May 14, 2000
FYI - The NCUA has issued an Identity Theft Prevention bulletin, which you will find at
FYI - In response to the Children's Online Privacy Protection Act of 1998, we would recommend that the following statement or a similar statement be included in your terms and conditions statement: "We do not knowingly solicit data from children, and we do not knowingly market to children. We recognize that protecting children's identities and privacy online is important and that the responsibility to do so rests with both the online industry and with parents."
FYI - The FRB, the FDIC, the OCC, and the OTS jointly announced their request for comment on a proposed rule implementing section 711, CRA Sunshine Requirements, of the recently enacted Gramm-Leach-Bliley Act. Notice posting will be allowed on the Internet.
FYI - Application by UMB Bank, National Association, Kansas City, Missouri to expand the activities in an existing operating subsidiary by investing in an entity to be known as eScout.com LLC.
FYI - The OTS has approved a federal thrift charter for Marsh & McLennan Companies, Inc. to form an Internet-only thrift, @Bank, to be located in Framingham, Mass. It will be the eighth Internet bank chartered by OTS.
A related article about brokerage houses entering the banking business can be found at
INTERNET SECURITY - Over the next few weeks, we will share the FDIC's December 1997 paper "Security Risks Associated with the Internet." This week we will cover the FDIC's comments regarding Data Privacy and Confidentiality, and Data Integrity. Next week we will cover Authentication, Non-repudiation, and Access Control/System Design.
The Internet is inherently insecure. By design, it is an open network which facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise.
1) Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords.
Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.
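The "sniffer" programs described above do not read every packet by hand; they pattern-match the cleartext for the handful of data types an attacker wants. The script below is an added example (not part of the FDIC paper or this newsletter) of that collection logic, run over a constructed capture of two unencrypted HTTP/1.0 form posts to a fictitious bank host. It pulls out Luhn-valid card numbers (so that an order number made of 16 digits is rejected) and password-type form fields. The host name, field names and values are invented for the example; the same scan is also what a defender would run against a packet capture to confirm that nothing sensitive is still travelling in the clear.

```python
import re
from urllib.parse import parse_qs

# Constructed sample capture: two cleartext HTTP/1.0 POST requests, as a
# passive observer on the path would see them. Not real traffic.
CAPTURE = """\
POST /login HTTP/1.0
Host: www.example-bank.invalid
Content-Type: application/x-www-form-urlencoded

user=jsmith&password=Summer2000&remember=1
POST /transfer HTTP/1.0
Host: www.example-bank.invalid
Content-Type: application/x-www-form-urlencoded

from_acct=4111-1111-1111-1111&to_acct=5500000000000004&amount=250.00&memo=order+1234567890123456
"""

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Form field names treated as secrets (assumed list for the example).
SECRET_FIELDS = {"password", "passwd", "pwd", "pin", "ssn"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out
    look-alike digit runs such as order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in cleartext, separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_credentials(text: str) -> list:
    """Return (field, value) pairs for secret-looking fields in
    application/x-www-form-urlencoded bodies (and cookie-style headers)."""
    hits = []
    for line in text.splitlines():
        if "=" not in line:
            continue  # request line, header without parameters, or blank
        for field, values in parse_qs(line, keep_blank_values=True).items():
            if field.lower() in SECRET_FIELDS:
                hits.extend((field, v) for v in values)
    return hits


def scan_capture(text: str) -> dict:
    """Everything a sniffer placed on this path would have collected."""
    return {"cards": find_card_numbers(text), "credentials": find_credentials(text)}


if __name__ == "__main__":
    for kind, items in scan_capture(CAPTURE).items():
        print(kind, items)
```

Nothing in the capture had to be decrypted: the account numbers and the password are simply present in the bytes on the wire, which is the whole of the risk the paper describes. Terminating the session in TLS (or, for 2000-era mail, encrypting the message body) makes the same scan return nothing.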
2) Data Integrity
Potentially, the open architecture of the Internet can allow those with specific knowledge and tools to alter or modify data during a transmission. Data integrity could also be compromised within the data storage system itself, both intentionally and unintentionally, if proper access controls are not maintained. Steps must be taken to ensure that all data is maintained in its original or intended form.
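One concrete way to "ensure that all data is maintained in its original or intended form" across an untrusted network is to attach a keyed message authentication code to each record. The script below is an added example, not the FDIC's or this newsletter's own material, contrasting an unkeyed SHA-256 checksum with an HMAC-SHA256 tag over a constructed transfer instruction. The shared key, record fields and sequence number are assumptions for the illustration; the key is presumed to have been exchanged out of band.

```python
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Deterministic byte form so sender and receiver hash identical input."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum_record(record: dict) -> dict:
    """Unkeyed integrity check: anyone on the path can recompute it."""
    return {"record": record, "checksum": hashlib.sha256(canonical(record)).hexdigest()}


def verify_checksum(envelope: dict) -> bool:
    expected = hashlib.sha256(canonical(envelope["record"])).hexdigest()
    return hmac.compare_digest(expected, envelope["checksum"])


def tag_record(key: bytes, record: dict) -> dict:
    """Keyed integrity check (HMAC-SHA256): forging a tag requires the key."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_tag(key: bytes, envelope: dict) -> bool:
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])  # constant-time compare


def alter_in_transit(envelope: dict, **changes) -> dict:
    """Simulated active attacker: change fields, recompute any unkeyed
    checksum (trivial), and leave a keyed tag untouched (no key to redo it)."""
    altered = dict(envelope, record=dict(envelope["record"], **changes))
    if "checksum" in altered:
        altered["checksum"] = hashlib.sha256(canonical(altered["record"])).hexdigest()
    return altered


def demo(key: bytes = b"shared-secret-from-out-of-band-setup") -> dict:
    # Constructed transfer instruction (assumed fields). The sequence number
    # lets the receiver reject a replayed copy of an otherwise valid message.
    transfer = {"seq": 1041, "from": "0123456789", "to": "9876543210", "amount": "250.00"}

    with_checksum = checksum_record(transfer)
    with_tag = tag_record(key, transfer)
    return {
        "checksum_honest": verify_checksum(with_checksum),
        "checksum_tampered": verify_checksum(alter_in_transit(with_checksum, amount="25000.00")),
        "tag_honest": verify_tag(key, with_tag),
        "tag_tampered": verify_tag(key, alter_in_transit(with_tag, amount="25000.00")),
        "tag_wrong_key": verify_tag(b"guess", with_tag),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:18s} verifies: {passed}")
```

The tampered checksum envelope still verifies, because the attacker who changed the amount also recomputed the hash; only the keyed tag makes the modification detectable. Note what the tag does not do: it neither hides the record (confidentiality is a separate control, covered in the previous section) nor stops a capture from being resent, which is why the record carries a sequence number the receiver must track.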
INTERNET COMPLIANCE - Disclosures/Notices - Several consumer regulations provide for disclosures and/or notices to consumers. The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means. The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s).
Disclosures are generally required to be "clear and conspicuous." Therefore, the compliance officer should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected. A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.
PRIVACY STATEMENT - The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision today approved the issuance of final regulations implementing the provisions of the Gramm-Leach-Bliley Act governing the privacy of consumer financial information.
IN CLOSING - The next publication of the "Internet Banking News" will be May 28. I am traveling to Kansas City to celebrate my 17-year-old son's high school graduation. Then I am off to Denver to give a presentation at the State Conference of Bank Supervisors' regulatory forum about compliance on the Internet and Internet security.
Have a wonderful two weeks,