January 2, 2000
FYI - A Chinese court has upheld the death sentence for a man who hacked into the computer system of a state bank to steal money. The Financial News article can be found at
INTERNET SECURITY - The OCC's Internet Banking handbook states that "The risk planning process is the responsibility of the board and senior management. They need to possess the knowledge and skills to manage the bank's use of Internet banking technology and technology-related risks. The board should review, approve, and monitor Internet banking technology-related projects that may have a significant impact on the bank's risk profile. They should determine whether the technology and products are in line with the bank's strategic goals and meet a need in their market. Senior management should have the skills to evaluate the technology employed and risks assumed. Periodic independent evaluations of the Internet banking technology and products by auditors or consultants can help the board and senior management fulfill their responsibilities."
FYI - It is recommended that the bank's IS manager prepare a presentation about Internet activities and technology for the Directors. The board minutes should reflect this presentation. Internet or IS seminars are also recommended for senior management.
INTERNET COMPLIANCE - When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services. Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk. The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.
FYI - The role of the Compliance Officer is changing. Compliance Officers must understand not only the regulations that apply to "brick and mortar banking" but also compliance on the Internet, since the compliance laws apply to both. The biggest change is that the Compliance Officer will need to understand the programming language of web pages, which will allow the Compliance Officer to converse with the web page designers and programmers.
PRIVACY - In cooperation with other federal bank and thrift regulatory agencies, the FDIC conducted a survey of the Internet privacy policies of insured depository institutions during May and July of 1999. The survey's purpose was to review the data collection practices and on-line privacy disclosures of the financial services industry.
We wish you a very prosperous new year.