R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

December 1, 2002

FYI  - The OCC recently published "Internal Controls - A Guide for Directors."  Whether or not you are regulated by the OCC, we recommend this as required reading by your Directors.  http://www.occ.treas.gov/IntCtrl.pdf 

FYI - Feds, firms unveil test for security pros - A new certification program for entry-level computer-security professionals will officially get up and running, said representatives of the combined industry-government group behind the exam.  http://news.com.com/2100-1001-975556.html?tag=fd_top 

FYI- System admins slow to zap bugs - System administrators are still not patching systems frequently enough, according to a recently published study of a software security flaw that allowed the Linux Slapper worm to spread.  http://news.com.com/2100-1001-966398.html 

FYI - A Greater Threat than Software Viruses? - The biggest risk to organizations is active Internet content containing invisible software that enters computer networks and does damage.   http://advisor.com/doc/11501 

FYI - Identity Theft Highlights Serious Security Flaws - Much attention has been focused on high-tech solutions, but this week's bust points out the simple problems with passwords.  http://www.pcworld.com/news/article/0,aid,107426,tk,dn112702X,00.asp 

FYI - Treasury Issues Moratorium on Section 314(a) Information Requests This Notice addresses two matters associated with section 314 of the USA PATRIOT Act as described below. Generally, section 314 authorizes law enforcement authorities to communicate with banking organizations and others about suspected money launderers and terrorists, and banking organizations to communicate amongst themselves about such matters.

FYI - A small Manhattan bank that prosecutors said accepted duffel bags full of cash without questioning their origin pleaded guilty yesterday to violating federal money laundering rules in what the government called the first case of its kind.  http://www.nytimes.com/2002/11/28/business/28LAUN.html?ex=1039150800 

FYI - Bank of America's customers are getting a crack at moving checks off the paper trail and into the digital realm, part of a trend that could end up saving banks millions of dollars.  http://news.com.com/2100-1017-975522.html?tag=cd_mh 

FYI - Numerous consumers moved to try to protect their finances and credit lines Tuesday, a day after prosecutors warned that thousands of people were vulnerable to a high-tech assault on their identities after records were stolen from a software company.  http://www.nytimes.com/aponline/national/AP-Identity-Theft.html?ex=1038891600 

INTERNET COMPLIANCE - Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.

We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 

When assessing information security products, management should be aware that many products offer a combination of risk assessment features, and can cover single or multiple operating systems. Several organizations provide independent assessments and certifications of the adequacy of computer security products (e.g., firewalls). While the underlying product may be certified, banks should realize that the manner in which the products are configured and ultimately used is an integral part of the products' effectiveness. If relying on the certification, banks should understand the certification process used by the organization certifying the security product. Other examples of items to consider in the risk assessment process include:

1) Identifying mission-critical information systems, and determining the effectiveness of current information security programs. For example, a vulnerability might involve critical systems that are not reasonably isolated from the Internet and external access via modem. Having up-to-date inventory listings of hardware and software, as well as system topologies, is important in this process.

2) Assessing the importance and sensitivity of information and the likelihood of outside break-ins (e.g., by hackers) and insider misuse of information. For example, if a large depositor list were made public, that disclosure could expose the bank to reputational risk and the potential loss of deposits. Further, the institution could be harmed if human resource data (e.g., salaries and personnel files) were made public. The assessment should identify systems that allow the transfer of funds, other assets, or sensitive data/confidential information, and review the appropriateness of access controls and other security policy settings. 

3) Assessing the risks posed by electronic connections with business partners. The other entity may have poor access controls that could potentially lead to an indirect compromise of the bank's system. Another example involves vendors that may be allowed to access the bank's system without proper security safeguards, such as firewalls. This could result in open access to critical information that the vendor may have "no need to know."

4) Determining legal implications and contingent liability concerns associated with any of the above. For example, if hackers successfully access a bank's system and use it to subsequently attack others, the bank may be liable for damages incurred by the party that is attacked. 

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

If the institution receives information from a nonaffiliated financial institution under an exception in 14 or 15, does the institution refrain from using or disclosing the information except:

a.  to disclose the information to the affiliates of the financial institution from which it received the information; [11(a)(1)(i)]

b.  to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [11(a)(1)(ii)] and

c.  to disclose and use the information pursuant to an exception in 14 or 15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [11(a)(2)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated