Lecture 2: E-Banking Risks

BSc (Hons) Banking and International Finance MMIS 2301: E-Banking and E-Trading

Lecture 2: E-BANKING RISKS

Continuing technological innovation and competition among existing banking

organisations and new market entrants has allowed for a much wider array of electronic
banking products and services for retail and wholesale banking customers. These include
traditional activities such as accessing financial information, obtaining loans and opening
deposit accounts, as well as relatively new products and services such as electronic bill
payment services, personalised financial “portals,” account aggregation and business-to-
business market places and exchanges. Notwithstanding the significant benefits of
technological innovation, the rapid development of e-banking capabilities carries risks as
well as benefits and it is important that these risks are recognised and managed by
banking institutions in a prudent manner

Generally we appreciate that there are three levels of e-banking business:

Basic information e-banking/web sites that just disseminate information on

banking products and services offered to bank customers and the general public;

Simple transactional e-banking/web sites that allow bank customers to submit

applications for different services, make queries on their account balances, and
submit instructions to the bank, but do no permit any account transfers;

Advanced transactional e-banking/web sites that allow bank customers to

electronically transfer funds to/from their accounts pay bills, and conduct other
banking transaction online.

In the past several years, many economists have considered the impact of the digital
revolution on the money and banking system, and by extension the macroeconomy.

1
 Lecture 2: E-Banking Risks

Although many of the papers on e-money and e-banking have contained useful insights
into these developments, they have also tended to paint an incomplete and even confusing
picture. The application of information technology to money and banking raises many
interesting questions. But to make further progress in understanding the economic effects,
we need to advance in a very important area: what is the risk management for e-banking?

In many ways, e-banking is not unlike traditional payment, inquiry, and information
processing systems, differing only in that it utilises a different delivery channel. Any
decision to adopt e-banking is normally influenced by a number of factors. These include
customer service enhancement and competitive costs, all of which motivate banks to
assess their electronic commerce strategies.

E-banking can improve a bank’s efficiency and competitiveness, so that existing and
potential customers can benefit from a greater degree of convenience in effecting
transactions. This increased level of convenience offered by the bank, when combined
with new services, can expand the bank’s target customers beyond those in traditional
markets. Consequently, financial institutions are therefore becoming more aggressive in
adopting electronic banking capabilities that include sophisticated marketing systems,
remote-banking capabilities, and stored value programs. Internationally, familiar
examples include telephone banking, automated teller networks, and automated
clearinghouse systems. Such technological advances have brought greater sophistication
to all users, commercial and “the man in the street”.

A bank may be faced with different levels of risks and expectations arising from
electronic banking as opposed to traditional banking. Furthermore, customers who rely
on ebanking services may have greater intolerance for a system that is unreliable or one
that does not provide accurate and current information. Clearly, the longevity of ebanking
depends on its accuracy, reliability and accountability. The challenge for many banks is
to ensure that savings from the electronic banking technology more than offset the costs
and risks involved in such changes to their systems.

2
 Lecture 2: E-Banking Risks

While financial institutions have faced difficulties over the years for a multitude of
reasons, the major cause of serious banking problems continues to be directly related to
lax credit standards for borrowers and counterparties, poor portfolio risk management or
a lack of attention to changes in economic or other circumstances that can lead to a
deterioration in the credit standing of a bank’s counterparties.

There are always two sides to a coin. Similarly Internet banking too has a ‘bane’ side to
it. The bane lies in its inexorable slide towards higher risk from various facets of bank
operations. Risk is the potential that unexpected events may have an adverse impact on
the banks earnings. Internet banking risks consists of risk associated with credit, interest
rate, transaction, etc. These risks are not mutually exclusive but invariably all of these are
associated with Internet banking.

Risks associated with e-banking can be classified as follows:

1. Transaction/Operations risk
2. Credit risk
3. Liquidity, interest rate, price/market risks
4. Compliance/Legal risk
5. Strategic risk
6. Reputation risk

1. TRANSACTION/OPERATIONS RISK
The most important category of risk management for e-banking services is operational
risk. Operational risk is the risk of direct or indirect loss resulting from inadequate or
failed internal processes, people and systems or from external events. The main causes
for operational risk can be:

Inadequate Information Systems

Breaches in internal controls

Fraud

Processing Errors

Unforeseen catastrophes

3
 Lecture 2: E-Banking Risks

The inadequate information system can result from general risks or from application
oriented risks. The general risks can include physical access to the hardware, logical
access to the information and communication technology systems, emergency
management or from an insufficient backup recovery measures-mitigate the
consequences of system failures.

A high level of transaction risk may exist with Internet banking products, particularly if
those lines of business are not adequately planned, implemented, and monitored. Banks
that offer financial products and services through the Internet must be able to meet their
customer’s expectations. Banks must also ensure they have the right product mix and
capacity to deliver accurate, timely, and reliable services to develop a high level of
confidence in their brand name. Customers who conduct business over the Internet are
likely to have little tolerance for errors or omissions from financial institutions that do not
have sophisticated internal controls to manage their Internet banking business. Likewise,
customers will expect continuous availability of the product and Web pages that are easy
to navigate

Most Internet banking platforms are based on new platforms which use complex
interfaces to link with legacy systems, thereby increasing risk of transaction errors. There
is also a need to ensure data integrity and non-repudiation of transactions. Third-party
providers also increase transaction risks, since the organization does not have full control
over a third party. Without seamless process and system connections between the bank
and the third party, there is a higher risk of transaction errors.

