By now, most national banks and others with agressive websites have read OCC Bulletin 2001-31. (See http://www.occ.treas.gov/ftp/bulletin/2001%2D31.txt)

It's great advice, but speaks in sweeping generalities. Experience has taught that the "devil's in the details", so the real meaning and impact of 2001-31 will come slowly, as banks apply it to their unique situation.

I'm interested in everyone's assessment of 2001-31's scope and impact, and any exam experience to date. Specifically:

1. What activities are covered? (portals, virtual malls and banner ads for sure, but what else?)

2. How much due diligence on the third parties is "sufficient", and has anyone developed a checklist?

3. What needs to be included in (or excluded from) formal agreements with third parties? (and which "third parties" should be covered by agreements?)

4. What types of consumer disclosures and disclaimers are appropriate? We've witnessed the futility of over-disclosure many times (as recently as this year's Privacy implementation), but what, when, where & how do you disclose to ACTUALLY prevent consumer confusion?

5. What's the early experience with exams--are NBs being reviewed under 2001-31?

[This message has been edited by Richard Insley (edited 08-19-2001).]

Richard

We are carrying out this audit for a number of institutions. We have found the most difficult problem to be the links which lead on from links.

We are making sure that all liknks from our clients sites have to be signed through, ie: the user has to actually acknowledge that they know they are moving from our website to that of another unrelated body and that niether our encryption nor our control is guaranteed in the new area.

Due diligence means what any reasonable person might expect so we are checking civil filings at Federal and County level, making sure we know -and have documented who the owners/directors/officers of the third parties are, checking for adverse press coverage and/or proffesional stricture (where appropriate). We have, on accaision, checked companies previously owned by current owners where adverse press coverage for another business has been identified. This is a BIG job and needs resource to get it right. You may want to consider outsourcing all or part of it. We can handle all or if you just want to outsource Due Diligence we have found Commercial Business Systems -we have used them on a number of occaisions - efficient.

The agreements need to cover making sure that customers are not mislead into thinking they are looking at the same site, posting an adequate privacy policy that discloses all the ways in which information gleaned from your customers can or cannot be used.

Precluding the knowledge that, from the link to the new site, this is, or maybe, one of your cusomers, preclude the building of lists identifying this as a customer or probable customer of XBank and the sale of that knowledge.

Total Compliance 805-642-6250 Matthew Read.

Commercial Business Intelligence 888-740-0747 Mike Adams.