June 16, 2002
FYI - Fedwire and Net Settlement - The Federal Reserve provides the Fedwire funds transfer service and the Fedwire custodial and transfer service for securities. The Federal Reserve also provides a net settlement service. www.federalreserve.gov/paymentsystems/fedwire/default.htm
FYI - Financial institutions are using sophisticated software to cut off funding to terrorists. http://www.msnbc.com/news/766013.asp?pne=msn
FYI - NCUA - Anti-Money Laundering Programs Interim Final Rule Published by FinCEN - NCUA provides this Regulatory Alert to notify you of a recent interim final rule published by the Financial Crimes Enforcement Network, an agency of the Department of the Treasury. www.ncua.gov/ref/reg_alerts/02-RA-04.html
FYI - Specially Designated Nationals and Blocked Persons - On May 31, 2002, the Department of the Treasury's Office of Foreign Assets Control (OFAC) amended its list of Specially Designated Nationals and Blocked Persons by adding seven names, removing one name, and changing information on one name on its list of Specially Designated Narcotics Traffickers. Attached is a copy of the OFAC bulletin announcing the changes. www.fdic.gov/news/news/financial/2002/fil0266.html
FYI - FinCEN Advisory - The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) published issues 28 through 32 of its FinCEN Advisory in April 2002. Copies are attached for your information. www.fdic.gov/news/news/financial/2002/fil0264.html
INTERNET COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.
INTERNET SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet." While this Financial Institution Letter was published in December 1997, the issues still are relevant.
SECURITY MEASURES
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to further address the issues of authentication, non-repudiation, data privacy, and cryptographic key management.
A certificate authority (CA) is a trusted third party that verifies the identity of a party to a transaction. To do this, the CA vouches for the identity of a party by attaching the CA's digital signature to any messages, public keys, etc., which are transmitted. Obviously, the CA must be trusted by the parties involved, and identities must have been proven to the CA beforehand.
Digital certificates are messages that are signed with the CA's private key. They identify the CA, the represented party, and could even include the represented party's public key.
The responsibilities of CAs and their position among emerging technologies continue to develop. They are likely to play an important role in key management by issuing, retaining, or distributing public/private key pairs.
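The trust relationship described above, as an added example that is not part of the original FDIC letter or this newsletter: a verifier that trusts one CA accepts a certificate signed with that CA's private key and rejects one signed by a different CA that merely carries the same name. It uses Go's standard crypto/x509 package; the names "Example Bank CA" and "teller.example" and the helper functions issue and trustedBy are constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds name to a fresh public key. With a nil parent the result is a
// self-signed CA root; otherwise the parent CA's private key signs it.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root: the CA signs its own certificate
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustedBy returns nil only if cert chains to root, the one CA the verifier trusts.
func trustedBy(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root, rootKey, _ := issue("Example Bank CA", nil, nil)   // constructed sample names
	rogue, rogueKey, _ := issue("Example Bank CA", nil, nil) // same name, different key
	good, _, _ := issue("teller.example", root, rootKey)
	forged, _, _ := issue("teller.example", rogue, rogueKey)
	fmt.Println("trusted CA:", trustedBy(good, root), "| look-alike CA:", trustedBy(forged, root))
}
```

The first result is nil and the second is an unknown-authority error: trust follows the CA's key, which the verifier must already hold, not the name written in the certificate.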
Implementation
The implementation and use of encryption technologies, digital signatures, certificate authorities, and digital certificates can vary. The technologies and methods can be used individually, or in combination with one another. Some techniques may merely encrypt data in transit from one location to another. While this keeps the data confidential during transmission, it offers little in regard to authentication and non-repudiation. Other techniques may utilize digital signatures, but still require the encrypted submission of sensitive information, like credit card numbers. Although protected during transmission, additional measures would need to be taken to ensure the sensitive information remains protected once received and stored.
The protection afforded by the above security measures will be governed by the capabilities of the technologies, the appropriateness of the technologies for the intended use, and the administration of the technologies utilized. Care should be taken to ensure the techniques utilized are sufficient to meet the required needs of the institution. All of the technical and implementation differences should be explored when determining the most appropriate package.
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery? [§6(d)(4)(ii)]