CORPORATE CREDIT UNION GUIDANCE LETTER

No. 2001-04

DATE: October 17, 2001


SUBJ: Internet Based Application Controls


TO: The Corporate Credit Union Addressed


A substantial number of corporate credit unions are utilizing Web-based technology to deliver member services. Most systems involve the use of Web browsers by natural person credit union staff to access a corporate’s databases to perform a variety of services, including account inquiries, account transfers, wires, ACH file transfers, image access, and cash delivery. Other Web-based services, such as certificate purchases and redemptions and loan processing, are in development and should be available in the near future. The growth of these services is a clear indication of their popularity and effectiveness. It is likely that, over time, the majority of services provided by corporate credit unions will be delivered in this manner.

The attachment, “Guidelines for Internet Based Application Controls,” is intended to provide guidance to corporate credit unions as to OCCU’s expectations in the area of application controls and administration. It is understood that compensating controls and other factors could be in place to mitigate risks involved in member service delivery systems. Clearly, each corporate’s system will be unique and may warrant a somewhat different approach to managing the associated risk. However, the guidelines provide a starting point for discussion between examiners and corporate staff to ensure our mutual goal of sound security practices. OCCU welcomes your comments and questions in this ongoing process.

Please contact your district examiner, this office, or your State Supervisory Authority on any application control matters you would like to discuss.

Sincerely,

Robert F. Schafer
Director
Office of Corporate Credit Unions

OCCU/JWV:DAS:ds
Attachment

cc: State Supervisory Authorities
NASCUS
NAFCU
ACCU