Internet Banking News

September 19, 1999

INTERNET COMPLIANCE - When on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule allows depository institutions to satisfy the delivery requirement for any of these disclosures by electronic communication, provided the consumer agrees to that method of delivery.

Regulations clarify that written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code. The text of the electronic authorization must be displayed on a computer screen that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer; a third-party merchant may not do so on the consumer's behalf.

The timing of a consumer's report of an unauthorized transaction, loss, or theft of an access device determines the consumer's liability. A financial institution may receive such a report through an electronic medium. Therefore, the institution should ensure that controls are in place to review these notifications and to ensure that an investigation is initiated as required.

FYI - I recommend that your bank's Electronic Fund Transfer Policy be a link off any web page that allows funds transfers or that discusses funds transfers.

INTERNET SECURITY - Issues to consider in your bank's risk assessment process include:

1) Identifying mission-critical information systems, and determining the effectiveness of current information security programs.

2) Assessing the importance and sensitivity of information, and the likelihood of outside break-ins (e.g., by hackers) and insider misuse of information.

CLIENTS: For example, if a large depositor list were made public, that disclosure could expose the bank to reputational risk and the potential loss of deposits. Further, the institution could be harmed if human resource data (e.g., salaries and personnel files) were made public. The assessment should identify systems that allow the transfer of funds, other assets, or sensitive data/confidential information, and review the appropriateness of access controls and other security policy settings.

3) Assessing the risks posed by electronic connections with business partners.

4) Determining legal implications and contingent liability concerns associated with any of the above.

COMMENT: Risk assessment is probably the most important process in determining your bank's security measures. Without a good risk assessment, there is no way you can establish security measures to protect critical data.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com