Has anyone heard anything about the regulators requiring CRA statement banks' websites??

Do you mean posting your Public File on your Web site? No. I haven't heard that it was a best practice and it isn't a requirement.

There may be some variances for Web only banks.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

According to my co-worker, this came from Jimmie Loyless regional director of the FDIC in Atlanta. Mr. Loyless is to be present for a regulators roundtable discussion in Birmingham this week and I plan to question him.

The Federal Reserve has a simulated website for banks to use as training and I don't see anything pertaining to CRA on it.

The CRA regulation has not been cyberized, so any recommendation to post your CRA statement or public file online is just that--a recommendation. Is it possible that Jimmie's comment was simply a reminder that an electronic copy of your CRA exam report is posted on FDIC's website?

As Richard and Andy have stated, there is no requirement for CRA with relation to your website as of now. I just called Jimmy Loyless and he agrees. The only thing he says he remembers saying about websites is that your PRIVACY notice must be posted on your website, but nothing about your CRA notice or public file. Perhaps your co-worker got something mixed up. Jimmy did say if you or your co-worker wanted to call him, he would be glad to discuss further with you. The number for FDIC in Atlanta is (404) 817-1300.

I will say this - the CRA regulations are up for review by the agencies in 2002. I would expect to see some issues addressed then about what needs to be posted on a bank's website. I would not be surprised to see a recommendation that at least the CRA notice become a requirement, if not the public file itself.

------------------
Jim Bedsole, CRCM, CBA, CFSA

Opinions expressed are my own, and do not necessarily reflect those of my employer.

Interesting, Jim. How do you arrive at a "requirement" that the privacy policy be on the website? I know I can use EC to deliver my Reg P disclosures, but didn't think Reg P requires me to do so.

I didn't arrive at "requirement" - Jimmy Loyless did. I'm not sure about that one either - maybe just a best practice thing.

------------------
Jim Bedsole, CRCM, CBA, CFSA

Opinions expressed are my own, and do not necessarily reflect those of my employer.

Although I plan on having my Web version of our Privacy policy up, I hope examiners are not out there believing it is a requirement.

One could argue that if you are opening accounts (loans or deposits) on the Web you are establishing a relationship at that time, and depending on how you do this a Privacy notice may be required then. But if your site is advertising this shouldn't be "required" as no relationship is being formed as a result of that.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

This is a perfect example of how compliance requirements get invented. Using the website sounds like such a good idea -- reasonable even -- that sooner or later examiners will come to expect it. The moral is tread carefully here.

Also, the CRA review opens the door to cyber requirements, since the assessment area in cyberspace is going to be one of the issues under discussion.

Here is the answer-----I talked with Jimmy Loyless last week. He told me that he mistakenly said CRA when he meant Privacy Policy. At least that is cleared up.

I'd still like to know where it says a bank MUST post its privacy policy on the website. Although Jimmy's opinions always demand respect, he can't make up new regs. Are examiners stating that banks must post their privacy policies?

Here's my best guess at where all of this is coming from. In FIL-86-98 (8/17/98) the FDIC published a document called "Online Privacy of Consumer Personal Information". In this document, FDIC supports efforts at industry self-regulation, including adoption of U.S. Banking Privacy Principles which included disclosure of privacy practices on an institution's website. In the document the FDIC states "In particular, financial institutions should provide meaningful disclosures of privacy policies and information practices, and effectively enforce those policies and practices." This statement was made in relation to online privacy disclosure. Although not rising to the level of a regulatory violation, I would think the FDIC is probably training its examiners to be critical of institutions that fail to include meaningful privacy disclosures on their websites. If financial institutions continue to fail to rise to this level of self-regulation, we will see regulatory requirements to include notices on our websites.

------------------
Jim Bedsole, CRCM, CBA, CFSA

Opinions expressed are my own, and do not necessarily reflect those of my employer.

I understand that there is no requirement to post our privacy policy on the website but isn't everyone doing it anyway?

You are required to provide a privacy notice no later than when you establish a customer relationship. "P" says, "You establish a customer relationship when you and the consumer enter into a continuing relationship." Is that when you make other disclosures such as on your Web site, when you describe your products on your Web site, when you accept an application over your Web site, when you send documents for traditional signatures or when you accept e-sign and actually open new accounts (and relationships) over the Net.

I believe a case can be made that while privacy notices are not required on the Web, they may be depending on what you do on the Web.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

While a Privacy Notice would not be required on a website unless you were opening accounts on line, it is still a recommended practice for two reasons:

1. It makes your Privacy Policy readily available to anyone who would like to read it.

2. Most Net-Consumers are getting savy and proactively LOOK for the Privacy Notice on a web site where they might want to conduct business. Not having the Notice could give people pause to even consider your bank.

Just IMHO.

[This message has been edited by Bonnie M (edited 06-12-2001).]

I certainly agree with Bonnie. It costs very little to put it there and it will certainly cost more to have someone call, ask and for it and for you to mail them one.

I also like being able to add to the Net version so that non-techies are not confused with discussions of cookies and some of those things generally added specifically for the Web.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

I don't disagree with the desirability of posting your privacy policy--I just hate to watch bankers roll over and play dead whenever a bank examiner decides to make up a new rule. Jim has probably nailed the source of these recommendations--FIL-86-98. If FDIC issued it to support efforts at industry self-regulation, it should be willing to withdraw this indorsement of a "best practice" rule on 7/1 when self-regulation hits the trash heap of good intentions.

One has to wonder why the agencies did not include in the GLB privacy regulation any clause about providing a copy of the privacy notice on any website operated by the institution. I didn't go back and look at the preamble information for this - does anyone remember whether their reasoning for omitting this was explained?

------------------
Jim Bedsole, CRCM, CBA, CFSA

Opinions expressed are my own, and do not necessarily reflect those of my employer.