[Federal Register Volume 63, Number 229 (Monday, November 30, 1998)] [Rules and Regulations] [Pages 65673-65683] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 98-31746] ----------------------------------------------------------------------- DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Parts 545, 555, and 559 [No. 98-119] RIN 1550-AB00 Electronic Operations AGENCY: Office of Thrift Supervision, Treasury. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Office of Thrift Supervision (OTS) is issuing a final rule that streamlines and updates its regulations relating to electronic operations. Under this rule, Federal savings associations may engage in prudent innovation through the use of emerging technology. The rule permits Federal savings associations to use, or participate with others to use, electronic means or facilities to perform any function, or provide any product or service, as part of an authorized activity. The rule also requires each savings association (state- or federally- chartered) to notify OTS 30 days before it establishes a transactional web site. Savings associations that present supervisory or compliance concerns may be subject to additional procedural requirements. Finally, the rule includes a conforming change to OTS's service corporation regulation, reflecting a recent statutory change. EFFECTIVE DATE: January 1, 1999. FOR FURTHER INFORMATION CONTACT: Richard Bennett, Counsel (Banking and Finance), (202) 906-7409; Karen A. Osterloh, Assistant Chief Counsel, (202) 906-6639; Paul D. Glenn, Special Counsel, Chief Counsel's Office, (202) 906-6203; Paul J. Robin, Program Analyst, Compliance Policy, (202) 906-6648; or Paul R. Reymann, Senior Policy Analyst, Supervision Policy, (202) 906-5645, Office of Thrift Supervision, 1700 G Street NW., Washington, DC 20552. SUPPLEMENTARY INFORMATION: I. Background A. Advance Notice of Proposed Rulemaking On April 2, 1997, OTS published an advance notice of proposed rulemaking (ANPR) seeking comment on all aspects of banking affected by electronic operations.1 The ANPR was designed to elicit information to enhance OTS's understanding of new electronic banking technologies and the impact of these technologies on the regulation of Federal savings associations.2 The ANPR asked a series of questions concerning the types of restrictions or requirements OTS should impose on electronic operations, including Internet banking. --------------------------------------------------------------------------- \1\ 62 FR 15626 (April 2, 1997). \2\ See 62 FR at 15631 and 15633. --------------------------------------------------------------------------- B. Notice of Proposed Rulemaking Based on the comments received on the ANPR, on October 3, 1997, OTS published a notice of proposed rulemaking (NPR) to streamline and update its regulations relating to electronic operations.3 The NPR proposed to amend OTS's electronic-related regulations to address advances in technology and to permit prudent innovation through the use of emerging technology by Federal savings associations. In crafting the proposed rule, OTS was guided by two broad principles suggested by commenters on the ANPR: --------------------------------------------------------------------------- \3\ 62 FR 51817 (October 3, 1997). The NPR contains a summary of the comments received on the ANPR. ---------------------------------------------------------------------------The public and insured depository institutions will be best served if statutory and regulatory restrictions are kept to a minimum. The premature imposition of restrictive operational standards could impede the development of improved financial services. Federal savings associations should be permitted to compete effectively with other regulated financial institutions and unregulated firms offering financial and related services. Consistent with these principles, OTS proposed a broad enabling regulation designed to allow Federal savings associations to engage in any activity through electronic means that they may conduct through more traditional delivery mechanisms. OTS proposed to eliminate three existing regulations: Sec. 545.138 (Data-Processing Services), Sec. 545.141 (Remote Services Units), and Sec. 545.142 (Home Banking Services). The elimination of these sections would not take away the authority to engage in any activities described in these sections. OTS made the proposal to enhance the ability of Federal savings associations to serve as financial intermediaries and to permit Federal savings associations to utilize fully their capacities and by-products generated in providing financial services. The proposal was consistent with the principles established in the Administration's electronic commerce policy statement.4 The NPR noted, however, that OTS would continue to gain additional experience with electronic technology and might issue more specific guidance regulating particular elements of electronic operations.5 --------------------------------------------------------------------------- \4\ See ``Framework for Global Electronic Commerce'' (July 1, 1997). \5\ 62 FR at 51820. --------------------------------------------------------------------------- C. Comments on NPR--General Discussion The comment period on the NPR closed on December 2, 1997. OTS received nine comment letters on the NPR from five Federal savings associations, two trade associations, and two technology firms. All of the commenters recognized the need for the agency to revise or remove its existing regulations in this area. Seven commenters supported the proposal's overall flexible regulatory approach, while suggesting modifications or clarifications to particular aspects of the rule. Two commenters argued that for even greater flexibility the agency should not issue any new electronic banking regulations. These two commenters suggested the agency rely entirely on flexible guidelines and advisories as technology evolves. OTS has addressed specific comments on the NPR below. D. Supplemental Notice of Proposed Rulemaking One commenter on the NPR argued that OTS should establish a procedure to review and approve new products or services, in order to protect the safety and soundness of the industry. Another urged OTS not to require a Federal savings association to obtain OTS's prior approval before adopting new technologies ``unless absolutely necessary to ensure industry-wide safety and soundness.'' After considering these comments, OTS concluded that safety and soundness and compliance considerations warranted the agency receiving advance notice of industry use of one developing technology--transactional web sites. Such web sites allow savings association customers to use the Internet to conduct a wide variety of financial transactions. They may, however, also pose particular security, compliance, and privacy risks. Accordingly, on August 13, 1998, OTS issued a supplemental notice of proposed rulemaking (Supplemental NPR) seeking comment on additional proposed rules that would require each savings association to notify OTS before [[Page 65674]] it establishes a transactional web site.6 OTS also proposed to give the Regional Offices discretion to impose additional requirements in appropriate circumstances. --------------------------------------------------------------------------- \6\ 63 FR 43327 (August 13, 1998). --------------------------------------------------------------------------- Safety and soundness and compliance considerations are similar for state-chartered and federally-chartered institutions. Thus, the Supplemental NPR proposed to require every savings association to notify OTS before it established a transactional web site and to comply with additional requirements that the Regional Offices may impose in appropriate circumstances. Since the ANPR and NPR did not specifically discuss these requirements and applied only to Federal savings associations, OTS concluded that additional public comment would assist in the development of a final rule. E. Comments on Supplemental NPR--General Discussion The comment period on the Supplemental NPR closed on September 14, 1998. OTS received nine comment letters from six Federal savings associations, two trade associations, and one public interest organization. Two commenters supported the notice requirement. Four commenters opposed the requirement. The other three commenters did not specifically support or oppose the requirement. OTS has addressed the specific comments on the Supplemental NPR below. II. Today's Final Rule Today's final rule incorporates the same broad principles and reflects the same supervisory concerns articulated in the NPR and Supplemental NPR. OTS continues to believe that it is important to have enabling regulations in this area. These regulations will help ensure that OTS has sufficient information to understand developing technologies, to provide appropriate guidance on these technologies, and to supervise electronic operations effectively. The proposed approach in the NPR and Supplemental NPR, with some modifications as discussed below, will provide both the industry and the agency with the appropriate amount of flexibility to adapt to changing conditions. Today's final rule is meant to provide authority for Federal savings associations' electronic operations and a structure for all savings associations' use of electronic means and facilities.7 Standing alone, it cannot, and does not purport to, answer all questions in this rapidly changing area. These operations, by their very nature, are evolving, presenting the industry and the agency with both old issues in a new form (e.g., the appropriate documentation to open an account) and new issues unique to electronic operations (e.g., treatment of stored value cards). The agency has issued, and will continue to issue, guidance as electronic operations evolve. This guidance has taken the form of letters to chief executive officers of savings associations, interagency examiner guidelines, revisions to the Thrift Activities Handbooks, conditions on the approval of applications, and responses to requests for legal interpretations.8 The agency expects to continually update its guidance and to continue to make it available on OTS's web site at www.ots.treas.gov. --------------------------------------------------------------------------- \7\ New Sec. 555.200 is similar to the Office of the Comptroller of the Currency's (OCC) rule on furnishing of products and services by electronic means and facilities. See 12 CFR 7.1019 (1998). \8\ See, e.g., Memorandum from Richard M. Riccobono, Deputy Director, for Chief Executive Officers (November 3, 1998) (Policy Statement on Privacy and Accuracy of Personal Customer Information); Memorandum from Richard M. Riccobono, Deputy Director, for Chief Executive Officers (July 23, 1998) (Interagency Guidance on Electronic Financial Services and Consumer Compliance); Memorandum from John Downey, Executive Director, Supervision, for Chief Executive Officers (June 23, 1997) (Statement on Retail On-Line Personal Computer Banking); Thrift Activities Regulatory Handbook, Section 341, Information Technology (October 1997) (Regulatory Bulletin 32-6, October 15, 1997); Federal Financial Institutions Examinations Council (FFIEC) Information Systems Examination Handbook (1996); OTS Order No. 95-88 (May 8, 1995) (application approval of Internet bank); OTS Op. Chief Counsel (September 19, 1997) (establishment of automated loan machines). --------------------------------------------------------------------------- Further, while today's final rule removes Secs. 545.138, 545.141, and 545.142, OTS emphasizes that the new rules continue to authorize all activities formerly authorized under these provisions. III. Section-by-Section Discussion Today's final rule creates a new part 555 to address electronic operations. In the NPR, OTS originally proposed to place the electronic operations regulations in a new subpart B to part 545. However, part 545 only applies to Federal savings associations. The notice requirements proposed in the Supplemental NPR and incorporated into this final rule, however, apply to all savings associations. Thus, as proposed in the Supplemental NPR, OTS is placing the electronic operations regulations in a new part 555. A. What Does This Part Do? (Sec. 555.100) Section 555.100 explains the purpose of part 555. Subpart A explains how a Federal savings association may provide products and services through electronic means and facilities. Subpart B contains the advance notice and other requirements applicable to all savings associations. OTS received no specific comments on Sec. 555.100 of the Supplemental NPR (or on Sec. 545.140 of the NPR, which served a similar function). The section is unchanged from the Supplemental NPR. B. Authority of Federal Savings Associations to Conduct Electronic Operations (Subpart A to Part 555) 1. How May I Use or Participate With Others to use Electronic Means and Facilities? (Proposed Sec. Sec. 545.141, 545.142, and 545.143, Final Sec. 555.200) Final Sec. 555.200 combines, with changes, proposed Sec. 545.141, 545.142, and 545.143. Section 555.200(a) corresponds to proposed Sec. 545.141, but merges part of proposed Sec. 545.143. Section 555.200(b) corresponds to proposed Sec. 545.142 and also merges part of proposed Sec. 545.143. Sections 555.200(a) and 555.200(b) are discussed separately below. Section 555.200(a) Consistent with OTS's goal of minimizing regulatory restrictions on electronic operations, proposed Sec. 545.141 would have specifically permitted Federal savings associations to use electronic means or facilities to perform any authorized function or provide any authorized product or service. Electronic means or facilities would include, but would not be limited to, automated teller machines (ATMs), automated loan machines, personal computers, the Internet, the World Wide Web, telephones, and other similar electronic devices. The preamble explained that this authority would include the opening of savings or demand accounts and the establishment of loan accounts--functions previously excluded from the definition of remote service unit--because performing these functions electronically may enhance the operating flexibility of Federal savings associations. Commenters generally supported this section. One commenter, however, a trade association, argued that proposed Sec. 545.141 was too broad and did not sufficiently protect the safety and soundness of the industry. Instead, the commenter emphasized the need for a thorough risk assessment of any new delivery system to protect safety and soundness. The commenter urged OTS to establish a procedure whereby OTS would issue an approval or interpretation before a product or service was first offered electronically. Once one institution was approved to use an electronic delivery system, [[Page 65675]] approval for subsequent institutions would not be required. Presumably, subsequent institutions would be required to provide the same protections and safeguards. While OTS does not believe that a new procedure is necessary for most types of electronic operations, OTS has added subpart B to part 555, to deal with the special risks associated with transactional web sites. As discussed in Section III.C. below, subpart B will enhance OTS's ability to supervise electronic operations, particularly Internet banking activities. Three Federal savings associations asked OTS to clarify whether the new regulation would permit specific products or services. As noted in the preamble to the proposed rule, by revising its rules, OTS intends to allow Federal savings associations to engage in any authorized activity through electronic means that they may conduct through more traditional delivery mechanisms.9 To clarify this point, OTS has revised the language of Sec. 555.200(a) to provide that a Federal savings association may use electronic means or facilities ``to perform any function, or provide any product or service, as part of an authorized activity.'' --------------------------------------------------------------------------- \9\ 62 FR at 51818. --------------------------------------------------------------------------- As with all activities of Federal savings associations, OTS's position, like that of its predecessor agency, the Federal Home Loan Bank Board (FHLBB), has been that if the Home Owners' Loan Act (HOLA) 10 authorizes an activity, a specific authorizing regulation is not necessary.11 In some cases, the HOLA speaks clearly on an activity and institutions generally choose to act without obtaining agency concurrence. In other cases, where the authority is less clear or specific facts are more determinative, an application or an interpretive legal opinion may be the best route for resolving issues of first impression. --------------------------------------------------------------------------- \10\ 12 U.S.C. 1461-1468c. \11\ See, e.g., 60 FR 44442, 44444 (August 28, 1995); 48 FR 23032 (May 23, 1983). --------------------------------------------------------------------------- To assist the industry further, OTS will continue to provide both formal and informal guidance on authorized activities for Federal savings associations. If applicable statutes, regulations, court cases, and OTS opinions do not provide a sufficient basis for a Federal savings association to determine whether a product or service is authorized under the HOLA or the use of electronic means or facilities is appropriate, it may request an interpretive opinion 12 or consult with OTS's Regional Director for the Region in which its home office is located. --------------------------------------------------------------------------- \12\ See OTS Customer Service Plan--Interpretive Opinions (January 1996). Such questions may also be addressed in the context of an application process (e.g., de novo applications). --------------------------------------------------------------------------- OTS has previously provided explicit guidance on several of the questions about specific products or services raised. For example, the preamble to the proposed rule stated that Federal savings associations could establish loan accounts and open savings or demand accounts through electronic means.13 Similarly, the ANPR indicated that the term ``electronic means and facilities'' would clearly encompass new technologies that enable a depository institution to make risk-based judgments electronically.14 This would include, for example, automated credit scoring and other forms of automated underwriting. --------------------------------------------------------------------------- \13\ 62 FR at 51818. However, all statutory and regulatory restrictions associated with offering a product or service continue to apply where electronic means and facilities are used. One commenter asked whether a signed deposit application would have to be executed and transmitted with the initial deposit in hard copy. At one time, FHLBB regulations specifically imposed this type of signature card requirement. See 12 CFR 545.2(a) (1983). In May 1983, the FHLBB eliminated this specific requirement. 