November 11, 2001
FYI - Two graduate students have found a way to hack
into security systems that protect many banking and e-commerce
transactions, Cambridge University said Thursday. http://news.cnet.com/news/0-1003-200-7825787.html
Information Technology and Growth in the Twelfth District - This
just-released Economic Letter tracks information technology (IT)
sector growth and slowing in
the Federal Reserve's 12th District, and examines its impact on the
District's economy. www.frbsf.org/news/releases/2001/011105.html
FYI - On November 8, 2001, the Office of Foreign Assets
Control (OFAC) has added certain entities and individuals to its
list of Specially Designated Global Terrorists (SDGTs).
Press Release: www.occ.treas.gov/ftp/alert/2001-14.txt
FYI - Mail safety concerns raised by recent anthrax
scares have prompted a 20 percent increase in the number of
Americans viewing and paying bills electronically, according to
analyst firm Gartner. http://news.cnet.com/news/0-1007-200-7798445.html
COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
INTERNET SECURITY - We continue covering some of the
issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision in May 2001.
Board and Management Oversight - Principle 3: The
Board of Directors and senior management should establish a
comprehensive and ongoing due diligence and oversight process for
managing the bank's outsourcing relationships and other third-party
dependencies supporting e-banking.
Increased reliance upon partners and third party service providers
to perform critical e-banking functions lessens bank management's
direct control. Accordingly, a comprehensive process for managing
the risks associated with outsourcing and other third-party
dependencies is necessary. This process should encompass the
third-party activities of partners and service providers, including
the sub-contracting of outsourced activities that may have a
material impact on the bank.
Historically, outsourcing was often limited to a single service
provider for a given functionality. However, in recent years, banks'
outsourcing relationships have increased in scale and complexity as
a direct result of advances in information technology and the
emergence of e-banking. Adding to the complexity is the fact that
outsourced e-banking services can be sub-contracted to additional
service providers and/or conducted in a foreign country. Further, as
e-banking applications and services have become more technologically
advanced and have grown in strategic importance, certain e-banking
functional areas are dependent upon a small number of specialized
third-party vendors and service providers. These developments may
lead to increased risk concentrations that warrant attention both
from an individual bank as well as a systemic industry standpoint.
Together, these factors underscore the need for a comprehensive and
ongoing evaluation of outsourcing relationships and other external
dependencies, including the associated implications for the bank's
risk profile and risk management oversight abilities. Board and
senior management oversight of outsourcing relationships and
third-party dependencies should specifically focus on ensuring that:
1) The bank fully understands the risks associated with entering
into an outsourcing or partnership arrangement for its e-banking
systems or applications.
2) An appropriate due diligence review of the competency and
financial viability of any third-party service provider or partner
is conducted prior to entering into any contract for e-banking
3) The contractual accountability of all parties to the outsourcing
or partnership relationship is clearly defined. For instance,
responsibilities for providing information to and receiving
information from the service provider should be clearly defined.
4) All outsourced e-banking systems and operations are subject to
risk management, security and privacy policies that meet the bank's
5) Periodic independent internal and/or external audits are
conducted of outsourced operations to at least the same scope
required if such operations were conducted in-house.
This is the last of three principles regarding Board and Management
Oversight. Next week we will begin the series on the
principles of security controls, which include Authentication,
and transaction integrity, Segregation of duties, Authorization
controls, Maintenance of audit trails, and Confidentiality of key
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
1. To assess the quality of a financial institution's compliance
management policies and procedures for implementing the privacy
regulation, specifically ensuring consistency between what the
financial institution tells consumers in its notices about its
policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial
institution's internal controls and procedures for monitoring the
institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the
privacy regulation, specifically in meeting the following
a) Providing to customers notices of its privacy policies and
practices that are timely, accurate, clear and conspicuous, and
delivered so that each customer can reasonably be expected to
receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated
third parties, other than under an exception, after first meeting
the applicable requirements for giving consumers notice and the
right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information
received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in
4. To initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are deficient.