Internet Banking News

September 12, 1999

FYI  - An Internet issue came to my attention this week that involves a bank's yellow page type advertisement on the Internet at an ISP or similar service. If your bank has an advertisement spot on a web site other than just the bank's name being listed, the advertisement spot must include "Member FDIC" and have the equal housing logo and the wording "Equal Housing Lender."

INTERNET COMPLIANCE - The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan. This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements. For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to test the system for regulatory compliance.

Compliance officers will need to review their existing compliance policies and procedures and make appropriate modifications based upon the types of products, services, and operating features of the institution's online system. The compliance program may not need to be revamped, but merely extended to address the new level of technology employed by the institution. Staff should be trained and a monitoring system implemented to review continually the content and operation of the online programs to prevent inadvertent or unauthorized changes that may affect compliance with the regulations.

Management should review and revise the institution's electronic financial services as the regulatory environment changes and electronic delivery mechanisms evolve. This will help to ensure that the institution maintains an effective compliance program.

INTERNET SECURITY - Performing a sound risk assessment is critical to establishing an effective information security program. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution. Banks still should have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education, and testing, as part of an effective program.

When institutions contract with third-party providers for information system services, they should have a sound oversight program. At a minimum, the security-related clauses of a written contract should define the responsibilities of both parties with respect to data confidentiality, system security, and notification procedures in the event of data or system compromise. The institution needs to conduct a sufficient analysis of the provider's security program, including how the provider uses available risk assessment tools and practices. Institutions also should obtain copies of independent penetration tests run against the provider's system.

When assessing information security products, management should be aware that many products offer a combination of risk assessment features, and can cover single or multiple operating systems. Several organizations provide independent assessments and certifications of the adequacy of computer security products (e.g., firewalls). While the underlying product may be certified, banks should realize that the manner in which the products are configured and ultimately used is an integral part of the products' effectiveness. If relying on the certification, banks should understand the certification process used by the organization certifying the security product.

Next week I will cover issues concerning the risk assessment process.

IN CONCLUSION - I have an e-mail newsletter called "Loan Documentation and Review Services" that deals with lending issues, bank regulatory issues, and general banking information of interest to the community banker. This newsletter will not cover Internet issues that are not already covered in the weekly "Internet Banking Issues." If you or someone in your bank would like to receive the "Loan Documentation and Review Services" newsletter, please reply with their name and e-mail address. There is no charge for the newsletter.

Back Button

Go to the Bank Web Site Audit home page.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated