January 16, 2000
FYI - E*TRADE Group, Inc., the Menlo Park, Calif., on-line brokerage firm, has received the approval of the Office of Thrift Supervision to acquire Telebanc Financial Corporation and its $3.9 billion asset branchless thrift, Telebank. OTS attached a number of conditions to the approval.
FYI - The Office of Thrift Supervision has begun shipping to the thrift institutions it regulates and to its examiner staff copies of the updated Compliance Activities Handbook that incorporates interagency fair lending examination procedures adopted in 1999 and other material reflecting recent statutory and regulatory changes.
INTERNET SECURITY - Regarding auditing of Internet activities, the regulators will:
1. Determine whether the scope of internal or external audit coverage includes Internet banking.
2. Determine whether a risk assessment or audit has been performed on key management practices.
3. Determine whether internal audit is or was involved in planning and implementing the Internet banking system.
4. If available, obtain internal or external audit reports (including Type II SAS 70 reviews) that evaluate vendor management processes or specific vendor relationships as they relate to information systems and technology.
5. Obtain management reports or conduct interviews with management to determine whether vendor controls have been evaluated. Determine whether management has considered the adequacy of:
a. Security controls and reporting including whether management understands and has evaluated security for access control, user authentication, and data privacy.
b. Security monitoring activity including whether the vendor performs real-time intrusion detection and penetration testing of offsite or in-house networks.
c. Service levels and the vendor's ability to meet negotiated standards.
d. Testing activity by the vendor prior to product distribution.
e. Virus detection processes.
f. Contingency planning and business resumption plans.
6. If the bank outsources its Internet banking processing, determine the name of the vendor(s) employed and whether the bank has obtained and reviewed the regulatory agency examination report of the vendor.
7. Determine whether the audit function reviews the consistency between the bank's disclosed security and privacy standards and actual bank practices.
INTERNET COMPLIANCE - Last week we gave you the OCC's definition of "Compliance Risk." This week we are covering the compliance issues the OCC raises for Internet banking:
1) Federal consumer protection laws and regulations, including CRA and Fair Lending, are applicable to electronic financial services operations including Internet banking. Moreover, it is important for national banks to be familiar with the regulations that permit electronic delivery of disclosures/notices versus those that require traditional hard copy notification. National banks should carefully review and monitor all requirements applicable to electronic products and services and ensure they comply with evolving statutory and regulatory requirements.
2) Advertising and record-keeping requirements also apply to banks' Web sites and to the products and services offered. Advertisements should clearly and conspicuously display the FDIC insurance notice, where applicable, so customers can readily determine whether a product or service is insured.
3) Regular monitoring of bank Web sites will help ensure compliance with applicable laws, rules, and regulations. See the "Consumer Compliance Examination" booklet of the Comptroller's Handbook, OCC Bulletin 94-13, "Nondeposit Investment Sales Examination Procedures," and OCC Bulletin 98-31, "Guidance on Electronic Financial Services and Consumer Compliance" for more information.
4) Application of Bank Secrecy Act (BSA) requirements to cyber banking products and services is critical. The anonymity of banking over the Internet poses a challenge in adhering to BSA standards. Banks planning to allow the establishment of new accounts over the Internet should have rigorous account opening standards. Also, the bank should set up a control system to identify unusual or suspicious activities and, when appropriate, file suspicious activity reports (SARs).
5) The BSA funds transfer rules also apply to funds transfers or transmittals performed over the Internet when transactions exceed $3,000 and do not meet one of the exceptions. The rules require banks to ensure that customers provide all the required information before accepting transfer instructions. The record keeping requirements imposed by the rules allow banks to retain written or electronic records of the information.
6) The Office of Foreign Assets Control (OFAC) administers laws that impose economic sanctions against foreign nations, entities and individuals. This includes blocking accounts and other assets and prohibiting financial transactions. Internet banking businesses must comply with OFAC requirements. A bank needs to collect enough information to identify its customers and to determine whether a particular transaction is prohibited under OFAC rules. See the FFIEC Information Systems Examination Handbook (IS Handbook) for a discussion of OFAC.
WEB PAGES - Bank web pages should contain a link to what I refer to as a "Terms and Conditions" statement. This statement basically states that visitors to the bank's web site accept the inherent risks of Internet use. It should make clear that the bank is not responsible for inappropriate use by the visitor, for viruses, for downtime caused by events beyond the bank's control, for Internet security outside the bank's own computers, or for the security of e-mail.