April 29, 2001
FYI - April 23, 2001 - Remarks by Julie L. Williams, 1st Senior Deputy Comptroller and Chief Counsel, OCC, Before the American Banker's 2nd Account Aggregation Conference - "The Impact of Aggregation on the Financial Services Industry"
FYI - April 24, 2001 - OCC Advises Banks to Ensure Information Systems Security is Maintained - The Office of the Comptroller of the Currency today issued an alert outlining steps that national banks should take to protect and maintain network security.
Press release http://www.occ.treas.gov/ftp/release/2001-40.txt
INTERNET COMPLIANCE - This is the first of two comments regarding the Electronic Fund Transfer Act (Regulation E).
Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
INTERNET SECURITY - We begin a new series from the FDIC "Security Risks Associated with the Internet." While this Financial Institution Letter was published in December 1997, the issues still are relevant.
This FDIC paper alerts financial institutions to the fundamental technological risks presented by use of the Internet. Regardless of whether systems are maintained in-house or services are outsourced, bank management is responsible for protecting systems and data from compromise.
The Internet is inherently insecure. By design, it is an open network which facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise. Five areas of concern relating to both transactional and system security issues, as discussed below, are: Data Privacy and Confidentiality, Data Integrity, Authentication, Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords.
Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.
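The exposure described above (account numbers and passwords travelling in the clear) is something an IS audit can check for by inspecting a capture of the bank's own unencrypted traffic. The following is an added illustration, not part of the FDIC letter: it parses a constructed plain-HTTP form submission, flags credential fields and Luhn-valid account numbers, and reports them masked so the audit log does not itself become a second copy of the data. The field names, hostname and numbers are made up test values.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what a sniffer on the path would see when a banking
# form is submitted over plain HTTP (no TLS). Values are test data, not real.
CAPTURED_REQUEST = (
    "POST /login?acct=4012888888881881 HTTP/1.0\r\n"
    "Host: bank.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=jdoe&password=hunter2&card=4111111111111111&note=order-1234"
)

# Hypothetical list of parameter names that should never cross the wire unencrypted.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pin", "secret"}

def luhn_valid(digits):
    """Mod-10 check used by card numbers and many account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(name, value):
    """Return a (kind, field, masked value) finding, or None if the field is harmless."""
    if name.lower() in CREDENTIAL_FIELDS:
        return ("credential", name, "[redacted]")   # never echo the secret itself
    digits = re.sub(r"\D", "", value)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return ("account_number", name, "*" * (len(digits) - 4) + digits[-4:])
    return None                                     # e.g. "order-1234" is too short

def find_cleartext_exposures(raw):
    """Scan the query string and body of one captured HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    target = request_line.split(" ")[1] if " " in request_line else ""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [f for f in (classify(n, v) for n, v in pairs) if f]
```

Any finding means the form should be served and submitted over TLS only; the masked report is what goes into the audit workpapers.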
PRIVACY CLIENTS - On a recent IS audit, we discovered the bank's trial balances for deposits and loans in the outside trash containers. While this could be a privacy issue, it is certainly a reputation concern. The problem involved was that the shredder only handles a few papers at a time and the person responsible for shredding thought it was easier to throw the documents in the trash for the city to pick up.