November 21, 1999
FYI - The NCUA is amending its regulations that implement the Truth in
Savings Act. This interim rule allows credit unions to deliver, in electronic form,
periodic statement disclosures required by NCUA's regulations if the member agrees to this
form of delivery. The press release can be found at http://www.ncua.gov/news/proposed_regs/707e.html.
INTERNET SECURITY - The OCC's handbook "Internet Banking," has the following
procedures for examiners regarding firewalls:
1. Evaluate the process management uses to determine the appropriate type of web site
(informational, communicative, or transactional) for the bank's Internet-based banking
2. Determine whether the institution has a sound process to ensure adequate control over
the path between the web site and the institution's internal networks or computer systems.
3. Determine the process management employs to ensure that the firewall prevents
unauthorized access to internal networks and computer systems.
4. If the firewall was commercially purchased, determine whether the bank has an adequate
process to ensure that the responsibilities of the bank and vendor are well defined.
5. Determine the adequacy of the administration of the bank's firewall configuration and
whether it ensures that:
a) Software change control procedures are appropriate.
b) Vendors provide timely fixes or upgrades and whether management implements them in a
c) Changes in firewall configuration are tested prior to implementation.
d) Operating system control features have been invoked.
e) Operating system software default settings are adequate.
6. Determine whether the bank has an adequate process for:
a) Conducting penetration testing and certification.
b) Reviewing the qualifications of the company/person performing the certification.
7. Determine whether the bank has an effective process to assess the adequacy of physical
controls in place to restrict access to firewall servers and components.
8. Determine whether the institution has an adequate process to identify any remote
access, other than through a firewall, and how management monitors and controls that
9. Determine the adequacy of the institution's process to restrict access to firewall
FYI - The above list of questions should be used when your computer operations are
being audited. Your Internet and network policies should also address these issues.
INTERNET COMPLIANCE - In those instances where an electronic form of communication is
permissible by regulation, you should ensure that the consumer has agreed to receive
disclosures and notices through electronic means. Additionally, institutions may want to
provide information to consumers about the ability to discontinue receiving disclosures
through electronic means, and to implement procedures to carry out consumer requests to
change the method of delivery.
FYI - When your customers sign up for Internet banking is the best time to get the
customer's permission to deliver disclosure electronically.
PRIVACY - The principles of fair information practice are defined as:
· "Notice" included statements informing the consumer about what information
was collected, how the information was collected, how the collected information would be
used, and whether the site said anything about its use or non-use of "cookies."
· "Choice" included statements that informed consumers of any opportunity to
exercise choice about whether they want to be contacted by the financial institution
(internal opt out) or whether consumers could exercise choice about the disclosure of
information to third parties (external opt out).
· "Access" included statements describing how consumers might ask questions
about or review information collected about them. Additionally, "access"
included statements related to how consumers could correct inaccuracies in information
that the institution maintains about them.
· "Security" included statements informing consumers about the steps taken to
provide security for information during on-line transmission and while stored by the
financial institution. This could include statements related to the use of a secure
· "Contact" included statements informing consumers about how they could submit
questions or complaints about privacy.
FYI - This would be a good time to review your privacy statement to make sure that the
statements includes the above principles of fair information.
WEB PAGES - A couple of weeks ago, a reader ask me to comment about "cookies." A
"cookie" is information placed on a consumer's computer hard drive by a web
site's server that allows the web site to monitor the user's visit to the site. The cookie
can contain such information as login and registration information, and a consumer's
interests as indicated by the pages visited at the web site. I found a web site dedicated
to "cookies" at http://www.cookiecentral.com/
that will give you more information and answer any additional questions.
"Cookies" are not evil and can be a benefit to your Internet experience.
If you have an Internet subject you would like me to comment on, please send me an e-mail
The next publication of the "Internet Banking News" will be December 5, 1999.
Have a very happy Thanksgiving,