March 19, 2000
FYI - The Justice Department operates a Web site to pull together information on its growing battle against cybercrime. The Web site, at
http://www.cybercrime.gov, includes press releases, officials' speeches and testimony to Congress, legal texts, and Justice Department reports, among other things.
FYI - The OCC added an Internet banking section to its Web site. The move is meant to accommodate increasing interest among bankers and others in OCC initiatives and actions on Internet banking.
FYI - One of our readers suggested the following web site that provides detailed research across the Information Technology market spectrum.
FYI - A question came up this week regarding out-of-territory loan applications received over the Internet. Since the Internet is worldwide, your bank should state its trade area on the bank's home page and lending pages; this allows you to decline a credit request because the bank does not make loans outside its trade area. Also keep in mind that the bank's Internet activities should reflect the bank's CRA statement.
INTERNET SECURITY - Over the next two weeks, we will share information about computer security policies. The information is from the Information Systems Audit and Control Association's (ISACA) Certified Information Systems Auditor (CISA) Review Technical Information Manual. ISACA is a worldwide organization of professional computer security auditors. The CISA is the organization's certification that the IS auditor is proficient in auditing computer security systems, including the Internet.
For security to be successfully implemented and maintained, the framework and intent of security must be clearly established and communicated to all appropriate parties. The key is a written security policy that serves to heighten security awareness throughout the organization.
Four of the seven key components of such a policy include the following:
1) Management Support and Commitment
Management must demonstrate a commitment to security. Management shows this commitment by clearly approving and supporting formal security awareness and training. This may require special management-level training since security is not necessarily a part of management expertise.
2) Access Philosophy
Access to computerized information should be based on a "need-to-know, need-to-do" basis.
3) Access Authorization
The data owner or manager who is responsible for the accurate use and reporting of the information should provide written authorization for users to gain access to computerized information. The manager should give this documentation directly to the security administrator so mishandling or alteration of the authorization does not occur.
4) Reviews of Access Authorization
Like any other control, access controls should be evaluated regularly to ensure they are still effective. Personnel and departmental changes, malicious efforts, and just plain carelessness can impact the effectiveness of access controls. For this reason, the security administrator, with the assistance of the managers who provide access authorization, should review access controls. Any access exceeding the "need-to-know, need-to-do" philosophy should be changed accordingly.
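The following is an added illustration of components 3 and 4 in working form; it is not from the newsletter or the ISACA manual. It reconciles a constructed written-authorization register (checking that each authorization was signed by the resource's data owner) against a constructed snapshot of access actually granted, and reports what a security administrator's review would flag: authorizations not signed by the owner, access exceeding valid authorizations, and departed personnel who still hold access. All names, resources, and records are hypothetical.

```python
"""Access-authorization review (added example; all data is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    user: str
    resource: str
    approved_by: str  # manager who signed the written authorization


# Constructed: the data owner responsible for each resource.
DATA_OWNERS = {"loan_files": "jsmith", "wire_system": "mlee"}

# Constructed authorization register held by the security administrator.
AUTHORIZATIONS = [
    Authorization("alice", "loan_files", "jsmith"),
    Authorization("bob", "loan_files", "jsmith"),
    Authorization("carol", "wire_system", "mlee"),
    Authorization("dave", "loan_files", "dave"),  # not signed by the data owner
]

# Constructed snapshot of access actually granted on the systems.
GRANTED = {
    "alice": {"loan_files"},
    "bob": {"loan_files", "wire_system"},  # wire_system was never authorized
    "carol": {"wire_system"},
    "dave": {"loan_files"},
}

# Constructed personnel roster: carol has left the bank.
ACTIVE_USERS = {"alice", "bob", "dave"}


def review_access(auths, granted, active, owners):
    """Return the exceptions to resolve: authorizations not signed by the
    data owner, access exceeding valid authorizations (need-to-know), and
    departed users who still hold access."""
    invalid = [a for a in auths if owners.get(a.resource) != a.approved_by]
    authorized = {}
    for a in auths:
        if a not in invalid:  # only owner-signed authorizations count
            authorized.setdefault(a.user, set()).add(a.resource)
    excess = {}
    for user, resources in granted.items():
        extra = resources - authorized.get(user, set())
        if extra:
            excess[user] = extra
    departed = {user for user in granted if user not in active}
    return {"invalid": invalid, "excess": excess, "departed": departed}
```

Each entry in the returned report is an item the security administrator and the authorizing manager resolve together, either by obtaining a proper written authorization or by revoking the access.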
INTERNET RISKS - According to the OCC, Internet banking creates new risk control challenges. Over the past few weeks, we covered the OCC's comments on Credit Risk, Interest Rate Risk, Liquidity Risk, Price Risk, Foreign Exchange Risk, and Transactional Risk. This week we will cover Compliance Risk.
Compliance risk is the risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank's clients may be ambiguous or untested. Compliance risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts.
Compliance risk can lead to a diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and lack of contract enforceability.
Most Internet banking customers will continue to use other bank delivery channels. Accordingly, national banks will need to make certain that their disclosures on Internet banking channels, including Web sites, remain synchronized with other delivery channels to ensure the delivery of a consistent and accurate message to customers.
Federal consumer protection laws and regulations, including CRA and Fair Lending, are applicable to electronic financial services operations including Internet banking. Moreover, it is important for national banks to be familiar with the regulations that permit electronic delivery of disclosures/notices versus those that require traditional hard copy notification. National banks should carefully review and monitor all requirements applicable to electronic products and services and ensure they comply with evolving statutory and regulatory requirements.
Advertising and record-keeping requirements also apply to banks' Web sites and to the products and services offered. Advertisements should clearly and conspicuously display the FDIC insurance notice, where applicable, so customers can readily determine whether a product or service is insured. Regular monitoring of bank Web sites will help ensure compliance with applicable laws, rules, and regulations. See the "Consumer Compliance Examination" booklet of the Comptroller's Handbook, OCC Bulletin 94-13, "Nondeposit Investment Sales Examination Procedures," and OCC Bulletin 98-31, "Guidance on Electronic Financial Services and Consumer Compliance" for more information.
Application of Bank Secrecy Act (BSA) requirements to cyberbanking products and services is critical. The anonymity of banking over the Internet poses a challenge in adhering to BSA standards. Banks planning to allow the establishment of new accounts over the Internet should have rigorous account opening standards. Also, the bank should set up a control system to identify unusual or suspicious activities and, when appropriate, file suspicious activity reports (SARs).
The BSA funds transfer rules also apply to funds transfers or transmittals performed over the Internet when transactions exceed $3,000 and do not meet one of the exceptions. The rules require banks to ensure that customers provide all the required information before accepting transfer instructions. The record keeping requirements imposed by the rules allow banks to retain written or electronic records of the information.
The Office of Foreign Asset Control (OFAC) administers laws that impose economic sanctions against foreign nations and individuals. This includes blocking accounts and other assets and prohibiting financial transactions. Internet banking businesses must comply with OFAC requirements. A bank needs to collect enough information to identify customers and determine whether a particular transaction is prohibited under OFAC rules. See the FFIEC Information Systems Examination Handbook (IS Handbook) for a discussion of OFAC.
IN CLOSING - We offer penetration and vulnerability testing. Our associate is Cisco certified and has a Cisco Certified Internetwork Expert on staff. If you would like more information about affordable penetration and vulnerability testing, please send us an e-mail. We will have our associate call you to discuss how testing will benefit your Internet audit and security program.