September 16, 2001
- NCUA - Recent Final Rule - 12 CFR Part 701 - NCUA is
issuing a final rule that relaxes certain provisions in NCUA’s
regulations for advertising and posting notice of nondiscrimination
in real estate-related lending.
COMPLIANCE - This is the last of two comments
regarding Electronic Fund Transfer Act (Regulation E.)
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated on-line. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization
via a home banking system. To satisfy the regulatory requirements,
the institution must have some means to identify the consumer (such
as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or
other visual display that enables the consumer to read the
communication from the institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group EBG, the
Committee concluded that, while traditional banking risk management
principles are applicable to e-banking activities, the complex
characteristics of the Internet delivery channel dictate that the
application of these principles must be tailored to fit many online
banking activities and their attendant risk management challenges.
To this end, the Committee believes that it is incumbent upon the
Boards of Directors and banks' senior management to take steps to
ensure that their institutions have reviewed and modified where
necessary their existing risk management policies and processes to
cover their current or planned e-banking activities. Further, as the
Committee believes that banks should adopt an integrated risk
management approach for all banking activities, it is critical that
the risk management oversight afforded e-banking activities becomes
an integral part of the banking institution's overall risk
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
These Risk Management Principles for Electronic Banking, which are
identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as
guidance to promote safe and sound e-banking activities. The
Committee believes that setting detailed risk management
requirements in the area of e-banking might be counter-productive,
if only because these would be likely to become rapidly outdated by
the speed of change related to technological and product innovation.
Therefore the principles included in the present Report express
supervisory expectations related to the overall objective of banking
supervision to ensure safety and soundness in the financial system
rather than stringent regulations.
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Financial Institution Duties ( Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a
reasonable means to opt out); and
3) a reasonable opportunity, before the financial
institution discloses the information to the nonaffiliated third
party, to opt out.
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions.
IN CLOSING - At this time of national tragedy, my
associates and I join all Americans in offering their prayers and
sympathy to all those who were affected by the events of Tuesday,
September 11, 2001. We have placed the American flag on our
web sites to show the world that we are Americans and nothing will
defeat this great country.