R. Kinney Williams & Associates

Internet Banking News

April 28, 2002

FYI - A new tool for manipulating packets of data that travel over the Internet could allow attackers to camouflage malicious programs just enough to bypass many intrusion-detection systems and firewalls. http://news.com.com/2100-1001-887065.html

FYI - NCUA Letter to Federal Credit Unions 02-FCU-04 - Weblinking Relationships - Electronic Financial Services (Part 721.3(c)) - authorizes FCUs to offer through electronic means any services, products, functions, or activities that a credit union could otherwise perform, provide, or deliver to members. www.ncua.gov/ref/letters/02-FCU-04.html

FYI - The Federal Reserve Banks are amending Operating Circular No. 5 (Electronic Access), effective June 1, 2002. The revised operating circular will govern electronic access to Reserve Bank services. http://www.dallasfed.org/htm/pubs/pdfs/notices/2002/02-19.pdf

INTERNET COMPLIANCE - Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers. The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means. The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s). The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous." Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected. A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.

INTERNET SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet." While this Financial Institution Letter was published in December 1997, the issues still are relevant.


Non-repudiation
 

Non-repudiation involves creating proof of the origin or delivery of data to protect the sender against false denial by the recipient that the data has been received or to protect the recipient against false denial by the sender that the data has been sent. To ensure that a transaction is enforceable, steps must be taken to prohibit parties from disputing the validity of, or refusing to acknowledge, legitimate communications or transactions. 


Access Control / System Design 


Establishing a link between a bank's internal network and the Internet can create a number of additional access points into the internal operating system. Furthermore, because the Internet is global, unauthorized access attempts might be initiated from anywhere in the world. These factors present a heightened risk to systems and data, necessitating strong security measures to control access. Because the security of any network is only as strong as its weakest link, the functionality of all related systems must be protected from attack and unauthorized access. Specific risks include the destruction, altering, or theft of data or funds; compromised data confidentiality; denial of service (system failures); a damaged public image; and resulting legal implications. Perpetrators may include hackers, unscrupulous vendors, former or disgruntled employees, or even agents of espionage. 


PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

10)  Does the institution list the following categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects:

a)  information from the consumer;

b)  information about the consumer's transactions with the institution or its affiliates;

c)  information about the consumer's transactions with nonaffiliated third parties; and

d)  information from a consumer reporting agency? [6(c)(2)]

IN CLOSING
The Vulnerability Internet Security Test Audit (VISTA) is an independent security test of your institution's network connection to the Internet against unauthorized external intrusion. While your Network Administrator or systems consultants probably perform a vulnerability scan, the scan would not be considered independent since they developed and maintain your Internet security. An independent vulnerability test is required in most cases by your regulator, the Gramm-Leach-Bliley Act, and best practices. Before your next IT examination, visit http://www.internetbankingaudits.com/ for more information and to schedule your independent vulnerability security scan.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
