Internet Banking News

July 25, 1999

1) Once again the Comptroller is speaking out about customer privacy. This week he told a House panel that Congress should consider strengthening the consumer privacy protections included in pending financial modernization legislation. The Comptroller further stated that the relationship between banks and their customers is built upon the pervasive assumption of customers that their banks will maintain the confidentiality of that relationship. However, technological advances and competitive pressures have placed a premium on the availability of personal information.

COMMENT: The complete text of the Comptroller's testimony can be found at From a liability standpoint, be certain that your privacy statement matches the bank's practices.

2) INTERNET COMPLIANCE - Truth in Lending Act (Regulation Z) - Regulation Z's advertising requirements for credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options. Financial institutions should ensure that on-line advertising complies with 226.16 and 226.24. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with 226.16(c) and 226.24(d), which describe the requirements for multiple-page advertisements.

COMMENT: Regulation Z applies when the bank's web site states specific credit terms. The disclosures shall also be clear and conspicuous. Sections 226.16 and 226.24 can be found at

3) INTERNET SECURITY - A financial institution's board of directors and senior management should be aware of information security issues and be involved in developing an appropriate information security program. A comprehensive information security policy should outline a proactive and ongoing program incorporating three components: prevention, detection, and response.

Prevention measures include sound security policies, well-designed system architecture, properly configured firewalls, and strong authentication programs. The FDIC paper discusses two additional prevention measures: vulnerability assessment tools and penetration analyses. Vulnerability assessment tools generally involve running scans on a system to proactively detect known vulnerabilities such as security flaws and bugs in software and hardware. These tools can also detect holes allowing unauthorized access to a network, or insiders to misuse the system. Penetration analysis involves an independent party (internal or external) testing an institution's information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes. Using vulnerability assessment tools and performing regular penetration analyses will assist an institution in determining what security weaknesses exist in its information systems.

I will cover Detection and Response over the next two weeks.

COMMENT: It goes without saying that the Board of Directors must be involved with your Internet activities. Your bank probably already has a Bank Information Systems steering committee. This committee should be given the responsibility of Internet security, or another committee should be formed to specifically address Internet issues. In either case, there should be at least quarterly reports to the Board regarding the bank's Internet activities.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated