April 8, 2001
FYI - Suspicious Activity Reports and the Internet
A financial institution should report on a SAR any activity that
appears to be in violation of the federal computer crime law, 18 U.S.C.
Sec. 1030 (Fraud and Related Activity in Connection with Computers). In
1997, the Federal Bureau of Investigation, working with FDIC staff, other
federal banking agency representatives and other federal law enforcement
agencies, developed guidance for reporting: http://www.fdic.gov/news/news/financial/1997/fil97124.html#attach
INTERNET COMPLIANCE - "Member FDIC" Logo - When is it
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain the
official advertising statement unless the advertisement is subject to
exceptions such as advertisements for loans, securities, trust services
and/or radio or television advertisements that do not exceed thirty
Whether subsidiary web pages require the official advertising statement
will depend upon the content of the particular page. Subsidiary web pages
that advertise deposits must contain the official advertising statement.
Conversely, subsidiary web pages that relate to loans do not require the
official advertising statement.
INTERNET SECURITY - We continue our review of the FFIEC press release
"Risk Management of Outsourced Technology Services."
Service Provider Oversight
Institutions should implement an oversight program to monitor each
service provider's controls, condition, and performance. Responsibility
for the administration of the service provider relationship should be
assigned to personnel with appropriate expertise to monitor and manage the
relationship. The number of personnel, functional responsibilities, and
the amount of time devoted to oversight activities will depend, in part,
on the scope and complexity of the services outsourced. Institutions
should document the administration of the service provider relationship.
Documenting the process is important for contract negotiations,
termination issues, and contingency planning.
The board of directors and management are responsible for ensuring
adequate risk mitigation practices are in place for effective oversight
and management of outsourcing relationships. Financial institutions should
incorporate an outsourcing risk management process that includes a risk
assessment to identify the institution's needs and requirements; proper
due diligence to identify and select a provider; written contracts that
clearly outline duties, obligations and responsibilities of the parties
involved; and ongoing oversight of outsourcing technology services.