How’s a banker supposed to think about the regulatory expectation that banks educate their customers about online banking’s inherent risk?
The regulators have definite expectations for banks that offer “eBanking” services. These expectations include a specific program to inform customers about the risks of electronic banking, risks of which many customers, particularly small businesses, are unaware. Banks that are lackadaisical about this are taking a pretty big risk. How so? When one of their customers takes a big hit from an account hijacking (think PATCO), the bank may be on the hook for thousands, if not hundreds of thousands, of dollars.
The good news is that a satisfactory education program isn’t expensive, either to prepare or to implement. If you want to talk it over, give me a call at 800-544-8269, or email me with EDUCATOR in the subject line. (Remember, there’s never a charge to do some brainstorming.)
Here’s the FFIEC’s narrative that describes the regulatory expectations of a bank’s educational program for eBanking.
FFIEC’s Guidance on Customer Awareness and Education Program for eBanking
A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:
An explanation of protections provided, and not provided, to account holders relative to electronic funds transfer under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;
An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,
A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information.