April 2, 2000
FYI EDITORIAL - There is considerable discussion concerning the term "clear and conspicuous" as it applies to web pages, since the term is found in some disclosure regulations. Some regulators believe that a link in and of itself to a disclosure is not "clear and conspicuous" and that the disclosure should be on the same web page as the advertisement it applies to. Other regulators believe that a link to the proper disclosure meets the requirements of the regulations. In fact, the FFIEC Internet guidelines state "Institutions may find it helpful to use 'pointers' and 'hotlinks' that will automatically present the disclosures to customers when selected." We have said many times before that compliance officers, regulators, and consultants will be going through a learning curve over the next few years as the various Internet banking issues are sorted out. In the meantime, some banks will be written up for a violation, while others will not. We believe that the regulators will look more favorably on those banks that take a proactive approach to compliance on the Internet than on those banks that do nothing.
FYI - Until the regulators become consistent, we recommend that each disclosure be on a separate web page rather than having all disclosures on one web page. The wording of the link should identify the specific disclosure rather than calling the link "disclosures" or "legal disclosures." Be sure to test-print the disclosures on an inkjet printer, which most consumers have today.
INTERNET RISKS - According to the OCC, Internet banking creates new risk control challenges. Over the past several weeks, we covered the OCC's comments on Credit Risk, Interest Rate Risk, Liquidity Risk, Price Risk, Foreign Exchange Risk, Transactional Risk, Compliance Risk, and Strategic Risk. This week we will cover Reputation Risk, which is the final risk in this series.
Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution's ability to establish new relationships or services or continue servicing existing relationships. This risk may expose the institution to litigation, financial loss, or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with customers and the community.
A bank's reputation can suffer if it fails to deliver on marketing claims or to provide accurate, timely services. This can include failing to adequately meet customer credit needs, providing unreliable or inefficient delivery systems, untimely responses to customer inquiries, or violations of customer privacy expectations.
A bank's reputation can be damaged by Internet banking services that are poorly executed or otherwise alienate customers and the public. Well-designed marketing, including disclosures, is one way to educate potential customers and help limit reputation risk. Customers must understand what they can reasonably expect from a product or service and what special risks and benefits they incur when using the system. As such, marketing concepts need to be coordinated closely with adequate disclosure statements. A bank should not market its Internet banking system based on features or attributes the system does not have. The marketing program must present the product fairly and accurately.
National banks should carefully consider how connections to third parties are presented on their Web sites. Hypertext links are often used to enable a customer to link to a third party. Such links may reflect an endorsement of the third party's products or services in the eyes of the customer. It should be clear to the customer when they leave the bank's Web site so that there is no confusion about the provider of the specific products and services offered or the security and privacy standards that apply. Similarly, adequate disclosures must be made so that customers can distinguish between insured and non-insured products.
National banks need to be sure that their business continuity plans include the Internet banking business. Regular testing of the business continuity plan, including communications strategies with the press and public, will help the bank ensure it can respond effectively and promptly to any adverse customer or media reactions.
INTERNET SECURITY - Vulnerability assessment tools, also called security scanning tools, assess the security of network or host systems and report system vulnerabilities. These tools can scan networks, servers, firewalls, routers, and applications for vulnerabilities. Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies.
In evaluating a vulnerability assessment tool, management should consider how frequently the tool is updated to include the detection of any new weaknesses such as security flaws and bugs. If there is a time delay before a system patch is made available to correct an identified weakness, mitigating controls may be needed until the system patch is issued.
Generally, vulnerability assessment tools are not run in real time but on a periodic basis. When using the tools, it is important to ensure that the results of the scan are kept secure and provided only to authorized parties, since a scan report is itself a list of the institution's weaknesses. The tools can generate both technical and management reports, including text, charts, and graphs. The vulnerability assessment reports can tell a user what weaknesses exist and how to fix them. Some tools can automatically fix vulnerabilities after detection.
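As an added illustration of the checks described above (not code from this newsletter or from any regulator or scanning product), a small Python sketch of what a vulnerability assessment tool does on a periodic run: compare installed versions against known-flaw advisories, flag settings contrary to a security policy, note where no patch is available yet so a mitigating control is needed, and warn when the tool's own checks are out of date. All products, versions, advisory ids, hosts and policy values are constructed sample data.

```python
from datetime import date

# Constructed sample input: hypothetical products, hosts, advisories and policy values.
CHECKS_UPDATED = date(2000, 3, 1)  # when the tool's vulnerability checks were last updated
MAX_CHECK_AGE_DAYS = 30            # assumed policy: older checks are reported as stale
SCAN_DATE = date(2000, 4, 2)       # date of this periodic scan run

# Known flaws: versions below "fixed_in" are vulnerable; with no vendor patch yet, the
# finding carries the mitigating control to apply until the patch is issued.
ADVISORIES = [
    {"id": "ADV-EX-1", "product": "webserver", "fixed_in": (2, 4),
     "patch_available": True, "mitigation": "apply vendor patch"},
    {"id": "ADV-EX-2", "product": "ftpd", "fixed_in": (1, 9),
     "patch_available": False, "mitigation": "block inbound FTP at the firewall until patched"},
]
# Settings contrary to the institution's (assumed) security policy; a missing setting fails.
POLICY = {
    "telnet_enabled": lambda v: v is False,
    "min_password_length": lambda v: isinstance(v, int) and v >= 8,
}
HOSTS = [  # constructed host inventory, as a scanner would collect it
    {"name": "web1", "software": {"webserver": "2.3.1"},
     "settings": {"telnet_enabled": False, "min_password_length": 8}},
    {"name": "ftp1", "software": {"ftpd": "1.8", "webserver": "2.4"},
     "settings": {"telnet_enabled": True, "min_password_length": 6}},
]

def parse_version(text):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split("."))

def scan_host(host):
    """Return (finding_id, description, remediation) tuples for one host record."""
    findings = []
    for adv in ADVISORIES:  # 1. known software flaws
        ver = host["software"].get(adv["product"])
        if ver is not None and parse_version(ver) < adv["fixed_in"]:
            status = "patch available" if adv["patch_available"] else "NO PATCH YET"
            findings.append((adv["id"], f"{adv['product']} {ver} vulnerable ({status})", adv["mitigation"]))
    for key, ok in POLICY.items():  # 2. settings contrary to policy
        value = host["settings"].get(key)
        if not ok(value):
            findings.append(("POLICY", f"{key}={value!r} violates security policy", f"set {key} per policy"))
    return findings

def run_scan(hosts, scan_date=SCAN_DATE):
    """Periodic scan over all hosts; the resulting report goes only to authorized readers."""
    stale = (scan_date - CHECKS_UPDATED).days > MAX_CHECK_AGE_DAYS
    per_host = {h["name"]: scan_host(h) for h in hosts}
    return {"checks_stale": stale, "hosts": per_host, "total_findings": sum(len(f) for f in per_host.values())}
```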
INTERNET COMPLIANCE - FFIEC's comments on the role of the Compliance Officer are:
When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services. Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk. The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan. This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements. For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to test the system for regulatory compliance.
Compliance officers will need to review their existing compliance policies and procedures and make appropriate modifications based upon the types of products, services, and operating features of the institution's online system. The compliance program may not need to be revamped, but merely extended to address the new level of technology employed by the institution. Staff should be trained and a monitoring system implemented to review continually the content and operation of the online programs to prevent inadvertent or unauthorized changes that may affect compliance with the regulations.
Management should review and revise the institution's electronic financial services as the regulatory environment changes and electronic delivery mechanisms evolve. This will help to ensure that the institution maintains an effective compliance program.
IN CLOSING - As we ride the learning curve of Internet compliance, we will continue to keep you informed of our findings. We would appreciate you keeping us aware of what the field examiners are saying when they review your bank's web site. Together, we can take a proactive approach to ensuring Internet compliance.