R. Kinney Williams & Associates

Internet Banking News

August 8, 2004


FYI - Making customers jump through hoops - For example, every time a mortgage customer forgets his or her password to access account information online, it can cost the lender up to $50 to go through the process of issuing another one. http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=524b1bd4-03fe-43b5-8ef3-3d6f63befa4f&newsType=Opinion

FYI - Open source. Love it or hate it, but can you trust it? - Open source software (OSS) is firmly entrenched in the infrastructure of the Internet, and is now making inroads into the security market too. But although the darling of techies everywhere, OSS has its doubters. In particular, many corporate managers have concerns about support, accountability, and longevity. http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=2fb46e5f-590c-41ea-9ebd-7f4c6b6af248&newsType=Opinion

FYI - Consumers still falling for phish - Fake e-mails fool users 28 percent of the time, study finds - Confused by what's arriving in your inbox? You're not alone. Nearly one out of three Internet users were unable to tell the difference between fraudulent e-mails designed to steal their identities and legitimate corporate e-mail, a new study finds. http://www.msnbc.msn.com/id/5519990/

FYI - GAO - Information Technology: Training Can Be Enhanced by Greater Use of Leading Practices.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-04-791
Highlights - http://www.gao.gov/highlights/d04791high.pdf

FYI - Financial Firm Sanctioned For Deleting, Withholding E-Mail - A federal judge has sanctioned UBS AG for destroying or failing to produce in a timely manner E-mails.

FYI - Government auditors slam IRS for IT security risks - Auditors from the U.S. Department of the Treasury have issued two reports about IT security risks at the Internal Revenue Service, one saying that contractors working on IRS systems "committed numerous security violations" and the other taking the agency to task over unauthorized use of PDAs. http://www.computerworld.com/printthis/2004/0,4814,94741,00.html


We complete our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."   


Managing Service Providers

Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.

When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.

Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.


- We continue our series on the FFIEC interagency Information Security Booklet.  


Security personnel allow legitimate users to have system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include:

• Altering data,
• Deleting production and back up data,
• Crashing systems,
• Destroying systems,
• Misusing systems for personal gain or to damage the institution,
• Holding data hostage, and
• Stealing strategic or customer data for corporate espionage or fraud schemes.


Financial institutions should verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional criminal background and credit checks. Institutions should verify that contractors are subject to similar screening procedures. Typically, the minimum verification considerations include:

• Character references;
• Confirmation of prior experience, academic record, and professional qualifications; and
• Confirmation of identity from government issued identification.

After employment, managers should remain alert to changes in employees' personal circumstances that could increase incentives for system misuse or fraud.



6. Determine whether appropriate warning banners are displayed when applications are accessed.

7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts.


- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Consumer and Customer:

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:

1)  maintains a deposit or investment account; 

2)  obtains a loan; 

3)  enters into a lease of personal property; or 

4)  obtains financial, investment, or economic advisory services for a fee.

Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution.

There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.

Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.

IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and examiners recommend a security test of your Internet connection. The Vulnerability Internet Security Test Audit (VISTA) is an independent penetration study of your institution's network connection to the Internet that meets the regulatory requirements. We are trained information systems auditors that only work with financial institutions. As auditors, we provide an independent review of the vulnerability test results and an audit letter to your Board of Directors certifying the test results. For more information, visit http://www.internetbankingaudits.com/.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

