July 28, 2002
- Hewlett-Packard Co.
confirmed that it has fired and suspended some of its employees in
the U.K. for violating the company's e-mail usage policy. http://www.idg.net/ic_888916_1794_9-10000.html
FYI - Tips to Safely Conduct
Financial Transactions Over the Internet - An NCUA Brochure for Credit
Union Members www.ncua.gov/ref/letters/02-FCU-11.html
FYI - Section 312 of the
USA Patriot Act -- Due Diligence for Correspondent and Private Banking
Accounts - Section 312 of the USA Patriot Act
generally requires a U.S. financial institution that maintains a
correspondent account or private banking account for a non-U.S. person
to establish appropriate and, if necessary, enhanced due diligence
procedures to detect and report instances of money laundering. www.federalreserve.gov/boarddocs/srletters/2002/sr0218.htm
COMPLIANCE - Electronic Fund Transfer Act,
Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary (OSC)
also clarifies that terminal receipts are unnecessary for transfers
initiated on-line. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization
via a home banking system. To satisfy the regulatory requirements,
the institution must have some means to identify the consumer (such
as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or
other visual display that enables the consumer to read the
communication from the institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INTERNET SECURITY - We continue the series
from the FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in
December 1997, the issues still are relevant.
Logical Access Controls (Part 2 of 2)
Token technology relies on a
separate physical device, which is retained by an individual, to
verify the user's identity. The token resembles a small hand-held
card or calculator and is used to generate passwords. The device is
usually synchronized with security software in the host computer
such as an internal clock or an identical time based mathematical
algorithm. Tokens are well suited for one‑time password
generation and access control. A separate PIN is typically required
to activate the token.
Smart cards resemble credit
cards or other traditional magnetic stripe cards, but contain an
embedded computer chip. The chip includes a processor, operating
system, and both read only memory (ROM) and random access memory
(RAM). They can be used to generate one-time passwords when prompted
by a host computer, or to carry cryptographic keys. A smart card
reader is required for their use.
Biometrics involves identification and verification of an individual
based on some physical characteristic, such as fingerprint analysis,
hand geometry, or retina scanning. This technology is advancing
rapidly, and offers an alternative means to authenticate a user.
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
23. If the institution delivers the
opt out notice after the initial notice, does the institution
provide the initial notice once again with the opt out notice?
24. Does the institution provide an opt out notice, explaining how
the institution will treat opt out directions by the joint
consumers, to at least one party in a joint consumer relationship?