Can you imagine how different the Internet would be if there were no hyperlinks from one Web site to another and you had to type in each new Net address you wanted to jump to? It's unthinkable! On the other hand, when you visit a site and it features links to other Web pages, it's natural to assume that the sites being linked to have been checked out, to a certain extent. When the site is your bank's site, and you're including links to external sites, the regulators want you to carefully consider and manage the risks involved.
In OCC 2001-31, OCC becomes the first of the financial institution regulators to offer comprehensive guidance on the subject of weblinking. Previously, OCC had addressed some linking issues in individual opinion letters.
At first glance, it may appear that the Bulletin applies only in a context where a bank engaged in electronic banking wishes to expand its activities to offer various electronic commerce activities to its retail customers through a virtual mall type arrangement. The scope of the guidance is actually much broader, however, and could apply in any context where a bank's Web page contains hyperlinks.
Prior to the latest guidance, OCC had already established:
A national bank may, as part of the finder authority, establish links from the bank's Web site allowing its retail customers to acccess third party, service provider Web sites;
National banks may establish hyperlinks between their homepages and the Internet pages of third party provides so bank customers will be access to access those nonbank Web pages from the bank site, under the finder authority;
National banks may operate a "virtual mall," i.e., a bank-hosted set of Web pages within a collection of links to third party Web sites organized by product type and made available to bank customers for shopping;
Weblinking arrangements between banks and third parties may provide for frees and other compensation to the bank;
Under certain circumstances, banks may select third parties to link to based upon their ability and willingness to provide favorable terms to the bank's Web site customer.
Risks
The Bulletin mentions reputation risk, transaction risk, compliance risk, and strategic risk. The main risk that weblinking poses is reputation risk. If a bank links the customer to a third party that offers shoddy merchandise or poor service or that doesn't fulfill its end of the bargain, customers may seek to hold the bank accountable under an "implied endorsement" theory, or, at the very least, may have negative feelings toward the bank because the bank helped the customer "find" the third party. The privacy policies and practices of the third parties linked to are also a consideration. OCC mentions that if the third party, through security holes or lax privacy standards, allows the release of confidential customer information, customers may blame the bank.
In addition, the bank's reputation could be harmed by the third party Web site's technical and design standards. If the third party's site is inaccessible or poorly designed, the bank customer may not be able to fully access or use the site and that could reflect negatively on the bank. A frustrated customer is not what you want.
Web sites the bank links to may also change over time. What was at one time a squeaky clean online retailer could tomorrow be a purveyor of cyber-porn. Imagine what your customers would think if they clicked on a link on your bank's Web site and ended up in "Hilda's House of Discipline"! Periodically monitor all sites you link to in order to ensure the content is still appropriate.
Transaction risk is also an issue. If the customer clicks over to an online merchant which does not have stringent security standards, the customer could be harmed.
Strategic risk exposure looks like a real stretch to me. The Bulletin talks about bank management failing "to plan adequately for the implementation of hyperlinks on the bank website…" Wisely choosing linking partners is certainly important, but OCC even recommends having a contingency plan to address failures of the third party service to provide agreed upon products and services, failures in the bank's or third party servicers' security controls, and remedies for inappropriate or unwanted Web links.
Compliance Risk
If your bank is establishing Web links to a third party based upon the finder authority in 12 CFR 7.1002, you must make sure your actions are consistent with the limitations of that authority. Links emanating from true joint marketing relationships, however, are not limited by the finder authority.
Consider the impact of the various compliance requirements. For example, RESPA prohibits kickbacks and unearned fees for the referral of a settlement service. If you provide a link to a settlement service provider for RESPA-covered loans and you receive something of value in return that could be considered a kickback or unearned fee, you could be in violation of RESPA.
If the link involves securities transactions, study the applicable federal securities laws and regulations. This is one area that is undergoing change right now with new final rules from the SEC that aren't finding much favor with banks.
Does the link involve sharing of nonpublic customer information between your bank and a third party - either an affiliate, or a nonaffiliated third party? Consider whether the sharing is permissible under the FCRA (if an affiliate) or the GLB privacy statutes and rules (if a nonaffiliated third party). If your bank was required to provide an opt out right, is the link arrangement that involves information sharing constructed in such a way as to allow you to properly enforce a customer's opt out right?
Managing the Risks
To manage the risks:
Your board, or a board designee should effectively plan, implement, and supervise the monitoring of the bank's weblinking arrangement;
Sufficient due diligence should be conduct to minimize the bank's strategic risk and reputation risk;
If you subcontract the weblinking arrangements to a third party (such as the provider of a portal), you must perform due diligence on them, as well as the firms they will link your customers to and the agreement you have with the subcontractor should have appropriate provisions to control risk;
Use appropriate disclosures that are clearly written and prominently displayed and placed on appropriate pages within your Web site so customers are not confused about which entity is providing a product or service;
Monitor your links;
OCC even recommends reviewing the third party's financials and its customer service stands, as well as the privacy and security policies and procedures of the third party Web site;
Check the third party Web site to make sure it doesn't contain offensive content;
If you have a weblinking agreement with third parties, make sure the obligations, liabilities, and recourse arrangements are understandable and enforceable;
Explicitly state that the parties are not forming a partnership or entering into a joint venture;
The agreements should not obligate the bank to engage in activities that are inconsistent with the scope of permissible finder activities or that are otherwise impermissible for the bank to conduct directly;
Review compensation arrangements in light of RESPA and other compliance provisions;
Build in a provision that covers conditions for ending or terminating the link. You want to have the authority and flexibility to terminate the link immediately if necessary to limit your risks;
When you establish passive links with third parties, including reciprocal linking rights, consider whether the links are in the bank's best interest;
Employ appropriate disclaimers and disclosures and conspicuously place them on your Web site. Do not bury them in a Web site user agreement or customer agreement;
Specifically, you should state explicitly and conspicuously that you are not endorsing or guaranteeing the products, information, or recommendations provided by linked sites and that you are not liable for any failure of products or services advertised on those sites. Customers should also be informed that each third party site may have a privacy policy that is different that the bank's and any of the linked third party Web sites may provide less security than the bank Web site.
If your bank's Web site design utilizes "frames" and the linked sites will load inside the frame, the disclosures and disclaimers are especially important. Don't know if your site uses frames? Ask your techie.
If your Web pages display links to bank products and services along with links to nonbank products and services, a mere disclosure may not be sufficient to eliminate customer confusion. You will need to carefully differentiate between the two, perhaps by some visual cue, such as the use of your bank's distinctive logo.
Continue monitoring your hyperlink strategy and its impact on your operations, and get ready for the examiners' scrutiny to be applied to this area!
BankersOnline is a free service made possible by the generous support of our
advertisers and sponsors. Advertisers and sponsors are not responsible for site content. Please help us keep BankersOnline FREE to all
banking professionals. Support our advertisers and sponsors by clicking
through to learn more about their products and services.
Print Friendly!
Email This Article!
Discuss NOW!
