As a financial institution, you’re no stranger to the federal laws and regulations you must follow to remain in compliance. Those obligations extend to how you host and design your bank or credit union website.
This is the first of a two-part series covering what you need to address to ensure your website satisfies federal examiners. In this blog, we’ll focus on data privacy and security and how your web hosting service can help your website meet regulatory standards.
- Customer Identification and Data Privacy
- Your Information Security Program
- Web Hosting Provider Checklist
- Final Words
In a CSI survey to determine banking priorities, four out of five bankers declared data privacy as the most important regulatory issue for 2020. Of highest concern are amendments to the Gramm-Leach-Bliley Act of 1999 (GLBA).
The GLBA holds a financial institution accountable for informing customers of its policies for protecting and sharing their personal information. In 2019, the Federal Trade Commission proposed changes to the Safeguards and Privacy Rules of the GLBA to reflect current marketing practices and technology.
Under the updated Safeguards Rule, a financial institution must encrypt all customer data, enforce controls to prevent unauthorized access to customer information, and require multifactor authentication for access to that data. The amendment to the Privacy Rule would allow customers to opt out of having their information shared with your institution’s third-party partners or vendors.
Because of the level of privacy and security requirements of financial institutions, you need a web hosting service with expertise and experience working with banks and credit unions.
The Federal Financial Institutions Examination Council (FFIEC) suggests that financial institutions develop an information security program to address data integrity and the protection of customer information. Your institution’s directors and senior management team oversee the program, but your web hosting provider can help safeguard your website so that it meets the program’s guidelines.
Your program should include the following security controls:
- Ongoing knowledge of recent cyberattacks and sources
- An up-to-date inventory of equipment and network schema
- Ability to access and control your network offsite
- Removal or deletion of vulnerable services or files
- Installation of intrusion detection tools and development of a response plan
- Physical security of all e-banking computer equipment and media
- Standard security guidelines and usage policies for employees with access to the e-banking system
- Customer notification processes for security breaches that may affect their confidential information
- Regular monitoring and testing of your security program
You’ll develop internal procedures for your employees to follow, but your web hosting service can protect your website and system from other cybersecurity risks. For example, daily scanning for malware, viruses, SQL injection, or cross-site attacks helps catch compromises before cyberthieves can steal customer information and data. Your host should also install an SSL/TLS certificate and serve the site over HTTPS (hypertext transfer protocol secure), so that traffic between your customers’ browsers and your website is encrypted, adding a further layer of protection.
Should your website become compromised, your web hosting provider should be able to restore it with a backup so that your customers can remain confident that their information remains secure.
The Office of the Comptroller of the Currency (OCC) requires financial institutions to practice proper risk management when conducting business through information technology providers. This includes your web hosting service.
Once you find a web hosting service you trust, you need to agree to expected duties and responsibilities. For regulatory purposes, a written contract should specify these expectations.
Your web hosting contract should include the following FFIEC recommendations:
- Restrictions on using private customer information collected or stored on the web host
- Appropriate controls for safeguarding customer data
- Expected standards for website uptime and performance and customer service response time to remedy issues
- Response plan for website outages and security breaches
- Contingency plan for backup servers and emergency operating procedures
- Reports on, and access to, vulnerability assessments and financial and operational audits
Be sure to read the fine print when you sign the contract with your web hosting provider to confirm that your website will satisfy federal examiners.
Annual compliance examinations can be stressful, and you don’t want to overlook your website. Hosting your website with a company that is familiar with the regulations and laws banks and credit unions must follow will take some of the burden off you.
BankSITE® Services has been working with community banks and credit unions for more than two decades. We understand the importance of compliance and have established web hosting standards to deliver the privacy and security guidelines you need to meet. Don’t trust just any web hosting provider if you want to make sure your website meets regulatory compliance.