Bank Websites Revisited, Part II
by Scott H. Kimpel
Akin, Gump, Strauss, Hauer & Feld, L.L.P.
Dallas, Texas
This continues an article which began last week.
Security Issues
Effective July 1, 2001, the federal bank regulators adopted joint guidelines for safeguarding customer information. These guidelines establish standards relating to administrative, technical and physical safeguards for customer records and information. They are intended to ensure the security and confidentiality of customer records and information, protect against anticipated threats to the security of these records, and protect against unauthorized access to or use of information. The guidelines are by no means the only source of law in this area, but do present a threshold compliance standard.
The guidelines require financial institutions to establish an information security program to: (1) assess the risks that may threaten customer information; (2) develop a written plan containing policies and procedures to manage these risks; (3) implement and test the plan; and (4) adjust the plan on an ongoing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to security. Each institution may implement a security program appropriate to its size and the nature of its operations. The guidelines also outline specific security measures that institutions should consider in implementing a security program. A financial institution must adopt those security measures it determines to be appropriate. The guidelines will clearly come into play in the design of a bank website, particularly one that allows consumers to access accounts or supply other sensitive information. The guidelines, for example, require financial institutions to oversee their web designers and other service providers in order to protect the security of customer information. Each institution must exercise diligence in selecting its service providers and require them to implement security measures that safeguard customer information. Where indicated by an institution's risk assessment, the institution must also monitor its service providers by reviewing audits and summaries of test results to confirm that service providers have satisfied their contractual obligations to the institution.
Regulatory Disclosures
Like any other medium involving bank advertising, a bank website is required to contain appropriate regulatory disclosures. The Truth in Savings disclosure, FDIC membership statement and equal housing lender logotype and legend are just a few that come to mind. The disclosures must be clear and conspicuous on every web page where a product is advertised; a simple statement on the home page is not sufficient. Banks that offer other financial products (such as stocks, bonds, mutual funds, annuities or insurance products) through their websites should also include the disclosure required by the Interagency Statement on Retail Sales of Nondeposit Investment Products. This Interagency Statement requires a disclaimer that the nondeposit financial products are not insured by the FDIC, not obligations of the bank, subject to risks, and may lose value.
Securities Law Considerations
The state and federal securities laws impose additional restraints on the type of information appearing on a bank website. During periods when privately-held banks are seeking capital from outside investors, avoid placing a general solicitation for funds on the website as this kind of advertisement may impair the bank's ability to rely on private placement exemptions. Publicly-held banks and bank holding companies are subject to additional considerations and websites should be scrutinized during periods in which securities are being sold to the public so as to avoid inferences of illegal gun-jumping. Websites of public banks and holding companies must also navigate the requirements of the SEC's Regulation FD on fair disclosure to investors, and links to or descriptions of analyst information may run a heightened risk of liability. On a positive note, economic projections and estimates of future performance on a website are generally not actionable if they are accompanied by specific cautionary language describing risks to investors and an appropriately crafted and properly placed forward-looking statements disclaimer, which can be a powerful defense against shareholder lawsuits not only for public banks and holding companies but private ones too.
Privacy Policies
Gramm-Leach-Bliley has drawn significant attention to privacy policies, and financial institutions have recently completed a mammoth effort on preparing these policies and circulating them to customers. Consumers continue to express their uneasiness over the use of their personal information, and a bank website is an excellent place for consumers to learn more about their bank's privacy policies, including the terms under which information is shared with third parties and procedures for opting out of this sharing. As with other kinds of consumer information, links to the bank privacy policy should be available on all pages of the website, not just the home page.
Use of Third Party Intellectual Property
In designing flashy web pages, web designers liberally add logos and other marks of a bank's customers and business partners. Many of these logos are covered by trademarks held by third parties or are subject to other intellectual property protections. Before using a third party's insignia, the bank should be sure that it has permission to do so, either by a license or some other kind of written agreement.
Additional Considerations
There are a host of additional legal considerations in establishing a website that effectively complies with all applicable laws. Even innocuous features, such as links to third party sites or the invitation to submit customer requests by e-mail, for example, can raise potential problems. Remember that although the Internet can be an effective marketing tool, it can also be the source of significant civil and regulatory liability for banks and thrifts. On July 20, 2001, the OCC released a notice of proposed rulemaking concerning electronic banking, which included a requirement that co-branded websites take reasonable steps to enable customers to distinguish between products and services offered by the bank and those offered by the third party. Bank websites are clearly a source of high regulatory scrutiny.
Conclusion
Proper use of a bank website involves common sense, not rocket science. The Internet is like any other medium of communication, and well-established regulatory standards continue to apply. Engage a compliance officer or counsel actively during the web design process, not as an afterthought. All that is required to maximize the effectiveness of a website for consumer and investor relations, without incurring heightened litigation or regulatory exposure, is an awareness of its unique characteristics and a sensitivity to well-established legal principles.