Feds Buckle Down on Customer Information Security
Featured Author - Laura Taylor
- February 9, 2002
In an effort to improve the state of consumer privacy,
the Federal Reserve Board,
the Federal Deposit Insurance Corporation (FDIC),
the Office of the Comptroller of the Currency (OCC),
and the Office of Thrift Supervision,
on January last year announced that they have put together joint guidelines to safeguard confidential customer information. The guidelines, that took effect last July, implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA) initiated by the Senate Banking Committee, and passed into law on November 4, 1999. This announcement had significant implications for online banking institutions
This is good news for both consumers and the banking industry. Online banks develop many strategic relationships with online merchants. In doing so, sensitive customer information currently can be transmitted across insecure networks in plaintext, without significant recourse or penalties. It will be up to the online banks to make sure their merchant partners are complying with these new regulations. While this undoubtedly increases the workload for online financial institutions, it will also give them leverage to force their merchant partners to comply with standard best-practice information security measures.
While most online banks and merchants acknowledge the importance of data security, it is often the last thing taken into consideration when architecting an online payment system. In some cases, an online payment system can consist of an intricate interconnection of networks between a bank, a managed service provider, an online merchant, and a payment processing order fulfillment organization. Making sure they all have their ducks lined up when it comes to privacy and security is no easy task.
According to these new guidelines, the onus will be put on the online financial institution to make sure that their strategic merchant and service provider partners are all in compliance. Online banks will be setting a precedent for their ASPs, ISPs, and their merchant partners, who will have no choice but to follow suit if they expect to obtain these financial institutions as their customers.
According to Greg Caruso, Chief Technology Officer at online financial institution ClarityBank.com, "This doesn't come as a surprise. As bank customers ourselves, we've always understood the need for our customer's privacy. We're not in the business of selling our customer's information. But as with all new guidelines, we'll be reviewing our IT security policy, web site and vendor relationships to make sure we're in compliance."
For online banks, these new guidelines will require that they are not only going to be held responsible for securing customer information, but they will also need to establish a formal Information Security Program as well (if they don't already have one). The Information Security Program will be required to develop a written plan that contains policies and procedures for managing and controlling risks, and protects against anticipated threats and potential hazards. Testing, implementing, and adjusting the plan periodically will also be subject to audits by Federal regulators.
How can an online bank make this tough job easier? By selecting a service providers that have well-managed information security departments. A good Information Security Officer at an ASP or ISP ought to be able to assist the online banking institution with fulfilling their compliance requirements. Managed service providers that are unable to meet the security requirements of online financial institutions will be at a distinct disadvantage when it comes to obtaining new eCommerce customers. An ASP or ISPs Information Security Officer will become increasingly visible, and will be a key player in obtaining new financial customers.
About the Author
Laura Taylor is the Chief Technical Officer of Relevant Technologies (http://www.relevanttechnologies.com) a leading provider of original information security content, research advisory services, and best practice IT management consulting services. You can contact her by e-mail on firstname.lastname@example.org.