June 25, 2000
BULLETIN - A civil lawsuit is accusing Wells Fargo & Co. of using the Internet to discriminate against minorities and encourage racial segregation. Other lawsuits are expected to be filed.
FYI - The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision jointly requested comment on a proposed rule establishing standards for safeguarding confidential customer information. The proposed rule would implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA). Comments will be accepted until August 25, 2000.
FYI - The Federal Reserve Board published proposed revisions to the Regulation E (Electronic Fund Transfers) Official Staff Commentary, which applies and interprets the requirements of the regulation. Comments are due by August 31, 2000.
INTERNET SECURITY - The following topics represent comments from the FDIC paper "Security Risks Associated with the Internet."
Encryption, a technique of cryptography, is a method of converting information to an unintelligible code. The process can then be reversed, returning the information to an understandable form. The information is encrypted (encoded) and decrypted (decoded) using what are commonly referred to as "cryptographic keys." These "keys" are actually values used by a mathematical algorithm to transform the data. The effectiveness of encryption technology is determined by the strength of the algorithm, the length of the key, and the appropriateness of the encryption system selected for the job.
Because encryption renders information unreadable to any party without the ability to decrypt it, the information remains private and confidential, whether being transmitted or stored on a system. Unauthorized parties will see nothing but an unorganized assembly of characters. Encryption by itself does not prove that data is unaltered, however; assurance of data integrity comes from algorithms and modes designed to detect forgery and tampering, such as message authentication codes, digital signatures and authenticated encryption. The ability of the technology to protect the information requires that the encryption and decryption keys be properly managed by authorized parties.
2) Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and asymmetric. With a symmetric key system (also known as a secret key or private key system), all parties share the same key. That key is used both to encrypt and to decrypt messages, and it must be kept secret or the security is compromised. For the parties to share the same key, there has to be a way to distribute it securely to each of them. While this can be done, the security controls necessary make this system impractical for widespread and commercial use on an open network like the Internet. Asymmetric key systems can solve this problem.
In an asymmetric key system (also known as a public key system), two keys are used. One key is kept secret, and therefore is referred to as the "private key." The other key is made widely available to anyone who wants it, and is referred to as the "public key." The private and public keys are mathematically related so that information encrypted with the public key can only be decrypted by the corresponding private key, and a transformation applied with the private key (a digital signature) can only be checked with the corresponding public key. The private key is typically specific to a party or computer system. Therefore, the sender of a message can be authenticated as the private key holder by anyone verifying the message with that sender's public key, provided the public key was itself obtained from a trusted source. Importantly, for a properly chosen algorithm and key size it is computationally infeasible for the holder of a public key to derive the private key from it. The keys can be stored either on a computer or on a physically separate medium such as a smart card.
Regardless of the key system utilized, physical and logical controls must exist to protect the confidentiality of, and access to, the key(s). In addition, the key itself must be strong enough for the intended application. The appropriate encryption key may vary depending on how sensitive the transmitted or stored data is, with stronger keys utilized for highly confidential or sensitive data. Stronger encryption may also be necessary to protect data that is kept in an open environment, such as on a Web server, for long time periods, since an attacker has longer to work on it. For a given algorithm, the strength of a key rises with its length: the longer the key, the harder it is for high-speed computers to break the code by trying every possible value. Key length is not comparable across different algorithms, however, and a long key does not rescue a weak algorithm or a poorly managed key.
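The two key systems above, and the way an asymmetric system solves the key distribution problem, as an added example that is not part of the original newsletter or of the FDIC paper. It uses only Go's standard library: AES-256-GCM for the symmetric part (sender and recipient must already hold the same key), RSA-OAEP to carry a fresh symmetric key encrypted to the recipient's public key, and RSA-PSS so the recipient can authenticate the sender with the sender's public key. The party names, the Envelope structure and the sample message are constructed for the example; nothing here comes from the FDIC text.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a raw key (32 bytes gives AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricSeal is the symmetric (secret key) case: both parties must already
// share the same key. Output layout is nonce || ciphertext || GCM tag.
func SymmetricSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricOpen reverses SymmetricSeal. Because GCM authenticates, a wrong key
// or a tampered byte is reported as an error instead of returned as garbage.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Envelope is a constructed message format for this example.
type Envelope struct {
	WrappedKey []byte // fresh AES key, RSA-OAEP encrypted to the recipient's public key
	Sealed     []byte // SymmetricSeal output
	Signature  []byte // RSA-PSS over Sealed, made with the sender's private key
}

// HybridSeal is the asymmetric answer to key distribution: only a fresh symmetric
// key travels, protected by the recipient's public key, and the sender's private
// key signs the ciphertext so the recipient can authenticate who sent it.
func HybridSeal(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	sealed, err := SymmetricSeal(key, msg)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(sealed)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Sealed: sealed, Signature: sig}, nil
}

// HybridOpen checks the signature with the sender's public key first, then
// unwraps the symmetric key with the recipient's private key; only the holder
// of that private key can read the message.
func HybridOpen(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	digest := sha256.Sum256(env.Sealed)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender authentication failed: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not the intended recipient: %w", err)
	}
	return SymmetricOpen(key, env.Sealed)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender (constructed party)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient (constructed party)
	env, err := HybridSeal(alice, &bob.PublicKey, []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	out, err := HybridOpen(bob, &alice.PublicKey, env)
	fmt.Printf("recovered=%q err=%v\n", out, err)
}
```

Verifying before decrypting matters: a recipient that decrypts first does work on behalf of an unauthenticated sender. Substituting a third party's public key for the sender's makes HybridOpen fail, which is the "authenticated as the private key holder" point in the text, and it also shows why the recipient must trust where the sender's public key came from.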
INTERNET COMPLIANCE - If you accept applications on your web site or make credit applications available on your web site, you need to comply with Regulation B and may need to provide the following notifications.
(a) Notification of action taken, ECOA notice, and statement of specific reasons.--(1) When notification is required. A creditor shall notify an applicant of action taken within:
(i) 30 days after receiving a completed application concerning the creditor's approval of, counteroffer to, or adverse action on the application;
(ii) 30 days after taking adverse action on an incomplete application, unless notice is provided in accordance with paragraph (c) of this section;
(iii) 30 days after taking adverse action on an existing account; or
(iv) 90 days after notifying the applicant of a counteroffer if the applicant does not expressly accept or use the credit offered.
(2) Content of notification when adverse action is taken. A notification given to an applicant when adverse action is taken shall be in writing and shall contain: a statement of the action taken; the name and address of the creditor; a statement of the provisions of section 701(a) of the act; the name and address of the federal agency that administers compliance with respect to the creditor; and either:
(i) A statement of specific reasons for the action taken; or
(ii) A disclosure of the applicant's right to a statement of specific reasons within 30 days, if the statement is requested within 60 days of the creditor's notification. The disclosure shall include the name, address, and telephone number of the person or office from which the statement of reasons can be obtained. If the creditor chooses to provide the reasons orally, the creditor shall also disclose the applicant's right to have them confirmed in writing within 30 days of receiving a written request for confirmation from the applicant.
(3) Notification to business credit applicants. For business credit, a creditor shall comply with the requirements of this paragraph in the following manner:
(i) With regard to a business that had gross revenues of $1,000,000 or less in its preceding fiscal year (other than an extension of trade credit, credit incident to a factoring agreement, or other similar types of business credit), a creditor shall comply with paragraphs (a)(1) and (2) of this section, except that:
(A) The statement of the action taken may be given orally or in writing, when adverse action is taken;
(B) Disclosure of an applicant's right to a statement of reasons may be given at the time of application, instead of when adverse action is taken, provided the disclosure is in a form the applicant may retain and contains the information required by paragraph (a)(2)(ii) and the ECOA notice specified in paragraph (b)(1) of this section;
(C) For an application made solely by telephone, a creditor satisfies the requirements of this paragraph by an oral statement of the action taken and of the applicant's right to a statement of reasons for adverse action.
(b) Form of ECOA notice and statement of specific reasons.--(1) ECOA notice. To satisfy the disclosure requirements the creditor shall provide a notice that is substantially similar to the following:
The federal Equal Credit Opportunity Act prohibits creditors from discriminating against credit applicants on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to enter into a binding contract); because all or part of the applicant's income derives from any public assistance program; or because the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The federal agency that administers compliance with this law concerning this creditor is (name and address as specified by the appropriate agency listed in appendix A of this regulation).
(2) Statement of specific reasons. The statement of reasons for adverse action required by the regulation must be specific and indicate the principal reason(s) for the adverse action. Statements that the adverse action was based on the creditor's internal standards or policies or that the applicant failed to achieve the qualifying score on the creditor's credit scoring system are insufficient.
(c) Incomplete applications.--(1) Notice alternatives. Within 30 days after receiving an application that is incomplete regarding matters that an applicant can complete, the creditor shall notify the applicant either:
(i) Of action taken, in accordance with paragraph (a) of this section; or
(ii) Of the incompleteness, in accordance with paragraph (c)(2) of this section.
(2) Notice of incompleteness. If additional information is needed from an applicant, the creditor shall send a written notice to the applicant specifying the information needed, designating a reasonable period of time for the applicant to provide the information, and informing the applicant that failure to provide the information requested will result in no further consideration being given to the application. The creditor shall have no further obligation under this section if the applicant fails to respond within the designated time period. If the applicant supplies the requested information within the designated time period, the creditor shall take action on the application and notify the applicant in accordance with the regulation.