December 12, 1999
IMPORTANT - The Blanket Bond does NOT cover non-employee computer fraud, fraudulent
voice instructions and fraudulent telefax requests unless there is an endorsement to
cover such activity. At present, I am not aware of an endorsement to cover a fraudulent
e-mail from a bank customer. This information was supplied by Fidelity and Deposit. Please
double check with the bonding company to be sure that R. Kinney Williams & Associates
is covered regarding Internet activities.
FYI - The results of an Internet survey conducted by the California Department of
Banking can be found at http://www.sbd.ca.gov/bulletin/1997/Internet.htm.
FYI - The FFIEC believes that financial institutions may be exposed to higher levels of
fraudulent and malicious attempts to exploit information systems during the century date
change. For more information refer to the press release at http://www.fdic.gov/news/news/financial/1999/FIL99107a.html.
INTERNET SECURITY - Before you can determine the scope of the security policy and the
auditing procedures, R. Kinney Williams & Associates needs to conduct a risk
assessment of your computer and Internet operations. This is what the OCC has to say
about risk management:
Financial institutions should have a technology risk management process to enable them
to identify, measure, monitor, and control their technology risk exposure. Examiners
should refer to OCC Bulletin 98-3, "Technology Risk Management" for additional
guidance on this topic. Risk management of new technologies has three essential elements:
1. The planning process for the use of the technology. 2. Implementation of the
technology. 3. The means to measure and monitor risk.
The OCC's objective is to determine whether a bank is operating its Internet banking
business in a safe and sound manner. The OCC expects banks to use a rigorous analytic
process to identify, measure, monitor, and control risk. Examiners will determine whether
the level of risk is consistent with the bank's overall risk tolerance and is within the
bank's ability to manage and control.
INTERNET COMPLIANCE - Electronic Fund Transfer Act (Regulation E)
Generally, when on-line banking systems include electronic fund transfers that debit or
credit a consumer's account, the requirements of the Electronic Fund Transfer Act and
Regulation E apply. Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may keep. An interim rule
was issued on March 20, 1998 that allows depository institutions to satisfy the
requirement to deliver by electronic communication any of these disclosures and other
information required by the act and regulations, as long as the consumer agrees to such
method of delivery.
Accordingly, institutions must ensure that consumers who sign up for a new banking
service are provided with disclosures for the new service. Although not specifically
mentioned in the commentary, this includes electronic financial services.
Additionally, a written authorization for preauthorized transfers from a consumer's
account includes an electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security code. An example of a
consumer's authorization that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization via a home banking
system. To satisfy the regulatory requirements, the institution must have some means to
identify the consumer (such as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the electronic authorization must
be displayed on a computer screen or other visual display that enables the consumer to
read the communication from the institution. Only the consumer may authorize the transfer
and not, for example, a third-party merchant on behalf of the consumer.
PRIVACY - The FDIC supports industry self-regulation that is specific, meaningful and
effective. The agency believes it is a good business practice for financial institutions
to adopt responsible privacy policies and information practices, disclose those policies
and practices to increase consumer knowledge and understanding, and take other prompt,
effective actions necessary to provide consumers with privacy protections in the online
The FDIC recognizes that information collection practices will vary among financial
institutions. Therefore, it encourages banks to develop and implement information
practices that best serve the needs of the bank and its customers. Such actions are good
risk management and will enhance consumer confidence in online banking.
TEXAS BANKS - The Texas Business and Commerce Code, Section 26.02 deals with the
statute of frauds. You will recall the statute of frauds relates to requirements that
certain contracts be in writing to be enforceable. A loan agreement for over $50,000 must
be in writing to be enforceable, and the rights of the parties are governed solely by the
writing if the lender complies with Section 26.02, which includes the posted notice and the
customer's signature acknowledging the effect of Section 26.02. Everette Jobe, General
Counsel for the Texas Department of Banking, said in an informal statement, "I tend to
believe that Internet transactions should be treated the same as transactions at
'off-premises electronic deposit facilities' with respect to the notice posting
requirement, without regard to whether the Internet server is on the bank's premises or
hosted by an ISP."
CLIENTS - This means that your web site needs a link to the notice in Section 26.02. This
notice link should be on your home page and all lending web pages, especially if you are
using online loan applications. You will find the required notice at http://www.banking.state.tx.us/legal/rules/text/03%2D34.html.
If your state has some bank posting requirements, the chances are the posting needs to
be on R. Kinney Williams & Associates's web page. Please send me an e-mail of any
posting requirements. I will verify if the posting needs to be on web sites and will
comment in a future newsletter.