
Common Website Violations

by Andy Zavoina, CRCM

Websites may be reviewed for compliance at any time. When your regulatory agency wants to complete a typical safety and soundness, information systems or compliance audit, it tells you in advance and sends a request letter that helps you understand what will be reviewed. Because your website is available to the world at large 24/7, it is also available to any regulator at any time. One agency I spoke with indicated 57% of website reviews were done during a safety and soundness exam, 20% were targeted reviews of the website, 6% were done with technology reviews and the remainder were done with compliance exams. So your site should always be compliant and ready for a review.

Banks commonly have websites nowadays. Just as there are common violations in the consumer loan contracts we have been writing for many years, there are now common violations being seen on websites.

Consider your website an extension of your bank, a virtual branch. With that virtual branch comes disclosure and advertising requirements. And just as you audit your real branches and the ads they run, you must do the same here for many of the same regulatory requirements. To assist you, BankersOnline.com offers various tools specifically designed to review websites. These should prove helpful in your auditing endeavors.

The best mistakes are the ones others make, because you can learn from them at no cost. In no particular order, let's review today's common violations, practices you should encourage for your website, and past errors that used to be on this "watch list". We include the "oldies" because the only thing preventing those older citations from appearing again is awareness that they exist.

1) Use of a loan rate without the corresponding Annual Percentage Rate. Regulation Z (§§226.16(b)(2) and 226.24(b)) requires that periodic rates and the rate of a finance charge be disclosed as an "annual percentage rate". If another rate is shown, it may not be more conspicuous than the APR. Some sites quote "Prime + 3%" as a rate the consumer is expected to recognize. While this may represent a rate, it is not a compliant disclosure.

2) Advertising retention. While Regulation Z does not address or require advertising retention (§226.25), your compliance program likely includes it anyway. After all, you review the ads, the marketing department keeps them as an archive, and your examiners want to see your demonstration of compliance when they review your bank. Retaining your website screens, which are generally a large advertisement for your loan and deposit products, is no different. Regulation DD (§230.9(c)) does require retention for a two-year period. There are a number of ways you may want to retain your website. Depending on the complexity, you may keep copies on a zip disk, CD, DVD, tape, a backup hard drive or hard copy. Hard copy, printed documents, will not evidence animated ads, rotating banner pictures, sound or video clips or pop-up warning windows. While printouts may convey the look of your site, they will not do justice to the "feel" or navigability, the number of times a viewer must scroll to reach the disclosures at the bottom, or where various links were actually directed. While there is no prescribed retention method, this is an issue you should discuss with your IT area if you have not already. You should also be familiar with what is practical and functional for your site, as content is often "called" from other parts of the website.

3) Member FDIC. Your bank's homepage and most of its other pages are advertisements. The FDIC regulation (§328.3) requires most bank advertisements to state that deposits are FDIC insured by using one of the following:

  • Member of the Federal Deposit Insurance Corporation.
  • Member of Federal Deposit Insurance Corporation.
  • Member Federal Deposit Insurance Corporation.
  • This bank is a Member of the Federal Deposit Insurance Corporation.
  • This institution is a Member of the Federal Deposit Insurance Corporation.
  • (The name of the insured bank) is a member of the Federal Deposit Insurance Corporation.
  • The most commonly used "Member of FDIC" or "Member FDIC".
  • The FDIC "symbol" may also be used within certain guidelines.

The regulation does define exceptions as to when this is not required (§328.3(c)). Most of the listed exceptions will not apply to your site, except for §328.3(c)(12), which exempts loan advertisements. Another place where you definitely do not want this statement is any advertisement or information pertaining to non-deposit investment products. It is simplest to separate these, period. Anything else requires you to demonstrate that anyone looking at that ad is not going to be confused as to what is and is not insured.

4) Display of the Equal Housing Lender Logo and Legend. The Equal Housing Lender logo and legend should be displayed when you are advertising housing-related loans. (OTS-regulated banks may disclose this on all pages.) For these purposes, think of your web page as a written advertisement. The FDIC, FRB and OTS want the Equal Housing Lender logo and legend present on the sites of the banks they regulate. The OCC doesn't require this because it referenced a HUD citation for its requirement to display this; HUD removed that citation in a regulatory update and the OCC has not replaced it. There is no harm in, and no reason against, OCC-regulated banks using it as well. In fact, including it is simply a good idea.

5) Loan, deposit and lease advertisements and trigger terms. (§§226.16(b), 226.24(c), 230.8(c), 213.7(d)) Web pages often contain "triggering terms", the same as print advertising does. When any of these are stated, just as in traditional print ads, additional disclosures are required, but they are not always displayed as they should be. Do not rely on the fact that the additional disclosures are on another page within your site. Reg. Z does have a "multiple-page" exception under §§226.16 and 226.24, but you must ensure you have met the defined requirements to qualify for it.

6) Use of a deposit rate without the corresponding Annual Percentage Yield. Similar to Regulation Z above, Regulation DD requires that if a rate is stated, the corresponding APY must be stated too (§230.8(b)). Regulation DD allows the use of the abbreviation "APY", but you must also use the words "Annual Percentage Yield" in the ad, or in this case, on that web page. As with Regulation Z, if another rate is stated, it cannot be more conspicuous than the APY.

Best Practices
1) Provide Road Signs for Web linking. The OCC issued bulletin 2003-15 (04-23-03) as an interagency release on web linking. This document describes many of the risks associated with your website, in addition to web linking. In this context it discusses the use of "speedbumps" to inform a customer that they are leaving your site. This can be important as privacy policies and information gathering policies may differ on the linked-to site. This can apply even if the sites are owned by affiliates.
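As an added illustration (not from the article or any OCC material), the following JavaScript shows one way a bank site could implement the speed bump: it classifies each link as internal or external against an assumed bank host and attaches a leaving-the-site notice to the external ones, treating affiliate domains as external. The host name and notice text are constructed placeholders.

```javascript
// Added example, not from the article. Assumption: the bank's own host is
// firstnationalbank.example (constructed); that host and its subdomains are
// internal, and every other http(s) destination, affiliates included, is
// external and gets the "you are leaving our website" speed bump.

const BANK_HOST = 'firstnationalbank.example'; // constructed placeholder host
const SPEED_BUMP_TEXT =
  'You are leaving our website. The site you are about to visit may have ' +
  'different privacy and information-collection practices. Continue?';

// Returns true when the href navigates off the bank's own domain.
function needsSpeedBump(href, pageUrl = `https://${BANK_HOST}/`) {
  let url;
  try {
    url = new URL(href, pageUrl); // resolves relative and protocol-relative links
  } catch (e) {
    return false; // unparseable href: nothing to navigate to
  }
  // Only web navigations leave the site; mailto:, tel:, javascript: do not.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  // The leading dot prevents "notfirstnationalbank.example" from matching.
  const internal = host === BANK_HOST || host.endsWith('.' + BANK_HOST);
  return !internal;
}

// Wire the notice onto every external anchor in the document (browser only).
// Returns the number of links that received a speed bump.
function attachSpeedBumps(doc) {
  let count = 0;
  for (const a of doc.querySelectorAll('a[href]')) {
    if (!needsSpeedBump(a.getAttribute('href'), doc.location.href)) continue;
    a.setAttribute('rel', 'noopener noreferrer'); // don't hand the linked site our opener or referrer
    a.addEventListener('click', (ev) => {
      if (!doc.defaultView.confirm(SPEED_BUMP_TEXT)) ev.preventDefault();
    });
    count++;
  }
  return count;
}

if (typeof document !== 'undefined') attachSpeedBumps(document);
```

In a real deployment the `confirm()` dialog would normally be replaced by a styled interstitial page, but the link classification is the part that decides what the customer is warned about.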

2) Advise your customers that email is not secure. Time and again I have seen customers who wanted information list their name, address, telephone, SSN, mother's maiden name and anything else that would identify them so that they could get the data they wanted as quickly as possible. Tell them how to contact you and what not to put in an email. If you respond to their email and quote the original message, be sure to delete the confidential information so it isn't exposed a second time.

3) Make your bank address easy to find. As a courtesy, place your bank's address on the page so that it is conspicuous and the viewer knows which "First National Bank" they are reviewing. You may opt to list all your branches or not, but the main address is important.

Older Issues Still Requiring Attention
1) Design your website so that disclosures that must be made at the time of application for credit cards, HELOCs and ARM loans are provided on your website following the same timing rules. (§§226.5a, 226.5b)

2) If you advertise rates on your site, you must have a system to maintain current rates. Failure to update advertised rates can cause the appearance of "bait and switch" tactics. (§§226.16, 226.24, 213.7)

3) Government monitoring information collection is especially difficult. Test your website to see that monitoring data is captured correctly: not collected when it is not needed, and collected when it is needed. (§§202.13, 203.4)

4) Failure to disclose the alimony notice on applications. (§202.5(d)(2))

ACTION STEPS

  • Review regulatory materials pertaining to websites.
  • Download the website audit workpapers.
  • Review your site with emphasis on the above issues.
  • Coordinate with your technology group on resolving issues and understanding methods employed on your site to include certain data and disclosures. Also discuss retention methods and test those methods to ensure they work.

Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 5, 3/04

First published on 03/01/2004
