[Federal Register Volume 63, Number 156 (Thursday, August 13, 1998)]
[Proposed Rules]
[Pages 43327-43330]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-21704]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 555

[No. 98-77]
RIN 1550-AB00


Electronic Operations

AGENCY: Office of Thrift Supervision, Treasury.

ACTION: Supplemental notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: On October 3, 1997, the Office of Thrift Supervision (OTS) 
published a notice of proposed rulemaking (NPR) to streamline and 
update its electronic operations regulations. Today's supplemental 
notice of proposed rulemaking (Supplemental NPR) seeks comment on 
additional proposed rules that would require each savings association 
to notify OTS before it establishes a transactional web site. Savings 
associations that present supervisory or compliance concerns may be 
subject to additional procedural requirements.

DATES: Comments must be received on or before September 14, 1998.

ADDRESSES: Send comments to Manager, Dissemination Branch, Records 
Management and Information Policy, Office of Thrift Supervision, 1700 G 
Street, NW., Washington DC 20552; Attention Docket No. 98-77. These 
submissions may be hand-delivered to 1700 G Street, NW., from 9:00 a.m. 
to 5:00 p.m. on business days; they may be sent by facsimile 
transmission to FAX Number (202) 906-7555 or by e-mail 
[email protected]. Those commenting by e-mail should include 
their name and telephone number. Comments will be available for 
inspection at 1700 G Street, NW., from 9:00 a.m. until 4:00 p.m. on 
business days.

FOR FURTHER INFORMATION CONTACT: Richard Bennett, Counsel (Banking and 
Finance), (202) 906-7409; Karen A. Osterloh, Assistant Chief Counsel, 
(202) 906-6639; Paul D. Glenn, Special Counsel, Chief Counsel's Office, 
(202) 906-6203; Paul J. Robin, Program Analyst, Compliance Policy, 
(202) 906-6648; or Paul R. Reymann, Policy Analyst, Supervision Policy, 
(202) 906-5645, Office of Thrift Supervision, 1700 G Street NW., 
Washington, DC 20552.

SUPPLEMENTARY INFORMATION:

I. Background

    On October 3, 1997, OTS published a notice of proposed rulemaking 
(NPR) to streamline and update its regulations relating to electronic 
operations.\1\ The NPR followed an April 2, 1997 advance notice of 
proposed rulemaking (ANPR) seeking comment on all aspects of banking 
affected by electronic operations.\2\
---------------------------------------------------------------------------

    \1\ 62 FR 51817 (October 3, 1997).
    \2\ 62 FR 15626 (April 2, 1997).
---------------------------------------------------------------------------

    The ANPR was designed to elicit information to enhance OTS's 
understanding of new electronic banking technologies and the impact of 
these technologies on the regulation of Federal savings 
associations.\3\ The ANPR asked a series of questions concerning the 
types of restrictions or requirements OTS should impose on electronic 
operations, including Internet banking.\4\
---------------------------------------------------------------------------

    \3\ See 62 FR at 15631 and 15633.
    \4\ See 62 FR at 15633.
---------------------------------------------------------------------------

    Based on the information obtained through the ANPR, the NPR 
proposed to amend OTS's electronic operations regulations to address 
advances in technology and to permit prudent innovation through the use 
of emerging technology by Federal savings associations. The NPR noted 
that OTS would continue to gain additional experience with electronic 
technology and might issue more specific guidance regulating particular 
elements of electronic operations.\5\
---------------------------------------------------------------------------

    \5\ 62 FR at 51820.
---------------------------------------------------------------------------

    The comment period on the NPR closed on December 2, 1997. OTS 
received nine comment letters on the NPR from five Federal savings 
associations, two trade associations, and two technology firms. One 
commenter argued that OTS should establish a procedure to review and 
approve new products or services, in order to protect the safety and 
soundness of the industry. Another commenter urged OTS not to require a 
Federal savings association to obtain the OTS's prior approval before 
adopting new technologies ``unless absolutely necessary to ensure 
industry-wide safety and soundness.''
    After considering these comments and reflecting on its supervisory 
experience and knowledge, OTS believes that safety and soundness and 
compliance considerations currently warrant the agency receiving 
advance notice of industry use of one developing technology--
transactional web sites. Such web sites allow savings association 
customers to use the Internet to conduct a wide variety of financial 
transactions. They may, however, also pose particular security, 
compliance, and privacy risks, as discussed more fully in Part II.A., 
below. The notice requirement will enable OTS to better

[[Page 43328]]

assist regulated institutions to deal with these risks. The same 
considerations require that the Regional Offices have discretion to 
impose additional requirements in appropriate circumstances.
    Because the safety and soundness and compliance considerations are 
similar for state-chartered and federally-chartered institutions, this 
Supplemental NPR proposes to require every savings association to 
notify OTS before it establishes a transactional web site and comply 
with additional requirements that the Regional Offices may impose in 
appropriate circumstances. Since the ANPR and NPR did not specifically 
discuss these requirements and the ANPR and NPR applied only to Federal 
savings associations, OTS has concluded that additional public comment 
would assist in the promulgation of a final rule.
    This Supplemental NPR supplements, rather than supersedes, the NPR. 
OTS intends to promulgate one final rule implementing the NPR and the 
Supplemental NPR. However, rather than codifying the final rule in part 
545 as OTS had proposed, OTS is proposing to codify the final rule in a 
new part 555. The reason is that part 545 only applies to Federal 
savings associations while the new requirements proposed would apply to 
all savings associations. When OTS publishes the final rule, it intends 
to take the provisions designated as subpart B to part 545 in the NPR 
and redesignate them, in final form, as subpart A to the new part 555 
proposed today. As explained in proposed Sec. 555.100, subpart A to 
part 555 would apply only to Federal savings associations, whereas 
subpart B to part 555 would apply to all savings associations.

II. Supplemental Proposed Provisions

A. Must I Inform OTS Before I Use Electronic Means or Facilities? 
(Proposed Sec. 555.300)

    Proposed Sec. 555.300(a) sets forth the general rule that a savings 
association does not have to inform OTS in advance when it plans to use 
electronic means and facilities except under two circumstances. OTS 
encourages a savings association to consult with the appropriate 
Regional Office before it begins activities using electronic means or 
facilities, even where not required to inform OTS in advance. As with 
other activities, OTS will continue to rely on its existing supervisory 
examinations and application processes to ensure the savings 
association's ability to engage in new activities in a safe, sound, 
secure, and compliant manner.\6\
---------------------------------------------------------------------------

    \6\ OTS reviews the safety and soundness of new activities, the 
appropriateness of the internal controls and security precautions, 
and compliance with applicable laws and regulations on a case-by-
case and institution-by-institution basis in connection with 
applications and through the examination process. For institutions 
subject to an application process (e.g., de novo applications), 
these initial safety and soundness and compliance determinations 
will be made in the application review. After application approval 
or where no application is required, safety and soundness and 
compliance will generally be assessed as a part of the examination 
process. This process will review and assess the institution's 
identification of risks of the activity, the steps it has taken to 
mitigate these risks, the testing it has undertaken to ensure safety 
and soundness, and its compliance monitoring process.
---------------------------------------------------------------------------

    The proposed rule contains two exceptions to this general rule. 
First, proposed Sec. 555.300(b) would require every savings association 
to notify OTS before it establishes a transactional web site. OTS 
proposes to define a ``transactional web site'' for purposes of this 
rule as an Internet site that enables users to conduct financial 
transactions such as accessing an account, obtaining an account 
balance, transferring funds, processing bill payments, opening an 
account, applying for or obtaining a loan, or purchasing other products 
or services.
    OTS believes that using a web site to conduct such activities 
raises safety and soundness and compliance concerns not present when 
the activities are conducted through more established technologies. OTS 
has been, and continues to be, concerned with the adequacy of firewalls 
to prevent hackers from breaking into an association's computer systems 
and thereby jeopardizing the association's security.\7\ 
However, OTS is also concerned about other operational and compliance 
risks presented by Internet banking and intends to increase its 
monitoring of web sites for compliance with disclosure laws and 
regulations. Additionally, OTS is concerned about protecting the 
privacy of individuals submitting information (or about whom 
information has been submitted).\8\ The collection of baseline 
information on transactional web sites is an important and integral 
part of OTS efforts to enhance its supervision of Internet banking 
activities.
---------------------------------------------------------------------------

    \7\ Statistics from the United States Senate's Permanent 
Investigations Subcommittee indicate that banking, insurance and 
securities firms collectively lost more than $800 million in 1996 to 
computer crimes. This figure is expected to grow as more financial 
services firms conduct business over the Internet. Susana Schwartz, 
Internet Security: The Bane of Electronic Commerce?, 22 Insurance & 
Technology 40 (Sept. 1997). A 1996 survey by the Computer Security 
Institute and the Federal Bureau of Investigation found that of 428 
corporations, government agencies, financial institutions, and 
universities surveyed, 53 percent reported having been victims of 
computer viruses and 42 percent acknowledged unauthorized use of 
their computer systems in the prior 12 months. Id. In 1995, the FBI 
estimated that computer criminals cost United States businesses $7.5 
billion a year. Losses ranged from outright industrial espionage and 
willful destruction of files and data to the cost of fixing security 
problems. David H. Freedman et al., Cracker, 122 U.S. News & World 
Report 56 (June 2, 1997).
    \8\ OTS has been studying compliance and privacy issues relating 
to savings association web sites and notes that a number of industry 
and governmental studies have reported on these issues. For example, 
two recent industry studies reported a significant number of 
potential violations of advertising and disclosure requirements on 
the web sites of banks and other financial service providers, though 
these studies did not focus on savings associations. The identified 
problems included failure to: (1) use the term ``annual percentage 
rate'' or ``APR'' and provide advertising disclosures required by 
Regulation Z (Truth in Lending Act), (2) include the Equal Housing 
Lender logotype and legend as required by the Fair Housing Act, (3) 
post annual percentage yields as required by the Truth In Savings 
Act, and (4) provide disclaimers that non-insured products are not 
insured by the Federal Deposit Insurance Corporation as required by 
FDIC regulations. See Richard Insley, Click Here To Violate the Law 
(visited July 30, 1998) <http://www.moneypage.com/features/
RegZWebsiteViolations.htm>; Jo Ann S. Barefoot, Don't Get Your 
Compliance Record Tangled in the Web, ABA Banking Journal 26-30 
(June 1998). Similarly, a recent Federal Trade Commission report 
included an analysis of 125 web sites operated by financial service 
providers. It found that while 97 percent of the sites collected 
personal information, only 17 percent of those sites contained 
appropriate disclosures such as a privacy policy notice or an 
information practice statement. See Federal Trade Commission, 
Privacy Online: A Report to Congress (June 1998) at 22, 24, 27.
    The industry and FTC reports identified only those compliance 
problems that could be readily observed by viewing the web site. 
These studies raise serious and legitimate concerns regarding both 
informational and transactional web sites. Because savings 
associations could perform a broad range of activities through 
transactional web sites, OTS believes that transactional web sites 
are likely to raise other more complex compliance and privacy 
issues, in addition to those identified in the studies.
---------------------------------------------------------------------------

    While collecting this information will impose a minimal burden on 
savings associations, it will also allow individual associations, and 
the industry as a whole, to reap important benefits. OTS will be better 
able to assist associations that are contemplating or already 
conducting Internet operations to identify and address the risks that 
accompany such activities. This will help institutions avoid 
problems and protect consumers. The information will also broaden the 
agency's awareness of trends in Internet banking operations, which it 
can share with institutions.
    At this time, OTS is not proposing to require a notice under 
Sec. 555.300(b) for any activities using electronic means or facilities 
other than transactional web sites. For example, a savings association 
would not be required, under this paragraph, to notify OTS before it 
establishes an informational web site

[[Page 43329]]

(i.e., a non-transactional web site) such as a web site limited to 
advertising and fee and rate posting.\9\ OTS, however, expects 
savings associations to inform the Regional Office of the informational 
web site address (the Uniform Resource Locator or 
``URL'').\10\ This will assist OTS to obtain the information 
it needs for efficient supervision, particularly in the compliance 
area.\11\ As technologies emerge, OTS may revise the rule to 
require notice of activities other than establishing a transactional 
web site. As technologies mature and the industry and OTS gain 
additional experience, OTS may revise the rule to no longer require 
notice before establishing a transactional web site.
---------------------------------------------------------------------------

    \9\ Of course, before a savings association could change an 
informational web site to a transactional web site by adding 
features enabling users to conduct financial transactions on the web 
site, the savings association would have to file a notice with OTS.
    \10\ OTS is currently considering whether to require this 
information as part of the Thrift Financial Report reporting 
process.
    \11\ OTS is aware that the advertising and disclosure problems 
identified by the industry studies cited in footnote 8 above apply 
equally to transactional and informational web sites. OTS believes, 
however, that the need for advance notice is greater where such 
concerns are combined with the other compliance, security, and 
privacy issues applicable to transactional web sites. To minimize 
regulatory burden, OTS is proposing to limit the advance notice 
requirement to transactional web sites. However, OTS will continue 
to examine both types of web sites for operational and compliance 
problems.
---------------------------------------------------------------------------

    Second, a filing may also be required in the circumstances 
described in proposed Sec. 555.300(c). If the OTS Regional Office has 
informed a savings association of supervisory or compliance concerns 
that may affect the savings association's use of electronic means or 
facilities, the savings association must follow any additional 
procedures the Regional Office has imposed in writing.

B. How Do I Notify OTS? (Proposed Sec. 555.310)

    Proposed Sec. 555.310 describes the notice procedures applicable to 
notices required by Sec. 555.300(b). Because establishing a 
transactional web site is the only activity that would require such a 
notice, the notice procedures have been tailored to that activity.
    Proposed Sec. 555.310(a) would require a savings association to 
provide a written notice to the appropriate Regional Office at least 30 
days before establishing a transactional web site. OTS does not propose 
to prescribe any particular form for the notice, but contemplates that 
it may be brief. The proposed regulation would simply require that a 
savings association describe the transactional web site, indicate the 
date the transactional web site will become operational, and list a 
contact familiar with the deployment, operation, and security of the 
transactional web site. Upon receipt of the notice, the Regional Office 
may determine that additional information is required to ensure that 
the savings association will operate the transactional web site in a 
safe, sound, secure, and compliant manner.

    A typical notification might include the following text:
[Name of savings association] plans to establish a transactional web 
site on the Internet at [URL]. It will be operational on [Date]. The 
site will contain mortgage loan applications that can be transmitted 
securely to our loan processing office. For further information 
contact: [Name at telephone number, e-mail].

    This notification requirement would further the approach in the 
ANPR and NPR by facilitating OTS's ability to obtain information on the 
industry's use of transactional web sites. It would also efficiently 
allow OTS to keep abreast of significant changes in the way particular 
savings associations interact with their existing or potential 
customers to enable OTS to issue appropriate guidance. Finally, it 
would respond to the concern raised by the comments on the NPR that OTS 
should be vigilant about new electronic operations raising safety and 
soundness concerns, by assisting OTS to supervise effectively the 
electronic operations of savings associations.
    Proposed Sec. 555.310(b) contains a transition provision applicable 
to the notice requirement in Sec. 555.310(a). It provides that if a 
savings association established a transactional web site after the date 
of its last regular onsite OTS safety and soundness examination but 
before the effective date of the final rule, it would have to file a 
notice describing its activity within 30 days from the effective date 
of the final rule. OTS notes that if a savings association began the 
activity before its last regular onsite OTS safety and soundness 
examination, Sec. 555.310 would not apply to that activity.

III. Request for Comments

    OTS invites comments on all aspects of this Supplemental NPR, but 
requests that commenters limit their comments to new matters raised by 
this Supplemental NPR, rather than matters addressed in the NPR. OTS 
solicits specific comment on the following questions:
    1. Should OTS require a notice before an association establishes a 
transactional web site? Why or why not?
    2. Is OTS's proposed definition of a ``transactional web site'' 
appropriate? Are there alternative terms or definitions that are 
commonly used and understood in the industry that should be 
substituted? Is the difference between a transactional web site and an 
informational web site clear and appropriate?
    3. Should OTS require a notice for any other activities such as 
establishing any type of web site on an in-house server, providing e-
mail access for the public, or collecting personal information through 
an interactive web site tool such as a mortgage calculator?
    4. What information should be required in the notice filed with 
OTS? Should OTS require the savings association to provide additional 
information such as: (a) how it will conduct an activity, including 
descriptions of security and internal controls (e.g., the encryption 
level used, the testing that has been performed), or (b) how it will 
ensure compliance with laws and regulations (e.g., disclosure 
requirements)?
    5. Is it appropriate for OTS to require the notification 30 days 
before a savings association begins an activity?

IV. Executive Order 12866

    The Director of OTS has determined that this proposed rule does not 
constitute a ``significant regulatory action'' for the purposes of 
Executive Order 12866.

V. Paperwork Reduction Act of 1995

    OTS invites comment on:
    Whether the proposed information collection contained in this 
proposal is necessary for the proper performance of OTS's functions, 
including whether the information has practical utility;
    (1) The accuracy of OTS's estimate of the burden of the proposed 
information collection;
    (2) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (3) Ways to minimize the burden of the information collection on 
respondents, including through the use of automated collection 
techniques or other forms of information technology; and
    (4) Estimates of capital and start-up costs of operation, 
maintenance and purchases of services to provide information.
    Respondents are not required to respond to this collection of 
information unless it displays a currently valid OMB control number.
    The collection of information requirements contained in this 
proposal have been submitted to the Office of Management and Budget for 
review in accordance with the Paperwork Reduction Act of 1995 (44 
U.S.C.

[[Page 43330]]

3507(d)). Comments on the collections of information should be sent to 
the Office of Management and Budget, Paperwork Reduction Project 
(1550), Washington, DC 20503, with copies to the Regulations and 
Legislation Division, Chief Counsel's Office, Office of Thrift 
Supervision, 1700 G Street, NW., Washington, DC 20552.
    The collection of information requirements in this proposed rule 
are found in 12 CFR 555.300 and 555.310. OTS requires this information 
for the proper supervision of electronic operations by savings 
associations. The likely respondents/recordkeepers are savings 
associations.
    Estimated average annual burden hours per respondent: 2 hours.
    Estimated number of respondents: 100 respondents.
    Estimated total annual reporting burden: 200 hours.
    Start up costs to respondents: None.

VI. Regulatory Flexibility Act Analysis

    Pursuant to section 605(b) of the Regulatory Flexibility Act, OTS 
certifies that this proposed rule will not have a significant impact on 
a substantial number of small entities. In conjunction with the NPR, 
this Supplemental NPR should make it easier for savings associations, 
including small institutions, to engage in electronic operations. While 
it imposes a notice requirement on savings associations using one 
particular type of electronic means or facility (i.e., a transactional 
web site) and allows Regional Offices to impose case-by-case 
restrictions for supervisory or compliance reasons, these requirements 
are the minimum necessary for proper supervision, and should not have a 
significant impact on a substantial number of small institutions.

