R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

November 11, 2001

FYI - Two graduate students have found a way to hack into security systems that protect many banking and e-commerce transactions, Cambridge University said Thursday.  http://news.cnet.com/news/0-1003-200-7825787.html 

FYI - Information Technology and Growth in the Twelfth District - This just-released Economic Letter tracks information technology (IT) sector growth and slowing in the Federal Reserve's 12th District, and examines its impact on the District's economy.  www.frbsf.org/news/releases/2001/011105.html

FYI
- On
November 8, 2001, the Office of Foreign Assets Control (OFAC) has added certain entities and individuals to its list of Specially Designated Global Terrorists (SDGTs).
Press Release: www.occ.treas.gov/ftp/alert/2001-14.txt
Attachment: www.occ.treas.gov/ftp/alert/2001-14a.pdf

FYI - Mail safety concerns raised by recent anthrax scares have prompted a 20 percent increase in the number of Americans viewing and paying bills electronically, according to analyst firm Gartner.  http://news.cnet.com/news/0-1007-200-7798445.html 

INTERNET COMPLIANCETRUTH IN SAVINGS ACT (REG DD)

Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers, would supplement electronic disclosures with paper disclosures.


INTERNET SECURITY - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision in May 2001.

Board and Management Oversight - Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other third-party dependencies supporting e-banking.

Increased reliance upon partners and third party service providers to perform critical e-banking functions lessens bank management's direct control. Accordingly, a comprehensive process for managing the risks associated with outsourcing and other third-party dependencies is necessary. This process should encompass the third-party activities of partners and service providers, including the sub-contracting of outsourced activities that may have a material impact on the bank.

Historically, outsourcing was often limited to a single service provider for a given functionality. However, in recent years, banks' outsourcing relationships have increased in scale and complexity as a direct result of advances in information technology and the emergence of e-banking. Adding to the complexity is the fact that outsourced e-banking services can be sub-contracted to additional service providers and/or conducted in a foreign country. Further, as e-banking applications and services have become more technologically advanced and have grown in strategic importance, certain e-banking functional areas are dependent upon a small number of specialized third-party vendors and service providers. These developments may lead to increased risk concentrations that warrant attention both from an individual bank as well as a systemic industry standpoint.

Together, these factors underscore the need for a comprehensive and ongoing evaluation of outsourcing relationships and other external dependencies, including the associated implications for the bank's risk profile and risk management oversight abilities. Board and senior management oversight of outsourcing relationships and third-party dependencies should specifically focus on ensuring that:

1) The bank fully understands the risks associated with entering into an outsourcing or partnership arrangement for its e-banking systems or applications.

2) An appropriate due diligence review of the competency and financial viability of any third-party service provider or partner is conducted prior to entering into any contract for e-banking services.

3) The contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined. For instance, responsibilities for providing information to and receiving information from the service provider should be clearly defined.

4) All outsourced e-banking systems and operations are subject to risk management, security and privacy policies that meet the bank's own standards.

5)  Periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.

This is the last of three principles regarding Board and Management Oversight.  Next week we will begin the series on the principles of security controls, which include Authentication, Non-repudiation, Data and transaction integrity, Segregation of duties, Authorization controls, Maintenance of audit trails, and Confidentiality of key bank information.

PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Examination Objectives 

1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.

2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.

3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:

a)  Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice; 
b)  Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out; 
c)  Appropriately honoring consumer opt out directions; 
d)  Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
e)  Disclosing account numbers only according to the limits in the regulations.

4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated