Internet Banking News

November 21, 1999

FYI - The NCUA is amending its regulations that implement the Truth in Savings Act. This interim rule allows credit unions to deliver, in electronic form, periodic statement disclosures required by NCUA's regulations if the member agrees to this form of delivery. The press release can be found at

INTERNET SECURITY - The OCC's handbook "Internet Banking" has the following procedures for examiners regarding firewalls:
1. Evaluate the process management uses to determine the appropriate type of web site (informational, communicative, or transactional) for the bank's Internet-based banking business.
2. Determine whether the institution has a sound process to ensure adequate control over the path between the web site and the institution's internal networks or computer systems.
3. Determine the process management employs to ensure that the firewall prevents unauthorized access to internal networks and computer systems.
4. If the firewall was commercially purchased, determine whether the bank has an adequate process to ensure that the responsibilities of the bank and vendor are well defined.
5. Determine the adequacy of the administration of the bank's firewall configuration and whether it ensures that:
a) Software change control procedures are appropriate.
b) Vendors provide timely fixes or upgrades and whether management implements them in a timely manner.
c) Changes in firewall configuration are tested prior to implementation.
d) Operating system control features have been invoked.
e) Operating system software default settings are adequate.
6. Determine whether the bank has an adequate process for:
a) Conducting penetration testing and certification.
b) Reviewing the qualifications of the company/person performing the certification.
7. Determine whether the bank has an effective process to assess the adequacy of physical controls in place to restrict access to firewall servers and components.
8. Determine whether the institution has an adequate process to identify any remote access, other than through a firewall, and how management monitors and controls that access.
9. Determine the adequacy of the institution's process to restrict access to firewall configuration documentation.

FYI - The above list of questions should be used when your computer operations are being audited. Your Internet and network policies should also address these issues.

INTERNET COMPLIANCE - In those instances where an electronic form of communication is permissible by regulation, you should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery.

FYI - When your customers sign up for Internet banking is the best time to get the customer's permission to deliver disclosures electronically.

PRIVACY - The principles of fair information practice are defined as:
"Notice" included statements informing the consumer about what information was collected, how the information was collected, how the collected information would be used, and whether the site said anything about its use or non-use of "cookies."
"Choice" included statements that informed consumers of any opportunity to exercise choice about whether they want to be contacted by the financial institution (internal opt out) or whether consumers could exercise choice about the disclosure of information to third parties (external opt out).
"Access" included statements describing how consumers might ask questions about or review information collected about them. Additionally, "access" included statements related to how consumers could correct inaccuracies in information that the institution maintains about them.
"Security" included statements informing consumers about the steps taken to provide security for information during on-line transmission and while stored by the financial institution. This could include statements related to the use of a secure server.
"Contact" included statements informing consumers about how they could submit questions or complaints about privacy.

FYI - This would be a good time to review your privacy statement to make sure that the statement includes the above principles of fair information practice.

WEB PAGES - A couple of weeks ago, a reader asked me to comment about "cookies." A "cookie" is information placed on a consumer's computer hard drive by a web site's server that allows the web site to monitor the user's visit to the site. The cookie can contain such information as login and registration information, and a consumer's interests as indicated by the pages visited at the web site. I found a web site dedicated to "cookies" at that will give you more information and answer any additional questions. "Cookies" are not evil and can be a benefit to your Internet experience.

If you have an Internet subject you would like me to comment on, please send me an e-mail at

The next publication of the "Internet Banking News" will be December 5, 1999.

Have a very happy Thanksgiving,


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

