May 20, 2001
FYI - The Federal Reserve Board requests public comment on how the Board's regulations may be adapted to online banking and lending. Comments are due by August 20, 2001.
FYI - The Federal Reserve Board today announced the availability of a new video "Identity Theft: Protect Yourself." The 15-minute video explains how easily someone can obtain your personal financial information and unlawfully use that information to obtain credit or other financial information under your name.
FYI - On April 24, 2001, the Department of the Treasury's Office of Foreign Assets Control (OFAC) amended its listing of specially designated nationals and blocked persons to include the names of additional Specially Designated Narcotics Traffickers.
INTERNET COMPLIANCE - Truth in Lending Act (Regulation Z)
The commentary to Regulation Z was amended recently to clarify that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulation states that financial institutions may permit customers to call for (pick up) their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," which requires mailing or delivery of the statement not later than 14 days before the end of the grace period.
Provisions governing the advertising of credit products should be applied carefully to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have several options, but must ensure that the on-line advertising complies with the regulation. Where an on-line advertisement may be deemed to span more than a single page, the institution should follow the regulation's requirements for multiple-page advertisements.
INTERNET SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet." Although this Financial Institution Letter was published in December 1997, the issues are still relevant.
Logical Access Controls
A primary concern in controlling system access is the safeguarding of user IDs and passwords. The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism.
The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder.
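The paragraph above warns that passwords derived from a user's own personal information (name, user ID, e-mail address, phone number, street address) are the first thing an attacker's password-generating software will try. One defensive control is to refuse such passwords at enrolment or password-change time. The following is an added example written for this page, not code from the newsletter or from the FDIC letter it summarizes; the `UserProfile` fields, the digit-for-letter substitution map and the sample customer record are all constructed for illustration.

```python
"""Reject passwords derived from a user's own personal data.

Added example (not from the newsletter or the FDIC letter): an enrolment-time
check that a candidate password does not embed the user's name, user ID,
e-mail address, phone number or street address, or simple disguises of them
(reversal, common digit-for-letter substitutions). The profile fields and the
sample values in the usage section are constructed for illustration.
"""
import re
from dataclasses import dataclass

MIN_LENGTH = 12   # minimum password length enforced by this hypothetical policy
MIN_TOKEN = 4     # ignore fragments shorter than this to limit false positives

# Heuristic "leet" substitutions undone before comparison; mapping 1 -> i is a
# choice for this example, not a standard.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


@dataclass(frozen=True)
class UserProfile:
    """Personal data the institution already holds about the customer."""
    user_id: str
    full_name: str
    email: str
    phone: str
    address: str


def _normalize(text: str) -> str:
    """Lower-case and undo common substitutions so 'Sm1th' compares as 'smith'."""
    return text.lower().translate(_LEET)


def personal_tokens(profile: UserProfile) -> dict[str, str]:
    """Map each lower-cased fragment of personal data to the field it came from.

    Fragments shorter than MIN_TOKEN are dropped; the first field that
    produces a fragment keeps it, so 'smith' is attributed to full_name even
    though it also appears in the e-mail address.
    """
    tokens: dict[str, str] = {}

    def add(field: str, raw: str) -> None:
        frag = raw.lower()
        if len(frag) >= MIN_TOKEN:
            tokens.setdefault(frag, field)

    add("user_id", profile.user_id)
    for part in re.split(r"[\s\-'.]+", profile.full_name):
        add("full_name", part)
    local_part = profile.email.split("@", 1)[0]      # everything before '@'
    add("email", local_part)
    for part in re.split(r"[._\-+]+", local_part):
        add("email", part)
    for digit_run in re.findall(r"\d+", profile.phone):   # e.g. last four digits
        add("phone", digit_run)
    for part in re.split(r"[\s,.]+", profile.address):
        add("address", part)
    return tokens


def check_password(candidate: str, profile: UserProfile) -> list[str]:
    """Return the reasons a candidate password is rejected; empty means accepted."""
    reasons: list[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Compare both the plain lower-cased password and its de-leeted form.
    variants = {candidate.lower(), _normalize(candidate)}
    for token, field in personal_tokens(profile).items():
        for needle in (token, token[::-1]):           # forward and reversed
            if any(needle in v for v in variants):
                reasons.append(f"contains {field}-derived fragment {needle!r}")
                break
    return reasons


def is_acceptable(candidate: str, profile: UserProfile) -> bool:
    """Convenience wrapper: True only when no policy reason applies."""
    return not check_password(candidate, profile)


if __name__ == "__main__":
    # Constructed sample customer record (not real data).
    sample = UserProfile("jsmith", "John Smith", "john.smith@example.com",
                         "555-0123-4567", "42 Maple Street")
    for pw in ("Sm1thFamily2001!", "99htimsjPassword!", "MyPin4567Secure!",
               "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw, sample) or "accepted")
```

The check is deliberately a substring match on a small set of variants rather than a full cracking-dictionary run: it catches the derivations the paragraph describes (name plus digits, reversed user ID, last four phone digits, street name) at the cost of occasional false positives on common words such as "street", which a real policy would tune with a per-field allow-list.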
Security Flaws and Bugs / Active Content Languages
Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications.
Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.
PRIVACY STATEMENT - FDIC and the other federal bank regulatory agencies, acting through the FFIEC, have developed and approved examination procedures to review supervised financial institutions for compliance with the agencies' regulation on "Privacy of Consumer Financial Information."