DATE: March 2002
LETTER NO.: 02-FCU-04
TO: All Federal Credit Unions
SUBJ: Weblinking Relationships
ENCL: OCC Bulletin 2001-31
Dear Board of Directors:
The National Credit Union Administration (NCUA) board recently approved
NCUA Rules and Regulations, Part 721, Incidental Powers. Categories
of activities pre-approved as incidental powers necessary for Federal
Credit Unions (FCUs) to carry on business include:
- Electronic Financial Services (Part 721.3(c)) - authorizes FCUs to offer
through electronic means any services, products, functions, or activities
that a credit union could otherwise perform, provide, or deliver
to members.
- Finder Activities (Part 721.3(f)) - authorizes FCUs to introduce or
otherwise bring together outside vendors with its members for the
negotiation and consummation of transactions. Included in this
authorization is the credit union's ability to provide information
to members about the products and services of third parties.
Credit unions are increasingly using their electronic financial service infrastructure
to provide finder activities to assist their members. This is most
commonly evidenced by credit union web sites on the Internet containing
links to third-party web sites. These linked third-party sites can
provide a variety of important services to the membership. However,
these weblinking relationships may also expose the credit union to additional
risk.
Risks
Before entering into any new
activity, the credit union board should properly evaluate the credit union’s
risks, develop appropriate policies, contract appropriately with third
parties, seek the advice of legal counsel, and provide the necessary staff
training. The same risks associated with the use of information technology
also apply in establishing a weblinking relationship:
- Strategic Risk – Failure to plan adequately for weblinking. Management
should determine the needs of the membership and select an appropriate
third party to assist in meeting those needs.
- Transaction Risk – Failure to determine the security and reliability of
linked third-party web sites. Management should assess the security and
performance reliability of web sites whose performance is beyond their
control.
- Compliance Risk – Failure to verify that the third-party web site
complies with all applicable laws (HMDA, Privacy, etc.). Management
should evaluate linked third-party web sites for compliance where
applicable.
- Reputation Risk – Failure to address and manage the public perception
of linked sites. Management should determine if the information, links
and advertising appearing on such sites is appropriate.
Linking Methodology
There are several ways to present a linked third-party web site. In some
cases, a linked third-party web site is displayed in its own window
without reference to the credit union. In other instances, a linked
third-party web site is displayed in a window framed with the credit
union’s name.
Credit unions may increase their risk of exposure to liability by framing a
third-party web site because the member may think they are still at
the credit union’s web site. In some cases, members may believe the
credit union endorses the information, product or services offered by
linked third parties, or that the insurance protections afforded the
member at the credit union also apply to the products offered at the
linked third-party web site.
Disclaimers
When providing links to third-party web sites, credit unions are strongly
encouraged to include a clearly written, conspicuous disclaimer that
addresses the following:
- The member is leaving the credit union’s web site;
- The member is linking to an alternate web site not operated by the
credit union;
- The credit union is not responsible for the content of the alternate
web site;
- The credit union does not represent either the third party or the
member if the two enter into a transaction; and
- Privacy and security policies may differ from those practiced by the
credit union.
Appropriate Policies
Management should develop detailed, written policies that address the
following:
- Selection criteria – Determine type of web site needed and contract
with each third party, or an intermediary party, who will arrange the
FCU’s links.
- Due diligence – Determine the third party’s financial stability,
customer service standards, privacy, security, performance, and veracity
of web-site content.
- Web-site reviews – Determine the frequency and process for reviewing
the linked web sites for appropriate presentation and content.
- Implementation – Determine the appropriate manner in which to implement
links to various third parties depending on the relationship. For
example, there may be instances where linking is intentionally
transparent to the members. This may occur in situations where a credit
union hosts its own web site containing marketing and contact
information, but offers on-line account access via a button on their web
site that links to a third party. The linked third party acts on behalf
of the credit union to provide electronic account access for the members.
This alternate web site is actually supporting a part of the credit
union’s site. In such cases, it may not be necessary for members to
distinguish the third-party site from the credit union’s web site.
Agreements
Contracts should be clearly written and contain understandable and
enforceable definitions of all obligations, liabilities, and recourse
arrangements. Appropriate contract provisions include:
- Establishing the relationship between the credit union and the third
party specifying that they are not forming a partnership or entering
into a joint relationship.
- Excluding links that would violate any federal, state, or local laws,
rules, or regulations.
- Excluding links or portions of a linked web site that the credit union
determines is unacceptable.
- Limiting risk when entering, maintaining, and ending the weblinking
relationship.
- Including guidelines for adding new products or services.
- Addressing security and privacy issues.
- Including the conditions for ending or terminating the link.
- Specifying that the entity providing the link is directly responsible
to the credit union, if using an intermediary party.
Training
Staff involved in managing the weblinking arrangement should have
sufficient training and guidance to carry out the board’s desires
including:
- Selecting third-party relationships
- Monitoring the activity of third-party web sites
- Conducting ongoing due diligence of third parties
References
Enclosed for your review is the Office of the Comptroller of the Currency’s (OCC)
recently issued OCC Bulletin 2001-31, Weblinking. The OCC Bulletin
discusses the risks and related control mechanisms that credit unions
should consider when they establish weblinking relationships.
In addition, NCUA has published guidance papers to assist FCUs in
evaluating the risks and understanding the legal requirements involved in
some of these activities. This guidance includes:
1) NCUA Letter to Credit Unions No. 01-CU-11 (August 2001), focuses
primarily on the electronic aspects of member data security;
2) NCUA Letter to Credit Unions No. 01-CU-09 (September 2001),
guidance on how credit unions should protect member information from
identity theft and pretext calling;
3) NCUA Letter to Credit Unions No. 01-CU-04 (March 2001), encouraging
credit unions to consider the benefits of offering Internet-based
electronic financial services to your credit union’s membership;
4) NCUA Letter to Credit Unions No. 01-CU-02 (February 2001), offering
guidance on the privacy of consumer financial information;
5) NCUA Letter to Credit Unions No. 109 (September 1, 1989), discussing
risks associated with certain computer operations;
6) NCUA Letter to Credit Unions No. 97-CU-5, addressing electronic
financial services;
7) NCUA Letter to Credit Unions No. 00-CU-11, regarding risk management
of outsourced technology services; and
8) NCUA Interpretive Ruling and Policy Statement 85-1, covering trustees
and custodians of pension plans.
NCUA’s published guidance, along with NCUA’s regulations, are available
from the agency’s website at www.ncua.gov.
Additional interpretive letters and guidance issued by other federal
financial institution regulators may assist you in understanding an
activity’s risks, for example, OCC Bulletin 2001-12 on bank-provided
account aggregation services and OCC Advisory Letter 2000-9 on
third-party risk. The OCC guidance is available from the agency’s website
at http://www.occ.treas.gov. Depending on the activities an FCU
undertakes, it may also need to comply with applicable state laws and
consult with its own legal counsel and other professional advisers.
If you have any questions or concerns, please contact your NCUA Regional
Office.
Sincerely,
/S/
Dennis Dollar
Chairman
Enclosure
The Enclosure of this Letter
to FCUs is a Bulletin published by another agency. It is available as
a PDF document.
OCC Bulletin 2001-31