December 5, 1999
FYI - This past week I was privileged to speak about Internet banking compliance and
security at the Bankers' Compliance Group seminar held in California. The Bankers'
Compliance Group specializes in compliance regulations for bankers. I want to thank Mark
Moore with the law firm of Aldrich and Bonnefin for inviting me to participate in their
seminar. You want to bookmark their web site at http://www.bankerscompliancegroup.com for
future reference for Your Bank.
INTERNET SECURITY - The OCC Internet Banking handbook states that well-defined policies
will help a bank develop a sound system of controls and ultimately reduce the
vulnerability to penetration. Well-defined control objectives will help the systems
administrator or vendors to properly configure the firewall. Such policies also will give
auditors a standard to measure against when performing tests. Some considerations for bank
firewall policies include:
1) Communicating the bank's policy with respect to monitoring employee use of data
communications networks, including electronic mail and the Internet.
2) Requiring virus checking for all diskettes or downloads from other than authorized
sources. Even diskettes received from other employees can be contaminated with a virus and
should be scanned before use, especially on a PC connected to the bank's network.
3) Determining the bank's policy for the access to PCs and the bank's network after
hours for uses that are not related to work.
4) Informing employees of the consequences of violating the institution's network usage
5) Limiting access to and use of administrator level capabilities of the firewall
hardware and software.
6) Requiring periodic review of the vulnerabilities of the bank's firewalls from known
threats, including penetration testing.
7) Regularly logging and reviewing all activity.
INTERNET COMPLIANCE - Financial institutions advertising or selling non-deposit
investment products on-line should ensure that consumers are informed of the risks
associated with nondeposit investment products as discussed in the "Interagency
Statement on Retail Sales of Non Deposit Investment Products." On-line systems should
comply with this Interagency Statement, minimizing the possibility of customer confusion
and preventing any inaccurate or misleading impression about the nature of the nondeposit
investment product or its lack of FDIC insurance.
1) Not FDIC Insured
2) No Bank Guarantee
3) May Lose Value
In addition, the logo format disclosures should be boxed, set in bold face type, and
displayed in a conspicuous manner.
PRIVACY - Financial institutions should review their internal controls to ensure that
these controls prevent the improper disclosure of personal information to third parties.
Banks with outsourcing arrangements may need to be especially cognizant of privacy
concerns as outsourcing arrangements present a greater potential for banks to lose control
over consumer information. Banks that lose control of consumers' information are subject
to liability and reputation risk. Internal controls should incorporate a monitoring and
review mechanism that will test compliance with established privacy policies and
WEB PAGES - I would recommend that you establish a log for each web page. The web page
log will keep track of the date the web page was created, the date of changes, and the
description of the change. The web page logs will come in handy to show examiners when
changes were made to help you with record retention requirements.
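One way to keep the web page log described above, as an added example that is not from this newsletter or any bank's own system: each page gets a dated entry when it is created and on every change, with a description and a SHA-256 digest of the content so a later reviewer can tell exactly which version an entry refers to (the page paths, dates and content below are constructed).

```python
import hashlib
import json
from datetime import date

# In-memory log: page path -> list of entries (date, event, description, sha256).
# Entries are only appended, never edited, so the history stays a record.

def page_digest(content: str) -> str:
    """SHA-256 of the page text, used to detect and identify a changed version."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()

def record_page(log: dict, path: str, content: str, description: str, on: str) -> bool:
    """Append an entry for `path` if the page is new or its content changed.
    `on` is an ISO date (YYYY-MM-DD). Returns True when an entry was written,
    False when the content is identical to the last logged version."""
    date.fromisoformat(on)  # reject malformed dates before logging anything
    digest = page_digest(content)
    history = log.setdefault(path, [])
    if history and history[-1]["sha256"] == digest:
        return False  # unchanged: nothing to log
    history.append({
        "date": on,
        "event": "created" if not history else "changed",
        "description": description,
        "sha256": digest,
    })
    return True

def page_history(log: dict, path: str) -> list:
    """(date, event, description) tuples in the order they were logged."""
    return [(e["date"], e["event"], e["description"]) for e in log.get(path, [])]

def export_log(log: dict) -> str:
    """JSON Lines, one entry per line, for retention separate from the web server."""
    lines = []
    for path, history in log.items():
        for e in history:
            lines.append(json.dumps({"page": path, **e}, sort_keys=True))
    return "\n".join(lines)

if __name__ == "__main__":
    log = {}  # constructed sample run
    record_page(log, "/rates.html", "<html>CD rate 5.00%</html>", "Initial page", "1999-11-01")
    record_page(log, "/rates.html", "<html>CD rate 5.00%</html>", "No change", "1999-11-15")
    record_page(log, "/rates.html", "<html>CD rate 5.25%</html>", "Updated CD rate", "1999-12-01")
    print(export_log(log))
```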