R. Kinney Williams & Associates

Internet Banking News

May 25, 2003

CONTENT
INTERNET COMPLIANCE
INFORMATION SYSTEMS SECURITY
INFORMATION SECURITY QUESTION
INTERNET PRIVACY
PENETRATION TESTS - WEB SITE AUDITS


FYI -
Singapore's DBS Bank Moves to Higher Security - Singapore's DBS Bank has introduced enhanced security systems on its e-banking service, following a hacking incident which cost the bank $62,000 last summer.  http://www.infosecnews.com/sgold/news/2003/05/22_03.htm 

FYI  - Bank of America Corp. has warned its customers to be aware of a scam that attempts to get them to log into a fake Web site that then captures their personal financial details.  http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,81211,00.html 

FYI - Hacking 2003: The new agenda - Bank robbers rarely choose a target at random when planning a heist. They usually have intimate knowledge of their target, scope it out and plan the attack. We see a similar approach now being used on the Internet.  http://news.com.com/2010-1071-1001016.html 

FYI - Hack attacks on banks increase - Nearly 40 percent of financial institutions in a new survey admitted that their systems had been compromised, as "intelligent attacks" increased.  http://news.zdnet.co.uk/story/0,,t269-s2134573,00.html 

FYI  - FFIEC Information Technology Examination Handbook - The Federal Financial Institutions Examination Council has issued two booklets - one, with revised guidance for evaluating risk-management processes to ensure the availability of critical financial services, and the other covering the supervision and examination of services performed for financial institutions by technology service providers. The booklets are the second and third in a series of updates, which will eventually replace the 1996 FFIEC Information Systems Examination Handbook and comprise the new FFIEC Information Technology Examination Handbook. www.fdic.gov/news/news/financial/2003/fil0340.html

FYI - U.S. law-enforcement officers arrested 50 suspects this week in an effort to combat the fast-growing online crime that now accounts for more than half of all fraud complaints.  Those arrested stand accused of a variety of crimes, from setting up fake banking Web sites to collect the account numbers of unsuspecting customers to surreptitiously taping and selling unreleased movies.  http://www.cnn.com/2003/TECH/internet/05/16/cybercrime.feds.ap/index.html 

FYI - The Federal Reserve Board announced it will expand the operating hours for the online Fedwire® Funds Service. www.federalreserve.gov/boarddocs/press/other/2003/20030521/default.htm

FYI - Business Continuity Planning and Supervision of Technology Service Providers Booklets - The Federal Financial Institutions Examination Council has issued updated guidance in two booklets, one on business continuity planning, and the other on FFIEC supervision of technology service providers. These booklets are the second and third in a series that will completely update and replace the 1996 FFIEC Information Systems Examination Handbook. 
Press release  www.occ.treas.gov/ftp/bulletin/2003-18.txt
Attachment  http://www.ffiec.gov/press/pr052003.htm 
Press release  www.ots.treas.gov/docs/77318.html
Press release  www.ncua.gov/news/press_releases/2003/FFIEC03-0520.htm 


INTERNET COMPLIANCE
Equal Credit Opportunity Act (Regulation B)

The regulation clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that those forms satisfy the same requirements as paper application forms.

The regulation also clarifies the requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.



INFORMATION SYSTEMS SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

INFORMATION SECURITY RISK ASSESSMENT


PRIORITIZE RESPONSES

This phase ranks the risk (outcomes and probabilities) presented by various scenarios produced in the analysis phase to prioritize management’s response. Management may decide that since some risks do not meet the threshold set in their security requirement, they will accept those risks and not proceed with a mitigation strategy. Other risks may require immediate corrective action. Still others may require mitigation, either fully or partially, over time. Risks that warrant action are addressed in the information security strategy.

In some borderline instances, or if planned controls cannot fully mitigate the risk, management may need to review the risk assessment and risk ranking with the board of directors or a delegated committee. The board should then document its acceptance of the risk or authorize other risk mitigation measures.


INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication

5. Determine if passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines which query customer information databases.  Evaluate the appropriateness of such storage and the associated protective mechanisms (for example, whether the stored value is a plaintext database password embedded in a script or configuration file, who can read that file, and whether the host sits in an Internet-facing segment).
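One practical way to answer this question on a real system is to inventory the program and configuration files that hold credentials and rank them by where they live. The scanner below is an added example written for this newsletter; it is not part of the FFIEC booklet and does not reproduce any examiner tool. The file contents, paths, hosts, user names and passwords are constructed samples, and the rule that anything under /var/www/ is on an Internet-reachable host is an assumption an institution would replace with its own network inventory. Matching is heuristic: it finds key=value style secrets and Perl DBI connect strings, skips placeholders such as ${DB_PASSWORD} that are resolved at runtime, and rates a finding "high" when the file is on an externally reachable host, "medium" when the program also contains database-connection code, and "low" otherwise.

```python
"""Added example: locate passwords embedded in programs and configuration files
and rank them by exposure. Sample files and the external-host rule are constructed."""
import re
from dataclasses import dataclass

# Constructed sample files (path -> contents). Hosts, users and passwords are hypothetical.
SAMPLE_FILES = {
    "/var/www/cgi-bin/balance.pl": (
        "#!/usr/bin/perl\n"
        "use DBI;\n"
        "my $dbh = DBI->connect('dbi:Oracle:custdb', 'appuser', 'Summer2003!');\n"
    ),
    "/opt/ebank/conf/db.properties": (
        "jdbc.url=jdbc:oracle:thin:@custdb.internal:1521:CUST\n"
        "jdbc.user=ebank\n"
        "jdbc.password=s3cret\n"
    ),
    "/opt/ebank/conf/db-hardened.properties": (
        "jdbc.url=jdbc:oracle:thin:@custdb.internal:1521:CUST\n"
        "jdbc.user=ebank\n"
        "jdbc.password=${DB_PASSWORD}\n"   # placeholder resolved at runtime, not a secret
    ),
    "/etc/motd": "Welcome to the Internet banking front end.\n",
}

# Assumption: directories under these prefixes live on hosts reachable from the Internet.
EXTERNAL_PREFIXES = ("/var/www/",)

# Patterns that capture an embedded secret; the "secret" group holds the candidate value.
SECRET_PATTERNS = [
    # key=value / key: value, e.g. jdbc.password=s3cret or passwd: hunter2
    re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret)\s*[=:]\s*['\"]?(?P<secret>[^'\"\s;]+)"),
    # Perl DBI->connect(dsn, user, password)
    re.compile(r"DBI->connect\(\s*'[^']*'\s*,\s*'[^']*'\s*,\s*'(?P<secret>[^']*)'"),
]
# Evidence that the program talks to a database at all.
DB_CLIENT = re.compile(r"(?i)\b(?:jdbc:|dbi:|DBI->connect|Data Source=|odbc)")
# Values that are placeholders substituted at runtime rather than literal secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{[^}]+\}|\$[A-Z_]+|%[A-Z_]+%|<[^>]+>)$")


@dataclass
class Finding:
    path: str
    line: int
    external: bool      # file sits on a host reachable from outside the institution
    db_client: bool     # file also contains database-connection code
    snippet: str

    @property
    def severity(self) -> str:
        if self.external:
            return "high"
        return "medium" if self.db_client else "low"


def scan_text(path, text, external_prefixes=EXTERNAL_PREFIXES):
    """Return one Finding per line of `text` that embeds a literal credential."""
    external = path.startswith(external_prefixes)
    db_client = bool(DB_CLIENT.search(text))
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m and not PLACEHOLDER.match(m.group("secret")):
                findings.append(Finding(path, lineno, external, db_client, line.strip()))
                break   # one finding per line is enough
    return findings


def scan_files(files, external_prefixes=EXTERNAL_PREFIXES):
    """Scan a path -> contents mapping and return findings, most exposed first."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, external_prefixes))
    order = ("high", "medium", "low")
    return sorted(findings, key=lambda f: order.index(f.severity))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.severity:6} {f.path}:{f.line}  {f.snippet}")
```

On a live host the SAMPLE_FILES mapping would be replaced by a walk of the web root, cron directories and application configuration trees, and each "high" finding should be followed by checking the file's permissions and whether the credential grants read access to customer data; the hardened properties file shows the usual remediation, which is to keep the literal out of the program and inject it from a protected store at start-up.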



INTERNET PRIVACY
We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13). 
(Part 1 of 3)

Note:
Financial institutions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these institutions are held to the most comprehensive compliance standards imposed by the Privacy regulation.

A. Disclosure of Nonpublic Personal Information 

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a.  Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers (customers and those who are not customers) in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

b.  Compare the data shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§10).

2)  If the financial institution also shares information under Section 13, obtain and review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts (§13(a)).


PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web sites compliance and penetration-vulnerability  testing. 
Visit http://www.bankwebsiteaudits.com for more information about web site audits.  For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated