October 14, 2001
- An online gift certificate company said a hacker who blackmailed
it for weeks after pilfering its customer information has apparently
carried out threats to disclose the data to its customers.
FYI TECHNOLOGY RISK - In a speech before the FFIEC Risk
Management Planning Seminar in San Francisco on October 11, 2001, FDIC
Chairman Don Powell stated in part:
"The transformation to a digital world is altering both the nature of
risk and its impact. Our growing reliance on technologies, particularly
Internet technologies, exposes banks to the ultimate risks - that the
technologies are disrupted and criminals misuse them.
We've always understood that these networks are one of the battlegrounds
on which terrorists will engage us. But now we understand just how much
damage these terrorists are prepared to do.
So we need to do whatever it takes to stay on top of security and our
vendor relationships. We must protect our part of the infrastructure,
because as banks increase their dependence on new technologies, the
consequences of an interruption of these services can become quite severe.
Also, as new products become available, banks should carefully plan the
implementation of new technologies and fully understand the risks they
- Due to heightened security concerns, FFIEC is changing the
mailing addresses for all CRA and HMDA data submissions effective
COMPLIANCE - Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's online
system top-level page, or "home page", to be an advertisement.
Therefore, according to these agencies' interpretation of their rules,
financial institutions subject to the regulations should display the
official advertising statement on their home pages unless subject to one
of the exceptions described under the regulations. Furthermore, each
subsidiary page of an online system that contains an advertisement should
display the official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information about
the FDIC's interpretation can be found in the Federal Register, Volume 62,
Page 6145, dated February 11, 1997.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Board and Management Oversight
The Board of Directors and senior management are responsible for
developing the banking institution's business strategy. An explicit
strategic decision should be made as to whether the Board wishes the bank
to provide e-banking transactional services before beginning to offer such
services. Specifically, the Board should ensure that e-banking plans are
clearly integrated within corporate strategic goals, a risk analysis is
performed of the proposed e-banking activities, appropriate risk
mitigation and monitoring processes are established for identified risks,
and ongoing reviews are conducted to evaluate the results of e-banking
activities against the institution's business plans and objectives.
In addition, the Board and senior management should ensure that the
operational and security risk dimensions of the institution's e-banking
business strategies are appropriately considered and addressed. The
provision of financial services over the Internet may significantly modify
and/or even increase traditional banking risks (e.g. strategic,
reputational, operational, credit and liquidity risk). Steps should
therefore be taken to ensure that the bank's existing risk management
processes, security control processes, due diligence and oversight
processes for outsourcing relationships are appropriately evaluated and
modified to accommodate e-banking services.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by the
financial regulatory agencies in May 2001.
Financial Institution Duties
(Part 4 of 6)
Requirements for Notices
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to consumers who
are not customers a "short form" initial notice together with an
opt out notice stating that the institution's privacy notice is available
upon request and explaining a reasonable means for the consumer to obtain
it. The following is a list of disclosures regarding nonpublic personal
information that institutions must provide in their privacy notices, as
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to whom
the institution may disclose information;
4) policies with respect to the treatment of former customers'
5) information disclosed to service providers and joint marketers
6) an explanation of the opt out right and methods for opting out;
7) any opt out notices the institution must provide under the Fair
Credit Reporting Act with respect to affiliate information sharing;
8) policies for protecting the security and confidentiality of
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and 15).