FYI - Bank of New York seeks to
avert charges - Bank of New York Co. Inc. is talking to U.S.
prosecutors about paying a $24 million penalty in order avoid a
criminal indictment on charges of failing to report suspicious
activity at a branch, the Wall Street Journal reported on Tuesday.
FYI - Scammers Exploit
DomainKeys Anti-phishing Weapon - Numerous and prolific, phishing
scammers continue to claim victims, recently damaging the reputation
of the most promising technology deployed to thwart them.
FYI - Big Boost In Phishing
Attacks Driven By Bot Networks - Phishing fraudsters dramatically
anted up last month by using automated tools and networks of hacked
computers to double the number of sites that illegally collect
financial information, the Anti-Phishing Working Group.
FYI - Hackers hijack county
phones - Hackers broke into the Linn County government's phone
system earlier this month and billed the county for many hours worth
of expensive international calls.
NCUA - Letter to
Corporate Credit Unions 2004-05 -Business Continuity Planning and
Business Critical Processes - The purpose of this letter is to
provide corporate credit unions guidance regarding business
FFIEC Guidance on the use of Free and Open Source Software - The
federal banking, thrift, and credit union regulatory agencies have
published guidance for examiners, financial institutions, and
technology service providers on the acquisition and use of free and
open source software.
Return to the top
of the newsletter
INTERNET COMPLIANCE -
Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
the top of the newsletter
INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information
INSURANCE (Part 1 of 2)
Financial institutions have used insurance coverage as an effective
method to transfer risks from themselves to insurance carriers.
Insurance coverage is increasingly available to cover risks from
security breaches or denial of service attacks. For example, several
insurance companies offer e - commerce insurance packages that can
reimburse financial institutions for losses from fraud, privacy
breaches, system downtime, or incident response. When evaluating the
need for insurance to cover information security threats, financial
institutions should understand the following points:
! Insurance is not a substitute for an effective security program.
! Traditional fidelity bond coverage may not protect from losses
related to security intrusions.
! Availability, cost, and covered risks vary by insurance company.
! Availability of new insurance products creates a more dynamic
environment for these factors.
! Insurance cannot adequately cover the reputation and compliance
risk related to customer relationships and privacy.
! Insurance companies typically require companies to certify that
certain security practices are in place.
the top of the newsletter
IT SECURITY QUESTION:
SERVICE PROVIDER OVERSIGHT-SECURITY
6. Determine if institution oversight of third party provider
security controls is adequate.
7. Determine if any third party provider access to the institution's
system is controlled according to "Authentication and Access
Controls" and "Network Security" procedures.
8. Determine if the contract requires secure remote communications,
9. Determine if the institution appropriately assessed the third
party provider's procedures for hiring and monitoring personnel who
have access to the institution's systems and data.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Reuse & Redisclosure of nonpublic personal information received
from a nonaffiliated financial institution under Sections 14 and/or
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in the step b below
(§11(a)(1)(i) and (ii)).
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).
IN CLOSING - The FFIEC interagency
Internet guidelines require financial institution web sites to comply
with consumer compliance, advertising, notifications, weblinking, and other federal
regulations. We have identified 17 federal regulations and over 130 issues
that relate to an institution's web site. We also verify weblinks for
functionality and appropriateness. As a former bank examiner with
over 40 year experience, we audit web sites following the FFIEC Internet
guidelines for financial institutions across the country. Visit
and learn how we can assist your financial institution.