Internet Banking News

December 19, 1999

FYI - The Federal Reserve Board announced the reopening and extension of the comment period on proposals to allow electronic delivery of federally mandated disclosures. On September 14, 1999, the Board published revised proposals for public comment under five consumer protection regulations: B (Equal Credit Opportunity), E (Electronic Fund Transfers), M (Consumer Leasing), Z (Truth in Lending), and DD (Truth in Savings). Comment is requested by March 3, 2000. http://www.bog.frb.fed.us/boarddocs/press/BoardActs/1999/19991209/

FYI - I learned at a conference that it would take the CIA 35 years to crack 128-bit encrypted data; whereas, it would take a teenager two weeks to crack 40-bit encrypted e-mail. It sure appears that using the 128-bit encrypted data is pretty safe.

FYI - This week a banker contacted us about auditing their web site because the bank examiners criticized the bank's informational site. The bank is $10 million in assets, and the web site contains five web pages.

INTERNET SECURITY - Internal controls over Internet banking systems should be commensurate with an institution's level of risk. As in any other banking area, management has the ultimate responsibility for developing and implementing a sound system of internal controls over the bank's Internet banking technology and products.

The regulators in their Internet examination procedures state that regular audits of the control systems will help ensure that the controls are appropriate and functioning properly. For example, the control objectives for an individual bank's Internet banking technology and products might focus on:

1) Consistency of technology planning and strategic goals, including efficiency and economy of operations and compliance with corporate policies and legal requirements.
2) Data availability, including business recovery planning.
3) Data integrity, including providing for the safeguarding of assets, proper authorization of transactions, and reliability of the process and output.
4) Data confidentiality and privacy safeguards.
5) Reliability of MIS.

Once control objectives are established, management has the responsibility to install the necessary internal controls to see that the objectives are met. Management also has the responsibility to evaluate the appropriateness of the controls on a cost-benefit basis. That analysis may take into account the effectiveness of each control in a process, the dollar volume flowing through the process, and the cost of the controls.

INTERNET COMPLIANCE - The OCC's Internet Banking handbook addresses the bank's compliance with applicable banking laws as follows:
1. Determine whether the bank is subject to notification requirements outlined in the Bank Service Corporation Act, section 1867(c)(2). (An example may include banks with investment in or partnerships with Internet service providers).
2. Identify whether the bank is staying informed on legal developments associated with Internet banking.
3. Review the findings from the most recent examinations (asset management, BIS, commercial, compliance, etc.) and the internal/external audit for issues associated with the institution's Internet banking products and services. If applicable, determine whether management has corrected any identified deficiencies.
4. Determine whether the FDIC notice is appropriately displayed and whether uninsured products or services are clearly designated (12 CFR 328).
5. Note whether reporting is in place to identify potential money laundering activities associated with Internet banking businesses.
6. Determine whether Office of Foreign Asset Control (OFAC) identification and reporting capabilities are maintained for Internet banking products and services.
7. As a way to expedite possible litigation and investigation resulting from security breaches, determine whether management has established a warning banner for users, announcing that intruders are accessing a private computer and that unauthorized access or use is not permitted and constitutes a crime punishable by law (18 USC 1030).
8. If the bank is aware of computer-related crimes (see AL 97-9, "Reporting Computer-Related Crimes," for guidance), determine whether a suspicious activity report was filed.
9. Determine whether the bank is providing accurate privacy disclosures associated with its Internet banking product line.

Thank you for all your support. As we move into the new year, we will work hard to help you maintain a compliant web site and assist your bank with its Internet activities.

We will not publish a newsletter over the holiday weekend but will be back the first week in January. We hope you have a wonderful and blessed holiday season.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
