
2nd National ISACA Sri Lanka Chapter Conference, Colombo, Sri Lanka - 2006

Managing Risks of Internet Banking


Priam Kasturiratna
MBA (Sri J), AIB (Sri Lanka), PG DIP in Business & Financial Administration (ICASL) Email: kasturi@itsys.sampath.lk

Abstract
Internet Banking is one of the fastest growing delivery channels in the Banking Industry. While providing customers with a long list of benefits, Internet Banks work hard to manage Risk. Today's banks adopt various techniques to identify and manage Internet Banking Risks. This paper discusses the range of Risks applicable to Internet Banking services, and illustrates how Risk Mitigation is achieved in Internet Banking environments.

I. Introduction
Internet Banking has expanded rapidly among banking customers during recent years. Penetration of Information Communication Technology into financial and commercial fields, and then into daily lifestyles, has created a need and liking for Internet Banking in both Retail and Commercial customer segments. Today, in 2006 AD, Internet Banking is only a ten-year-old product that has attracted a vast number of Banking Customers, and has become a vital topic in industry forums. Looking back at the history of the centuries-old traditional Banking industry, Internet Banking is perhaps the most sought after offering. While the benefits of Internet Banking are so many, Bankers make substantial efforts behind the scenes to manage the Risks of Internet Banking.

II. What is Internet Banking, and the Risks in it


Internet Banking is defined as the use of the Internet as a remote Delivery channel for Banking Services. Services could be limited to Inquiries on Banking accounts, or extend to traditional Banking services like Transfer of Funds, Ordering Cheque Books, Stop Payments and Account Opening, with or without new Types of Services like Electronic Bill Payment and Presentment. Three broad categories of Internet Banking services are:
A. Inquiry Only Services
B. Transactional Services with Inquiries
C. Fully Fledged Internet Only Banking with Online Account Opening, Transactions and Inquiries
Risk in Internet Banking is defined as an act or an event that would have an adverse impact on the Internet Banking Customer, the Bank or any Banking System.

III. Different Categories of Internet Banking Risks


Risk Categories of Internet Banking are almost similar to the Risks faced by traditional, automated Financial Institutions.
A. Strategic Risk
B. Legal and Regulatory Compliance Risk
C. Transactional Risk
D. Marketing and Reputational Risk
E. Credit Risk
F. Exchange Risk
G. Interest Rate Risk
H. Liquidity Risk
I. Information Security Risk
Although the Risk categories are the same, the applicability and the magnitude of Risk could vary depending on the degree of Automation and Services offered by a specific Bank.

A. STRATEGIC RISK
Strategic Risk is the current and prospective effect on earnings or capital arising from:
1. Adverse business decisions
2. Improper implementation of decisions
3. Lack of responsiveness to Industry/environmental changes
The majority, if not all, of strategic business decisions linked to Internet Banking will create at least a minimal Strategic Risk. Typical business decisions could be:
1. Whether to offer Internet Banking or not
2. Which Category of Internet Banking to offer (Inquiry, Transactional or Fully Fledged)
3. What Risk Limiting Controls to implement
4. Product Positioning
5. Fee Structures
6. Emphasis and Investment on Business Continuity
7. Reaction to Competition
8. Reaction to changes affecting the Industry or environment

B. LEGAL AND REGULATORY COMPLIANCE RISK
Risk to earnings or capital arising from violations of or non-conformity to:
1. Laws
2. Regulations
3. Rules
4. Prescribed Practices
5. Ethical Standards
6. Contractual Terms
Assets can become less worthy, liabilities could increase, or existing laws may fail to address issues faced by the Bank.

Legal and Compliance Risks can arise from inadequate or incorrect legal advice, documentation, and from amendments to existing Laws or Rules/Regulations. Legal Risk is sometimes difficult to assess and therefore to mitigate successfully. This happens especially in jurisdictions with underdeveloped legal structures governing electronic transactions and commerce. Sri Lanka, for example, has an underdeveloped legal structure applicable to Internet Banking. Manual Signatures are still mandatory for Contracts, and both Internet Banking and Traditional Banking activities are governed under the same sections of Law. Therefore, Banks use a combination of Banking Law, Contract Law and Banking Practices to cover Legal Risks. Dependable Legal Advice on Internet Banking could be a scarce resource in situations where the country's Electronic Transactions Law and related Legal Expertise develop at a slower pace than Internet Banking. Banks must keep an open eye and appropriately manage Legal Risks under changing Legal frameworks. Introducing new types of services or transactions on the Internet is quite a challenging task. Establishing the legal/regulatory rights of parties is very important in designing documentation such as agreements or contracts. Proper completion of documentation is equally important in every contract, including Service Level Agreements and Internet Banking Service related applications completed at the operational level. Documentation procedures should be comprehensive, with signature verifications, establishing a customer's rights to access or transact on accounts, multi-currency transaction capabilities, safe custody and preservation of documents throughout the period of services and up to the prescribed number of years for preserving documents. Regulations and Rules imposed by Regulatory Bodies are to be taken into account when the services are designed, and such should be adequately covered in contractual documents.
If an amendment to existing Rules/Regulations requires an amendment to the existing contracts, such changes should be duly incorporated immediately.

C. TRANSACTIONAL RISK
Transactional Risk is the current or future effect on earnings or capital due to errors, frauds or failure to maintain service levels of transaction/s. Transactions are defined as Business events or information grouped together due to having a similar or single business purpose. Transactional Risk can arise from a financial transaction or a non-financial transaction like a Stop Payment, or a Change of Customer Address. In a hypothetical situation, a Cheque Stopped via Internet Banking gets paid later due to a delay in updating the Banking System. In another, confirmation of a Bill Payment during the night may fail to reach the Billing Company due to a faulty communication link, and as a result the Utility Service (could be Electricity, Telephone etc.) gets disconnected. Both fall into Transactional Risk conditions created via Internet Banking. Transactional Risk can vary with the obvious Business value of the particular transaction to the customer. If the customer proves that the Bank has not taken Reasonable Efforts in performing its duties, or has been negligent, the resulting loss (Risk) to the Bank could be even more than the monetary value of the transaction. Mitigating Transactional Risk can become a strenuous task due to dependencies on third party service providers, 24X7 services and the complexity of system structures. Preventive measures in a couple of areas would not be effective due to the many possible avenues that could originate a Transactional Risk. The effective way to mitigate Transactional Risk is to develop an Information Security Governance Framework so that the entire range of possibilities is covered.

D. MARKETING AND REPUTATIONAL RISK
Marketing/Reputational Risk can be defined as the current or prospective effect on earnings or capital arising out of Negative Public Opinion. Marketing/Reputational Risk affects the organisation's ability to establish new business/services, could hamper continuity of present business/services, and could even result in litigation. Poor Service Quality can make an Internet Bank especially vulnerable to Marketing/Reputational Risk.

Internet Banking customers get less opportunity to personally discuss their problems compared to traditional Banking, hence they are more likely to get frustrated and go to a competitor. When a Bank shifts its emphasis more towards Internet Banking, it could result in gradual alienation from longstanding customers/general public, and the Bank tends to lose their hearts over time. A possibility that is far more dangerous is the Bank itself failing to recognise the pulse of the customer due to loss of personal contact. A Bank having lost touch will find its Marketing activities increasingly ineffective over time, resulting in deterioration of image and eventually earnings.

E. CREDIT RISK
Credit Risk is defined as the Risk to earnings or capital due to an obligor's failure to honour terms or repayments of a credit facility. Credit Risk in Internet Banking Lending is higher than in traditional Bank lending due to limitless geographical coverage and the absence of personal contact, making it impractical to establish the borrower's identity and physical existence. The usual good faith of a borrower cannot be established as in traditional Banking. Hence, Internet Banks could either perform a serious evaluation, or decide not to lend solely on the Internet. Credit Risk Mitigation in Internet Banking can be handled more successfully with Hybrid Model Internet Banking. Hybrid Internet Banking is where the Internet Banking Services are offered by a Traditional Brick and Mortar Bank, thereby facilitating physical contact with the customer. Many Banks in the region, including Sri Lankan Banks that offer Hybrid Internet Banking, are capable of lending to Internet Banking Customers after an assessment of Credit Risk.

F. EXCHANGE RISK
Exchange Risk arises when assets in one currency are backed by liabilities in another currency, and the value of assets/liabilities changes due to Exchange Rate fluctuations. Availability of non-domestic currency deposits and unrestricted transfers among those deposits could land the Bank in high Exchange Risk. Inter-currency transactions by Internet Banking customers can create an Exchange Risk when the exchange rates are volatile. For example, if a customer exchanges deposits from one currency to another during the night (when the bank is closed for business), and if the currency of the new deposit has appreciated by the next day, the bank faces a loss due to the increased value of the new Deposit Liability. Exchange Risks could be mitigated by maintaining exchange rates up to date, and/or by imposing inter-currency transaction restrictions, the more practical method being restrictions. Value based daily transaction limits, effecting transactions subject to the Bank's screening, exception reporting and restricting credits to third parties are some of the common measures.

G. INTEREST RATE RISK
Interest Rate Risk is defined as the Risk to earnings or capital due to moving Interest Rates. Banks look at the sensitivity of assets, liabilities and revenue value to changes in Interest Rates. Internet Banks attract deposits and loans from a wider number of best-deal-seeking customers than a traditional Bank. Deposit owners have a high level of freedom with their funds. Hence the number of controls and manpower needed to maintain appropriate asset/liability management and fast reaction to changing market conditions is higher in Internet Banking.

H. LIQUIDITY RISK
Liquidity Risk is defined as the Risk to earnings or capital due to the Bank's inability to meet its obligations as and when they fall due, without incurring unacceptable losses. Firstly, Interest Rates/Terms are key reasons for customers to maintain Internet Banking accounts; secondly, they get access to deposits and retain their ability to transact at any time of the day or from anywhere. Therefore, Internet Banking increases the likelihood of deposit mobility, increasing the Liquidity Risk to the Bank. Unlike Exchange Risk, Liquidity Risk is applicable even to domestic currency. Value based daily transaction limits, subjecting transactions to an approval process, exception reporting, restricting third party credits and limiting fund movement only within the bank are some of the commonly used controls.

I. INFORMATION SECURITY RISK
Information Security Risk could be defined as the Risk arising due to improper or inadequate Information Security Processes. Information Security Risk makes the organisation vulnerable to hacker attacks, viruses, data theft, social engineering attacks, data destruction and fraud. Lack of awareness and commitment of Senior Level Management is a common cause for the non-existence or slackness of an Information Security Governance framework in Internet Banks. Weak Information Security can open up loopholes in multiple areas. For example, unmanaged Firewall Policies could create easy targets for hacker attacks, data theft and data destruction. Similarly, front office employees unaware of Social Engineering could divulge sensitive information to 3rd parties, making the Bank liable for breach of Secrecy between the Bank and Customer, in extreme cases even leading to hacker attacks and Reputational Risk.

IV. Practical Risk Mitigation in Internet Banking


Successful Risk Mitigation in an Internet Banking environment is the net result of many task areas covered in an Information Security Governance Framework, each task individually and jointly supporting and supplementing the others.
A. Strategies
B. Security Implementations
C. Contractual Relationships
D. Internal Policies, Standards, Processes and Procedures
E. Restrictions and Controls
F. Training and User Education
G. Transferring Risk
H. Business Continuity Planning

A. STRATEGIES
Business Strategies of an Internet Bank can be fine tuned or adjusted to minimise the Risks of Internet Banking. For example, if the Bank considers it safe to provide Internet Banking services only within the country, it can focus solely on the local market.

B. SECURITY IMPLEMENTATIONS
Covers Systems Security Implementations like Firewalls, Secure ID, Secure Socket Layer (SSL) Encryption, Intruder Detection, Virus Guards etc., and maintaining each of them up to date with periodic updates and patches. Security implementations act as deterrents to prospective security violators, improve Customer Confidence and reduce or prevent Security Incidents, thereby minimising System Downtime and related costs.

C. CONTRACTUAL RELATIONSHIPS
Includes Service Level Agreements and Customer Applications for Internet Banking. Well-defined Contractual Relationships safeguard the Bank from Legal, Regulatory and Transactional Risks. Employee Contract Management is equally vital to ensure protection against employee theft and malpractices.

D. INTERNAL POLICIES, STANDARDS, PROCESSES AND PROCEDURES
Internal Policies, Standards and Procedures ensure a specific way of action in conducting business. Some of those actions include:
1. Responding to new Internet Banking Customer enrolment requests
2. Adhering to Know Your Customer (KYC) Rules
3. Maintaining existing customer activities
4. Customer requests and issues Management
5. Periodic Activity, Trends and Exception Monitoring/follow-up
6. Auditing Processes
7. Legal Issues and disputes Management
8. Regulatory Reporting

E. RESTRICTIONS AND CONTROLS
Risk Limiting Controls used for Internet Banking System Customer Operations:
1. User Authentication, Password management
2. Daily/Weekly/Monthly cumulative transaction limits
3. Per transaction Limits
4. Restrictions applied based on the transaction currency
5. Restrictions placed on Fund Transfers to 3rd Parties
6. Anti Money Laundering Controls
7. Entry and Authorising of Transactions

F. TRAINING, USER EDUCATION AND USER MANAGEMENT
Humans are a vital component in Risk management. Systems Administrator Training/Education helps administrators understand their role and responsibilities in ensuring safety; Incident Response rehearsals create and maintain human capabilities to identify and respond to threats promptly and appropriately. Internet Banking Customer Education is an equally important element in managing Internet Banking Risks. Customers with good Password Management, safe sign-on practices and vigilance are extremely helpful in minimising Risks.

G. TRANSFERRING RISK
Insurance can be used to Transfer Internet Banking Risks to an Insurer. Though this type of Insurance is rare in Sri Lanka, it is a global practice in Risk Mitigation.

H. BUSINESS CONTINUITY PLANNING
A Business Continuity Plan is a complete (including Disaster Recovery) set of actions to ensure uninterrupted continuity of the business. Such a plan needs to be rehearsed once or twice a year depending on business requirements, and on the value of the business assets that the Business Continuity Plan intends to safeguard.
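The Risk Limiting Controls listed above, together with the Exchange Risk and Liquidity Risk measures (value based daily limits, per transaction limits, currency restrictions, restricting credits to third parties, Bank screening and exception reporting), as an added Python example that is not part of the original paper. The customer id, limit values and sample transfers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
@dataclass(frozen=True)
class Limits:
    per_txn: int               # maximum value of a single transfer
    daily: int                 # cumulative value permitted per calendar day
    currencies: frozenset      # currencies the customer may transact in
    third_party_credits: bool  # may the customer credit accounts of others?
    screening_from: int        # transfers of this value or more are held for Bank screening
@dataclass(frozen=True)
class Transfer:
    customer: str
    day: date
    amount: int
    currency: str
    to_third_party: bool
class ControlEngine:
    def __init__(self, limits):
        self.limits = limits   # customer id -> Limits
        self.used = {}         # (customer, day) -> value already committed that day
        self.exceptions = []   # rejected transfers, for periodic exception follow-up

    def evaluate(self, t):
        lim = self.limits[t.customer]
        if t.currency not in lim.currencies:
            return self._reject(t, "currency not permitted")
        if t.to_third_party and not lim.third_party_credits:
            return self._reject(t, "credits to third parties restricted")
        if t.amount > lim.per_txn:
            return self._reject(t, "per-transaction limit exceeded")
        key = (t.customer, t.day)
        if self.used.get(key, 0) + t.amount > lim.daily:
            return self._reject(t, "daily cumulative limit exceeded")
        # Held transfers still consume the limit, so pending value cannot pile up unbounded.
        self.used[key] = self.used.get(key, 0) + t.amount
        return "HELD" if t.amount >= lim.screening_from else "APPROVED"

    def _reject(self, t, reason):
        self.exceptions.append((t.customer, t.day.isoformat(), t.amount, t.currency, reason))
        return "REJECTED"
def run_sample():
    # Constructed limits and transfers for one retail customer; all values are illustrative.
    engine = ControlEngine({"retail-001": Limits(100_000, 150_000, frozenset({"LKR"}), False, 75_000)})
    d1, d2 = date(2006, 6, 1), date(2006, 6, 2)
    transfers = [
        Transfer("retail-001", d1, 80_000, "LKR", False),   # large: held for Bank screening
        Transfer("retail-001", d1, 150_000, "LKR", False),  # above the per-transaction limit
        Transfer("retail-001", d1, 20_000, "USD", False),   # currency not permitted
        Transfer("retail-001", d1, 30_000, "LKR", True),    # credit to a third party
        Transfer("retail-001", d1, 60_000, "LKR", False),   # approved; day total now 140,000
        Transfer("retail-001", d1, 30_000, "LKR", False),   # would exceed the daily limit
        Transfer("retail-001", d2, 30_000, "LKR", False),   # new day, cumulative limit resets
    ]
    return [engine.evaluate(t) for t in transfers], engine.exceptions
```

The returned exception list is the raw material for the periodic Exception Monitoring/follow-up named under section D; a production system would persist it and attach the user and session that attempted each rejected transfer.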

V. Conclusions
Risk Management in Internet Banking covers a number of traditional and non-traditional Risk Categories, and is of vital importance in any Internet Bank. The purpose of Internet Banking Risk management is to safeguard the interests of both the Internet Bank and its Customers. Establishing and Maintaining an Information Security Governance Framework with an appropriate mixture of technological and organizational adjustments, as outlined above, provides a practical and successful way to manage Internet Banking Risk.

