SAFEGUARDING CUSTOMER INFORMATION AND INFORMATION SECURITY POLICY
FOR BANNER CAPITAL BANK
The Institution recognizes that an effective online banking authentication system is necessary in order for the Institution to comply with requirements for safeguarding customer information, preventing money laundering and terrorist financing, reducing fraud, inhibiting identity theft, and promoting the legal enforceability of the Institution’s electronic agreements and transactions. It shall be the policy of the Institution to implement authentication methodologies appropriate to the risk posed by the Institution’s Internet and electronic banking systems in accordance with the Federal Financial Institutions Examination Council’s guidance “Authentication in an Internet Banking Environment”, October 12, 2005.
In implementing appropriate authentication methodologies, the Institution will assess the risk posed by its Internet and electronic banking systems in light of the following factors:
- The type of customer (e.g., retail or commercial);
- The customer transactional capabilities (e.g., bill payment, wire transfer, loan origination);
- The sensitivity of customer information being communicated to both the Institution and the customer;
- The ease of using the communication method; and
- The volume of transactions.
The Institution’s authentication program will use controls and authentication tools that are appropriate for all of its Internet-based and electronic banking products and services, maximize interoperability, and are consistent with the Institution’s overall strategy for Internet banking and electronic commerce customer services. The level of authentication in particular applications will be appropriate to the level of risk in those applications. Single-factor authentication will not be used as the only control mechanism for high-risk transactions involving access to customer information or the movement of funds to other parties with respect to which the Institution’s risk assessment indicates that single-factor authentication is inadequate. The Institution will monitor and evaluate its authentication methodologies on an ongoing basis and implement the applicable Audit Procedures in order to review compliance with this policy.
The bank will install, maintain, and manage a security system that can protect the bank’s computer systems, both internal and those provided by outside vendors, from any unauthorized intruders, such as hackers, who may attempt to compromise the system by intercepting data during transmission or by wiretapping. The risks involved in these scenarios will be seriously considered, and appropriate systems such as firewalls and filtering routers will be used whenever practical.
In addition, the bank will have an appropriate level of program management procedures and oversight in place in order to detect and respond to any event that may compromise the security of the service or related systems. This will include daily recording and monthly evaluation of reports and/or other information, either internal or provided by vendors, which can provide monitoring of activities conducted through either the bank’s Internet Banking Services or Web Site. Examples of what may be used for security monitoring and management purposes are as follows:
- Unauthorized users accessing information
- Loss of data integrity
- Lack of transaction completeness
- Inability to transmit transactions
- Ledger of new accounts, closed accounts, or merged accounts
- Daily volume, size of transaction ranges
- Error resolution and complaints log analysis
- Systems maintenance
- Audit and compliance reports