September 30, 2001
FinCEN Hotline/Reporting Suspicious Transactions Relating to
the Recent Terrorist Attacks - National banks are required to report
information concerning known or suspected criminal law violations relating
to the recent terrorist attacks to law enforcement authorities by filing
Suspicious Activity Reports (SARs) as expeditiously as possible.
Press Release - www.occ.treas.gov/ftp/alert/2001-10.txt
Attachment - www.occ.treas.gov/ftp/alert/2001-10a.pdf
FYI - Terrorist Additions to the OFAC SDN List - The President
has issued a new Executive Order targeting terrorists, and a number of
new names have been added to OFAC's Specially Designated Nationals List.
News Release - www.occ.treas.gov/ftp/alert/2001-9.txt
Attachment - www.occ.treas.gov/ftp/alert/2001-9a.pdf
Targeting Terrorist Assets - On September 24, 2001, President George W.
Bush issued an Executive Order targeting terrorists. As a result, a number
of new names have been added to Treasury's Office of Foreign Assets
Control (OFAC) Specially Designated Nationals and Blocked Persons list.
Institutions Hotline Relating To Terrorist Activity - The
Treasury Department's Financial Crimes Enforcement Network has established
a FINANCIAL INSTITUTIONS HOTLINE, 1-866-556-3974, for financial
institutions to voluntarily report to law enforcement suspicious
transactions that may relate to recent terrorist activity against the
Reporting Suspicious Transactions Relating to the Recent
Terrorist Attacks to Law Enforcement - Banking organizations supervised by
the Federal Reserve and the other federal financial institutions
supervisory agencies are required to report information concerning known
or suspected criminal law violations relating to the recent terrorist
attacks to law enforcement authorities by filing Suspicious Activity
Reports as expeditiously as possible.
FYI - NCUA Chairman Dennis Dollar issued an NCUA Letter to Credit
Unions today upon receiving a formal request for assistance by the Federal
Bureau of Investigation (FBI).
FYI - The Federal Reserve Board on Friday announced that the
Consumer Advisory Council will hold its next meeting on Thursday, October
25, which will cover electronic delivery of disclosures.
COMPLIANCE - Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for
outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems, databases
8. Data integrity of e-banking transactions, records, and
9. Establishment of clear audit trails for e-banking
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to ensure
availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be covered over the next few weeks,
as they relate to e-banking and the underlying risk management
principles that should be considered by banks to address these
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Financial Institution Duties
(Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web
IN CLOSING - The Internet Banking News will not be published
next weekend, October 7. The Internet Banking News will return
the weekend of October 14.