December 30, 2001
Guidance Concerning Correspondent Accounts Established or Maintained for Certain
Foreign Banking Institutions - On
October 26, 2001, the President signed into law the USA PATRIOT Act (the Act).
Title III of the Act makes a number of amendments to the anti-money laundering
provisions of the Bank Secrecy Act. www.fdic.gov/news/news/financial/2001/fil01110.html
FYI - Proposed Check
Truncation Act - The Federal Reserve Board has proposed that Congress
enact a law that would facilitate check truncation. www.federalreserve.gov/PaymentSystems/truncation/default.htm
FYI - Delays in Mail Delivery to FDIC Addressees in Washington,
DC - Since October 22, 2001, mail service provided by the United States
Postal Service to Federal Deposit
Insurance Corporation addressees in
Washington, DC, has been disrupted, causing delays in mail delivery to the FDIC.
COMPLIANCE - The
Role Of Consumer Compliance In Developing And Implementing
Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system
designers consult with the compliance officer during the development
and implementation stages in order to minimize compliance risk.
The compliance officer should ensure that the proper controls
are incorporated into the system so that all relevant compliance
issues are fully addressed. This
level of involvement will help decrease an institution's compliance
risk and may prevent the need to delay deployment or redesign
programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This
profile will establish a framework from which the compliance officer
and technology staff can discuss specific technical elements that
should be incorporated into the system to ensure that the online
system meets regulatory requirements.
For example, the compliance officer may communicate with the
technology staff about whether compliance disclosures/notices on a
web site should be indicated or delivered by the use of
"pointers" or "hotlinks" to ensure that required
disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
INTERNET SECURITY - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision
in May 2001.
Principle 5: Banks should ensure that appropriate measures are in
place to protect the data integrity of e-banking transactions,
records and information.
Data integrity refers to the assurance that information that is
in-transit or in storage is not altered without authorization.
Failure to maintain the data integrity of transactions, records and
information can expose banks to financial losses as well as to
substantial legal and reputational risk.
The inherent nature of straight-through processes for e-banking may
make programming errors or fraudulent activities more difficult to
detect at an early stage. Therefore, it is important that banks
implement straight-through processing in a manner that ensures
safety and soundness and data integrity.
As e-banking is transacted over public networks, transactions are
exposed to the added threat of data corruption, fraud and the
tampering of records. Accordingly, banks should ensure that
appropriate measures are in place to ascertain the accuracy,
completeness and reliability of e-banking transactions, records and
information that is either transmitted over Internet, resident on
internal bank databases, or transmitted/stored by third-party
service providers on behalf of the bank. Common practices used to
maintain data integrity within an e-banking environment include the
transactions should be conducted in a manner that makes them highly
resistant to tampering throughout the entire process.
2) E-banking records
should be stored, accessed and modified in a manner that makes them
highly resistant to tampering.
transaction and record-keeping processes should be designed in a
manner as to make it virtually impossible to circumvent detection of
4) Adequate change
control policies, including monitoring and testing procedures,
should be in place to protect against any e-banking system changes
that may erroneously or unintentionally compromise controls or data
5) Any tampering with
e-banking transactions or records should be detected by transaction
processing, monitoring and record keeping functions.
FYI PRIVACY - Frequently Asked Questions for the Privacy Regulation- The
Federal Deposit Insurance Corporation is issuing the attached staff guidance to
help financial institutions comply with Part 332 of the FDIC Rules and
Regulations, "Privacy of Consumer Financial Information."
PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt
out notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers
(customers and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written records where available, determine if the institution has
adequate procedures in place to provide the opt out notice and
comply with opt out directions of consumers (customers and those who
are not customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. Reasonableness of the opportunity to opt out (the time
allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii),
d. Adequacy of procedures to implement and track the status of
a consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).
IN CLOSING -We hope you had a wonderful Holiday and that
the New Year brings you happiness and prosperity.