48 FR 23032 (May 23, 1983). \14\ 62 FR at 15632. --------------------------------------------------------------------------- In addition, OTS and the FHLBB have long recognized that Federal savings associations may open accounts and transfer funds for persons overseas. For example, the FHLBB opined that Federal savings associations may solicit deposits and open accounts for individuals who are not citizens or residents of the United States by mail or electronic means.15 Since this is an authorized activity under the HOLA, this final rule permits a Federal savings association to engage in this activity through electronic operations. However, Federal savings associations engaging in such electronic activities must comply with all applicable requirements, including addressing safety and soundness concerns and ensuring compliance with other federal laws and requirements.16 --------------------------------------------------------------------------- \15\ See Memorandum from Jack D. Smith, Deputy General Counsel, FHLBB, to Alvin Smuzynski, Deputy Director, Supervisory Activities (December 7, 1987). Pursuant to that opinion, the institution was permitted to undertake the activity where the institution maintained the deposits in United States dollar denominations, offered standard money market and term certificate of accounts with interest rates and other terms and conditions that were the same as those offered by the institution to those residing in the United States, and complied with the requirements applicable to the type of accounts. See also FHLBB Op. General Counsel (May 10, 1984). \16\ OTS anticipates that it will shortly publish a proposed ``Know Your Customer'' rule, as part of an interagency rulemaking effort. --------------------------------------------------------------------------- OTS has not opined on whether certain activities cited by commenters are authorized for Federal savings associations. Specifically, one commenter asked whether a Federal savings association may issue, use, and deal in all forms of electronic monetary value, including stored value and smart-card technologies. Another commenter asked whether a Federal savings association may use and participate in digital authentication and certification, including serving as a certificate authority (an entity certifying electronic signatures for use in electronic commerce). OTS has not opined on whether every activity that could involve the use of electronic money or participation in digital authentication regimes is an authorized activity for Federal savings associations.17 With any new activity, the factual context and the accompanying safeguards are often critical to determining whether and how an activity may be conducted, whether or not electronic means are involved. Thus, OTS believes that it is important that savings associations continue to consult with their Regional Offices to obtain up-to-date guidance as they move forward in the use of electronic means and facilities. --------------------------------------------------------------------------- \17\ With regard to electronic monetary value, OTS has opined that a Federal savings association has authority to market and sell prepaid telephone cards as agent for a telephone company. OTS Op. Chief Counsel (August 29, 1996). We also note that the other federal banking agencies have indicated that financial institutions may deal in other types of electronic monetary value. See OCC Interpretive Letter No. 718 (March 14, 1996) (national banks may dispense alternate media such as public transportation tickets, event and attraction tickets, gift certificates, prepaid phone cards, promotional and advertising materials, electronic benefits transfer scripts, and credit and debit cards) and Federal Deposit Insurance Corporation General Counsel's Op. No. 8, published in, 61 FR 40490 (Aug. 2, 1996) (discussing whether, and under what circumstances, funds underlying stored value cards may be considered deposits under the Federal Deposit Insurance Act, 12 U.S.C. 1811-1835a). With regard to digital authentication and certification, Federal savings associations have incidental authority under the HOLA to guarantee customer signatures for documentary transactions in which an association has an interest as part of its deposit taking, lending, or trust business, as well as guarantees executed as a separate customer service with respect to stock transfers and similar transactions in which the association has no direct interest. FHLBB Op. General Counsel (August 11, 1981). In addition, the OCC has authorized a national bank operating subsidiary to act as a certification authority and repository for certificates that verify digital signatures. The authority was not limited to transactions in which the subsidiary had a direct interest. OCC Op. Chief Counsel (January 12, 1998) (Operating Subsidiary Application by Zions First National Bank, Salt Lake City, Utah). OTS believes the reasoning of the other regulators appears persuasive. OTS will consider these opinions when it reviews a Federal savings association's authority to conduct such activities as these issues are presented to the agency. --------------------------------------------------------------------------- Another Federal savings association asked OTS to adopt an expansive [[Page 65676]] interpretation of the phrase ``authorized product or service.'' The commenter's proposed interpretation would clarify that as long as the primary electronic product or activity is permitted, the Federal savings association may provide a minor ancillary application, even though the ancillary application is not specifically authorized by the HOLA. Federal savings associations possess powers that are incident to the express powers of Federal savings associations, as set forth in the HOLA.18 Today's final rule allows Federal savings associations to use electronic means or facilities to perform any function, or provide any product or service, as part of an authorized activity, including activities authorized under the incidental powers doctrine. OTS will review whether particular activities are authorized as incidental powers on a case-by-case basis as these issues are presented to the agency. --------------------------------------------------------------------------- \18\ See OTS Op. Chief Counsel (August 29, 1996) at 2. --------------------------------------------------------------------------- As noted above, Sec. 555.200(a) continues to permit Federal savings associations to perform all data processing and transmission services formerly authorized under Sec. 545.138(a) and (b). When Sec. 545.138 was promulgated in 1983, the FHLBB imposed certain data and customer restrictions designed to ensure that a Federal savings association would conduct data processing and transmission services consistent with the authority provided in HOLA.19 OTS recognizes that the HOLA may authorize the provision of data processing services in additional circumstances. Accordingly, the final rule, like the OCC's rule, does not impose specific data or customer restrictions. Rather, final Sec. 555.200(a) merely requires that services provided through electronic means and facilities must be a ``part of an authorized activity.'' This restriction means that data processing and transmission services provided must be authorized under the HOLA, either expressly or as an incidental power. --------------------------------------------------------------------------- \19\ See 48 FR 7428, 7429-7430 (February 22, 1983). --------------------------------------------------------------------------- Final Sec. 555.200(a) has also been revised to incorporate provisions in proposed Sec. 545.143, entitled ``How may I participate with others in the use of electronic means and facilities?'' Proposed Sec. 545.143 would have permitted a Federal savings association to participate with others to perform, provide, or deliver activities, functions, products, or services described in the proposed rule. A Federal savings association could have participated with an entity that is not subject to examination by a Federal agency regulating financial institutions only if that entity agreed, in writing, to permit OTS to examine its electronic means or facilities, to pay for any related OTS examination fees, and to make all relevant records in its possession, written or electronic, available to OTS for examination. OTS also indicated that if the participation by a Federal savings association was through a service corporation, OTS's service corporation rules would apply.20 --------------------------------------------------------------------------- \20\ See 12 CFR 559.4 (1998). --------------------------------------------------------------------------- The Examination Parity and Year 2000 Readiness for Financial Institutions Act,21 has obviated the need for proposed Sec. 545.143 as a separate section of the rule. Section 3 of this legislation provides: --------------------------------------------------------------------------- \21\ Pub. L. No. 105-164 (enacted March 20, 1998). [I]f a savings association, a subsidiary thereof, or any savings and loan affiliate or entity, as identified by section 8(b)(9) of the Federal Deposit Insurance Act [12 U.S.C. 1818(b)(9)], that is regularly examined or subject to examination by the Director [of OTS], causes to be performed for itself, by contract or otherwise, any service authorized under [HOLA] * * *, such performance shall be subject to regulation and examination by the Director to the same extent as if such services were being performed by the savings --------------------------------------------------------------------------- association on its own premises. In light of this legislation, today's final rule simply clarifies the authority of a Federal savings association to participate with others to perform any function, or provide any product or service, as part of an authorized activity, through electronic means and facilities. This language has been merged into final Sec. 555.200(a). OTS is making a similar conforming change to Sec. 555.200(b), discussed below. In making these changes, OTS is removing the proposed requirement concerning record availability since this requirement is implicit in examinations authorized by the legislation. OTS is also removing the proposed requirement concerning examination fees. The other banking agencies do not charge fees specifically for examinations of service providers. OTS does not intend to impose fees for the examination of service providers, except as otherwise provided for under OTS's assessment rule and Thrift Bulletins. While the relevance of many of the comments on proposed Sec. 545.143 has been negated by this intervening legislation, it is useful to respond to some of the points raised by commenters on the NPR. Two commenters criticized the third party examination, fee, and record requirements as burdensome and unnecessary. In implementing the new legislation, OTS will focus its service provider examinations on those whose activities could have a direct impact on the safety and soundness of savings associations.\22\ Data processing servicers and ATM servicers are among the types of service providers OTS examines because they provide functions critical to financial operations. --------------------------------------------------------------------------- \22\ See Statement of Ellen Seidman, Director, Office of Thrift Supervision, concerning Examination Parity and Year 2000 Readiness for Financial Institutions Act, before the Committee on Banking and Financial Services, United States House of Representatives, February 5, 1998, at 8-10. --------------------------------------------------------------------------- Another Federal savings association explained that the software industry is wary of providing unrestricted access to their information without explicit assurances of confidentiality to protect proprietary trade secrets. The commenter stated that, at a minimum, the final rule should provide that any information reviewed or gathered during an examination of a service provider will be treated as ``unpublished OTS information'' under 12 CFR 510.5 (1998), which provides confidentiality safeguards. OTS treats service provider examination reports as confidential unpublished OTS information.\23\ Consistent with this regulation, these reports are not publicly available, but OTS does share the examination reports of service providers with the Federal banking agencies. It also shares relevant portions of the examination reports with Federal and State savings associations that use the services of those service providers. --------------------------------------------------------------------------- \23\ See 12 CFR 510.5(a)(2)(ii) (1998). --------------------------------------------------------------------------- Section 555.200(b) Former Sec. 545.138(c) subjected marketing by-products and excess capacity of data processing and transmission services to significant restrictions. In contrast, under proposed Sec. 545.142, a Federal savings association could market and sell electronic capacities and by- products to third parties if it acquired or developed the capacities and by-products in good faith as part of providing financial services. The proposed rule was substantially identical to the OCC rule on marketing and selling such capacities.\24\ --------------------------------------------------------------------------- \24\ See 12 CFR 7.1019 (1998). --------------------------------------------------------------------------- Two commenters expressly supported the proposed section. Upon further review, OTS believes it is necessary to make two minor clarifications to Sec. 555.200(b). First, the final rule indicates that the marketing and selling of electronic capacities and by-products to third-parties is to enable Federal savings [[Page 65677]] associations to optimize their resources. This language conforms the OTS rule more closely to the OCC's rule. Second, the final rule indicates that a Federal savings association may also participate with others to market and sell electronic capacities and by-products to third-parties. Like the revision to Sec. 555.200(a) discussed above, this change incorporates part of Sec. 555.143 of the proposed rule. One Federal savings association asked OTS to define the phrase ``electronic capacities and by-products'' to clarify that Federal savings associations may provide ``fully integrated solutions to a range of business needs.'' These solutions may involve a combination of software development, computer systems design and construction, electronic communication (including sending electronic mail), and data processing and storage. OTS does not believe it is appropriate to make the clarification requested by the commenter. As long as a Federal savings association acquired or developed its electronic capacities and by-products in good faith as part of providing financial services, the Federal savings association may market and sell them to third-parties. OTS cautions, however, that to the extent a Federal savings association may wish to engage in additional activities in connection with the marketing and sale of such capacities and by-products, the additional activities must be authorized under the HOLA, either expressly or as an incidental power. 2. What Precautions Must I Take? (Proposed Sec. 545.144, Final Sec. 555.210) Although OTS believes that it is vital that Federal savings associations establish appropriate internal controls for risks and security measures when they engage in electronic operations, it did not propose to codify static risk or security requirements. Because methods of electronic commerce and their attendant security measures are continually evolving, OTS's proposed rule reflected the view that it is impracticable to prescribe security measures that would remain useful for the indefinite future. Instead, proposed Sec. 545.144 would have required a Federal savings association to adopt standards and policies designed to ensure secure operations. In addition, the proposed rule would have required a Federal savings association to implement security measures adequate to prevent unauthorized access to its records and its customers' records, and to prevent financial fraud through the use of electronic means or facilities. The proposed rule also stated that a Federal savings association must comply with the current security devices requirements of part 568, if it provides an ATM, an automated loan machine, or another similar electronic device. One Federal savings association noted that the banking industry has not yet embraced any particular standards with respect to encryption, authentication, digital signatures, and other technical matters affecting transmission over the Internet. Accordingly, the commenter urged OTS to avoid imposing unnecessary regulatory impediments or micro-managing system implementation or maintenance. While the commenter was not critical of proposed Sec. 545.144, the commenter criticized OTS's imposition of certain security-related conditions on approvals of recent applications, such as requiring an applicant to have its delivery of services over the Internet tested and reviewed by independent computer security specialists before commencing operation. The commenter urged OTS to reconsider whether there is a need to impose such conditions. In approving applications to commence operations, OTS requires proof that adequate security measures are in place for safe, sound, and secure operations. To date, these requirements routinely have included testing and review by independent computer security specialists. OTS tailors specific conditions on a case-by-case basis. It may be possible that future applications may not raise these security concerns. However, currently OTS believes such a condition in application approval orders remains essential to safe and sound internal operations. Similarly, under the notice procedures in subpart B to part 555 of this final rule (including the 30-day advance notice requirement), OTS will have an opportunity to consider, before any savings association establishes a transactional web site, whether the savings association will be able to conduct such operations in a safe, sound, secure, and compliant manner. In the preamble to the proposed rule, OTS indicated that it ``expects Federal savings associations to establish security measures that are consistent with current industry standards, and to continually monitor and regularly update these security procedures to keep pace with changes to industry standards.'' 25 One trade association urged OTS to incorporate this statement in the final rule. --------------------------------------------------------------------------- \25\ 62 FR at 51819. --------------------------------------------------------------------------- OTS believes that such interpretive statements are best contained in OTS policy statements, advisories, and other explanatory materials, rather than the regulation. For similar reasons, OTS has deleted from the final rule the proposed statement indicating that Federal savings associations should adopt standards and policies on security issues. Instead, the rule requires Federal savings associations to implement security measures designed to ensure secure operations. Another trade association urged OTS to provide guidelines alerting Federal savings associations to security issues that should be addressed before a new electronic delivery mechanism is implemented. As summarized in Section II above, OTS has issued such guidelines and advisories to Federal savings associations, both on its own and as part of FFIEC. OTS has made clarifying revisions to the section. These revisions require that the management of Federal savings associations identify, assess, and mitigate potential risks and establish prudent internal controls, in addition to implementing security measures that are designed to ensure secure operations.26 These risks may be strategic, legal, regulatory, or operational.27 --------------------------------------------------------------------------- \26\ Further guidance on these requirements is provided in Appendix A to Part 570, section 341 of the Thrift Activities Regulatory Handbook, and Statement on Retail On-Line Personal Computer Banking. \27\ See Statement on Retail On-Line Personal Computer Banking. --------------------------------------------------------------------------- C. Requirements Applicable to All Savings Associations 1. Must I Inform OTS Before I Use Electronic Means or Facilities? (Sec. 555.300) Proposed Sec. 555.300(a) of the Supplemental NPR sets forth the general rule that a savings association does not have to inform OTS before it uses electronic means and facilities. However, two exceptions apply. First, proposed Sec. 555.300(b) would require a savings association to file a written notice with OTS before it establishes a transactional web site. Second, proposed Sec. 555.300(c) would provide that if the OTS Regional Office has informed a savings association of any supervisory or compliance concerns that may affect the savings association's use of electronic means or facilities, the savings association must follow any additional procedures the Regional Office has imposed in writing. Proposed Sec. 555.300(a) also would encourage savings associations to consult with OTS even in circumstances not covered by the notice requirement or other procedures in Sec. 555.300(b) or (c). [[Page 65678]] Four commenters indicated that the proposed notice requirement would help OTS to monitor adequately savings associations' technological innovations and to assess security, compliance, and privacy risks. Some commenters, however, expressed concerns. Four commenters argued that the notice requirement would place savings associations at a competitive disadvantage, since other banking regulators do not impose a similar notice requirement. OTS does not anticipate that the notification requirement will place savings associations at a significant competitive disadvantage. As discussed below, in general, once an association has addressed any follow-up questions from the Regional Office and the 30-day period has expired, the association will be free to bring its transactional web site on- line. No affirmative authorization from OTS is necessary except where the Regional Office may otherwise indicate. While providing this information will impose a minimal burden on savings associations, the process will allow individual associations, and the industry as a whole, to reap important benefits. The notice will make it easier for OTS to obtain information on the industry's use of transactional web sites. As a result, OTS will be better able to assist associations that are contemplating or already conducting Internet operations to identify and address the risks that accompany such activities. The information will also broaden OTS's awareness of trends in Internet banking operations, which OTS can share with institutions. It will also efficiently allow OTS to keep abreast of significant changes in the way particular savings associations interact with their existing or potential customers to enable OTS to issue appropriate guidance. Finally, the procedure responds to the concern raised by the commenter on the NPR who indicated that OTS should be vigilant about new electronic operations raising safety and soundness concerns, since the procedure will assist OTS to supervise effectively the electronic operations of savings associations.28 --------------------------------------------------------------------------- \28\ A September 30, 1998 report prepared, at OTS's request, by the Office of Inspector General (OIG), United States Department of the Treasury, made several suggestions. Among these were that OTS: (1) develop a complete list of savings associations providing on- line and Internet banking services; (2) enhance monitoring of savings associations' web sites for compliance with federal disclosure regulations and laws, and (3) begin to focus more on the operational risks presented by on-line and Internet banking. The OIG recommended these steps to help OTS determine risks, plan strategic examination coverage, identify staff development needs, and foster examination uniformity and consistency. See Office of Inspector General, U.S. Dep't of the Treasury, Consultative Report on the Office of Thrift Supervision Examination of On-Line and Internet Banking Risks, (OIG-CA-98-003, 1998). --------------------------------------------------------------------------- One commenter asserted that transactions conducted over the Internet pose no more risk than transactions performed using other technologies for which no prior notice is required. This commenter also asserted that the notice was unnecessary since the industry already fully understands the risks associated with the Internet. OTS does not agree that transactions conducted over the Internet pose no more risk than transactions performed through other more established technologies.29 While it is true that risks are inherent in all electronic capabilities, the use of an electronic channel such as the Internet to deliver products and services introduces unique risks due to the increased speed at which systems operate, user anonymity, and broad access in terms of geography, user groups, applications, databases, and peripheral systems. --------------------------------------------------------------------------- \29\ See 63 FR at 43328. --------------------------------------------------------------------------- As explained in the preamble to the Supplemental NPR, OTS has been, and continues to be, concerned with the adequacy of firewalls to prevent hackers from breaking into an association's computer systems and thereby jeopardizing the association's security.30 OTS is also concerned about other operational and compliance risks presented by Internet banking and intends to increase its monitoring of web sites for compliance with disclosure laws and regulations.31 Additionally, OTS is concerned about protecting the privacy of individuals submitting information (or about whom information has been submitted).32 --------------------------------------------------------------------------- \30\ Id. \31\ As noted in the preamble to the Supplemental NPR, OTS is aware that advertising and disclosure problems may apply equally to transactional and informational web sites. OTS believes, however, that the need for advance notice is greater where such concerns are combined with the other compliance, security, and privacy issues related to transactional web sites. To minimize regulatory burden, OTS is limiting the advance notice requirement to transactional web sites. However, OTS will continue to examine both types of web sites for operational and compliance problems. See 63 FR at 43329 n. 11. \32\ 63 FR at 43328. --------------------------------------------------------------------------- Even traditional risks that are similar to those in customary banking activities must be considered in a new light. For example, if an association conducts lending or deposit gathering activities over an electronic channel, credit risks must be considered in the context of the high-speed, wide-access electronic environment. The collection of baseline information on transactional web sites is an important and integral part of OTS efforts to enhance its supervision of Internet banking activities. Another commenter noted that the costs of developing a web site are substantial and would be incurred before the savings association files the notice. Consistent with Sec. 555.300(a), OTS encourages associations concerned about expending resources to develop a transactional web site to consult with their Regional Office in the early stages of development, even before filing a notice. In lieu of the notice requirement, several commenters urged OTS to continue to rely on existing supervisory guidance, examination oversight, and application processes to ensure that Internet activities are conducted in a safe, sound, secure, and compliant manner. One commenter encouraged OTS to address transactional web sites in the Statement on Retail On-Line Personal Computer Banking and in additional questions in the Pre-Examination Response Kit. Another commenter suggested that the additional guidance should address such issues as development costs, security and privacy issues, and compliance matters. OTS has provided and will continue to provide important guidance to the industry. OTS has addressed development costs, security, privacy, and compliance matters in its Statement on Retail On-Line Personal Computer Banking and in section 341 of the Thrift Activities Regulatory Handbook. OTS will update and supplement this guidance as necessary. However, this guidance is not a substitute for OTS's obtaining information necessary for proper supervision. OTS proposed to define a transactional web site as ``an Internet site that enables users to conduct financial transactions such as accessing an account, obtaining an account balance, transferring funds, processing bill payments, opening an account, applying for or obtaining a loan, or purchasing other products or services.'' 33 Four commenters supported OTS's proposed definition. Two commenters indicated that the Supplemental NPR adequately distinguished between transactional and informational web sites. --------------------------------------------------------------------------- \33\ 63 FR at 43330 (proposed Sec. 555.300(b)). --------------------------------------------------------------------------- In light of the generally favorable comments, OTS does not believe significant changes to the definition are necessary. However, OTS is making one clarifying change to the definition of transactional web site in response to a comment. The commenter recommended clarifying the meaning of the phrase ``purchasing other products [[Page 65679]] or services'' used in the definition. The final rule clarifies that the phrase refers to any authorized products or services. Another commenter asked OTS whether a new notice would be required when the type and level of activities conducted on a transactional web site are increased or substantially modified. A new notice will not be required in such circumstances. Once the savings association alerts OTS about its transactional web site, the agency will be able to monitor and examine the web site without a need for subsequent notices when changes are made.34 --------------------------------------------------------------------------- \34\ However, as noted in the preamble to the Supplemental NPR, before a savings association may change an informational web site to a transactional web site, the savings association must file a notice with OTS. 63 FR at 43329 n. 9. --------------------------------------------------------------------------- Other commenters, however, suggested further revisions or clarifications that OTS believes would be too limiting. One commenter indicated that the covered web sites should be those that transact business equivalent to a branch through which money passes. Another argued that a web site is not transactional if an applicant may only complete and return a loan application electronically, but would be transactional if the web site also permits the application to be processed through an automated credit scoring system and is used to notify the customer of an approval or denial. OTS does not agree that transactional web sites subject to the notice requirement should be limited to those that are used for monetary transactions or are used to notify the customer of an application approval or denial. The same concerns about providing a secure environment apply where confidential information is exchanged in other circumstances that are transactional, but do not necessarily constitute a monetary transaction or notification on an application. However, it is appropriate to clarify a related matter. OTS will not consider a web site to be transactional simply because it allows the sending of e-mail messages. For an association simply to include an e-mail address on its web site does not necessarily invite the public to attempt to conduct transactions with the association over the Internet or to submit confidential information. For example, the public may use the e-mail address for a variety of tasks (e.g., inquiring about products or services offered, requesting that a customer service representative call, or asking that forms or information be mailed). In contrast, a web site that provides an electronic application form for transmission to the association by e-mail would be considered transactional. Such an application, by its nature, is designed to conduct a transaction and will likely actively elicit the submission of confidential information to the association over the Internet through the questions contained in the application. One commenter recommended that OTS define an ``informational web site.'' OTS does not believe that a separate definition of this term is necessary. As noted in the preamble to the Supplemental NPR, an informational web site is a non-transactional web site, such as one limited to advertising and fee and rate posting.35 --------------------------------------------------------------------------- \35\ 63 FR at 43329. --------------------------------------------------------------------------- Six commenters opposed a notice requirement for electronic activities other than a transactional web site. Three commenters explained that OTS already has sufficient authority to examine any activity that raises safety and soundness concerns. OTS is not requiring a notice under Sec. 555.300(b) for any activities using electronic means or facilities other than transactional web sites. For example, a savings association would not be required to notify OTS before it establishes an informational web site.36 As with other activities, OTS will continue to rely on its existing supervisory examinations and application processes to ensure the savings association's ability to engage in new activities in a safe, sound, secure, and compliant manner.37 --------------------------------------------------------------------------- \36\ However, OTS has implemented a change to the Thrift Financial Report (TFR). The electronic filing software now collects information on all savings associations' Internet web site addresses. This change was effective for the third quarter 1998 TFR. \37\ OTS reviews the safety and soundness of new activities, the appropriateness of the internal controls and security precautions, and compliance with applicable laws and regulations on a case-by- case and institution-by-institution basis in connection with applications and through the examination process. For institutions subject to an application process (e.g., de novo applications), these initial safety and soundness and compliance determinations will be made in the application review. After application approval or where no application is required, safety and soundness and compliance will generally be assessed as a part of the examination process. This process will review and assess the institution's identification of risks of the activity, the steps it has taken to mitigate these risks, the testing it has undertaken to ensure safety and soundness, and its compliance monitoring process. --------------------------------------------------------------------------- As technologies emerge, OTS may revise the rule to require notice of activities other than establishing a transactional web site. Similarly, as technologies mature and the industry and OTS gain additional experience, OTS may revise the rule to no longer require notice before establishing a transactional web site. OTS is also making an editorial change to Sec. 555.300(a). The change clarifies that OTS encourages consultations with the Regional Office regardless of whether the notice requirement in Sec. 555.300(b) or the additional procedures in Sec. 555.300(c) apply. 2. How do I Notify OTS? (Sec. 555.310) Proposed Sec. 555.310 of the Supplemental NPR described the advance notice procedures. Proposed Sec. 555.310(a) would require a savings association to provide a written notice to the appropriate Regional Office at least 30 days before establishing a transactional web site. Proposed Sec. 555.310(b) contained a transition provision applicable to transactional web sites established after the date of the association's last regular onsite OTS safety and soundness examination but before the effective date of the rule. Two commenters supported the 30-day advance notice period. Another commenter argued that the 30-day notice period would be too long and suggested a 10-day notice period. Another commenter urged OTS to permit a savings association to apprise OTS within 30 days after establishing a transactional web site. This notice would permit OTS to review the web site in an examination. OTS has decided to retain the 30-day advance notice procedure as proposed. As discussed above, OTS does not anticipate this procedure will be burdensome. Thirty days is an appropriate time period to allow OTS to consider the notice and ask any follow-up questions that may be necessary. In the Supplemental NPR, OTS did not propose to prescribe any particular form for the notice. Proposed Sec. 555.310(a) would simply require that a savings association describe the transactional web site, indicate the date the transactional web site will become operational, and list a contact familiar with the deployment, operation, and security of the transactional web site. The preamble to the Supplemental NPR indicated that, upon receipt of the notice, the Regional Office may require additional information to ensure that the savings association will operate the transactional web site in a safe, sound, secure, and compliant manner.38 The preamble further indicated that OTS contemplated that the notice may be brief. It contained sample language that read: --------------------------------------------------------------------------- \38\ 63 FR at 43329. [Name of savings association] plans to establish a transactional web site on the Internet at [URL]. It will be operational on [Date]. The site will contain mortgage loan applications that can be transmitted securely [[Page 65680]] to our loan processing office. For further information contact: [Name at telephone number, e-mail].39 --------------------------------------------------------------------------- \39\Id. Four commenters stated that OTS should not require any information in the notice beyond that described in the Supplemental NPR. One commenter specifically endorsed OTS's sample statement in the preamble as sufficient. One commenter, however, recommended that institutions describe how they will conduct the activity, the type of security they will use, the internal controls they will follow, and the program they will follow to ensure compliance with all applicable laws and regulations. Another commenter observed that an overview of controls and safeguards designed to preserve privacy and security and protect against financial fraud would be sufficient. 40 One commenter suggested that if OTS discovers that new information is necessary following this rulemaking, it should require this information in guidance, rather than in a revised rule. --------------------------------------------------------------------------- \40\ One commenter, however, noted that security information may be difficult to obtain when the web site is maintained by a service bureau. This commenter noted that service bureaus often claim that the release of such information will compromise their systems. --------------------------------------------------------------------------- OTS is adopting the requirements concerning the contents of the notice as proposed. It believes these requirements will provide sufficient information to the Regional Offices without being burdensome or inflexible. The guidance contained in the preamble to the Supplemental NPR, including the sample language set forth above, remains valid. Several commenters sought clarification of the review procedures. One commenter sought assurance that the notice process was informational only. Two commenters sought clarification whether OTS would approve or disapprove notices (e.g., where there are supervisory or compliance concerns). One noted that if prior OTS approval is required, the notice process would impose substantial financial, strategic, and compliance risks on institutions. Another commenter urged OTS to review all notices within the notice period and quickly act to prevent a savings association from establishing a transactional web site that could threaten its safety and soundness. The procedure will work as follows: The savings association will file a written notice with the Regional Office. The Regional Office will review the notice and may ask follow-up questions. In general, once an association has addressed those follow-up questions from the Regional Office and the 30-day period has expired, the association will be free to bring its transactional web site on-line. No affirmative authorization from OTS is necessary except where the Regional Office may otherwise indicate. If, however, by the end of the 30-day period, the Regional Office informs the association that there are supervisory or compliance concerns that may affect the association's establishment of a transactional web site, the association must follow any procedures that the Regional Office imposes in writing. The procedures the Regional Office may impose could include, for example, requiring further information to be submitted or precautions to be taken before the savings association may establish the transactional web site, limiting in some fashion the ways in which the association may use the transactional web site, or prohibiting the association from establishing a transactional web site. One commenter opposing notice procedures observed that the advance notice only made sense if the Regional Office would review the notice before the roll-out of the web site. This commenter, however, predicted that OTS Regional Offices may apply inconsistent standards and that this inconsistency could be problematic since web sites provide services nationwide. The commenter suggested that the final rule should require the Regional Office to notify the thrift of any conditions it would impose on web site operations. OTS will issue industry guidance to help a savings association deploy a transactional web site in a safe, sound, secure, and compliant manner. OTS will also issue uniform guidance to its Regional Offices to verify that transactional web sites are in compliance with the industry guidance and this regulation and that savings associations have established an adequate infrastructure for operating safe, sound, secure, and compliant transactional web sites. One commenter urged OTS to require public notice and comment before a savings association may establish a transactional web site. This commenter indicated that, in some states, financial institutions must provide public notice and comment before opening a deposit-collecting branch or deposit-taking ATM. OTS does not believe it is appropriate to require a public comment procedure. Moreover, OTS posts notices on its web site upon filing. The same policy will apply to notices for transactional web sites. This procedure will provide adequate information to the public. IV. Other Rule Provisions A. Conforming Amendment to Branch Offices Regulation The proposed rule would revise OTS's branch office regulation to clarify that electronic facilities (such as automated loan machines) are not branch offices. Three commenters specifically supported this section, although two requested clarifications. One Federal savings association argued that the final rule should indicate that all electronic facilities and the Internet are excluded from the definition of ``branch office.'' The proposed rule would have excluded an ``electronic facility'' from the definition of ``branch office,'' but did not indicate that an ``electronic means'' was also excluded. For consistency in terminology, the final rule has been revised to exclude all ``electronic means or facilities'' from the definition of ``branch office.'' Under Sec. 555.200(a), the Internet continues to be an electronic means or facility and is not considered to be a branch. Another Federal savings association asked whether a ``hybrid office'' would be treated as a branch office. This commenter defined a hybrid office as an office in which a Federal savings association conducts the majority of its operations electronically, but conducts some functions in person by appointment. The type of office the commenter has described may be either a branch office \41\ or an agency \42\ depending upon the types of services provided. A Federal savings association may request an OTS opinion if it requires further guidance on this topic.\43\ --------------------------------------------------------------------------- \41\ 12 CFR 545.92 (1998). \42\ 12 CFR 545.96 (1998). \43\ OTS will shortly undertake another rulemaking to clarify the regulations governing various types of offices. --------------------------------------------------------------------------- B. Conforming Amendment to Subordinate Organizations Rule The Examination Parity and Year 2000 Readiness for Financial Institutions Act, discussed above, applies to Federal and State savings associations and provides OTS with the authority to examine service corporations. Accordingly, OTS is conforming the service corporation examination provision of its Subordinate Organizations regulation, 12 CFR 559.3(o)(2), to reflect this authority. V. Other Issues Raised by Commenters A. Preemption One Federal savings association commenting on both the NPR and the [[Page 65681]] Supplemental NPR urged OTS to add specific preemption provisions stating that OTS's electronic operations regulations preempt state laws purporting to restrict or govern the electronic operations of federal savings associations. The commenter noted that various states have enacted such laws. The commenter argued that preemption would encourage Federal savings associations to participate in various electronic banking activities, facilitate the development of best industry practices, and prevent the development of a patchwork of conflicting state and local rules. Electronic operations and related state and federal laws are still evolving. Thus, OTS believes it is premature to craft specific preemption regulations in the area of electronic operations. OTS intends to address specific state laws on a case-by-case basis as they are raised to the agency. The commenter may have raised this matter, in part, because the electronic operations provisions will not be placed in part 545, but rather in a new part 555. Part 545 currently contains regulations pertaining to electronic operations \44\ and also contains a general provision preempting state laws affecting ``Operations.'' \45\ However, the movement of the electronic operation provisions to a new part 555 does not indicate a substantive change. OTS will apply principles of preemption consistently with its prior interpretations of OTS's authority under the HOLA.\46\ Accordingly, the regulations in subpart A to part 555 will have preemptive effect where appropriate to: (1) facilitate the safe and sound operations of a Federal savings association, (2) enable a Federal savings association to operate according to the best thrift institution practices in the United States, or (3) further other purposes of the HOLA.\47\ --------------------------------------------------------------------------- \44\ 12 CFR 545.138, 545.141, and 545.142 (1998). \45\ 12 CFR 545.2 (1998). \46\ See 12 CFR 545.2 (Operations), 557.11-557.13 (Deposits), and 560.2 (Lending and Investment) (1998). \47\ Accord 12 CFR 557.11(a) and 560.2(a) (1998). --------------------------------------------------------------------------- When evaluating preemption of a state law, OTS will focus first on the underlying activity affected by the state law. For example, if a state law affects a Federal savings association's ability to take deposits or lend using electronic means and facilities, OTS will apply the part 557 or part 560 preemption analysis for deposit or lending activities, respectively. OTS will evaluate other activities that may be conducted electronically, on a case-by-case basis. While OTS intends to give Federal savings associations maximum flexibility to operate electronically according to a uniform federal scheme of regulation, OTS has recognized that some types of state laws, under certain circumstances, generally will not be preempted.\48\ Consistent with this approach, OTS will determine that a state law regulating electronic operations is not preempted if it furthers a vital state interest, and either has only an incidental effect on Federal savings associations' ability to provide financial services electronically or is not otherwise contrary to the purposes of OTS's rule. --------------------------------------------------------------------------- \48\ See 12 CFR 557.13 and 560.2(c) (1998). --------------------------------------------------------------------------- B. Community Reinvestment Act Several commenters on the NPR addressed the impact of emerging electronic technologies on Community Reinvestment Act (CRA) requirements. The comments generally argued that the current CRA requirements do not: (1) provide adequate recognition of loans, investments and services generated outside of a Federal savings association's traditional assessment area (i.e. the area surrounding its branch network), or (2) permit Federal savings associations with Internet operations to define their CRA assessment areas more broadly than the branch network concept allows. Some commenters offered options intended to address these types of concerns. These included allowing Federal savings associations that engage in alternate delivery systems to be treated as limited purpose institutions or to define an assessment area in a manner that is tied to the customer base rather than a particular geography. One commenter on the Supplemental NPR expressed concern that financial institutions may use web sites to conduct business nationwide, but would be required to include only certain geographical areas in their CRA assessment areas. Currently, OTS is working on an interagency basis to resolve these concerns and other CRA issues arising from the use of alternative methods of delivering financial products and services. The interagency effort involves revisiting the definition of an assessment area for institutions that use alternative delivery systems. Until this interagency effort is completed, OTS intends to allow the new electronic technologies to develop within the existing CRA regulatory framework. Specific CRA issues that arise in connection with an application will continue to be handled on a case-by-case basis in an effort to adapt existing laws to modern technologies and innovations. 49 An institution, of course, always has the option of taking advantage of the flexibility in the existing CRA regulation by developing and seeking approval of a strategic plan that would link CRA performance to its particular business strategy. 50 --------------------------------------------------------------------------- \49\ While not specifically involving electronic operations, the 1997 application from the Travelers Group is illustrative of an institution's efforts to develop a new approach on CRA. The Travelers Group filed an application to convert a state-chartered bank to a Federal savings association charter. The converted Federal savings association was to engage in consumer lending and trust services nationwide. In its application, Travelers stated that its CRA obligation extended throughout all the communities where it does business and made an initial pledge to make at least $430 million of home equity loans to low- and moderate-income borrowers over three years. OTS approved Travelers' application. See Order No. 97-120 (November 24, 1997). \50\ See 12 CFR 563e.27 (1998). --------------------------------------------------------------------------- C. Other Interagency Issues Both trade association commenters on the NPR urged OTS, other Federal bank regulators, and the Treasury Department to coordinate their activities to ensure the development of consistent approaches to electronic operations issues, to minimize regulatory burdens, and to avoid potential conflicts. One commenter on the Supplemental NPR indicated it would only support the notice requirement for transactional web sites if all banking regulators imposed the same requirement on their regulated institutions. As OTS issues rules and guidance on electronic operations, it continually strives for consistency with other Federal banking regulators. Accordingly, OTS will continue to participate in all interagency efforts to establish consistent regulatory approaches to electronic operations issues. One Federal savings association noted that when the Federal banking agencies and the Department of Justice review a merger or acquisition for its impact on competition, the analysis focuses on the relevant product and geographic markets. These concepts generally require an analysis of deposits taken, loans made, and services provided in the geographic areas served by the combining institutions. The commenter urged the Federal banking agencies to view Internet banking activities as outside the scope of the traditional antitrust analysis and recognize that current technology gives Federal savings associations and banks the ability to conduct business with customers all over the country. The entry of financial institutions into electronic operations raises a host of new issues. OTS has attempted through [[Page 65682]] this rulemaking and guidelines to address issues that have arisen. To date, the antitrust issue cited by the commenter has not been a critical issue in an application. Currently, financial business through electronic operations constitutes a very small portion of financial services offered by Federal savings associations. OTS will consider providing guidance on this issue and other issues in the future should they emerge as prominent issues. VI. Executive Order 12866 The Director of OTS has determined that this final rule does not constitute a ``significant regulatory action'' for the purposes of Executive Order 12866. VII. Paperwork Reduction Act of 1995 The collection of information requirements in this rule have been submitted to and approved by the Office of Management and Budget in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) under OMB control number 1550-0095. Comments on all aspects of this information collection should be sent to the Office of Management and Budget, Paperwork Reduction Project (1550-0095), Washington, DC 20503, with copies to the Regulations and Legislation Division, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552. Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a currently valid OMB control number. The valid OMB control number assigned to the collection of information in this final rule is displayed at 12 CFR 506.1. The collection of information requirements are found in 12 CFR 555.300 and 555.310. OTS requires this information for the proper supervision of electronic operations by savings associations. The likely respondents/recordkeepers are savings associations. VIII. Regulatory Flexibility Act Analysis Pursuant to section 605(b) of the Regulatory Flexibility Act, OTS certifies that this regulation will not have a significant impact on a substantial number of small entities. This final rule should make it easier for Federal savings associations, including small institutions, to engage in electronic operations. While it imposes a notice requirement on savings associations using one particular type of electronic means or facility (i.e., a transactional web site) and allows Regional Offices to impose case-by-case restrictions for supervisory or compliance reasons, these requirements are the minimum necessary for proper supervision and should not have a significant impact on a substantial number of small institutions. IX. Unfunded Mandates Act of 1995 Section 202 of the Unfunded Mandates Reform Act of 1995, Pub. L. 104-4 (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. OTS has determined that the rule will not result in expenditures by state, local, or tribal governments or by the private sector of $100 million or more. Accordingly, this rulemaking is not subject to section 202 of the Unfunded Mandates Act. List of Subjects 12 CFR Part 545 Accounting, Consumer protection, Credit, Electronic funds transfers, Investments, Reporting and recordkeeping requirements, Savings associations. 12 CFR Part 555 Accounting, Consumer protection, Credit, Electronic funds transfers, Investments, Reporting and recordkeeping requirements, Savings associations. 12 CFR Part 559 Reporting and recordkeeping requirements, Savings associations, Securities. Accordingly, the Office of Thrift Supervision amends chapter V, title 12 of the Code of Federal Regulations as set forth below: PART 545--OPERATIONS 1. The authority citation for part 545 continues to read as follows: Authority: 12 U.S.C. 1462a, 1463, 1464, 1828. 2. Section 545.92 is amended by revising paragraph (a) to read as follows: Sec. 545.92 Branch offices. (a) General. A branch office of a Federal savings association is any office other than its home office, agency office, administrative office, data processing office, or an electronic means or facility under part 555 of this chapter. * * * * * Secs. 545.138 through 545.142 [Removed] 3. Sections 545.138 through 545.142 are removed. 4. Part 555 is added to read as follows: PART 555--ELECTRONIC OPERATIONS Sec. 555.100 What does this part do? Subpart A--Authority of Federal Savings Associations to Conduct Electronic Operations 555.200 How may I use or participate with others to use electronic means and facilities? 555.210 What precautions must I take? Subpart B--Requirements Applicable to All Savings Associations 555.300 Must I inform OTS before I use electronic means or facilities? 555.310 How do I notify OTS? Authority: 12 U.S.C. 1462a, 1463, 1464. Sec. 555.100 What does this part do? Subpart A of this part describes how a Federal savings association may provide products and services through electronic means and facilities. Subpart B of this part contains requirements applicable to all savings associations. Subpart A--Authority of Federal Savings Associations to Conduct Electronic Operations Sec. 555.200 How may I use or participate with others to use electronic means and facilities? (a) General. A federal savings association (``you'') may use, or participate with others to use, electronic means or facilities to perform any function, or provide any product or service, as part of an authorized activity. Electronic means or facilities include, but are not limited to, automated teller machines, automated loan machines, personal computers, the Internet, the World Wide Web, telephones, and other similar electronic devices. (b) Other. To optimize the use of your resources, you may market and sell, or participate with others to market and sell, electronic capacities and by-products to third-parties, if you acquired or developed these capacities and by-products in good faith as part of providing financial services. Sec. 555.210 What precautions must I take? If you use electronic means and facilities under this subpart, your management must: [[Page 65683]] (a) Identify, assess, and mitigate potential risks and establish prudent internal controls; and (b) Implement security measures designed to ensure secure operations. Such measures must be adequate to: (1) Prevent unauthorized access to your records and your customers' records; (2) Prevent financial fraud through the use of electronic means or facilities; and (3) Comply with applicable security devices requirements of part 568 of this chapter. Subpart B--Requirements Applicable to All Savings Associations Sec. 555.300 Must I inform OTS before I use electronic means or facilities? (a) General. A savings association (``you'') are not required to inform OTS before you use electronic means or facilities, except as provided in paragraphs (b) and (c) of this section. However, OTS encourages you to consult with your Regional Office before you engage in any activities using electronic means or facilities. (b) Activities requiring advance notice. You must file a written notice as described in Sec. 555.310 before you establish a transactional web site. A transactional web site is an Internet site that enables users to conduct financial transactions such as accessing an account, obtaining an account balance, transferring funds, processing bill payments, opening an account, applying for or obtaining a loan, or purchasing other authorized products or services. (c) Other procedures. If the OTS Regional Office informs you of any supervisory or compliance concerns that may affect your use of electronic means or facilities, you must follow any procedures it imposes in writing. Sec. 555.310 How do I notify OTS? (a) Notice requirement. You must file a written notice with the appropriate Regional Office at least 30 days before you establish a transactional web site. The notice must do three things: (1) Describe the transactional web site. (2) Indicate the date the transactional web site will become operational. (3) List a contact familiar with the deployment, operation, and security of the transactional web site. (b) Transition provision. If you established a transactional web site after the date of your last regular onsite OTS safety and soundness examination but before January 1, 1999, you must file a notice describing your activity by February 1, 1999. PART 559--SUBORDINATE ORGANIZATIONS 5. The authority citation for part 559 continues to read as follows: Authority: 12 U.S.C. 1462, 1462a, 1463, 1464, 1828. 6. Section 559.3 is amended by revising paragraph (o)(2) to read as follows: Sec. 559.3 What are the characteristics of, and what requirements apply to, subordinate organizations of federal savings associations? * * * * * (o) * * * (2) A service corporation is subject to examination by OTS. * * * * * Dated: November 20, 1998. By the Office of Thrift Supervision. Ellen Seidman, Director. [FR Doc. 98-31746 Filed 11-27-98; 8:45 am] BILLING CODE 6720-01-P