[Federal Register Volume 63, Number 229 (Monday, November 30, 1998)]
[Rules and Regulations]
[Pages 65673-65683]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-31746]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 545, 555, and 559
[No. 98-119]
RIN 1550-AB00
Electronic Operations
AGENCY: Office of Thrift Supervision, Treasury.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Office of Thrift Supervision (OTS) is issuing a final rule
that streamlines and updates its regulations relating to electronic
operations. Under this rule, Federal savings associations may engage in
prudent innovation through the use of emerging technology. The rule
permits Federal savings associations to use, or participate with others
to use, electronic means or facilities to perform any function, or
provide any product or service, as part of an authorized activity. The
rule also requires each savings association (state- or federally-
chartered) to notify OTS 30 days before it establishes a transactional
web site. Savings associations that present supervisory or compliance
concerns may be subject to additional procedural requirements. Finally,
the rule includes a conforming change to OTS's service corporation
regulation, reflecting a recent statutory change.
EFFECTIVE DATE: January 1, 1999.
FOR FURTHER INFORMATION CONTACT: Richard Bennett, Counsel (Banking and
Finance), (202) 906-7409; Karen A. Osterloh, Assistant Chief Counsel,
(202) 906-6639; Paul D. Glenn, Special Counsel, Chief Counsel's Office,
(202) 906-6203; Paul J. Robin, Program Analyst, Compliance Policy,
(202) 906-6648; or Paul R. Reymann, Senior Policy Analyst, Supervision
Policy, (202) 906-5645, Office of Thrift Supervision, 1700 G Street
NW., Washington, DC 20552.
SUPPLEMENTARY INFORMATION:
I. Background
A. Advance Notice of Proposed Rulemaking
On April 2, 1997, OTS published an advance notice of proposed
rulemaking (ANPR) seeking comment on all aspects of banking affected by
electronic operations.1 The ANPR was designed to elicit
information to enhance OTS's understanding of new electronic banking
technologies and the impact of these technologies on the regulation of
Federal savings associations.2 The ANPR asked a series of
questions concerning the types of restrictions or requirements OTS
should impose on electronic operations, including Internet banking.
---------------------------------------------------------------------------
\1\ 62 FR 15626 (April 2, 1997).
\2\ See 62 FR at 15631 and 15633.
---------------------------------------------------------------------------
B. Notice of Proposed Rulemaking
Based on the comments received on the ANPR, on October 3, 1997, OTS
published a notice of proposed rulemaking (NPR) to streamline and
update its regulations relating to electronic operations.3
The NPR proposed to amend OTS's electronic-related regulations to
address advances in technology and to permit prudent innovation through
the use of emerging technology by Federal savings associations. In
crafting the proposed rule, OTS was guided by two broad principles
suggested by commenters on the ANPR:
---------------------------------------------------------------------------
\3\ 62 FR 51817 (October 3, 1997). The NPR contains a summary of
the comments received on the ANPR.
---------------------------------------------------------------------------
The public and insured depository institutions will be
best served if statutory and regulatory restrictions are kept to a
minimum. The premature imposition of restrictive operational standards
could impede the development of improved financial services.
Federal savings associations should be permitted to
compete effectively with other regulated financial institutions and
unregulated firms offering financial and related services.
Consistent with these principles, OTS proposed a broad enabling
regulation designed to allow Federal savings associations to engage in
any activity through electronic means that they may conduct through
more traditional delivery mechanisms. OTS proposed to eliminate three
existing regulations: Sec. 545.138 (Data-Processing Services),
Sec. 545.141 (Remote Services Units), and Sec. 545.142 (Home Banking
Services). The elimination of these sections would not take away the
authority to engage in any activities described in these sections.
OTS made the proposal to enhance the ability of Federal savings
associations to serve as financial intermediaries and to permit Federal
savings associations to utilize fully their capacities and by-products
generated in providing financial services. The proposal was consistent
with the principles established in the Administration's electronic
commerce policy statement.4 The NPR noted, however, that OTS
would continue to gain additional experience with electronic technology
and might issue more specific guidance regulating particular elements
of electronic operations.5
---------------------------------------------------------------------------
\4\ See ``Framework for Global Electronic Commerce'' (July 1,
1997).
\5\ 62 FR at 51820.
---------------------------------------------------------------------------
C. Comments on NPR--General Discussion
The comment period on the NPR closed on December 2, 1997. OTS
received nine comment letters on the NPR from five Federal savings
associations, two trade associations, and two technology firms.
All of the commenters recognized the need for the agency to revise
or remove its existing regulations in this area. Seven commenters
supported the proposal's overall flexible regulatory approach, while
suggesting modifications or clarifications to particular aspects of the
rule. Two commenters argued that for even greater flexibility the
agency should not issue any new electronic banking regulations. These
two commenters suggested the agency rely entirely on flexible
guidelines and advisories as technology evolves. OTS has addressed
specific comments on the NPR below.
D. Supplemental Notice of Proposed Rulemaking
One commenter on the NPR argued that OTS should establish a
procedure to review and approve new products or services, in order to
protect the safety and soundness of the industry. Another urged OTS not
to require a Federal savings association to obtain OTS's prior approval
before adopting new technologies ``unless absolutely necessary to
ensure industry-wide safety and soundness.'' After considering these
comments, OTS concluded that safety and soundness and compliance
considerations warranted the agency receiving advance notice of
industry use of one developing technology--transactional web sites.
Such web sites allow savings association customers to use the Internet
to conduct a wide variety of financial transactions. They may, however,
also pose particular security, compliance, and privacy risks.
Accordingly, on August 13, 1998, OTS issued a supplemental notice
of proposed rulemaking (Supplemental NPR) seeking comment on additional
proposed rules that would require each savings association to notify
OTS before
[[Page 65674]]
it establishes a transactional web site.6 OTS also proposed
to give the Regional Offices discretion to impose additional
requirements in appropriate circumstances.
---------------------------------------------------------------------------
\6\ 63 FR 43327 (August 13, 1998).
---------------------------------------------------------------------------
Safety and soundness and compliance considerations are similar for
state-chartered and federally-chartered institutions. Thus, the
Supplemental NPR proposed to require every savings association to
notify OTS before it established a transactional web site and to comply
with additional requirements that the Regional Offices may impose in
appropriate circumstances. Since the ANPR and NPR did not specifically
discuss these requirements and applied only to Federal savings
associations, OTS concluded that additional public comment would assist
in the development of a final rule.
E. Comments on Supplemental NPR--General Discussion
The comment period on the Supplemental NPR closed on September 14,
1998. OTS received nine comment letters from six Federal savings
associations, two trade associations, and one public interest
organization.
Two commenters supported the notice requirement. Four commenters
opposed the requirement. The other three commenters did not
specifically support or oppose the requirement. OTS has addressed the
specific comments on the Supplemental NPR below.
II. Today's Final Rule
Today's final rule incorporates the same broad principles and
reflects the same supervisory concerns articulated in the NPR and
Supplemental NPR. OTS continues to believe that it is important to have
enabling regulations in this area. These regulations will help ensure
that OTS has sufficient information to understand developing
technologies, to provide appropriate guidance on these technologies,
and to supervise electronic operations effectively. The proposed
approach in the NPR and Supplemental NPR, with some modifications as
discussed below, will provide both the industry and the agency with the
appropriate amount of flexibility to adapt to changing conditions.
Today's final rule is meant to provide authority for Federal
savings associations' electronic operations and a structure for all
savings associations' use of electronic means and
facilities.7 Standing alone, it cannot, and does not purport
to, answer all questions in this rapidly changing area. These
operations, by their very nature, are evolving, presenting the industry
and the agency with both old issues in a new form (e.g., the
appropriate documentation to open an account) and new issues unique to
electronic operations (e.g., treatment of stored value cards). The
agency has issued, and will continue to issue, guidance as electronic
operations evolve. This guidance has taken the form of letters to chief
executive officers of savings associations, interagency examiner
guidelines, revisions to the Thrift Activities Handbooks, conditions on
the approval of applications, and responses to requests for legal
interpretations.8 The agency expects to continually update
its guidance and to continue to make it available on OTS's web site at
www.ots.treas.gov.
---------------------------------------------------------------------------
\7\ New Sec. 555.200 is similar to the Office of the Comptroller
of the Currency's (OCC) rule on furnishing of products and services
by electronic means and facilities. See 12 CFR 7.1019 (1998).
\8\ See, e.g., Memorandum from Richard M. Riccobono, Deputy
Director, for Chief Executive Officers (November 3, 1998) (Policy
Statement on Privacy and Accuracy of Personal Customer Information);
Memorandum from Richard M. Riccobono, Deputy Director, for Chief
Executive Officers (July 23, 1998) (Interagency Guidance on
Electronic Financial Services and Consumer Compliance); Memorandum
from John Downey, Executive Director, Supervision, for Chief
Executive Officers (June 23, 1997) (Statement on Retail On-Line
Personal Computer Banking); Thrift Activities Regulatory Handbook,
Section 341, Information Technology (October 1997) (Regulatory
Bulletin 32-6, October 15, 1997); Federal Financial Institutions
Examinations Council (FFIEC) Information Systems Examination
Handbook (1996); OTS Order No. 95-88 (May 8, 1995) (application
approval of Internet bank); OTS Op. Chief Counsel (September 19,
1997) (establishment of automated loan machines).
---------------------------------------------------------------------------
Further, while today's final rule removes Secs. 545.138, 545.141,
and 545.142, OTS emphasizes that the new rules continue to authorize
all activities formerly authorized under these provisions.
III. Section-by-Section Discussion
Today's final rule creates a new part 555 to address electronic
operations. In the NPR, OTS originally proposed to place the electronic
operations regulations in a new subpart B to part 545. However, part
545 only applies to Federal savings associations. The notice
requirements proposed in the Supplemental NPR and incorporated into
this final rule, however, apply to all savings associations. Thus, as
proposed in the Supplemental NPR, OTS is placing the electronic
operations regulations in a new part 555.
A. What Does This Part Do? (Sec. 555.100)
Section 555.100 explains the purpose of part 555. Subpart A
explains how a Federal savings association may provide products and
services through electronic means and facilities. Subpart B contains
the advance notice and other requirements applicable to all savings
associations.
OTS received no specific comments on Sec. 555.100 of the
Supplemental NPR (or on Sec. 545.140 of the NPR, which served a similar
function). The section is unchanged from the Supplemental NPR.
B. Authority of Federal Savings Associations to Conduct Electronic
Operations (Subpart A to Part 555)
1. How May I Use or Participate With Others to use Electronic Means and
Facilities? (Proposed Sec. Sec. 545.141, 545.142, and 545.143, Final
Sec. 555.200)
Final Sec. 555.200 combines, with changes, proposed Sec. 545.141,
545.142, and 545.143. Section 555.200(a) corresponds to proposed
Sec. 545.141, but merges part of proposed Sec. 545.143. Section
555.200(b) corresponds to proposed Sec. 545.142 and also merges part of
proposed Sec. 545.143. Sections 555.200(a) and 555.200(b) are discussed
separately below.
Section 555.200(a)
Consistent with OTS's goal of minimizing regulatory restrictions on
electronic operations, proposed Sec. 545.141 would have specifically
permitted Federal savings associations to use electronic means or
facilities to perform any authorized function or provide any authorized
product or service. Electronic means or facilities would include, but
would not be limited to, automated teller machines (ATMs), automated
loan machines, personal computers, the Internet, the World Wide Web,
telephones, and other similar electronic devices. The preamble
explained that this authority would include the opening of savings or
demand accounts and the establishment of loan accounts--functions
previously excluded from the definition of remote service unit--because
performing these functions electronically may enhance the operating
flexibility of Federal savings associations.
Commenters generally supported this section. One commenter,
however, a trade association, argued that proposed Sec. 545.141 was too
broad and did not sufficiently protect the safety and soundness of the
industry. Instead, the commenter emphasized the need for a thorough
risk assessment of any new delivery system to protect safety and
soundness. The commenter urged OTS to establish a procedure whereby OTS
would issue an approval or interpretation before a product or service
was first offered electronically. Once one institution was approved to
use an electronic delivery system,
[[Page 65675]]
approval for subsequent institutions would not be required. Presumably,
subsequent institutions would be required to provide the same
protections and safeguards.
While OTS does not believe that a new procedure is necessary for
most types of electronic operations, OTS has added subpart B to part
555, to deal with the special risks associated with transactional web
sites. As discussed in Section III.C. below, subpart B will enhance
OTS's ability to supervise electronic operations, particularly Internet
banking activities.
Three Federal savings associations asked OTS to clarify whether the
new regulation would permit specific products or services. As noted in
the preamble to the proposed rule, by revising its rules, OTS intends
to allow Federal savings associations to engage in any authorized
activity through electronic means that they may conduct through more
traditional delivery mechanisms.9 To clarify this point, OTS
has revised the language of Sec. 555.200(a) to provide that a Federal
savings association may use electronic means or facilities ``to perform
any function, or provide any product or service, as part of an
authorized activity.''
---------------------------------------------------------------------------
\9\ 62 FR at 51818.
---------------------------------------------------------------------------
As with all activities of Federal savings associations, OTS's
position, like that of its predecessor agency, the Federal Home Loan
Bank Board (FHLBB), has been that if the Home Owners' Loan Act (HOLA)
10 authorizes an activity, a specific authorizing regulation
is not necessary.11 In some cases, the HOLA speaks clearly
on an activity and institutions generally choose to act without
obtaining agency concurrence. In other cases, where the authority is
less clear or specific facts are more determinative, an application or
an interpretive legal opinion may be the best route for resolving
issues of first impression.
---------------------------------------------------------------------------
\10\ 12 U.S.C. 1461-1468c.
\11\ See, e.g., 60 FR 44442, 44444 (August 28, 1995); 48 FR
23032 (May 23, 1983).
---------------------------------------------------------------------------
To assist the industry further, OTS will continue to provide both
formal and informal guidance on authorized activities for Federal
savings associations. If applicable statutes, regulations, court cases,
and OTS opinions do not provide a sufficient basis for a Federal
savings association to determine whether a product or service is
authorized under the HOLA or the use of electronic means or facilities
is appropriate, it may request an interpretive opinion 12 or
consult with OTS's Regional Director for the Region in which its home
office is located.
---------------------------------------------------------------------------
\12\ See OTS Customer Service Plan--Interpretive Opinions
(January 1996). Such questions may also be addressed in the context
of an application process (e.g., de novo applications).
---------------------------------------------------------------------------
OTS has previously provided explicit guidance on several of the
questions about specific products or services raised. For example, the
preamble to the proposed rule stated that Federal savings associations
could establish loan accounts and open savings or demand accounts
through electronic means.13 Similarly, the ANPR indicated
that the term ``electronic means and facilities'' would clearly
encompass new technologies that enable a depository institution to make
risk-based judgments electronically.14 This would include,
for example, automated credit scoring and other forms of automated
underwriting.
---------------------------------------------------------------------------
\13\ 62 FR at 51818. However, all statutory and regulatory
restrictions associated with offering a product or service continue
to apply where electronic means and facilities are used.
One commenter asked whether a signed deposit application would
have to be executed and transmitted with the initial deposit in hard
copy. At one time, FHLBB regulations specifically imposed this type
of signature card requirement. See 12 CFR 545.2(a) (1983). In May
1983, the FHLBB eliminated this specific requirement. 48 FR 23032
(May 23, 1983).
\14\ 62 FR at 15632.
