January 30, 2000
FYI - Security Flaw Discovered at Online Bank - Read the New York Times Article at
FYI - A Parisian computer programmer is facing counterfeiting and fraud charges after developing a homemade "smart card" that gave him the ability to fraudulently purchase goods and services throughout France, his attorney said Tuesday.
INTERNET SECURITY - When a financial institution contracts with third-party providers for Internet banking services, management must understand the provider's information security program to effectively evaluate the security system's ability to protect bank and customer data. The FDIC has previously issued guidance on information security concerns such as data privacy and confidentiality, data integrity, authentication, non-repudiation, and access control/system design.
Back in December 1997, the FDIC FIL entitled "Security Risks Associated With the Internet" stated in part that, given the fundamental technological risks presented by use of the Internet, bank management is responsible for protecting systems and data from compromise regardless of whether systems are maintained in-house or services are outsourced.
What should the bank require of the online banking provider?
1) an annual financial statement.
2) an annual IS audit of the provider's computer operations with special attention to Internet/network security by a qualified IS security auditor.
3) a copy of the provider's disaster plan.
4) monthly reports regarding intrusion attempts, down time, and equipment malfunctions.
5) a copy of the provider's privacy and security statement.
6) anything else needed to reach your comfort level with the provider.
INTERNET COMPLIANCE - Electronic Fund Transfer Act (Regulation E)
Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the delivery requirement by electronic communication for any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such a method of delivery.
Accordingly, institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service. Although not specifically mentioned in the commentary, this includes electronic financial services.
Additionally, a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. An example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.
FYI - I am of the opinion that your bank's electronic funds transfer policy should be a link off the online banking section of your web site, which allows customers to transfer funds. In addition, if you are accepting new deposit account applications online, there should be a link to the electronic funds transfer policy.
We hope you had a great Super Bowl weekend and that your team won,