December 19, 1999
FYI - The Federal Reserve Board announced the reopening and extension of the comment
period on proposals to allow electronic delivery of federally mandated disclosures. On
September 14, 1999, the Board published revised proposals for public comment under five
consumer protection regulations: B (Equal Credit Opportunity), E (Electronic Fund
Transfers), M (Consumer Leasing), Z (Truth in Lending), and DD (Truth in Savings). Comment
is requested by March 3, 2000.
http://www.bog.frb.fed.us/boarddocs/press/BoardActs/1999/19991209/
FYI - I learned at a conference that it would take the CIA 35 years to crack 128-bit
encrypted data, whereas it would take a teenager two weeks to crack 40-bit encrypted
e-mail. It sure appears that using 128-bit encryption is pretty safe.
FYI - This week a banker contacted us about auditing their web site because the bank
examiners criticized the bank's informational site. The bank is $10 million in assets, and
the web site contains five web pages.
INTERNET SECURITY - Internal controls over Internet banking systems should be
commensurate with an institution's level of risk. As in any other banking area, management
has the ultimate responsibility for developing and implementing a sound system of internal
controls over the bank's Internet banking technology and products.
The regulators in their Internet examination procedures state that regular audits of
the control systems will help ensure that the controls are appropriate and functioning
properly. For example, the control objectives for an individual bank's Internet banking
technology and products might focus on:
1) Consistency of technology planning and strategic goals, including efficiency and
economy of operations and compliance with corporate policies and legal requirements.
2) Data availability, including business recovery planning.
3) Data integrity, including providing for the safeguarding of assets, proper
authorization of transactions, and reliability of the process and output.
4) Data confidentiality and privacy safeguards.
5) Reliability of MIS.
Once control objectives are established, management has the responsibility to install
the necessary internal controls to see that the objectives are met. Management also has
the responsibility to evaluate the appropriateness of the controls on a cost-benefit
basis. That analysis may take into account the effectiveness of each control in a process,
the dollar volume flowing through the process, and the cost of the controls.
INTERNET COMPLIANCE - The OCC's Internet Banking handbook addresses the bank's
compliance with applicable banking laws as follows:
1. Determine whether the bank is subject to notification requirements outlined in the Bank
Service Corporation Act, section 1867(c)(2). (An example may include banks with investment
in or partnerships with Internet service providers).
2. Identify whether the bank is staying informed on legal developments associated with
3. Review the findings from the most recent examinations (asset management, BIS,
commercial, compliance, etc.) and the internal/external audit for issues associated with
the institution's Internet banking products and services. If applicable, determine whether
management has corrected any identified deficiencies.
4. Determine whether the FDIC notice is appropriately displayed and whether uninsured
products or services are clearly designated (12 CFR 328).
5. Note whether reporting is in place to identify potential money laundering activities
associated with Internet banking businesses.
6. Determine whether Office of Foreign Asset Control (OFAC) identification and reporting
capabilities are maintained for Internet banking products and services.
7. As a way to expedite possible litigation and investigation resulting from security
breaches, determine whether management has established a warning banner for users,
announcing that intruders are accessing a private computer and that unauthorized access or
use is not permitted and constitutes a crime punishable by law (18 USC 1030).
8. If the bank is aware of computer-related crimes (see AL 97-9, "Reporting
Computer-Related Crimes," for guidance), determine whether a suspicious activity
report was filed.
9. Determine whether the bank is providing accurate privacy disclosures associated with
its Internet banking product line.
Thank you for all your support. As we move into the new year, we will work hard to
help you maintain a compliant web site and assist your bank with its Internet activities.
We will not publish a newsletter over the holiday weekend but will be back the first
week in January. We hope you have a wonderful and blessed holiday season.