R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

August 18, 2002

FYI- Interim Final Rule - Special Due- Diligence Programs for Certain Foreign Accounts - This bulletin transmits an interim final rule published by the U.S. Treasury Department and the Financial Crimes Enforcement Network on July 23. The attached interim final rule provides guidance for banks to comply with section 312 of the USA PATRIOT Act.
Press Release: www.occ.treas.gov/ftp/bulletin/2002-37.txt
Attachment: www.occ.treas.gov/fr/fedregister/67fr48348.pdf 

FinCEN Advisory - In a continuing effort to assist banks in Bank Secrecy Act compliance, anti-money laundering efforts, and prevention and detection of other financial crimes, the Federal Deposit Insurance Corporation forwards to FDIC-supervised banks each issue of FinCEN Advisory, published by the Department of the Treasury's Financial Crimes Enforcement Network. www.fdic.gov/news/news/financial/2002/FIL0288.html

INTERNET COMPLIANCETruth in Lending Act (Regulation Z)

The commentary to regulation Z was amended recently to clarify that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulations state that financial institutions may permit customers to call for their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," requiring mailing or delivery of the statement not later than 14 days before the end of the grace period.

Provisions pertaining to advertising of credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options. Financial institutions should ensure that on-line advertising complies with the regulations. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with the regulations, which describe the requirements for multiple-page advertisements.

We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review security strategies and plans. 

Senior management and the board of directors are responsible for overseeing the development and implementation of their bank's security strategy and plan. Key elements to be included in those strategies and plans are an intrusion risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. These elements are needed for both internal and outsourced operations.

The first step in managing the risks of intrusions is to assess the effects that intrusions could have on the institution. Effects may include direct dollar loss, damaged reputation, improper disclosure, lawsuits, or regulatory sanctions. In assessing the risks, management should gather information from multiple sources, including (1) the value and sensitivity of the data and processes to be protected, (2) current and planned protection strategies, (3) potential threats, and (4) the vulnerabilities present in the network environment. Once information is collected, management should identify threats and the likelihood of those threats materializing, rank critical information assets and operations, and estimate potential damage.

The analysis should be used to develop an intrusion protection strategy and risk management plan. The intrusion protection strategy and risk management plan should be consistent with the bank's information security objectives. It also should balance the cost of implementing adequate security controls with the bank's risk tolerance and profile. The plan should be implemented within a reasonable time. Management should document this information, its analysis of the information, and decisions in forming the protection strategy and risk management plan. By documenting this information, management can better control the assessment process and facilitate future risk assessments.

PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [7(e)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated