June 23, 2002
- Notice of Proposed Rulemaking--Due-Diligence
Anti-Money Laundering Programs for Certain Foreign Accounts - This
bulletin transmits a notice of proposed rulemaking published by the
U.S. Treasury Department and the Financial Crimes Enforcement
Network on May 30 to implement a provision of the USA PATRIOT Act.
Press Release: www.occ.treas.gov/ftp/bulletin/2002-29.txt
FYI - Forcing Private Industry's Hand to Protect
Critical Infrastructure - The Bush administration may consider using
"unorthodox" tactics to encourage the private sector to
bolster cyber security on the portions of the nation's critical
infrastructure it controls. For instance, the administration has
been discussing with the insurance industry the possibility of writing
insurance policies only for those companies whose security meets
certain standards. http://www.washingtonpost.com/wp-dyn/articles/A27682-2002Jun10.html
FYI - Massachusetts
Attorney General Tom Reilly has filed charges against a Middleton,
Mass., woman, accusing her of hacking into her former boss's
computer system and forwarding confidential e-mails to former
COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with
this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INTERNET SECURITY - We continue the series
from the FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in
December 1997, the issues are still relevant.
System Architecture and Design
Measures to address access control and system security start with
the appropriate system architecture. Ideally, if an Internet
connection is to be provided from within the institution, or a Web
site established, the connection should be entirely separate from
the core processing system. If the Web site is placed on its own
server, and that server is not networked to the internal systems,
there is no direct connection from the Internet to the internal
computer system. Even so, appropriate firewall technology may be
necessary to protect the Web servers and/or internal systems.
Placing a "screening router" between the firewall and other
servers provides an added measure of protection, because requests
can be filtered and routed only to the server intended to handle
them (such as a financial information server or a public information
server). Some systems may be considered so critical that they should
be completely isolated from all other systems or networks.
Security can also be enhanced by directing electronic
transmissions from external sources to a staging machine that is
not connected to the core processing system, so that externally
supplied data never lands directly on internal systems.
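The segmentation described above can be expressed as an ordered packet-filter
policy, and the most common way such a policy fails is a broad rule placed
ahead of the rule meant to restrict it. The following is an added example,
not code from the FDIC letter: a small first-match filter that models a
public Web server and staging host in their own segment, a core processing
network that the Web segment must never initiate connections to, and an
internal admin host. It shows a weak policy in which a compromised Web server
can pivot into the core, the hardened ordering beside it, and a check that
flags rules an earlier rule makes unreachable. All addresses, ports and zone
names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Segments (assumed addresses; 192.0.2.0/24 is documentation space).
INTERNET = "0.0.0.0/0"
DMZ      = "192.0.2.0/24"    # Web server and staging host live here
WEB      = "192.0.2.10/32"   # public Web site on its own server
STAGING  = "192.0.2.20/32"   # machine that receives external transmissions
CORE     = "10.0.0.0/24"     # core processing system, separate from the DMZ
ADMIN    = "10.0.0.5/32"     # internal admin workstation


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port
    note: str = ""

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, int]:
    """First matching rule wins. Anything unmatched is dropped (default deny),
    and -1 is returned as the rule index in that case."""
    for i, rule in enumerate(policy):
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, i
    return "deny", -1


def shadowed(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match (same or wider src/dst, any port)."""
    out = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(j)
                break
    return out


# Weak: the "DMZ may reach anything" rule sits above the deny and swallows it.
WEAK_POLICY = [
    Rule("allow", INTERNET, WEB, 443, "public HTTPS"),
    Rule("allow", INTERNET, STAGING, 22, "inbound file drop"),
    Rule("allow", DMZ, "0.0.0.0/0", None, "DMZ hosts may reach anything (too broad)"),
    Rule("deny",  DMZ, CORE, None, "intended isolation, but never reached"),
]

# Hardened: DMZ-to-core is denied explicitly, and only the admin host may
# open connections into the DMZ; everything else falls through to default deny.
HARDENED_POLICY = [
    Rule("allow", INTERNET, WEB, 443, "public HTTPS"),
    Rule("allow", INTERNET, STAGING, 22, "inbound file drop"),
    Rule("deny",  DMZ, CORE, None, "DMZ may never initiate to the core"),
    Rule("allow", ADMIN, DMZ, 22, "admin pushes content and patches into the DMZ"),
]


if __name__ == "__main__":
    # A compromised Web server trying to reach a core database port (constructed).
    pivot = ("192.0.2.10", "10.0.0.50", 1433)
    print("weak    :", evaluate(WEAK_POLICY, *pivot))
    print("hardened:", evaluate(HARDENED_POLICY, *pivot))
    print("shadowed rules in weak policy:", shadowed(WEAK_POLICY))
```

Running the block shows the pivot allowed by rule 2 of the weak policy and
denied by rule 2 of the hardened one; `shadowed` reports the weak policy's
deny rule as unreachable, which is the check worth running whenever a
screening router's rule set is changed.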
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in
its privacy policies, reserves the right to disclose nonpublic
personal information to nonaffiliated third parties in the future,
does the privacy notice include, as applicable, the:
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]