August 5, 2001
Authentication in an Electronic Banking Environment - The Federal
Financial Institutions Examination Council has released the attached
guidance, "Authentication in an Electronic Banking Environment."
Press Release - www.occ.treas.gov/ftp/advisory/2001-8.txt
Attachment - www.occ.treas.gov/ftp/advisory/2001-8a.pdf
FYI - The Federal Reserve Board announced the lifting of the
October 1, 2001 mandatory compliance date for interim rules governing the
electronic delivery of certain consumer disclosures. On March 29,
2001, the Board published interim final rules on electronic disclosures
and invited public comment. The rules establish uniform standards for the
electronic delivery of federally mandated disclosures under five consumer
protection regulations: B (Equal Credit Opportunity), E (Electronic Fund
Transfers), M (Consumer Leasing), Z (Truth in Lending), and DD (Truth in
INTERNET COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that are
subject to the Fair Housing Act must display the Equal Housing Lender
logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through electronic
media with a video component (the financial institution has the ability to
see the applicant) must be treated as "in person" applications.
Accordingly, information about these applicants' race or national origin
and sex must be collected. An institution that accepts applications
through electronic media without a video component, for example, the
Internet or facsimile, may treat the applications as received by mail.
INTERNET SECURITY - Over the next few weeks, we will cover
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision in May 2001.
Continuing technological innovation and competition among existing
banking organizations and new entrants have allowed for a much wider array
of banking products and services to become accessible and delivered to
retail and wholesale customers through an electronic distribution channel
collectively referred to as e-banking. However, the rapid development of
e-banking capabilities carries risks as well as benefits.
The Basel Committee on Banking Supervision expects such risks to be
recognized, addressed and managed by banking institutions in a prudent
manner according to the fundamental characteristics and challenges of
e-banking services. These characteristics include the unprecedented speed
of change related to technological and customer service innovation, the
ubiquitous and global nature of open electronic networks, the integration
of e-banking applications with legacy computer systems and the increasing
dependence of banks on third parties that provide the necessary
information technology. While not creating inherently new risks, the
Committee noted that these characteristics increased and modified some
of the traditional risks associated with banking activities, in particular
strategic, operational, legal and reputational risks, thereby influencing
the overall risk profile of banking.
Based on these conclusions, the Committee considers that while existing
risk management principles remain applicable to e-banking activities, such
principles must be tailored, adapted and, in some cases, expanded to
address the specific risk management challenges created by the
characteristics of e-banking activities. To this end, the Committee
believes that it is incumbent upon the Boards of Directors and banks’
senior management to take steps to ensure that their institutions have
reviewed and modified where necessary their existing risk management
policies and processes to cover their current or planned e-banking
activities. The Committee also believes that the integration of e-banking
applications with legacy systems implies an integrated risk management
approach for all banking activities of a banking institution.
PRIVACY - We continue covering various issues in the "Privacy of
Consumer Financial Information" published by the financial regulatory
agencies in May 2001.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the regulations, a
number of key concepts are used. These concepts include "financial
institution"; "nonpublic personal information";
"nonaffiliated third party"; the "opt out" right and
the exceptions to that right; and "consumer" and
"customer." Each concept is briefly discussed below. A more
complete explanation of each appears in the regulations.
A "financial institution" is any institution the
business of which is engaging in activities that are financial in nature
or incidental to such financial activities, as determined by section 4(k)
of the Bank Holding Company Act of 1956. Financial institutions can
include banks, securities brokers and dealers, insurance underwriters and
agents, finance companies, mortgage bankers, and travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except a
financial institution's affiliate or a person employed jointly by a
financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is any
company that controls, is controlled by, or is under common control with
the financial institution.