---------------------------------------------------------------------------
In addition, OTS and the FHLBB have long recognized that Federal
savings associations may open accounts and transfer funds for persons
overseas. For example, the FHLBB opined that Federal savings
associations may solicit deposits and open accounts for individuals who
are not citizens or residents of the United States by mail or
electronic means.15 Since this is an authorized activity
under the HOLA, this final rule permits a Federal savings association
to engage in this activity through electronic operations. However,
Federal savings associations engaging in such electronic activities
must comply with all applicable requirements, including addressing
safety and soundness concerns and ensuring compliance with other
federal laws and requirements.16
---------------------------------------------------------------------------
\15\ See Memorandum from Jack D. Smith, Deputy General Counsel,
FHLBB, to Alvin Smuzynski, Deputy Director, Supervisory Activities
(December 7, 1987). Pursuant to that opinion, the institution was
permitted to undertake the activity where the institution maintained
the deposits in United States dollar denominations, offered standard
money market and term certificate of accounts with interest rates
and other terms and conditions that were the same as those offered
by the institution to those residing in the United States, and
complied with the requirements applicable to the type of accounts.
See also FHLBB Op. General Counsel (May 10, 1984).
\16\ OTS anticipates that it will shortly publish a proposed
``Know Your Customer'' rule, as part of an interagency rulemaking
effort.
---------------------------------------------------------------------------
OTS has not opined on whether certain activities cited by
commenters are authorized for Federal savings associations.
Specifically, one commenter asked whether a Federal savings association
may issue, use, and deal in all forms of electronic monetary value,
including stored value and smart-card technologies. Another commenter
asked whether a Federal savings association may use and participate in
digital authentication and certification, including serving as a
certificate authority (an entity certifying electronic signatures for
use in electronic commerce).
OTS has not opined on whether every activity that could involve the
use of electronic money or participation in digital authentication
regimes is an authorized activity for Federal savings
associations.17 With any new activity, the factual context
and the accompanying safeguards are often critical to determining
whether and how an activity may be conducted, whether or not electronic
means are involved. Thus, OTS believes that it is important that
savings associations continue to consult with their Regional Offices to
obtain up-to-date guidance as they move forward in the use of
electronic means and facilities.
---------------------------------------------------------------------------
\17\ With regard to electronic monetary value, OTS has opined
that a Federal savings association has authority to market and sell
prepaid telephone cards as agent for a telephone company. OTS Op.
Chief Counsel (August 29, 1996). We also note that the other federal
banking agencies have indicated that financial institutions may deal
in other types of electronic monetary value. See OCC Interpretive
Letter No. 718 (March 14, 1996) (national banks may dispense
alternate media such as public transportation tickets, event and
attraction tickets, gift certificates, prepaid phone cards,
promotional and advertising materials, electronic benefits transfer
scripts, and credit and debit cards) and Federal Deposit Insurance
Corporation General Counsel's Op. No. 8, published in, 61 FR 40490
(Aug. 2, 1996) (discussing whether, and under what circumstances,
funds underlying stored value cards may be considered deposits under
the Federal Deposit Insurance Act, 12 U.S.C. 1811-1835a).
With regard to digital authentication and certification, Federal
savings associations have incidental authority under the HOLA to
guarantee customer signatures for documentary transactions in which
an association has an interest as part of its deposit taking,
lending, or trust business, as well as guarantees executed as a
separate customer service with respect to stock transfers and
similar transactions in which the association has no direct
interest. FHLBB Op. General Counsel (August 11, 1981). In addition,
the OCC has authorized a national bank operating subsidiary to act
as a certification authority and repository for certificates that
verify digital signatures. The authority was not limited to
transactions in which the subsidiary had a direct interest. OCC Op.
Chief Counsel (January 12, 1998) (Operating Subsidiary Application
by Zions First National Bank, Salt Lake City, Utah).
OTS believes the reasoning of the other regulators appears
persuasive. OTS will consider these opinions when it reviews a
Federal savings association's authority to conduct such activities
as these issues are presented to the agency.
---------------------------------------------------------------------------
Another Federal savings association asked OTS to adopt an expansive
[[Page 65676]]
interpretation of the phrase ``authorized product or service.'' The
commenter's proposed interpretation would clarify that as long as the
primary electronic product or activity is permitted, the Federal
savings association may provide a minor ancillary application, even
though the ancillary application is not specifically authorized by the
HOLA. Federal savings associations possess powers that are incident to
the express powers of Federal savings associations, as set forth in the
HOLA.18 Today's final rule allows Federal savings
associations to use electronic means or facilities to perform any
function, or provide any product or service, as part of an authorized
activity, including activities authorized under the incidental powers
doctrine. OTS will review whether particular activities are authorized
as incidental powers on a case-by-case basis as these issues are
presented to the agency.
---------------------------------------------------------------------------
\18\ See OTS Op. Chief Counsel (August 29, 1996) at 2.
---------------------------------------------------------------------------
As noted above, Sec. 555.200(a) continues to permit Federal savings
associations to perform all data processing and transmission services
formerly authorized under Sec. 545.138(a) and (b). When Sec. 545.138
was promulgated in 1983, the FHLBB imposed certain data and customer
restrictions designed to ensure that a Federal savings association
would conduct data processing and transmission services consistent with
the authority provided in HOLA.19 OTS recognizes that the
HOLA may authorize the provision of data processing services in
additional circumstances. Accordingly, the final rule, like the OCC's
rule, does not impose specific data or customer restrictions. Rather,
final Sec. 555.200(a) merely requires that services provided through
electronic means and facilities must be a ``part of an authorized
activity.'' This restriction means that data processing and
transmission services provided must be authorized under the HOLA,
either expressly or as an incidental power.
---------------------------------------------------------------------------
\19\ See 48 FR 7428, 7429-7430 (February 22, 1983).
---------------------------------------------------------------------------
Final Sec. 555.200(a) has also been revised to incorporate
provisions in proposed Sec. 545.143, entitled ``How may I participate
with others in the use of electronic means and facilities?'' Proposed
Sec. 545.143 would have permitted a Federal savings association to
participate with others to perform, provide, or deliver activities,
functions, products, or services described in the proposed rule. A
Federal savings association could have participated with an entity that
is not subject to examination by a Federal agency regulating financial
institutions only if that entity agreed, in writing, to permit OTS to
examine its electronic means or facilities, to pay for any related OTS
examination fees, and to make all relevant records in its possession,
written or electronic, available to OTS for examination. OTS also
indicated that if the participation by a Federal savings association
was through a service corporation, OTS's service corporation rules
would apply.20
---------------------------------------------------------------------------
\20\ See 12 CFR 559.4 (1998).
---------------------------------------------------------------------------
The Examination Parity and Year 2000 Readiness for Financial
Institutions Act,21 has obviated the need for proposed
Sec. 545.143 as a separate section of the rule. Section 3 of this
legislation provides:
---------------------------------------------------------------------------
\21\ Pub. L. No. 105-164 (enacted March 20, 1998).
[I]f a savings association, a subsidiary thereof, or any savings
and loan affiliate or entity, as identified by section 8(b)(9) of
the Federal Deposit Insurance Act [12 U.S.C. 1818(b)(9)], that is
regularly examined or subject to examination by the Director [of
OTS], causes to be performed for itself, by contract or otherwise,
any service authorized under [HOLA] * * *, such performance shall be
subject to regulation and examination by the Director to the same
extent as if such services were being performed by the savings
---------------------------------------------------------------------------
association on its own premises.
In light of this legislation, today's final rule simply clarifies
the authority of a Federal savings association to participate with
others to perform any function, or provide any product or service, as
part of an authorized activity, through electronic means and
facilities. This language has been merged into final Sec. 555.200(a).
OTS is making a similar conforming change to Sec. 555.200(b), discussed
below.
In making these changes, OTS is removing the proposed requirement
concerning record availability since this requirement is implicit in
examinations authorized by the legislation. OTS is also removing the
proposed requirement concerning examination fees. The other banking
agencies do not charge fees specifically for examinations of service
providers. OTS does not intend to impose fees for the examination of
service providers, except as otherwise provided for under OTS's
assessment rule and Thrift Bulletins.
While the relevance of many of the comments on proposed
Sec. 545.143 has been negated by this intervening legislation, it is
useful to respond to some of the points raised by commenters on the
NPR. Two commenters criticized the third party examination, fee, and
record requirements as burdensome and unnecessary. In implementing the
new legislation, OTS will focus its service provider examinations on
those whose activities could have a direct impact on the safety and
soundness of savings associations.\22\ Data processing servicers and
ATM servicers are among the types of service providers OTS examines
because they provide functions critical to financial operations.
