June 11, 2000
FYI - The Office of the Comptroller of the Currency issued guidance today stressing the importance of regularly validating the computer-based financial models that are used to help with decision-making on a range of important activities at banks.
Press Release http://www.occ.treas.gov/ftp/release/2000-38.txt
FYI - I have attached a series of questions and answers (Qs & As) prepared by the Department of Housing and Urban Development Office of General Counsel. The Qs & As were prepared in response to questions received from the Massachusetts Bankers Association relating to the HUD-1 settlement statement.
Press release http://www.occ.treas.gov/ftp/advisory/2000-5.txt
FYI - At the ABA Compliance Conference, conversation with bank examiners indicated that one of the problems they are seeing on web sites is failure to indicate the meaning of the abbreviations APY and APR. If you use APY or APR, be certain to indicate "Annual Percentage Yield" or "Annual Percentage Rate" respectively.
INTERNET SECURITY - The following topics represent potential areas of vulnerability related to access control and system design.
1) System Architecture and Design
The Internet can facilitate unchecked and/or undesired access to internal systems, unless systems are appropriately designed and controlled. Unwelcome system access could be achieved through IP spoofing techniques, where an intruder may impersonate a local or internal system and be granted access without a password. If access to the system is based only on an IP address, any user could gain access by masquerading as a legitimate, authorized user by "spoofing" the user's address. Not only could any user of that system gain access to the targeted system, but so could any system that it trusts.
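As an added illustration (not part of the original newsletter), the following script models the trust-transitivity point above: each host admits certain source addresses without a password, so forging one trusted address reaches every host that trusts it, and from there every host that trusts those. The host names, addresses and trust table are constructed for the example.

```python
"""Blast radius of address-based trust (constructed example, not real hosts)."""
from collections import deque

# Constructed trust table: host -> source addresses it admits without a password.
TRUST = {
    "web-server": {"10.0.1.20"},                # trusts the app server
    "app-server": {"10.0.1.30", "10.0.1.40"},   # trusts db and batch hosts
    "db-server":  {"10.0.1.40"},                # trusts the batch host
    "batch-host": set(),                         # trusts nobody
    "admin-ws":   {"10.0.1.10", "10.0.1.20"},   # trusts web and app servers
}
# Constructed address of each host (what a spoofer would forge).
ADDRESS = {
    "web-server": "10.0.1.10",
    "app-server": "10.0.1.20",
    "db-server":  "10.0.1.30",
    "batch-host": "10.0.1.40",
    "admin-ws":   "10.0.1.50",
}


def hosts_trusting(addr):
    """Hosts that grant password-less access to packets claiming source `addr`."""
    return {host for host, peers in TRUST.items() if addr in peers}


def blast_radius(spoofed_addr):
    """Every host reachable when `spoofed_addr` is forged.

    A host reached this way becomes a launch point whose own address is now
    presented, so the search follows the trust graph transitively (BFS).
    """
    reached, queue, seen = set(), deque([spoofed_addr]), {spoofed_addr}
    while queue:
        addr = queue.popleft()
        for host in hosts_trusting(addr):
            if host in reached:
                continue
            reached.add(host)
            if ADDRESS[host] not in seen:
                seen.add(ADDRESS[host])
                queue.append(ADDRESS[host])
    return reached


def riskiest_addresses():
    """Rank addresses by how many hosts fall if they are spoofed, so the trust
    relationships most worth replacing with real authentication come first."""
    ranked = [(addr, len(blast_radius(addr))) for addr in ADDRESS.values()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))
```

Spoofing the batch host's address (which nobody would think of as sensitive) reaches four of the five hosts, which is the kind of finding that justifies replacing address-only trust with authenticated access.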
Improper access can also result from other technically permissible activities that have not been properly restricted or secured. For example, application layer protocols are the standard sets of rules that determine how computers communicate across the Internet. Numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are utilized on the Internet. The most familiar, Hypertext Transfer Protocol (HTTP), facilitates the movement of text and images. But other types of protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers. The Telnet protocol actually enables one computer to log in to another. Protocols such as FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture.
The open architecture of the Internet also makes it easy for system attacks to be launched against systems from anywhere in the world. Systems can even be accessed and then used to launch attacks against other systems. A typical attack would be a denial of service attack, which is intended to bring down a server, system, or application. This might be done by overwhelming a system with so many requests that it shuts down. Or, an attack could be as simple as accessing and altering a Web site, such as changing advertised rates on certificates of deposit.
2) Security Scanning Products
A number of software programs exist which run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet.
INTERNET COMPLIANCE - Listing of any deposit rate information on your web site falls under Truth in Savings. The purpose of the regulation is to require the clear and uniform disclosure of:
1) the rates of interest which are payable on deposit accounts by depository institutions; and
2) the fees that are assessable against deposit accounts, so that consumers can make a meaningful comparison between the competing claims of depository institutions with regard to deposit accounts.
In general ... each advertisement, announcement, or solicitation initiated by any depository institution or deposit broker relating to any demand or interest-bearing account offered by an insured depository institution which includes any reference to a specific rate of interest payable on amounts deposited in such account, or to a specific yield or rate of earnings on amounts so deposited, shall state the following information, to the extent applicable, in a clear and conspicuous manner:
1) The annual percentage yield.
2) The period during which such annual percentage yield is in effect.
3) All minimum account balance and time requirements which must be met in order to earn the advertised yield (and, in the case of accounts for which more than 1 yield is stated, each annual percentage yield and the account minimum balance requirement associated with each such yield shall be in close proximity and have equal prominence).
4) The minimum amount of the initial deposit which is required to open the account in order to obtain the yield advertised, if such minimum amount is greater than the minimum balance necessary to earn the advertised yield.
5) A statement that regular fees or other conditions could reduce the yield.
6) A statement that an interest penalty is required for early withdrawal.
Misleading Descriptions of Free or No-Cost Accounts Prohibited - No advertisement, announcement, or solicitation made by any depository institution or deposit broker may refer to or describe an account as a free or no-cost account (or words of similar meaning) if:
1) in order to avoid fees or service charges for any period
A) a minimum balance must be maintained in the account during such period; or
B) the number of transactions during such period may not exceed a maximum number; or
2) any regular service or transaction fee is imposed.
Misleading or Inaccurate Advertisements, Etc., Prohibited - No depository institution or deposit broker shall make any advertisement, announcement, or solicitation relating to a deposit account that is inaccurate or misleading or that misrepresents its deposit contracts.
We recommend that any web page listing any deposit rate information be linked to Your Bank's Truth in Savings statement.
PRIVACY STATEMENT - The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly adopted the attached final rule on the privacy of consumers' financial information. The rule takes effect on November 13, 2000, but financial institutions have until July 1, 2001, to be in mandatory compliance with the regulation.
IN CLOSING - I would like to thank the American Bankers Association for inviting me to speak at their compliance conference held this past week. I met a lot of new friends and look forward to being of service. My special thanks to Andy Zavoina with First National Bank of Killeen, Texas for his introduction at the presentation I gave about Internet Compliance and Internet Security.