(a) A credit union may use, or participate with others
to use, electronic means or facilities to perform any function or
provide any product or service as part of an authorized activity.
Electronic means or facilities include, but are not limited to, automated
teller machines, automated loan machines, mobile applications, personal
computers, the Internet, telephones, and other similar electronic
devices.
(b) To optimize the use of its resources, a credit
union may market and sell, or participate with others to market and
sell, electronic capacities and by-products to others, provided the
credit union acquired or developed these capacities and by-products
in good faith as part of providing financial services to its members.
(c) If a credit union uses electronic means and facilities
authorized by this rule, the credit union's board of directors must
require staff to:
(1) Identify, assess, and mitigate potential risks
and establish prudent internal controls, and system backup procedures;
(2) Implement security measures designed to ensure
secure operations. Such measures should take into consideration:
(A) the prevention of unauthorized access to credit
union records and credit union members' records;
(B) the prevention of financial fraud through the use
of electronic means or facilities; and
(C) compliance with applicable security device requirements
for teller machines contained elsewhere in Chapter 91; and
(3) Employ an incident response plan, which has been
subjected to reasonable testing, to minimize the impact of a data
breach or other electronic incident while quickly restoring operations,
credibility, and security.
(d) All credit unions engaging in such electronic activities
must comply with all applicable state and federal laws and regulations
as well as address all safety and soundness concerns.
(e) A credit union shall review, on at least an annual
basis, its system backup procedures for all electronic activities.
(f) A credit union shall not be considered doing business
in this State solely because it physically maintains technology, such
as a server, in this State, or because the credit union's product
or services are accessed through electronic means by members located
in this State.
(g) A credit union that shares electronic space, including
a co-branded web site, with a credit union affiliate, or another third-party
must take reasonable steps to clearly and conspicuously distinguish
between products and services offered by the credit union and those
offered by the credit union's affiliate, or the third-party.
|
Source Note: The provisions of this §91.4001 adopted to be effective May 13, 1999, 24 TexReg 3475; amended to be effective May 11, 2000, 25 TexReg 3953; amended to be effective December 8, 2002, 27 TexReg 11074; amended to be effective March 13, 2006, 31 TexReg 1648; amended to be effective March 29, 2018, 43 TexReg 1837 |