September 23, 2001
COMPLIANCE - Equal Credit Opportunity Act (Regulation B)
The regulations clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Risk management principles (Part 2 of 2)
The Committee recognizes that banks will need to develop risk
management processes appropriate for their individual risk profile,
operational structure and corporate governance culture, as well as
in conformance with the specific risk management requirements and
policies set forth by the bank supervisors in their particular
jurisdiction(s). Further, the numerous e-banking risk management
practices identified in this Report, while representative of current
industry sound practice, should not be considered to be
all-inclusive or definitive, since many security controls and other
risk management techniques continue to evolve rapidly to keep pace
with new technologies and business applications.
This Report does not attempt to dictate specific technical solutions
to address particular risks or set technical standards relating to
e-banking. Technical issues will need to be addressed on an on-going
basis by both banking institutions and various standards-setting
bodies as technology evolves. Further, as the industry continues to
address e-banking technical issues, including security challenges, a
variety of innovative and cost efficient risk management solutions
are likely to emerge. These solutions are also likely to address
issues related to the fact that banks differ in size, complexity and
risk management culture and that jurisdictions differ in their legal
and regulatory frameworks.
For these reasons, the Committee does not believe that a "one
size fits all" approach to e-banking risk management is
appropriate, and it encourages the exchange of good practices and
standards to address the additional risk dimensions posed by the
e-banking delivery channel. In keeping with this supervisory
philosophy, the risk management principles and sound practices
identified in this Report are expected to be used as tools by
national supervisors and implemented with adaptations to reflect
specific national requirements where necessary, to help promote safe
and secure e-banking activities and operations.
The Committee recognizes that each bank's risk profile is different
and requires a risk mitigation approach appropriate for the scale of
the e-banking operations, the materiality of the risks present, and
the willingness and ability of the institution to manage these
risks. These differences imply that the risk management principles
presented in this Report are intended to be flexible enough to be
implemented by all relevant institutions across jurisdictions.
National supervisors will assess the materiality of the risks
related to e-banking activities present at a given bank and whether,
and to what extent, the risk management principles for e-banking
have been adequately met by the bank's risk management framework.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Financial Institution Duties
( Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of
its privacy policies and practices to each customer, not later than
the time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
2) A financial institution must provide an annual notice at
least once in any period of 12 consecutive months during the
continuation of the customer relationship.
3) Generally, new privacy notices are not required for each
new product or service. However, a financial institution must
provide a new notice to an existing customer when the customer
obtains a new financial product or service from the institution, if
the initial or annual notice most recently provided to the customer
was not accurate with respect to the new financial product or
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.