Internet Banking News
September 12, 1999
FYI - An Internet issue came to my attention this week that
involves a bank's yellow-page-type advertisement on the Internet at an ISP or similar
service. If your bank's advertisement spot on a web site goes beyond a listing of the
bank's name, the advertisement spot must include "Member FDIC" and display
the equal housing logo and the wording "Equal Housing Lender."
INTERNET COMPLIANCE - The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or technology plan. This
profile will establish a framework from which the compliance officer and technology staff
can discuss specific technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements. For example, the compliance
officer may communicate with the technology staff about whether compliance
disclosures/notices on a web site should be indicated or delivered by the use of
"pointers" or "hotlinks" to ensure that required disclosures are
presented to the consumer. The compliance officer can also be an ongoing resource to test
the system for regulatory compliance.
Compliance officers will need to review their existing compliance policies and procedures
and make appropriate modifications based upon the types of products, services, and
operating features of the institution's online system. The compliance program may not need
to be revamped, but merely extended to address the new level of technology employed by the
institution. Staff should be trained and a monitoring system implemented to review
continually the content and operation of the online programs to prevent inadvertent or
unauthorized changes that may affect compliance with the regulations.
Management should review and revise the institution's electronic financial services as the
regulatory environment changes and electronic delivery mechanisms evolve. This will help
to ensure that the institution maintains an effective compliance program.
INTERNET SECURITY - Performing a sound risk assessment is critical to establishing an
effective information security program. The risk assessment provides a framework for
establishing policy guidelines and identifying the risk assessment tools and practices
that may be appropriate for an institution. Banks still should have a written information
security policy, sound security policy guidelines, and well-designed system architecture,
as well as provide for physical security, employee education, and testing, as part of an
When institutions contract with third-party providers for information system services,
they should have a sound oversight program. At a minimum, the security-related clauses of
a written contract should define the responsibilities of both parties with respect to data
confidentiality, system security, and notification procedures in the event of data or
system compromise. The institution needs to conduct a sufficient analysis of the
provider's security program, including how the provider uses available risk assessment
tools and practices. Institutions also should obtain copies of independent penetration
tests run against the provider's system.
When assessing information security products, management should be aware that many
products offer a combination of risk assessment features, and can cover single or multiple
operating systems. Several organizations provide independent assessments and
certifications of the adequacy of computer security products (e.g., firewalls). While the
underlying product may be certified, banks should realize that the manner in which the
products are configured and ultimately used is an integral part of the products'
effectiveness. If relying on the certification, banks should understand the certification
process used by the organization certifying the security product.
Next week I will cover issues concerning the risk assessment process.