R. Kinney Williams & Associates

Internet Banking News

September 8, 2002

FYI - The proliferation of insecure corporate wireless networks is fueling the growth of drive-by spamming, a security expert warned on Thursday. http://news.com.com/2100-1033-956911.html

FYI - Suspicious Activity Reports - Attached is a copy of the fourth issue of The SAR Activity Review, published by the Department of the Treasury's Financial Crimes Enforcement Network. The SAR Activity Review, published semiannually, provides feedback to financial institutions about suspicious activity reported to FinCEN by the institutions. www.fdic.gov/news/news/financial/2002/FIL02102.html

FYI - Specially Designated Nationals and Blocked Persons - On August 27, 2002, the Department of the Treasury's Office of Foreign Assets Control amended its list of Specially Designated Nationals and Blocked Persons by removing six names from its list of Specially Designated Global Terrorists.  www.fdic.gov/news/news/financial/2002/FIL02103.html

INTERNET COMPLIANCE
- TRUTH IN SAVINGS ACT (REG DD)

Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers, would supplement electronic disclosures with paper disclosures.

INTERNET SECURITY
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review the last part of a three-part series on controls to prevent and detect intrusions.

8) Encryption. Encryption is a means of securing data. Data can be encrypted when it is transmitted and when it is stored. Because networks are not impervious to penetration, management should evaluate the need to secure their data as well as their network. Management's use of encryption should be based on an internal risk assessment and a classification of data. The strength of encryption should be proportional to the risk and impact if the data were revealed.

9) Employee and Contractor Background Checks. Management should ensure that information technology staff, contractors, and others who can make changes to information systems have passed background checks. Management also should revalidate periodically access lists and logon IDs. 

10) Accurate and Complete Records of Uses and Activities. Accurate and complete records of users and activities are essential for analysis, recovery, and development of additional security measures, as well as possible legal action. Information of primary importance includes the methods used to gain access, the extent of the intruder's access to systems and data, and the intruder's past and current activities. To ensure that adequate records exist, management should consider collecting information about users and user activities, systems, networks, file systems, and applications. Consideration should be given to protecting and securing this information by locating it in a physical location separate from the devices generating the records, writing the data to a tamperproof device, and encrypting the information both in transit and in storage. The OCC expects banks to limit the use of personally identifiable information collected in this manner for security purposes, and to otherwise comply with applicable law and regulations regarding the privacy of personally identifiable information.
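One way to make such records tamper-evident in software, as an added illustration that is not part of the OCC bulletin or this newsletter: each record carries a keyed hash (HMAC) over its content and the previous record's tag, so any edit, deletion or reordering breaks the chain. The key, the sample events and the function names are assumptions for the example; the HMAC key is meant to be held on a host separate from the one generating the records.

```python
import hashlib
import hmac
import json

# Constructed sample events of the kind a bank's systems might record; not real data.
SAMPLE_EVENTS = [
    {"user": "jdoe", "action": "login", "source": "10.0.0.5"},
    {"user": "jdoe", "action": "view_account", "source": "10.0.0.5"},
    {"user": "admin", "action": "change_acl", "source": "10.0.0.9"},
]

GENESIS = "0" * 64  # "previous tag" for the first record


def _body(seq, event, prev_tag):
    # Canonical serialisation so verification recomputes exactly the same bytes.
    return json.dumps({"seq": seq, "event": event, "prev": prev_tag}, sort_keys=True).encode()


def append_record(chain, event, key):
    """Append an event; the tag covers the content plus the previous record's tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    tag = hmac.new(key, _body(seq, event, prev_tag), hashlib.sha256).hexdigest()
    chain.append({"seq": seq, "event": event, "prev": prev_tag, "tag": tag})
    return chain


def verify_chain(chain, key):
    """Return (ok, index of first bad record or -1). Detects edits, deletions and reordering."""
    prev_tag = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev_tag:
            return False, i
        expected = hmac.new(key, _body(i, rec["event"], prev_tag), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev_tag = rec["tag"]
    return True, -1


def build_sample_chain(key):
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, dict(ev), key)  # copy so later tampering does not touch the sample
    return chain


def tamper_demo(key):
    """Simulate an intruder rewriting history; verification pinpoints the altered record."""
    chain = build_sample_chain(key)
    chain[1]["event"]["action"] = "transfer_funds"
    return verify_chain(chain, key)


if __name__ == "__main__":
    k = b"constructed-demo-key"  # in practice a secret kept off the logging host
    print(verify_chain(build_sample_chain(k), k))  # (True, -1)
    print(tamper_demo(k))  # (False, 1)
```

Removing records from the end of the chain is not caught by the chain alone; anchoring the latest tag on the separate system the bulletin recommends closes that gap.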

11) Vendor Management. Banks rely on service providers, software vendors, and consultants to manage networks and operations. In outsourcing situations, management should ensure that contractual agreements are comprehensive and clear with regard to the vendor's responsibility for network security, including its monitoring and reporting obligations. Management should monitor the vendor's performance under the contract, as well as assess the vendor's financial condition at least annually.

PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

33. Except as permitted by §§13-15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:

a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution's privacy policies and practices; [§8(a)(1)]

b. the institution has provided the consumer with a new opt out notice; [§8(a)(2)]

c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§8(a)(3)] and

d. the consumer has not opted out? [§8(a)(4)]


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated