Association of Credit Union Internal Auditors



General Review Areas

A1. Website Address:

A2. Is the website hosted internally or externally?

A3. Domain Names:
- Is more than one domain name owned and, if so, what names are owned?
- Is the domain name expired?
- What kind and how much contact information is provided? (e.g. search)

A4. Is there a website compliance policy/procedure relating to the various website governance issues:
- Updating procedures?
- Posting responsibility?
- Testing performed before posting?
- Handling incoming/outgoing email through the website?
- Protecting nonpublic consumer information?
- Record retention?

A5. Is the website Americans with Disabilities Act (ADA) compliant? A quick scan tool ().

A6. Does e-commerce/electronic computer crime insurance cover website incidents? If so, what are the coverage limitations?

A7. Are internal and external hyperlinks functional?

A8. Are popup disclosures/disclaimers present on external hyperlinks that warn consumers when they leave the Credit Union's website?

A9. Webpage formatting:
- Are website pages formatted appropriately?
- Is the information easily readable?
- Is the posted information correct?

A10. If the website contains an email contact (which may or may not be an email hypertext link), does a popup disclosure or disclaimer state that this may be an unsecured Internet transmission and that consumers should refrain from sending nonpublic personal information via this method? Alternatively, does the Credit Union provide consumers with a secure electronic messaging method?

A11. If the website advertises employment opportunities and accepts job applications and resumes electronically, is the transmission method encrypted and secured?

A12. If a financial calculator is present, does a disclaimer state that inconsistencies may occur with the use of the calculator and that the outcomes are not credit guarantees?

A13. Is a USA PATRIOT Act disclosure posted?

A14. Is a Member/Customer Privacy Statement posted? The Statement should include:
- The acceptance of cookies
- External links to third parties
- Handling of emails
- Children's Online Privacy Protection Act
- Non-customer information captured by the website

A15. Is language present to meet Children's Online Privacy Protection Act (COPPA) compliance? If a 'Kid's Corner' or other kids' activities are on the site, guardian consent is required for minors under the age of 13. COPPA requires a clearly written privacy notice that includes:
- Name and contact information of the institution.
- Notice about what type of information is collected, how it is used, and the procedures used for its collection.
- Whether the information is disclosed to third parties.
- Obtaining verifiable guardian consent.
- A reasonable means for guardians to review the personal information and to refuse its continued use or maintenance. Detailed removal procedures must be present.
- Inquiries may not ask a child for more information than is reasonably necessary to participate in the activity.
- Establishing and maintaining reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children.

Electronic Banking

B1. Is a security logo/statement present that assures Members that their information will be secure?

B2. Password Security Controls:
- Are passwords required to be changed periodically?
- What is the minimum password construct (length and complexity)?
- What type of multi-factor authentication (MFA) is implemented?
- Is an inactivity time-out feature enabled? Is the time reasonable?
- Are accounts locked out after unsuccessful access attempts, for both the password and MFA? Is the number of attempts allowed before lock-out reasonable?
- What is the procedure to re-establish authentication (password and MFA) for locked-out accounts?
- Are controls in place to limit/prevent session (webpage) caching?
- Do temporarily assigned passwords expire?
- Do employees establish and know the members' temporary passwords?
- Do temporary and initial password constructs meet the minimum required password construct?
- Does the application force joint account holders to share User IDs and passwords if both parties desire online access?
- Who are the administrators on each platform at the Credit Union?
- Is a fraud detection and monitoring system in place, and does it consider member history and behavior to enable a timely and effective response?
- What are the default alert settings (e.g. user name change, password change, email address change, physical address change, etc.)?
- If email address changes are accepted electronically, is an alert sent to both the old and the new email address?
- If electronic banking services may be enrolled through an automated system (e.g. online), how does it verify that the consumer is at least 13 years of age, or does the system record the guardian's permission to gather PII (under COPPA's definition, an email address is PII)?
- Are dollar threshold limits placed on bill pay (individual or daily aggregate limits) and are the limits appropriate?
- Are member-to-member (M2M) and person-to-person (P2P) payments accepted, and are the limits and controls reasonable?
- How are mobile banking applications made available to members?
- What operating systems support the mobile banking application?
- If a member submits an online loan application, is there a security logo/statement that assures the member that personal information will be transmitted securely?
- If the ability to submit an online loan/account application is available, how is the application signature requirement handled [E-Sign]?
Channels to review: On-line Banking, Mobile Banking, Text Banking, Audio Banking, Bill Pay, Online Loan Application, Online Mortgage Application, Online Account Opening.

B3. Are inactive online banking accounts tracked and disabled after an appropriate period of inactivity?

B4. Is E-Sign / the Uniform Electronic Transaction Act (UETA) (state law) adhered to? This Act states that a consumer's consent to receive electronic records is valid only if the consumer consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.

B5. Does a statement exist that describes the necessary hardware/software requirements to utilize the on-line banking system?

B6. Are Regulation E disclosures stated and are they in a printable format? The disclosure should include:
- Liability of member
- Credit Union's telephone number and address
- Definition of business days
- Types of transfers and limitations
- Fees
- Member's right to receive documentation
- Stop payment rights and procedures
- Credit Union's liability for failing to stop certain transactions
- Confidentiality/information sharing procedures
- Error resolution procedure

Savings Accounts

C1. If savings rates are disclosed, is a stated effective date present and are the rates disclosed as an 'Annual Percentage Yield'? Are the rates correct?

C2. Is the NCUA logo and/or share insurance statement present at the bottom of all web pages offering services, and is the logo/statement displayed in a readable font size? If non-insured financial services are offered on a page, a disclosure should state this insurance exclusion.

C3. Savings considerations:
- Are the minimum amounts both to open an account and to earn dividends/interest disclosed?
- Is it disclosed that "fees may reduce earnings on the accounts"?
- Is a fee schedule disclosed? If a fee schedule is disclosed, is it linked to this page or on the page that describes the accounts?

Loan Accounts

D1. Is the Equal Credit Opportunity Act (ECOA) logo present on this webpage and presented in a readable font size?

D2. If loan rates are posted, are effective dates posted and are the rates current? Are the rates posted to the correct decimal place?

Social Media

E1. Social media concerns:
- Does the Credit Union utilize social media for business use (e.g. Facebook, Twitter, YouTube, Google+)? Who are the administrators?
- Are the social media channels updated with relevant information?
- Are unapproved hyperlinks present on these channels?
- Are the appropriate disclosures complied with on any advertisements?

E2. Did the Board approve a credit union social media use policy and social media risk assessment? Did the Board include social media use in the Credit Union's strategic plan?

E3. If a policy exists, does it address:
- The business case, goals, and objectives for the use of social media products?
- The parties responsible for the updating, monitoring, and maintenance of the social media products?
- How negative comments posted about the Credit Union are handled?

E4. Did the Board establish a risk management program appropriate to the size and complexity of the credit union and the breadth of its involvement with social media?

Reference Section

General Review Areas

A1. The name of the website.

A2. If the website is hosted internally, it should reside in a DMZ. A DMZ is a segregated area of the network that uses logical controls to restrict access to the internal network. Management should be able to provide a network diagram showing where the website resides within the network. Management should restrict programming and administration rights to only those employees with a legitimate business reason.

A3. Alternate Credit Union registered domain names may confuse account holders, inviting phishing attempts. Credit Unions "should ensure their domain name is registered to them, under their control, and clearly communicated to their customers (OCC Alert 2000-9)." In addition, detailed domain registry contact information for the administrator (name and email) may provide a launching pad for social engineering attacks.

A4. ...ernance procedures should include retaining printed or electronic pages of the website every time site revisions are performed. This does not mean a copy must be retained for changing interest/loan rates or the fee schedule. The copies should assist management if questioned by regulators or in litigation proceedings about how website information was presented to the public.

A5. The Credit Union's website must follow the World Wide Web Consortium's (W3C) main international standards for the World Wide Web and its accessibility. W3C created the Web Content Accessibility Guidelines (WCAG 2.0).

A6. Depending on the importance of the website for service delivery, management should consider purchasing additional ecommerce insurance (NCUA Letter to Credit Unions 01-CU-12). Some operational factors may include: downtime/availability, reputational costs, restoration costs, electronic crime, failure of service provider, etc.

A7. Management should audit internal/external hyperlinks on a frequent basis to determine functionality. If external links are not audited, account holders/browsers may be sent to inappropriate websites, incurring reputational risk (NCUA Letter to Credit Unions 02-FCU-04 and OCC Bulletin 2001-31).

A8. Web linking relationships add legal and reputational risk exposure. Risks should be mitigated by speedbumps (e.g. pop-up disclosures), agreements with these partners, and audit procedures (NCUA Letter to Credit Unions 02-FCU-04 and OCC Bulletin 2001-31).

A9. The website should be easily readable and navigable. The website should follow a logical layout with an emphasis on ease of use. To achieve efficiency, the pages should use 'back' or 'to top' hyperlinks. Webpages should fit the full screen and information should not be obscured by page template designs. Management must make disclosures clear and conspicuous. In addition, posted information must be current and accurate.

A10. Management should warn email users about the possible loss of confidentiality to lessen legal and reputational risk exposure.

A11. Even though job applications and resumes may not contain consumers' traditional personally identifiable information, these documents contain confidential information elements. Depending on the definition of personally identifiable information, the enclosed information may qualify. Since the Credit Union is in the business of reputation and of securing financial information, management should extend security over this information.

A12. Management must assume responsibility for web linking relationships. If the financial calculator is erroneous, management should not be liable for the calculation, but only for the web link (NCUA Letter to Credit Unions 02-FCU-04 and OCC Bulletin 2001-31).

A13. USA PATRIOT Act is an acronym for the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act" of 2001. Management must disclose to a potential member account holder that the Credit Union will verify the individual's identity as part of its member information security program to prevent fraudulent and illegal activities.

A14. The Privacy Policy should be posted, explaining the Credit Union's position on consumer privacy. In addition, a security statement should be posted or included in the Privacy Policy. A Privacy Policy is required by the Gramm-Leach-Bliley Act. NCUA Rules and Regulations, Part 716, requires the notice to call attention to the nature and significance of the information in the policy if management uses text or visual cues to encourage scrolling to view the entire notice, and to ensure that other elements on the website (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice. Management must either place the notice on a highly frequently accessed screen (such as a home page or a page where transactions are conducted) or place, on a screen frequently accessed by consumers, a link that connects directly to the notice and is labeled appropriately to convey the importance, nature, and relevance of the notice.

A15. Management must comply with the Children's Online Privacy Protection Act (COPPA) of 1998 requirements. Management should periodically verify that the Credit Union does not collect information from minors.

Electronic Banking

B1. Internet banking should be performed through a secured connection. Security should be evidenced by a "lock" logo in the corner of the URL line and/or by other accepted security means.

B2. Internet banking should minimally follow the same password standards and controls construct reflected in industry standards and best practices. If the industry standards are not enforceable, management should formally acknowledge the risk in the electronic banking services risk assessment and consult with their vendor for support. Internet banking should use automatic log-offs, because users may access their accounts electronically and leave the access point unattended. The time-out period should be reasonable. Management should enable controls to prevent session caching and not allow unauthorized individuals to use the 'back' button command on the Internet browser to view or gain access to the member's account. If loan applications are taken online, management should assure the applicant that his/her nonpublic personal information is transmitted securely. This may be evidenced by the 'lock' logo, by 'https://', or by other means. If online loan applications are accepted, management should be able to demonstrate how they conform to E-Sign requirements. A method must exist to show that the loan application in fact originated from the applicant and that the applicant attests the information submitted is accurate and truthful. NCUA Letter 01-RA-03 provides additional information.

B3. Dormant electronic banking services accounts should be disabled after an appropriate period of disuse. Management should limit undue risk exposure and actively monitor electronic banking services usage.

B4. If management requires contract documents and regulatory disclosures to be "in writing", the policy is: "All contractual and disclosure communication with customers that must be in writing will be delivered in paper form." If these items are delivered electronically, management will have to initiate an email-based delivery of electronic documents to satisfy the FRB's and NCUA's Truth-in-Savings regulation, and implement the E-Sign disclosure and opt-in (consumer consent), including the "E-Sign handshake". Management must give the consumer a consent form acknowledging the consumer's right to receive the disclosure in paper form, the ability to withdraw consent to electronic notification, and any fees associated with changing the consent format.

B5. Management should provide electronic banking services instructions and documentation on the system resources required to enable the elected services.

B6. Management should provide Regulation E disclosures via the website. The disclosure should be made at the time the member contracts for an electronic funds transfer service or before the first electronic fund transfer is made involving the member's account. The Credit Union may send the disclosure electronically, as long as the disclosure is clear and readily understandable and in a form the member may keep.

Savings Accounts

C1. If deposit account dividend/interest rates are posted, the effective date should be posted and the dividend/interest rate posted as Annual Percentage Yield. The type size must be readable (Truth-in-Savings Act).

C2. Management must place the NCUA logo and statement on the home page and on every page that offers depository accounts. If noninsured accounts are offered, management must clearly designate and disclose these accounts as not insured. The statement must state that the deposits are insured by the applicable federal insurance agency up to $250,000. The official advertising statement must comply with 12 CFR, NCUA's Rules and Regulations, Part 740, Accuracy of Advertising and Notice of Insured Status.

C3. The minimum amount to open a deposit account and the minimum amount required to earn dividends/interest must be disclosed. In addition, a fee schedule should be posted, with an effective date. A statement disclosing that fees may reduce earnings on the account should also be on the page.

Loan Accounts

D1. The Equal Housing Lender logo must appear on any Credit Union webpage that involves loans for the purpose of purchasing, constructing, improving, repairing, or maintaining a dwelling (12 CFR 338.3). The Equal Credit Opportunity Act (ECOA) is a prohibition against advertisements that discourage applications. ECOA and Regulation B prohibit creditors from discriminating on certain bases (race, sex, etc.) with respect to any aspect of a credit transaction. "Any aspect" includes advertisements of loan products; otherwise, a creditor might think it could surreptitiously discriminate by advertising in a way that would discourage applications from members of groups against whom the creditor would otherwise openly discriminate.

D2. Truth-in-Lending requires that if loan rates are posted, management must state the Annual Percentage Rate. The effective date for the loan rates should also be disclosed.

Social Media

E1. Social media channels must be updated regularly to demonstrate management's proficiency with the selected channel. Each social media channel should be displayed or used slightly differently; a single display format or use type is not appropriate for all. If these channels contain links to videos or to other social media, the links should be approved and appropriate.

E2. The use of social media by the Credit Union should be governed by a Board-approved policy, either stand-alone or incorporated into another policy. Strategic planning should indicate the uses/plans for social media (e.g. gaining additional members, improving loan demand, etc.).

E3. The policy should establish the business case for the use of social media, risk management and control procedures, responsibilities for monitoring and updating content on social media, compliance with all applicable consumer protection laws and regulations, and acceptable use of social media (for example, what type of information the Credit Union is allowed to put on social media, whether comments and "likes" are allowed, etc.).

E4. A risk management program, commensurate with the size and complexity of the Credit Union as well as the nature of its use of social media, should be present. The FFIEC guidance on Social Media provides more detailed information.

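An offline helper an auditor could use for checklist items B2 (controls that limit session/webpage caching) and A7/A8 (internal versus external hyperlinks, the latter needing an exit disclosure). This is an added example, not ACUIA material; the response headers, HTML and hostnames are constructed sample data, and only the Python standard library is used.

```python
"""Offline checks for checklist items B2 (session caching) and A7/A8 (links).
Added example, not part of the ACUIA checklist; all input below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed capture of an authenticated online-banking page (placeholder host).
SITE = "https://onlinebanking.example-cu.test/"
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, max-age=600",  # weak: browser may keep a copy
}
SAMPLE_HTML = """
<html><body>
<a href="/accounts/summary">Accounts</a>
<a href="rates.html">Savings rates</a>
<a href="https://www.ncua.gov/">NCUA share insurance</a>
<a href="http://partner.example-calc.test/calc">Mortgage calculator</a>
</body></html>
"""


def check_session_caching(headers):
    """B2: report header settings that let a browser or proxy keep a copy of an
    authenticated page, so the 'back' button or the cache could show it again."""
    findings = []
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache")
    if headers.get("Pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (legacy HTTP/1.0 caches)")
    if headers.get("Expires", "").strip() not in ("0", "-1"):
        findings.append("Expires not set to 0/-1")
    return findings


class _LinkCollector(HTMLParser):
    """Collects every <a href> value on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def classify_links(html, page_url):
    """A7/A8: resolve each href against the page URL and split the links into
    internal (to be tested for functionality) and external (which need the
    'you are leaving the Credit Union's website' disclosure)."""
    collector = _LinkCollector()
    collector.feed(html)
    site_host = urlparse(page_url).netloc.lower()
    internal, external = [], []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        target = internal if urlparse(absolute).netloc.lower() == site_host else external
        target.append(absolute)
    return internal, external


if __name__ == "__main__":
    for finding in check_session_caching(SAMPLE_HEADERS):
        print("B2 finding:", finding)
    internal_links, external_links = classify_links(SAMPLE_HTML, SITE)
    print("A7 internal links to test:", internal_links)
    print("A8 external links needing an exit disclosure:", external_links)
```

Run it against headers and HTML captured from a logged-in session; an empty B2 finding list and an external-link list that matches the pages carrying the pop-up disclosure are the expected results.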