Many Bank Websites Not in Compliance

by Andy Zavoina
Guru Bios

Your examiners tell you when they will be in your bank for a Safety and Soundness, IT or Compliance exam, and you present materials to them, which were listed on a request letter. But your Web site is not one of the items they need to request. It is always available to them since you make it available "to the world" on a 24x7 basis. This means it has to be "audit-ready" 24x7.

Most banks are now accustomed to having a Web site and should have all the compliance checks and balances built into the authoring process. But this isn't always the case. As Web sites are reviewed, there are common violations seen. This may be because compliance views these bits and bytes of data as a misunderstood challenge or compliance was bypassed in the process of creating or updating the site. Regardless of the cause, these issues need work. Regulators also publish "recommendations" offered truly as sound practices, which should be followed. If you choose not to follow them, it is not a violation but may indicate a lack of attention to detail or to practice safe computing, depending on the recommendation. Compliance should discuss these variances with the technology group to understand why certain choices are made.

One thing that can be done is audit your Web site as you do other advertisements, forms and procedures. This is an extension of existing regulatory requirements we deal with on a daily basis including Truth in Lending, Truth in Savings, FDIC advertising rules similar requirements brought over from paper, radio and TV to the Internet. To assist you, BankersOnline.com offers various tools specifically designed to review Web sites . These should prove helpful in your auditing endeavors.

Some areas to focus on are those others have erred on. After all, the best part of a mistake is learning from someone else's. In no particular order, let's review first some common violations, and then practices you should encourage for your website.

1. Advertising retention. In large part your Web site is your advertisement for your bank's loan and deposit products. While Regulation Z excludes advertising retention at ?226.25, your examiners anticipate it will be retained and, as a compliance auditor, you do too. By retaining this evidence of compliance you have your track record and know that you have few worries from anyone seeing this differently than it was intended. At least if they make that claim, you'll have a copy of the ad to show it as it really was. Regardless of these rules, Regulation DD does require retention for a two-year period (?230.9(c)). You may retain your Web site content in simple backup (electronic media) files or in hard copy. Hard copy, printed documents will not evidence animated ads, rotating banner type pictures, sound or video clips or pop-up warning windows. Nor will these convey the ease of use built into your site, the number of times a page is scrolled to see the disclosures at the bottom of the page or where various links were actually directed. While there is no prescribed manner, this is another issue to discuss with your IT area to be familiar with what is practical and functional for your site.
   
   
2. Use of a loan rate without the corresponding Annual Percentage Rate. Regulation Z (??226.16(b)(2) & 226.24(b)) requires that periodic rates and the rate of a finance charge, must be disclosed as an "annual percentage rate". Also, if another rate is shown, it may not be more conspicuous than the APR. Some sites provide a description such as "Prime + 3%" which may represent a rate, but it is not a compliant disclosure.
   
   
3. Use of a deposit rate without the corresponding Annual Percentage Yield. Similar to Regulation Z above, Regulation DD (?230.8(b)) requires that if a rate is stated the corresponding APY must be stated too. In the case of the newer Reg. DD, to use the abbreviation "APY" you must use the words "Annual Percentage Yield" in the ad or in this case, on that webpage. And if another rate is stated, it cannot be more conspicuous than the APY.
   
   
4. Member FDIC. Your bank's homepage is an advertisement. Most of the other pages are as well. The FDIC regulation (?328.3) requires most of your bank advertisements to state that the deposits are FDIC insured by stating one of the following methods:
   1. Member of the Federal Deposit Insurance Corporation.
   2. Member of Federal Deposit Insurance Corporation.
   3. Member Federal Deposit Insurance Corporation.
   4. This bank is a Member of the Federal Deposit Insurance Corporation.
   5. This institution is a Member of the Federal Deposit Insurance Corporation
   6. The name of the insured bank followed by the words "is a" may be added before the words "member of the Federal Deposit Insurance Corporation".
   7. The short title "Member of FDIC" or "Member FDIC". (most commonly used).
   8. A reproduction of the "symbol" may be used by insured banks at their option as the official advertising statement. The official advertising statement shall be of such size and print to be clearly legible.

   ?328.3(c) defines exceptions to when this is required. Most of the listed exceptions will not apply to your site, less (c)(12) which says that loan advertisements do not require this. Another area where you definitely do not want this is any advertisement which is for non-deposit investment products. It is simplest to separate these, period. Anything else requires you to demonstrate that anyone looking at that ad is not going to be confused as to what is and is not insured.
   
   

5. Display of the Equal Housing Lender Logo and Legend. The Equal Housing lender logo and legend should be displayed when you are advertising housing related loans. Think of your webpage as a written advertisement. The FDIC, FRB and OTS regulated banks want the Equal Housing Lender logo and legend present. The OTS may require it on all advertisements except those for savings accounts. The OCC doesn't require this, but you are certainly encouraged to use it and it will not hurt.
6. Loan, deposit and lease advertisements and trigger terms. (??226.16(b), 226.24(c), 230.8(c), 213.7(d)) Often a page will have trigger terms, the same as print advertising. When any of these are stated, additional disclosures are required but are not displayed. Do not rely on the fact that the additional disclosures are on another page within your site. Reg. Z does have a "multiple-page" exception under ??226.16 and 226.24 but you must ensure you have met defined requirements to qualify for this.

Best Practices:

1. Weblinking. The OCC released Bulletin 2001.31 (07-03-01) on weblinking and 2003-15 (04-23-03) which was an interagency release also on weblinking. This interagency document describes many of the risks associated with your website. It also discusses the use of "speedbumps" to inform a customer that they are leaving your site. This can be important as privacy policies and information gathering policies may differ on the linked-to site. This can apply even if the sites are owned by affiliates.
2. Bank address. As a courtesy, place your bank's address on the page so that it is conspicuous and the viewer knows which "First National Bank" they are reviewing. You may opt to list all your branches or not, but the main address is important.
3. Advise your customers that email is not secure. Time and again I have seen customers who wanted information,list their name, address, telephone, SSN, mother's maiden name and anything else that would identify them so that they could get the data they wanted as quickly as possible. Tell them how to contact you and what not to put in an email. If you respond to their email and quote the original message, be sure to delete the confidential information so it is not exposed a second time.

Action Plan:

• Review regulatory materials pertaining to Web sites.
• Download the Web site audit workpapers.
• Review your site with emphasis on the above issues.
• Coordinate with your technology group on resolving issues and understanding methods employed on your site to include certain data and disclosures. Also discuss retention methods and test those methods to ensure they work.

The original version appeared in the April/May 2004 edition of the Oklahoma Bankers Association Compliance Informer.

First published on BankersOnline.com 10/11/04