March 25, 2001
ACH - The following article is from Jack Burkett, Associate Counsel,
Texas Independent Bankers Association:
Banks could be liable for losses that result from their customers'
failure to meet security standards under a recent amendment to the NACHA
Rules. The amendment, which is intended to enhance security for ACH debits
that are originated through the Internet, mandates the use of security
measures that meet minimum standards. Banks transmitting ACH debits for
customers will be deemed to warrant that the customers have met those
standards and may be liable if the customers have not. The amendment
places new requirements on debit originators and their banks. Originators
(banks' merchant customers) are required to employ fraud-detection
systems, verify that routing numbers are valid, use security technology
that meets a specified standard and conduct annual security audits. Banks
are required to ensure that their customers have satisfied these
obligations and, by transmitting the debit, warrant that they have done
so. If the originator is not a natural person, the bank must also know the
originator's identity, have procedures to monitor the originator's
creditworthiness, and establish and periodically review the originator's
exposure limit and entries. The amendment becomes effective March 16,
2001. See: http://www.nacha.org/news/news/pressreleases/2000/PR082400/pr082400.htm.
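One of the originator obligations above is to verify that routing numbers are valid. The check-digit test below is added illustration (not NACHA's or TIBA's code): it applies the standard ABA weighting to a nine-digit routing number and checks the routing-symbol prefix; the sample numbers are constructed, not real institutions, and a number that passes is only well formed, not proven to be assigned.

```python
"""Check-digit validation for ABA routing numbers, as one component of the
"verify that routing numbers are valid" obligation. Hypothetical example
code; the sample numbers below are constructed for illustration."""
from typing import Tuple

# Weights applied to the nine digits (3, 7, 1 repeating); the weighted sum
# of a valid ABA routing number is a multiple of 10.
_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def aba_check_digit_ok(routing: str) -> bool:
    """True if `routing` is nine digits whose weighted sum is 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(routing, _WEIGHTS))
    return total % 10 == 0


def aba_prefix_ok(routing: str) -> bool:
    """Check the two-digit routing-symbol prefix against the ranges the ABA
    assigns (00-12 Federal Reserve districts, 21-32 thrifts, 61-72
    electronic, 80 traveler's checks). A correct check digit with an
    unassigned prefix is still not a usable routing number."""
    prefix = int(routing[:2])
    return (0 <= prefix <= 12 or 21 <= prefix <= 32
            or 61 <= prefix <= 72 or prefix == 80)


def validate_routing_number(routing: str) -> Tuple[bool, str]:
    """Run the syntactic checks; returns (ok, reason)."""
    routing = routing.strip()
    if not aba_check_digit_ok(routing):
        return False, "bad length, non-digit, or check digit mismatch"
    if not aba_prefix_ok(routing):
        return False, "routing-symbol prefix not in an assigned range"
    # Passing both checks means only that the number is well formed. Whether
    # it is actually assigned to an institution must be confirmed against a
    # current routing-number directory, which this example does not consult.
    return True, "well-formed"


# Constructed samples: 123456780 satisfies the checksum (weighted sum 150),
# 123456789 does not (159), and 993456787 passes the checksum (230) but
# carries an unassigned prefix.
if __name__ == "__main__":
    for sample in ("123456780", "123456789", "12345678", "993456787"):
        print(sample, validate_routing_number(sample))
```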
INTERNET COMPLIANCE - Disclosures/Notices
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions should
ensure that the consumer has agreed to receive disclosures and notices
through electronic means. Additionally, institutions may want to provide
information to consumers about the ability to discontinue receiving
disclosures through electronic means, and to implement procedures to carry
out consumer requests to change the method of delivery. Furthermore,
financial institutions advertising or selling non-deposit investment
products through on-line systems, like the Internet, should ensure that
consumers are informed of the risks associated with non-deposit investment
products as discussed in the "Interagency Statement on Retail Sales
of Non Deposit Investment Products." On-line systems should comply
with this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression about the
nature of the non-deposit investment product or its lack of FDIC
insurance.
INTERNET SECURITY - We continue our review of the FFIEC press release
"Risk Management of Outsourced Technology Services."
Risk Assessment
The board of directors and senior management are responsible for
understanding the risks associated with outsourcing arrangements for
technology services and ensuring that effective risk management practices
are in place. As part of this responsibility, the board and management
should assess how the outsourcing arrangement will support the
institution's objectives and strategic plans and how the service
provider's relationship will be managed. Without an effective risk
assessment phase, outsourcing technology services may be inconsistent with
the institution's strategic plans, too costly, or introduce unforeseen
risks.
Outsourcing of information and transaction processing and settlement
activities involves risks that are similar to the risks that arise when
these functions are performed internally. Risks include threats to
security, availability and integrity of systems and resources,
confidentiality of information, and regulatory compliance. In addition,
the nature of the service provided, such as bill payment, funds transfer,
or emerging electronic services, may result in entities performing
transactions on behalf of the institution, such as collection or
disbursement of funds, that can increase the levels of credit, liquidity,
transaction, and reputation risks.
Management should consider additional risk management controls when
services involve the use of the Internet. The broad geographic reach, ease
of access, and anonymity of the Internet require close attention to
maintaining secure systems, intrusion detection and reporting systems, and
customer authentication, verification, and authorization. Institutions
should also understand that the potential risks introduced are a function
of a system's structure, design and controls and not necessarily the
volume of activity.
An outsourcing risk assessment should consider the following:
1) Strategic goals, objectives, and business needs of the financial institution.
2) Ability to evaluate and oversee outsourcing relationships.
3) Importance and criticality of the services to the financial institution.
4) Defined requirements for the outsourced activity.
5) Necessary controls and reporting processes.
6) Contractual obligations and requirements for the service provider.
7) Contingency plans, including availability of alternative service providers, costs and resources required to switch service providers.
8) Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance.
9) Regulatory requirements and guidance for the business lines affected and technologies used.
PRIVACY - Safeguarding Customer Information
On March 14, 2001, the Federal Deposit Insurance Corporation (FDIC),
the Board of Governors of the Federal Reserve System, the Office of the
Comptroller of the Currency, and the Office of Thrift Supervision
jointly approved and issued guidelines establishing standards for
safeguarding customer information as required by the Gramm-Leach-Bliley
Act (GLBA). Press Release: http://www.fdic.gov/news/news/financial/2001/fil0122.html
Guidelines: http://www.fdic.gov/news/news/financial/2001/fil0122a.html