September 3, 2000
FYI - The OCC, the FRB, the FDIC, and the OTS jointly announced proposed consumer protection rules for the sale of insurance products by depository institutions. The proposed rule published in today's Federal Register implements section 305 of the recently enacted Gramm-Leach-Bliley Act. We think these issues will affect your web site if the site is advertising insurance products. Please review the proposed regulation and respond to your regulator by October 5, 2000.
FYI - The Federal Reserve Board announced that wireless personal digital assistants can be used to read items on the Board's public web site.
FYI - If you have not heard, Bank of America Goes Wireless. http://www.pcworld.com/cgi-bin/pcwtoday?ID=18309
FYI - The FRB has a web page for consumers regarding home equity loans that you may find interesting at
FYI - The Financial Crimes Enforcement Network (FinCEN) published in the Federal Register an interim rule that amended the exemption provisions for filing currency transaction reports contained in the Bank Secrecy Act regulations.
Press release - http://www.occ.treas.gov/ftp/bulletin/2000-24.txt
Attachment - http://www.occ.treas.gov/ftp/regs/2000-24a.txt
FYI - We have completed our test program of checking links and home page changes and have decided not to continue these checks at this time. Please contact me if you have any questions or suggestions.
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review security strategies and plans.
Senior management and the board of directors are responsible for overseeing the development and implementation of their bank's security strategy and plan. Key elements to be included in those strategies and plans are an intrusion risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. These elements are needed for both internal and outsourced operations.
The first step in managing the risks of intrusions is to assess the effects that intrusions could have on the institution. Effects may include direct dollar loss, damaged reputation, improper disclosure, lawsuits, or regulatory sanctions. In assessing the risks, management should gather information from multiple sources, including (1) the value and sensitivity of the data and processes to be protected, (2) current and planned protection strategies, (3) potential threats, and (4) the vulnerabilities present in the network environment. Once information is collected, management should identify threats and the likelihood of those threats materializing, rank critical information assets and operations, and estimate potential damage.
The analysis should be used to develop an intrusion protection strategy and risk management plan. The intrusion protection strategy and risk management plan should be consistent with the bank's information security objectives. It also should balance the cost of implementing adequate security controls with the bank's risk tolerance and profile. The plan should be implemented within a reasonable time. Management should document this information, its analysis of the information, and decisions in forming the protection strategy and risk management plan. By documenting this information, management can better control the assessment process and facilitate future risk assessments.
INTERNET COMPLIANCE - Disclosures/Notices
Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.
Financial institutions advertising or selling nondeposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with nondeposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the nondeposit investment product or its lack of FDIC insurance.