March 11, 2001
FYI - The OCC released a bulletin on bank-provided aggregation services. The bulletin and press release are available on the OCC's web site.
FYI - On March 5, 2001, Comptroller of the Currency John D. Hawke, Jr. outlined the Global Challenges of Internet Banking.
INTERNET COMPLIANCE - The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services. Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk. The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan. This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements. For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to test the system for regulatory compliance.
INTERNET SECURITY - We conclude our review of the FDIC paper "Risk Assessment Tools and Practices of Information System Security." We hope you have found this series useful.
INCIDENT RESPONSE - This final installment discusses implementing an incident response strategy, the response component of an institution's information security program. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to the institution. In developing a response strategy or plan, management should consider the following:
1) The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity. The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents.
2) The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse.
3) Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuse.
4) A recovery plan should be established, and in some cases, an incident response team should be identified.
5) The plan should include procedures to officially report the incidents to senior management, the board of directors, legal counsel, and law enforcement agents as appropriate.
Please remember that we perform vulnerability testing and would be happy to e-mail the financial institution a proposal. Please send an e-mail to Kinney Williams at email@example.com for more information.
FYI - Virginia became the first state in the nation to adopt a new act creating a uniform commercial contract law for computer software, data, and online contracts. "UCITA" will become effective in Virginia on July 1, 2001.