My bank is about to offer online applications for credit cards, deposit accounts, etc? Can you share any info on what I need to know to be in compliance?

CIP/Patriot Act, E-sign (depending on how you're going to offer disclosures), fraud concerns to name a few.

I'm in the middle of researching this also. I can't get past the idea that a customer can submit an application without signing it. Am I missing something? Is it OK to just have a statement that is similar to what the bottom of the application currently states (this information is correct, authorization to pull a credit report etc.)?

Thanks.

I understand why you would want a signed application (prudent that they attest to the accuracy), but a signature is not the only way to do that. Having them mark a box online and click "yes, this is true . . .." serves the same purpose. No regulation requires a signed application. In fact, when Reg B does require a written application, it still doesn't require a signed application. The Commentary to §202.4(c) #1 states:

Model application forms are provided in Appendix B to the regulation, although use of a printed form of any kind is not required. A creditor will satisfy the requirement by writing down the information that it normally considers in making a credit decision. The creditor may complete the application on behalf of an applicant and need not require the applicant to sign the application.

Most of the online platforms will include steps to ensure CIP compliance (and for double checking for ID theft). They will include out of wallet questions based on info obtained from credit reports. Are you trying to put this together in-house (OMG if yes!!) or do you expect to use a product designed for this purpose?

OMG is true even though our website designer is creating the application forms, they do not know much about banking. And I don't know much about on-line application forms!

That is E-Sign. E-Sign doesn't have to be some big 128 bit encrypted signature.

As to having a non-banker develop your online pages, break out a compliance checklist, look for GMI as required, and really, really look at the security of your data. Next you have to look at your infrastructure and how you'll handle the apps that come in. If any of these trigger early disclosures remember that you didn't receive the app when you opened it, you received it when you received it.

You might find my upcoming e-Compliance webinar of interest.

http://calendar.bollearningconnect.com/main.php?view=event&eventid=1170342757393