
Page 1: ttsmedia.ttstrain.comttsmedia.ttstrain.com/ESignHOKM092315.docx  · Web viewIn the House of Representatives ... Are the institution’s foreclosure processes and controls effective

E-Sign Compliance and the Account Life Cycle

Sponsored by

September 23, 2015, 1:30-3:30

Presented by:

Susan Costonis, C.R.C.M., Compliance Training & Consulting for Financial Institutions

E-mail: [email protected]

E-Sign Compliance & The Product Life Cycle © Susan Costonis, C.R.C.M., Compliance Training and Consulting


TABLE OF CONTENTS

OVERVIEW FOR E-SIGN COMPLIANCE ........ 3
WEBINAR AGENDA ........ 4
OVERVIEW OF E-BANKING COMPLIANCE ISSUES ........ 5
THE ESIGN ACT ........ 10

PRODUCT LIFE CYCLE ........ 13
THE PRODUCT LIFE CYCLE OVERVIEW ........ 14
SEVEN STAGES OF THE PRODUCT LIFE CYCLE DIAGRAM ........ 15
SEVEN STAGES OF THE PRODUCT LIFE CYCLE CHART ........ 16
STAGE ONE – STRATEGIC CONSIDERATIONS ........ 18
STAGE TWO – PRODUCT DESIGN ........ 20
STAGE THREE – MARKETING ........ 22
STAGE FOUR – PRODUCT DELIVERY ........ 24
STAGE FIVE – ORIGINATION OR CONSUMMATION ........ 26
STAGE SIX – PRODUCT AND DURATION ........ 27
STAGE SEVEN – TERMINATION ........ 29
TAKE-AWAYS FROM THE PRODUCT LIFE CYCLE PROCESS ........ 31

CONSUMER CONSENT PROCESS ........ 32
CONSUMER CONSENT OVERVIEW ........ 33
SIX STEP CONSUMER CONSENT PROCESS ........ 34

BASIC STEPS FOR IMPLEMENTATION ........ 37
E-SIGN COMPLIANCE 101 ........ 38
FFIEC CYBERSECURITY RISK ASSESSMENT ........ 39
FFIEC E-BANKING RISKS ........ 41
RISK MANAGEMENT OF E-BANKING ACTIVITIES ........ 42
BEYOND E-SIGN – BEST PRACTICES AND LEGAL CONCERNS ........ 43
TEN CONSIDERATIONS WHEN SELECTING AN E-SIGNATURE VENDOR ........ 45
E-BANKING COMPONENTS ........ 48
WEBLINKING ........ 53
MANAGING VENDOR RISK ........ 54

E-SIGN RESOURCES ........ 56
E-SIGN ACT ........ 57
FIL-030-2013 WEBLINKING GUIDANCE ........ 63
COMMON E-SIGN QUESTIONS ........ 64
FDIC E-SIGN EXAM PROCEDURES ........ 66
SOCIAL MEDIA AND E-BANKING MANAGEMENT GUIDANCE ........ 72
FEDERAL RESERVE E-SIGN CHECKLIST ........ 73
SOCIAL MEDIA POLICY TEMPLATE ........ 76
FFIEC EXAM PROCEDURES FOR E-BANKING EXAMINATIONS ........ 85
APPENDIX B – GLOSSARY ........ 104
WHAT'S NEW – FFIEC CYBERSECURITY ........ 109
SOURCES OF INFORMATION FOR MANAGING E-BANKING ........ 111



Overview for E-Sign Compliance



WEBINAR AGENDA

The world of electronic banking continues to evolve and bankers want to keep pace with technology and customer preferences. Recent surveys indicate that 51% of adults in the U.S. bank online and 32% bank with mobile phones. What steps must be followed to be in compliance with E-Sign?

WHAT YOU WILL LEARN:

What are the rules? There is federal and state legislation for E-Sign.

Which deposit and lending regulations are related to E-Sign and have specific provisions for compliance?

Common questions, resources, and exam procedures.

Consumer consent is a six-step process:

1. Availability of Paper Delivery or Paper Copies
2. Consent Choices
3. Consumer Actions
4. Hardware/Software Requirements
5. Affirmatively Consent
6. After Consent Disclosure

Basic Steps for E-Sign Implementation:

1. Getting Started
2. Identify Pain Points
3. Build Consensus
4. Vendor Selection Considerations
5. Think big, but start small
6. Assess the Risk
7. Learn from a test project and steps to production



OVERVIEW OF E-BANKING COMPLIANCE ISSUES

The Federal Reserve Bank of Boston published a helpful summary of E-Banking issues; this is the link: https://consumercomplianceoutlook.org/2013/fourth-quarter/overview-of-e-banking-compliance-considerations/

INTRODUCTION

According to a recent survey, 51% of U.S. adults bank online, and 32% bank with their mobile phones.1 Both consumers and banks have benefited from this migration to e-banking. Consumers enjoy the convenience of conducting many banking transactions with their computers or mobile devices, while financial institutions appreciate the cost savings from e-banking. But the shift to Internet banking can also raise compliance concerns. As banks adapt products and services to allow for more electronic banking options, the risk of noncompliance with applicable consumer protection laws and regulations increases. This article provides a high-level overview of some e-banking compliance considerations for Regulation X — Real Estate Settlement Procedures Act (RESPA), Regulation Z — Truth in Lending Act (TILA), Regulation B — Equal Credit Opportunity Act (ECOA), Regulation E — Electronic Fund Transfer Act, and Regulation DD — Truth in Savings Act (TISA).

Regulations X and Z

An increasing number of residential mortgages are originated online.2 Creditors relying on electronic disclosures to satisfy mortgage disclosure requirements must ensure they are complying with the Electronic Signatures in Global and National Commerce Act (E-Sign Act), 15 U.S.C. §7001 et seq. The E-Sign Act permits the use of electronic disclosures to satisfy laws or regulations requiring written disclosures if the E-Sign Act’s consumer consent requirements are satisfied.3 The Federal Reserve Board’s 2007 final rule amending Regulation Z to include E-Sign Act compliance requirements discussed which sections of the regulation then in effect require compliance with the E-Sign Act consumer consent requirements and which sections permit electronic delivery without regard to the consent requirements.4 Similarly, the Consumer Financial Protection Bureau (CFPB) amended Regulation X effective January 10, 2014, to reiterate that electronic disclosures are permitted under the E-Sign Act for all provisions of the regulation, provided the consent requirements are satisfied.5

Institutions must ensure that when a borrower submits a completed, closed-end residential mortgage application electronically, the application disclosures currently required by Regulations X and Z are provided to consumers within three business days: the Good Faith Estimate (GFE),6 the Servicing Disclosure,7 and the early TILA disclosures.8 In addition, for closed-end loans with adjustable rates, the disclosures required by 12 C.F.R. §1026.19(b) must be provided at application or before the consumer pays a nonrefundable fee. For home-equity lines of credit, the disclosures required by 12 C.F.R. §1026.40(d) and (e) must be provided at application unless an exception applies.9

Another concern with electronic mortgage originations is the requirement in Regulation X, 12 C.F.R. §1024.7a(4), that fees other than a credit report fee cannot be imposed until a consumer receives the GFE and indicates an intent to proceed with the transaction:

The lender is not permitted to charge, as a condition for providing a GFE, any fee for an appraisal, inspection, or other similar settlement service. The lender may, at its option, charge a fee limited to the cost of a credit report. The lender may not charge additional fees until after the applicant has received the GFE and indicated an intention to proceed with the loan covered by that GFE.10 (emphasis added) (UPDATE NOTE – The Integrated Disclosure Rule in Regulation Z becomes effective October 3, 2015 and continues this limitation.)

If a consumer submits an application online, the loan originator should have a procedure to verify and capture the applicant’s intent to proceed after the required disclosures have been provided. For example, after providing the disclosures, the creditor could call the borrower or send a follow-up e-mail to determine if the borrower wants to proceed with the loan. If the creditor does this by phone, the call should be documented in the creditor’s systems.

Additionally, an institution must ensure that its online advertisements for mortgages comply with Regulation Z’s advertising requirements. The regulation contains specific advertising requirements for open-end home equity lines of credit in 12 C.F.R. §1026.16(d) and for closed-end dwelling-secured credit in 12 C.F.R. §1026.24(f). The regulation also has requirements for electronic advertisements that use terms requiring additional disclosures.11

In this changing regulatory environment, it is also important that financial institutions maintain systems to monitor and implement regulatory changes, including changes to e-banking systems, so they are prepared to implement final rules. For example, the CFPB’s integrated disclosure rule contains significant changes to the application and consummation disclosures as well as accompanying regulatory requirements that will require significant changes to creditors’ systems.

Regulation B

Regulation B requires creditors to notify consumers of the action taken on a submitted application, including those submitted electronically. The time frame depends on the creditor’s decision on the application, as prescribed by 12 C.F.R. §1002.9(a), which requires a creditor to notify an applicant of action taken within:



i. 30 days after receiving a completed application concerning the creditor’s approval of, counteroffer to, or adverse action on the application

ii. 30 days after taking adverse action on an incomplete application, unless notice is provided in accordance with paragraph (c) of this section

iii. 30 days after taking adverse action on an existing account, or

iv. 90 days after notifying the applicant of a counteroffer if the applicant does not expressly accept or use the credit offered.

For applications submitted online, a creditor must ensure its systems notify the consumer of the action taken within these time frames. Consumer adverse action notices provided electronically are subject to the E-Sign Act’s consent requirements.12

The Dodd-Frank Act amended the ECOA’s notice requirements for appraisals effective January 18, 2014. Under the amendment, a creditor must notify an applicant for a first-lien mortgage loan that the creditor may order an appraisal or other written valuation to determine the value of the property securing the loan and will promptly provide the applicant with a copy, even if the loan is not consummated.13 The appraisal or valuation may be provided electronically subject to compliance with the E-Sign Act’s consent provisions,14 while the notice may be provided without regard to the consent requirements.15

Regulation E

If a consumer applies for credit electronically, a financial institution may believe the consumer is a good candidate to repay the loan using preauthorized electronic transfers. Many institutions prefer this repayment method because the payments are automatic, as well as easier and faster to process than a check payment. However, Regulation E prohibits creditors from conditioning the extension of credit on the consumer’s agreement to repay the loan using a preauthorized electronic transfer:

No financial institution or other person may condition an extension of credit to a consumer on the consumer’s repayment by preauthorized electronic fund transfers, except for credit extended under an overdraft credit plan or extended to maintain a specified minimum balance in the consumer’s account. (12 C.F.R. §1005.10(e)(1))



Thus, the creditor must ensure that its electronic application for credit does not obligate the consumer to agree to preauthorized electronic transfers to repay the obligation. A creditor may offer the consumer the option to repay through preauthorized electronic transfers, but such transfers cannot be the only permissible method of repaying the extension of credit.

Regulation DD

In addition to processing loan applications online, some financial institutions accept online applications for deposit products. Regulation DD permits electronic disclosures that comply with the requirements of the E-Sign Act and waives the E-Sign Act’s consent provisions for two requirements:16

The disclosures required by this part may be provided to the consumer in electronic form, subject to compliance with the consumer-consent and other applicable provisions of the Electronic Signatures in Global and National Commerce Act (E-Sign Act) (15 USC 7001 et seq.). The disclosures required by sections 1030.4(a)(2) [account disclosures upon request] and 1030.8 [advertising] may be provided to the consumer in electronic form without regard to the consumer-consent or other provisions of the E-Sign Act in the circumstances set forth in those sections.

It is also important to note that banks must issue TISA disclosures to a consumer who applies electronically before an account is opened or services are rendered:

If a consumer who is not present at the institution uses electronic means (for example, an Internet website) to open an account or request a service, the disclosures required under [§ 1030.4(a)(1)] must be provided before an account is opened or a service is provided.17

Therefore, banks must ensure that all necessary disclosures are issued to consumers in the required time frame for online deposit account applications.

Online advertisements are also subject to the advertisement requirements under the TISA; therefore, banks must ensure that deposit advertisements, including online advertisements, are compliant. For further information regarding advertising requirements under the TISA, refer to the article “Understanding Regulation DD’s Advertising Requirements” by Amy Armstrong that was published in the Fourth Quarter 2010 issue of Outlook.

CONCLUSION

The migration to e-banking has benefitted consumers and financial institutions. But e-banking can also raise compliance concerns under the E-Sign Act and Regulations B, E, X, Z, and DD. Financial institutions must ensure e-banking products and services comply with these laws and regulations. Specific issues and questions should be raised with your primary regulator.



1 Susannah Fox, “51% of U.S. Adults Bank Online,” Pew Research Center, Aug. 7, 2013.

2 Mitch Lipka, “Online mortgages boom despite housing bust,” Reuters, Jan. 23, 2012.

3 15 U.S.C. § 7001(c)(1). Outlook reviewed the consent requirements in 2009. See Jeffrey Paul and Gary Louis, “Moving From Paper to Electronics: Consumer Compliance Under the E-Sign Act,” Consumer Compliance Outlook, Fourth Quarter 2009.

4 72 Fed. Reg. 63462 (Nov. 9, 2007).

5 See amended 12 C.F.R. §1024.3 (“The disclosures required by this part may be provided in electronic form, subject to compliance with the consumer consent and other applicable provisions of the [E-Sign Act].”), 78 Fed. Reg. 10696, 10711 (Feb. 14, 2013).

6 12 C.F.R. §1024.7(a).

7 12 C.F.R. §1024.21(b).

8 12 C.F.R. §1026.19(a). The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) directed the CFPB to conduct a rulemaking to integrate the RESPA and TILA mortgage disclosures required at application and at consummation into a single disclosure. The CFPB issued a final rule in November 2013 for the integrated disclosure that becomes effective August 1, 2015, 78 Fed. Reg. 79730 (Dec. 31, 2013). This article is based on the current rule.

9 12 C.F.R. §1026.40(b).

10 See 12 C.F.R. §1024.7(a)(4). The existing regulation does not define “intent to proceed.” The CFPB’s final rule integrating the RESPA and TILA disclosures elaborates on the meaning of “intent to proceed.” See 12 C.F.R. §1026.19(e)(2)(i)(A) and Comment 19(e)(2)(i)(A)-2. This rule is effective August 1, 2015.

11 12 C.F.R. §1026.16(c) and 12 C.F.R. §1026.24(e). The Official Staff Commentary for these sections of the regulation also discusses electronic advertisements.

12 The consent requirements only apply to disclosures that must be provided in writing. For the required notices in §1002.9(a), only consumer adverse action notices must be provided in writing. The other notices can be provided electronically without regard to the consent requirements.

13 12 C.F.R. §1002.14.

14 12 C.F.R. §1002.14(a)(5).

15 12 C.F.R. §1002.4(d)(2).

16 12 C.F.R. §1030.3(a).

17 12 C.F.R. §1030.4(a)(1)(ii).



THE ESIGN ACT

The ESIGN Act established the legitimacy of signing contracts and documents online, streamlining business operations and eliminating paper burdens for consumers. As anyone who has ever applied for a loan from the living room couch or opened a bank account at 2 a.m. can attest, doing business online has made life infinitely more convenient. What most people may not realize is what a large role the ESIGN Act, officially known as The Electronic Signatures in Global and National Commerce Act, played in allowing consumers to take advantage of these modern conveniences.

History of the E-Sign Act

From the beginning, the ESIGN Act had significant support in Congress. One of the most ardent supporters was Spencer Abraham, a Senator from Michigan who believed the bill would spur e-commerce by eliminating fears over the vulnerability of electronic contracts. In the House of Representatives, Rep. Tom Bliley and Rep. Anna Eshoo were two of the first legislators to show an interest in solidifying e-commerce contracts.

A number of bills relating to electronic commerce were introduced in 1999. Over the course of a year, these bills were revised, broadened, and ultimately combined. Senate Bill 761 and House Bill 1714 shared the goal of promoting electronic commerce while maintaining technological neutrality. Although HR 1714 was originally narrow in scope, it was later broadened to include many more provisions for protecting consumers.

By the time the ESIGN Act was signed into law by President Bill Clinton on June 30, 2000, a handful of states had already passed laws regarding electronic recordkeeping. What the ESIGN Act did for the nation, however, was to establish a federal safety net to ensure that electronic contracts would be legal for interstate and global commerce.

Electronic Signature Validity

Before the ESIGN Act was signed, businesses were struggling with how to handle online transactions. Although many companies were accepting electronic signatures, there were still questions as to how well these signatures would stand up in court.

The ESIGN Act confirmed that electronic signatures have the same legal standing as pen-and-paper signatures, and a contract or record of transactions may not be denied legal effect or ruled unenforceable simply because it is in electronic form. Eleven years have passed since the ESIGN Act was signed into law, and numerous court cases have fully supported the legal integrity of e-signatures.



The Act grandfathered in existing agreements that were delivered electronically prior to October 1, 2000, although all agreements made after that date must follow the guidelines set forth in the ESIGN Act in order to be considered legally binding.

Consent and Disclosures

The ESIGN Act calls for consumers to have given consent and received any necessary disclosures as part of the electronic contracting process. The consumer is to be provided with a “clear and conspicuous statement” regarding the option to receive the record in a non-electronic form, if any, and the right to withdraw consent at any time. In practice, however, few companies that use electronic signature technology in their business operations provide clients with the option to receive paper contracts. These businesses are still in compliance with federal guidelines, as the ESIGN Act consumer consent provisions clearly state that a paper option is not required, and failure to obtain such consent does not affect the validity of any executed document.

However, the consumer should always be provided with information on how to access and retain the electronic record or document, based on the hardware or software being used. By confirming the receipt of a record electronically, a consumer has demonstrated that he can access and retain the electronic information.

Retaining Original Documentation

Businesses must retain evidence of contractual agreements to fulfill legislative requirements and to clarify any future questions about the legitimacy of a contract or the details of specific terms. This is true whether a document is in paper or electronic format. One of the advantages of an e-signature software service is that it stores executed agreements in a secure online archive, easily satisfying the retention requirements. Guidelines require that these records remain accurate and accessible to all parties involved for a length of time that is determined by the state agency or governing body having jurisdiction over a specific type of document, contract, or transaction.

Federal and State Regulations

One of the reasons why Congress was so motivated to pass the ESIGN Act in 2000 was to ensure that interstate commerce would not be complicated by competing e-signature laws in various states. Thus, the ESIGN Act established that its specific guidelines may only be modified or limited by states in the case of adopting the Uniform Electronic Transactions Act (UETA), which almost all states subsequently did, or when alternative and similar procedures were provided.

Exceptions to the E-Sign Act

While the ESIGN Act has been lauded for its comprehensiveness, the Act does not apply to every type of documentation. Certain types of records and documents are not covered by the ESIGN Act. These include:



Wills, codicils, and trusts
Adoption paperwork
Divorce decrees
Certain areas of the Uniform Commercial Code
Court orders and notices
Official court documents, including briefs and pleadings
Notices of the termination of utility services
Notices of default, foreclosure, repossession, or eviction
The cancellation of insurance benefits
Product recalls or notices of material failures
Documentation accompanying the transportation of hazardous materials



Product Life Cycle



THE PRODUCT LIFE CYCLE OVERVIEW

In today’s highly competitive banking environment, a financial institution may believe that making changes to the products and services it offers provides an advantage over its rivals and a path to higher profits. While it is understandable that an institution may want to respond to a competitive environment with new products and services, this decision is not without risks. New products or services may be subject to complex regulatory requirements and may necessitate staff training, new disclosures and forms, updated policies and procedures, and system changes and testing. Changes to products and services should also be consistent with corporate strategic objectives. Financial institutions that are successful in introducing new products or services employ a structured and repeatable process to manage any associated compliance risks. “By considering risks before introducing new products and services, management can identify and mitigate them in advance and avoid potentially costly and unintended consequences.”

Management teams that successfully identify and roll out new products and services typically have a documented, repeatable, and auditable process to guide their decision making. In practice, this often means that the board approves and the management team follows comprehensive new product policies and procedures, documents decisions sufficiently, and ensures that all relevant functions within the organization appropriately engage with one another. Management and the board are wise to assess the sufficiency of their new product policies and procedures. They may want to consider whether these policies:

Require management and staff from various functions – including compliance, accounting, risk, internal audit, and line management – to vet, review, and recommend new products and services for senior management or board approval;

Cover the investigative stages of new products and services as well as the approval and deployment stages;

Require that operating policies and procedures are updated to provide clear guidance to staff on how to comply with all legal or regulatory requirements associated with the new product to avoid violations of law and undue exposure to legal liability prior to product introduction;

Address and mitigate risks throughout the product life cycle, including pricing, marketing, distribution, accounting, and ongoing service and maintenance; and

Require a post-decision review to determine whether the new product or service met the expectations and assumptions used to support the decision.

SEVEN STAGES OF THE PRODUCT LIFE CYCLE DIAGRAM



The product life cycle consists of different stages that a product or service goes through from inception to termination. The following table details the different stages and provides an illustrative (though not exhaustive) list of factors to consider at each stage of the process to help manage consumer compliance risk.

Each of the seven stages is reviewed in the following sections, together with the risks associated with that stage and some of the management considerations specific to it.

SEVEN STAGES OF THE PRODUCT LIFE CYCLE CHART


STAGE: 1. Strategic Considerations
DEFINITION: Incorporates the strategic analysis behind an established, new, or modified product. This includes analyzing the strategic fit for the institution and its customers, as well as any components tied to product development (controls, compensation, platforms, etc.) and the overall benefit of the product to the institution and to consumers.
CONSIDERATIONS:
• Strategic goals and areas of expertise
• Involvement of the board of directors, management, business line, legal, and compliance
• Regulations or guidance
• Emerging issues related to the product, including legal activity
• Processes (developing procedures and operating systems, training staff, monitoring activities, and setting controls)
• Use and role of third parties

STAGE: 2. Product Design
DEFINITION: Addresses the process of developing the actual product and specific considerations such as profitability and fee structure.
CONSIDERATIONS:
• Target market
• Relationship to other products
• Applicability of laws and regulations
• Types of fees assessed
• Delivery systems

STAGE: 3. Marketing
DEFINITION: Outlines the manner in which the product is targeted and marketed.
CONSIDERATIONS:
• Advertising
• Cross-selling to customers
• Targeting solicitations

STAGE: 4. Product Delivery
DEFINITION: Incorporates the components of the initial interface, including the selling and/or application process.
CONSIDERATIONS:
• Steering risk
• Applications
• Disclosures
• Fees and terms
• Role of compensation and incentives

STAGE: 5. Origination or Consummation
DEFINITION: Describes the process by which a customer qualifies for and obtains the product or service.
CONSIDERATIONS:
• Disclosures
• Incentives and compensation structures
• Pricing and underwriting discretion

STAGE: 6. Product Use and Duration
DEFINITION: Incorporates any and all aspects of a product after the origination or consummation stage; includes servicing, maintenance, dispute resolution, changes in terms, default or misuse, additional fees, or other costs.
CONSIDERATIONS:
• Periodic statements and disclosures
• Servicing practices and third-party servicers
• Communications
• Repayment options
• Mobile banking platforms
• Delivery systems
• Complaints

STAGE: 7. Termination
DEFINITION: Addresses the process of the consumer voluntarily discontinuing use of the product, the institution's process of discontinuing the product, or any other process in which the relationship between the consumer and the product ends.
CONSIDERATIONS:
• Communications
• Procedures and practices
• Loss mitigation, collection, and foreclosure


STAGE ONE – STRATEGIC CONSIDERATIONS

Board and Senior Management Involvement

The products and services that a financial institution offers reflect the board's and senior management's compliance risk appetite and should align with the institution's strategic plan and its level of expertise. It is important that all key stakeholders (directors, compliance officers, marketing officers, general counsel, operations management, and other senior management) be involved in strategic product decisions. Fully engaging key stakeholders enhances the process of identifying and managing risks. It is helpful to articulate strategic goals for new products and services with measurable objectives (e.g., to increase market share or to increase noninterest income) and to identify the expected benefit to customers. The goals should be vetted with the board and senior management, who need to consider the following issues:

The financial institution's risk appetite

Its areas of expertise and its ability to deliver the new product or service

Consumers' perceived need for the product

Current federal and state consumer protection laws, regulations, and guidance

Financial institution resources

Anticipated future regulatory requirements

Legal challenges related to the product or service, including lawsuits, consumer complaints, or public enforcement actions

From a supervisory standpoint, compliance examiners will often evaluate new products and services because they can increase consumer compliance risk. Management teams are encouraged to discuss proposed new products and services with their regulators to ensure that any regulatory concerns are addressed early in the decision-making process.

Resources and Expertise

Another consideration is whether the institution has the resources and expertise to offer the product or service. Regulators too often see management teams introduce product offerings without fully understanding the compliance requirements, the potential risks, the impact on customers, and the resources needed to successfully introduce and provide ongoing operational support for the new product or service. Potential factors to consider include the following:

What knowledge is needed to effectively deliver the product or service?

Does the financial institution currently possess, or can it cost effectively acquire, the required expertise and staffing level, not only in the business line but also in the compliance and audit areas?

Can the financial institution's computer systems handle the increased usage resulting from any new products or services?

Does the financial institution currently possess, or can it cost effectively acquire, the operational capacity to deliver the product or service (e.g., automated processing, centralized operations, use of third-party service providers)?

What are the consequences of noncompliance or failure to deliver the product as promised?

Third Parties

The decision to use third-party vendors for a product or service should be considered during the strategic planning process. When properly chosen and managed, third parties can provide an institution with valuable expertise and service that the institution cannot cost effectively provide on its own. The depth and formality of a service provider risk management program will depend on a number of factors, including the complexity and materiality of the activity being outsourced.

Nonetheless, overreliance on third parties increases compliance risk if they are not adequately monitored. Financial institutions that do not have the requisite expertise or that do not ensure adequate oversight over their service providers are more likely to encounter challenges complying with the applicable regulatory requirements. In more serious instances, they may be exposed to third-party activities that adversely impact consumers, and such actions may result in adverse outcomes for the financial institution, including enforcement actions and penalties in the most extreme cases.


STAGE TWO – PRODUCT DESIGN

Considerations at this stage include the specific features and benefits that will define the product. Examiners occasionally observe that compliance staff members are either absent from the product design and development process or involved only in the final review of a product before it is introduced or after it has been launched and transactions have been consummated. Successful management teams involve compliance staff throughout the entire design and development process. Risk analysis in the design stage should focus on the specific requirements applicable to the particular product as designed. This helps to ensure that the institution develops an appropriate internal control infrastructure around the product to ensure compliance and to reduce the risk of harm to the consumer.

Fairness

Successful products and services are designed with fairness in mind. This means delivering a value proposition in which the financial institution earns a profit while satisfying a customer need. It is more than simply complying with specific regulatory requirements, since technical compliance alone does not mean that a product is free from potential consumer harm. As the Federal Reserve Board and the Federal Deposit Insurance Corporation (FDIC) stated in their 2004 joint guidance on unfair or deceptive acts or practices (UDAP): "[T]here may be circumstances in which an act or practice violates section 5 of the FTC Act even though the institution is in technical compliance with other applicable laws, such as consumer protection and fair lending laws. [Financial institutions] should be mindful of both possibilities." With the continued regulatory focus on fairness and consumer harm, institutions should always consider possible UDAP implications for their products and services, address them early in the design process, and monitor them throughout the product life cycle. Examples of questions to ask include:

Does the product or service provide a win-win situation in which a customer need is satisfied and the bank earns a profit?

Are the features or terms difficult for the customer to understand?

Can communications about the product's terms and features be made clearly, conspicuously, accurately, and timely?

Does the product have unintended consequences that could be harmful to customers?

Complexity

As financial products and services become increasingly complex, the potential for consumer harm increases. Product features such as numerous conditional requirements, options, or variations contribute to complexity and the level of inherent compliance risk. When a product is overly complex, consumers may not understand all of its features or costs. Moreover, institutions may not be able to deliver the product as promised. Product attributes that may contribute to increased inherent compliance risk include:


Offering large numbers of similar accounts — for example, credit cards or deposit accounts — that have many different features, terms, or conditions makes it challenging for the consumer to compare them and understand the differences.

Making product changes during the life cycle that will require additional disclosures and/or actions by the institution to comply with legal or regulatory requirements.

Including features that can be explained only with disclosures that use dense, legal language and that span many pages.

To mitigate the risk involved with complex products and services, management may wish to consider simplifying product and service offerings during this stage.


STAGE THREE - MARKETING

Marketing involves much more than simply advertising, and the associated compliance risks extend well beyond meeting technical advertising rules. For example, the Interagency Fair Lending Examination Procedures discuss fair lending risks that can arise in marketing, such as the use of marketing programs for residential loan products that exclude geographies within the institution’s assessment or marketing area that have significantly higher percentages of minority group residents than the rest of the assessment or marketing area. For this reason, it is important that compliance and marketing staff collaborate in developing all marketing strategies. Bringing compliance into the process early is a sound practice because it is more difficult and costly to make changes later in the process. An illustrative list of marketing questions for management to consider includes:

Is the product accurately portrayed and disclosed in all marketing materials (this would include not just advertising but scripts, training materials, and similar items)?

Can a consumer readily understand and reap the benefits of the product?

Has staff been appropriately trained to sell the product?

Did the compliance staff participate in, or at least review, the marketing strategies and materials for compliance with applicable laws and regulations?

UDAP risk increases when products and services are targeted to potentially vulnerable populations. As stated in the UDAP Guidance:

"The need for clear and accurate disclosures that are sensitive to the sophistication of the target audience is heightened for products and services that have been associated with abusive practices. Accordingly, financial institutions should take particular care in marketing credit and other products and services to the elderly, the financially vulnerable, and customers who are not financially sophisticated."

Advertisements

A number of federal laws and regulations apply to advertisements for consumer products and services. Some of the common applicable federal laws and regulations include (but are not limited to):

PRODUCT/SERVICE : LAW/REGULATION
All consumer financial products and services : UDAP
Credit : Equal Credit Opportunity Act (ECOA)/Regulation B; Fair Housing Act; Truth in Lending Act/Regulation Z
Deposit : FDIC regulations; Truth in Savings Act/Regulation DD
Overdrafts : Electronic Fund Transfer Act/Regulation E; Truth in Savings Act/Regulation DD
Credit Reports : Fair Credit Reporting Act/Regulation V


It is important that advertisements, including those on the web and in social media, are reviewed to ensure they comply with these and any other applicable laws or regulations. State law also may apply and should be considered.


STAGE FOUR – PRODUCT DELIVERY

During the product delivery stage, risk analysis should focus on the initial customer interaction, including the sales and application processes. The interaction will vary based on the institution’s delivery channels, which may include traditional retail branches, the Internet, mobile applications, social media, brokers, referral sources, or other channels. It is essential that the risks within each delivery channel are identified. For example, institutions that use social media for product delivery may be exposed to increased reputation risk arising from any negative public reviews or comments. Activities that result in dissatisfied customers and/or negative publicity could harm the reputation and standing of the financial institution, even if the financial institution has not violated any laws. Therefore, financial institutions engaged in social media will want to be sensitive to, and properly manage, the reputation risks that arise from these activities.

During product delivery, compliance risks arise from regulatory requirements and restrictions regarding applications and the delivery and content of disclosures. For example, creditors must comply with the ECOA (Regulation B), which limits the applicant information that may be collected, sets time frames for responding to applicants, and requires that applicants be notified of the action taken within a certain time frame. As another example, Regulation E imposes disclosure requirements and substantive restrictions on overdraft programs. Generally speaking, a financial institution may not impose an overdraft fee for an ATM or one-time debit card (point-of-sale) transaction unless the consumer has been given the required disclosure and has affirmatively opted in to the program.

Increasingly, financial institutions are using third parties to deliver the institution’s products or are engaging in co-branding relationships in which third-party products are offered under the institution’s name. In many of these arrangements, the third party is positioned directly between the financial institution and the customer and is closely involved in product and service delivery, often with unfettered access to consumers. Because the board and senior management are ultimately responsible for all aspects of the institution’s operations, effective due diligence and ongoing supervision of the third parties will help to mitigate risks from these arrangements. A proactive approach to oversight may also help financial institutions identify and correct issues as they arise and before they result in violations of law or harm to consumers. As discussed earlier, institutions should also consider fairness in product delivery.

Another key concern is the risk that a customer may be inappropriately steered to a particular product, especially one that involves higher cost or questionable benefit given the particular customer's circumstances. This risk is exacerbated when incentives, including compensation structures, reward employees or third parties for selling products. Appropriate disclosure of the product cost, features, and limitations to the consumer is critical for these types of products. For example, many institutions offer an overdraft line of credit. If a fee is incurred to transfer funds from the line of credit to the customer's savings or checking account to cover an overdraft, or if an annual fee is incurred to maintain the line of credit, the fees should be adequately disclosed. If customers do not receive a clear explanation of the overdraft program, or if misleading sales tactics are used, they may be unable to make an informed decision about the product, which may expose the institution to UDAP risk. To help manage product delivery risk, management should consider the following illustrative list of questions:

Has the institution identified and addressed the risks associated with the applicable delivery channels?

How will the institution comply with the laws and regulations that govern the sales and application processes?

Are there compensation or other incentives that may drive risky behavior by employees?

If third parties are used, is the oversight sufficient and effective?

Will consumers receive all the necessary information to make an informed decision about the product during their initial interaction with the financial institution?


STAGE FIVE – ORIGINATION OR CONSUMMATION

Once the customer has decided on a product or service, factors to consider at the origination or consummation stage include qualifying the customer for the product, providing the required disclosures, and ensuring the disclosures accurately reflect the contractual costs and terms of the transaction. Depending on the product or service being offered and its means of delivery, specific regulatory requirements, including disclosures, may apply. For example, an institution that originates products online will also generally provide the requisite disclosures through electronic means, subjecting the institution to the provisions of the Electronic Signatures in Global and National Commerce Act (E-Sign Act).

For credit products, the institution should also consider potential fair lending risk. Inadequately controlled pricing and underwriting discretion increases the risk of disparities on a prohibited basis. Strong controls around product pricing and underwriting can mitigate these risks. Financial institutions should have well-documented qualification standards and pricing guidelines. Recognizing, documenting, and monitoring exceptions to policy are critical for mitigating fair lending risk.

When evaluating for UDAP risk during origination and consummation, the disclosures, product materials, and contractual agreements should be consistent with one another and clear, especially as they relate to the costs and terms of the transaction. In addition, disclosures or any other product information provided to the consumer should not include claims, representations, or statements that may mislead consumers about the cost, value, availability, cost savings, benefits, or terms of the product. As discussed earlier, compliant disclosures alone are not sufficient to prevent a UDAP finding if the consumer was otherwise misled about material product features.
To ensure the risk is appropriately managed during origination and consummation, management should consider the following illustrative list of questions:

Has the financial institution considered the risks for each origination channel? For example, risks associated with retail originations will differ from wholesale originations.

Has the financial institution considered the potential for fair lending and UDAP risk during product origination and consummation?

Has the institution implemented appropriate controls to mitigate any perceived risk?

Are the disclosures, product materials, and contractual agreements consistent with one another and clear?

WARNING! Disclosures or any other product information provided to the consumer should not include claims, representations, or statements that may mislead consumers about the cost, value, availability, cost savings, benefits, or terms of the product.


STAGE SIX – PRODUCT USE AND DURATION

The compliance risk of a product or service varies depending on its complexity and the duration of its use. The risk is typically greater for complex products such as a home equity line of credit or products that involve change over their life cycle (such as a variable rate mortgage), and when the usage period is long (such as a 30-year mortgage). By contrast, products that only involve a single point-in-time transaction have less risk. For example, the servicing of a mortgage loan is subject to numerous regulatory requirements during its long life cycle. These can include frequent borrower communications (such as periodic statements and subsequent disclosures), processing of regular payments, and the need to abide by specific servicing rules. Conversely, a remittance transfer, once sent, will likely have regulatory risk only if a consumer files a dispute, which generally must be done within 180 days of the disclosed funds availability date.

Regulatory Requirements and Guidance

Depending on the product, service, or the delivery system used, specific regulatory requirements and restrictions may apply. The more common requirements and restrictions may include, but are not limited to:

Annual privacy notices

Periodic statements

Subsequent disclosures, which may include those for:
• Changes in terms
• Account renewal/maturity
• Interest rate adjustment and/or payment change
• Force-placed insurance
• Adverse action

New servicing practices, which may include those for:
• Prompt crediting of payments
• Timely provision of payoff statements
• Error resolution and information requests
• Default monitoring and servicing of delinquent accounts
• Loss mitigation and foreclosure
• Debt collection

An institution should also consider guidance issued by regulatory agencies. For example, the federal banking agencies recently issued guidance on home equity lines of credit (HELOCs) nearing their end-of-draw periods. As noted in the guidance, supervised institutions are expected to promote compliance with applicable laws and regulations and to have adequate risk management practices to monitor, manage, and control the risks in their HELOC portfolios as lines near their end-of-draw periods.


Complaints

Regularly reviewing and evaluating customer complaints can provide insights into how well customers understand the institution's products and services. Complaints can come from a variety of sources, including customer service calls, written complaints to the financial institution or its primary regulator, customer reviews, or social media. Because complaints can serve as an early indicator of potential concerns, managing a product or service successfully will include a process to monitor and analyze complaints. While it is important to address the specific concerns of any particular customer, determining whether an issue is systemic and whether other customers may be affected is also important.


STAGE SEVEN - TERMINATION

Remember the old hit song, "Breaking Up Is Hard To Do"? The last phase of the product life cycle involves terminating a product or service. This may occur when a product has a fixed maturity, a customer voluntarily closes an account, or bank management decides to discontinue a product or service. Over time, especially in an environment of rapid technological change, customer demand for certain products and services may change. For example, consumers have largely shifted away from using paper checks and are relying instead on bill pay services, debit and credit cards, and, increasingly, mobile payments to make payments or purchase goods and services. An illustrative list of factors to consider during both customer and financial institution initiated termination of a product or service includes:

Financial Institution Initiated Termination

Does the financial institution provide advance notice to customers to allow them sufficient time to migrate to another product or service?

Is the institution complying with any applicable regulatory requirements? For example, the Real Estate Settlement Procedures Act (Regulation X) requires mortgage loan servicers to notify mortgage borrowers at least 15 days in advance when the servicer changes. Similarly, the Truth in Lending Act (Regulation Z) requires that if the owner of a loan sells or transfers it, the new owner must notify the borrower of the transfer.

Has the institution trained staff to answer questions from affected customers?

Is the institution discontinuing a credit product entirely or closing only certain accounts? If the latter is the case, would the closure criteria disproportionately affect customers on a prohibited basis?

Are the institution’s foreclosure processes and controls effective and do they comply with consumer protection regulations?

Product Maturity and Voluntary Account Closures

Does the institution respond accordingly to voluntary account closures? For example, Regulation Z contains specific requirements for responding to payoff requests.

Does the financial institution comply with applicable regulatory and contractual agreements at product maturity or voluntary account closure? For example, when a certificate of deposit account automatically renews, the financial institution may be required to send a maturity notice and renew the certificate of deposit according to the previous account agreement.

Innovation, market conditions, and consumer demand will always lead to new products and services in the financial services industry. The institutions that are most successful in introducing new products and services consider consumer compliance risk throughout the product life cycle. This framework considers various institutional, legal and regulatory, and environmental risk factors that may be present at each life cycle stage of the product or service. This comprehensive approach for managing compliance risk helps to ensure that financial institutions can obtain the benefits of the new products and services and avoid the unintended consequences that can derail an institution's product strategy. Specific issues and questions should be raised with your primary regulator.


TAKE-AWAYS FROM THE PRODUCT LIFE CYCLE PROCESS

Innovation, market conditions, and consumer demand will always lead to new products and services – change is inevitable! The financial institutions that are the most successful in introducing new products and services consider consumer compliance risk throughout the product life cycle. This framework considers various institutional, legal, regulatory, and environmental factors that may be present at each life cycle stage of the product or service. This comprehensive approach for managing compliance risk helps to ensure that financial institutions can obtain the benefits of the new products and services and avoid the unintended consequences that can derail an institution's product strategy. ASK PERMISSION, NOT FORGIVENESS – DISCUSS NEW INITIATIVES WITH YOUR PRIMARY REGULATOR!


Consumer Consent Process

CONSUMER CONSENT OVERVIEW

The world of electronic banking (e-banking) has been evolving for the past 40 years. It started in the 1970s with the introduction of automated teller machines (ATMs), which provided basic services, including access to cash and balance information. In the 1980s, as customers demanded remote services, we witnessed the development of in-home banking using a terminal, keyboard, television, and telephone lines for accessing deposit account information and transferring funds between accounts. In the 1990s, the emergence of the Internet had a significant impact on e-banking because of the widespread adoption of personal computers with Internet capabilities.

To facilitate and encourage electronic commerce, Congress enacted the Electronic Signatures in Global and National Commerce Act (E-Sign Act) on June 30, 2000.

The E-Sign Act states that the validity or enforceability of a contract, electronic record, or signature for a transaction affecting interstate commerce cannot be challenged solely because it is in electronic form or because an electronic signature or record was used in the formation of the contract.

E-SIGN ACT COMPLIANCE REQUIREMENTS

When businesses are legally required to make information available to a consumer in writing, the information can be delivered electronically as long as there is prior compliance with the E-Sign Act's consumer consent requirements. The requirements, which are discussed below, are fairly detailed to ensure that consumers receive the necessary protections in the electronic information (e.g., Truth in Lending disclosures).

SIX STEP CONSUMER CONSENT PROCESS

Step 1 - Availability of Paper Delivery or Paper Copies

Before seeking a consumer's consent to use electronic records, institutions must inform the consumer in a clear and conspicuous statement of any right or option to have the record provided in non-electronic form, the right to withdraw that consent, the consequences of withdrawing consent (including terminating the relationship), and any fees imposed in the event of withdrawal. Institutions must also inform consumers of their right to request a paper copy of an electronic record and whether any fees apply.

Step 2 - Consent Choices

Before seeking a consumer's consent to the use of electronic records, a financial institution must inform the consumer in a clear and conspicuous statement whether consent relates to a particular transaction only or whether consent relates to broader categories of information. Most financial institutions choose a product-by-product consent process.

Step 3 - Consumer Actions

Financial institutions must disclose to consumers the procedures to withdraw consent at a later date and to update the consumer's contact information, such as notifying the financial institution when the consumer's e-mail address changes.

Step 4 - Hardware/Software Requirements

Financial institutions must provide consumers with a statement detailing the hardware and software requirements to access and retain electronic records.

Step 5 - Affirmatively Consent

To ensure a consumer can communicate electronically with the financial institution to which consent has been provided, the E-Sign Act requires that the consumer provide consent electronically "in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent."

Step 6 - "After Consent" Disclosure

To ensure continued electronic access, financial institutions must provide consumers with a statement detailing any revised hardware and software requirements for access to and retention of electronic records, and the right to withdraw consent without the imposition of any fees for such withdrawal and without the imposition of any condition or consequence that was not disclosed. After providing this statement, institutions must again obtain consumers' affirmative consent as in Step 5. The procedures in Step 6 must be followed when the changes in hardware and software requirements create a material risk that consumers will not be able to access or retain electronic records.

The most difficult part of the E-Sign Act's rules is the correct method for consumers to "demonstrate" that they can access the required information electronically (Step 5). To show compliance with this requirement, financial institutions should keep records of the consent process itself: which disclosures were presented, when and how the consumer consented, and the evidence that the consumer demonstrated access in the format actually used for delivery. A financial institution's failure to obtain consumer consent properly can significantly affect its compliance with other consumer laws and regulations, such as Regulation E's error resolution procedure. Under Regulation E, a consumer's notice of error is generally timely if the institution receives it within 60 days after the institution sends the periodic statement on which the error first appears. If statements are sent only electronically and E-Sign consent was not obtained properly, the electronic statement may not count as having been sent, so the error period could be extended until a paper statement that includes the error is provided.

RELATIONSHIP OF E-SIGN ACT AND BOARD'S REGULATIONS

In 2007, the Board of Governors of the Federal Reserve System (Board) adopted amendments to five of its regulations (Regulations B, E, M, Z, and DD) providing that certain disclosures may be provided to consumers in electronic form, rather than on paper, without obtaining consent under the E-Sign Act. The amendments apply to the situation in which, for example, a consumer accesses an application or advertisement for credit or other financial services on the Internet. The Board stated that it believed that applying the consumer consent provisions in such situations could impose substantial burdens on electronic commerce and make it more difficult for consumers to gather information and shop for credit.

It is important to emphasize that these special provisions apply only to the specific sections of the regulations affected by the amendments (i.e., primarily disclosures affecting applications, solicitations, and advertising). For other disclosures — for example, under Regulation Z, account-opening disclosures, periodic statements, and change-in-terms notices — creditors are required to obtain the consumer's consent, in accordance with the E-Sign Act, to provide such disclosures in electronic form, or else provide disclosures in paper form. Also, the E-Sign Act does not affect the regulatory requirements for the timing, content, and format of consumer notices and disclosures. For example, §1026.5a of Regulation Z requires that credit card solicitation and application disclosures of the annual percentage rate for credit card purchase transactions must appear in a tabular format and be in a specified minimum font size. Creditors providing credit card solicitation and application disclosures electronically would still be required to adhere to these requirements.

Record Retention Issues

Retention by Financial Institutions. Under the E-Sign Act, if a financial institution is legally required to maintain copies of a contract or other records of a transaction, the institution may rely on an electronic record of the information that accurately reflects the information in the contract or other record, and that remains accessible to all persons who are legally entitled to access the information in a form that can later be reproduced.

Retainable Form for Consumers. The Board stated in the Federal Register preamble to the November 2007 final rule that financial institutions satisfy the requirement to provide electronic disclosures in a form that the consumer can retain if the disclosures are provided in a standard electronic format that can be downloaded and saved or printed on a typical home personal computer.

OTHER CONSUMER LAWS AND REGULATIONS

It is not necessary for a specific law or regulation to address compliance with the E-Sign Act because the act states that electronic documents and electronic signatures have the same validity as paper documents and handwritten signatures, notwithstanding any statute, regulation, or other rule of law generally. Therefore, documents such as the Department of Housing and Urban Development's HUD-1 and the good faith estimate forms required by the Real Estate Settlement Procedures Act can be provided in electronic formats. The revised requirements for Integrated Disclosures under Truth in Lending, effective October 3, 2015, allow the Loan Estimate and Closing Disclosures to be provided in electronic format.

Basic Steps for Implementation

E-SIGN COMPLIANCE 101

The E-SIGN Act, or Electronic Signatures in Global and National Commerce Act, establishes that electronic signatures, contracts and records are valid or enforceable if they meet certain criteria. The act is applying to an increasing number of Ninth District banks as they expand the product lines and services they offer electronically. As a result, examiners continue to identify violations involving electronic delivery of disclosures during consumer compliance examinations.

When must a bank follow the consent requirements of the E-SIGN Act?

Banks' reliance on the electronic version of a disclosure related to a loan, deposit account or banking service triggers the requirements of the E-SIGN Act. Put simply, banks must ensure that they meet the requirements of the E-SIGN Act as they eliminate paper disclosures.

What does the E-SIGN Act require?

The E-SIGN Act does not alter or limit any existing disclosure requirements or require any person to agree to use or accept electronic records or signatures. Consumers must consent to receiving disclosures electronically. The bank must do the following for customers prior to obtaining their consent:

Indicate whether customers have a right or option to receive information on paper.

Identify whether the consent relates to a particular transaction (e.g., account opening disclosures) or to ongoing disclosures over the course of the relationship (e.g., monthly statements and change-in-terms notices).

Explain that the consumer has the right to withdraw consent and provide the procedures to withdraw consent as well as the consequences of withdrawing consent, such as fees, termination of the relationship, loss of preferred pricing or having to switch account types.

Describe the procedures for updating the consumer's contact information.

Outline the hardware and software requirements for accessing and retaining records.

Explain how to obtain paper disclosures after consent has been given and describe any associated fees.

Consumers must also consent electronically, or electronically confirm consent, in a manner that reasonably demonstrates their ability to receive or access the information electronically. Having consumers retrieve a code contained within a document sent to them in the delivery format that will actually be used is one way to demonstrate access to the information.
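
The following Go program is an added example written for this handout, not code from the original page or from any vendor. It works through the six-step consent process and the code-retrieval demonstration described both here and in the Step 5 discussion of the consumer consent overview. It keeps the consent evidence the text says institutions should retain: when the pre-consent statements were shown, the scope of consent, a hash of the hardware/software statement, when the consumer demonstrated access by returning a one-time code delivered inside the document, and any withdrawal. The record layout, the plain-text document standing in for a PDF, and the choice to treat any change to the requirements statement as material (forcing Step 6 re-consent) are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ConsentRecord is the evidence kept for one consumer's E-Sign consent.
// The field names are this example's own, not terms from the Act.
type ConsentRecord struct {
	ConsumerID       string
	Scope            string    // Step 2: "single-transaction" or "ongoing-relationship"
	DisclosedAt      time.Time // Steps 1-4: when the pre-consent statements were shown
	RequirementsHash string    // Step 4: SHA-256 of the hardware/software statement shown
	codeHash         [32]byte  // Step 5: hash of the one-time code; the code itself is not kept
	DemonstratedAt   time.Time // Step 5: zero until the consumer proves electronic access
	WithdrawnAt      time.Time // Step 3: zero until the consumer withdraws consent
}

func hashString(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// NewConsentRequest builds the pending record and the document delivered in
// the format that will later be used (plain text stands in for PDF). The
// document carries a random one-time code, so only a consumer who can
// actually open it in that format can learn the code (Step 5).
func NewConsentRequest(consumerID, scope, requirements string, now time.Time) (string, *ConsentRecord, error) {
	raw := make([]byte, 6)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	code := hex.EncodeToString(raw)
	rec := &ConsentRecord{
		ConsumerID:       consumerID,
		Scope:            scope,
		DisclosedAt:      now,
		RequirementsHash: hashString(requirements),
		codeHash:         sha256.Sum256([]byte(code)),
	}
	doc := fmt.Sprintf("ELECTRONIC DELIVERY TEST\nRequirements: %s\n"+
		"To confirm you can open records in this format, enter this code: %s\n", requirements, code)
	return doc, rec, nil
}

// CodeFromDocument reads the code back out of the delivered document; it
// exists only so the example and its test can play the consumer's part.
func CodeFromDocument(doc string) string {
	if i := strings.LastIndex(doc, "code: "); i >= 0 {
		return strings.TrimSpace(doc[i+len("code: "):])
	}
	return ""
}

// ConfirmConsent completes Step 5 with a constant-time comparison against
// the stored hash. On a mismatch the record stays without consent, so paper
// delivery remains the only safe option for this consumer.
func ConfirmConsent(rec *ConsentRecord, enteredCode string, now time.Time) error {
	entered := sha256.Sum256([]byte(enteredCode))
	if subtle.ConstantTimeCompare(entered[:], rec.codeHash[:]) != 1 {
		return errors.New("demonstration code does not match; consent not recorded")
	}
	rec.DemonstratedAt = now
	return nil
}

// Withdraw records the consumer's withdrawal of consent (Step 3).
func Withdraw(rec *ConsentRecord, now time.Time) { rec.WithdrawnAt = now }

// ConsentInEffect reports whether electronic delivery may be relied on now
// and, if not, why. Treating any change to the requirements statement as
// material (forcing Step 6 re-consent) is this example's conservative assumption.
func ConsentInEffect(rec *ConsentRecord, currentRequirements string) (bool, string) {
	switch {
	case rec.DemonstratedAt.IsZero():
		return false, "consumer has not demonstrated electronic access"
	case !rec.WithdrawnAt.IsZero():
		return false, "consent withdrawn on " + rec.WithdrawnAt.Format(time.RFC3339)
	case rec.RequirementsHash != hashString(currentRequirements):
		return false, "hardware/software requirements changed; Step 6 re-consent required"
	}
	return true, ""
}

func main() {
	reqs := "Current web browser with PDF viewer; ability to save or print PDF files"
	doc, rec, _ := NewConsentRequest("cust-0001", "ongoing-relationship", reqs, time.Now())
	fmt.Print(doc)
	fmt.Println("wrong code:", ConfirmConsent(rec, "not-the-code", time.Now()))
	fmt.Println("right code:", ConfirmConsent(rec, CodeFromDocument(doc), time.Now()))
	fmt.Println(ConsentInEffect(rec, reqs+"; minimum screen width 1024 px"))
}
```

Two points from the text are visible in the code: consent is not in effect until the consumer has returned the code, so a mismatch leaves the institution on paper delivery for that consumer, and the retained evidence is a hash of the code rather than the code itself, so a leaked consent record cannot be replayed to fake a demonstration.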

FFIEC CYBERSECURITY RISK ASSESSMENT

See the “Resources:” section for additional information.

This is a portion of the “OVERVIEW” for Chief Executive Officers and Boards of Directors

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution’s inherent risk and preparedness are aligned.

Inherent Risk Profile

Cybersecurity inherent risk is the level of risk posed to the institution by the following:

Technologies and Connection Types

Delivery Channels

Online/Mobile Products and Technology Services

Organizational Characteristics

External Threats

Inherent risk incorporates the type, volume, and complexity of the institution's operations and the threats directed at the institution. Inherent risk does not include mitigating controls. The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. The profile helps management determine the exposure to risk that the institution's activities, services, and products individually and collectively pose to the institution.

When each of the activities, services, and products has been assessed, management can review the results and determine the institution's overall inherent risk profile.

Cybersecurity Maturity

The Assessment’s second part is Cybersecurity Maturity, designed to help management measure the institution’s level of risk and corresponding controls. The levels range from baseline to innovative. Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:

Cyber Risk Management and Oversight

Threat Intelligence and Collaboration

Cybersecurity Controls

External Dependency Management

Cyber Incident Management and Resilience

The domains include assessment factors and contributing components. Within each component, declarative statements describe activities supporting the assessment factor at each maturity level. Management determines which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
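
The cumulative rule in the paragraph above (a level counts only if every statement at that level and at every lower level is attained and sustained) is easy to misapply when a domain has strong practices at a higher level but a gap below. The following Go program is an added example, not part of the FFIEC Assessment or of this handout, that applies the rule to one domain. The statements are constructed sample data, not the FFIEC declarative statements, and the label "Not attained" for a domain that has not completed Baseline is this example's own.

```go
package main

import "fmt"

// MaturityLevels, lowest to highest, as named in the Assessment.
var MaturityLevels = []string{"Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"}

// Statement is one declarative statement within a domain: the level it
// belongs to and whether the institution has attained and sustained it.
type Statement struct {
	Level    string
	Text     string
	Attained bool
}

// DomainMaturity applies the cumulative rule: a domain is at level L only
// when every statement at L and at every lower level is attained. It returns
// the highest such level and the unmet statements at the first level that
// fails. "Not attained" is this example's label for a domain that has not
// completed Baseline; the Assessment has no name for that state.
func DomainMaturity(stmts []Statement) (level string, gaps []string) {
	byLevel := map[string][]Statement{}
	for _, s := range stmts {
		byLevel[s.Level] = append(byLevel[s.Level], s)
	}
	level = "Not attained"
	for _, l := range MaturityLevels {
		if len(byLevel[l]) == 0 {
			return level, []string{l + ": no statements recorded"}
		}
		for _, s := range byLevel[l] {
			if !s.Attained {
				gaps = append(gaps, l+": "+s.Text)
			}
		}
		if len(gaps) > 0 {
			return level, gaps
		}
		level = l
	}
	return level, nil
}

// AssessDomains scores each domain separately; the Assessment does not
// combine them into one overall maturity figure, so neither does this.
func AssessDomains(domains map[string][]Statement) map[string]string {
	out := map[string]string{}
	for name, stmts := range domains {
		out[name], _ = DomainMaturity(stmts)
	}
	return out
}

// SampleIncidentDomain is constructed sample data, not FFIEC statements:
// Baseline complete and Intermediate complete, but one Evolving gap.
func SampleIncidentDomain() []Statement {
	return []Statement{
		{"Baseline", "incident response plan documented and approved", true},
		{"Baseline", "staff know how to report a suspected incident", true},
		{"Evolving", "incident response plan exercised at least annually", true},
		{"Evolving", "lessons learned fed back into the plan", false},
		{"Intermediate", "automated alerting feeds the incident process", true},
		{"Advanced", "cross-institution incident sharing in place", false},
		{"Innovative", "incident prediction informs control changes", false},
	}
}

func main() {
	level, gaps := DomainMaturity(SampleIncidentDomain())
	fmt.Println("Cyber Incident Management and Resilience:", level)
	for _, g := range gaps {
		fmt.Println("  open:", g)
	}
}
```

With the sample data the domain scores Baseline, not Intermediate, even though every Intermediate statement is met: the one open Evolving statement caps the result, which is the point of the cumulative rule.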

FFIEC E-BANKING RISKS

The FFIEC IT Examination Handbook InfoBase e-banking booklet outlines the various e-banking risks. The subsections include:

Transaction/Operations Risk (see below)

Credit Risk

Liquidity, Interest Rate, Price/Market Risks

Compliance/Legal Risk

Strategic Risk

Reputation Risk

Transaction/Operations risk arises from fraud, processing errors, system disruptions, or other unanticipated events resulting in the institution's inability to deliver products or services. This risk exists in each product and service offered. The level of transaction risk is affected by the structure of the institution's processing environment, including the types of services offered and the complexity of the processes and supporting technology.

In most instances, e-banking activities will increase the complexity of the institution's activities and the quantity of its transaction/operations risk, especially if the institution is offering innovative services that have not been standardized. Since customers expect e-banking services to be available 24 hours a day, 7 days a week, financial institutions should make sure their e-banking infrastructures have sufficient capacity and redundancy for reliable service availability. Even institutions that do not consider e-banking a critical financial service, because alternate processing channels are available, should carefully consider customer expectations and the potential impact of service disruptions on customer satisfaction and loyalty.

The key to controlling transaction risk lies in adapting effective policies, procedures, and controls to meet the new risk exposures introduced by e-banking. Basic internal controls, including segregation of duties, dual controls, and reconcilements, remain important. Information security controls in particular become more significant, requiring additional processes, tools, expertise, and testing. Institutions should determine the appropriate level of security controls based on their assessment of the sensitivity of the information to the customer and to the institution, and on the institution's established risk tolerance. Security controls are discussed in the FFIEC E-Banking booklet's "Risk Management of E-Banking Activities" section under the heading "Information Security Program."

RISK MANAGEMENT OF E-BANKING ACTIVITIES

Source: http://ithandbook.ffiec.gov/it-booklets/e-banking/risk-management-of-e-banking-activities.aspx

E-banking has unique characteristics that may increase an institution's overall risk profile and the level of risks associated with traditional financial services, particularly strategic, operational, legal, and reputation risks. These unique e-banking characteristics include:

Speed of technological change,

Changing customer expectations,

Increased visibility of publicly accessible networks (e.g., the Internet),

Less face-to-face interaction with financial institution customers,

Need to integrate e-banking with the institution's legacy computer systems,

Dependence on third parties for necessary technical expertise, and

Proliferation of threats and vulnerabilities in publicly accessible networks.

Management should review each of the processes discussed in this section to adapt and expand the institution's risk management practices as necessary to address the risks posed by e-banking activities. While these processes mirror those discussed in other booklets of the IT Handbook, they are discussed below from an e-banking perspective. For more detailed information on each of these processes, the reader should review the corresponding booklet of the IT Handbook.

BEYOND E-SIGN – BEST PRACTICES AND LEGAL CONCERNS

Compliance with the e-signature laws is a very basic step in selecting a system for electronic signature transactions. Like their paper counterparts, electronically signed documents can become the subject of a dispute.

In the event of a dispute regarding an electronically executed contract, merely complying with ESIGN is not enough. The signature process must provide enough proof to uphold the transaction.

Vendor selection, due diligence and TESTING are critical components of implementing a successful E-SIGN process. These are some possible “best practices” for electronic signature products. The ideal product will provide or function as follows:

Audit trail tracks all signer actions

Secure encryption so documents can be read only by designated users, with access controls so they can be signed only by designated users

Unique Signatures created by each user, accessible only to that user, and stored securely online

Sign Document Blocks so users can ‘initial’ and ‘sign’ specific areas of a document

User Authentication leveraging email, access code, and/ or third party ID check

Time-Stamping of every step in the document process

Transaction Summary provides complete document history

Intent to Sign

A key convention in the paper world, precise signature placement is an important criterion in establishing the signer's intent. Similar considerations apply when adopting an electronic signature process.

Record Retention

Few organizations find the requirements for record retention under UETA and ESIGN strict enough in comparison to their standards for mitigating risk. Most notably, the storage systems associated with any electronic signature system must be rigorously secure from a physical and technological standpoint.

Admissibility into Evidence

The Federal Rules of Evidence and the Uniform Rules of Evidence generally allow for electronic records and their reproductions to be admissible into evidence. This applies to electronic signatures stored in a computer or server, so that any printout or output readable by sight, shown to reflect the data accurately, is considered an original. In the case of an electronic signature, then, it is important to demonstrate to the satisfaction of the courts that:

1. the appropriate level and amount of information surrounding the signing process was retained, and

2. the system used to retain the information is itself reliable.

TEN CONSIDERATIONS WHEN SELECTING AN E-SIGNATURE VENDOR

1. Are e-signed documents legally protected?

In highly regulated industries and for high-value transactions, it is best to have the strongest legal protection available to avoid customer disputes. Although ESIGN and UETA give electronic signatures the same legal weight as traditional wet signatures, e-signed documents need additional evidence to withstand a repudiation challenge in court. Look for an e-signature solution that captures process evidence: the steps a customer took to e-sign a document. Also consider a solution with embedded audit trails that keep a detailed, time-stamped log of the customer's steps when e-signing a document.

2. Are e-signatures secure?

Documents and e-signatures should be protected with digital signature technology: a cryptographic hash (the document's fingerprint) is computed over the electronic record and signed, and the signature can be verified later to confirm that the record is unchanged. Make sure your vendor's solution protects documents so they cannot be tampered with without detection; any change to the record, however small, must cause the signature to fail verification and be visibly invalidated.
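
The following Go program is an added example, not the original page's or any vendor's code. It covers item 2 above together with the audit-trail, time-stamping and transaction-summary features in the best-practices list earlier in this section: it fingerprints the document with SHA-256, keeps a hash-chained, time-stamped trail of signer actions, and signs the fingerprint and trail with an Ed25519 key; verification re-derives everything from the record as presented and fails on any change. The key type, the JSON layout of the sealed record, the event wording and the sample agreement text are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent is one time-stamped signer action; its hash covers the previous
// event's hash, so no event can be altered or reordered unnoticed.
type AuditEvent struct {
	At       time.Time `json:"at"`
	Actor    string    `json:"actor"`
	Action   string    `json:"action"`
	PrevHash string    `json:"prev_hash"`
	Hash     string    `json:"hash"`
}

// SignedRecord is what the institution retains: fingerprint, trail, signature.
type SignedRecord struct {
	DocumentSHA256 string       `json:"document_sha256"`
	Trail          []AuditEvent `json:"trail"`
	Signature      []byte       `json:"signature"`
}

func eventHash(prev string, at time.Time, actor, action string) string {
	h := sha256.New()
	for _, part := range []string{prev, at.UTC().Format(time.RFC3339Nano), actor, action} {
		h.Write([]byte(part))
		h.Write([]byte{0}) // field separator, so moving bytes between fields changes the hash
	}
	return hex.EncodeToString(h.Sum(nil))
}

// AppendEvent time-stamps one signer action onto the trail.
func AppendEvent(trail []AuditEvent, at time.Time, actor, action string) []AuditEvent {
	prev := ""
	if n := len(trail); n > 0 {
		prev = trail[n-1].Hash
	}
	return append(trail, AuditEvent{At: at.UTC(), Actor: actor, Action: action,
		PrevHash: prev, Hash: eventHash(prev, at, actor, action)})
}

func sealBytes(docHash string, trail []AuditEvent) ([]byte, error) {
	return json.Marshal(struct {
		Doc   string       `json:"doc"`
		Trail []AuditEvent `json:"trail"`
	}{docHash, trail})
}

// Seal fingerprints the document bytes and signs fingerprint plus trail.
func Seal(priv ed25519.PrivateKey, document []byte, trail []AuditEvent) (*SignedRecord, error) {
	sum := sha256.Sum256(document)
	rec := &SignedRecord{DocumentSHA256: hex.EncodeToString(sum[:]), Trail: trail}
	msg, err := sealBytes(rec.DocumentSHA256, rec.Trail)
	if err != nil {
		return nil, err
	}
	rec.Signature = ed25519.Sign(priv, msg)
	return rec, nil
}

// Verify re-derives the fingerprint from the document as presented today,
// re-checks the hash chain, then checks the signature over both.
func Verify(pub ed25519.PublicKey, document []byte, rec *SignedRecord) error {
	if sum := sha256.Sum256(document); hex.EncodeToString(sum[:]) != rec.DocumentSHA256 {
		return fmt.Errorf("document fingerprint mismatch: content changed after signing")
	}
	prev := ""
	for i, e := range rec.Trail {
		if e.PrevHash != prev || e.Hash != eventHash(prev, e.At, e.Actor, e.Action) {
			return fmt.Errorf("audit trail broken at event %d (%q)", i, e.Action)
		}
		prev = e.Hash
	}
	msg, err := sealBytes(rec.DocumentSHA256, rec.Trail)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, rec.Signature) {
		return fmt.Errorf("signature invalid: record or trail altered, or wrong key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("Deposit Account Agreement (constructed sample text)")
	trail := AppendEvent(nil, time.Now(), "cust-0001", "authenticated via emailed access code")
	trail = AppendEvent(trail, time.Now(), "cust-0001", "signed")
	rec, _ := Seal(priv, doc, trail)
	fmt.Println("original:", Verify(pub, doc, rec))
	doc[0] ^= 0x01
	fmt.Println("one bit flipped:", Verify(pub, doc, rec))
}
```

The hash chain alone does not catch a trail that has simply been cut short after its last event, because the remaining chain is still internally consistent; that is why the signature covers the whole trail and not only the document fingerprint. The signing key's protection (an HSM or the vendor's key management) is what the whole scheme ultimately rests on, and belongs in vendor due diligence.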

3. Are e-signed documents safe in the cloud?

When it comes to e-signatures and the cloud, choose a vendor with a robust cloud infrastructure and the ability to protect the confidentiality, integrity and availability of your data. Look as well for independent attestations such as a SOC 2 report, which gives an auditor's opinion on the vendor's controls over security, availability, processing integrity, confidentiality and privacy. Read the report's scope and any exceptions rather than treating the attestation as a guarantee.

4. Is it easy to use?

The key driver for user adoption is an e-signature solution that is easy to use. Choose a solution that simplifies the e-signature process for both your employees and your customers.

5. Does the e-signature solution support different signature capture methods?

There are various ways to sign a document: initialing it, simply clicking to sign, or allowing customers to draw a handwritten signature on their own mobile device. Supporting several methods gives a financial institution flexibility in how customers e-sign documents. Look for a solution that supports the signature capture methods that fit your e-signing needs.

6. Is the e-signature solution customizable?

When considering an e-signature vendor, make sure the solution allows your financial institution's branding to be applied, to provide a consistent experience for customers.

7. Is the e-signature solution mobile-friendly?

With customers on the go and relying heavily on smartphones and tablets for everyday transactions, consider a solution that lets customers e-sign documents from their mobile devices. Look for a vendor that optimizes the signing process on all mobile devices and platforms, giving your customers a user-friendly, tailored experience when e-signing documents.

8. How flexible is the e-signature solution?

It is important to find a solution that ties in with your financial institution's current processes and workflows. Look for one that can integrate with the systems and collaboration tools your institution uses. Some solutions also offer sandbox environments and SDKs to help you integrate e-signatures with your document generation, content management and other systems.

9. Does the e-signature vendor understand the unique requirements of a financial institution?

All e-signature solutions help organizations eliminate the paper process of obtaining wet signatures, but some vendors fall short on industry-specific knowledge of their prospective clients. Partner with a vendor that has expert knowledge of the laws and regulations of the banking industry.

10. Does the e-signature vendor have a favorable reputation in the industry?

Adequate due diligence before committing to an e-signature solution is a regulatory REQUIREMENT! Find out what your peers are saying about e-signature solutions already implemented in their financial institutions, and ask your primary regulator for additional guidance.

E-BANKING COMPONENTS

The FFIEC IT Examination Handbook Infobase has several helpful resources for e-banking at this link: http://ithandbook.ffiec.gov/it-booklets/e-banking/introduction/e-banking-components.aspx

Here are some key points:

E-banking systems can vary significantly in their configuration depending on a number of factors. Financial institutions should choose their e-banking system configuration, including outsourcing relationships, based on four factors:

1. Strategic objectives for e-banking;

2. Scope, scale, and complexity of equipment, systems, and activities;

3. Technology expertise; and

4. Security and internal control requirements.

Financial institutions may choose to support their e-banking services internally. Alternatively, financial institutions can outsource any aspect of their e-banking systems to third parties. The following entities could provide or host (i.e., allow applications to reside on their servers) e-banking-related services for financial institutions:

Another financial institution,

Internet service provider,

Internet banking software vendor or processor,

Core banking vendor or processor,

Managed security service provider,

Bill payment provider,

Credit bureau, and

Credit scoring company.

E-banking systems rely on a number of common components or processes. The following list includes many of the potential components and processes seen in a typical institution:

Website design and hosting,

Firewall configuration and management,

Intrusion detection system or IDS (network and host-based),

Network administration,

Security management,

Internet banking server,

E-commerce applications (e.g., bill payment, lending, brokerage),

Internal network servers,

Core processing system,

Programming support, and

Automated decision support systems.

These components work together to deliver e-banking services. Each component represents a control point to consider.

Through a combination of internal and outsourced solutions, management has many alternatives when determining the overall system configuration for the various components of an e-banking system. However, for the sake of simplicity, this booklet presents only two basic variations. First, one or more technology service providers can host the e-banking application and numerous network components as illustrated in the following diagram. In this configuration, the institution's service provider hosts the institution's website, Internet banking server, firewall, and intrusion detection system. While the institution does not have to manage the daily administration of these component systems, its management and board remain responsible for the content, performance, and security of the e-banking system.

Figure 1: Third-Party Provider Hosted E-Banking Diagram

Text Description of Figure 1

This diagram illustrates the transaction flow for one possible configuration where the bank relies on a technology service provider to host its Internet banking application.

Internet banking customer sends an e-banking transaction through their Internet Service Provider (ISP) via a phone, wireless, or broadband connection.

The customer's ISP routes the transaction through the Internet and sends it to the e-banking service provider's ISP, which routes it to the provider.

The transaction enters the provider's network through a router, which directs the e-banking transaction through a firewall to the application running on the Internet banking server.

The website server and Internet banking server may have host-based intrusion detection system (IDS) software monitoring the server and its files to provide alerts of potential unauthorized modifications.

Network IDS software may reside at different points within the network to analyze the message for potential attack characteristics that suggest an intrusion attempt.


The Internet banking application processes the transaction against account balance data through a real time connection to the core banking system or a database of account balance data, which is updated periodically from the core banking system.

The Internet banking server has a firewall filtering Internet traffic from its internal network.

Second, the institution can host all or a large portion of its e-banking systems internally. A typical configuration for in-house hosted, e-banking services is illustrated below. In this case, a provider is not between the Internet access and the financial institution's core processing system. Thus, the institution has day-to-day responsibility for system administration.

 

Figure 2: In-House E-Banking Diagram

Text Description of Figure 2

This diagram illustrates the transaction flow for one possible configuration in which the bank hosts the Internet banking application.

- Internet banking customer sends an e-banking transaction through their Internet Service Provider (ISP) via a phone, wireless, or broadband connection.

- The customer's ISP routes the transaction through the Internet and sends it to the bank's ISP, which routes it to the bank.


- The transaction enters the bank's network through a router, which directs the Internet-banking transaction through a firewall to the application running on the Internet banking server.

- The bank typically has several Internet application servers that could include a website server, e-mail server, proxy server, and domain name server (DNS) in addition to the Internet banking application server.

- The router will typically send the transaction around the other application servers directly to the Internet banking server unless it is a non-banking transaction.

- The website server and Internet banking server may have host-based intrusion detection system (IDS) software monitoring the server and its files to provide alerts of potential unauthorized modifications.

- Network IDS software may reside at different points within the network to analyze the message for potential attack characteristics that suggest an unauthorized intrusion attempt.

- The Internet banking application processes the transaction against account balance data through a real time connection to the core banking system or a database of account balance data, which is updated periodically from the core banking system.

- The Internet banking server has a firewall filtering Internet traffic from the bank's internal network.
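Both figure descriptions above mention host-based IDS software that watches the web and Internet banking servers' files and alerts on unauthorized modification. The following is an added example of the core of that control, a file-integrity baseline and re-scan; it is not code from the FFIEC booklet or from this handout, and the web root, file names and "tampering" are constructed inside a temporary directory so it runs offline. A production host IDS adds scheduling, a protected baseline store and alert routing on top of this same comparison.

```python
"""Host-based file-integrity check of the kind a host IDS performs on a web or
Internet banking server: hash a baseline of server files, then re-scan and
report files that were modified, added or removed.  Added example, not from
the FFIEC booklet or the handout; paths and sample files are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Return (kind, path) alerts for differences between baseline and a fresh snapshot."""
    alerts = []
    for rel, digest in current.items():
        if rel not in baseline:
            alerts.append(("added", rel))
        elif baseline[rel] != digest:
            alerts.append(("modified", rel))
    for rel in baseline:
        if rel not in current:
            alerts.append(("removed", rel))
    return sorted(alerts)


def demo():
    """Constructed scenario: baseline a fake web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        webroot = Path(d) / "htdocs"
        (webroot / "js").mkdir(parents=True)
        (webroot / "index.html").write_text("<html>bank home</html>")
        (webroot / "js" / "login.js").write_text("// login form handler")
        baseline = snapshot(webroot)

        # Simulated unauthorized changes: script altered, page removed, file dropped in.
        (webroot / "js" / "login.js").write_text("// login form handler\n// changed")
        (webroot / "index.html").unlink()
        (webroot / "js" / "extra.js").write_text("// unexpected file")

        return compare(baseline, snapshot(webroot))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind}: {path}")
```

The baseline itself must be stored where the web server account cannot write to it; otherwise an attacker who can change the page can also re-baseline it.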


WEBLINKING

A large number of financial institutions maintain sites on the World Wide Web. Some websites are strictly informational, while others also offer customers the ability to perform financial transactions, such as paying bills or transferring funds between accounts.

Virtually every website contains "weblinks." A weblink is a word, phrase, or image on a webpage that contains coding that will transport the viewer to a different part of the website or a completely different website by just clicking the mouse. While weblinks are a convenient and accepted tool in website design, their use can present certain risks. Generally, the primary risk posed by weblinking is that viewers can become confused about whose website they are viewing and who is responsible for the information, products, and services available through that website. There are a variety of risk management techniques institutions should consider using to mitigate these risks. These risk management techniques are for those institutions that develop and maintain their own websites, as well as institutions that use third-party service providers for this function. The agencies have issued guidance on weblinking that provides details on risks and risk management techniques financial institutions should consider. See the interagency guidance titled "Weblinking: Identifying Risks and Risk Management Techniques" issued April 23, 2003 by the Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS) (the agencies) for specific risk and risk management guidance.
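The guidance's central mitigation for the confusion risk described above is a disclosure when the viewer leaves the institution's site. The following is an added example, not part of the handout or the interagency guidance, of a check an institution (or its website provider) could run over its own pages: it parses the HTML, resolves every link, and reports links that point to a host outside the institution's control without an exit-notice marker. The institution's host list, the sample page and the `data-exit-notice` attribute convention are assumptions made for this illustration.

```python
"""Flags weblinks that leave the institution's own site without an exit
disclosure.  Added example, not from the handout or the interagency guidance;
the institution hosts, the HTML and the data-exit-notice attribute are
constructed assumptions for this illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts the institution controls (constructed).  Anything else is third party.
OWN_HOSTS = {"www.examplebank.test", "examplebank.test", "online.examplebank.test"}


class LinkCollector(HTMLParser):
    """Collect every <a> element with its attributes and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = {"attrs": dict(attrs), "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def is_third_party(href, page_url):
    """True when href resolves to a host outside OWN_HOSTS; non-web schemes are ignored."""
    target = urlsplit(urljoin(page_url, href))   # handles relative and //host links
    if target.scheme not in ("http", "https"):
        return False
    return target.hostname not in OWN_HOSTS


def audit_weblinks(html, page_url):
    """Return (href, link text) for third-party links that carry no exit notice."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        href = link["attrs"].get("href")
        if not href or not is_third_party(href, page_url):
            continue
        # Assumed convention: links routed through the exit-disclosure page carry this attribute.
        if link["attrs"].get("data-exit-notice") != "true":
            findings.append((href, link["text"].strip()))
    return findings


# Constructed sample page: internal links, one compliant external link, two that need attention.
SAMPLE_HTML = """
<a href="/accounts">Accounts</a>
<a href="https://online.examplebank.test/login">Online banking</a>
<a href="https://www.insurer.test/quote" data-exit-notice="true">Insurance quotes</a>
<a href="//partner-broker.test/open">Open a brokerage account</a>
<a href="https://www.co-brand.test/cards">Credit cards</a>
<a href="mailto:help@examplebank.test">Contact us</a>
"""

if __name__ == "__main__":
    for href, text in audit_weblinks(SAMPLE_HTML, "https://www.examplebank.test/"):
        print(f"third-party link without exit notice: {text!r} -> {href}")
```

Protocol-relative links (`//host/...`) and links whose text reads like an in-house product ("Credit cards") are the cases most likely to slip past a manual review, which is why the check resolves each link before deciding rather than looking at the text.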


MANAGING VENDOR RISK

So what steps should a financial institution take to ensure it meets the requirements of the Gramm-Leach-Bliley Act (GLBA)?

From loan reviews to service organization controls (SOC) reports, financial institutions often choose to outsource a spectrum of services. While outsourcing allows a financial institution to shift daily functions to a third-party vendor, it still retains responsibility for those activities. Therefore, federal regulations require financial institutions to develop and maintain a vendor management program designed to protect customer data.

GLBA Requirements

The GLBA requires financial institutions to take various steps to provide physical, technical, and administrative safeguards for customer records and data. These requirements include vendor oversight, and for compliance, a financial institution must:

Apply appropriate due diligence when choosing service providers,

Require service providers via contract to implement proper data security processes, and

Monitor service providers through activities such as reviewing audits and test results as directed by the bank’s risk assessment. Additionally, for high-risk vendors (such as outsourced core processors and Internet-banking providers), the bank should monitor and validate controls through periodic self-assessments or other means.

Three Steps for Completing a Risk Assessment

The GLBA emphasizes a risk-based approach to compliance, which can minimize the burden for smaller community banks. The appropriate vendor management program scope depends on the bank’s size and risk profile. Therefore, banks should begin by conducting a risk assessment, as outlined in the three steps below.


1. Inventory all vendors with access to customer data.

2. Detail each vendor’s access including whether it is physical, remote, on-site electronic access, and others.

3. Prioritize vendors according to access levels and the potential impact of a related breach on the bank and its customers. Remember that access is not necessarily defined by job function. For example, a janitorial service may not deal with customer data, but it may have physical access if it works unsupervised in a room with unlocked filing cabinets.
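The three steps above are a procedure, so here they are carried through as an added example (not code from the handout, and not a regulatory formula): a small inventory, each vendor's access paths recorded, and a prioritization that weighs access against breach impact. The vendors, the access categories and the weights are constructed assumptions; the point the example preserves is the one the text makes, that a janitorial service with unsupervised physical access ranks above a vendor whose job function sounds more sensitive but who has no access at all.

```python
"""Three-step vendor risk assessment as a worked example: inventory vendors,
record each access path, rank by access and impact.  Added example; the
vendors, access types and scoring weights are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed weights: how much exposure each kind of access creates.
ACCESS_WEIGHT = {"remote": 3, "onsite_electronic": 3, "physical": 2, "none": 0}
# Constructed weights for the potential impact of a breach involving this vendor.
IMPACT_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Vendor:
    name: str
    function: str                                 # what the vendor is hired to do
    access: list = field(default_factory=list)    # access paths actually available (step 2)
    impact: str = "low"                           # effect of a related breach on the bank
    supervised: bool = True                       # is physical access escorted or monitored?

    def score(self):
        """Higher score = review first.  Unsupervised physical access counts in full;
        supervised physical access counts half (assumption for this example)."""
        total = 0.0
        for path in self.access:
            weight = ACCESS_WEIGHT[path]
            if path == "physical" and self.supervised:
                weight /= 2
            total += weight
        return total * IMPACT_WEIGHT[self.impact]

    def tier(self):
        s = self.score()
        return "high" if s >= 9 else "medium" if s >= 4 else "low"


def prioritize(vendors):
    """Step 3: order the inventory by score, highest first."""
    return sorted(vendors, key=lambda v: v.score(), reverse=True)


# Steps 1 and 2: constructed inventory with each vendor's access detailed.
INVENTORY = [
    Vendor("CoreCo", "outsourced core processing", ["remote", "onsite_electronic"], "high"),
    Vendor("NetBank Inc", "Internet banking provider", ["remote"], "high"),
    Vendor("Clean Sweep", "janitorial service", ["physical"], "medium", supervised=False),
    Vendor("Lawn Care LLC", "grounds maintenance", ["none"], "low"),
]

if __name__ == "__main__":
    for v in prioritize(INVENTORY):
        print(f"{v.tier():6} {v.score():5.1f}  {v.name} ({v.function}): {', '.join(v.access)}")
```

The two high-tier vendors here are exactly the kinds the GLBA section names for periodic control validation (core processor, Internet banking provider); the janitorial service lands in the middle tier only because its access was recorded by what it can reach, not by its job title.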

Know When to Hold ‘Em.

Based on the financial institution’s risk assessment and available resources, management can establish appropriate policies and procedures for selecting vendors, reviewing service contracts, and overseeing vendor operations.


E-SIGN Resources


E-SIGN ACT

This is a link to the Cornell Law School version of the E-SIGN Act:

https://www.law.cornell.edu/uscode/text/15/chapter-96

The title of the statute is

15 U.S. Code Chapter 96 - ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE

These are the sections:

§ 7001 - General rule of validity

§ 7002 - Exemption to preemption

§ 7003 - Specific exceptions

§ 7004 - Applicability to Federal and State governments

§ 7005 - Studies

§ 7006 - Definitions

15 U.S. Code § 7001 - General rule of validity

(a) In general

Notwithstanding any statute, regulation, or other rule of law (other than this subchapter and subchapter II of this chapter), with respect to any transaction in or affecting interstate or foreign commerce—

(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and

(2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

(b) Preservation of rights and obligations

This subchapter does not—

(1) limit, alter, or otherwise affect any requirement imposed by a statute, regulation, or rule of law relating to the rights and obligations of persons under such statute, regulation, or rule of law other than a requirement that contracts or other records be written, signed, or in nonelectronic form; or

(2) require any person to agree to use or accept electronic records or electronic signatures, other than a governmental agency with respect to a record other than a contract to which it is a party.

(c) Consumer disclosures

(1) Consent to electronic records

Notwithstanding subsection (a) of this section, if a statute, regulation, or other rule of law requires that information relating to a transaction or transactions in or affecting interstate or foreign commerce be provided or made available to a consumer in writing, the use of an electronic record to provide or make available (whichever is required) such information satisfies the requirement that such information be in writing if—

(A) the consumer has affirmatively consented to such use and has not withdrawn such consent;

(B) the consumer, prior to consenting, is provided with a clear and conspicuous statement—

(i) informing the consumer of (I) any right or option of the consumer to have the record provided or made available on paper or in nonelectronic form, and (II) the right of the consumer to withdraw the consent to have the record provided or made available in an electronic form and of any conditions, consequences (which may include termination of the parties’ relationship), or fees in the event of such withdrawal;

(ii) informing the consumer of whether the consent applies (I) only to the particular transaction which gave rise to the obligation to provide the record, or (II) to identified categories of records that may be provided or made available during the course of the parties’ relationship;

(iii) describing the procedures the consumer must use to withdraw consent as provided in clause (i) and to update information needed to contact the consumer electronically; and

(iv) informing the consumer (I) how, after the consent, the consumer may, upon request, obtain a paper copy of an electronic record, and (II) whether any fee will be charged for such copy;

(C) the consumer—

(i) prior to consenting, is provided with a statement of the hardware and software requirements for access to and retention of the electronic records; and

(ii) consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent; and

(D) after the consent of a consumer in accordance with subparagraph (A), if a change in the hardware or software requirements needed to access or retain electronic records creates a material risk that the consumer will not be able to access or retain a subsequent electronic record that was the subject of the consent, the person providing the electronic record—

(i) provides the consumer with a statement of (I) the revised hardware and software requirements for access to and retention of the electronic records, and (II) the right to withdraw consent without the imposition of any fees for such withdrawal and without the imposition of any condition or consequence that was not disclosed under subparagraph (B)(i); and

(ii) again complies with subparagraph (C).


(2) Other rights (A) Preservation of consumer protections

Nothing in this subchapter affects the content or timing of any disclosure or other record required to be provided or made available to any consumer under any statute, regulation, or other rule of law.

(B) Verification or acknowledgment

If a law that was enacted prior to this chapter expressly requires a record to be provided or made available by a specified method that requires verification or acknowledgment of receipt, the record may be provided or made available electronically only if the method used provides verification or acknowledgment of receipt (whichever is required).

(3) Effect of failure to obtain electronic consent or confirmation of consent

The legal effectiveness, validity, or enforceability of any contract executed by a consumer shall not be denied solely because of the failure to obtain electronic consent or confirmation of consent by that consumer in accordance with paragraph (1)(C)(ii).

(4) Prospective effect

Withdrawal of consent by a consumer shall not affect the legal effectiveness, validity, or enforceability of electronic records provided or made available to that consumer in accordance with paragraph (1) prior to implementation of the consumer’s withdrawal of consent. A consumer’s withdrawal of consent shall be effective within a reasonable period of time after receipt of the withdrawal by the provider of the record. Failure to comply with paragraph (1)(D) may, at the election of the consumer, be treated as a withdrawal of consent for purposes of this paragraph.

(5) Prior consent

This subsection does not apply to any records that are provided or made available to a consumer who has consented prior to the effective date of this subchapter to receive such records in electronic form as permitted by any statute, regulation, or other rule of law.

(6) Oral communications

An oral communication or a recording of an oral communication shall not qualify as an electronic record for purposes of this subsection except as otherwise provided under applicable law.

(d) Retention of contracts and records

(1) Accuracy and accessibility

If a statute, regulation, or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be retained, that requirement is met by retaining an electronic record of the information in the contract or other record that—

(A) accurately reflects the information set forth in the contract or other record; and

(B) remains accessible to all persons who are entitled to access by statute, regulation, or rule of law, for the period required by such statute, regulation, or rule of law, in a form that is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise.

(2) Exception

A requirement to retain a contract or other record in accordance with paragraph (1) does not apply to any information whose sole purpose is to enable the contract or other record to be sent, communicated, or received.

(3) Originals

If a statute, regulation, or other rule of law requires a contract or other record relating to a transaction in or affecting interstate or foreign commerce to be provided, available, or retained in its original form, or provides consequences if the contract or other record is not provided, available, or retained in its original form, that statute, regulation, or rule of law is satisfied by an electronic record that complies with paragraph (1).

(4) Checks

If a statute, regulation, or other rule of law requires the retention of a check, that requirement is satisfied by retention of an electronic record of the information on the front and back of the check in accordance with paragraph (1).

(e) Accuracy and ability to retain contracts and other records

Notwithstanding subsection (a) of this section, if a statute, regulation, or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be in writing, the legal effect, validity, or enforceability of an electronic record of such contract or other record may be denied if such electronic record is not in a form that is capable of being retained and accurately reproduced for later reference by all parties or persons who are entitled to retain the contract or other record.

(f) Proximity

Nothing in this subchapter affects the proximity required by any statute, regulation, or other rule of law with respect to any warning, notice, disclosure, or other record required to be posted, displayed, or publicly affixed.

(g) Notarization and acknowledgment


If a statute, regulation, or other rule of law requires a signature or record relating to a transaction in or affecting interstate or foreign commerce to be notarized, acknowledged, verified, or made under oath, that requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable statute, regulation, or rule of law, is attached to or logically associated with the signature or record.

(h) Electronic agents

A contract or other record relating to a transaction in or affecting interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because its formation, creation, or delivery involved the action of one or more electronic agents so long as the action of any such electronic agent is legally attributable to the person to be bound.

(i) Insurance

It is the specific intent of the Congress that this subchapter and subchapter II of this chapter apply to the business of insurance.

(j) Insurance agents and brokers. An insurance agent or broker acting under the direction of a party that enters into a contract by means of an electronic record or electronic signature may not be held liable for any deficiency in the electronic procedures agreed to by the parties under that contract if—

(1) the agent or broker has not engaged in negligent, reckless, or intentional tortious conduct;

(2) the agent or broker was not involved in the development or establishment of such electronic procedures; and

(3) the agent or broker did not deviate from such procedures.

DEFINITIONS IN § 7006

(1) Consumer. The term “consumer” means an individual who obtains, through a transaction, products or services which are used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.

(2) Electronic. The term “electronic” means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

(3) Electronic agent. The term “electronic agent” means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part without review or action by an individual at the time of the action or response.

(4) Electronic record. The term “electronic record” means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.

(5) Electronic signature. The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

(6) Federal regulatory agency. The term “Federal regulatory agency” means an agency, as that term is defined in section 552(f) of title 5.

(7) Information. The term “information” means data, text, images, sounds, codes, computer programs, software, databases, or the like.

(8) Person. The term “person” means an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, governmental agency, public corporation, or any other legal or commercial entity.

(9) Record. The term “record” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.

(10) Requirement. The term “requirement” includes a prohibition.

(11) Self-regulatory organization. The term “self-regulatory organization” means an organization or entity that is not a Federal regulatory agency or a State, but that is under the supervision of a Federal regulatory agency and is authorized under Federal law to adopt and administer rules applicable to its members that are enforced by such organization or entity, by a Federal regulatory agency, or by another self-regulatory organization.

(12) State. The term “State” includes the District of Columbia and the territories and possessions of the United States.

(13) Transaction. The term “transaction” means an action or set of actions relating to the conduct of business, consumer, or commercial affairs between two or more persons, including any of the following types of conduct—

(A) the sale, lease, exchange, licensing, or other disposition of (i) personal property, including goods and intangibles, (ii) services, and (iii) any combination thereof; and

(B) the sale, lease, exchange, or other disposition of any interest in real property, or any combination thereof.


FIL-030-2013 WEBLINKING GUIDANCE

This is the link to the FIL: https://www.fdic.gov/news/news/financial/2003/fil0330.html

These are the sections:

A. RISK DISCUSSION

customer confusion in distinguishing whether the financial institution or the linked third party is offering products and services;

customer dissatisfaction with the quality of products or services obtained from a third party; and

customer confusion as to whether certain regulatory protections apply to third-party products or services.

Reputation Risk

Trade Names

Website Appearance

Compliance Risk

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships

Due Diligence

Agreements

Implementing Weblinking Relationships

Disclaimers and Disclosures

Monitoring Weblinking Relationships

Managing Service Providers


COMMON E-SIGN QUESTIONS

The reason E-SIGN is getting so much attention now is that regulatory and technological changes are forcing the industry to find new ways of achieving compliance in a cost-effective manner, which almost always involves the use of electronic signatures or providing important documents electronically. For example, the Right to an Appraisal changes made to Regulation B have forced lenders who do a lot of mortgage loans to provide large numbers of appraisals economically and, consequently, electronically.

Furthermore, the demand for electronic products and services is growing, including mobile banking, remote deposit transfers, e-statements, and online banking. These products and services must provide federally required disclosures in an electronic format that necessarily require electronic signing. This widespread use has financial institutions and even regulators taking a second look at E-SIGN requirements.

COMMON QUESTIONS

1. We do not open online accounts but offer paperless statements. Is E-SIGN required?

Yes, E-SIGN is applicable. This is a good example of where affirmative consent is needed. You must provide consumers with the E-SIGN notice (about 3 paragraphs explaining the consumer’s rights to withdraw consent and receive paper statements, how to do so, and the software/hardware requirements needed to receive disclosures electronically). This may already be written into your e-statements agreement. This can be a blanket consent for all electronic documents or consent just for this product.

2. Can we decline a deposit account if the consumer declines to receive electronic statements?

You cannot require consumers to use electronic records. E-SIGN gives the consumer a right to request and receive paper records. However, you are permitted to charge a reasonable fee for photocopying or hardcopy records.

3. Do we have to notify the customer every time there is a change in our hardware or software requirements?

The act requires that if, after consent is provided, a change is made in the hardware or software requirements needed to access or retain the electronic disclosures, and the change creates a material risk that the consumer will not be able to access or retain an electronic disclosure that was the subject of the prior consent, the consumer must be provided with an appropriate notice of the change and must re-consent electronically in a manner that reasonably demonstrates the consumer’s ability to access the electronic notice or disclosure.

4. If the ECOA appraisal regulation applies to certain business loans, we do not need to follow the E-SIGN requirements per my understanding. Can we just email the business the appraisal or is there a more acceptable practice?

The first part of E-SIGN establishes the validity of electronic records and signatures for all commerce or trade. This is true for everyone, but the consumer protection requirements (the E-SIGN notice, the right to opt out, affirmative consent) are just for individual consumers, not for businesses. You may provide business appraisals however you choose, and so email is acceptable. You must ensure that the electronic document (appraisal) is accurate, can be reproduced by the recipient, and is provided in a secure or safe manner for all customers, business or consumer.

5. When a person signs up for e-statements, does the institution have an obligation to verify that the customer is able to view their statement and the ability to prove the customer has viewed it? For instance, once the customer accepts receiving e-statements, do we need to send the customer a sample e-statement and have the customer verify that they can read the statement?

E-SIGN requires that the consumer consent “in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.” This can be accomplished in various ways including test documents, pin codes, and clicking links. You are not obligated to confirm that the consumer is opening or reading the electronic documents, only that they can if they so choose.
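The consent elements of § 7001(c) reproduced earlier and questions 3 and 5 above describe one lifecycle: disclosures shown before consent, a demonstration that the consumer can actually open the delivery format, re-consent when a hardware or software change creates a material risk, prospective withdrawal, and retention of an accurate copy under § 7001(d). The following is an added worked example of that lifecycle as application logic; it is not the handout's code and not any e-statement vendor's product. The data model, the "code printed inside a sample document" access test (one of the methods question 5 lists), the re-consent rule and the scenario are assumptions chosen to follow the statute's elements.

```python
"""Consent and retention logic for electronic records under E-SIGN
15 U.S.C. § 7001(c) and (d), as an added worked example (not the handout's
code and not any vendor's product).  The data model, the sample-document
access test and the re-consent rule are assumptions chosen to follow the
statute's elements; adapt them to your own disclosure content."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Statements the consumer must see before consenting: § 7001(c)(1)(B)(i)-(iv)
# and the hardware/software statement in (C)(i).  Names are constructed.
REQUIRED_DISCLOSURES = {
    "paper_option", "withdrawal_right_and_consequences", "scope_of_consent",
    "withdrawal_and_contact_update_procedure", "paper_copy_and_fee",
    "hardware_software_requirements",
}


@dataclass
class Consent:
    consumer_id: str
    requirements: str            # hardware/software statement currently in force
    scope: str                   # "transaction" or "category", per (B)(ii)
    active: bool = False         # True only after the access test passes
    withdrawn: bool = False
    test_code: str = ""          # code shown inside a sample document, (C)(ii)
    delivered: dict = field(default_factory=dict)  # record_id -> sha256 digest


class ConsentService:
    def __init__(self):
        self.consents = {}

    def start_consent(self, consumer_id, disclosures_shown, requirements, scope):
        """(B) and (C)(i): refuse unless every required statement was shown first."""
        missing = REQUIRED_DISCLOSURES - set(disclosures_shown)
        if missing:
            raise ValueError(f"disclosures missing before consent: {sorted(missing)}")
        c = Consent(consumer_id, requirements, scope, test_code=secrets.token_hex(3))
        self.consents[consumer_id] = c
        return c.test_code   # embedded in a sample document in the delivery format

    def confirm_access(self, consumer_id, code_entered):
        """(C)(ii): consumer proves they can open the format by typing the code back."""
        c = self.consents[consumer_id]
        if secrets.compare_digest(c.test_code, code_entered):
            c.active = True
        return c.active

    def can_deliver_electronically(self, consumer_id):
        c = self.consents.get(consumer_id)
        return bool(c and c.active and not c.withdrawn)

    def deliver(self, consumer_id, record_id, content):
        """Deliver only under active consent; keep a digest so the retained copy can
        later be shown to accurately reflect what was sent, (d)(1)(A)."""
        if not self.can_deliver_electronically(consumer_id):
            raise PermissionError("no active electronic consent; provide on paper")
        self.consents[consumer_id].delivered[record_id] = hashlib.sha256(content).hexdigest()

    def verify_retained(self, consumer_id, record_id, content):
        stored = self.consents[consumer_id].delivered.get(record_id)
        return stored == hashlib.sha256(content).hexdigest()

    def change_requirements(self, consumer_id, new_requirements, material_risk):
        """(D): a change creating material risk needs a new statement and re-consent."""
        c = self.consents[consumer_id]
        c.requirements = new_requirements
        if not material_risk:
            return None
        c.active = False                      # blocked until confirm_access succeeds again
        c.test_code = secrets.token_hex(3)
        return c.test_code

    def withdraw(self, consumer_id):
        """(c)(4): withdrawal is prospective; records already delivered stay valid."""
        self.consents[consumer_id].withdrawn = True


def walkthrough():
    """Constructed scenario running one consumer through the whole lifecycle."""
    svc = ConsentService()
    code = svc.start_consent("cust-1", REQUIRED_DISCLOSURES, "PDF viewer, current browser", "category")
    svc.confirm_access("cust-1", "000000")                  # wrong code: not yet active
    before = svc.can_deliver_electronically("cust-1")
    svc.confirm_access("cust-1", code)
    svc.deliver("cust-1", "stmt-2015-09", b"September statement")
    new_code = svc.change_requirements("cust-1", "PDF viewer v2", material_risk=True)
    during = svc.can_deliver_electronically("cust-1")       # blocked pending re-consent
    svc.confirm_access("cust-1", new_code)
    svc.withdraw("cust-1")
    return {
        "deliverable_before_access_test": before,
        "deliverable_after_material_change": during,
        "earlier_record_verifiable": svc.verify_retained("cust-1", "stmt-2015-09", b"September statement"),
        "deliverable_after_withdrawal": svc.can_deliver_electronically("cust-1"),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Two design points follow directly from the statute: consent is never marked active on the click alone, only after the access test, and a withdrawal flips a flag rather than deleting anything, because the records delivered beforehand remain valid and must stay retrievable for the retention period.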


FDIC E-SIGN EXAM PROCEDURES

The link to the FDIC Compliance Exam manual is: https://www.fdic.gov/regulations/compliance/manual/index.html

The exam procedures were updated in January 2014, and are found in Chapter X, Other Compliance Issues, X-3.1

SEE THE NEXT PAGES FOR THE PROCEDURES


EXAMINATION PROCEDURES:

SOCIAL MEDIA AND E-BANKING MANAGEMENT GUIDANCE

See YOUR primary regulator’s exam procedures, but the following regulations and laws should be part of a monitoring and audit review of the e-banking program.

Compliance and Legal Risks

Truth in Savings Act/Regulation DD

Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act

Truth in Lending Act/Regulation Z

Real Estate Settlement Procedures Act

Fair Debt Collection Practices Act

Unfair, Deceptive, or Abusive Acts or Practices

Deposit Insurance or Share Insurance

Electronic Fund Transfer Act/Regulation E & Check rules

Bank Secrecy Act/Anti-Money Laundering Programs (BSA/AML)

Community Reinvestment Act 

Privacy

CAN-SPAM Act and Telephone Consumer Protection Act

Children’s Online Privacy Protection Act

Fair Credit Reporting Act

Reputation Risk – Fraud, Third Party Risk, Privacy, Complaints

Employee Use of Social Media Sites

Operational Risk

FEDERAL RESERVE E-SIGN CHECKLIST

This is a link to the entire CA-0310 Consumer Affairs Electronic Examination Checklist:

http://www.federalreserve.gov/boarddocs/caletters/2003/0310/caltr0310.htm

One of the sections covers E-Sign.

See the next pages for the checklist items.

XYZ BANK

Subject: Social Media Policy
Item Number: CP-100
Effective Date: 07/24/12
Revision Date: 2/24/15
Page Number:

SOCIAL MEDIA POLICY TEMPLATE

Purpose

The internet and the use of social networking/media have presented new challenges to the bank. While expanding marketing efforts and communications with the public, it is necessary to control the bank's branding on social media and the information that pertains to the bank and its customers. For the purposes of this policy, social media means any facility for online publication and commentary, including without limitation blogs, wikis, and social networking sites such as Facebook, LinkedIn, Twitter, Flickr, and YouTube. This policy is in addition to and complements any existing or future policies regarding the use of technology, computers, e-mail and the internet. These controls apply to employees who post and contribute to these types of sites for both professional and personal use.

This is not to be construed as any attempt to restrict any employees’ legal rights to discuss wages, terms of employment or conditions of work, during non-working hours and in non-working areas.

Statement Of Policy

XYZ Bank recognizes the importance of using social networking/media, including blogs, postings on wikis and other interactive sites, and postings on video or picture sharing sites, to inform and communicate with the public about the products and services we offer as well as the bank's community involvement. The use of social media is encouraged and supported by the bank, as this will shape public perception and further develop the bank's brand. The bank also recognizes that proprietary and confidential information about the bank, its employees and customers must remain protected. Employees who post must protect the privacy, confidentiality, and interests of the bank and our current and potential products, employees, vendors, customers, and competitors.

I. APPOINTED USERS:

Management will designate a {Point of Contact (POC)} who is aware of, and trained to address, the risks associated with social media and who is able to identify and report on issues surrounding the bank's social media involvement.

The {POC} will appoint selected bank employees to post on the bank's social media sites. These posts will promote the bank's products, services and goodwill in the communities we serve. The employees will be granted access to the social media sites and will be allowed access while at work. Employees will be selected based on their knowledge of the bank's products, services and activities as well as their knowledge of proper use of the social media sites.

II. DEFINITIONS:

The following are key definitions:

1. Avatar – A computer user's graphic representation of him/herself. These need not be actual images of a person.

2. Blog – Short for Web log. A website where a blog author can post information on a specific topic targeted to a specific audience. A blog, if commenting is enabled, allows members of the public to post comments about posts by the blog author.

3. Social Media -- Social media websites or technologies such as smartphone applications tied to a social media website focus on creating and contributing to online social communities. These communities have a specific purpose and connect users from different locations and interest areas. Social media websites offer many different ways for users to share information including video, audio, images, website links, and other content.

4. Social Networking – Collectively, these are the tools used to connect people who share common interests or backgrounds through the use of web-based services. Typically, these sites use multiple methods to connect registered users, such as status updates (micro-blogging such as Twitter), instant messaging, blogs, polls, photo sharing, video sharing, etc.

“Social media” and “social networking” are often used interchangeably.

5. Wiki – A wiki is a web-based tool that allows for collaborative development of documents, such as policies or presentations, by allowing visitors to add, remove, edit and change content, with or without the need for registration depending on the settings. A wiki also allows for posting links to other Web pages in order to connect the information.

III. EMPLOYEE CODE OF CONDUCT – ETHICS POLICY:

The same standards of conduct required in the Employee Code of Conduct and Ethics Policy are applicable on the internet and when the employee is involved in social networking.

XYZ Bank employees who are not specifically authorized are not allowed to publish or comment via social media in any way during work hours or using work facilities, or in any way that suggests they are doing so in connection with XYZ Bank. XYZ Bank employees who are authorized employees in the {Marketing Dept. / POC} are free to publish or comment via social media in accordance with this policy.

Employees may use a pseudonym on social networking sites to protect their real identity. These must be tasteful and used consistently. The employee must notify {insert POC} when they register on a social networking site and provide their username when they will be participating on behalf of the bank. Employee posts should always be identified as such.

When posting on a social networking site and referring to the bank in any way, the employee must identify themselves as an employee of the bank and that the views expressed are theirs alone and do not necessarily represent the views of the bank.

Senior management will identify certain employees/officers as authorized representatives who may post and comment on behalf of the bank.

Employees may not share information that is confidential or proprietary about the bank. This includes information about examinations/audits, upcoming products or services, financial condition (other than what is available from the FDIC or is otherwise available to the public), the number of employees, the bank's strategic plan, or any other information that has not been publicly released by the bank.

These are given as examples only and do not cover the range of what the bank considers private, confidential or proprietary. If the employee has any question about whether information has been released publicly they should speak with their manager and the {Marketing department / POC} before releasing information that could potentially harm the bank, or our current and potential products and services, employees, vendors, or customers.

The bank logo and trademarks may not be used without explicit permission. This is to prevent the appearance that the employee is an authorized representative. An authorized representative may use the bank logo as an avatar.

Employees must post respectfully about the bank, its employees, customers, vendors, and competitors. Employees may not engage in name calling or behavior that will reflect negatively on the bank's reputation. Employees are an extension of XYZ Bank's brand and are encouraged to use good personal judgment when engaging in social media networks through personal accounts. Employees should consider the appropriateness of posts, comments, pictures, or any other communications, and how the communications may affect the employee's, or consequently the bank's, reputation, prior to sharing the communications through any social media channels, personal or otherwise.

Recognize that employees are legally liable for anything they write or present online. Employees can be disciplined by the bank for commentary, content, or images that are defamatory, pornographic, proprietary, harassing, libelous, or that can create a hostile work environment.

Posting on social networking sites should not interfere with an employee’s primary job duties or customer service commitments.

IV. CONFIDENTIALITY:

No personally identifiable or confidential information will be posted without approval of the individual to whom that information applies. An acceptable example of this includes a photograph of a customer with their executed model release after being recognized at a bank or community function. An unacceptable example would be responding to a customer's inquiry as to their deposit account balance with that balance. A customer's name, account number, address, Social Security number, and similar data should never be posted. If a customer is able to post and provides this type of information, it should be removed.

V. COPYRIGHTS:

Copyrights will be respected by the bank. When quoting content from outside the bank, employees should never quote more than short excerpts of another’s work, and always attribute such work to the original author/source. When appropriate, a link to the referenced content is recommended.

VI. DIVERSITY, DISCRIMINATION:

Readers of the bank's social media posts, employees, and customers represent a diverse community and include many different customs, values and interests. Nothing should be stated which conflicts with the bank's directives. All posts should be respectful and in no way indicate any discriminatory practice toward anyone on the basis of race, color, religion, national origin, sex, marital status, age, income from public assistance, handicap or familial status.

VII. DISCLAIMER:

Wherever practical, all posts should include a disclaimer stating that while the person posting is an employee of the bank, anything posted is that person’s personal opinion, and not necessarily the opinion of XYZ Bank. This is intended to separate employee comments from the official position of the bank.

The {POC} will provide employees with applicable disclaimer language and assist with determining where and how to use them.

VIII. COMPLIANCE:

All postings on social media sites will be reviewed by a second party prior to making the post. The content will be reviewed for compliance with this policy, all laws and regulations applicable to the content, as well as spelling, grammar and wording.

IX. ADMINISTRATIVE ENFORCEMENT:

Policy violations will be subject to disciplinary action, up to and including termination for cause.

The policy below is for the bank's website and is for the bank's disclosure to the public.

XYZ Bank's Social Networking Policy for Public Use

Access to the bank's social networking pages may be terminated if a user uploads or otherwise makes directly accessible content which infringes on any other party's copyrights, or is considered offensive, off topic, spam, a personal attack, threatening, derogatory, non-constructive, or political or religious in nature. This includes text, links, photos and images. The content will be removed upon discovery and users will be warned. XYZ Bank may terminate repeat offenders' access to XYZ Bank's social networking sites.

No confidential, personal or banking information should be shared on social networking sites and will be removed upon discovery by the XYZ Bank.

XYZ Bank does not endorse any comments made by its employees, unless they are an authorized representative of the bank. All statements and viewpoints expressed in the comments are strictly those of the commenter alone, and do not constitute an official position of XYZ Bank unless they are posted by an authorized representative of the bank. Employees of the bank must identify themselves in all posts. This fact may be material to other readers.

Note: I have seen web policies address the above with the additional disclaimer that photos of people may be posted by the bank. These may be from functions sponsored by the bank, contest winners, etc. The bank would provide a link to a form if the person wanted the photo removed – an opt-out method. A policy such as this should be reviewed by counsel. This is the use of a person’s likeness for advertising and Model Releases should be obtained in advance, in my opinion.

These procedures will help employees authorized to use social media on the bank’s behalf to make appropriate decisions about work-related blogging and the contents of blogs, social media postings on wikis and other interactive sites, postings on video or picture sharing sites, or in the comments that are made online on blogs, elsewhere on the internet, and in responding to comments from posters either publicly or via email.

I. ESTABLISHING A SOCIAL MEDIA ACCOUNT

Assistance in setting up social media accounts and their settings can be obtained from XYZ Bank's {POC}.

Social media identities, logon IDs and user names may not use XYZ Bank's name without prior approval from the {POC}.

Passwords used for any social media account should not be the same password as used to logon to bank systems.

Employees may use a pseudonym on social networking sites to protect their real identity. These must be tasteful and used consistently. The employee must notify {insert POC} when they register on a social networking site and provide their username when they will be participating on behalf of the bank. Employee posts should always be identified as such.

An employee/officer who is an authorized representative and is allowed to post on behalf of the bank may use their official XYZ Bank photograph as a profile photograph. Senior management will dictate official spokesperson(s) that will use their official photograph and real name.

II. POSTING GUIDANCE

All posts will be reviewed prior to sending the content to the social media site. Depending on the content, the post will be reviewed for:

Spelling

Grammar

Wording

Content accuracy

Photo releases

Compliance with applicable laws and regulations, including those pertaining to human resources, regulatory compliance and the bank's policy

If an error is made in a post, correct it as quickly as possible. If a post is modified, make it clear that this was done. If a claim is made that a post was improper (for example, that the post is another person's copyrighted material or is a defamatory comment), address these concerns quickly. It is better to remove the post immediately to lessen the possibility of legal action.

When necessary, a spell checker should be used, or posts should be drafted first in a program that includes one and then pasted into the site.

III. DISCLAIMERS

Possible disclaimers the {POC} may want included in posts, as appropriate, are:

1. XYZ Bank and I are not providing investment advice or opinions of law, and these comments should not be construed as legal advice. This does not represent an electronic signature for E-SIGN.

2. Opinions expressed are my own and are not necessarily those of XYZ Bank. I am not providing investment advice or opinions of law, and these comments should not be construed as legal advice. This does not represent an electronic signature for E-SIGN.

3. Opinions expressed are my own and are not necessarily those of XYZ Bank.

If a post requires a disclaimer because of the subject matter, but there is insufficient space for the disclaimer, the post should not be made. In its place the post may offer contact information so that a more detailed response may be offered via the telephone, secured email, postal mail, etc.

IV. CONTROLS/AUDITS

Independent testing of the bank’s social media efforts will be conducted on at least an annual basis. This review will be to ensure compliance with the approved policy and procedures and to ensure that necessary follow-up activities are conducted in a timely manner.

V. REPORTING

The {POC} will submit a report on an annual basis to the board of directors regarding:

a. The effectiveness of marketing through social media

b. Risks (including reputation risk) that emerge through postings

c. Direct follow-up (if any) to specific postings

d. Complaints and inquiries that are received. These include fair lending, Real Estate Settlement Procedures Act (RESPA), Unfair, Deceptive or Abusive Acts or Practices (UDAAP), identity theft Red Flags and other complaints tracked by the bank. (This report may be abbreviated if detailed in a specific Complaint and Inquiry policy report.)

FFIEC EXAM PROCEDURES FOR E-BANKING EXAMINATIONS

Source: http://ithandbook.ffiec.gov/it-booklets/e-banking/appendix-a-examination-procedures.aspx

Introduction

The examiner's primary goal in reviewing e-banking activities is to determine whether the institution is providing e-banking products and services in a safe and sound manner that supports compliance with consumer-protection regulations. This determination is based on whether the institution's risk management practices are commensurate with the level of risk in its e-banking activities.

The e-banking examination procedures are a tool to help examiners reach conclusions regarding the effectiveness of an institution's risk management of e-banking activities. Examiners should use their judgment, consistent with the institution's supervisory strategy, in selecting applicable examination objectives and determining the need for specific testing of controls. Examiners may rely on the work of auditors and consultants deemed independent and competent in establishing their examination scope.

The examination procedures that follow focus on the risks inherent in the processes and technologies supporting e-banking products and services. They supplement, but do not replace, procedures from other IT Handbook booklets that apply to general IT activities (e.g., program development and maintenance, networking, information security, etc.). Depending on the scope of coverage targeted, examiners should consider using these procedures in combination with others from the IT Handbook and related issuances.

The structure of the e-banking examination procedures parallels the structure of the narrative portion of this booklet. The procedures cover:

Setting the examination scope,

Evaluating board and management oversight,

Assessing the information security program,

Reviewing legal and compliance issues, and

Deriving exam conclusions.

Depending on the complexity of the institution's activities and the scope of prior reviews, it is generally not necessary to complete all of the examination objectives or procedures in order to reach conclusions on the effectiveness of the financial institution's risk management processes.

The procedures are designed for conducting targeted, integrated reviews of new or significantly expanded e-banking services. However, for follow-up activities or e-banking reviews conducted as part of a comprehensive review of an institution's IT activities, examiners should customize their e-banking coverage to avoid duplication of topics covered in other examination programs.

This section of the booklet also includes discussion points examiners can use as a reference when talking to management as they are considering or implementing e-banking products and services and a sample list of items to include in the request letter for each of the objectives stated in the examination procedures.

Discussion Points for Examiners

Financial institutions frequently contact examiners seeking guidance on things to consider when they plan to offer or expand e-banking services. The following discussion points are offered as a guide to assist examiners when discussing e-banking plans and strategies with institution management.

Strategic Plans - Decisions on e-banking should be consistent with the financial institution's strategic and operating business plans. Any decision to offer or expand e-banking services should consider customer demand for the services, competitive issues, and the risks in the technology. The institution should periodically evaluate the success of its e-banking strategy and make changes as appropriate.

Impact on Earnings and Capital - Financial institution management should have realistic projections of the expected impact of e-banking on earnings and capital. If management projects a significant impact then profitability plans should address pricing and marketing expenses. If management projects rapid growth in loans or deposits, then plans should address the impact on liquidity, asset quality, and capital adequacy.

E-Banking Software and Service Provider Selection - Financial institutions should provide an appropriate level of due diligence in selecting third-party providers or developing systems in-house. User departments should be involved in the selection process since they will work with the system on a daily basis once it is operational.

Security - Financial institution management should understand security issues associated with e-banking. Security issues include customer verification and authentication, data confidentiality and integrity, and intrusion prevention and detection. Management should measure the effectiveness of security controls.

Internal Controls and Audit - The institution's board and management should ensure that internal control and audit processes are adequate to enable the identification, measurement, and monitoring of the risks associated with e-banking. Management should attempt to quantify increased expenses and losses due to internal control-related weaknesses and fraud.

Legal Requirements - Management should research and understand various legal requirements, including compliance issues, as part of the e-banking decision process. Many legal issues are evolving and will require management to monitor developments.

Vendor Management - Research of outsourcing arrangements should include consideration of potential vendors' financial condition, reputation and expertise, years in business, history of service interruptions and recoveries, and future business plans. Selection should also consider the ability to agree on a contract that clearly defines responsibility for maintaining and sharing information and any resulting liability for its unauthorized use or disclosure.

Business Continuity Planning - Whether provided by the financial institution or a third party, management should plan for recovery of critical e-banking technology and business functions and develop alternate operating processes for use during service disruptions.

Insurance - A review of insurance coverage may be in order to determine if existing policies specifically cover or exclude activities conducted over open networks like the Internet.

Expertise - The financial institution should ensure it has the proper level of expertise to make business decisions regarding e-banking and network security. The board of directors and senior management may need to enhance their understanding of technology issues. If such expertise is not available in-house, the institution should consider engaging outside expertise.

General Procedures

Objective 1: Determine the scope for the examination of the institution's e-banking activities consistent with the nature and complexity of the institution's operations.

1.  Review the following documents to identify previously noted issues related to the e-banking area that require follow-up: 

Previous regulatory examination reports

Supervisory strategy

Follow-up activities

Work papers from previous examinations

Correspondence

2. Identify the e-banking products and services the institution offers, supports, or provides automatic links to (i.e., retail, wholesale, investment, fiduciary, e-commerce support, etc.).

3. Assess the complexity of these products and services considering volumes (transaction and dollar), customer base, significance of fee income, and technical sophistication.

4. Identify third-party providers and the extent and nature of their processing or support services.

5. Discuss with management or review MIS or other monitoring reports to determine the institution's recent experience and trends for the following:

Intrusions, both attempted and successful;

Fraudulent transactions reported by customers;

Customer complaint volumes and average time to resolution; and

Frequency and duration of service disruptions.

6. Review audit and consultant reports, management's responses, and problem tracking systems to identify potential issues for examination follow-up. Possible sources include:

Internal and external audit reports and SSAE-16 Attestation reports and reviews for service providers,

Security reviews/evaluations from internal risk review or external consultants (includes vulnerability and penetration testing), and

Findings from GLBA security and control tests and annual GLBA reports to the board.

7.  Review network schematic to identify the location of major e-banking components. Document the location and the entity responsible for development, operation, and support of each of the major system components.

8. Review the institution's e-banking site(s) to gain a general understanding of the scope of e-banking activities and the website's organization, structure, and operability.

9. Discuss with management recent and planned changes in:

The types of products and services offered;

Marketing or pricing strategies;

Network structure;

Risk management processes, including monitoring techniques;

Policies, processes, personnel, or controls, including strategies for intrusion responses or business continuity planning;

Service providers or other technology vendors; and

The scope of independent reviews or the individuals or entities conducting them.


10. Based on the findings from the previous steps, determine the scope of the e-banking review. Discuss, as appropriate, with the examiner or office responsible for supervisory oversight of the institution.

Select from among the following examination objectives and procedures those that are appropriate to the examination's scope. When more in-depth coverage of an area is warranted, examiners should select procedures from other booklets of the IT Handbook as necessary (e.g., "Information Security Booklet," "Retail Payments Systems Booklet," etc.). For more complex e-banking environments, examiners may need to integrate IT coverage with business line-specific coverage. In those cases, examiners should consult other subject matter experts and consider inclusion of the member agency's expanded procedures (e.g., compliance, retail lending, fiduciary/asset management, etc.).

BOARD AND MANAGEMENT OVERSIGHT   

Objective 2: Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.

1. Evaluate the institution's short- and long-term strategies for e-banking products and services. In assessing the institution's planning processes, consider whether:

The scope and type of e-banking services are consistent with the institution's overall mission, strategic goals, operating plans, and risk tolerance;

The institution's MIS is adequate to measure the success of e-banking strategies based on clearly defined organizational goals and objectives;

Management's understanding of industry standards is sufficient to ensure compatibility with legacy systems;

Cost-benefit analyses of e-banking activities consider the costs of start-up, operation, administration, upgrades, customer support, marketing, risk management, monitoring, independent testing, and vendor oversight (if applicable);

Management's evaluation of security risks, threats, and vulnerabilities is realistic and consistent with institution's risk profile;

Management's knowledge of federal and state laws and regulations as they pertain to e-banking is adequate; and 

A process exists to periodically evaluate the institution's e-banking product mix and marketing successes and link those findings to its planning process.

2. Determine whether e-banking guidance and risk considerations have been incorporated into the institution's operating policies to an extent appropriate for the size of the financial institution and the nature and scope of its e-banking activities. Consider whether the institution's policies and practices:


Include e-banking issues in the institution's processes and responsibilities for identifying, measuring, monitoring, and controlling risks;

Define e-banking risk appetite in terms of types of product or service, customer restrictions (local/domestic/foreign), or geographic lending territory;

Consider, if appropriate, e-banking activities as a mission-critical activity for business continuity planning;

Assign day-to-day responsibilities for e-banking compliance issues including marketing, disclosures, and BSA/OFAC issues;

Require e-banking issues to be included in periodic reporting to the board of directors on the technologies employed, risks assumed, and compensating risk management practices;

Maintain policies and procedures over e-commerce payments (i.e., bill payment or cash management) consistent with the risk and controls associated with the underlying payment systems (check processing, ACH, wire transfers, etc.); 

Establish policies to address e-commerce support services (aggregation, certificate authority, commercial website hosting/design, etc.);

Include e-banking considerations in the institution's written privacy policy; and 

Require the board of directors to periodically review and approve updated policies and procedures related to e-banking.

3. Assess the level of oversight by the board and management in ensuring that planning and monitoring are sufficiently robust to address heightened risks inherent in e-banking products and services. Consider whether:

The board reviews, approves, and monitors e-banking technology-related projects that may have a significant impact on the financial institution's risk profile;

The board ensures appropriate programs are in place to oversee security, recovery, and third-party providers of critical e-banking products and services;

Senior management evaluates whether technologies and products are in line with the financial institution's strategic goals and meet market needs;

Senior management periodically evaluates e-banking performance relative to original/revised project plans;

Senior management has developed, as appropriate, exit strategies for high-risk activities; and

Institution personnel have the proper skill sets to evaluate, select, and implement e-banking technology.

4. Evaluate adequacy of key MIS reports to monitor risks in e-banking activities. Consider monitoring of the following areas:


Systems capacity and utilization;

Frequency and duration of service interruptions;

Volume and type of customer complaints, including time to successful resolution;

Transaction volumes by type, number, dollar amount, and behavior (e.g., bill payment or cash management transactions need sufficient monitoring to identify suspicious or unusual activity);

Exceptions to security policies whether automated or procedural;

Unauthorized penetrations of e-banking system or network, both actual and attempted;

Losses due to fraud or processing/balancing errors; and

Credit performance and profitability of accounts originated through e-banking channels.

5. Determine whether audit coverage of e-banking activities is appropriate for the type of services offered and the level of risk assumed. Consider the frequency of e-banking reviews, the adequacy of audit expertise relative to the complexity of e-banking activities, and the extent of functions outsourced to third-party providers. The audit scope should include:

Testing/verification of security controls, authentication techniques, access levels, etc.;

Reviewing security monitoring processes, including network risk analysis and vulnerability assessments;

Verifying operating controls, including balancing and separation of duties; and

Validating the accuracy of key MIS and risk management reports.

Objective 3: Determine the quality of the institution's risk management over outsourced technology services.

1. Assess the adequacy of management's due diligence activities prior to vendor selection. Consider whether: 

Strategic and business plans are consistent with outsourcing activity, and

Vendor information was gathered and analyzed prior to signing the contract, and the analysis considered the following: 

Vendor reputation;

Financial condition;

Costs for development, maintenance, and support;

Internal controls and recovery processes; and

Ability to provide required monitoring reports.


2. Determine whether the institution has reviewed vendor contracts to ensure that the responsibilities of each party are appropriately identified. Consider the following provisions if applicable:

Description of the work performed or service provided;

Basis for costs, description of additional fees, and details on how prices may change over the term of the contract;

Implementation of an appropriate information security program; 

Audit rights and responsibilities;

Contingency plans for service recovery;

Data backup and protection provisions;

Responsibilities for data security and confidentiality and language complying with the GLBA 501(b) guidelines regarding security programs;

Hardware and software upgrades; 

Availability of vendor's financial information;

Training and problem resolution;

Reasonable penalty and cancellation provisions;

Prohibition of contract assignment;

Limitations over subcontracting (i.e., prohibition or notification prior to engaging a subcontractor for data processing, software development, or ancillary services supporting the contracted service to the institution);

Termination rights without excessive fees, including the return of data in a machine-readable format in a timely manner;

Financial institution ownership of the data;

Covenants dealing with the choice of law (United States or foreign nation); and

Rights of federal regulators to examine the services, including processing and support conducted from a foreign nation.

3.  Assess the adequacy of ongoing vendor oversight. Consider whether the institution's oversight efforts include:

Designation of personnel accountable for monitoring activities and services;

Control over remote vendor access (e.g., dial-in, dedicated line, Internet); 

Review of service provider's financial condition; 


Periodic reviews of business continuity plans, including compatibility with those of the institution;

Review of service provider audits (e.g., third-party reviews) and regulatory examination reports; and 

Review and monitoring of performance reports for services provided.

INFORMATION SECURITY PROCESS

Objective 4: Determine if the institution's information security program sufficiently addresses e-banking risks.

1.  Determine whether the institution's written security program for customer information required by GLBA guidelines includes e-banking products and services.

2.  Discuss the institution's e-banking environment with management as applicable. Based on this discussion, evaluate whether the examination scope should be expanded to include selected Tier II procedures from the IT Handbook's "Information Security Booklet." Consider discussing the following topics:

Current knowledge of attackers and attack techniques;

Existence of up-to-date equipment and software inventories;

Rapid response capability for newly discovered vulnerabilities;

Network access controls over external connections;

Hardening of systems; 

Malicious code prevention; 

Rapid intrusion detection and response procedures;

Physical security of computing devices;

User enrollment, change, and termination procedures;

Authorized use policy;

Personnel training;

Independent testing; and

Service provider oversight.

3.  Determine whether the security program includes monitoring of systems and transactions and whether exceptions are analyzed to identify and correct noncompliance with security policies as appropriate. Consider whether the institution adequately monitors the following:


Systems capacity and utilization;

The frequency and duration of service interruptions;

The volume and type of customer complaints, including time to resolution;

Transaction volumes by type, number, and dollar amount; 

Security exceptions;

Unauthorized penetrations of e-banking system or network, both actual and attempted (e.g., firewall and intrusion detection system logs); and

E-banking losses due to fraud or errors.

4. Determine the adequacy of the institution's authentication methods and need for multi-factor authentication relative to the sensitivity of systems or transactions. Consider the following processes: 

Account access

Intrabank funds transfer

Account maintenance

Electronic bill payment 

Corporate cash management 

Other third-party payments or asset transfers

5. If the institution uses passwords for customer authentication, determine whether password administration guidelines adequately address the following:

Selection of password length and composition considering ease of remembering, vulnerability to compromise, sensitivity of system or information protected, and use as single- or multi-factor authentication;

Restrictions on the use of automatic log-on features;

User lockout after a number of failed log-on attempts - industry practice is generally no more than 3 to 5 incorrect attempts;

Password expiration for sensitive internal or high-value systems;

Users' ability to select and/or change their passwords;

Passwords disabled after a prolonged period of inactivity;

Secure process for password generation and distribution;

Termination of customer connections after a specified interval of inactivity - industry practice is generally not more than 10 to 20 minutes;


Procedures for resetting passwords, including forced change at next log-on after reset;

Review of password exception reports;

Secure access controls over password databases, including encryption of stored passwords;

Password guidance to customers and employees regarding prudent password selection and the importance of protecting password confidentiality; and

Avoidance of commonly available information (i.e., name, social security number) as user IDs.
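As an added illustration (not part of the FFIEC procedures or this handout), the following Python model turns the password administration items above into enforceable code: lockout after the quoted 3 to 5 failed attempts, idle-session termination at 10 to 20 minutes, forced change at next log-on after a help-desk reset, salted slow hashing of stored passwords, and rejection of SSN-like user IDs. The class and function names, the 180-day inactivity period and the 12-character minimum are constructed assumptions; the audit log shows the kind of entry an examiner would expect to find for a lockout.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# First two thresholds are the industry-practice ranges quoted in the text; the rest are assumed
MAX_FAILED_ATTEMPTS = 5                   # lock out after no more than 3 to 5 failed log-ons
SESSION_IDLE_SECONDS = 15 * 60            # drop the connection after 10 to 20 idle minutes
INACTIVITY_DISABLE_SECONDS = 180 * 86400  # assumed: disable a password unused for 180 days
MIN_PASSWORD_LENGTH = 12                  # assumed composition rule

@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes                 # only a salted, slow hash is stored, never the password
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = False      # forced change at next log-on after a help-desk reset
    last_login: float = 0.0

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def user_id_acceptable(user_id: str) -> bool:
    """Reject IDs built from commonly available data, e.g. a bare 9-digit SSN."""
    return len(user_id) >= 4 and not (user_id.isdigit() and len(user_id) == 9)

def password_acceptable(user_id: str, password: str) -> bool:
    """Length and composition rule; the password may not contain the user ID."""
    if len(password) < MIN_PASSWORD_LENGTH or user_id.lower() in password.lower():
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3

def session_still_valid(last_activity: float, now: float) -> bool:
    """Customer connections are terminated once the idle interval has elapsed."""
    return now - last_activity <= SESSION_IDLE_SECONDS

class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock                          # injectable so the policies can be tested
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[tuple[float, str, str]] = []   # audit trail: (when, who, what)

    def _audit(self, user_id: str, event: str) -> None:
        self.audit_log.append((self.clock(), user_id, event))

    def enroll(self, user_id: str, password: str) -> bool:
        if (user_id in self.accounts or not user_id_acceptable(user_id)
                or not password_acceptable(user_id, password)):
            return False
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt),
                                         last_login=self.clock())
        return True

    def login(self, user_id: str, password: str) -> str:
        """Returns ok, must_change, locked, disabled or bad_credentials."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "bad_credentials"                # same answer whether or not the ID exists
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self._audit(user_id, "locked_after_failed_attempts")
            return "bad_credentials"
        now = self.clock()
        if now - acct.last_login > INACTIVITY_DISABLE_SECONDS:
            self._audit(user_id, "disabled_inactivity")   # a reset is needed to reactivate
            return "disabled"
        acct.failed_attempts, acct.last_login = 0, now
        return "must_change" if acct.must_change else "ok"

    def reset_password(self, user_id: str, temp_password: str) -> None:
        """Help-desk reset: temporary credential, lock cleared, change forced at next log-on."""
        acct = self.accounts[user_id]
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(temp_password, acct.salt)
        acct.failed_attempts, acct.locked, acct.must_change = 0, False, True
        acct.last_login = self.clock()
        self._audit(user_id, "password_reset")

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        acct = self.accounts[user_id]
        if (old == new or not password_acceptable(user_id, new)
                or not hmac.compare_digest(acct.pw_hash, hash_password(old, acct.salt))):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new, acct.salt)
        acct.must_change = False
        self._audit(user_id, "password_changed")
        return True
```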

6. Evaluate access control associated with employee's administrative access to ensure:

Administrative access is assigned only to unique, employee-specific IDs;

Account creation, deletion, and maintenance activity is monitored; and

Access to funds-transfer capabilities is under dual control and consistent with controls over payment transmission channel (e.g., ACH, wire transfer, Fedline).

7. Evaluate the appropriateness of incident response plans. Consider whether the plans include:

A response process that assures prompt notification of senior management and the board as dictated by the probable severity of damage and potential monetary loss related to adverse events;

Adequate outreach strategies to inform the media and customers of the event and any corrective measures;

Consideration of legal liability issues as part of the response process, including notifications of customers specifically or potentially affected; and

Information-sharing procedures to bring security breaches to the attention of appropriate management and external entities (e.g., regulatory agencies, Suspicious Activity Reports, information-sharing groups, law enforcement, etc.).

8.  Assess whether the information security program includes independent security testing as appropriate for the type and complexity of e-banking activity. Tests should include, as warranted:

Independent audits

Vulnerability assessments

Penetration testing

Objective 5: Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services.


1. Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties.

2. Determine whether controls for e-banking applications include:

Appropriate balancing and reconciling controls for e-banking activity;

Protection of critical data or information from tampering during transmission and from viewing by unauthorized parties (e.g., encryption);

Automated validation techniques such as check digits or hash totals to detect tampering with message content during transmission;

Independent control totals for transactions exchanged between e-banking applications and legacy systems; and

Ongoing review for suspicious transactions such as large-dollar transactions, high transaction volume, or unusual account activity.
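As an added example (not the FFIEC's or the handout author's code), here is how the balancing, hash-total and independent control-total items above fit together for a batch handed from the e-banking application to the legacy core system, written in Python. The sample batch and key are constructed; the keyed MAC (HMAC-SHA256) goes beyond the text's check digits and hash totals, because a hash total catches accidental corruption but not an adversary who recomputes it after altering a record.

```python
import copy
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed sample: bill-payment instructions leaving the e-banking application
SAMPLE_BATCH = [
    {"txn_id": "T1001", "account": "100200300", "amount": "125.00", "payee": "Electric Co"},
    {"txn_id": "T1002", "account": "100200301", "amount": "40.50", "payee": "Water Utility"},
    {"txn_id": "T1003", "account": "200300400", "amount": "1000.00", "payee": "Mortgage Svc"},
]
SHARED_KEY = b"constructed-demo-key-not-for-production"  # in practice from a key store / HSM


def control_totals(records: list[dict]) -> dict:
    """Batch controls: record count, dollar total and a hash total (the sum of the
    account-number field, meaningless as a number but sensitive to any change)."""
    return {
        "count": len(records),
        "dollars": str(sum(Decimal(r["amount"]) for r in records)),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def canonical(obj) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_batch(records: list[dict], key: bytes) -> dict:
    """Sender side: attach control totals and a keyed MAC over records + totals."""
    totals = control_totals(records)
    mac = hmac.new(key, canonical([records, totals]), hashlib.sha256).hexdigest()
    return {"records": records, "totals": totals, "mac": mac}


def verify_batch(batch: dict, key: bytes) -> list[str]:
    """Receiver side: recompute the MAC and the totals independently.
    Returns the list of problems found; an empty list means the batch is intact."""
    problems = []
    expected = hmac.new(key, canonical([batch["records"], batch["totals"]]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, batch["mac"]):
        problems.append("mac_mismatch")          # content or totals altered in transit
    recomputed = control_totals(batch["records"])
    for name, value in recomputed.items():
        if value != batch["totals"][name]:
            problems.append(f"{name}_mismatch")
    return problems


def reconcile(ebank_totals: dict, legacy_totals: dict) -> list[str]:
    """Independent control totals: names of the totals on which the e-banking
    application and the legacy core system disagree."""
    return [k for k in ebank_totals if ebank_totals[k] != legacy_totals.get(k)]


def demo() -> dict:
    """Run the intact batch and several tampering scenarios; returns the findings."""
    batch = seal_batch(SAMPLE_BATCH, SHARED_KEY)
    results = {"intact": verify_batch(batch, SHARED_KEY), "totals": batch["totals"]}

    amount = copy.deepcopy(batch)                # amount inflated on the wire
    amount["records"][0]["amount"] = "12500.00"
    results["amount_changed"] = verify_batch(amount, SHARED_KEY)

    account = copy.deepcopy(batch)               # payee account redirected
    account["records"][1]["account"] = "999999999"
    results["account_changed"] = verify_batch(account, SHARED_KEY)

    dropped = copy.deepcopy(batch)               # record removed AND totals recomputed:
    dropped["records"].pop()                     # only the keyed MAC still catches this
    dropped["totals"] = control_totals(dropped["records"])
    results["dropped_totals_recomputed"] = verify_batch(dropped, SHARED_KEY)

    # legacy system posted only two of the three instructions
    results["legacy_disagrees"] = reconcile(batch["totals"], control_totals(SAMPLE_BATCH[:2]))
    return results


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```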

3. Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions. Consider whether audit trails can identify the source of the following:

On-line instructions to open, modify, or close a customer's account;

Any transaction with financial consequences;

Overrides or approvals to exceed established limits; and

Any activity granting, changing, or revoking systems access rights or privileges (e.g., revoked after three unsuccessful attempts).

4. Evaluate the physical security over e-banking equipment, media, and communication lines.

5. Determine whether business continuity plans appropriately address the business impact of e-banking products and services. Consider whether the plans include the following:

Regular review and update of e-banking contingency plans;

Specific staff responsible for initiating and managing e-banking recovery plans;

Adequate analysis and mitigation of any single points of failure for critical networks;

Strategies to recover hardware, software, communication links, and data files; and

Regular testing of back-up agreements with external vendors or critical suppliers.

LEGAL AND COMPLIANCE ISSUES


Objective 6: Assess the institution's understanding and management of legal and compliance issues associated with e-banking activities.

1. Determine how the institution stays informed on legal and regulatory developments associated with e-banking and thus ensures e-banking activities comply with appropriate consumer compliance regulations. Consider: 

Existence of a process for tracking current litigation and regulations that could affect the institution's e-banking activities; 

Assignment of personnel responsible for monitoring e-banking legislation and the requirements of or changes to compliance regulations; and 

Inclusion of e-banking activity and website content in the institution's compliance management program.

2. Review the website content for inclusion of federal deposit insurance logos if insured depository services are offered (12 CFR 328 or 12 CFR 740).

3. Review the website content for inclusion of the following information which institutions should consider to avoid customer confusion and communicate customer responsibilities:

Disclosure of corporate identity and location of head and branch offices for financial institutions using a trade name; 

Disclosure of applicable regulatory information, such as the identity of the institution's primary regulator or information on how to contact or file a complaint with the regulator;

Conspicuous notices of the inapplicability of FDIC/NCUA insurance to, the potential risks associated with, and the actual product provider of, the specific investment and insurance products offered; 

Security policies and customer usage responsibilities (including security disclosures and Internet banking agreements);

On-line funds transfer agreements for bill payment or cash management users; and

Disclosure of privacy policy - financial institutions are encouraged, but not required, to disclose their privacy policies on their websites - to include:

o Conspicuous disclosure of the privacy policy on the website in a manner that complies with the privacy regulation and

o Information on how to "opt out" of sharing (if the institution shares information with third parties).

4. If the financial institution electronically delivers consumer disclosures that are required to be provided in writing, assess the institution's compliance with the E-Sign Act. Review to determine whether:


The disclosures:

Are clear and conspicuous;

Inform the consumer of any right or option to receive the record in paper or non-electronic form;

Inform the consumer of the right to withdraw consent, including any conditions, consequences, or fees associated with such action;

Inform consumers of the hardware and software needed to access and retain the disclosure for their records; and

Indicate whether the consent applies to only a particular transaction or to identified categories of records.

The procedures the consumer uses to affirmatively consent to electronic delivery reasonably demonstrate the consumer's ability to access/view disclosures. 

5. Determine whether e-banking support services are in place to facilitate compliance efforts, including:

Effective customer support by the help desk, addressing:

Complaint levels and resolution statistics,

Performance relative to customer service level expectations, and

Review of complaints/problems for patterns or trends indicative of processing deficiencies or security weaknesses.

Appropriate processes for authenticating and maintaining electronic signatures (E-Sign Act).

6. As applicable, determine whether the financial institution has considered the applicability of various laws and regulations to its e-banking activities:

Monitoring of potential money-laundering activities associated with e-banking required by the Bank Secrecy Act (31 CFR 103.18);

Filing of Suspicious Activity Reports for unusual or unauthorized e-banking activity or computer security intrusions requirements (regulation cites vary by agency);

Screening of on-line applications and activity for entities/countries prohibited by the Office of Foreign Assets Control (31 CFR 500 et seq.); and

Authenticating new e-banking customers using identification techniques consistent with the requirements of Bank Secrecy Act (31 CFR 103) and the USA PATRIOT Act [12 CFR 21 (OCC), 12 CFR 208 and 211 (Board), 12 CFR 326 (FDIC), 12 CFR 563 (OTS), and 12 CFR 748 (NCUA)].


7. If the overview of e-banking compliance identifies weaknesses in the institution's consideration and oversight of compliance issues, consider expanding coverage to include a more detailed review using agency-specific compliance examination procedures.

EXAMINATION CONCLUSIONS 

Objective 7: Develop conclusions, communicate findings, and initiate corrective action on violations and other examination findings.

1. Assess the potential impact of the examination conclusions on the institution's CAMELS and Uniform Rating System for Information Technology (URSIT) ratings.

2. As applicable to your agency, identify risk areas where the institution's risk management processes are insufficient to mitigate the level of increased risks attributed to e-banking activities. Consider:

Transaction/operations risk 

Credit risk 

Liquidity risk

Interest rate and price/market risk

Compliance/legal risk 

Strategic risk

Reputation risk 

3. Prepare a summary memorandum detailing the results of the e-banking examination. Consider:

Deficiencies noted and recommended corrective action regarding deficient policies, procedures, practices, or other concerns;

Appropriateness of strategic and business plans;

Adequacy and adherence to policies;

Adequacy of security controls and risk management systems;

Compliance with applicable laws and regulations;

Adequacy of internal controls;

Adequacy of audit coverage and independent security testing;

Other matters of significance; and

Recommendations for future examination coverage (including need for additional specialized expertise).


4.  Discuss examination findings and conclusions with the examiner-in-charge. As appropriate, prepare draft report comments that address examination findings indicative of:

Significant control weaknesses or risks (note the root cause of the deficiency, consequence of inaction or benefit of action, management corrective action, the time frame for correction, and the person responsible for corrective action);

Deviations from safety and soundness principles that may result in financial or operational deterioration if not addressed; or 

Substantive noncompliance with laws or regulations.

5. In coordination with the examiner-in-charge, discuss findings with institution management including, as applicable, conclusions regarding applicable ratings and risks. If necessary, obtain commitments for corrective action. 

6.  Revise draft e-banking comments to reflect discussions with management and finalize comments for inclusion in the report of examination. 

7. As applicable, according to your agency's requirements/instructions, include written comments specifically stating what the regulator should do in the future to effectively supervise e-banking in this institution. Include supervisory objectives, time frames, staffing, and workdays required.

8. Update the agency's information systems and applicable report of examination schedules or tables as applicable.

E-Banking Request Letter Items

Objective 1 - Determine the scope for the examination of the institution's e-banking activities consistent with the nature and complexity of the institution's operations.

An organization chart of e-banking personnel including the name, title, and phone number of the e-banking examination contact.

A list of URLs for all financial institution-affiliated websites.

A list of all e-banking platforms utilized and network diagrams including servers, routers, firewalls, and supporting system components.

A list of all e-banking related products and services including transaction volume data on each if it is available.

A description of any changes in e-banking activities or future e-banking plans since the last exam.

Diagrams illustrating the e-banking transaction workflow.


Copies of recent monitoring reports that illustrate trends and experiences with intrusion attempts, successful intrusions, fraud losses, service disruptions, customer complaint volumes, and complaint resolution statistics.

Copies of findings from, and management/board responses to, the following:

Internal and external audit reports (including third-party reviews on service providers and testing of the information security program), 

Annual tests of the written information security program as required by GLBA,

Vulnerability assessments,

Penetration tests, and

Other independent security tests or e-banking risk reviews.

Objective 2 - Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.

Internal or external audit schedules, audit scope, and background/training information on individuals conducting e-banking audits. 

Descriptions of e-banking-related training provided to employees including date, attendees, and topics.

Strategic plans or feasibility studies related to e-banking.

Insurance policies covering e-banking activities such as blanket bond, errors and omissions, and any riders relating to e-banking.

Copies of recent management and board reports that measure or analyze e-banking performance both strategically and technically, such as percentage of customers using e-banking channels or system capacity to maintain current and planned level of transactional activity.

Objective 3 - Determine the quality of the institution's risk management over outsourced technology services.

Policies and procedures related to vendor management.

A list of all third-party providers, contractors, or support vendors, including the name, services provided, address, and phone number for each.

Documentation supporting initial or ongoing due diligence of the above vendors including financial condition, service level performance, security reporting, audit reports, security assessments, and disaster recovery tests as appropriate.

Vendor contracts (make available upon request).


Objective 4 - Determine if the institution has appropriately modified its information security program to incorporate e-banking risks.

Findings from security risk assessments pertaining to e-banking activities.

Information security policies and procedures associated with e-banking systems, products, or services, including policies associated with customer authentication, employee e-mail usage, and Internet usage.

A list or report of authorized users and access levels for e-banking platforms, including officers, employees, system vendors, customers, and other users.

Samples of e-banking-related security reports reviewed by IT management, senior management, or the board including suspicious activity, unauthorized access attempts, outstanding vulnerabilities, fraud or security event reports, etc.

Documentation related to any successful e-banking intrusion or fraud attempt.

If e-banking is hosted internally, provide the following additional information:

A list of security software tools employed by the institution including product name, vendor name, and version number for filtering routers, firewalls, network-based intrusion detection software (IDS), host-based IDS, and event correlation analysis software (illustrate placement on network diagram);

Policies related to identification and patching of new vulnerabilities; and

Descriptions of router access control rules, firewall rules, and IDS event detection and response rules including the corresponding logs.

Objective 5 - Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services.

E-banking policies and procedures related to account opening, customer authentication, maintenance, bill payment or e-banking transaction processing, settlement, and reconcilement. 

Business resumption plans for e-banking services.

Objective 6 - Assess the institution's understanding and management of legal and compliance issues associated with e-banking activities.

Policies and procedures related to e-banking consumer compliance issues including website content, disclosures, BSA, financial record keeping, and the institution's trade area.

A list of any pending lawsuits or contingent liabilities with potential losses relating to e-banking activities.

Documentation of customer complaints related to e-banking products and services.


Copies of, or publicly available weblinks to, privacy statements, consumer compliance disclosures, security disclosures, and e-banking agreements.

If the financial institution provides cross-border e-banking products and services, provide the following additional information.

Policies for, or a description of, permissible cross-border e-banking including types of products and services such as account opening, account access, or funds transfer, and restrictions such as geographic location, citizenship, etc.

Policies for, or a description of, the institution's due diligence process for accepting cross-border business.

 


APPENDIX B - GLOSSARY

This is from the FFIEC website. This is the link: http://ithandbook.ffiec.gov/it-booklets/e-banking/appendix-b-glossary.aspx

Appendix B: Glossary

D

Digital Certificate - The electronic equivalent of an ID card that authenticates the originator of a digital signature.

Direct Data Feed - A process used by information aggregators to gather information directly from a website operator rather than copying it from a displayed webpage.

E

E-Banking - The remote delivery of new and traditional banking products and services through electronic delivery channels.

E-mail Server - A computer that manages e-mail traffic.

Encryption - A data security technique used to protect information from unauthorized inspection or alteration. Information is encoded so that data appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using an encryption key.

F

Firewall - A hardware or software link in a network that relays only data packets clearly intended and authorized to reach the other side.

Framing - A frame is an area of a webpage that scrolls independently of the rest of the webpage. Framing generally refers to the use of a standard frame containing information (like company name and navigation bars) that remains on the screen while the user moves around the text in another frame.

G

Gateway Server - A computer (server) that connects a private network to the private network of a servicer or other business.

H

Hacker - An individual who attempts to break into a computer without authorization.

Hardening - The process of securing a computer’s administrative functions or inactivating those features not needed for the computer’s intended business purpose. 


Hash Totals - A numerical summation of one or more corresponding fields of a file that would not ordinarily be summed. Typically used to detect when changes in electronic information have occurred.

Hosting - See "Website Hosting".

HTML - Abbreviation for “Hypertext Markup Language.” A set of codes that can be inserted into text files to indicate special typefaces, inserted images, and links to other hypertext documents.

Hyperlink - An item on a webpage that, when selected, transfers the user directly to another location in a hypertext document or to another webpage, perhaps on a different machine. Also simply called a “link.”

I

Interface - Computer programs that translate information from one system or application into a format required for use by another system or application.

Internet - A worldwide network of computer networks, governed by standards and protocols developed by the Internet Engineering Task Force (IETF).

Internet Service Provider (ISP) - A company that provides its customers with access to the Internet (e.g., AT&T, Verizon, CenturyLink).

Interoperability Standards/Protocols - Commonly agreed on standards that enable different computers or programs to share information. Example: HTTP (Hypertext Transfer Protocol) is a standard method of publishing information as hypertext in HTML format on the Internet.

K

Kiosk - A publicly accessible computer terminal that permits customers to directly communicate with the financial institution via a network.

L

Legacy Systems - A term commonly used to refer to existing computer systems and applications with which new systems or applications must exchange information.

Lockout - The action of temporarily revoking network or application access privileges, normally due to repeated unsuccessful logon attempts.

M

Mnemonic - A symbol or expression that can help someone remember something. For example, the phrase “Hello! My name is Bill. I'm 9 years old.” might help an individual remember a secure 10-character password of “H!MniBI9yo.”


N

Network Administrator - The individual responsible for the installation, management, and control of a network.

P

Passwords - A secret sequence of characters that is used as a means of authentication.

Patching - Software code that replaces or updates other code. Frequently patches are used to correct security flaws.

Penetration Test - The process of using approved, qualified personnel to conduct real-world attacks against a system so as to identify and correct security weaknesses before they are discovered and exploited by others. 

Personal Digital Assistant (PDA) - A pocket-sized, special-purpose personal computer that lacks a conventional keyboard.

Phishing - A digital form of social engineering that uses authentic-looking — but bogus — e-mail to request information from users or direct them to fake Web sites that request information.

PKI - Abbreviation for “public key infrastructure.” The use of public key cryptography in which each customer has a key pair (i.e., a unique electronic value called a public key and a mathematically-related private key). The private key is used to encrypt (sign) a message that can only be decrypted by the corresponding public key or to decrypt a message previously encrypted with the public key. The public key is used to decrypt a message previously encrypted (signed) using an individual's private key or to encrypt a message so that it can only be decrypted (read) using the intended recipient’s private key. See "Encryption".

Pop-Up Box - A dialog box that automatically appears when a person accesses a webpage.

Private Key - See "PKI".

Proxy Server - An Internet server that controls client computers’ access to the Internet. Using a proxy server, a company can stop employees from accessing undesirable websites, improve performance by storing webpages locally, and hide the internal network's identity so monitoring is difficult for external users.

Public Key - See "PKI".

R

Repudiation - The denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication.

Router - A hardware device that connects two or more networks and routes incoming data packets to the appropriate network.


S

Script - A file containing active content; for example, commands or instructions to be executed by the computer.

Server - A computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.

Smart Cards - A card with an embedded computer chip on which information can be stored and processed.

Screen Scraping - A process used by information aggregators to gather information from a customer’s website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator’s site. The process is analogous to “scraping” the information off the computer screen.

SSL (Secure Socket Layer) - An encryption system developed by Netscape. SSL protects the privacy of data exchanged by the website and the individual user. It is used by websites whose names begin with https instead of http.

Suspicious Activity Report (SAR) - Reports required to be filed by the Bank Secrecy Act when a financial institution identifies or suspects fraudulent activity.

T

Token - A small device with an embedded computer chip that can be used to store and transmit electronic information.

Topology - A description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.

U

URL - Abbreviation for “Uniform (or Universal) Resource Locator.” A way of specifying the location of publicly available information on the Internet, in the form: protocol://machine:port number/filename. Often the port number and/or filename are unnecessary.

V

Virtual Mall - An Internet website offering products and services from multiple vendors or suppliers.

Virtual Private Network (VPN) - A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.

Virus - Malicious code that replicates itself within a computer.


W

Weblinking - The use of hyperlinks to direct users to webpages of other entities.

Website - A webpage or set of webpages designed, presented, and linked together to form a logical information resource and/or transaction initiation function.

Website Hosting - The service of providing ongoing support and monitoring of an Internet-addressable computer that stores webpages and processes transactions initiated over the Internet.

Wireless Application Protocol (WAP) - A data transmission standard to deliver wireless markup language (WML) content.

Wireless Gateway Server - A computer (server) that transmits messages between a computer network and a cellular telephone or other wireless access device. 

Wireless Phone - See "Cellular Telephone".

Worm - A self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is primarily because of security vulnerabilities on the target computers. 


WHAT’S NEW – FFIEC CYBERSECURITY

There are numerous resources for Cybersecurity on the FFIEC website, including a “Cybersecurity Assessment Tool”. Here is the link to the resource and some of the highlights:

https://www.ffiec.gov/cyberassessmenttool.htm

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.

The following resources can help management and directors of financial institutions understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions.

Overview for Chief Executive Officers and Boards of Directors (PDF)

Cybersecurity Assessment Tool (PDF)

User’s Guide (PDF)

Inherent Risk Profile (PDF)

Cybersecurity Maturity (PDF)

Additional Resources

Appendix A: Mapping Baseline Statements to the FFIEC IT Handbook (PDF)

Appendix B: Mapping to NIST Cybersecurity Framework (PDF)

Appendix C: Glossary (PDF)

FFIEC Cybersecurity Assessment Tool Presentation (slides and video)

Process Flow for Institutions:

Step 1: Read Overview for Chief Executive Officers and Boards of Directors to gain insights on the benefits to institutions of using the Assessment, the roles of the CEO and Board of Directors, a high-level explanation of the Assessment, and how to support implementation of the Assessment.

Step 2: Read the User's Guide to understand all of the different aspects of the Assessment, how the inherent risk profile and cybersecurity maturity relate, and the process for conducting the Assessment.

Step 3: Complete Part 1: Inherent Risk Profile of the Cybersecurity Assessment Tool to understand how each activity, service, and product contributes to the institution’s inherent risk, and to determine the institution’s overall inherent risk profile and whether a specific category poses additional risk.

Step 4: Complete Part 2: Cybersecurity Maturity of the Cybersecurity Assessment Tool to determine the institution’s cybersecurity maturity levels across each of the five domains.

Step 5: Interpret and Analyze Assessment Results to understand whether the institution’s inherent risk profile is appropriate in relation to its cybersecurity maturity and whether specific areas are not aligned. If management determines that the institution’s maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels.

Refer to the User's Guide for additional explanation of Steps 3, 4, and 5.

In addition to the “Overview for Chief Executive Officers and Boards of Directors”, the FFIEC has released the following documents to assist institutions with the Assessment.

Appendix A: Mapping Baseline Statements to FFIEC IT Handbook

Appendix B: Mapping to NIST Cybersecurity Framework

Appendix C: Glossary


SOURCES OF INFORMATION FOR MANAGING E-BANKING

The FFIEC has numerous resources to assist with managing the risks of E-Banking. Here is a link to a portion of those resources:

http://ithandbook.ffiec.gov/it-booklets/e-banking.aspx

E-Banking

This booklet, one of several comprising the FFIEC Information Technology Examination Handbook (IT Handbook), provides guidance to examiners and financial institutions on identifying and controlling the risks associated with electronic banking (e-banking) activities.

Downloads

Printable Version of E-Banking IT Booklet

Workprogram - Generic word-processing version

Workprogram - Microsoft Word 2000 version

Chapters

Introduction

E-Banking Risks

Risk Management of E-Banking Activities

Appendix A: Examination Procedures

Appendix B: Glossary

Appendix C: Laws, Regulations, and Guidance

Appendix D: Aggregation Services

Appendix E: Wireless Banking

GO TO APPENDIX C: Laws, Regulations, and Guidance. There are resources listed BY regulator.

FIND YOUR REGULATOR!

These are the BASIC laws:

Resource Title                                                                                Type   Date
12 USC 1861-1867(c): Bank Service Company Act                                                 Laws   N/A
15 USC 6801 and 6805(b): Gramm-Leach-Bliley Act (GLBA)                                        Laws   N/A
18 USC 1030: Fraud and Related Activity in Connection with Computers                          Laws   N/A
Pub. L. No. 106-229: Electronic Signatures in Global and National Commerce Act (E-Sign Act)   Laws   N/A
Pub. L. No. 107-56: USA PATRIOT Act                                                           Laws   N/A