Better websites mean tougher compliance
The richer the site, the greater the regulatory burden.
By Nancy D. Castiglione, contributing editor and principal, D-C Compliance Services, Highlands Ranch, Colo.
It’s the rare bank that does not have a website, and most banks have moved well beyond a basic, information-only site of static pages. The industry has moved from the innovator phase through the rapid-growth phase to the current maturing phase of sophistication and refinement of web banking features, as depicted in this month’s cover story (p. 35). As bank websites have matured, so have the compliance requirements and responsibilities that come with establishing and maintaining them. Compliance requirements touch just about every phase of the bank-customer relationship; possibly the only one not typically associated with the internet is the collections function.
With all of these relationships there are compliance issues of disclosure, privacy, security, risk assessment, fairness, and accuracy. There are technical requirements and there are broad regulatory expectations that are harder to put a finger on.
In some cases, banks have solved the basic compliance issues by finding ways to simplify or streamline website presentation. For example, instead of trying to figure out which web pages need the Member FDIC language under the applicable regulation, many banks have decided to put the FDIC statement in the footer of every page of the site. That creates another problem if the site contains information about investments, since non-deposit investment products are not FDIC-insured and a blanket footer can imply otherwise. Many banks have also built rate-disclosure tables for their websites that comply with Regulation DD or Regulation Z and can be updated simply by plugging in the latest rates each time rates change.
In other cases, banks have solved their compliance issues by avoiding troublesome areas. If a bank has been criticized by regulators or auditors for inaccurate disclosures based on triggering terms of Regulation Z, it might simply eliminate the triggering terms from the site and direct consumers to call the bank for specific information.
Four web compliance trouble spots
With aging (pardon me, maturing) comes different aches and pains in website compliance. While missing FDIC and Equal Housing Lender logos may not be common compliance problems anymore, there are still plenty of compliance concerns to watch for in the area of internet website compliance. Here are four to watch:
E-Sign The Electronic Signatures in Global and National Commerce Act (E-Sign), enacted in 2000, has been fully in effect since 2001. In essence, E-Sign gives legal validity to electronic documents and electronic signatures and sets requirements for the use of electronic disclosures in consumer transactions.
The Federal Reserve attempted to create rules to establish uniform standards for the electronic delivery of disclosures required under the consumer protection regulations of Z (Truth in Lending), B (Equal Credit Opportunity), E (Electronic Funds Transfer), M (Consumer Leasing), and DD (Truth in Savings). Interim rules were finalized in 2001, but were subsequently made voluntary by the Fed later that year.
Most recently, in November 2007, the Federal Reserve Board issued final rules relating to electronic disclosures that conform to E-Sign requirements. Furthermore, these new rules amending Regulations Z, B, E, M and DD are no longer voluntary. Compliance with the provisions will be required by Oct. 1, 2008.
Banks are in the process of determining what changes, if any, are needed to their internet banking services and disclosures in order to comply with the amended regulations. Because the amendments are mandatory, there is less confusion about the status of the regulations. According to one examiner I spoke with, the final rules provide examiners with teeth.
Some of the most troublesome aspects of E-Sign are not addressed by the Federal Reserve’s consumer regulation amendments at all: the practical question of how to obtain a consumer’s affirmative consent to receiving disclosures electronically, and how to get the consumer to demonstrate that he or she can actually access information in the electronic form the bank will use. Richard Insley of APR Systems, Inc., a recognized expert in internet bank compliance, says there is a big difference between “demonstration,” which E-Sign requires, and “declaration.” Many banks rely on a declaration by the consumer that electronic disclosures are desired or acceptable, without requiring the consumer to demonstrate the ability to receive disclosures in electronic form. The regulators do not prescribe a particular method a bank must use to obtain that demonstration, but they do expect the bank to use a method that actually achieves the result.
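The demonstration-versus-declaration distinction above is easy to state and easy to get wrong in an enrollment form. The following is an added example, not code from the article or from any vendor named in it, of a consent flow that only records consent as demonstrated once the consumer has retrieved a one-time code from a sample disclosure delivered in the same format the bank will use for real disclosures. The record fields, the code format, the 15-minute validity window and the method names are assumptions for illustration; no regulator prescribes them.

```python
"""Added example: E-Sign consent that distinguishes a consumer's
*declaration* (a ticked box) from a *demonstration* (retrieving a code
from a sample disclosure in the real delivery format).
Field names, token format and expiry are assumptions, not regulatory text."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: sample-disclosure code is valid for 15 minutes


@dataclass
class ConsentRecord:
    customer_id: str
    declared: bool = False          # consumer ticked "I consent to electronic disclosures"
    demonstrated: bool = False      # consumer proved access by returning the embedded code
    fmt: Optional[str] = None       # delivery format actually demonstrated (e.g. "pdf")
    _token: Optional[str] = field(default=None, repr=False)
    _issued: float = 0.0


class EsignConsentFlow:
    """Minimal state machine around a per-customer ConsentRecord."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._records: Dict[str, ConsentRecord] = {}

    def declare(self, customer_id: str) -> ConsentRecord:
        """Record the checkbox. On its own this is only a declaration."""
        rec = self._records.setdefault(customer_id, ConsentRecord(customer_id))
        rec.declared = True
        return rec

    def issue_sample_disclosure(self, customer_id: str, fmt: str) -> str:
        """Return the body of a sample disclosure to deliver in `fmt` through the
        same channel real disclosures will use. It carries a one-time code that
        only someone who can actually open the document can read. Re-issuing
        invalidates any earlier demonstration so the format on record is current."""
        rec = self._records.setdefault(customer_id, ConsentRecord(customer_id))
        code = secrets.token_hex(4).upper()          # 8 hex characters, unguessable
        rec._token, rec._issued, rec.fmt = code, self._now(), fmt
        rec.demonstrated = False
        return f"SAMPLE DISCLOSURE ({fmt})\nEnter this code on the bank site: {code}\n"

    def confirm(self, customer_id: str, entered_code: str) -> bool:
        """Accept the code once, within the validity window, using a
        constant-time comparison. Success marks access as demonstrated."""
        rec = self._records.get(customer_id)
        if rec is None or rec._token is None:
            return False
        if self._now() - rec._issued > TOKEN_TTL_SECONDS:
            rec._token = None                          # expired: consumer must re-request
            return False
        ok = secrets.compare_digest(rec._token, entered_code.strip().upper())
        if ok:
            rec.demonstrated = True
            rec._token = None                          # single use
        return ok

    def may_deliver_electronically(self, customer_id: str) -> bool:
        """Both halves are required: the consumer said yes AND showed they can read it."""
        rec = self._records.get(customer_id)
        return bool(rec and rec.declared and rec.demonstrated)


if __name__ == "__main__":
    flow = EsignConsentFlow()
    flow.declare("cust-1")
    print("after checkbox only:", flow.may_deliver_electronically("cust-1"))
    sample = flow.issue_sample_disclosure("cust-1", "pdf")
    code = sample.split(": ")[1].strip()               # what the consumer reads from the PDF
    print("code accepted:", flow.confirm("cust-1", code))
    print("after demonstration:", flow.may_deliver_electronically("cust-1"))
```

The point of the design is that the checkbox and the code entry are separate states, and delivery is gated on both; a form that sets a single "consents electronically" flag from the checkbox cannot tell the two apart later, which is exactly the evidence an examiner will ask for.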
Compliance controls The regulators are becoming more interested in the processes and controls in place to prevent compliance problems and detect such problems early so that they can be corrected. Waiting for the examiners to come in annually or less frequently to identify compliance concerns leaves a bank vulnerable for too long to the reputational and other risks of noncompliance.
Good internal controls relative to a bank’s internet website should involve:
• Written policies and procedures that address the regulatory requirements applicable to the bank’s website and its functions;
• Templates for portions of the website that have frequent updates;
• Compliance officer’s involvement in approving additions and changes to the website;
• Training for the appropriate employees about website compliance requirements;
• Periodic monitoring and audit of the website for regulatory compliance and other regulatory considerations;
• Vendor management and oversight if the website is handled externally;
• Senior management oversight of website strategy and direction.
If, despite such controls, a bank has compliance concerns with its website, does the bank have a process for correcting those deficiencies and documenting the corrections? That’s a critical step.
Security As bank websites gain functionality beyond the display of information, security becomes even more important, for the customer and for the bank. Much of the regulatory guidance of the past few years has dealt with security issues such as multifactor authentication, threat response programs, identity theft scams, and website spoofing. Banks and consumers are warned not to use e-mail to exchange personal financial information that could be used to steal someone’s identity. Banks are strongly encouraged to require multiple authentication factors for customer access to account information, to reduce the risk of intrusion by unauthorized parties. And banks are expected to have processes for notifying regulators and customers when a security breach is detected that could affect customer information.
Updates and changes Evolution in bank websites means change. There are ongoing changes caused by product changes and routine rate changes. Web pages are periodically redesigned to provide a fresh look or easier navigation. Any time there are changes, there is an increased risk for compliance errors, particularly if the bank’s compliance officer is not included in the review process.
A related problem is delay in making changes to correct compliance deficiencies. If a bank uses a third party to operate its website, there can be delays in getting the changes needed to meet compliance requirements. Sometimes the third party is unwilling to make changes, either because it does not understand the bank regulatory requirements or because it does not care. If a bank is the first or only client to raise the problem, the third party may not want to put in the work or expense to deal with it.
It would be wrong to assume that once a website is in place, an annual compliance monitoring review is sufficient to keep the bank in compliance. That may have been the case in the past, but not now.
Don’t lose sight of the basics
Websites of banks may be maturing and creating new compliance concerns. But, the old basic compliance requirements have not gone away. Banks still need to be sure to remember the old standbys, such as:
• Include all required disclosures when a Regulation Z or DD triggering term is included in the website;
• Spell out the term “Annual Percentage Yield” somewhere in the site and don’t use only the abbreviation, APY;
• Use privacy notices on the website that match the bank’s written privacy notice and the bank’s actual privacy practices;
• Equal Housing Lender logos must be legible—not too blurred or too small;
• Application forms must contain the required disclosures about requests for income or monitoring information.
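Several of the “old standbys” above, and the periodic monitoring called for under compliance controls, lend themselves to an automated sweep of the site between formal reviews. The following is an added example and not code from the article or from any bank or vendor: a small checker that runs simplified versions of four of these rules over a set of constructed HTML pages. The regular expressions, the handful of Regulation Z triggering-term phrases it recognizes, the “annual percentage rate” wording it treats as evidence of the accompanying disclosures, and the sample pages are all assumptions for illustration, not regulatory language; a real check would be tuned to the bank’s own disclosure templates.

```python
"""Added example: site-wide sweep for a few basic web-disclosure rules.
Patterns, expected disclosure wording and the sample pages are
assumptions for illustration, not regulatory text."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple


class _TextExtractor(HTMLParser):
    """Collect visible text and <img alt> values from one page."""

    def __init__(self):
        super().__init__()
        self.text: List[str] = []
        self.alts: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.alts.append(dict(attrs).get("alt") or "")

    def handle_data(self, data):
        self.text.append(data)


def extract(html: str) -> Tuple[str, List[str]]:
    p = _TextExtractor()
    p.feed(html)
    return " ".join(" ".join(p.text).split()), p.alts


# Assumed patterns. The triggering terms are a few closed-end credit examples
# (down payment, payment amount, number of payments); real coverage is wider.
TRIGGER_RE = re.compile(r"(no down payment|\$[\d,]+ (?:a|per) month|\d+ monthly payments)", re.I)
APR_RE = re.compile(r"annual percentage rate", re.I)          # assumed marker of the full disclosure
FDIC_RE = re.compile(r"member fdic", re.I)
INVEST_RE = re.compile(r"(mutual fund|investment product|securities|annuit)", re.I)
APY_ABBR_RE = re.compile(r"\bAPY\b")
APY_FULL_RE = re.compile(r"annual percentage yield", re.I)
EHL_RE = re.compile(r"equal housing lender", re.I)
MORTGAGE_RE = re.compile(r"\b(mortgage|home loan|home equity)\b", re.I)

F_APY = "APY used but 'Annual Percentage Yield' never spelled out"
F_NO_FDIC = "no Member FDIC statement"
F_FDIC_INVEST = "Member FDIC statement on a page describing investment products; review"
F_TRIGGER = "Reg Z triggering term without accompanying disclosures"
F_EHL = "mortgage content without Equal Housing Lender logo (alt text)"


def check_site(pages: Dict[str, str]) -> List[Tuple[str, str]]:
    """pages maps URL -> HTML. Returns sorted (url, finding) tuples.
    The APY rule is site-wide (the term must be spelled out somewhere);
    the others are per page."""
    findings: List[Tuple[str, str]] = []
    texts = {url: extract(html) for url, html in pages.items()}
    uses_abbr = any(APY_ABBR_RE.search(t) for t, _ in texts.values())
    spelled_out = any(APY_FULL_RE.search(t) for t, _ in texts.values())
    if uses_abbr and not spelled_out:
        findings.append(("<site>", F_APY))
    for url, (text, alts) in texts.items():
        if not FDIC_RE.search(text):
            findings.append((url, F_NO_FDIC))
        elif INVEST_RE.search(text):
            findings.append((url, F_FDIC_INVEST))
        if TRIGGER_RE.search(text) and not APR_RE.search(text):
            findings.append((url, F_TRIGGER))
        if MORTGAGE_RE.search(text) and not any(EHL_RE.search(a) for a in alts):
            findings.append((url, F_EHL))
    return sorted(findings)


# Constructed sample site (not a real bank's pages).
SAMPLE_SITE = {
    "/index.html": (
        "<html><body><h1>Community Bank</h1><p>Earn 3.25% APY on savings.</p>"
        "<p>Annual Percentage Yield accurate as of 04/01/2008.</p>"
        "<footer><small>Member FDIC</small></footer></body></html>"
    ),
    "/auto.html": (
        "<html><body><h2>Auto loans</h2><p>Drive away with no down payment!</p>"
        "<footer>Member FDIC</footer></body></html>"
    ),
    "/mortgage.html": (
        "<html><body><h2>Home loans</h2><p>Call us about mortgage options.</p>"
        '<img src="ehl.gif" alt="Equal Housing Lender">'
        "<footer>Member FDIC</footer></body></html>"
    ),
    "/invest.html": (
        "<html><body><h2>Investment Services</h2>"
        "<p>Mutual fund and annuity products are offered through a third party.</p>"
        "<footer>Member FDIC</footer></body></html>"
    ),
}

if __name__ == "__main__":
    for url, finding in check_site(SAMPLE_SITE):
        print(f"{url}: {finding}")
```

Run against the sample site it reports the auto-loan page (a triggering term with no disclosures) and the investment page (the blanket FDIC footer landing on non-deposit products); the savings and mortgage pages pass. A sweep like this does not replace the compliance officer’s review, but run on every deployment it catches the regressions that creep in with routine rate and design changes long before the next annual review.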
The list could go on. Bank website compliance rules are still with us and growing in complexity. Keep one eye on the old favorites and the other on the future possibilities of the internet, and on how to comply in both worlds.
The electronic version of this article is available at: http://lb.ec2.nxtbook.com/nxtbooks/sb/ababj0408/index.php?startid=54