August 19, 2001
FYI - Most
people feel better giving out their personal information online to
traditional banks and other well-known merchants than to portals or their
Internet service providers, new research has found. http://news.cnet.com/news/0-1007-200-6861134.html?tag=mn_hd
FYI - FFIEC Guidance on
Authentication - The federal banking agencies recently issued the attached
guidance for examiners and banking organizations. The guidance
addresses authentication in an electronic banking environment.
www.federalreserve.gov/boarddocs/SRLETTERS/2001/sr0120.htm
FYI - Lifting of Mandatory
Compliance Date for Interim Rules Amending Regulations B, E, M, Z, and DD
- On August 3, 2001, the Federal Reserve Board (FRB) announced it had
lifted the October 1, 2001, mandatory compliance date for interim rules
governing the electronic delivery of certain consumer disclosures.
www.fdic.gov/news/news/financial/2001/fil0166.html
INTERNET COMPLIANCE - Disclosures/Notices
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can
"keep" the disclosure. A consumer using certain electronic
devices, such as Web TV, may not be able to print or download the
disclosure. If feasible, a financial institution may wish to include
in its on-line program the ability for consumers to give the
financial institution a non-electronic address to which the
disclosures can be mailed.
FYI - INTERNET SECURITY - Business
travelers eager to plug their laptop computers into wireless Internet
networks cropping up at hotels, airports and coffee shops need to be on
guard: Their e-mail and Web browsing can be easily intercepted, security
experts warn. http://news.cnet.com/news/0-1004-200-6853688.html?tag=ch_mh
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Banking Supervision
in May 2001.
Security Controls
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate authorization
privileges and authentication measures, logical and physical access
controls, adequate infrastructure security to maintain appropriate
boundaries and restrictions on both internal and external user
activities and data integrity of transactions, records and
information. In addition, the existence of clear audit trails for
all e-banking transactions should be ensured, and measures to
preserve the confidentiality of key e-banking information should be
commensurate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of
comfort regarding information disclosures, protection of
customer data, and business availability that approaches the level
they can expect when using traditional banking distribution
channels. To minimize legal and reputational risk associated with
e-banking activities conducted both domestically and cross-border,
banks should make adequate disclosure of information on their web
sites and take appropriate measures to ensure adherence to customer
privacy requirements applicable in the jurisdictions to which the
bank is providing e-banking services.
FYI - PRIVACY -
The "FFIEC InfoBase"
was created by the Task Force on Examiner Education to provide field
examiners of the five financial institution regulatory agencies
that make up the FFIEC a fast source of introductory training and basic
information on specific topics. http://www.ffiec.gov/exam/InfoBase/start.htm
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Opt Out Right and Exceptions:
The Right
Consumers must be given the right to "opt out" of, or
prevent, a financial institution from disclosing nonpublic personal
information about them to a nonaffiliated third party, unless an
exception to that right applies. The exceptions are detailed in
sections 13, 14, and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a reasonable
opportunity to opt out depends on the circumstances surrounding
the consumer's transaction, but a consumer must be provided a
reasonable amount of time to exercise the opt out right. For
example, it would be reasonable if the financial institution allows
30 days from the date of mailing a notice or 30 days after customer
acknowledgement of an electronic notice for an opt out direction to
be returned. What constitutes a reasonable means to opt out
may include check-off boxes, a reply form, or a toll-free telephone
number, again depending on the circumstances surrounding the
consumer's transaction. It is not reasonable to require a consumer
to write his or her own letter as the only means to opt out.