Weblinking: Compliance Advice from the OCC

Hard on the heels of the FRB's interim rules on electronic disclosures comes guidance from the OCC on Weblinks. This guidance, OCC Bulletin 2001-31, describes the agency's expectations with regard to any weblinking that a bank engages in.

The bulletin identifies specific concerns including reputation risk, transaction risk, privacy and security, compliance, and strategic or legal risk. In addition to raising these specific concerns and providing guidance on how to manage them, the bulletin identifies ways to approach risk identification and risk management more generally.

Banks should conduct "sufficient due diligence" to evaluate the third parties' ability to provide service and maintain adequate security and privacy levels for bank customers. Relationships with third party weblinks should be based on formal, written contracts or agreements that clearly define rights and obligations of both parties. Finally, the bulletin advises banks to display "appropriate disclosures" on the bank's website to ensure that customers clearly understand the difference between bank and third-party products.

Finders
The bulletin draws on a prior interpretation (12 CFR 7.1002) that national banks may act as "finders" in bringing together buyers and sellers. In doing so, the OCC "expects" that banks will take reasonable steps to clearly distinguish between products and services that are offered by the bank and those that are offered by third parties.

Banks may generally receive compensation for finder activity. However, the bulletin warns that any transactions that would be subject to RESPA must comply with that law's restrictions on compensation for referrals. The bulletin mentions this concern several times, just to be sure the reader gets the point.

Reputation Risk
Risk to the bank's reputation is based on the concept that customers have expectations of the bank - high expectations. Falling short of these expectations can cause a drop in the bank's reputation. This attention given to customers' expectations to measure risk is similar to the considerations raised in evaluating unfair and deceptive trade practices. It is yet another pronouncement that management should carefully consider what customers expect from banks.

Damage to the bank's reputation can also result from weaknesses in a third party's security and privacy policies. Closely linked to customer perception risk, this appears to equate - in the customers' eyes - third party problems with bank problems. Ultimately, the risk to the bank rests not only on its own policies and procedures, but also on those of any third parties with which the bank is linked.

Something to watch for, which requires regular and frequent monitoring, is changes to the third party's website that could affect the bank's reputation. This concern includes both changes to the content of the third party's website and additional links to and from that website with other third parties.

Transaction Risk
The security of customers, of customer information, and customer transactions should be a bank priority when evaluating and monitoring third party websites. If the third party does not maintain a level of transaction security appropriate for banking, customers should be made aware of the differences in security through various types of warnings and disclosures before entering into a third party transaction - or even before going to the third party's weblink.

Banks should evaluate the third party sites for encryption policies, use of account numbers and passwords, and access controls. In addition, banks should review and monitor how well the links function technically. Technical problems may result in errors that lead to transaction risk.
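The monitoring described under Reputation Risk and Transaction Risk (watching for changes to a linked third-party site, new links from it to other parties, and links that no longer function) lends itself to a routine check against a stored baseline. The script below is an added example, not part of the bulletin or the original article. Everything in it is constructed: the approved-link inventory, the baseline records, and the "current" page snapshots stand in for what a real job would fetch from the partner sites on each review cycle.

```python
"""Added example: review a bank's approved outbound weblinks against a baseline.

The link inventory, baseline records and current snapshots below are
constructed sample data (assumptions, not from the OCC bulletin). A real job
would fetch each page and record its final URL, status code and HTML.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def outbound_hosts(html, page_host):
    """Hosts linked from the page other than the page's own host."""
    parser = LinkExtractor()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        u = urlparse(href)
        if u.scheme in ("http", "https") and u.hostname and u.hostname != page_host:
            hosts.add(u.hostname)
    return hosts


# Constructed sample data: two versions of each partner page.
BASELINE_HTML = {
    "https://insurance.example.net/": '<a href="https://insurance.example.net/quote">Quote</a>'
                                      '<a href="https://www.example-bank.test/">Back to bank</a>',
    "http://broker.example.com/": '<a href="https://broker.example.com/open">Open account</a>',
    "https://rewards.example.org/": '<a href="https://rewards.example.org/catalog">Catalog</a>',
}
CURRENT_SNAPSHOTS = {
    # Content changed and a link to an unreviewed third party appeared.
    "https://insurance.example.net/": {
        "final_url": "https://insurance.example.net/", "status": 200,
        "html": BASELINE_HTML["https://insurance.example.net/"]
                + '<a href="http://ads.example.org/track">Offer</a>',
    },
    # Unchanged page, but the approved link itself is plain HTTP.
    "http://broker.example.com/": {
        "final_url": "https://broker.example.com/", "status": 200,
        "html": BASELINE_HTML["http://broker.example.com/"],
    },
    # Link no longer functions.
    "https://rewards.example.org/": {
        "final_url": "https://rewards.example.org/", "status": 404,
        "html": BASELINE_HTML["https://rewards.example.org/"],
    },
}
BASELINE = {
    url: {"content_sha256": sha256(html),
          "outbound_hosts": sorted(outbound_hosts(html, urlparse(url).hostname))}
    for url, html in BASELINE_HTML.items()
}


def review_link(url, baseline, current):
    """Return the findings a reviewer should look at for one approved link."""
    findings = []
    approved = urlparse(url)
    if approved.scheme != "https":
        findings.append("link is not served over HTTPS")
    final_host = urlparse(current["final_url"]).hostname
    if final_host != approved.hostname:
        findings.append(f"redirects off the approved host to {final_host}")
    if current["status"] != 200:
        findings.append(f"link returned HTTP {current['status']}")
    if sha256(current["html"]) != baseline["content_sha256"]:
        findings.append("page content changed since last review")
    new_hosts = outbound_hosts(current["html"], approved.hostname) - set(baseline["outbound_hosts"])
    if new_hosts:
        findings.append("new outbound links to: " + ", ".join(sorted(new_hosts)))
    return findings


def review_all(baseline=BASELINE, snapshots=CURRENT_SNAPSHOTS):
    """Map each approved link to its list of findings (empty list = nothing to act on)."""
    return {url: review_link(url, baseline[url], snapshots[url]) for url in baseline}


if __name__ == "__main__":
    for url, findings in review_all().items():
        print(url, "->", findings or "no findings")
```

After each review the baseline would be updated only for changes a responsible person has approved, so that an accepted content change does not keep reappearing while an unreviewed new link to another party still does.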

Compliance Risk
The ability of a national bank to link to other websites is based on the status of a national bank as a "finder." The linking activity must meet the criteria of 12 CFR 7.1002.

In addition, the linking activity must comply with all consumer protection regulations that apply to the bank's own operations. This means that protections conferred by such regulations as Truth in Lending, Electronic Funds Transfers, Equal Credit Opportunity, and Fair Credit Reporting could apply to transactions.

All compensation structures should also comply with appropriate laws, including RESPA's prohibitions against kickbacks in transactions that are federally related mortgages.

Strategic Risk
This risk results from a failure to plan properly for hyperlinks and their actual implementation. Hyperlinks should only be established after careful research and due diligence. The bank should actively select appropriate parties for hyperlinking. These selections should fit into the bank's business strategies and goals, not occur at random.

Finally, the bank should have a contingency plan for each hyperlink and the services offered through the link. The third party may change, fail, or otherwise fall short of the bank's goals and needs. The bank should have a plan for responding to that contingency while protecting its customers' interests.

The bank should protect its interests with contracts. Any arrangement with a third party providing a hyperlink should be based on a written contract that provides for legal responsibilities, liability for failures, remedies, and termination of the arrangement by the bank.

The contract should also specify the range of activity provided in the link. This type of agreement should provide not only that specific services will be provided; it should also specify that services will not be added that have not been reviewed and approved by the bank.

Due Diligence
OCC's bulletin sets out criteria for banks to study in the due diligence phase of selecting third parties for hyperlinks.

The due diligence procedure should include a review of the third party's financials, the nature of products or services offered by the third party, its customer service standards, privacy policies, and security procedures. Compare these to the same policies and practices of the bank and identify any differences.

If the third party's practices differ, it is an invitation to customer confusion. At a minimum, any differences should be disclosed and explained, but the bank should also consider whether the differences should prevent the alliance.

Another important step in due diligence is evaluation of the third party's website. How does it present to consumers? How will consumers see the website?

Disclosures and Disclaimers
Never try to fool the customer. This is the driving principle behind disclosures. In the case of hyperlinks, both the bank's website and the third party's website should enable the consumer to know which site they are on and the nature of the business or service being conducted.

This disclosure concept reflects the concerns behind disclosures for non-insured products offered by the bank. The standard is fairly similar. The customer should be able to clearly understand when they are in a bank's cyber-lobby and when they have left it. The test for the effectiveness of the disclosures is the customer's perception. This bulletin actually makes a plea for plain-English, easy-to-understand disclosures and icons - and asks banks to avoid the unreadable legalese disclosures which may be legally precise but incomprehensible to most consumers. The bulletin discusses the use of "obvious visual clues" and techniques such as icons and logos to make these messages clear.

In addition to disclosing to customers where they are in cyberspace, the bank should include disclaimers about its responsibility for third parties' products. Banks should make clear to customers using these links that the bank does not endorse or guarantee the product, information, or service. In other words, the link is there for customer convenience, but consumers are on their own once they follow it.

ACTION STEPS

  • If you don't have one already, develop a policy governing the bank's presence and activities on the Web. Designate a responsible person and establish clear responsibilities and a schedule for monitoring the web activities.
  • Establish a protocol - in the policy or elsewhere - for development of web relationships. Someone, somewhere, must be in charge of this.
  • Review contracts with third parties for activities and links on the Web. Be sure that the bank has adequate protections in these contracts.
  • Be prepared to deal with change - by the bank and by the linked third party.

Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 8, 8/01

First published on 08/01/2001