October 1, 2000
FYI - A company that provides financial services for 10,000 clients--including banks, securities firms and credit unions--is scrambling to clear up a report last weekend that said it suffered a major security breach.
FYI - The FDIC announced the publication of "Tips for Safe Banking Over the Internet," a new brochure intended to help consumers better understand their rights and responsibilities when banking over the Internet. The brochure was produced in collaboration with the FRB of New York, the OCC, and the OTS. We recommend that Your Bank link to this brochure from its home page or its terms-of-use statement.
FYI - The Federal Reserve Board published a final rule amending Regulation Z, which implements the Truth in Lending Act, to revise the disclosure requirements for credit and charge card solicitations and applications. If you are advertising credit card rates, we believe this ruling will apply to Your Bank's site.
FYI - Application by Wilber National Bank, Oneonta, New York, to establish an operating subsidiary to provide internet access to bank customers in the bank's service area.
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Intrusion Response Policies and Procedures. Management should establish, document, and review the policies and procedures that guide the bank's response to information system intrusions. The review should take place at least annually, with more frequent reviews if the risk exposure warrants them.
Policies and procedures should address the following:
1. The priority and sequence of actions to respond to an intrusion. Actions should address the containment and elimination of an intrusion and system restoration. Among other issues, containment actions include a determination of which business processes must remain operational, which systems may be disconnected as a precaution, and how to address authentication compromises (e.g., revealed passwords) across multiple systems.
2. Gathering and retaining intrusion information, as discussed below.
3. The employee's authority to act, whether by request or by pre-approval, and the process for escalating the intrusion response to progressively higher degrees of intensity and senior management involvement.
4. Availability of necessary resources to respond to intrusions. Management should ensure that current contact information is available for those who are responsible for responding to intrusions.
5. System restoration tools and techniques, including the elimination of the intruder's means of entry and back doors, and the restoration of data and systems to the pre-intrusion state.
6. Notification and reporting to operators of other affected systems, users, regulators, incident response organizations, and law enforcement. Guidelines for filing a Suspicious Activity Report for suspected computer related crimes are discussed below, and in OCC Advisory Letter 97-9, "Reporting Computer Related Crimes" (November 19, 1997).
7. Periodic testing, as discussed below.
8. Staff training resources and requirements.
INTERNET COMPLIANCE - Disclosures/Notices
Several consumer regulations provide for disclosures and/or notices to consumers. The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means. The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s). The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.
Disclosures are generally required to be "clear and conspicuous." Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected. A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.
VACATION - I will be on vacation from Thursday, October 5 through Thursday, October 12. I will be trail riding with my horse Gray Ghost in the mountains of New Mexico and Colorado. If you need to get hold of me, send an e-mail, and I will get back to you on Friday, October 13. Since I am not taking my computer, there will be no newsletter next weekend.