---------------------------------------------------------------------------
\22\ See Statement of Ellen Seidman, Director, Office of Thrift
Supervision, concerning Examination Parity and Year 2000 Readiness
for Financial Institutions Act, before the Committee on Banking and
Financial Services, United States House of Representatives, February
5, 1998, at 8-10.
---------------------------------------------------------------------------
Another Federal savings association explained that the software
industry is wary of providing unrestricted access to their information
without explicit assurances of confidentiality to protect proprietary
trade secrets. The commenter stated that, at a minimum, the final rule
should provide that any information reviewed or gathered during an
examination of a service provider will be treated as ``unpublished OTS
information'' under 12 CFR 510.5 (1998), which provides confidentiality
safeguards.
OTS treats service provider examination reports as confidential
unpublished OTS information.\23\ Consistent with this regulation, these
reports are not publicly available, but OTS does share the examination
reports of service providers with the Federal banking agencies. It also
shares relevant portions of the examination reports with Federal and
State savings associations that use the services of those service
providers.
---------------------------------------------------------------------------
\23\ See 12 CFR 510.5(a)(2)(ii) (1998).
---------------------------------------------------------------------------
Section 555.200(b)
Former Sec. 545.138(c) subjected marketing by-products and excess
capacity of data processing and transmission services to significant
restrictions. In contrast, under proposed Sec. 545.142, a Federal
savings association could market and sell electronic capacities and by-
products to third parties if it acquired or developed the capacities
and by-products in good faith as part of providing financial services.
The proposed rule was substantially identical to the OCC rule on
marketing and selling such capacities.\24\
---------------------------------------------------------------------------
\24\ See 12 CFR 7.1019 (1998).
---------------------------------------------------------------------------
Two commenters expressly supported the proposed section. Upon
further review, OTS believes it is necessary to make two minor
clarifications to Sec. 555.200(b).
First, the final rule indicates that the marketing and selling of
electronic capacities and by-products to third-parties is to enable
Federal savings
[[Page 65677]]
associations to optimize their resources. This language conforms the
OTS rule more closely to the OCC's rule.
Second, the final rule indicates that a Federal savings association
may also participate with others to market and sell electronic
capacities and by-products to third-parties. Like the revision to
Sec. 555.200(a) discussed above, this change incorporates part of
Sec. 555.143 of the proposed rule.
One Federal savings association asked OTS to define the phrase
``electronic capacities and by-products'' to clarify that Federal
savings associations may provide ``fully integrated solutions to a
range of business needs.'' These solutions may involve a combination of
software development, computer systems design and construction,
electronic communication (including sending electronic mail), and data
processing and storage.
OTS does not believe it is appropriate to make the clarification
requested by the commenter. As long as a Federal savings association
acquired or developed its electronic capacities and by-products in good
faith as part of providing financial services, the Federal savings
association may market and sell them to third-parties. OTS cautions,
however, that to the extent a Federal savings association may wish to
engage in additional activities in connection with the marketing and
sale of such capacities and by-products, the additional activities must
be authorized under the HOLA, either expressly or as an incidental
power.
2. What Precautions Must I Take? (Proposed Sec. 545.144, Final
Sec. 555.210)
Although OTS believes that it is vital that Federal savings
associations establish appropriate internal controls for risks and
security measures when they engage in electronic operations, it did not
propose to codify static risk or security requirements. Because methods
of electronic commerce and their attendant security measures are
continually evolving, OTS's proposed rule reflected the view that it is
impracticable to prescribe security measures that would remain useful
for the indefinite future.
Instead, proposed Sec. 545.144 would have required a Federal
savings association to adopt standards and policies designed to ensure
secure operations. In addition, the proposed rule would have required a
Federal savings association to implement security measures adequate to
prevent unauthorized access to its records and its customers' records,
and to prevent financial fraud through the use of electronic means or
facilities. The proposed rule also stated that a Federal savings
association must comply with the current security devices requirements
of part 568, if it provides an ATM, an automated loan machine, or
another similar electronic device.
One Federal savings association noted that the banking industry has
not yet embraced any particular standards with respect to encryption,
authentication, digital signatures, and other technical matters
affecting transmission over the Internet. Accordingly, the commenter
urged OTS to avoid imposing unnecessary regulatory impediments or
micro-managing system implementation or maintenance. While the
commenter was not critical of proposed Sec. 545.144, the commenter
criticized OTS's imposition of certain security-related conditions on
approvals of recent applications, such as requiring an applicant to
have its delivery of services over the Internet tested and reviewed by
independent computer security specialists before commencing operation.
The commenter urged OTS to reconsider whether there is a need to impose
such conditions.
In approving applications to commence operations, OTS requires
proof that adequate security measures are in place for safe, sound, and
secure operations. To date, these requirements routinely have included
testing and review by independent computer security specialists. OTS
tailors specific conditions on a case-by-case basis. It may be possible
that future applications may not raise these security concerns.
However, currently OTS believes such a condition in application
approval orders remains essential to safe and sound internal
operations. Similarly, under the notice procedures in subpart B to part
555 of this final rule (including the 30-day advance notice
requirement), OTS will have an opportunity to consider, before any
savings association establishes a transactional web site, whether the
savings association will be able to conduct such operations in a safe,
sound, secure, and compliant manner.
In the preamble to the proposed rule, OTS indicated that it
``expects Federal savings associations to establish security measures
that are consistent with current industry standards, and to continually
monitor and regularly update these security procedures to keep pace
with changes to industry standards.'' 25 One trade
association urged OTS to incorporate this statement in the final rule.
---------------------------------------------------------------------------
\25\ 62 FR at 51819.
---------------------------------------------------------------------------
OTS believes that such interpretive statements are best contained
in OTS policy statements, advisories, and other explanatory materials,
rather than the regulation. For similar reasons, OTS has deleted from
the final rule the proposed statement indicating that Federal savings
associations should adopt standards and policies on security issues.
Instead, the rule requires Federal savings associations to implement
security measures designed to ensure secure operations.
Another trade association urged OTS to provide guidelines alerting
Federal savings associations to security issues that should be
addressed before a new electronic delivery mechanism is implemented. As
summarized in Section II above, OTS has issued such guidelines and
advisories to Federal savings associations, both on its own and as part
of FFIEC.
OTS has made clarifying revisions to the section. These revisions
require that the management of Federal savings associations identify,
assess, and mitigate potential risks and establish prudent internal
controls, in addition to implementing security measures that are
designed to ensure secure operations.26 These risks may be
strategic, legal, regulatory, or operational.27
---------------------------------------------------------------------------
\26\ Further guidance on these requirements is provided in
Appendix A to Part 570, section 341 of the Thrift Activities
Regulatory Handbook, and Statement on Retail On-Line Personal
Computer Banking.
\27\ See Statement on Retail On-Line Personal Computer Banking.
---------------------------------------------------------------------------
C. Requirements Applicable to All Savings Associations
1. Must I Inform OTS Before I Use Electronic Means or Facilities?
(Sec. 555.300)
Proposed Sec. 555.300(a) of the Supplemental NPR sets forth the
general rule that a savings association does not have to inform OTS
before it uses electronic means and facilities. However, two exceptions
apply. First, proposed Sec. 555.300(b) would require a savings
association to file a written notice with OTS before it establishes a
transactional web site. Second, proposed Sec. 555.300(c) would provide
that if the OTS Regional Office has informed a savings association of
any supervisory or compliance concerns that may affect the savings
association's use of electronic means or facilities, the savings
association must follow any additional procedures the Regional Office
has imposed in writing. Proposed Sec. 555.300(a) also would encourage
savings associations to consult with OTS even in circumstances not
covered by the notice requirement or other procedures in
Sec. 555.300(b) or (c).
