October 15, 2000
FYI - One of our clients recently received a letter from a company called Micromedia stating that it has registered the domain name "wwwclientbank.com," which differs from the bank's legitimate address only in the missing period after "www" (a customer who types the address without the period lands on Micromedia's name instead of the bank's). Micromedia now wants to sell the name to the bank for registration cost plus out-of-pocket expenses, a total of something over $400.00. A check of the registrations shows that this company has secured other names formed the same way, by putting "www" with no period in front of a bank's legitimate domain name. In July 2000, the OCC issued a warning about "Protecting Internet Addresses of National Banks" that can be reviewed at
FYI - Study after study shows that commerce sites lose customers because of slow connections.
FYI - Do you need to find a bank on the Internet? We list many US Banks on the Internet at
. Please let us know the URL for any bank not listed.
FYI - FDIC's Security Monitoring of Computer Networks http://www.fdic.gov/news/news/financial/2000/fil0067.html
FYI - Digital Signature Deployment Issues from the FDIC - http://www.fdic.gov/regulations/information/fils/banktechbulletin.html
FYI - FleetBoston Unveils Virtual Safe-Deposit Boxes - Consumers and small businesses will soon have a place to store important digital documents.
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Gathering and Retaining Intrusion Information. Particular care should be taken when gathering intrusion information.
The OCC expects management to clearly assess the tradeoff between enabling an easier recovery by gathering information about an intruder and the risk that an intruder will inflict additional damage while that information is being gathered. Management should establish that guidance and communicate it to employees through policies, procedures, and training. Intrusion evidence should be maintained in a fashion that enables recovery while facilitating subsequent actions by law enforcement. Legal chain of custody requirements must be considered. In general, chain of custody requirements address controlling and securing evidence from the time of the intrusion until it is turned over to law enforcement personnel: who collected each item, when, what it looked like at collection, and who has handled it since. The chain of custody actions to take, and the actions that should be guarded against (such as examining the original copy of a log instead of a working copy), should be identified and embodied in the bank's policies, procedures, and training.
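The one piece of this that is a technique rather than policy is how evidence is fixed at the moment of collection. The script below is an added example written for this review; it is not part of the OCC bulletin and not a bank's own tool. It hashes an artifact once, when it is collected, records that hash in a custody record, and refuses to hand the item to the next person if the bytes no longer match. The item identifier, handler names and the three access-log lines are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifact: a few web-server log lines standing in for a
# file captured from a compromised host. These are made up for the example.
SAMPLE_LOG = b"\n".join([
    b'10.0.0.5 - - [14/Oct/2000:02:13:07 -0500] "GET /cgi-bin/login.cgi?user=admin HTTP/1.0" 200 512',
    b'10.0.0.5 - - [14/Oct/2000:02:13:09 -0500] "POST /cgi-bin/login.cgi HTTP/1.0" 302 0',
    b'10.0.0.5 - - [14/Oct/2000:02:14:41 -0500] "GET /../../etc/passwd HTTP/1.0" 403 0',
]) + b"\n"


def _now() -> str:
    # UTC timestamps so entries from different machines and time zones sort correctly.
    return datetime.now(timezone.utc).isoformat()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _append(record: dict, action: str, handler: str, note: str = "") -> None:
    record["custody"].append({"at": _now(), "action": action, "by": handler, "note": note})


def ingest_evidence(item_id: str, data: bytes, collector: str, source: str, note: str = "") -> dict:
    """Open a custody record. The hash is computed exactly once, at collection;
    every later handler verifies against this stored value, never a fresh one."""
    record = {
        "item_id": item_id,          # hypothetical label, e.g. "E-001"
        "source": source,            # where the bytes came from (host, path)
        "collected_at": _now(),
        "collected_by": collector,
        "sha256": sha256_hex(data),
        "size": len(data),
        "custody": [],
    }
    _append(record, "collected", collector, note)
    return record


def verify(record: dict, data: bytes) -> bool:
    """True only if the bytes still match what was recorded at collection."""
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]


def transfer_custody(record: dict, data: bytes, from_handler: str, to_handler: str) -> bool:
    """Record a hand-off. A mismatch is logged as a refusal, not silently accepted,
    because an evidence item that changed in someone's hands is exactly what a
    defense attorney will ask about."""
    if not verify(record, data):
        _append(record, "transfer_refused", from_handler, "hash mismatch; item not released")
        return False
    _append(record, "released", from_handler, "to " + to_handler)
    _append(record, "received", to_handler, "from " + from_handler)
    return True


def custody_actions(record: dict) -> list:
    """Compact view of the log for reports: [(action, handler), ...]."""
    return [(e["action"], e["by"]) for e in record["custody"]]


def run_demo() -> tuple:
    """Collect the sample log, hand it to a second analyst, then show what
    happens when a tampered copy is offered for the next hand-off."""
    rec = ingest_evidence("E-001", SAMPLE_LOG, "analyst-1", "webserver:/var/log/httpd/access_log")
    clean_ok = transfer_custody(rec, SAMPLE_LOG, "analyst-1", "analyst-2")
    tampered = SAMPLE_LOG.replace(b"/etc/passwd", b"/index.html")   # simulated edit
    tampered_ok = transfer_custody(rec, tampered, "analyst-2", "law-enforcement")
    return rec, clean_ok, tampered_ok


if __name__ == "__main__":
    record, ok1, ok2 = run_demo()
    print(json.dumps(record, indent=2))
```

Store the custody record separately from the evidence (ideally signed or on write-once media) and work only from verified copies; the original's hash is the fact that survives into court.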
FYI COMPLIANCE - The American Bankers Association in their "ABA Bank Compliance" magazine September/October 2000 edition was kind enough to publish an article I wrote called "Don't Get an E-Byte: Common E-Violations and How to Avoid Them." If you do not have this magazine, send an e-mail to Kelly Saxton at firstname.lastname@example.org. She will be happy to assist you.
INTERNET COMPLIANCE - Electronic Fund Transfer Act (Regulation E)
Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the delivery requirement for these disclosures, and for other information required by the act and regulation, by electronic communication, as long as the consumer agrees to that method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service receive disclosures for that service if it is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
The Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, because the term "electronic terminal" excludes a telephone operated by a consumer, the OSC provides that financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.
Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is instead "similarly authenticated" is an authorization given through a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and must make a paper copy of the authorization available, automatically or upon request. The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.
Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.
Under the regulation, how promptly a consumer reports an unauthorized transaction or the loss or theft of an access device determines the consumer's liability. A financial institution may receive such a report through an electronic medium, for example by e-mail or through the on-line banking system itself. The institution should therefore ensure that controls are in place to review these notifications promptly, to record when each was received, and to ensure that an investigation is initiated within the time the regulation requires.
IN CLOSING - The vacation to the mountains of New Mexico was great.