One-Click Violations and Other Cyber-Risks
Cocheo, Steve, ABA Banking Journal
Some bankers grow weary of multiple "hats." But not Andy Zavoina.
In fact, in some ways, this makes life easier for the Texas banker.
Zavoina is a veteran compliance officer who is familiar to many in the bank compliance fraternity as an early advocate of using the world wide web to improve compliance. His personal web site (www.vvm.com/~zavoina) is a trove of compliance aids.
At the two institutions he works for, First National Bank Texas, Killeen, and Fort Hood National Bank, Zavoina is senior vice-president and compliance officer. But he is also webmaster for both banks' sites.
This suits him fine, because Zavoina believes successful website compliance is the product of a meeting of minds between webmaster and compliance guru. Webmasters that ignore compliance put the bank on the express route to violations, and compliance officers who don't develop a detailed understanding of how their sites work can't ensure compliance.
"If you are not your site's webmaster, you want to get involved with your webmaster to find out how that site works," Zavoina told bankers listening in on an ABA audio teleconference presented earlier this year.
Cute, but is it legal?
There are many items on a web page that are just "graphics" to a webmaster, for instance, but that are essential compliance details to a compliance officer. Such things can't be tampered with in the name of "art" or "style."
Bolded or italicized type, borders, boxes, and more may be critical elements when "clear and conspicuous" standards are included in this reg or that, for instance.
Similarly, in an age when privacy concerns are rampant among customers--and the days for complying with the new federal rules are ticking down--understanding how the bank's site uses "cookies" is likewise essential for the compliance officer.
And Zavoina says Compliance will find the web to represent an ongoing commitment.
"The compliance professional must stay involved in web site construction," one way or the other, said Zavoina. Even if a site starts out in compliance, he said, webmasters tend to go off the reservation in the absence of a compliance officer's informed background.
A webmaster with new electronic survey software, for instance, may choose to design a customer poll that helps a prospect find what the webmaster considers to be the loan type that best matches his or her needs. While the aim of customer convenience may be commendable, the results may be horrendous, in compliance terms, said Zavoina. To an examiner, such a survey can be shown to be "steering" certain types of customers towards certain types of products--possibly triggering a fair-lending issue.
Moving on, Zavoina said that there is a flip side to the challenge of the "look" and structure of the bank's website. This is how the absence of graphics, for customers who use their web browser with graphics turned off or minimized, will affect the utility and compliance of your bank's site. If there is a feature to an application or a product page that is required for compliance, the bank must find a way to make it appear in all modes or, alternatively, offer a text label that will definitely appear in place of the graphic.
"You can't force a web site user to look at a picture," said Zavoina, "but you can provide a bit more information."
Beginning at the beginnings
Zavoina believes the key to building web compliance is starting with the fundamentals.
"You have to remember the spirit and intent of the regulations," the Texan explained. "As you keep that in mind, the more likely you'll be able to keep compliance on track and not have violations." (See the box, "You've got violations," on the opening page, for the most common ones that the agencies see.)
Besides the regulations themselves, there are two documents that compliance officers getting involved in the web need to be familiar with. …