[[Page 65678]]
Four commenters indicated that the proposed notice requirement
would help OTS to monitor adequately savings associations'
technological innovations and to assess security, compliance, and
privacy risks. Some commenters, however, expressed concerns.
Four commenters argued that the notice requirement would place
savings associations at a competitive disadvantage, since other banking
regulators do not impose a similar notice requirement. OTS does not
anticipate that the notification requirement will place savings
associations at a significant competitive disadvantage. As discussed
below, in general, once an association has addressed any follow-up
questions from the Regional Office and the 30-day period has expired,
the association will be free to bring its transactional web site on-
line. No affirmative authorization from OTS is necessary except where
the Regional Office may otherwise indicate.
While providing this information will impose a minimal burden on
savings associations, the process will allow individual associations,
and the industry as a whole, to reap important benefits. The notice
will make it easier for OTS to obtain information on the industry's use
of transactional web sites. As a result, OTS will be better able to
assist associations that are contemplating or already conducting
Internet operations to identify and address the risks that accompany
such activities. The information will also broaden OTS's awareness of
trends in Internet banking operations, which OTS can share with
institutions. It will also efficiently allow OTS to keep abreast of
significant changes in the way particular savings associations interact
with their existing or potential customers to enable OTS to issue
appropriate guidance. Finally, the procedure responds to the concern
raised by the commenter on the NPR who indicated that OTS should be
vigilant about new electronic operations raising safety and soundness
concerns, since the procedure will assist OTS to supervise effectively
the electronic operations of savings associations.28
---------------------------------------------------------------------------
\28\ A September 30, 1998 report prepared, at OTS's request, by
the Office of Inspector General (OIG), United States Department of
the Treasury, made several suggestions. Among these were that OTS:
(1) develop a complete list of savings associations providing on-
line and Internet banking services; (2) enhance monitoring of
savings associations' web sites for compliance with federal
disclosure regulations and laws, and (3) begin to focus more on the
operational risks presented by on-line and Internet banking. The OIG
recommended these steps to help OTS determine risks, plan strategic
examination coverage, identify staff development needs, and foster
examination uniformity and consistency. See Office of Inspector
General, U.S. Dep't of the Treasury, Consultative Report on the
Office of Thrift Supervision Examination of On-Line and Internet
Banking Risks, (OIG-CA-98-003, 1998).
---------------------------------------------------------------------------
One commenter asserted that transactions conducted over the
Internet pose no more risk than transactions performed using other
technologies for which no prior notice is required. This commenter also
asserted that the notice was unnecessary since the industry already
fully understands the risks associated with the Internet.
OTS does not agree that transactions conducted over the Internet
pose no more risk than transactions performed through other more
established technologies.29 While it is true that risks are
inherent in all electronic capabilities, the use of an electronic
channel such as the Internet to deliver products and services
introduces unique risks due to the increased speed at which systems
operate, user anonymity, and broad access in terms of geography, user
groups, applications, databases, and peripheral systems.
---------------------------------------------------------------------------
\29\ See 63 FR at 43328.
---------------------------------------------------------------------------
As explained in the preamble to the Supplemental NPR, OTS has been,
and continues to be, concerned with the adequacy of firewalls to
prevent hackers from breaking into an association's computer systems
and thereby jeopardizing the association's security.30 OTS
is also concerned about other operational and compliance risks
presented by Internet banking and intends to increase its monitoring of
web sites for compliance with disclosure laws and
regulations.31 Additionally, OTS is concerned about
protecting the privacy of individuals submitting information (or about
whom information has been submitted).32
---------------------------------------------------------------------------
\30\ Id.
\31\ As noted in the preamble to the Supplemental NPR, OTS is
aware that advertising and disclosure problems may apply equally to
transactional and informational web sites. OTS believes, however,
that the need for advance notice is greater where such concerns are
combined with the other compliance, security, and privacy issues
related to transactional web sites. To minimize regulatory burden,
OTS is limiting the advance notice requirement to transactional web
sites. However, OTS will continue to examine both types of web sites
for operational and compliance problems. See 63 FR at 43329 n. 11.
\32\ 63 FR at 43328.
---------------------------------------------------------------------------
Even traditional risks that are similar to those in customary
banking activities must be considered in a new light. For example, if
an association conducts lending or deposit gathering activities over an
electronic channel, credit risks must be considered in the context of
the high-speed, wide-access electronic environment. The collection of
baseline information on transactional web sites is an important and
integral part of OTS efforts to enhance its supervision of Internet
banking activities.
Another commenter noted that the costs of developing a web site are
substantial and would be incurred before the savings association files
the notice. Consistent with Sec. 555.300(a), OTS encourages
associations concerned about expending resources to develop a
transactional web site to consult with their Regional Office in the
early stages of development, even before filing a notice.
In lieu of the notice requirement, several commenters urged OTS to
continue to rely on existing supervisory guidance, examination
oversight, and application processes to ensure that Internet activities
are conducted in a safe, sound, secure, and compliant manner. One
commenter encouraged OTS to address transactional web sites in the
Statement on Retail On-Line Personal Computer Banking and in additional
questions in the Pre-Examination Response Kit. Another commenter
suggested that the additional guidance should address such issues as
development costs, security and privacy issues, and compliance matters.
OTS has provided and will continue to provide important guidance to
the industry. OTS has addressed development costs, security, privacy,
and compliance matters in its Statement on Retail On-Line Personal
Computer Banking and in section 341 of the Thrift Activities Regulatory
Handbook. OTS will update and supplement this guidance as necessary.
However, this guidance is not a substitute for OTS's obtaining
information necessary for proper supervision.
OTS proposed to define a transactional web site as ``an Internet
site that enables users to conduct financial transactions such as
accessing an account, obtaining an account balance, transferring funds,
processing bill payments, opening an account, applying for or obtaining
a loan, or purchasing other products or services.'' 33 Four
commenters supported OTS's proposed definition. Two commenters
indicated that the Supplemental NPR adequately distinguished between
transactional and informational web sites.
---------------------------------------------------------------------------
\33\ 63 FR at 43330 (proposed Sec. 555.300(b)).
---------------------------------------------------------------------------
In light of the generally favorable comments, OTS does not believe
significant changes to the definition are necessary. However, OTS is
making one clarifying change to the definition of transactional web
site in response to a comment. The commenter recommended clarifying the
meaning of the phrase ``purchasing other products
[[Page 65679]]
or services'' used in the definition. The final rule clarifies that the
phrase refers to any authorized products or services.
Another commenter asked OTS whether a new notice would be required
when the type and level of activities conducted on a transactional web
site are increased or substantially modified. A new notice will not be
required in such circumstances. Once the savings association alerts OTS
about its transactional web site, the agency will be able to monitor
and examine the web site without a need for subsequent notices when
changes are made.34
---------------------------------------------------------------------------
\34\ However, as noted in the preamble to the Supplemental NPR,
before a savings association may change an informational web site to
a transactional web site, the savings association must file a notice
with OTS. 63 FR at 43329 n. 9.
---------------------------------------------------------------------------
Other commenters, however, suggested further revisions or
clarifications that OTS believes would be too limiting. One commenter
indicated that the covered web sites should be those that transact
business equivalent to a branch through which money passes. Another
argued that a web site is not transactional if an applicant may only
complete and return a loan application electronically, but would be
transactional if the web site also permits the application to be
processed through an automated credit scoring system and is used to
notify the customer of an approval or denial.
OTS does not agree that transactional web sites subject to the
notice requirement should be limited to those that are used for
monetary transactions or are used to notify the customer of an
application approval or denial. The same concerns about providing a
secure environment apply where confidential information is exchanged in
other circumstances that are transactional, but do not necessarily
constitute a monetary transaction or notification on an application.
However, it is appropriate to clarify a related matter. OTS will
not consider a web site to be transactional simply because it allows
the sending of e-mail messages. For an association simply to include an
e-mail address on its web site does not necessarily invite the public
to attempt to conduct transactions with the association over the
Internet or to submit confidential information. For example, the public
may use the e-mail address for a variety of tasks (e.g., inquiring
about products or services offered, requesting that a customer service
representative call, or asking that forms or information be mailed). In
contrast, a web site that provides an electronic application form for
transmission to the association by e-mail would be considered
transactional. Such an application, by its nature, is designed to
conduct a transaction and will likely actively elicit the submission of
confidential information to the association over the Internet through
the questions contained in the application.
