"Friday Fun: Regulatory Requirements for Online Account Openings"
Greetings, Compliance Friends! Opening accounts online is a major convenience for members. However, for compliance officers, the online account opening process is riddled with potential pitfalls. For example, when and how does the credit union provide the account opening disclosures? Today's blog is meant to be a high-level review of some of the relevant requirements credit unions may want to consider when establishing online account opening policies and procedures.
Bank Secrecy Act
From a BSA standpoint, opening accounts online can represent risks related to a credit union's Customer Identification Program (CIP) and Know Your Customer requirements. Generally, a credit union's CIP program is based on its own risk assessment and not prescriptive requirements. From a CIP perspective, however, members opening accounts online is generally considered higher risk. From NAFCU's understanding, many financial institutions utilize complex vendor software in order to ensure the CIP requirements are met when individuals seek to open accounts online.
The FFIEC BSA/AML exam manual discusses "non documentary" methods of verifying identity that may also be helpful to the credit union. Note, the BSA requires that the credit union know the member's identity with reasonable certainty and have the member's name, address, date of birth and identification number, so that guides what needs to be verified.
However, a consumer must fall within the field of membership before they can be admitted as a member in the credit union. This determination will depend on the credit union's statement of its field of membership, the clause of the statement relied on by the potential member, and the credit union's policies and procedures.
Note, Article II, Section 2 of NCUA's FCU Bylaws requires a member to sign an application for membership. The credit union might verify this language in its own bylaws, and if it does appear, consider electronic signatures under the E-SIGN Act or whether it will require a member to come in and provide a wet signature for the signature card and to establish insurance under Part 745.
As an additional reference, NCUA Opinion Letter 2004-0543 discusses electronic signatures in the membership context.
The E-SIGN Act requires credit unions to receive the member's affirmative consent to receive electronic records. See, 15 U.S.C. § 7001(c). As an industry standard, it seems many credit unions require members to comply with the E-SIGN consent and procedures when registered for online banking to give legal effect to the disclosures transmitted to the members through the online banking platform.
For more information, NCUA issued a Risk Alert soon after the E-SIGN Act became effective in March 2001. Here is an additional link for your reference: Consumer Compliance Outlook 4Q Article on ESIGN.
The determination whether a credit union is required to provide additional disclosures when a member establishes an account online depends on what other types of products or services the member is requesting. For example, if the member requests a debit card to execute electronic fund transfers, then the credit union would need to comply with Regulation E.
Regulation E requires initial disclosures be provided "at the time a consumer contracts for an electronic fund transfer service or before the electronic fund transfer is made involving the consumer's account." Below are some Regulation E links of interest:
- Section 1005.4 contains general disclosure requirements and references providing disclosures electronically (E-SIGN)
- Section 1005.7 contains requirements for initial account disclosures
- Supplement I to Part 1005 contains commentary to both sections that clarifies requirements
- Appendix A contains Model Forms for Regulation E – Model Form A-2 applies to initial account disclosures
Truth in Savings
NCUA's Truth in Savings Rule has a similar requirement that specifies that a credit union must provide account opening disclosures before the account is opened or a service is provided in connection with the account. See, 12 C.F.R. § 707.4(a)(1)(ii).
Here are some Truth in Savings links of interest:
- Section 707.4 contains the requirements for delivery of initial account disclosures
- Section 707.3 describes how disclosures can be provided electronically (i.e., following E-SIGN) and the relationship to Regulation E
- Appendix C contains commentary to both sections that clarifies requirements
- Appendix B contains Model Forms for TIS – Model Form B-1 applies to initial account disclosures
Under the GLBA, Initial Privacy Notices and Opt-Out Notices can be provided electronically. The notices can be delivered pursuant to the E-SIGN Act, or in certain circumstances, the notices can be delivered when the consumer is conducting transactions electronically. Under section 1016.9(b)(1)(iii), it is considered valid delivery to post the privacy notice on a website and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service.
Another privacy consideration for online banking is the Children’s Online Privacy Protection Act (COPPA). COPPA imposes certain requirements on operators of websites or online services directed to children. Credit unions are subject to COPPA if they operate a website or online service directed to children, or have actual knowledge that they are collecting or maintaining personal information from a child online. Making COPPA determinations generally requires an analysis of the specific facts and circumstances surrounding a credit union’s online activities against the requirements of COPPA. Thus, a credit union may want to work with local counsel to see if COPPA applies. The FTC’s website has an excellent overview of COPPA.
Lastly, there may be state law considerations. An online banking agreement establishes contractual obligations between the credit union and the member. The credit union may consider consulting with local counsel to develop a comprehensive agreement that includes, but is not limited to: balance and transaction information; password creation and maintenance; access authorization; and technical assistance.
Below are a few resources on authentication, cybersecurity, and other issues related to online banking:
- The NCUA Official Sign is required on a webpage where a credit union accepts deposits or opens accounts under section 740.4(a). Downloadable graphics of the sign are available here.
- Regulation CC requires the credit union to provide disclosures relating to funds availability “before opening a new account,” under section 229.17.
- NCUA Letter to Credit Unions 2011-CU-09 discusses Online Member Authentication Guidance.
- FFIEC IT Booklets provide guidance on cybersecurity considerations.