R. Kinney Williams & Associates

Internet Banking News

August 14, 2000

INTERNET SECURITY - This is the second of three installments covering the NCUA's "best practice" suggestions dealing with Identity Theft prevention. This guidance is based on experience from actual identity theft. Evaluate each suggestion and balance the privacy protection risk with the institution's resources and products to develop privacy protection strategies and policies that are right for your credit union, savings and loan, or bank.

9. Conduct better identity verification for instant credit, especially when an address is recently changed or is different from the credit report. Don't rely solely on social security numbers. Supplement with utility bills, tax records, etc.

10. Train your staff to recognize and address incidents in which identity thieves use persuasive social engineering skills to obtain the pieces of information they need to complete identity theft.

11. Put photographs on credit cards and staff business cards.

12. Truncate digits on account numbers printed on transaction slips at point-of-sale terminals.

13. Use account profiling systems to detect unusual activity. Notify members of potential fraudulent activity.

14. Avoid mass mailing pre-approved offers of credit.

15. Keep all information about employees locked in cabinets or encrypted data files. Establish data security procedures for those with legitimate access to the files.

16. Encrypt sensitive personal and confidential information. Conduct "systems penetration tests" to determine if systems are "hacker proof."

INTERNET COMPLIANCE - Truth in Lending Act - Regulation Z

The commentary to Regulation Z clarifies that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulations state that financial institutions may permit customers to call for their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," requiring mailing or delivery of the statement not later than 14 days before the end of the grace period.

Provisions pertaining to advertising of credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options. Financial institutions should ensure that on-line advertising complies with the regulations. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with regulations which describe the requirements for multiple-page advertisements.

IN CLOSING - If you would like assistance in developing Internet and security policies that will meet your requirements and those of the bank examiners, we can help R. Kinney Williams & Associates develop these policies. Please give us a call when we can be of service.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated