July 2, 2000
FYI - The OCC, FDIC, OTS, & FRB are requesting comment on proposed information systems guidelines, which will require banks to (1) identify and assess the risks that may threaten customer information; (2) develop a written plan containing policies and procedures to manage and control these risks; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security.
OCC press release - http://www.occ.treas.gov/ftp/bulletin/2000-22.txt
The proposal - http://www.occ.treas.gov/ftp/regs/2000-22a.txt
FYI - "Internet banking has been somewhat slower to get off the ground, but I detect little resistance to the idea per se." Remarks by John D. Hawke, Jr., Comptroller of the Currency before the Stonier Graduate School of Banking.
FYI - The five federal financial institutions supervisory agencies, together with the Financial Crimes Enforcement Network (FinCEN), issued a newly revised Suspicious Activity Report (SAR) form. The revised form adds a check box for "Computer Intrusion" to Part III, "Suspicious Activity Information," in recognition of the need to obtain more specific information with regard to computer-related suspicious
For purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of websites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information.
FYI - FDIC Chairman Donna Tanoue announced the appointment of five senior officials in the Corporation's Division of Compliance and Consumer Affairs. We wish these individuals the best as they make decisions affecting the various Internet compliance issues.
FYI - The FDIC sent bankers an alert about potential problems identified in brokered deposit arrangements with San Clemente Securities, Inc., San Clemente, California. http://www.fdic.gov/news/news/press/2000/pr0046.html
FYI - The OCC has entered into a settlement with Providian National Bank that directs the bank to cease a number of unfair and deceptive practices and to pay at least $300 million to consumers harmed by those practices. At the same time, the San Francisco District Attorney entered into a similar agreement with Providian's parent, Providian Financial Corp.
INTERNET SECURITY - The following topics represent comments from the FDIC paper "Security Risks Associated with the Internet."
1) Digital Signatures
Digital signatures authenticate the identity of a sender through the sender's private cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and singularly unique signatures results in a transmission that cannot be repudiated.
Digital signatures can be applied to any data transmission, including e-mail. To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a unique character representation of the data). This process is known as the "hash." The message digest is then encrypted with the sender's private key and sent along with the message. The recipient receives both the message and the encrypted message digest. The recipient decrypts the message digest with the sender's public key, and then runs the message through the hash function again. If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified. Because the message digest was encrypted with a private key, the sender can be identified and bound to the specific message. The digital signature cannot be reused, because it is unique to the message. In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself. The strength and security of a digital signature system is determined by its implementation and the management of the cryptographic keys.
2) Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to further address the issues of authentication, non-repudiation, data privacy, and cryptographic key management. A certificate authority (CA) is a trusted third party that verifies the identity of a party to a transaction. To do this, the CA vouches for the identity of a party by attaching the CA's digital signature to any messages, public keys, etc., which are transmitted. Obviously, the CA must be trusted by the parties involved, and identities must have been proven to the CA beforehand. Digital certificates are messages that are signed with the CA's private key. They identify the CA, the represented party, and could even include the represented party's public key.
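The hash-then-sign procedure described under Digital Signatures, and the CA-signed certificate described above, as an added illustration that is not part of the FDIC paper. It uses textbook RSA on small constructed primes and a digest reduced modulo the key, which is an educational toy and not a secure implementation; the party names and message text are constructed.

```python
import hashlib

# Toy textbook RSA on small, constructed primes: educational only, not secure
# (real deployments use 2048-bit or larger keys plus a padding scheme such as PSS).
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # private exponent (Python 3.8+)
    return (e, n), (d, n)                    # (public key, private key)

def message_digest(message: bytes, n: int) -> int:
    # The "hash" step: a fixed-size digest of the message, reduced modulo n so the
    # toy key can sign it (the reduction is a toy simplification, not real practice).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    d, n = private_key
    return pow(message_digest(message, n), d, n)   # digest "encrypted" with private key

def verify(message: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    # Recover the digest with the public key and re-hash the received message.
    return pow(signature, e, n) == message_digest(message, n)

# A toy CA: the certificate is a message naming the represented party and its
# public key, signed with the CA's private key.
def issue_certificate(ca_private_key, party: str, party_public_key):
    body = f"{party}|{party_public_key[0]}|{party_public_key[1]}".encode()
    return body, sign(body, ca_private_key)

def verify_certificate(cert, ca_public_key) -> bool:
    body, signature = cert
    return verify(body, signature, ca_public_key)

# Constructed keys for a bank customer (Alice) and for the CA.
ALICE_PUB, ALICE_PRIV = make_keypair(1000003, 1000033)
CA_PUB, CA_PRIV = make_keypair(1000037, 1000039)

def demo():
    msg = b"Transfer $100 from account 1 to account 2"
    sig = sign(msg, ALICE_PRIV)
    cert = issue_certificate(CA_PRIV, "Alice", ALICE_PUB)
    forged_cert = (cert[0].replace(b"Alice", b"Mallory"), cert[1])
    return {
        "valid": verify(msg, sig, ALICE_PUB),                         # genuine message
        "tampered": verify(b"Transfer $900 from account 1 to account 2", sig, ALICE_PUB),
        "cert_ok": verify_certificate(cert, CA_PUB),                  # CA vouches for Alice
        "cert_forged": verify_certificate(forged_cert, CA_PUB),       # renamed party fails
    }

if __name__ == "__main__":
    print(demo())
```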
The responsibilities of CAs and their position among emerging technologies continue to develop. They are likely to play an important role in key management by issuing, retaining, or distributing public/private key pairs.
The implementation and use of encryption technologies, digital signatures, certificate authorities, and digital certificates can vary. The technologies and methods can be used individually, or in combination with one another. Some techniques may merely encrypt data in transit from one location to another. While this keeps the data confidential during transmission, it offers little in regard to authentication and non-repudiation. Other techniques may utilize digital signatures, but still require the encrypted submission of sensitive information, like credit card numbers. Although protected during transmission, additional measures would need to be taken to ensure the sensitive information remains protected once received and stored.
The protection afforded by the above security measures will be governed by the capabilities of the technologies, the appropriateness of the technologies for the intended use, and the administration of the technologies utilized. Care should be taken to ensure the techniques utilized are sufficient to meet the required needs of the institution. All of the technical and implementation differences should be explored when determining the most appropriate package.
INTERNET COMPLIANCE - Electronic Fund Transfer Act (Regulation E)
Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. In accordance with the regulation, financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.
According to a Federal Reserve Board Official Staff Commentary (OSC), financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures required under the regulation. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
The OSC also clarifies that terminal receipts are unnecessary for transfers initiated online, and provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer.
Additionally, the OSC clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.
Pursuant to the regulation, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.
IN CLOSING - I want to personally thank you for your support. If there is anything we can do to be of assistance, please contact me.
Have a safe Fourth,