Weblinking: Identifying Risks and Risk Management Techniques
A. RISK DISCUSSION
A significant number of financial institutions[1] regulated by the financial institution regulatory agencies (Agencies)[2] maintain sites on the World Wide Web. Many of these websites contain weblinks to other sites not under direct control of the financial institution. The use of weblinks can create certain risks to the financial institution. Management should be aware of these risks and take appropriate steps to address them. The purpose of this guidance is to discuss the most significant risks of weblinking and how financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party websites[3], the resulting association is called a "weblinking relationship." Financial institutions with weblinking relationships are exposed to several risks associated with the use of this technology. The most significant risks are reputation risk and compliance risk.
Generally, reputation risk arises when a linked third party adversely affects the financial institution's customer and, in turn, the financial institution, because the customer blames the financial institution for problems experienced. The customer may be under a misimpression that the institution is providing the product or service, or that the institution recommends or endorses the third-party provider. More specifically, reputation risk could arise in any of the following ways:
- customer confusion in distinguishing whether the financial institution or the linked third party is offering products and services;
- customer dissatisfaction with the quality of products or services obtained from a third party; and
- customer confusion as to whether certain regulatory protections apply to third-party products or services.
Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties.[4] The amount of risk exposure depends on several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.
Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.
Nature of Product or Service
When a financial institution provides links to third parties that sell financial products or services, or provide information relevant to these financial products and services, the risk is generally greater than if third parties sell non-financial products and services due to the greater potential for customer confusion. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.
The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.
When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.
Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.
Trade Name
If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.
Website Appearance
The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value. Framing also hides the third party's own address from the customer; opening the linked site outside the institution's frame, so that the third party's identity is visible in the browser, removes this source of confusion.
The compliance risk to an institution linking to a third party's website depends on several factors. These factors include the nature of the products and services provided on the third party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).[5]
The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have weaker encryption practices, or less stringent policies regarding the use and security of their customers' information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.[6]
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link as discussed in the prior section.[7]
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include: due diligence with respect to third parties to which the financial institution is considering links; and written agreements with significant third parties.
A financial institution should conduct sufficient due diligence to determine whether it wishes to be associated with the quality of products, services, and overall content provided by third-party sites. A financial institution should consider more product-focused due diligence if the third parties are providing financial products, services, or other financial website content. In this case, customers may be more likely to assume the institution reviewed and approved such products and services. In addition to reviewing the linked third party's financial statements and its customer service performance levels, a financial institution should consider a review of the privacy and security policies and procedures of the third party.[8] Also, the financial institution should consider the character of the linked party by considering its past compliance with laws and regulations and whether the linked advertisements might be viewed as deceptive advertising in violation of Section 5 of the Federal Trade Commission Act.
If a financial institution receives compensation from a third party as the result of a weblink to the third-party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:
- dissatisfied purchasers of third-party products or services;
- patent or trademark holders for infringement by the third party; and
- persons alleging the unauthorized release or compromise of their confidential information, as a result of the third party's conduct.
The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.
In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations.[9] For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.
Implementing Weblinking Relationships
The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy policies do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. Displaying the disclosure conspicuously, by placing it on the appropriate webpage and by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.
In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.
A "pop-up" is a separate window or overlay generated by code that runs in the customer's browser (client-side script such as JavaScript, or browser plug-ins such as Java applets or ActiveX controls) when the customer clicks on a particular hyperlink. The same mechanisms are widely used to push unsolicited messages onto users' screens, and at times the code involved is malicious, delivering malware or enabling unauthorized access to a user's personal information. As a result, many customers configure their browsers, or install blocking software, to suppress pop-ups altogether. A disclosure delivered as a pop-up may therefore never be displayed, and the institution has no way of knowing whether the customer saw it.
In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, the speedbump avoids the problems of pop-up technology because it is not generated by client-side code; it is an ordinary page served by the institution's own web server in the normal navigation flow, with the onward link to the third party on that page. It is therefore not affected by pop-up blockers or browser settings, and the customer cannot reach the third-party site through the institution's link without passing through it.
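The server-side speedbump described above, as an added example that is not part of the guidance or any institution's code: a minimal Python WSGI application that serves the exit-page disclosure from the institution's own server, with no client-side script involved. The link ids, destination URLs, and disclosure wording are assumptions for illustration. The design point worth noting is that the destination comes from a server-side registry of reviewed links rather than from a URL parameter in the request; an exit page that forwards to whatever `?url=` it is given can be used by a phisher to make a link into an attacker's site look like it originates from the institution.

```python
"""Server-rendered 'speedbump' interstitial for outbound weblinks.

Added example, not from the guidance: a minimal WSGI app that serves the
exit-page disclosure from the institution's own server, with destinations
taken from a server-side registry instead of a user-supplied URL parameter.
Link ids, destinations and disclosure wording below are assumptions.
"""
from html import escape
from typing import Optional
from wsgiref.simple_server import make_server

# Hypothetical registry of approved outbound links, keyed by an opaque id.
# Only destinations reviewed under the institution's due-diligence process
# belong here; the id is what appears in the institution's own pages.
LINK_REGISTRY = {
    "discount-broker": {
        "url": "https://broker.example/",
        "name": "Example Discount Brokerage",
        "financial": True,   # financial product: stronger disclosure
    },
    "weather": {
        "url": "https://weather.example/",
        "name": "Example Weather Service",
        "financial": False,
    },
}

DISCLOSURE = ("You are leaving the bank's website. The bank does not provide "
              "and is not responsible for the products, services or content "
              "of the site you are about to visit, and the bank's privacy and "
              "security policies do not apply there.")
FINANCIAL_DISCLOSURE = ("Products offered on the linked site are not deposits, "
                        "are not insured by the FDIC, and are not guaranteed "
                        "by the bank.")


def internal_href(link_id: str) -> str:
    """Link to embed in the institution's own pages: it points at the speedbump,
    never directly at the third party, so the disclosure cannot be skipped."""
    if link_id not in LINK_REGISTRY:
        raise KeyError(f"unregistered link id: {link_id}")
    return f"/leaving/{link_id}"


def render_speedbump(link_id: str) -> Optional[str]:
    """Return the interstitial HTML for a registered link id, or None.

    The destination comes from the registry, not from the request, so this
    endpoint cannot be turned into an open redirect to an attacker's site.
    """
    entry = LINK_REGISTRY.get(link_id)
    if entry is None:
        return None
    notice = DISCLOSURE + (" " + FINANCIAL_DISCLOSURE if entry["financial"] else "")
    # rel="noopener noreferrer": the third-party page gets no window.opener
    # handle back to the bank's tab and no Referer header from the bank's site.
    return (
        "<!doctype html><html><body>"
        f"<h1>Leaving the bank's website</h1><p>{escape(notice)}</p>"
        f'<p><a href="{escape(entry["url"])}" rel="noopener noreferrer">'
        f'Continue to {escape(entry["name"])}</a> | <a href="/">Stay here</a></p>'
        "</body></html>"
    )


def speedbump_app(environ, start_response):
    """WSGI entry point: GET /leaving/<id> serves the interstitial."""
    path = environ.get("PATH_INFO", "")
    prefix = "/leaving/"
    body = render_speedbump(path[len(prefix):]) if path.startswith(prefix) else None
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"unknown link"]
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Cache-Control", "no-store"),
               # the disclosure page itself must not be framed by another site
               ("X-Frame-Options", "DENY")]
    start_response("200 OK", headers)
    return [body.encode("utf-8")]


if __name__ == "__main__":
    with make_server("127.0.0.1", 8000, speedbump_app) as httpd:
        print("speedbump on http://127.0.0.1:8000/leaving/discount-broker")
        httpd.serve_forever()
```

Run the file and open `/leaving/discount-broker` to see the financial-product disclosure; `/leaving/weather` gets only the general notice, and any id not in the registry returns 404 rather than forwarding anywhere. Adding a link to the institution's site then means adding a reviewed entry to the registry, which ties the technical control to the due-diligence step.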
Customer Service Complaints
Financial institutions should have plans to respond to customer complaints, including those regarding the appropriateness or quality of content, services, or products provided or the privacy and security policies of the third-party site. The plan also should address how the financial institution will address complaints regarding any failures of linked third parties to provide agreed upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the activities of linked third parties as a part of its risk management strategy. Monitoring policies and procedures should include periodic content review and testing to ensure that links function properly, and to verify that the levels of services provided by third parties are in accordance with contracts and agreements.[10] Website content is dynamic, and third parties may change the presentation or content of a website in a way that results in risk to the financial institution's reputation. Periodic review and testing will reduce this risk exposure. The frequency of review should be commensurate with the degree of risk presented by the linked site.
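The periodic link testing described above, as an added example that is not part of the guidance: a Python check that, for each registered link, fetches the destination, confirms it still answers over HTTPS on the host that was reviewed, and compares a hash of the page body against the baseline captured when the link was approved, so that content changes are flagged for human re-review rather than silently accepted. The fetch function is injectable; the records, page bodies and fake fetcher below are constructed for this example and stand in for the network so the check runs offline.

```python
"""Periodic check of registered outbound weblinks.

Added example, not from the guidance: verify each approved link still
resolves, over HTTPS, to the reviewed host, and flag content changes by
comparing a body hash to the baseline recorded at approval time.
The sample records and the fake fetcher are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlsplit
from urllib.request import urlopen


@dataclass
class FetchResult:
    final_url: str   # URL after any redirects were followed
    status: int
    body: bytes


@dataclass
class LinkRecord:
    link_id: str
    url: str
    baseline_sha256: str   # hash of the body recorded when the link was approved


def body_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def live_fetch(url: str, timeout: float = 10.0) -> FetchResult:
    """Real fetcher for production use: urlopen follows redirects and
    geturl() reports where the request actually ended up."""
    with urlopen(url, timeout=timeout) as resp:
        return FetchResult(resp.geturl(), resp.status, resp.read())


def check_link(rec: LinkRecord, fetch: Callable[[str], FetchResult]) -> List[str]:
    """Return the findings for one link; an empty list means nothing changed."""
    findings: List[str] = []
    try:
        result = fetch(rec.url)
    except Exception as exc:   # DNS failure, timeout, TLS error, ...
        return [f"fetch failed: {exc}"]
    if result.status != 200:
        findings.append(f"status {result.status}")
    expected = urlsplit(rec.url)
    final = urlsplit(result.final_url)
    if final.scheme != "https":
        findings.append(f"destination is not HTTPS: {result.final_url}")
    if final.hostname != expected.hostname:
        # The reviewed host now sends visitors elsewhere (new owner, expired
        # domain, acquisition): treat it as a new link that needs review.
        findings.append(f"redirected off-host to {final.hostname}")
    current = body_hash(result.body)
    if current != rec.baseline_sha256:
        findings.append(f"content changed (sha256 {current[:12]}...)")
    return findings


def run_monitor(records: List[LinkRecord],
                fetch: Callable[[str], FetchResult]) -> Dict[str, List[str]]:
    return {r.link_id: check_link(r, fetch) for r in records}


# --- constructed sample data; none of these hosts are real sites -------------
APPROVED_BODY = b"<html>Welcome to Example Brokerage</html>"
CHANGED_BODY = b"<html>Welcome to Example Brokerage - now offering crypto!</html>"

SAMPLE_RECORDS = [
    LinkRecord("broker", "https://broker.example/", body_hash(APPROVED_BODY)),
    LinkRecord("weather", "https://weather.example/", body_hash(b"<html>sunny</html>")),
    LinkRecord("insurer", "https://insurer.example/", body_hash(b"<html>quotes</html>")),
    LinkRecord("dead", "https://gone.example/", body_hash(b"")),
]


def fake_fetch(url: str) -> FetchResult:
    """Stands in for the network in this example."""
    responses = {
        "https://broker.example/": FetchResult("https://broker.example/", 200, CHANGED_BODY),
        "https://weather.example/": FetchResult("https://weather.example/", 200, b"<html>sunny</html>"),
        # the insurer's domain now redirects to an unrelated host over plain HTTP
        "https://insurer.example/": FetchResult("http://parked.example/", 200, b"for sale"),
    }
    if url not in responses:
        raise ConnectionError("name not resolved")
    return responses[url]


if __name__ == "__main__":
    for link_id, findings in run_monitor(SAMPLE_RECORDS, fake_fetch).items():
        print(link_id, "OK" if not findings else "; ".join(findings))
```

Replace `fake_fetch` with `live_fetch` to run it against real destinations from a scheduled job. A whole-page hash is deliberately coarse: any change, including a harmless one, produces a finding, which is the right default for a link whose review the institution wants a person to repeat, and the baseline is reset only after that review.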
Managing Service Providers
When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. In addition, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.
Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.
[1] The Agencies intend this guidance to apply to the following institutions: insured state non-member banks, national banks, insured state branches of foreign banks, federal branches of foreign banks, federal and state chartered credit unions insured by the NCUA, savings associations, and any subsidiaries of such entities (except functionally regulated subsidiaries including SEC regulated securities brokers/dealers, investment companies and investment advisors and state insurance regulated entities).
[2] Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
[3] This guidance applies to links to third parties that offer products, services, or information directly to financial institution customers. It does not apply to operational links from a financial institution's website to a third party service provider that is providing services on behalf of the financial institution, e.g., a link to the institution's Internet banking service provider.
[4] The Agencies' categories of risk include credit, market, liquidity, operational, legal, reputational, interest rate, price, foreign exchange, transaction, compliance, and strategic.
[5] Section 8 of RESPA (12 USC 2607). The Department of Housing and Urban Development (HUD) issued a policy statement on June 7, 1996 entitled "Computer Loan Origination Systems" that addresses some issues that may arise in a weblinking arrangement. 61 Fed. Reg. 29,255. At this time, however, HUD has not provided guidance on how section 8 of RESPA applies to weblinking arrangements.
[6] Title V of the Gramm-Leach-Bliley Act (Pub. L. 106-102) and the agencies' implementing regulations (12 CFR Parts 40, 332, 573, and 716, hereinafter referred to as the "Privacy Regulations") govern the disclosure of nonpublic personal information by financial institutions to nonaffiliated third parties. The Agencies have also adopted the Guidelines Establishing Standards for Safeguarding Customer Information (12 CFR Parts 30, app. B; 364, app. B; 570, app. B; and 748, app. A).
[7] See Risk Management of Outsourced Technology, FFIEC, (November 28, 2000); http://www.ffiec.gov/exam/InfoBase/documents/02-ffi-risk_mang_outsourced_tech_services-001128.pdf
[8] Useful information on the customer service performance of a potential linking party may be available in a number of ways. For example, the financial institution may ask the party directly for information on its level of customer complaints or it can check with organizations such as the Better Business Bureau or any functional regulator of the linking party.
[9] Under the Privacy Regulations, generally, financial institutions may not disclose non-public personal information about a customer to non-affiliated third parties without notifying the affected consumer about the disclosure and must provide him or her with an opportunity to exercise his or her opt-out right. However, there are certain exceptions to the notice and opt-out requirements, such as circumstances in which a financial institution discloses information in connection with the servicing or processing of a financial product that a consumer has requested (12 CFR §§ 40.14, 332.14, 573.14 and 716.14) and the disclosing of information to an unrelated financial institution under a "joint marketing agreement" (12 CFR §§ 40.13, 332.13, 573.13 and 716.13).
[10] In monitoring the customer service levels of linked parties, an institution can review its own records of customer complaints received regarding a particular party. The institution might also consider the other sources described above in footnote 8 on due diligence.
When Internet Scam Artists Go "Phishing," Don't Take the Bait
How to avoid being lured into giving out personal information
Law enforcement officials use the word "phishing" to describe a type of identity theft by which scammers use fake Web sites and e-mails to fish for valuable personal information from consumers. The FBI also is calling it the "hottest and most troubling new scam on the Internet." Even the FDIC's good name was used fraudulently in a phishing scheme.
In the typical phishing scam, you receive an e-mail supposedly from a company or financial institution you may do business with or from a government agency. The e-mail describes a reason you must "verify" or "re-submit" confidential information, such as bank account and credit card numbers, Social Security numbers, passwords and personal identification numbers (PINs), using a return e-mail, a form on a linked Web site, or a pop-up message with the name and even the logo of the company or government agency. Perhaps you're told that your bank account information has been lost or stolen or that limits may be imposed on your account unless you provide additional details. If you comply, the thieves hiding behind the seemingly legitimate Web site or e-mail can use the information to make unauthorized withdrawals from your bank account, pay for online purchases using your credit card, or even sell your personal information to other thieves.
"These thieves are very good at convincing you that you are receiving a legitimate message or using a Web site from a trusted source," says Michael Benardo, a manager in the FDIC's Technology Supervision Branch.
While federal and state laws and industry practices generally limit dollar losses for unauthorized transfers from accounts, if an ID thief uses your name to commit fraud you are likely to spend a great deal of time and money, sometimes hundreds or thousands of dollars, correcting your credit files or otherwise defending yourself. Therefore, it's very important to be on guard against phishing scams and other types of Internet fraud.
Never provide your personal information in response to an unsolicited call, fax, letter, e-mail or Internet advertisement.
"If you did not initiate the communication, do not give this information, regardless of how legitimate or genuine these people or entities may appear to be," says William Henley, Jr., an FDIC electronic banking specialist.
If you decide to initiate a transaction with a bank or other entity on the Web, take some simple precautions.
Don't provide personal information to a Web site using a link from an e-mail or an Internet advertisement, no matter how legitimate it may appear. "Clicking on a link in an e-mail or an Internet ad is very risky," says Donald Saxinger, another FDIC electronic banking specialist. "You're always safer typing in the URL (Web address) from scratch, assuming you type it in correctly." The problem with typing a URL incorrectly or guessing about a Web address is that some fraudulent, copycat sites deliberately use URLs that are very similar to, but not the same as, those for well-known companies or government agencies. When contacting your bank, for example, use the phone number or Web address listed on your monthly statements or other literature from the institution.
Quickly report anything suspicious to the proper authorities.
Report any questionable e-mail message or Web site to the real bank, company or government agency, using a phone number or e-mail address from a reliable source. Example: If your bank's Web page looks different or unusual, contact the institution directly to confirm that you haven't landed on a copycat Web site set up by criminals. "Customer inquiries about changes to a Web site are one of the most prevalent ways that banks and other organizations are finding out about unauthorized sites containing the look and feel of a legitimate Web site," says Paul Onischuk, also an FDIC electronic banking specialist. And if you're pretty sure an e-mail or Web site is fraudulent, contact the Internet Crime Complaint Center (www.ifccfbi.gov), a partnership between the FBI and the National White Collar Crime Center.
What if you believe you're already a victim of ID theft, perhaps because you submitted personal information in response to a suspicious, unsolicited e-mail or you spotted unauthorized charges on your credit card? Immediately contact your financial institution and, if necessary, close existing accounts and open new ones. Also contact the police and request a copy of any police report or case number for later reference. In addition, call the three major credit bureaus (Equifax at 800-525-6285, Experian at 888-397-3742 and TransUnion at 800-680-7289) to request that a fraud alert be placed on your credit report.
You also can file a complaint or learn more about ID theft by going to the Federal Trade Commission Web site at www.ftc.gov or calling toll-free 877-382-4357.