R. Kinney Williams & Associates®

Internet Banking News

December 12, 2004
With more than 40 years auditing only financial institutions, my experience in testing your Internet connection for vulnerabilities and in understanding your IT operation is unmatched. Visit http://www.internetbankingaudits.com/ for more detailed information.



FYI - Bank of New York seeks to avert charges - Bank of New York Co. Inc. is talking to U.S. prosecutors about paying a $24 million penalty in order to avoid a criminal indictment on charges of failing to report suspicious activity at a branch, the Wall Street Journal reported on Tuesday. http://www.msnbc.msn.com/id/6617856/

FYI - Scammers Exploit DomainKeys Anti-phishing Weapon - Numerous and prolific, phishing scammers continue to claim victims, recently damaging the reputation of the most promising technology deployed to thwart them. http://www.eweek.com/article2/0%2C1759%2C1732576%2C00.asp

FYI - Big Boost In Phishing Attacks Driven By Bot Networks - Phishing fraudsters dramatically anted up last month by using automated tools and networks of hacked computers to double the number of sites that illegally collect financial information, according to the Anti-Phishing Working Group. http://informationweek.com/shared/printableArticle.jhtml?articleID=54200569

FYI - Hackers hijack county phones - Hackers broke into the Linn County government's phone system earlier this month and billed the county for many hours worth of expensive international calls. http://www.gazettetimes.com/articles/2004/11/24/news/community/wedloc05.txt

FYI - NCUA - Letter to Corporate Credit Unions 2004-05 - Business Continuity Planning and Business Critical Processes - The purpose of this letter is to provide corporate credit unions guidance regarding business continuity planning. www.ncua.gov/CorporateCU/CorpLetters/2004/2004-05.pdf

FYI - FFIEC Guidance on the use of Free and Open Source Software - The federal banking, thrift, and credit union regulatory agencies have published guidance for examiners, financial institutions, and technology service providers on the acquisition and use of free and open source software. www.federalreserve.gov/BoardDocs/SRLetters/2004/sr0417.HTM 


INTERNET COMPLIANCE -
Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.


INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

INSURANCE  (Part 1 of 2)

Financial institutions have used insurance coverage as an effective method to transfer risks from themselves to insurance carriers. Insurance coverage is increasingly available to cover risks from security breaches or denial of service attacks. For example, several insurance companies offer e-commerce insurance packages that can reimburse financial institutions for losses from fraud, privacy breaches, system downtime, or incident response. When evaluating the need for insurance to cover information security threats, financial institutions should understand the following points:

- Insurance is not a substitute for an effective security program.
- Traditional fidelity bond coverage may not protect from losses related to security intrusions.
- Availability, cost, and covered risks vary by insurance company.
- Availability of new insurance products creates a more dynamic environment for these factors.
- Insurance cannot adequately cover the reputation and compliance risk related to customer relationships and privacy.
- Insurance companies typically require companies to certify that certain security practices are in place.



IT SECURITY QUESTION:
SERVICE PROVIDER OVERSIGHT - SECURITY

6. Determine if institution oversight of third party provider security controls is adequate.

7. Determine if any third party provider access to the institution's system is controlled according to "Authentication and Access Controls" and "Network Security" procedures.

8. Determine if the contract requires secure remote communications, as appropriate.

9. Determine if the institution appropriately assessed the third party provider's procedures for hiring and monitoring personnel who have access to the institution's systems and data.


INTERNET PRIVACY
- We continue our series listing the regulatory privacy examination questions. Answering the question each week will help ensure compliance with the privacy regulations.

Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure and reuse of the information where the institution is the recipient of nonpublic personal information (§11(a)).

B. Select a sample of data received from nonaffiliated financial institutions, to evaluate the financial institution's compliance with reuse and redisclosure limitations.

1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in the step b below (§11(a)(1)(i) and (ii)).

2.  Verify that the institution only uses and shares the data pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).

IN CLOSING
- The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notification, weblinking, and other federal regulations. We have identified 17 federal regulations and over 130 issues that relate to an institution's web site. We also verify weblinks for functionality and appropriateness. As a former bank examiner with over 40 years' experience, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country. Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated