August 18, 2002
Interim Final Rule - Special Due Diligence Programs for
Certain Foreign Accounts - This bulletin transmits an interim final
rule published by the U.S. Treasury Department and the Financial
Crimes Enforcement Network on July 23. The attached interim final
rule provides guidance for banks to comply with section 312 of the
USA PATRIOT Act.
Press Release: www.occ.treas.gov/ftp/bulletin/2002-37.txt
FYI - FinCEN Advisory
- In a continuing effort to assist banks in Bank Secrecy Act
compliance, anti-money laundering efforts, and prevention and
detection of other financial crimes, the Federal Deposit Insurance
Corporation forwards to FDIC-supervised banks each issue of FinCEN
Advisory, published by the Department of the Treasury's Financial
Crimes Enforcement Network. www.fdic.gov/news/news/financial/2002/FIL0288.html
COMPLIANCE - Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day
rule," requiring mailing or delivery of the statement not later
than 14 days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options, but should ensure
that on-line advertising complies with the regulations. For on-line
advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review security strategies and plans.
Senior management and the board of directors are responsible for overseeing the development and implementation of their bank's security strategy and plan. Key elements to be included in those strategies and plans are an intrusion risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. These elements are needed for both internal and outsourced operations.
The first step in managing the risks of intrusions is to assess the effects that intrusions could have on the institution. Effects may include direct dollar loss, damaged reputation, improper disclosure, lawsuits, or regulatory sanctions. In assessing the risks, management should gather information from multiple sources, including (1) the value and sensitivity of the data and processes to be protected, (2) current and planned protection strategies, (3) potential threats, and (4) the vulnerabilities present in the network environment. Once information is collected, management should identify threats and the likelihood of those threats materializing, rank critical information assets and operations, and estimate potential damage.
The analysis should be used to develop an intrusion protection strategy and risk management plan. The intrusion protection strategy and risk management plan should be consistent with the bank's information security objectives. It also should balance the cost of implementing adequate security controls with the bank's risk tolerance and profile. The plan should be implemented within a reasonable time. Management should document this information, its analysis of the information, and decisions in forming the protection strategy and risk management plan. By documenting this information, management can better control the assessment process and facilitate future risk assessments.
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
28. Does the institution refrain
from requiring all joint consumers to opt out before implementing
any opt out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt
out as soon as is reasonably practicable after receiving it?