What customers need to be told

According to the Federal Financial Institutions Examination Council’s (FFIEC), a financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:

• An explanation of protections provided and not provided to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;
• An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;
• A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
• A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,
• A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.