R. Kinney Williams & Associates

Internet Banking News

November 25, 2001

FYI - Unix bugged? - Internet Security Systems last week sounded the alarm about a serious security weakness it says is associated with Unix software from six vendors: Sun, Compaq, Hewlett-Packard, Caldera, SGI and IBM.  http://www.nwfusion.com/news/2001/1119unix.html 

INTERNET COMPLIANCE
Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers. The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means. The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s). The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous." Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected. A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.

INTERNET SECURITY
- We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision in May 2001.

Security Controls -
Principle 1: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 2 of 2)

The bank must determine which authentication methods to use based on management's assessment of the risk posed by the e-banking system as a whole or by the various sub-components. This risk analysis should evaluate the transactional capabilities of the e-banking system (e.g. funds transfer, bill payment, loan origination, account aggregation etc.), the sensitivity and value of the stored e-banking data, and the customer's ease of using the authentication method.

Robust customer identification and authentication processes are particularly important in the cross-border e-banking context given the additional difficulties that may arise from doing business electronically with customers across national borders, including the greater risk of identity impersonation and the greater difficulty in conducting effective credit checks on potential customers.

As authentication methods continue to evolve, banks are encouraged to monitor and adopt industry sound practice in this area such as ensuring that:

1)  Authentication databases that provide access to e-banking customer accounts or sensitive systems are protected from tampering and corruption. Any such tampering should be detectable and audit trails should be in place to document such attempts.

2)  Any addition, deletion or change of an individual, agent or system to an authentication database is duly authorized by an authenticated source.

3)  Appropriate measures are in place to control the e-banking system connection such that unknown third parties cannot displace known customers.

4)  Authenticated e-banking sessions remain secure throughout the full duration of the session or in the event of a security lapse the session should require re-authentication.
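The four practices above describe controls rather than code, so the following is an added illustration (it is not from the newsletter or from the Basel Committee paper) of what they look like when implemented: each authentication record is sealed with an HMAC so tampering is detectable (practice 1), every change is written to a hash-chained audit trail and refused unless the requesting actor is an authorized source (practice 2), and a session object drops its authenticated state after an idle lapse or a reported security lapse so that re-authentication is required (practice 4). The class names, the integrity key, the 900-second idle limit and the sample users are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; a deployment would hold it in an HSM/KMS.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def _mac(payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of one authentication record."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuthDatabase:
    """Authentication records sealed with HMACs plus a hash-chained, append-only audit trail."""

    def __init__(self, authorized_admins):
        self.records = {}                       # user -> {"data": {...}, "mac": "..."}
        self.audit = []                         # list of {"prev", "event", "digest"}
        self.authorized_admins = set(authorized_admins)

    def _log(self, event: dict) -> None:
        # Each entry commits to the digest of the previous one, so removing or
        # editing an entry later breaks the chain and becomes detectable.
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        entry = {"prev": prev, "event": event}
        entry["digest"] = _digest(entry)
        self.audit.append(entry)

    def change(self, actor: str, action: str, user: str, data: dict = None) -> bool:
        """Add, update or delete a record; refused (and logged) unless actor is authorized."""
        if actor not in self.authorized_admins:
            self._log({"actor": actor, "action": action, "user": user, "result": "REFUSED"})
            return False
        if action == "delete":
            self.records.pop(user, None)
        else:
            self.records[user] = {"data": data, "mac": _mac({"user": user, **data})}
        self._log({"actor": actor, "action": action, "user": user, "result": "OK"})
        return True

    def tampered_records(self) -> list:
        """Users whose stored record no longer matches its MAC (practice 1 detection check)."""
        return sorted(u for u, r in self.records.items()
                      if not hmac.compare_digest(r["mac"], _mac({"user": u, **r["data"]})))

    def audit_intact(self) -> bool:
        """Walk the chain; any edited or removed audit entry yields False."""
        prev = "0" * 64
        for e in self.audit:
            if e["prev"] != prev or _digest({"prev": e["prev"], "event": e["event"]}) != e["digest"]:
                return False
            prev = e["digest"]
        return True


class Session:
    """Authenticated session that expires on idle timeout or on a reported security lapse."""

    def __init__(self, user: str, now: float, idle_limit: float = 900):
        self.user, self.last_seen, self.idle_limit, self.valid = user, now, idle_limit, True

    def touch(self, now: float, security_lapse: bool = False) -> bool:
        """Returns True if the session is still authenticated; False means re-authenticate."""
        if security_lapse or now - self.last_seen > self.idle_limit:
            self.valid = False
        elif self.valid:
            self.last_seen = now
        return self.valid


def demo() -> dict:
    """Exercise the controls on constructed data and return the observations."""
    db = AuthDatabase(authorized_admins={"admin-alice"})
    db.change("admin-alice", "add", "customer1", {"cred_hash": "constructed-hash-1", "role": "customer"})
    refused = not db.change("intruder", "add", "mallory", {"cred_hash": "constructed-hash-2", "role": "admin"})
    clean = db.tampered_records()                          # nothing altered yet
    db.records["customer1"]["data"]["role"] = "admin"      # simulated direct edit bypassing change()
    tampered = db.tampered_records()                       # the edited record is flagged
    audit_ok = db.audit_intact()
    db.audit[1]["event"]["result"] = "OK"                  # simulated attempt to hide the refusal
    audit_after_edit = db.audit_intact()                   # chain no longer verifies
    s = Session("customer1", now=0)
    alive = s.touch(now=600)                               # within the idle limit
    expired = s.touch(now=2000)                            # 1400 s idle: re-authentication required
    lapse = Session("customer1", now=0).touch(now=10, security_lapse=True)
    return {"refused_logged": refused and db.audit[1]["event"]["result"] == "OK",
            "clean": clean, "tampered": tampered, "audit_ok": audit_ok,
            "audit_after_edit": audit_after_edit, "alive": alive,
            "expired": expired, "lapse": lapse}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The MAC covers the user name together with the record so that a sealed record cannot simply be copied onto another account, and the audit chain is checked independently of the records so that tampering with either store is visible on its own.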

PRIVACY
- We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Examination Procedures
(Part 2 of 3)

B. Use the information gathered from step A to work through the "Privacy Notice and Opt Out Decision Tree."  Identify which module(s) of procedures is (are) applicable.

C. Use the information gathered from step A to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (Attachments B & C). Identify which module is applicable.

D. Determine the adequacy of the financial institution's internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:

1)  Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;

2)  Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;

3)  Frequency and effectiveness of monitoring procedures;

4)  Adequacy and regularity of the institution's training program;

5)  Suitability of the compliance audit program for ensuring that:

     a)  the procedures address all regulatory provisions as applicable;
     b)  the work is accurate and comprehensive with respect to the institution's information sharing practices;
     c)  the frequency is appropriate;
     d)  conclusions are appropriately reached and presented to responsible parties;
     e)  steps are taken to correct deficiencies and to follow-up on previously identified deficiencies; and

6)  Knowledge level of management and personnel.

IN CLOSING - We hope you had a good Thanksgiving.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated