Developments in cyberbanking
With rapidly improving technology and the spread of the Internet to all areas of society, financial institutions are increasingly delivering services and information through the Internet. Accordingly, Congress, the federal banking agencies, and the financial industry itself continue to monitor and study issues related to electronic financial transactions, including the development of future payment systems and new payment products, security and privacy issues in an online environment, and the detection of money laundering. This Article briefly analyzes several recent developments concerning the risks and challenges financial institutions face in providing online banking services and Internet payment systems.
INCREASED SECURITY CONCERNS FOR FINANCIAL INSTITUTIONS--"PHISHING"
One of the most daunting challenges faced by financial institutions when providing services through the Internet is ensuring that their systems and information remain secure from fraudulent transactions. The most recent wide-reaching Internet fraud that financial institutions face is commonly called "phishing." "Phishing" is the term used to describe scams in which hackers and fraudsters imitate legitimate companies in e-mails to entice people to share passwords, credit card numbers, or other personal financial information. These e-mails typically request that the victim confirm or verify existing personal or account information or provide new information. The e-mails also contain links to bogus Web sites that resemble legitimate Web sites. By randomly casting about for information, "phishers" hope to obtain information that enables them to access individuals' bank accounts or credit records for purposes of identity theft.
In July 2003, the Federal Bureau of Investigation (FBI) began an informational campaign to raise awareness about these e-mail scams. (1) The FBI's Internet Fraud Complaint Center (IFCC) reports a steady increase in complaints involving unsolicited e-mail directing consumers to a phony "customer service" Web site. (2) FBI Assistant Director Jana Monroe, of the FBI's Cyber Division, said that these types of schemes are contributing to a rise in identity theft, credit card fraud, and other Internet scams. (3) In addition, Director Monroe stated that the FBI's specialized Cyber Squads and Cyber Crime Task Forces are focusing on the "spoofing" problem. (4) In an international context, the FBI's Legal Attache offices coordinate international investigations. (5) These complaints have been traced back to perpetrators in England, Romania, and Russia. (6)
In addition to steps taken by law enforcement, victims of such scams, including Bank of America, eBay, Best Buy, and various other financial institutions and companies, have sent warnings to their customers about the problem. Typically, the warnings have stated that the legitimate business will never ask for a customer to verify or provide information via e-mail and that all information exchanged must be done on the legitimate Web site to ensure proper security.
The Office of the Comptroller of the Currency (OCC) has also focused on this growing problem and has issued an alert, dated September 12, 2003, to all banks it supervises. (7) The OCC has suggested the following prevention, detection, and response steps to assist in protecting against "phishing":

* Provide notices on Web sites reminding customers that the bank will never request confidential information through e-mail and to report any such requests to the bank.

* Print warnings and notices on customer statements or other paper mailings.

* Improve authentication methods and procedures to protect against the risk of user ID and password theft from the customer through e-mail and other [fraudulent methods]. Authentication methods solely reliant on shared secrets (e.g., passwords) are more susceptible to "phishing" schemes than stronger authentication methods.

* Review and, if necessary, enhance practices for protecting confidential customer data.

* Maintain current Web site certificates and describe how the customer can authenticate the bank's Web pages by checking the properties on a secure Web page.

* Refer customers to or use Federal Trade Commission ("FTC") resources to develop educational brochures to explain the red flags and risks of identity theft.

* Monitor accounts individually or in aggregate for unusual account activity such as address or phone number changes, large [dollar amount] or high-volume transfers, and unusual customer service requests.

* Monitor for fraudulent Web sites using variations of the bank's name.

* Establish a toll-free number for customers to verify requests for confidential information or to report suspicious e-mails.

* Train customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.

* Incorporate notification of known e-mail-related frauds into the response program to alert customers of fraudulent requests for information and to caution them against responding.

* Establish a process to notify Internet service providers, domain name issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that are being used to facilitate "phishing" or other fraudulent e-mail practices.

* Increase suspicious activity monitoring and employ additional identity verification controls.

* If fraud is detected in connection with customer accounts, the bank should report the fraud and consider offering its customers assistance consistent with the comprehensive guidance on reporting and customer assistance. (8)

In response to the rapidly increasing use of the Internet by financial institutions to provide various services and information to their customers, the Federal Financial Institutions Examination Council (FFIEC) has issued an updated E-Banking manual describing the latest developments in e-banking operations of financial institutions, the risks faced by financial institutions, and the risk management tools and techniques to control these various risks. (9) In light of the ever-increasing security and fraud risks faced by financial institutions, the manual contains, not surprisingly, a significant discussion on information security. The manual sets forth a list of general controls that each financial institution should have in place to identify vulnerabilities in Internet systems and protect from external security threats. These controls include the following:

* Ongoing knowledge of attack sources, scenarios, and techniques.

* Up-to-date equipment inventories and network maps sufficient to support timely security updating.

* Rapid response capability to react to newly discovered vulnerabilities.

* Network access controls over external connections.

* System "hardening," which is the process of removing or disabling unnecessary or insecure services and files that are manufacturer-set defaults. Many times manufacturer-set defaults are not sufficiently secure for a financial institution environment.

* Controls to prevent malicious code.

* Rapid intrusion detection and response procedures.

* Physical security of computing devices.

* User enrollment, change, and termination procedures.

* Processes to identify, monitor, and address training needs.

* Independent testing. (10)

Additionally, the FFIEC published an updated Audit Manual. (11) As stated in the Audit Manual, the FFIEC believes:

A well-planned, properly structured audit program is essential to evaluate risk management practices, internal control systems, and compliance with corporate policies concerning IT-related risks at institutions of every size and complexity. Effective audit programs are risk-focused, promote sound IT controls, ensure the timely resolution of audit deficiencies, and inform the board of directors of the effectiveness of risk management practices. (12)

Accordingly, the Audit Manual describes the roles and responsibilities of the board of directors, management, and internal or external auditors and identifies effective practices for information technology audit programs. (13)
Although the FFIEC manuals are primarily written to guide the federal banking agencies and third-party service providers, the manuals provide a valuable resource to financial institutions by helping to identify and manage risks and to institute programs and safeguards for the institutions' current and future Internet-related services. The booklets may be accessed at the FFIEC's Web site. (14)
The federal banking agencies have identified "Weblinking" as an activity that requires a financial institution's increased attention. (15) A large number of financial institutions maintain Web sites, and a significant number of financial institution Web sites contain links to other Web sites ("Weblinks"), which are not controlled by the financial institution or reviewed by any regulatory agency. This can result in various risks to the financial institution, the most significant of which are "reputation risk" and "compliance risk." (16)
To address the risks inherent in financial institution Weblinking, the federal banking regulatory agencies issued interagency guidance on Weblinking activity. (17) Prior to the issuance of that document, the previous guidance was issued by the OCC in 2001. (18) Although Weblinking is not a new activity, the federal banking agencies have attempted to re-emphasize the risks posed by Weblinking and the importance of adopting appropriate risk controls.
The interagency guidance offers examples of what constitutes reputation risk. Such risks include customer confusion as to which entity is offering a certain product or service, customer confusion as to whether such product or service is being endorsed by the financial institution, customer dissatisfaction with a product or service offered through a Weblink, and confusion as to whether such products or services are covered by any regulatory protections. (19)
Similarly, there are compliance risks to consider when allowing another Web site to create a link to the Web site of the financial institution. (20) Compliance risks to consider include how customer information may be used or shared by the linking party and whether the technology being used by the linking party is secure. (21) Naturally, the level of risk depends on what is being offered through the link and whether such link allows the customer to interact with the linking party. (22) Both reputation risk and compliance risk will be greater if the products or services being offered through the link appear to be related to the financial institution, such as mortgages, credit cards, or other financial services, rather than if the link is to an online bookstore or auction site. (23)
The interagency guidance suggests that financial institutions considering a Weblinking arrangement with third parties take steps to prevent customer confusion, such as ensuring that the name of the linking party and the appearance of the Web site are not similar to those of the financial institution. (24) Additionally, the interagency guidance cautions that financial institutions should be aware that customers may have a heightened expectation of those parties linked to the financial institution Web site and may assume that the financial institution has engaged in extensive due diligence with regard to such companies. (25) Customers may also expect that products and services offered through linked sites are federally insured or guaranteed by the financial institution. (26)
The interagency guidance suggests that financial institutions engage in due diligence with any parties with which they are considering a linking arrangement, and that the terms and conditions of the arrangement be in writing. (27) Items to review before agreeing to a linking arrangement include the type of products or services offered by the company, the general character of the company and its offerings, any past regulatory compliance issues, and excessive customer complaints about the company. (28)
Weblinking agreements should include termination provisions, customer service provisions, contingency plans for linking party insolvency and security breaches, and only those activities permitted within the financial institution's scope of permissible activities. (29) Additionally, any agreement should include provisions indemnifying the financial institution for dissatisfied customers or regulatory noncompliance of the linking party, as well as intellectual property infringement and breach of privacy claims. (30)
Finally, a financial institution permitting third parties to link to its Web site should use "clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites." (31) Devices such as "pop up" windows, bold graphics, framing, intermediate Web pages (called "speed bumps") and the like can alert customers that they are leaving the financial institution Web site and that the financial institution privacy policy may no longer apply. (32)
PROTECTION OF WEB ADDRESSES
In July 2000, the OCC issued an alert regarding the need for financial institutions to carefully select and protect their Internet addresses. (33) Although this alert was issued in 2000, it bears mentioning in connection with the interagency guidance on Weblinking activity because several financial institutions discovered that sites with similar Internet addresses had been created to look like genuine bank sites. For example, although "www.citibank.com" brings one to the Citibank site, the address www.citbank.com (i.e., without the second "i") brings one to a Web site promising an assortment of services, including mortgages, credit cards, and other financial services. Although this Web site does not resemble the real Citibank site, it does not attempt to clarify that it is not the Citibank site. Bank names can easily be mistyped and consumers can easily be directed to Web sites that are either similar or deliberately visually identical. Such sites can cause customer confusion, resulting in customers inadvertently transmitting confidential information to the fraudulent sites. Due to the ease with which anyone can register a domain name, financial institutions must be vigilant in monitoring their domain names.
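The OCC alert described earlier recommends monitoring for fraudulent Web sites that use variations of the bank's name, and the citbank.com example above shows the simplest such variation. The following Python monitor is an added example (not code from the article, the OCC, or any bank) that implements that check over a constructed list of observed domains and goes beyond the single-omission case to catch transpositions, substitutions, insertions, and names that embed the brand label; the reason labels and the observed list are assumptions.

```python
"""Lookalike-domain monitor (added example; not code from the article or the OCC).
Flags observed domain names that a customer could mistake for the bank's own:
one-character omissions such as "citbank.com", transpositions, substitutions,
insertions, and names that embed the brand label under some other domain."""
from typing import Dict, List, Optional

LEGIT_DOMAIN = "citibank.com"  # the example domain discussed in the article

# Reason labels are assumptions chosen for this example.
REASON_TLD = "brand label under a different top-level domain"
REASON_EDIT1 = "one character away from the brand label"
REASON_EMBED = "brand label embedded in a longer label"
REASON_SUBDOMAIN = "brand label used as a subdomain of another domain"

def strip_www(domain: str) -> str:
    """Lower-case the host name and drop a leading 'www.'."""
    host = domain.lower().strip(".")
    return host[4:] if host.startswith("www.") else host

def brand_label(domain: str) -> str:
    """Second-level label of a host.  Assumes a single-label public suffix
    (.com, .net); multi-label suffixes such as .co.uk are out of scope."""
    labels = strip_www(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify(observed: str, legit: str = LEGIT_DOMAIN) -> Optional[str]:
    """Return a reason string if `observed` resembles `legit`, else None."""
    host = strip_www(observed)
    if host == strip_www(legit):
        return None  # the bank's own site
    target, label = brand_label(legit), brand_label(observed)
    if label == target:
        return REASON_TLD
    if damerau_levenshtein(label, target) == 1:
        return REASON_EDIT1
    if target in label:
        return REASON_EMBED
    # e.g. citibank.com.verify-account.example: the brand appears as a
    # subdomain label of an unrelated registrable domain.
    if target in host.split(".")[:-2]:
        return REASON_SUBDOMAIN
    return None

def scan(domains: List[str], legit: str = LEGIT_DOMAIN) -> Dict[str, str]:
    """Map each suspicious domain in `domains` to the reason it was flagged."""
    hits: Dict[str, str] = {}
    for d in domains:
        reason = classify(d, legit)
        if reason:
            hits[d] = reason
    return hits

# Constructed sample of "observed" registrations, e.g. from a new-domain feed.
OBSERVED = [
    "www.citibank.com",                     # legitimate
    "citbank.com",                          # omission, as in the article
    "citibnak.com",                         # transposition
    "c1tibank.com",                         # digit-for-letter substitution
    "citibank-login.com",                   # brand embedded in a longer label
    "citibank.com.verify-account.example",  # brand used as a subdomain
    "citibank.net",                         # same label, other TLD
    "example.com",                          # unrelated
]

if __name__ == "__main__":
    for domain, reason in scan(OBSERVED).items():
        print(f"{domain:40} {reason}")
```

A hit is a candidate for the OCC's takedown and customer-notification steps, not proof of fraud; a bank-owned defensive registration such as citibank.net would be flagged and then whitelisted.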
WEB ACCESSIBILITY GUIDELINES DEVELOPED
As use of the Internet has spread into more areas of society including commerce, education, employment, and social settings, the Internet has been replacing more traditional forms of delivery of information and services. (34) This raises the question whether an institution needs to take special steps to provide for accessibility by disabled individuals to the institution's information and services available through its Internet Web site. (35) According to the World Wide Web Consortium ("W3C"), the organization that is spearheading the demand for measures to provide such accessibility, almost ten percent of the population is impaired from accessing information on typical Web sites due to various disabilities. (36) For many of these individuals, accessibility is more critical than for the general population. (37)
Currently, only certain federal government agencies are required to implement special measures to provide such Web site accessibility pursuant to section 508 of the Rehabilitation Amendment Act of 1998. (38) Certain groups have been demanding better Web usability and accessibility for the blind, deaf, and mobility-impaired. These groups have had some success in getting companies to implement some measures to improve such accessibility on a voluntary basis. Further, some court cases have been brought contending that companies are required by the Americans with Disabilities Act (ADA) to implement special measures to make their Web sites more accessible to disabled individuals.

Although not currently required by law, financial institutions may want to consider implementing some or all of the W3C's Web Content Accessibility Guidelines 1.0 ("WCAG 1.0 Guidelines"), which establish principles for accessible design, such as the need to provide equivalent alternatives for auditory and visual information. (41) Each guideline has associated "checkpoints" explaining how these accessibility principles apply to specific features of sites. For example, providing alternative text for images ensures that information is available to a person who cannot see images. Similarly, providing captions for audio files makes such audio information available to someone who cannot hear. (42) Generally, the WCAG 1.0 Guidelines deal with reduction of barriers on Web pages providing educational programs, employment-related information or workplace Intranets, information on civic activities or programs, e-commerce sites, and other information. (43) They recommend the following fourteen general principles of accessible design:

1. Provide equivalent alternatives to auditory and visual content.

2. Don't rely on color alone.

3. Use markup and style sheets and do so properly.

4. Clarify natural language usage.

5. Create tables that transform gracefully.

6. Ensure that pages featuring new technologies transform gracefully.

7. Ensure user control of time-sensitive content changes.

8. Ensure direct accessibility of embedded user interfaces.

9. Design for device-independence.

10. Use interim solutions.

11. Use W3C technologies and guidelines.

12. Provide context and orientation information.

13. Provide clear navigation mechanisms.

14. Ensure that documents are clear and simple. (44)

A company wishing to implement these guidelines may need to have its Web designers obtain further guidance on what W3C means by some of these guidelines so that they can find ways of implementing these guidelines in specific contexts. Although there is a cost associated with this, W3C contends that complying with these guidelines makes good business sense because it will enhance the market share and audience reach of a Web site and increase its general usability. Further, incorporating these guidelines into a Web site design can be something that the company can point to as demonstrating the company's commitment to social responsibility and equity of access to information and services. (45)
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM Act" or the "Act"), was enacted this year and signed by the President in December 2003. (46) The CAN-SPAM Act took effect January 1, 2004 and preempts many provisions of existing state anti-spam laws, including the highly restrictive California law that was set to take effect in January 2004. (47)
The CAN-SPAM Act does not prohibit the sending of commercial electronic mail messages (CEMMs), which are "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." (48) It does, however, prohibit certain fraudulent and misleading practices, and requires senders of commercial e-mails to label these messages accordingly and to give recipients a means to "opt out" of future mailings from those senders. (49) The Act also authorizes the FTC and state authorities to bring enforcement proceedings against violators, and requires the FTC to consider the establishment of a national "do-not-spam" list similar to the "do-not-call" registry that now restricts telemarketing calls. (50)
One of the Act's surprising features is its failure to create a broad exemption for e-mails sent to recipients with whom the sender has a preexisting or current business relationship. Such an exemption, which is common in state anti-spam laws, permits businesses to contact their past and present customers without observing all of the restrictions that apply to e-mails sent to strangers. Instead of creating a preexisting or current business relationship exemption, the new Act recognizes only a narrow category of "transactional or relationship messages," which include:

an electronic mail message the primary purpose of which is--

(i) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender;

(ii) to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient;

(iii) to provide--

(I) notification concerning a change in the terms or features of;

(II) notification of a change in the recipient's standing or status with respect to; or

(III) at regular periodic intervals, account balance information or other type of account statement with respect to, a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender;

(iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or

(v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender. (51)

The Act authorizes the FTC to modify this definition of "transactional or relationship message" as needed to accommodate changes in technology and e-mail practices and to accomplish the purposes of the Act. (52)
The new Act will have little impact on unethical businesses that already engage in fraudulent or deceptive practices by means of e-mail. Those enterprises likely will locate their servers offshore or take other measures to avoid prosecution and simply will continue to operate as usual. The greatest impact will be on legitimate businesses that use e-mail as a marketing or customer service channel. Those businesses will want to study the new law thoroughly and ensure that adequate compliance measures are in place.
Unlike the highly restrictive California statute that was set to take effect in January 2004, the CAN-SPAM Act allows companies to send e-mail ads to potential customers, even when the recipients have not given prior consent to such mailings and the sender does not have a preexisting or current business relationship with the recipient. The CAN-SPAM Act casts a wide net over any and all attempts to conceal the origins of e-mail ads or the identities of their senders. Specific prohibited practices include falsification of header information, false registrations for e-mail accounts or IP addresses used in connection with e-mail ads, and retransmissions of e-mail ads for the purpose of concealing their origins. (53) The statute permits the mailing of e-mail ads to persons who have not agreed to receive them and who have no preexisting or current business relationship with the sender. The sender of such e-mails must, however, give recipients the means of asking not to receive future e-mail ads from that sender. (54) Specifically, the e-mail must give the recipient the ability to send a reply message or other "Internet-based communication" that opts out of future e-mails from the sender. (55) Also, the recipient's ability to make such an opt-out response must be good for at least thirty days after the original message is sent. (56)

If the recipient of an e-mail ad has exercised his or her right to refuse future mailings, the sender must honor that request. Specifically, the sender must cease transmission of e-mail ads to that recipient after ten business days from the date of receipt of the opt out request. (57) The sender also is generally prohibited from selling or otherwise transferring e-mail addresses of persons who have opted out of future mailings. (58) The new Act requires e-mail advertisers to identify their messages as advertisements or solicitations, and to do so by means that are "clear and conspicuous." (59)
Perhaps the most important provision of the new Act is its preemption language. Specifically, the CAN-SPAM Act

supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto. (60)

By preempting state anti-spam restrictions not directly related to fraud or deception, the new Act protects legitimate businesses against more restrictive state legislation and simplifies the task of compliance with anti-spam requirements.
Unlike the California statute and some other state anti-spam laws, the new Act does not permit recipients of commercial e-mails to sue the senders for violations of the Act. Enforcement will be primarily by means of actions brought by the FTC or state law enforcement authorities. Internet service providers, however, have a right to bring civil lawsuits against violators that adversely affect those providers. (61)
The Act delegates a substantial set of studies, reports, and rulemaking activities to the FTC, including the task of defining some of the Act's key terms. For example, the FTC will define the circumstances under which an e-mail's primary purpose will be found to be the promotion or advertisement of a commercial product or service--an important requirement for classification of a message as a CEMM covered by the Act. (62)
(1.) Press Release, Federal Bureau of Investigation, FBI Says Web 'Spoofing' Scams are a Growing Problem (July 21, 2003), available at http://www.fbi.gov/pressrel/pressrel03/spoofing072103.htm.

(7.) Customer Identity Theft: E-Mail-Related Fraud Threats, OCC Alert 2003-11 (Sept. 12, 2003) [hereinafter OCC Alert 2003-11], available at http://www.occ.treas.gov/ftp/alert/2003-11.doc.

(8.) Id. at 2-3 (citations omitted).

(9.) See Federal Financial Institutions Examination Council, E-Banking: IT Examination Handbook (2003), available at http://www.ffiec.gov/ffiecinfobase/booklets/e_banking/e_banking.pdf.

(11.) Federal Financial Institutions Examination Council, Audit: IT Examination Handbook (2003), available at http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf.

(14.) Federal Financial Institutions Examination Council, FFIEC IT Examination Handbook, at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01html (last visited Apr. 8, 2004).

(15.) See Weblinking: Identifying Risks and Risk Management Techniques, OCC Bulletin 2003-15 (Apr. 23, 2003) [hereinafter OCC Bulletin 2003-15], available at http://www.occ.treas.gov/ftp/bulletin/2003-15a.pdf.

(18.) See generally OCC Alert 2003-11, supra note 7.

(19.) OCC Bulletin 2003-15, supra note 15, at 2-3.

(33.) Protecting Internet Addresses of National Banks, OCC Alert 2000-9, at 1 (July 19, 2000), available at http://www.occ.treas.gov/ftp/alert/2000-9.doc.

(34.) Suzanne Robitaille, The ADA's Next Step: Cyberspace, BUS. WK. ONLINE (July 28, 2003), at http://www.businessweek.com/technology/content/jul2003/tc20030725_6346_tc078.htm.

(36.) World Wide Web Consortium, Fact Sheet for "Web Content Accessibility Guidelines 1.0", at 5, at http://www.w3.org/1999/05/WCAG-REC-fact.html (last visited Apr. 8, 2003) [hereinafter Fact Sheet].

(38.) 29 U.S.C. § 794d(a)(1)(A) (2000).

(39.) Robitaille, supra note 34.

(40.) Sandra Clark, A Case for Accessibility: As the World Becomes More Reliant on the Internet, Accessibility Will Become More of an Issue, 5 COLDFUSION DEVELOPER'S J. 16 (Sept. 1, 2003), available at http://www.sys-con.com/coldfusion/article.cfm?id=645.

(41.) Fact Sheet, supra note 36.

(44.) World Wide Web Consortium, Web Content Accessibility Guidelines 1.0, at Guidelines 1-14, at http://www.w3.org/TR/WAI-WEBCONTENT/ (last visited Apr. 10, 2004).

(45.) World Wide Web Consortium, Auxiliary Benefits of Accessible Web Design, at http://www.w3.org/WAI/bcase/benefits.html (last visited Apr. 10, 2004).

(46.) Pub. L. 108-187, 117 Stat. 2699 (2003).

(47.) 15 U.S.C. § 7707(b)(1).

(48.) Id. § 7702(a) (emphasis added).

(49.) Id. §§ 7703, 7704(a).

(50.) Id. § 7708(a).

(51.) Id. § 7702(17)(A).

(52.) Id. § 7702(17)(B).

(53.) 18 U.S.C. § 1037(a)(3).

(54.) 15 U.S.C. § 7704(a)(3)(A).

(55.) Id. § 7704(a)(3)(A)(i).

(56.) Id. § 7704(a)(3)(A)(ii).

(57.) Id. § 7704(a)(4)(A)(i).

(58.) Id. § 7704(a)(4)(A)(iv).

(59.) Id. § 7704(a)(5)(A)(i).

(60.) Id. § 7707(b)(1).

(61.) Id. § 7706(g)(1). Other, industry-specific agencies also may bring actions under the Act. Those agencies include the Office of the Comptroller of the Currency, the Securities and Exchange Commission, and the insurance regulators of the various states. Id. § 7706(b).

(62.) Id. § 7702(2)(C).

By Mark T. Gillett, Obrea O. Poindexter, Veronica McGregor, and Martin Villongco *
* Mr. Gillett and Mr. Villongco practice law with Morrison & Foerster LLP in Los Angeles, California; Ms. Poindexter practices law with Morrison & Foerster LLP in Washington, D.C.; and Ms. McGregor practices law with Morrison & Foerster LLP in San Francisco, California. Mr. Gillett, Ms. McGregor, and Mr. Villongco are members of the California bar, and Ms. Poindexter is a member of the Pennsylvania bar.