R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

November 18, 2001

FYI - Banking giant Citibank announced that it will soon remove fees for all U.S. transactions on its online payment service.  http://news.cnet.com/news/0-1007-200-7891983.html?tag=ch_mh 

FYI -
Specially Designated Nationals and Blocked Persons - On November 7, 2001, the Department of the Treasury's Office of Foreign Assets Control amended its listing of specially designated nationals and blocked persons by adding a significant number of terrorist organizations and individuals, including certain money transmitters and others in the United States.  www.fdic.gov/news/news/financial/2001/fil0197.html

FYI - Specially Designated Nationals and Blocked Persons - On November 7, 2001, the Department of the Treasury's Office of Foreign Assets Control amended its listing of specially designated nationals and blocked persons by adding a significant number of terrorist organizations and individuals, including certain money transmitters and others in the United States.  www.fdic.gov/news/news/financial/2001/fil0197.html

FYI -
Fed Announces Results of Study of the Payments System First Authoritative Study in 20 Years - New data collected by the Federal Reserve System suggest check writing in the United States is steadily giving way to electronic forms of payment as consumers, businesses, and financial institutions seek to be more efficient and cost-effective.
www.federalreserve.gov/boarddocs/press/General/2001/20011114/default.htm

INTERNET COMPLIANCE
The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services. Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk. The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan. This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements. For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to test the system for regulatory compliance.

INTERNET SECURITY
- We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision in May 2001.

While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking.
  Over the next number of weeks we will cover the principles of Security Controls.

Security Controls -
Principle 1: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 1 of 2)

It is essential in banking to confirm that a particular communication, transaction, or access request is legitimate. Accordingly, banks should use reliable methods for verifying the identity and authorization of new customers as well as authenticating the identity and authorization of established customers seeking to initiate electronic transactions.

Customer verification during account origination is important in reducing the risk of identity theft, fraudulent account applications and money laundering. Failure on the part of the bank to adequately authenticate customers could result in unauthorized individuals gaining access to e-banking accounts and ultimately financial loss and reputational damage to the bank through fraud, disclosure of confidential information or inadvertent involvement in criminal activity.

Establishing and authenticating an individual's identity and authorization to access banking systems in a purely electronic open network environment can be a difficult task. Legitimate user authorization can be misrepresented through a variety of techniques generally known as "spoofing." Online hackers can also take over the session of a legitimate authorized individual through use of a "sniffer" and carry out activities of a mischievous or criminal nature. Authentication control processes can in addition be circumvented through the alteration of authentication databases.

Accordingly, it is critical that banks have formal policy and procedures identifying appropriate methodology(ies) to ensure that the bank properly authenticates the identity and authorization of an individual, agent or system by means that are unique and, as far as practical, exclude unauthorized individuals or systems. Banks can us a variety of methods to establish authentication, including PINs, passwords, smart cards, biometrics, and digital certificates. These methods can be either single factor or multi-factor (e.g. using both a password and biometric technology to authenticate). Multi-factor authentication generally provides stronger assurance.

PRIVACY
- We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Examination Procedures
(Part 1 of 3)

A. Through discussions with management and review of available information, identify the institution's information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:

1)  Notices (initial, annual, revised, opt out, short-form, and simplified);

2)  Institutional privacy policies and procedures, including those to: 
     a)  process requests for nonpublic personal information, including requests for aggregated data; 
     b)  deliver notices to consumers; manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders); 
     c)  prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and 
     d)  prevent the unlawful disclosure of account numbers;

3)  Information sharing agreements between the institution and affiliates and service agreements or contracts between the institution and nonaffiliated third parties either to obtain or provide information or services;

4)  Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under section 13 are met and whether the institution is disclosing account number information in violation of section 12);

5)  Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including the data collected electronically through Internet cookies; or through ATM transactions);

6)  Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party; and

7)  Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically.

8)  Records that reflect the bank's categorization of its information sharing practices under Sections 13, 14, 15, and outside of these exceptions.

9)  Results of a 501(b) inspection (used to determine the accuracy of the institution's privacy disclosures regarding data security).

IN CLOSING
- We greatly appreciate your business and want to wish you a wonderful Thanksgiving.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated