Answer by Andy Zavoina: I've seen no rule for this. It comes down to your appetite for risk and what is acceptable. Personally if the business has the authority to add and delete users, that is a weakness to me because any hacker can more easily take over the account. I would want the bank to do it. If it is a problem due to the frequency of "CIP-like" verifications and administrative duties, impose a fee for each change or each change over X. And emphasize to the customer that logon credentials are not to be shared. You don't charge a fee to charge a fee, you want to maintain the integrity of the security procedures. Access online should be very limited.
Answer by Sonja Kriegsmann:I've seen it done successfully both ways. If the business appoints an administrator to maintain online banking access, etc., your agreement should shift more responsibility and liability to the business. A sound agreement is not a substitute, however, for customer education and a good monitoring program.
First published on BankersOnline.com 4/15/13.