R. Kinney Williams & Associates

Internet Banking News

August 25, 2002

FYI - Board statement on Payments System Risk policy - The Federal Reserve Board announced on Tuesday that it will not, over the near term, incorporate two policy options into its longer-term Payments System Risk policy plan. The Board will, however, continue to analyze the benefits and potential drawbacks of a two-tiered pricing regime for daylight overdrafts. www.federalreserve.gov/boarddocs/press/bcreg/2002/20020820/default.htm

FYI - Viruses don't break the bank - HBoS deploys multi-vendor antivirus strategy. Halifax/Bank of Scotland (HBoS) has cut virus infections by 90 per cent by using several suppliers for its antivirus strategy. http://www.vnunet.com/News/1134385

FYI  - A federal agency is readying a report that will recommend against the U.S. government using wireless LANs - except when applying a long, detailed list of security controls.
News article - http://www.nwfusion.com/news/2002/134874_08-19-2002.html 
Draft report - http://csrc.nist.gov/publications/drafts/draft-sp800-48.pdf 

FYI - FRB examiner says that banking web sites fail to comply with regulations - from the American Bankers Association's "Electronic Payments and Internet Banking" news digest. http://www.aba.com/Industry+Issues/ealertii17.htm#b

FYI - Audit Shows More PCs At the IRS Are Missing - An audit released by the Office of the Treasury Inspector General for Tax Administration found that the IRS cannot account for an unknown number of the 6,600 laptop and desktop computers it lends to volunteers.  
http://www.washingtonpost.com/wp-dyn/articles/A24030-2002Aug15.html 
http://www.govexec.com/dailyfed/0802/081502t1.htm  


FYI - Wells Fargo is closing down its wireless banking service. The financial company said that it plans to shut down the mobile service by late September, due to lack of interest. http://news.com.com/2100-1017-954592.html

FYI - Proposed Rule on Customer Identification Program - On July 23, 2002, the U.S. Department of the Treasury, through the Financial Crimes Enforcement Network, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration jointly proposed a rule that would add a new section to the Bank Secrecy Act regulations. www.fdic.gov/news/news/financial/2002/FIL0292.html

FYI - Fictitious Digital Investment Certificates - The Canada Deposit Insurance Corporation has advised North American investors and depositors of an apparent Internet fraud scam falsely involving CDIC.
Press Release:  www.occ.treas.gov/ftp/alert/2002-10.txt
Attachment:  www.occ.treas.gov/ftp/alert/2002-10a.txt

INTERNET COMPLIANCE - Advertisements

Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.

INTERNET SECURITY
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we start a three part review of controls to prevent and detect intrusions. Management should determine the controls necessary to deter, detect, and respond to intrusions, consistent with the best practices of information system operators. Controls may include the following: 

1) Authentication. Authentication provides identification by means of some previously agreed upon method, such as passwords and biometrics. (A method of identifying a person's identity by analyzing a unique physical attribute.) The means and strength of authentication should be commensurate with the risk. For instance, passwords should be of an appropriate length, character set, and lifespan (The lifespan of a password is the length of time the password allows access to the system. Generally speaking, shorter lifespans reduce the risk of password compromises.) for the systems being protected. Employees should be trained to recognize and respond to fraudulent attempts to compromise the integrity of security systems. This may include "social engineering" whereby intruders pose as authorized users to gain access to bank systems or customer records.

2) Install and Update Systems. When a bank acquires and installs new or upgraded systems or equipment, it should review security parameters and settings to ensure that these are consistent with the intrusion risk assessment plan. For example, the bank should review user passwords and authorization levels for maintaining "separation of duties" and "need to know" policies. Once installed, security flaws in software and hardware should be identified and remediated through updates or "patches." Continuous monitoring and updating is essential to protect the bank from vulnerabilities. Information related to vulnerabilities and patches is typically available from the vendor, from security-related web sites, and in the National Infrastructure Protection Center's bi-weekly CyberNotes.

3) Software Integrity. Copies of software and integrity checkers (An integrity checker uses logical analysis to identify whether a file has been changed.) are used to identify unauthorized changes to software. Banks should ensure the security of the integrity checklist and checking software. Where sufficient risk exists, the checklist and software should be stored away from the network, in a location where access is limited. Banks should also protect against viruses and other malicious software by using automated virus scanning software and frequently updating the signature file (The signature file contains the information necessary to identify each virus.) to enable identification of new viruses.

PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

30. Does the institution allow the consumer to opt out at any time? [§7(f)]

31. Does the institution continue to honor the consumer's opt out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? [§7(g)(1)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated