Skip to content
BOL Conferences
Page 3 of 3 1 2 3
Thread Options
#13937 - 05/14/03 02:51 PM Re: ESIGN or UETA?
Richard Insley Offline
10K Club
Richard Insley
Joined: Oct 2000
Posts: 10,178
Toano, VA
I don't necessarily agree that previously demonstrated capability satisfies the ESIGN requirement that the customer must "consent electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent."

"Consent" is used exclusively in the present tense. What manner of consent do you use? How does this act demonstrate success with the medium? Do you test both the statement delivery system and also the "alert message" that must be sent by ordinary email?
_________________________
...gone fishing.

Return to Top
eBanking / Technology
#13938 - 05/14/03 05:33 PM Re: ESIGN or UETA?
Lawrence T. Levine Offline
Junior Member
Lawrence T. Levine
Joined: May 2003
Posts: 37
Troy, VA
Regarding the encryption side of things -

I would think that the normal 128bit SSL encryption (DO NOT ALLOW users to use 40bit!) used in the web session for download would be enough. I think sending an actual document (rather than just getting people to a 128bit SSL website) would be a mistake on several fronts.

Also - as a matter of principle and because I always feel like ranting - there are MANY good companies that will sell you SSL certificates. I personally like Thawte but there are a bunch of good ones. If you decide to use Verisign's I'd be very carefull about knowing what you are buying and what you need. For example on their website they charge a $400-500 price difference for a 40bit vs 128bit cert. In reality if you dig deep enough you learn that for domestic purposes the cheaper one does do 128bit. I'd disable 40bit on any servers as a matter principle (since it's compromised). Which leads me to some usefull advice at the end of the rant - Just because something is 'encrypted' doesn't mean that it's encrypted well. There could be ramification to using 'weak' cryptography - that's why the ATM networks are being upgraded... ok... I'm rambling.. back to work!
_________________________
Lawrence T. Levine Managing Director SecurePipe, Inc. Direct: 4342932454 www.SecurePipe.com

Return to Top
#13939 - 05/14/03 06:19 PM Re: ESIGN or UETA?
Lawrence T. Levine Offline
Junior Member
Lawrence T. Levine
Joined: May 2003
Posts: 37
Troy, VA
Ok.. so I'm not done!

Regarding the delivery side of things.

1) Use a web based delivery with email notification. I don't believe consumers or banks are served well by using email attachments. The cryptographic side of things is historically weak and it adds complexity.
2) Be very carefull about the look and feel of the email. A large bank (with ~10% of the US depository - go figure that one out) got hit by criminals who emailed their customers with something that looked like email from them... It's incredibly easy to send email that is from someone other than the apparent sender. The email pushed them to a website that 'looked' like the bank. The users then logged in and were 'pushed' to the 'real' bank site. With their login information captured in the process.

Dangerous stuff...

I'd be very carefull about keeping emails you send them uncluttered and clear as to their origination and where you are linking them to. A link to www.yourbank.com is much less likely to be easily confused than a link to http://www.notreallyyourbank.com/blah/blah/yourbank/%blah/%blah/%%%Imtryingtohackyou.html
see what I mean.

On the same note - the same institution I referenced above sent out emails of a marketing nature but used a 3rd party. The emails went out from: Bank Name <BankName#1.8722.92873456173829.1@email.bankname1.com>

Not very clear is it? This is BAD FORM. Not only was it very unclear as to who the email was really from, but the domain name wasn't even that of the banks. In short - the bank didn't learn the lessons of the activity that took place earlier in the year. They were (are) TEACHING their customers not to pay attention.
_________________________
Lawrence T. Levine Managing Director SecurePipe, Inc. Direct: 4342932454 www.SecurePipe.com

Return to Top
#13940 - 05/14/03 07:51 PM Re: ESIGN or UETA?
etm614 Offline
Platinum Poster
etm614
Joined: Jan 2003
Posts: 695
Massachusetts
Okay - I have a dumb question. How would I know if my state adopted a "conforming" UETA?

Return to Top
#13941 - 05/14/03 07:56 PM Re: ESIGN or UETA?
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
Call one of your state banking associations. They should know if you don't find the answer here.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top
#13942 - 05/15/03 04:05 PM Re: ESIGN or UETA?
Angel Eyes Offline
Power Poster
Angel Eyes
Joined: May 2001
Posts: 4,599
Our E-Stmts are going to be a part of our Internet Banking. We will not but pushing encrypted statements but rather sending a link to our log in screen letting them know that the statement is available for them to view.

I understand that we will have to have some sort of e-mail regarding disclosures and consent. My main point of concern is ensuring that they have demonstrated that they can use the system. It seems that the OCC feels that requiring them to change their password demonstrates their ability to use the system. However, I must say that I am not confident that changing a password six months ago demonstrates the ability to use the system. Just wanted to see what other thoughts were out there.

Thanks for the input!

Return to Top
#13943 - 05/15/03 05:56 PM Re: ESIGN or UETA?
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
If they will download the statement, I would see that as a separate act than just entering the system and changing a password.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top
#13944 - 05/15/03 06:56 PM Re: ESIGN or UETA?
Richard Insley Offline
10K Club
Richard Insley
Joined: Oct 2000
Posts: 10,178
Toano, VA
You need to get "affirmative consent" PRIOR to making the switch to e-delivery, and the consent must be given in a manner that demonstrates success with the medium to be used for e-delivery. Changing a password 6 months ago might be acceptable, but if you guess wrong and a court or OCC later concludes that you have not done enough, then your permission to substitute electrons for paper vaporizes, retroactively. Do you want to run the risk that you will be liable for months of "failure to provide disclosures" violations? Imagine the penalties under Regs. Z or E--not to mention the reopened error resolution time window!
_________________________
...gone fishing.

Return to Top
#13945 - 05/16/03 02:42 PM Re: ESIGN or UETA?
Angel Eyes Offline
Power Poster
Angel Eyes
Joined: May 2001
Posts: 4,599
Thanks for the help! I appreciate all the guidance

Return to Top
Page 3 of 3 1 2 3

Moderator:  Andy_Z