September 29, 2002
- NCUA Letter
to Credit Unions - Detection of Terrorist Financing - Credit unions
must remain vigilant to ensure they do not unwittingly hide or move
terrorist funds. The Financial Action Task Force on Money Laundering
issued the enclosed guidance on April 24, 2002, to assist financial
institutions in detecting terrorist financing. www.ncua.gov/ref/letters/02-CU-14.html
FYI - NCUA - Proposed
Rule - Accuracy of Advertising and Notice of Insured Status includes
proposed use of the NCUA insurance logo on the Internet. www.ncua.gov/news/proposed_regs/12CFRPart740advertising-proposed.html
FYI - Wells Fargo
has resolved its second network outage in four days, but one affected
client is staying with another provider for now. System problems at
the banking giant prevented many consumers from logging into their online
banking accounts on Monday. The problem forced bill payment service PayPal
to switch from Wells Fargo to its backup payments provider. http://news.com.com/2100-1017-959277.html?tag=cd_mh
FYI - Ann
Marie Poet's new business partner called himself Dr. Mbuso Nelson, and
said he was an official with the Ministry of Mining in South Africa.
Nelson popped into Poet's life out of nowhere one day, offering to pay
$4.5 million to the 59-year-old secretary for her assistance in
transferring $18 million from a bank in South Africa to the United States.
A manager at Bank One apparently approved all of the wire transfers even
though Poet was not authorized to conduct such transfers. http://www.wired.com/news/business/0%2C1367%2C55329%2C00.html
FYI - PayPal Gets Checked by
Scams - Users of online payment service hit twice in as many weeks with
e-mails requesting personal information. http://www.pcworld.com/news/article/0,aid,105470,tk,dn092702X,00.asp
- When computer engineer Stephen Carey bodged a firm's system
upgrade, its bosses felt justified in refusing to pay his bill.
They did not realize, however, how much damage he could do with his
inside knowledge of their operation. http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=9061
COMPLIANCE - Electronic
Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction
involving stored value products is covered by Regulation E when the
transaction accesses a consumer's account (such as when value is
"loaded" onto the card from the consumer's deposit account
at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule
was issued on March 20, 1998 that allows depository institutions to
satisfy the requirement to deliver by electronic communication any
of these disclosures and other information required by the act and
regulations, as long as the consumer agrees to such method of
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not specifically mentioned in the commentary, this
applies to all new banking services including electronic financial
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
- We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Suspicious Activity Reporting.
National banks are required to report intrusions and other computer crimes to the OCC and law enforcement by filing a Suspicious Activity Report (SAR) form and submitting it to the Financial Crimes Enforcement Network (FinCEN), in accordance with 12 USC 21.11. This reporting obligation exists regardless of whether the institution has reported the intrusion to the information-sharing organizations discussed below. For purposes of the regulation and the SAR form instructions, an "intrusion" is defined as gaining access to the computer system of a financial institution to remove, steal, procure or otherwise affect information or funds of the institution or customers. It also includes actions that damage, disable, or otherwise affect critical
systems of the institution. For example, distributed denial of service attaches
(DDoS) attacks should be reported on a SAR because they may temporarily disable critical systems of financial institutions.
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
36. Does the institution use a
reasonable means for delivering the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer;
c. for the consumer who conducts transactions electronically,
clearly and conspicuously
posting the notice on the institution’s electronic site and
requiring the consumer to acknowledge receipt as a necessary step to
obtaining a financial product or service; [§9(b)(1)(iii)] or
d. for isolated transactions, such as ATM transactions, posting the
notice on the screen and requiring the consumer to acknowledge
receipt as a necessary step to obtaining the financial product or
(Note: insufficient or unreasonable means of delivery include:
exclusively oral notice, in person or by telephone; branch or office
signs or generally published advertisements; and electronic mail to
a customer who does not obtain products or services electronically.
[§9 (b)(2)(i) and (ii), and (d)])
IN CLOSING - The Internet
Banking News will not be published next weekend October 6.
I am going on my annual horseback ride to the Carson National Forest
in northern New Mexico for a few days of camping out at 10,000
feet. The Internet Banking News will return the weekend
of October 13. You will find pictures of previous trips and
Gray Ghost, my appaloosa, at http://www.yennik.com/pictures/index.htm.
I will post new pictures when I return.