VII. Unfunded Mandates Act of 1995

    Section 202 of the Unfunded Mandates Reform Act of 1995, Pub. L. 
104-4 (Unfunded Mandates Act), requires that an agency prepare a 
budgetary impact statement before promulgating a rule that includes a 
Federal mandate that may result in expenditure by state, local, and 
tribal governments, in the aggregate, or by the private sector, of $100 
million or more in any one year. If a budgetary impact statement is 
required, section 205 of the Unfunded Mandates Act also requires an 
agency to identify and consider a reasonable number of regulatory 
alternatives before promulgating a rule. OTS has determined that the 
proposed rule will not result in expenditures by state, local, or 
tribal governments or by the private sector of $100 million or more. 
Accordingly, this rulemaking is not subject to section 202 of the 
Unfunded Mandates Act.

List of Subjects 12 CFR Part 555

    Accounting, Consumer protection, Credit, Electronic funds 
transfers, Investments, Reporting and recordkeeping requirements, 
Savings associations.
    Accordingly, the Office of Thrift Supervision proposes to amend 
chapter V, title 12 of the Code of Federal Regulations by adding part 
555 as set forth below:

PART 555--ELECTRONIC OPERATIONS

Sec.
555.100  What does this part do?

Subpart A--Authority of Federal Savings Associations To Conduct 
Electronic Operations [Reserved]

Subpart B--Requirements Applicable to All Savings Associations

555.300  Must I inform OTS before I use electronic means or 
facilities?
555.310  How do I notify OTS?

    Authority: 12 U.S.C. 1462a, 1463, 1464.

Sec. 555.100  What does this part do?

    Subpart A of this part describes how a Federal savings association 
may provide products and services through electronic means and 
facilities. Subpart B of this part contains requirements applicable to 
all savings associations.

Subpart A--Authority of Federal Savings Associations to Conduct 
Electronic Operations [Reserved]

Subpart B--Requirements Applicable to All Savings Associations


Sec. 555.300  Must I inform OTS before I use electronic means or 
facilities?

    (a) General. A savings association (``you'') are not required to 
inform OTS before you use electronic means or facilities, except as 
provided in paragraphs (b) and (c) of this section. OTS encourages you 
to consult with your Regional Office before you engage in activities 
using electronic means or facilities in circumstances not covered by 
paragraphs (b) or (c) of this section.
    (b) Activities requiring advance notice. You must file a written 
notice as described in Sec. 555.310 before you establish a 
transactional web site. A transactional web site is an Internet site 
that enables users to conduct financial transactions such as accessing 
an account, obtaining an account balance, transferring funds, 
processing bill payments, opening an account, applying for or obtaining 
a loan, or purchasing other products or services.
    (c) Other procedures. If the OTS Regional Office has informed you 
of any supervisory or compliance concerns that may affect your use of 
electronic means or facilities, you must follow any procedures it has 
imposed in writing.


Sec. 555.310  How do I notify OTS?

    (a) Notice requirement. You must file a written notice with the 
appropriate Regional Office at least 30 days before you establish a 
transactional web site. The notice must do three things:
    (1) Describe the transactional web site.
    (2) Indicate the date the transactional web site will become 
operational.
    (3) List a contact familiar with the deployment, operation, and 
security of the transactional web site.
    (b) Transition provision. If you established a transactional web 
site after the date of your last regular onsite OTS safety and 
soundness examination but before [Effective date of final rule], you 
must file a notice describing your activity by [30 days after effective 
date of final rule].

    Dated: August 7, 1998.

    By the Office of Thrift Supervision.
Ellen Seidman,
Director.
[FR Doc. 98-21704 Filed 8-12-98; 8:45 am]
BILLING CODE 6720-01-P