 7, 2002
- E-Insurance for the Digital Age -
Big insurers are now offering policies
against hacks, viruses, and stolen data. They may also set security
COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INTERNET SECURITY - We conclude our coverage of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Capacity, Business Continuity and Contingency Planning Practices for
1. All e-banking services and applications, including those provided
by third-party service providers, should be identified and assessed
2. A risk assessment for each critical e-banking service and
application, including the potential implications of any business
disruption on the bank's credit, market, liquidity, legal,
operational and reputation risk should be conducted.
3. Performance criteria for each critical e-banking service and
application should be established, and service levels should be
monitored against such criteria.
Appropriate measures should be taken to ensure that e-banking
systems can handle high and low transaction volume and that systems
performance and capacity is consistent with the bank's expectations
for future growth in e-banking.
4. Consideration should be given to developing processing
alternatives for managing demand when e-banking systems appear to be
reaching defined capacity checkpoints.
5. E-banking business continuity plans should be formulated to
address any reliance on third-party service providers and any other
external dependencies required achieving recovery.
6. E-banking contingency plans should set out a process for
restoring or replacing e-banking processing capabilities,
reconstructing supporting transaction information, and include
measures to be taken to resume availability of critical e-banking
systems and applications in the event of a business disruption.
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 1 of 2)
a) the categories of nonpublic personal information that the
institution collects; [§6(a)(1)]
b) the categories of nonpublic personal information that the
institution discloses; [§6(a)(2)]
c) the categories of affiliates and nonaffiliated third
parties to whom the institution discloses nonpublic personal
information, other than parties to whom information is disclosed
under an exception in §14 or §15; [§6(a)(3)]
d) the categories of nonpublic personal information disclosed
about former customers, and the categories of affiliates and
nonaffiliated third parties to whom the institution discloses that
information, other than those parties to whom the institution
discloses information under an exception in §14 or §15; [§6(a)(4)]
The Vulnerability Internet Security Test Audit is an
affordable means of testing the security of Yennik,
Inc.'s network connection to the Internet against unauthorized
In most cases, this vulnerability test is required by your
regulator. Please visit http://www.internetbankingaudits.com/
for more information and to arrange your vulnerability test before
your next IT examination. With over 30 year experience (which
includes 20 years as a bank examiner) auditing IT departments of
financial institutions, I personally review the test results,
discuss the finding with your network administrator, and issue an
audit letter to your Board certifying the results.