II.C.16(a) Customer Awareness
The institution's customer awareness and education efforts should consider both retail and commercial account holders and include the following elements:
- An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts accessible online.
- An explanation that while the institution may contact a customer regarding his or her account or suspicious activities related to his or her account, the institution should never ask the customer to provide his or her log-in credentials over the phone or via e-mail.
- A list of recommended controls and prudent practices that the customer should implement when using the institution's remote financial services.
- A suggestion that commercial online customers perform a related risk assessment and controls evaluation periodically.
- Recommendations of technical and business controls to commercial customers that can be implemented to mitigate the risks from fraud schemes such as Business Email Compromise. (See Federal Bureau of Investigation, Alert I-012215-PSA.)
- A method to contact the institution if customers notice suspicious account activity.