July 1, 2001
FYI - Joint agency interpretation of Board's Regulation P (Privacy of
Consumer Financial Information). www.federalreserve.gov/boarddocs/legalint/privacy/2001/20010525/default.htm
INTERNET COMPLIANCE - Electronic Fund Transfer Act (Regulation E)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the requirements of
the Electronic Fund Transfer Act and Regulation E apply. A transaction
involving stored value products is covered by Regulation E when the
transaction accesses a consumer's account (such as when value is
"loaded" onto the card from the consumer's deposit account at an
electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may keep.
An interim rule was issued on March 20, 1998 that allows depository
institutions to satisfy the requirement to deliver by electronic
communication any of these disclosures and other information required by
the act and regulations, as long as the consumer agrees to such method of
Financial institutions must ensure that consumers who sign up for a new
banking service are provided with disclosures for the new service if the
service is subject to terms and conditions different from those described
in the initial disclosures. Although not specifically mentioned in the
commentary, this applies to all new banking services including electronic
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers initiated
online. Specifically, OSC regulations provide that, because the term
"electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt when
a consumer initiates a transfer by a means analogous in function to a
telephone, such as by a personal computer or a facsimile machine.
Additionally, the regulations clarify that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly authenticated
by the consumer, such as through the use of a security code. According to
the OSC, an example of a consumer's authorization that is not in the form
of a signed writing but is, instead, "similarly authenticated,"
is a consumer's authorization via a home banking system. To satisfy the
regulatory requirements, the institution must have some means to identify
the consumer (such as a security code) and make a paper copy of the
authorization available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or other
visual display that enables the consumer to read the communication from
the institution. Only the consumer may authorize the transfer and not, for
example, a third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a consumer's
liability. A financial institution may receive correspondence through an
electronic medium concerning an unauthorized transaction, loss, or theft
of an access device. Therefore, the institution should ensure that
controls are in place to review these notifications and also to ensure
that an investigation is initiated as required.
INTERNET SECURITY - We continue the series from the FDIC "Security
Risks Associated with the Internet." Over the next few weeks, this
series will discuss the primary technical and procedural security measures
necessary to properly govern access control and system security.
System Architecture and Design
Measures to address access control and system security start with the
appropriate system architecture. Ideally, if an Internet connection is to
be provided from within the institution, or a Web site established, the
connection should be entirely separate from the core processing system. If
the Web site is placed on its own server, there is no direct connection to
the internal computer system. However, appropriate firewall technology may
be necessary to protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other
servers provides an added measure of protection, because requests could be
segregated and routed to a particular server (such as a financial
information server or a public information server). However, some systems
may be considered so critical that they should be completely isolated from all
other systems or networks. Security can also be enhanced by sending
electronic transmissions from external sources to a machine that is not
connected to the main operating system.
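The segregation described above can be checked mechanically. The following is an added example, not part of the FDIC text: it models a screening router's first-match rule list and audits it for any rule that opens a path to the core processing system. The zone names, address ranges, ports and rules are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): the server groups the passage names.
ZONES = {
    "public_web": ipaddress.ip_network("192.0.2.16/28"),
    "financial_info": ipaddress.ip_network("192.0.2.32/28"),
    "core": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed screening-router rules, first match wins:
# (action, source zone, destination zone, port or None for any port)
ACL = [
    ("permit", "any", "public_web", 80),
    ("permit", "any", "financial_info", 443),
    ("permit", "public_web", "core", 1433),  # convenience rule that breaks the separation
    ("deny", "any", "any", None),
]
# Corrected rule list: the Web servers have no route to core processing.
HARDENED = [rule for rule in ACL if rule[2] != "core"]

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def decide(acl, src_ip, dst_ip, port):
    """Return the action of the first rule matching the request (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for action, r_src, r_dst, r_port in acl:
        if r_src in ("any", src) and r_dst in ("any", dst) and r_port in (None, port):
            return action
    return "deny"

def audit(acl):
    """List permit rules that would allow any traffic into the core zone."""
    return [r for r in acl if r[0] == "permit" and r[2] in ("any", "core")]

if __name__ == "__main__":
    for name, acl in (("original", ACL), ("hardened", HARDENED)):
        print(name, "core-facing permits:", audit(acl))
        print(" web -> core:", decide(acl, "192.0.2.20", "10.10.1.5", 1433))
```

Running the audit against a router's exported rule list before each change shows whether the Web tier is still separate from core processing.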