February 27, 2000
FYI - Remarks by Julie L. Williams, 1st Senior Deputy Comptroller and Chief Counsel, Office of the Comptroller of the Currency, before the 5th Annual Cyberbanking and Electronic Commerce Conference, Washington, DC.
INTERNET SECURITY - FDIC reminds us that systems can be vulnerable to a variety of threats, including the misuse or theft of passwords. Hackers may use password cracking programs to figure out poorly selected passwords. The passwords may then be used to access other parts of the system. By monitoring network traffic, unauthorized users can easily steal unencrypted passwords. The theft of passwords is more difficult if they are encrypted. Employees or hackers may also attempt to compromise system administrator access (root access), tamper with critical files, read confidential e-mail, or initiate unauthorized e-mails or transactions.
Hackers may use "social engineering," a scheme using social techniques to obtain technical information required to access a system. A hacker may claim to be someone authorized to access the system such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even set up new computer accounts. Another threat involves the practice of "war dialing," in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. Next week - Other common forms of system attacks.
INTERNET COMPLIANCE EDITORIAL - Your bank's disclosures, such as the truth-in-savings statement, funds availability policy, and electronic funds transfer policy, are public information. I know that many of the disclosures are given to the customer once a year to satisfy the regulations. Even so, I recommend that all your disclosures be on the bank's web pages. Until we get regulatory clarification, an easy method is to have a link to "Bank Disclosures," which is a web page that links to the bank's various disclosures. This helps your customers by allowing them access at their convenience.
INTERNET RISKS - According to the OCC, Internet banking creates new risk control challenges. Over the past three weeks, we covered the OCC's comments on Credit Risk, Interest Rate Risk, and Liquidity Risk. This week we will cover Price Risk.
Price risk is the risk to earnings or capital arising from changes in the value of traded portfolios of financial instruments. This risk arises from market making, dealing, and position taking in interest rate, foreign exchange, equity, and commodities markets.
Banks may be exposed to price risk if they create or expand deposit brokering, loan sales, or securitization programs as a result of Internet banking activities. Appropriate management systems should be maintained to monitor, measure, and manage price risk if assets are actively traded.
PRIVACY STATEMENT - The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Office of Thrift Supervision published for comment in the Federal Register a proposed regulation implementing the privacy provisions of the Gramm-Leach-Bliley Act. The proposed rule (193 pages) pertains to all institutions regulated by the four federal agencies.