One commenter recommended that OTS define an ``informational web
site.'' OTS does not believe that a separate definition of this term is
necessary. As noted in the preamble to the Supplemental NPR, an
informational web site is a non-transactional web site, such as one
limited to advertising and fee and rate posting.35
---------------------------------------------------------------------------
\35\ 63 FR at 43329.
---------------------------------------------------------------------------
Six commenters opposed a notice requirement for electronic
activities other than a transactional web site. Three commenters
explained that OTS already has sufficient authority to examine any
activity that raises safety and soundness concerns.
OTS is not requiring a notice under Sec. 555.300(b) for any
activities using electronic means or facilities other than
transactional web sites. For example, a savings association would not
be required to notify OTS before it establishes an informational web
site.36 As with other activities, OTS will continue to rely
on its existing supervisory examinations and application processes to
ensure the savings association's ability to engage in new activities in
a safe, sound, secure, and compliant manner.37
---------------------------------------------------------------------------
\36\ However, OTS has implemented a change to the Thrift
Financial Report (TFR). The electronic filing software now collects
information on all savings associations' Internet web site
addresses. This change was effective for the third quarter 1998 TFR.
\37\ OTS reviews the safety and soundness of new activities, the
appropriateness of the internal controls and security precautions,
and compliance with applicable laws and regulations on a case-by-
case and institution-by-institution basis in connection with
applications and through the examination process. For institutions
subject to an application process (e.g., de novo applications),
these initial safety and soundness and compliance determinations
will be made in the application review. After application approval
or where no application is required, safety and soundness and
compliance will generally be assessed as a part of the examination
process. This process will review and assess the institution's
identification of risks of the activity, the steps it has taken to
mitigate these risks, the testing it has undertaken to ensure safety
and soundness, and its compliance monitoring process.
---------------------------------------------------------------------------
As technologies emerge, OTS may revise the rule to require notice
of activities other than establishing a transactional web site.
Similarly, as technologies mature and the industry and OTS gain
additional experience, OTS may revise the rule to no longer require
notice before establishing a transactional web site.
OTS is also making an editorial change to Sec. 555.300(a). The
change clarifies that OTS encourages consultations with the Regional
Office regardless of whether the notice requirement in Sec. 555.300(b)
or the additional procedures in Sec. 555.300(c) apply.
2. How do I Notify OTS? (Sec. 555.310)
Proposed Sec. 555.310 of the Supplemental NPR described the advance
notice procedures. Proposed Sec. 555.310(a) would require a savings
association to provide a written notice to the appropriate Regional
Office at least 30 days before establishing a transactional web site.
Proposed Sec. 555.310(b) contained a transition provision applicable to
transactional web sites established after the date of the association's
last regular onsite OTS safety and soundness examination but before the
effective date of the rule.
Two commenters supported the 30-day advance notice period. Another
commenter argued that the 30-day notice period would be too long and
suggested a 10-day notice period. Another commenter urged OTS to permit
a savings association to apprise OTS within 30 days after establishing
a transactional web site. This notice would permit OTS to review the
web site in an examination.
OTS has decided to retain the 30-day advance notice procedure as
proposed. As discussed above, OTS does not anticipate this procedure
will be burdensome. Thirty days is an appropriate time period to allow
OTS to consider the notice and ask any follow-up questions that may be
necessary.
In the Supplemental NPR, OTS did not propose to prescribe any
particular form for the notice. Proposed Sec. 555.310(a) would simply
require that a savings association describe the transactional web site,
indicate the date the transactional web site will become operational,
and list a contact familiar with the deployment, operation, and
security of the transactional web site. The preamble to the
Supplemental NPR indicated that, upon receipt of the notice, the
Regional Office may require additional information to ensure that the
savings association will operate the transactional web site in a safe,
sound, secure, and compliant manner.38 The preamble further
indicated that OTS contemplated that the notice may be brief. It
contained sample language that read:
---------------------------------------------------------------------------
\38\ 63 FR at 43329.
[Name of savings association] plans to establish a transactional
web site on the Internet at [URL]. It will be operational on [Date].
The site will contain mortgage loan applications that can be
transmitted securely
[[Page 65680]]
to our loan processing office. For further information contact:
[Name at telephone number, e-mail].39
---------------------------------------------------------------------------
\39\Id.
Four commenters stated that OTS should not require any information
in the notice beyond that described in the Supplemental NPR. One
commenter specifically endorsed OTS's sample statement in the preamble
as sufficient. One commenter, however, recommended that institutions
describe how they will conduct the activity, the type of security they
will use, the internal controls they will follow, and the program they
will follow to ensure compliance with all applicable laws and
regulations. Another commenter observed that an overview of controls
and safeguards designed to preserve privacy and security and protect
against financial fraud would be sufficient. 40
One commenter suggested that if OTS discovers that new information is
necessary following this rulemaking, it should require this information
in guidance, rather than in a revised rule.
---------------------------------------------------------------------------
\40\ One commenter, however, noted that security information may
be difficult to obtain when the web site is maintained by a service
bureau. This commenter noted that service bureaus often claim that
the release of such information will compromise their systems.
---------------------------------------------------------------------------
OTS is adopting the requirements concerning the contents of the
notice as proposed. It believes these requirements will provide
sufficient information to the Regional Offices without being burdensome
or inflexible. The guidance contained in the preamble to the
Supplemental NPR, including the sample language set forth above,
remains valid.
Several commenters sought clarification of the review procedures.
One commenter sought assurance that the notice process was
informational only. Two commenters sought clarification whether OTS
would approve or disapprove notices (e.g., where there are supervisory
or compliance concerns). One noted that if prior OTS approval is
required, the notice process would impose substantial financial,
strategic, and compliance risks on institutions. Another commenter
urged OTS to review all notices within the notice period and quickly
act to prevent a savings association from establishing a transactional
web site that could threaten its safety and soundness.
The procedure will work as follows: The savings association will
file a written notice with the Regional Office. The Regional Office
will review the notice and may ask follow-up questions. In general,
once an association has addressed those follow-up questions from the
Regional Office and the 30-day period has expired, the association will
be free to bring its transactional web site on-line. No affirmative
authorization from OTS is necessary except where the Regional Office
may otherwise indicate. If, however, by the end of the 30-day period,
the Regional Office informs the association that there are supervisory
or compliance concerns that may affect the association's establishment
of a transactional web site, the association must follow any procedures
that the Regional Office imposes in writing. The procedures the
Regional Office may impose could include, for example, requiring
further information to be submitted or precautions to be taken before
the savings association may establish the transactional web site,
limiting in some fashion the ways in which the association may use the
transactional web site, or prohibiting the association from
establishing a transactional web site.
One commenter opposing notice procedures observed that the advance
notice only made sense if the Regional Office would review the notice
before the roll-out of the web site. This commenter, however, predicted
that OTS Regional Offices may apply inconsistent standards and that
this inconsistency could be problematic since web sites provide
services nationwide. The commenter suggested that the final rule should
require the Regional Office to notify the thrift of any conditions it
would impose on web site operations. OTS will issue industry guidance
to help a savings association deploy a transactional web site in a
safe, sound, secure, and compliant manner. OTS will also issue uniform
guidance to its Regional Offices to verify that transactional web sites
are in compliance with the industry guidance and this regulation and
that savings associations have established an adequate infrastructure
for operating safe, sound, secure, and compliant transactional web
sites.
One commenter urged OTS to require public notice and comment before
a savings association may establish a transactional web site. This
commenter indicated that, in some states, financial institutions must
provide public notice and comment before opening a deposit-collecting
branch or deposit-taking ATM.
OTS does not believe it is appropriate to require a public comment
procedure. Moreover, OTS posts notices on its web site upon filing. The
same policy will apply to notices for transactional web sites. This
procedure will provide adequate information to the public.
IV. Other Rule Provisions
A. Conforming Amendment to Branch Offices Regulation
The proposed rule would revise OTS's branch office regulation to
clarify that electronic facilities (such as automated loan machines)
are not branch offices. Three commenters specifically supported this
section, although two requested clarifications. One Federal savings
association argued that the final rule should indicate that all
electronic facilities and the Internet are excluded from the definition
of ``branch office.'' The proposed rule would have excluded an
``electronic facility'' from the definition of ``branch office,'' but
did not indicate that an ``electronic means'' was also excluded.
For consistency in terminology, the final rule has been revised to
exclude all ``electronic means or facilities'' from the definition of
``branch office.'' Under Sec. 555.200(a), the Internet continues to be
an electronic means or facility and is not considered to be a branch.
Another Federal savings association asked whether a ``hybrid
office'' would be treated as a branch office. This commenter defined a
hybrid office as an office in which a Federal savings association
conducts the majority of its operations electronically, but conducts
some functions in person by appointment. The type of office the
commenter has described may be either a branch office \41\ or an agency
\42\ depending upon the types of services provided. A Federal savings
association may request an OTS opinion if it requires further guidance
on this topic.\43\
---------------------------------------------------------------------------
\41\ 12 CFR 545.92 (1998).
\42\ 12 CFR 545.96 (1998).
\43\ OTS will shortly undertake another rulemaking to clarify
the regulations governing various types of offices.
---------------------------------------------------------------------------
B. Conforming Amendment to Subordinate Organizations Rule
The Examination Parity and Year 2000 Readiness for Financial
Institutions Act, discussed above, applies to Federal and State savings
associations and provides OTS with the authority to examine service
corporations. Accordingly, OTS is conforming the service corporation
examination provision of its Subordinate Organizations regulation, 12
CFR 559.3(o)(2), to reflect this authority.
V. Other Issues Raised by Commenters
A. Preemption
One Federal savings association commenting on both the NPR and the
[[Page 65681]]
Supplemental NPR urged OTS to add specific preemption provisions
stating that OTS's electronic operations regulations preempt state laws
purporting to restrict or govern the electronic operations of federal
savings associations. The commenter noted that various states have
enacted such laws. The commenter argued that preemption would encourage
Federal savings associations to participate in various electronic
banking activities, facilitate the development of best industry
practices, and prevent the development of a patchwork of conflicting
state and local rules.
Electronic operations and related state and federal laws are still
evolving. Thus, OTS believes it is premature to craft specific
preemption regulations in the area of electronic operations. OTS
intends to address specific state laws on a case-by-case basis as they
are raised to the agency.
The commenter may have raised this matter, in part, because the
electronic operations provisions will not be placed in part 545, but
rather in a new part 555. Part 545 currently contains regulations
pertaining to electronic operations \44\ and also contains a general
provision preempting state laws affecting ``Operations.'' \45\ However,
the movement of the electronic operation provisions to a new part 555
does not indicate a substantive change. OTS will apply principles of
preemption consistently with its prior interpretations of OTS's
authority under the HOLA.\46\ Accordingly, the regulations in subpart A
to part 555 will have preemptive effect where appropriate to: (1)
facilitate the safe and sound operations of a Federal savings
association, (2) enable a Federal savings association to operate
according to the best thrift institution practices in the United
States, or (3) further other purposes of the HOLA.\47\
---------------------------------------------------------------------------
\44\ 12 CFR 545.138, 545.141, and 545.142 (1998).
\45\ 12 CFR 545.2 (1998).
\46\ See 12 CFR 545.2 (Operations), 557.11-557.13 (Deposits),
and 560.2 (Lending and Investment) (1998).
\47\ Accord 12 CFR 557.11(a) and 560.2(a) (1998).
---------------------------------------------------------------------------
When evaluating preemption of a state law, OTS will focus first on
the underlying activity affected by the state law. For example, if a
state law affects a Federal savings association's ability to take
deposits or lend using electronic means and facilities, OTS will apply
the part 557 or part 560 preemption analysis for deposit or lending
activities, respectively. OTS will evaluate other activities that may
be conducted electronically, on a case-by-case basis.
While OTS intends to give Federal savings associations maximum
flexibility to operate electronically according to a uniform federal
scheme of regulation, OTS has recognized that some types of state laws,
under certain circumstances, generally will not be preempted.\48\
Consistent with this approach, OTS will determine that a state law
regulating electronic operations is not preempted if it furthers a
vital state interest, and either has only an incidental effect on
Federal savings associations' ability to provide financial services
electronically or is not otherwise contrary to the purposes of OTS's
rule.
---------------------------------------------------------------------------
\48\ See 12 CFR 557.13 and 560.2(c) (1998).
---------------------------------------------------------------------------
B. Community Reinvestment Act
Several commenters on the NPR addressed the impact of emerging
electronic technologies on Community Reinvestment Act (CRA)
requirements. The comments generally argued that the current CRA
requirements do not: (1) provide adequate recognition of loans,
investments and services generated outside of a Federal savings
association's traditional assessment area (i.e. the area surrounding
its branch network), or (2) permit Federal savings associations with
Internet operations to define their CRA assessment areas more broadly
than the branch network concept allows. Some commenters offered options
intended to address these types of concerns. These included allowing
Federal savings associations that engage in alternate delivery systems
to be treated as limited purpose institutions or to define an
assessment area in a manner that is tied to the customer base rather
than a particular geography. One commenter on the Supplemental NPR
expressed concern that financial institutions may use web sites to
conduct business nationwide, but would be required to include only
certain geographical areas in their CRA assessment areas.
Currently, OTS is working on an interagency basis to resolve these
concerns and other CRA issues arising from the use of alternative
methods of delivering financial products and services. The interagency
effort involves revisiting the definition of an assessment area for
institutions that use alternative delivery systems. Until this
interagency effort is completed, OTS intends to allow the new
electronic technologies to develop within the existing CRA regulatory
framework. Specific CRA issues that arise in connection with an
application will continue to be handled on a case-by-case basis in an
effort to adapt existing laws to modern technologies and innovations.
49 An institution, of course, always has the option of
taking advantage of the flexibility in the existing CRA regulation by
developing and seeking approval of a strategic plan that would link CRA
performance to its particular business strategy. 50
---------------------------------------------------------------------------
\49\ While not specifically involving electronic operations, the
1997 application from the Travelers Group is illustrative of an
institution's efforts to develop a new approach on CRA. The
Travelers Group filed an application to convert a state-chartered
bank to a Federal savings association charter. The converted Federal
savings association was to engage in consumer lending and trust
services nationwide. In its application, Travelers stated that its
CRA obligation extended throughout all the communities where it does
business and made an initial pledge to make at least $430 million of
home equity loans to low- and moderate-income borrowers over three
years. OTS approved Travelers' application. See Order No. 97-120
(November 24, 1997).
\50\ See 12 CFR 563e.27 (1998).
---------------------------------------------------------------------------
C. Other Interagency Issues
Both trade association commenters on the NPR urged OTS, other
Federal bank regulators, and the Treasury Department to coordinate
their activities to ensure the development of consistent approaches to
electronic operations issues, to minimize regulatory burdens, and to
avoid potential conflicts. One commenter on the Supplemental NPR
indicated it would only support the notice requirement for
transactional web sites if all banking regulators imposed the same
requirement on their regulated institutions.
As OTS issues rules and guidance on electronic operations, it
continually strives for consistency with other Federal banking
regulators. Accordingly, OTS will continue to participate in all
interagency efforts to establish consistent regulatory approaches to
electronic operations issues.
One Federal savings association noted that when the Federal banking
agencies and the Department of Justice review a merger or acquisition
for its impact on competition, the analysis focuses on the relevant
product and geographic markets. These concepts generally require an
analysis of deposits taken, loans made, and services provided in the
geographic areas served by the combining institutions. The commenter
urged the Federal banking agencies to view Internet banking activities
as outside the scope of the traditional antitrust analysis and
recognize that current technology gives Federal savings associations
and banks the ability to conduct business with customers all over the
country.
The entry of financial institutions into electronic operations
raises a host of new issues. OTS has attempted through
[[Page 65682]]
this rulemaking and guidelines to address issues that have arisen. To
date, the antitrust issue cited by the commenter has not been a
critical issue in an application. Currently, financial business through
electronic operations constitutes a very small portion of financial
services offered by Federal savings associations. OTS will consider
providing guidance on this issue and other issues in the future should
they emerge as prominent issues.
VI. Executive Order 12866
The Director of OTS has determined that this final rule does not
constitute a ``significant regulatory action'' for the purposes of
Executive Order 12866.
VII. Paperwork Reduction Act of 1995
The collection of information requirements in this rule have been
submitted to and approved by the Office of Management and Budget in
accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d))
under OMB control number 1550-0095.
Comments on all aspects of this information collection should be
sent to the Office of Management and Budget, Paperwork Reduction
Project (1550-0095), Washington, DC 20503, with copies to the
Regulations and Legislation Division, Chief Counsel's Office, Office of
Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.
Under the Paperwork Reduction Act of 1995, no persons are required
to respond to a collection of information unless it displays a
currently valid OMB control number. The valid OMB control number
assigned to the collection of information in this final rule is
displayed at 12 CFR 506.1.
The collection of information requirements are found in 12 CFR
555.300 and 555.310. OTS requires this information for the proper
supervision of electronic operations by savings associations. The
likely respondents/recordkeepers are savings associations.
VIII. Regulatory Flexibility Act Analysis
Pursuant to section 605(b) of the Regulatory Flexibility Act, OTS
certifies that this regulation will not have a significant impact on a
substantial number of small entities. This final rule should make it
easier for Federal savings associations, including small institutions,
to engage in electronic operations. While it imposes a notice
requirement on savings associations using one particular type of
electronic means or facility (i.e., a transactional web site) and
allows Regional Offices to impose case-by-case restrictions for
supervisory or compliance reasons, these requirements are the minimum
necessary for proper supervision and should not have a significant
impact on a substantial number of small institutions.
IX. Unfunded Mandates Act of 1995
Section 202 of the Unfunded Mandates Reform Act of 1995, Pub. L.
104-4 (Unfunded Mandates Act), requires that an agency prepare a
budgetary impact statement before promulgating a rule that includes a
Federal mandate that may result in expenditure by state, local, and
tribal governments, in the aggregate, or by the private sector, of $100
million or more in any one year. If a budgetary impact statement is
required, section 205 of the Unfunded Mandates Act also requires an
agency to identify and consider a reasonable number of regulatory
alternatives before promulgating a rule. OTS has determined that the
rule will not result in expenditures by state, local, or tribal
governments or by the private sector of $100 million or more.
Accordingly, this rulemaking is not subject to section 202 of the
Unfunded Mandates Act.
List of Subjects
12 CFR Part 545
Accounting, Consumer protection, Credit, Electronic funds
transfers, Investments, Reporting and recordkeeping requirements,
Savings associations.
12 CFR Part 555
Accounting, Consumer protection, Credit, Electronic funds
transfers, Investments, Reporting and recordkeeping requirements,
Savings associations.
12 CFR Part 559
Reporting and recordkeeping requirements, Savings associations,
Securities.
Accordingly, the Office of Thrift Supervision amends chapter V,
title 12 of the Code of Federal Regulations as set forth below:
PART 545--OPERATIONS
1. The authority citation for part 545 continues to read as
follows:
Authority: 12 U.S.C. 1462a, 1463, 1464, 1828.
2. Section 545.92 is amended by revising paragraph (a) to read as
follows:
Sec. 545.92 Branch offices.
(a) General. A branch office of a Federal savings association is
any office other than its home office, agency office, administrative
office, data processing office, or an electronic means or facility
under part 555 of this chapter.
* * * * *
Secs. 545.138 through 545.142 [Removed]
3. Sections 545.138 through 545.142 are removed.
4. Part 555 is added to read as follows:
PART 555--ELECTRONIC OPERATIONS
Sec.
555.100 What does this part do?
Subpart A--Authority of Federal Savings Associations to Conduct
Electronic Operations
555.200 How may I use or participate with others to use electronic
means and facilities?
555.210 What precautions must I take?
Subpart B--Requirements Applicable to All Savings Associations
555.300 Must I inform OTS before I use electronic means or
facilities?
555.310 How do I notify OTS?
Authority: 12 U.S.C. 1462a, 1463, 1464.
Sec. 555.100 What does this part do?
Subpart A of this part describes how a Federal savings association
may provide products and services through electronic means and
facilities. Subpart B of this part contains requirements applicable to
all savings associations.
Subpart A--Authority of Federal Savings Associations to Conduct
Electronic Operations
Sec. 555.200 How may I use or participate with others to use
electronic means and facilities?
(a) General. A federal savings association (``you'') may use, or
participate with others to use, electronic means or facilities to
perform any function, or provide any product or service, as part of an
authorized activity. Electronic means or facilities include, but are
not limited to, automated teller machines, automated loan machines,
personal computers, the Internet, the World Wide Web, telephones, and
other similar electronic devices.
(b) Other. To optimize the use of your resources, you may market
and sell, or participate with others to market and sell, electronic
capacities and by-products to third-parties, if you acquired or
developed these capacities and by-products in good faith as part of
providing financial services.
Sec. 555.210 What precautions must I take?
If you use electronic means and facilities under this subpart, your
management must:
[[Page 65683]]
(a) Identify, assess, and mitigate potential risks and establish
prudent internal controls; and
(b) Implement security measures designed to ensure secure
operations. Such measures must be adequate to:
(1) Prevent unauthorized access to your records and your customers'
records;
(2) Prevent financial fraud through the use of electronic means or
facilities; and
(3) Comply with applicable security devices requirements of part
568 of this chapter.
Subpart B--Requirements Applicable to All Savings Associations
Sec. 555.300 Must I inform OTS before I use electronic means or
facilities?
(a) General. A savings association (``you'') are not required to
inform OTS before you use electronic means or facilities, except as
provided in paragraphs (b) and (c) of this section. However, OTS
encourages you to consult with your Regional Office before you engage
in any activities using electronic means or facilities.
(b) Activities requiring advance notice. You must file a written
notice as described in Sec. 555.310 before you establish a
transactional web site. A transactional web site is an Internet site
that enables users to conduct financial transactions such as accessing
an account, obtaining an account balance, transferring funds,
processing bill payments, opening an account, applying for or obtaining
a loan, or purchasing other authorized products or services.
(c) Other procedures. If the OTS Regional Office informs you of any
supervisory or compliance concerns that may affect your use of
electronic means or facilities, you must follow any procedures it
imposes in writing.
Sec. 555.310 How do I notify OTS?
(a) Notice requirement. You must file a written notice with the
appropriate Regional Office at least 30 days before you establish a
transactional web site. The notice must do three things:
(1) Describe the transactional web site.
(2) Indicate the date the transactional web site will become
operational.
(3) List a contact familiar with the deployment, operation, and
security of the transactional web site.
(b) Transition provision. If you established a transactional web
site after the date of your last regular onsite OTS safety and
soundness examination but before January 1, 1999, you must file a
notice describing your activity by February 1, 1999.
PART 559--SUBORDINATE ORGANIZATIONS
5. The authority citation for part 559 continues to read as
follows:
Authority: 12 U.S.C. 1462, 1462a, 1463, 1464, 1828.
6. Section 559.3 is amended by revising paragraph (o)(2) to read as
follows:
Sec. 559.3 What are the characteristics of, and what requirements
apply to, subordinate organizations of federal savings associations?
* * * * *
(o) * * *
(2) A service corporation is subject to examination by OTS.
* * * * *
Dated: November 20, 1998.
By the Office of Thrift Supervision.
Ellen Seidman,
Director.
[FR Doc. 98-31746 Filed 11-27-98; 8:45 am]
BILLING CODE 6720-01-P
