January 7, 2001
FYI - The Blanket Bond does NOT cover non-employee computer fraud, fraudulent voice instructions and fraudulent telefax requests unless there is an endorsement to cover such activity. At present, I am not aware of an endorsement to cover a fraudulent e-mail from a bank customer. This information was supplied by Fidelity and Deposit. Please double check with the bonding company to be sure that R. Kinney Williams & Associates is covered regarding Internet activities.
FYI - The Federal Reserve Board, after consulting with the Secretary of the Treasury, has determined by rule that acting as a "finder" is an activity that is incidental to a financial activity and, therefore, a permissible activity for a financial holding company.
FYI - The Federal Reserve Bank of Dallas Community Affairs Department now offers a new, interactive version of "Building Wealth: A Beginner's Guide to Securing Your Financial Future" at
You may want to add this link to your bank's web site.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
Performing the Risk Assessment and Determining Vulnerabilities
Performing a sound risk assessment is critical to establishing an effective information security program. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution. Banks still should have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education, and testing, as part of an effective program.
When institutions contract with third-party providers for information system services, they should have a sound oversight program. At a minimum, the security-related clauses of a written contract should define the responsibilities of both parties with respect to data confidentiality, system security, and notification procedures in the event of data or system compromise. The institution needs to conduct a sufficient analysis of the provider's security program, including how the provider uses available risk assessment tools and practices. Institutions also should obtain copies of independent penetration tests run against the provider's system.
INTERNET COMPLIANCE - Disclosures/Notices continued:
Financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.
INTERNET COMPLIANCE - In regard to non-deposit investment products, the FDIC has informally told us that "Member FDIC" and the non-deposit disclaimer should not be on the same web page.
PRIVACY STATEMENT - Big Brother knocked in 2000. For privacy experts, 2000 looked more like 1984.