March 18, 2001
FYI - March 13, 2001 - The Federal Reserve Board published revisions to Regulation E (Electronic Fund Transfers) Official Staff Commentary, which applies and interprets the requirements of the regulation. The effective date is March 15, 2001 with the mandatory compliance date set at January 1, 2002.
INTERNET COMPLIANCE - Disclosures/Notices
Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.
INTERNET SECURITY - Outsourcing information technology services will be a "hot topic" with examiners this year. On this note, we will spend the next few weeks reviewing the FFIEC press release "Risk Management of Outsourced Technology Services."
Purpose and Background
This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. Financial institutions should consider the guidance outlined in this statement and the attached appendix in managing arrangements with their technology service providers. While this guidance covers a broad range of issues that financial institutions should address, each financial institution should apply those elements based on the scope and importance of the outsourced services as well as the risk to the institution from the services.
Financial institutions increasingly rely on services provided by other entities to support an array of technology-related functions. While outsourcing to affiliated or nonaffiliated entities can help financial institutions manage costs, obtain necessary expertise, expand customer product offerings, and improve services, it also introduces risks that financial institutions should address. This guidance covers four elements of a risk management process: risk assessment, selection of service providers, contract review, and monitoring of service providers.
FYI - It has come to our attention that the regulators are concerned about the following reported Internet security issues:
The FBI stated that organized hacker groups, primarily from former Soviet countries, are responsible for recent increases in credit card thefts and extortion attempts.
Large Criminal Hacker Attack on Windows NTE-Banking and E-Commerce Sites http://www.sans.org/newlook/alerts/NTE-bank.htm