
January/February 2008
Focus: Compliance

Planning to Offer Internet Banking Services? Important Tips to Help You Prepare

By Angela Shoemaker

Financial institutions considering a web site or Internet-based services need to be aware of the various risks and regulations that may apply to these services. The risks and particular regulations that apply may vary depending on the types of services offered.

If your institution’s website is designed for informational purposes only and you do not offer any transactional capabilities, you will still need to be aware of the consumer compliance and advertising regulations that may apply to the products and services advertised on your website. Security of your website is also a very important consideration. Security measures should protect the website from defacement and malicious code.

Institutions offering “transactional” websites will need to consider additional security measures to help ensure the authenticity and integrity of transactions initiated over the Internet. Security controls are necessary to protect confidential customer information from unauthorized access. Strong multi-level authentication processes will be necessary to help verify the identity of end-users.

For transactional websites, additional security measures, including access controls, encryption, firewalls, intrusion prevention systems and other application and network perimeter controls, will be necessary to protect sensitive customer information while in transit and while in storage. Financial institutions also need to be familiar with consumer regulations, such as Reg E, Reg DD, the various privacy, anti-money laundering, and anti-terrorism regulations that may also apply to the services offered.

The availability of online services and business continuity planning are also important considerations for transactional websites. As customer adoption grows so will their expectations for availability and reliability of online services.

Institutions that host their own websites and/or their own transactional website products must have the technical expertise to manage these risks. The growing threats posed by hackers, viruses, and spammers are significant challenges for system administrators and network security personnel; for many community banks, outsourcing is therefore a viable option for managing these risks.

Institutions that outsource website hosting and/or transactional services must be diligent in monitoring their service providers. Institutions should require their service providers to perform annual SAS70 Level II audits and/or comparable security audits. Institutions should also ensure that their service providers perform independent vulnerability testing at least quarterly. To further ensure that your service providers’ controls are effectively protecting your institution’s website and/or customer information, your institution may also perform periodic vulnerability scans of your website.

Internet Risks

Internet scams, trojans, keystroke loggers and fake websites that attempt to glean sensitive information from your customers are serious threats for all consumers, not just those using online banking services. It is very important that institutions familiarize themselves with these issues so that they can develop effective controls to help mitigate the impact of these ongoing threats. Such controls may include:

  • Enhanced or strong authentication methodologies
  • Masking online account numbers
  • Website verification
  • Incident response plans
  • Educational programs designed to inform customers about Internet security

Even with these potential Internet security risks, online banking can help protect your customers by allowing them to more closely monitor their accounts and assist in the early identification of unusual or unauthorized transactions. 

Compliance Risks

Internet banking is still an area where the laws and regulations are evolving. Regulators have issued and proposed several new consumer regulations and interpretations that include guidance for compliance on the Internet. However, several issues remain unclear. The general rule of thumb is that all rules and regulations that apply in your physical location also apply on the Internet. However, as noted by the FFIEC in its E-Banking Booklet (dated August 2003), there are several other regulatory and legal challenges, such as:

  • Uncertainty over legal jurisdictions and which state’s or country’s laws govern a specific e-banking transaction.
  • Delivery of the required credit and deposit related disclosures.
  • Record retention for online advertising, applications, disclosures and notices.
  • Establishment of legally binding electronic agreements.

In order to help identify and manage the various compliance and legal risks, institutions should involve their compliance officers and legal counsel in the initial risk assessment and implementation processes for the establishment of Internet banking activities.

Depending on the types of services offered, applicable regulations might include:

  • State and federal privacy regulations
  • State breach notification requirements
  • GLBA Information Security Requirements
  • Computer fraud statutes
  • Consumer protection regulations (e.g., Regulations Z, B, E, and DD)
  • The Bank Secrecy Act
  • The US Patriot Act
  • OFAC (Office of Foreign Assets Control)
  • The CAN SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act – 2003)
  • UCC (Uniform Commercial Code)
  • NACHA Rules
  • FCRA (Fair Credit Reporting Act)
  • FACT Act (The Fair and Accurate Credit Transactions Act - 2003, ID Theft Red Flags)
  • E-Sign (The Electronic Signatures in Global and National Commerce Act - 2000)
  • UETA (Uniform Electronic Transaction Act - 1999)
  • Proposed Reg GG (Prohibition on Funding of Unlawful Internet Gambling)

Institution Risk Management Processes

Financial Institutions that offer Internet banking services should expand their information security programs to address online services. An institution’s risk management processes for Internet banking services may also include:

  • A comprehensive Internet banking policy and daily operating procedures for granting online account access, account reconciliations, and review of daily system reports.
  • Compliance and/or legal review of all Internet disclosures, forms, and customer agreements. Institutions will need to ensure consistency of online disclosures with disclosures provided offline.
  • Review of website advertising and control processes for making website changes.
  • Establishment of record retention requirements for various system-generated reports, emails, and advertisements displayed on websites.
  • Back-up copies of websites and/or system-related software (if applicable).
  • Annual internal audits and compliance reviews to review adherence to policy guidelines.
  • Periodic reporting to the board of directors or executive management on system availability and customer adoption rates.

Continued new legislation and the lack of clear guidance in some areas can make compliance on the Internet challenging. Financial institution compliance officers and their service providers must remain ever-vigilant to stay apprised of the evolving regulatory environment and risks associated with Internet banking.

Other Good Resources

The following resource list will assist institutions in compliance risk management on the Internet.

The Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbooks
http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

The Federal Trade Commission has very good resources on Internet advertising, the prevention of identity theft, and compliance with the Children’s Online Privacy Protection Act (COPPA).
http://www.ftc.gov/bcp/edu/microsites/idtheft/

http://www.ftc.gov/bcp/conline/edcams/kidzprivacy/index.html

Several federal and state regulators (NCUA, FDIC, OCC) have specific sections of their websites devoted to Internet banking and e-commerce related topics.

FDIC’s Financial Institution Letters on E-Banking
http://www.fdic.gov/regulations/information/fils/index.html

NCUA Guidance on Information Systems and Technology
http://www.ncua.gov/IST/index.htm

Office of the Comptroller of the Currency
http://www.occ.treas.gov/netbank/netbank.htm

Numerous trade association and commercial resources are also available to assist institutions in establishing Internet related services.

Angela Shoemaker is financial institution compliance manager for FundsXpress Financial Network, Inc. in Austin, Tex. She can be reached at 1-800-419-8804 ext. 2563 or angela.shoemaker@fxfn.com.

Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.