January 9, 2000
FYI - It is my opinion that the banks should NOT take stop payment orders over the Internet. First, you need to check the Uniform Commercial Code in your state regarding the proper procedures to handle stop payment requests. Some states allow a phone call, while others do not. The customer must follow up the phone call with a written request. There is also the issue of when the stop payment request was received by the bank. When a customer sends an e-mail, it is possible that the bank's server is down or some other Internet problem occurs and the bank does not receive the e-mail. Even if the bank receives the e-mail, when was the e-mail actually received? Was the e-mail received when the computer got the e-mail or when the bank employee opened the e-mail? If you are offering Internet banking, you need to disclose the bank's stop payment policy. For more clarification, you may want to talk with the bank's counsel.
INTERNET SECURITY - The OCC's Internet Banking Handbook discusses what the examiner will question regarding Internet monitoring activities as follows:
1. Discuss with management the techniques used to monitor the security of Internet banking systems. Obtain and review sample reports such as:
a. Penetration test scope and results.
b. Security violation information.
c. Real-time intrusion detection reports.
d. Reports depicting security breaches or system intrusion.
2. Determine whether security analysis software is used and note its capabilities.
3. Determine whether management conducts or has employed outside vendors to conduct penetration testing. Assess whether:
a. An objective party performs penetration testing.
b. Persons performing the tests are appropriately bonded.
c. Penetration testing is performed at least annually or at an acceptable frequency based on management's risk analysis and risk tolerance.
d. Test information and documentation is strictly controlled.
4. Determine how management monitors and detects internal or external network intrusion including whether:
a. Monitoring software is used to track real-time network traffic.
b. A qualified individual is responsible for regularly monitoring network traffic.
c. Activity logs are maintained and reviewed on a regular basis.
d. Intrusion detection techniques allow for immediate notification of network administrators or security personnel.
e. Security policies define reportable events.
f. Processes are incorporated to assure appropriate levels of management, directors, and external authorities are notified.
5. Determine through review of reports or inquiries of management whether the bank has experienced any of the following occurrences. If so, document in work papers:
a. Any alteration of the bank's home page.
b. Any unauthorized access from external or internal sources.
c. Financial damage incurred as a result of any unauthorized intrusion. If losses have been sustained, determine if the bank filed a suspicious activity report per OCC Advisory Letter 97-9, "Reporting Computer-Related Crimes."
6. Determine whether management has emergency response procedures and evaluate whether they are effective in handling an unauthorized intrusion. Discuss and document controls for remote access including whether:
a. Security policies address remote access.
b. Staff is aware of policies and adherence is monitored.
c. Audit logs are maintained to monitor remote access.
INTERNET COMPLIANCE - According to the OCC, "compliance risk" is the risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank's clients may be ambiguous or untested. Compliance risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to a diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and lack of contract enforceability.
Most Internet banking customers will continue to use other bank delivery channels. Accordingly, national banks will need to make certain that their disclosures on Internet banking channels, including Web sites, remain synchronized with other delivery channels to ensure the delivery of a consistent and accurate message to customers.
Next week, we will cover specific consumer issues raised by the OCC.
YEAR 2000 WEB PAGE - You may want to change your Year 2000 web page to read something like "After the New Year celebration, it is business as usual at Our Bank. As anticipated, we have encountered no date change problems. Our team of employees is here to offer you the quality services and products you have come to expect from Our Bank. Best wishes for a happy New Year."
WEB PAGES - This year the examiners will be taking their first look at