September 9, 2001
MUST READ - Study Finds Banks Miss the Mark Online - Unisys report finds banks aren't doing enough to
support customers on the Web.
http://www.pcworld.com/news/article/0,aid,60963,tk,dn090601X,00.asp
FYI - NCUA - Interim Final Rules Amending Regulations B, E,
M, Z, and DD - Electronic Delivery of Required Disclosures - As credit unions continue to expand their use of electronic
technology, they should carefully consider compliance issues governing
electronic commerce.
www.ncua.gov/ref/reg_alerts/01-RA-08.pdf
FYI - Electronic Data Security Overview - In response to the Gramm-Leach-Bliley Act (GLBA), the National
Credit Union Administration recently issued a revision to the NCUA Rules
& Regulations Part 748, Security Program, Report of Crime and
Catastrophic Act and Bank Secrecy Act Compliance.
www.ncua.gov/ref/letters/01-CU-11.pdf
FYI - NCUA - Authentication in
an Electronic Banking Environment - The purpose of this letter is to make
you aware of guidance recently released by the Federal Financial
Institutions Examination Council to financial institutions regarding
authenticating users in an electronic banking environment.
www.ncua.gov/ref/letters/01-CU-10.pdf
INTERNET COMPLIANCE - This is the first of two comments
regarding the Electronic Fund Transfer Act (Regulation E).
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Risk management challenges
The Electronic Banking Group (EBG) noted that the fundamental
characteristics of e-banking (and e-commerce more generally) posed a
number of risk management challenges:
1) The speed of change relating to technological and customer
service innovation in e-banking is unprecedented. Historically, new
banking applications were implemented over relatively long periods
of time and only after in-depth testing. Today, however, banks are
experiencing competitive pressure to roll out new business
applications in very compressed time frames – often only a few
months from concept to production. This competition intensifies the
management challenge to ensure that adequate strategic assessment,
risk analysis and security reviews are conducted prior to
implementing new e-banking applications.
2) Transactional e-banking web sites and associated retail and wholesale business
applications are typically integrated as much as possible with
legacy computer systems to allow more straight-through processing of
electronic transactions. Such straight-through automated processing
reduces opportunities for human error and fraud inherent in manual
processes, but it also increases dependence on sound systems design
and architecture as well as system interoperability and operational
scalability.
3) E-banking increases banks’
dependence on information technology, thereby increasing the
technical complexity of many operational and security issues and
furthering a trend towards more partnerships, alliances and
outsourcing arrangements with third parties, many of whom are
unregulated. This development has been leading to the creation of
new business models involving banks and non-bank entities, such as
Internet service providers, telecommunication companies and other
technology firms.
4) The Internet is ubiquitous and global by nature. It is an
open network accessible from anywhere in the world by unknown
parties, with routing of messages through unknown locations and via
fast evolving wireless devices. Therefore, it significantly
magnifies the importance of security controls, customer
authentication techniques, data protection, audit trail procedures,
and customer privacy standards.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Consumer and Customer:
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
institution:
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory
services for a fee.
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
financial institution.
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that
institution.