Internet Banking News
September 5, 1999
1) FRB Press Release dated August 31, 1999, regarding electronic delivery
of periodic statements reads - "The Federal Reserve Board today published an interim
rule to Regulation DD, which implements the Truth in Savings Act. The rule permits
depository institutions to deliver disclosures on periodic statements to a consumer's
e-mail account or post them on a web site, if the consumer agrees. The interim rule is
effective September 1, 1999. Under an earlier interim rule published by the Board in March
1998, periodic statements and other disclosures required under Regulation E (which
implements the Electronic Fund Transfer Act) may be delivered electronically if the
consumer agrees. Institutions commonly provide a single periodic statement that complies
with Regulations E and DD."
2) INTERNET COMPLIANCE - THE ROLE OF CONSUMER COMPLIANCE IN DEVELOPING AND IMPLEMENTING
When violations of the consumer protection laws regarding a financial institution's
electronic services have been cited, generally the compliance officer has not been
involved in the development and implementation of the electronic services. Therefore, it
is suggested that management and system designers consult with the compliance officer
during the development and implementation stages in order to minimize compliance risk. The
compliance officer should ensure that the proper controls are incorporated into the system
so that all relevant compliance issues are fully addressed. This level of involvement will
help decrease an institution's compliance risk and may prevent the need to delay
deployment or redesign programs that do not meet regulatory requirements.
FYI - The role of the Compliance Officer is changing. Not only must they understand
the regulations as they apply to "brick and mortar banking" but also banking on
the Internet, since the compliance laws apply to both. The biggest change is that the
Compliance Officer will need to understand the programing language of web pages.
Understanding web page programming will allow the Compliance Officer to converse with the
web page designers and programmers.
3) INTERNET SECURITY - RISK ASSESSMENT/MANAGEMENT
A thorough and proactive risk assessment is the first step in establishing a sound
security program. This is the ongoing process of evaluating threats and vulnerabilities,
and establishing an appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the potential to harm an
institution, while vulnerabilities are weaknesses that can be exploited.
The extent of the information security program should be commensurate with the degree of
risk associated with the institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions offering transactional
Internet banking activities are exposed to greater risks. Further, real-time funds
transfers generally pose greater risks than delayed or batch-processed transactions
because the items are processed immediately. The extent to which an institution contracts
with third-party vendors will also affect the nature of the risk assessment program.
FYI - [Company]'s Internet policy should establish procedures that will annually
analyze the risks associated with the Internet with special attention to changes made
since the last risk assessment review.
ON THE LIGHT SIDE: My neighbor works in the operations department in the central office of
a large bank. Employees in the field call him when they have problems with their
computers. One night he got a call from a man in one of the branch banks who had this
question: "I've got smoke coming from the back of my terminal. Do you guys have a