December 16, 2001
- A flaw in the Fleet Credit Card Services online site that could
have exposed hundreds of thousands of customer transactions to other
Fleet cardholders was repaired over the weekend after a customer
went public with the problem.
http://www.pcworld.com/news/article/0,aid,74964,tk,dn121001X,00.asp
The Office of the Comptroller of the Currency issued new
guidance this week to help examiners and banks understand and manage
the risks associated with the merchant processing business.
Press Release - www.occ.treas.gov/ftp/release/2001-102.txt
Attachment - http://www.occ.treas.gov/handbook/merchproc.pdf
FYI - The
Federal Reserve Board on Tuesday announced that it has revised its
Policy Statement on Payments System Risk (PSR policy).
www.federalreserve.gov/boarddocs/press/boardacts/2001/20011211/default.htm
FYI - Specially Designated
Nationals and Blocked Persons - On December 3, 2001, President
George W. Bush issued an Executive Order designating two entities as
"Persons Who Threaten International Stabilization Efforts in
the Western Balkans."
www.fdic.gov/news/news/financial/2001/fil01103.html

COMPLIANCE - Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six-transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such

Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general

INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
Principle 4: Banks should ensure that proper authorization
controls and access privileges are in place for e-banking systems,
databases and applications.
In order to maintain segregation of duties, banks need to strictly
control authorization and access privileges. Failure to provide
adequate authorization control could allow individuals to alter
their authority, circumvent segregation and gain access to e-banking
systems, databases or applications to which they are not privileged.
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.

FYI - PRIVACY -
Privacy of Consumer Financial Information Description: Small Bank
Compliance Guide - The OCC has prepared a "Small Bank
Compliance Guide" to help community banks comply with the rule
implementing the privacy provisions of the Gramm-Leach-Bliley Act.
FYI - PRIVACY - Guidance on
Financial Privacy - Staff of the federal agencies that supervise
banks, thrifts, and credit unions today issued guidance to help
financial institutions comply with these agencies' consumer privacy

PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of
delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice
(§9(c)), and accessibility of or ability to retain the notice (§9(e)).

IN CLOSING - Since next weekend is the beginning of the
holiday season, we will not publish the Internet Banking
News. The next edition of the Internet Banking News will be
published December 30, 2001.