December 2, 2001
FYI - Letter to Credit Unions 01-CU-20 -- Due
Diligence Over Third Party Service Providers
COMPLIANCE - Electronic
Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction
involving stored value products is covered by Regulation E when the
transaction accesses a consumer's account (such as when value is
"loaded" onto the card from the consumer's deposit account
at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule
was issued on March 20, 1998 that allows depository institutions to
satisfy the requirement to deliver by electronic communication any
of these disclosures and other information required by the act and
regulations, as long as the consumer agrees to such method of
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not specifically mentioned in the commentary, this
applies to all new banking services including electronic financial
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
Principle 2: Banks should use transaction authentication methods
that promote non-repudiation and establish accountability for
creating proof of the origin or delivery of electronic information
to protect the sender against false denial by the recipient that the
data has been received, or to protect the recipient against false
denial by the sender that the data has been sent. Risk of
transaction repudiation is already an issue with conventional
transactions such as credit cards or securities transactions.
However, e-banking heightens this risk because of the difficulties
of positively authenticating the identities and authority of parties
initiating transactions, the potential for altering or hijacking
electronic transactions, and the potential for e-banking users to
claim that transactions were fraudulently altered.
To address these
heightened concerns, banks need to make reasonable efforts,
commensurate with the materiality and type of the e-banking
transaction, to ensure that:
1) E-banking systems are designed to reduce the likelihood that
authorized users will initiate unintended transactions and that
customers fully understand the risks associated with any
transactions they initiate.
2) All parties to the transaction are positively authenticated
and control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration
and any alteration is detectable.
Banking organizations have begun to employ various techniques that
help establish non-repudiation and ensure confidentiality and
integrity of e-banking transactions, such as digital certificates
using public key infrastructure (PKI).
A bank may issue a digital certificate to a customer or
counterparty to allow for their unique identification/authentication
and reduce the risk of transaction repudiation. Although in some
countries customers’ rights to disclaim transactions is provided
in specific legal provisions, legislation has been passed in certain
national jurisdictions making digital signatures legally
enforceable. Wider global legal acceptance of such techniques is
likely as technology continues to evolve.
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions ) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instruction to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses
in the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment
for corrective action.