Customer Selected Passwords: Are We Liable?
Answered by:
Question:
Our customers select their own passwords in order to access their confidential information and transact business on our Web site. Do we have any liability if an unauthorized party obtains the password from our customer without our customer's consent? What if a hacker got into our system or our customer's?
Answer:
In short, yes. You have Reg. E responsibilities and liabilities regardless of who chooses passwords to enter your system. With the customer choosing the passwords you are better off than if you did this, for security reasons. If your employees have no access, you have removed that security risk in the event there is an unauthorized withdrawal claim.
As to security of the system itself, you simply cannot do enough. You have to ensure your systems are secure and those of your vendors. Testing should be done and documented. Check your IT exam procedures to determine what in particular should be done and how often. The OCC has combined much of their Net Banking information in one place. http://www.occ.treas.gov/netbank/netbank.htm is a good reference, although it is not exclusive; look around on the Web and you'll find plenty of information on securing sites and transactions.
First published on BankersOnline.com 3/5/01
Copyright, 2001, BankersOnline.com.