From Bud Genovese, Chairman
This advisory details proactive steps to help reduce your liability related to website compliance with the Americans with Disabilities Act (ADA). Financial institution websites remain a target for ADA lawsuits. Kevin Tsuei, Technology Practice Director, AuditOne LLC, has listed risk-reducing solutions to consider – including an audit for compliance vulnerabilities and how to remediate them. I hope you find this article useful, and please share it with your colleagues having responsibilities related to technology compliance. Thank you, — Bud
ADA Website Access Lawsuits Proliferating: What to Do About It
Many of you may have been hit with a lawsuit or other notification regarding Americans with Disabilities Act (ADA) deficiencies in your website access. If not, you certainly would be aware of others who have. The number of such lawsuits tripled in 2018 and continues to surge this year. Banks, by providing customers with internet access to information and services, have been a major (though certainly not the only) target. The trend has been fueled by significant penalties coming out of some recent rulings.
Title III of the ADA obliges banks to ensure website access to those impaired in terms of sight (e.g., font size), hearing (e.g., audio messages) or mobility (e.g., keyboard versus mouse). While the Department of Justice (DOJ) is charged with ADA enforcement, it has yet to issue formal guidelines and has refused to get involved in recent lawsuits, referring such matters to state bar associations. The lack of DOJ guidance has been a concern (e.g., a high-profile California case brought by Domino’s where the court ruled that the company must meet ADA requirements even in the absence of DOJ specifications). However, it is notable that both the ADA and DOJ have endorsed the 2017 Website Accessibility Standards based on the World Wide Web Consortium’s (W3C’s) Web Content Accessibility Guidelines (WCAG) 2.0; level AA of WCAG 2.0 applies to banks.
So what’s a banker to do? Settling may be easier in the short term, but it’s not a permanent solution and can leave the bank vulnerable to further actions. Review your contracts with your core system and other online service providers, to verify their obligations as regards ADA compliance. And take action – hopefully ahead of any legal entanglements. Software is available to test for access concerns, though the subjectivity involved in such determinations means that combining software and human testing is generally recommended.
This is the approach we have taken at AuditOne, in our work with various clients to help them both assess and address accessibility issues. The first step is to establish internal processes and procedures in this area, which should include:
- Ensure that design changes and new content are not added to your website until they are made (and confirmed to be) accessible.
- Establish periodic website accessibility training for in-house staff and contractors.
- Conduct periodic testing to ensure that your website is/remains accessible.
- Create a tracking log that includes a plan and timeframe for making your existing web content accessible.
- Establish procedures to assure, among other things, a quick response to visitors who provide website accessibility feedback.
The second step is to post a website accessibility policy on your informational website, to include the following topics:
- The Bank’s plans or commitments to ensure your website is accessible by a screen reader – for example, by complying with W3C WCAG 2.0 Level AA guidelines and conducting periodic testing to ensure compliance.
- Invite website visitors to suggest improvements.
- Add easily locatable information, such as telephone number or contact form, to report website accessibility problems or request accessible services and information.
- Offer alternate ways for people with disabilities who cannot access information or services through the Bank’s website – for example, an invitation to visit a local ADA-compliant branch or ATM, or to contact the Bank by telephone, e-mail or snail mail.
While financial regulators do not require periodic testing in this area, such testing can help enhance the Bank’s controls over website accessibility. During the review that we perform for our clients, not only do we audit the controls listed above but we also conduct both an automated compliance scan and a manual review. The key goals of these reviews are to:
- Identify common and specific website accessibility issues on the Bank’s informational website, down to the actual lines of code that are causing the accessibility issue. This allows the institution to work with its in-house or outsourced developers to improve the site so as to make the content more accessible.
- Identify navigational feedback and feature problems for those who are visually impaired and use a screen reader. The manual review is conducted by a non-profit group that supports people who are visually impaired and are users of assistive technologies. The manual review has provided valuable feedback for our clients who do not themselves use or have access to such technologies on a day-to-day basis.
AuditOne LLC – Company Overview
AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising ADA Website Compliance Audits, IT/Information Security, Network Tests, Credit Review/ALLL, BSA/Compliance, ACH Rules Compliance, Operations, Trust and Asset/Liability Management (ALM) audits, SOX/FDICIA Testing, and many specialty areas within each of these.
Our deep expertise is your edge. For more information on this article, or to receive a proposal for an ADA Website Compliance Audit, please contact Kevin Tsuei, Technology Practices Director, AuditOne LLC. For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO. Also, for more information about AuditOne LLC and all of our audit services, see AuditOneLLC.com.