In most instances, e-banking activities will increase the complexity of the institution’s
activities and the quantity of its transaction/operations risk, especially if the institution is
offering innovative services that have not been standardized. Since customers expect e-
banking services to be available 24 hours a day, 7 days a week, financial institutions
should ensure their e-banking infrastructures contain sufficient capacity and redundancy
to ensure reliable service availability. Even institutions that do not consider e-banking a

4
 Lecture 2: E-Banking Risks

critical financial service due to the availability of alternate processing channels, should
carefully consider customer expectations and the potential impact of service disruptions
on customer satisfaction and loyalty

* Redundancy: The ability of a system to keep functioning normally in the event of a component
failure, by having backup components that perform duplicate functions

The level of transaction risk is affected by the following:

The structure of the institution’s processing environment, including the types of services
offered and the complexity of the processes and supporting technology

CONTROL OF TRANSACTION RISKS

Controlling transaction risk lies in adapting effective polices, procedures, and controls to
meet the new risk exposures introduced by e-banking

− Basic internal controls including segregation of duties, dual controls, and

reconcilements

− Information security controls become more significant requiring additional

processes, tools, expertise, and testing.

− Institutions should determine the appropriate level of security controls

abased on their assessment of the sensitivity of the information to the
customer and to the institution and on the institution’s established risk
tolerance level.

5
 Lecture 2: E-Banking Risks

2. CREDIT RISK

Credit risk is the risk to earning and eventually capital, arising from a borrower’s failure
to meet the terms of a credit contract with the bank or otherwise to perform as agreed. It
is found in all activities where success depends on counterparty, issuer, or borrower
performance. It arises any time bank findings are extended, committed, invested, or
otherwise exposed through actual or implied contractual agreements, whether on or off
the bank’s balance sheet.

Internet banking provides the opportunity for banks to expand their geographic range.
Customers can reach a given institution from literally anywhere in the world. In dealing
with customers over the Internet, absent of any personal contact, it is challenging for
institutions to verify the bona fide of their customers, which is an important element in
making sound credit decisions. Verifying collateral and perfecting security agreements
can also be challenging with out-of-area borrowers.

Unless properly managed, Internet banking could lead to a concentration in out-of-area

credits. Moreover, the question of which state’s or country’s laws control an Internet
relationship is still very much at an infancy stage of development

NOTE: Generally, a financial institution’s credit risk is not increased by the mere fact
that a loan is originated through an e-banking channel.

• When originating and approving loans electronically, additional precautions should

be considered. These precautions include:

Assuring management information systems effectively track the performance of

portfolios originated through e-banking channels.

6
 Lecture 2: E-Banking Risks

• In finance, a portfolio is a collection of investments held by an institution or a private

individual. Holding a portfolio is part of an investment and risk-limiting strategy called
diversification. By owning several assets, certain types of risk (in particular specific
risk) can be reduced. The assets in the portfolio could include stocks, bonds, options,
warrants, gold certificates, real estate, futures contracts, production facilities, or any
other item that is expected to retain its value

The following aspects of on-line loan origination and approval tend to make risk
management of the lending process more challenging. If not properly managed, these
aspects can significantly increase credit risk.

• Verifying the customer’s identity for on-line credit applications and executing an
enforceable contract
• Monitoring and controlling the growth, pricing, underwriting standards, and
ongoing credit quality of loans originated through e-banking channels
• Monitoring and oversight of third-parties doing business as agents or on behalf of
the financial institution (for example, an Internet loan origination site or electronic
payments processor).

• Collecting loans from individuals over a potentially wider geographic area.

• Monitoring any increased volume of, and possible concentration in, out-of-area
lending.

3. LIQUIDITY, INTEREST RATE, PRICE/MARKET RISKS

Liquidity risk is the uncertainty arising from a bank’s inability to meet its obligations
when they are due, without incurring unacceptable losses. Liquidity risk includes the
inability to manage unplanned changes in market conditions affecting the ability of the
bank to liquidate assets quickly and with minimal loss in value.

Internet banking increases deposit volatility from customers who maintain accounts
solely on the basis of rates or terms. Increased monitoring of liquidity and changes in

7
 Lecture 2: E-Banking Risks

deposits and loans maybe warranted depending on the volume and nature of Internet
account activities. In a nutshell, the Internet allows all transactions to occur in real time.
The management must therefore be prepared for immediate changes and consequently
immediate solutions.

An institution can control this potential volatility and expanded geographic reach through
its deposit contract and account opening practices, which might involve face-to-face
meetings or the exchange of paper correspondence. The institution should modify its
policies as necessary to address the following e-banking funding issues:

1. Potential increase in dependence on brokered funds or other highly rate-sensitive

deposits.

2. Potential acquisition of funds from markets where the institution is not licensed
to engage in banking, particularly if the institution does not establish, disclose,
and enforce geographic restrictions.

3. Potential impact of loan or deposit growth from an expanded Internet market,

including the impact of such growth on capital ratios.

4. Potential increase in volatility of funds if e-banking security problems

negatively impact customer confidence or the market’s perception of the
institution.

4. COMPLIANCE/LEGAL RISK

This is the risk to earnings or capital arising from violations of, or nonconformance with,
laws, regulations and ethical standards. Compliance risk may lead to diminished
reputation, actual monetary losses and reduced business opportunities. Banks need to
carefully understand and interpret existing laws as they apply to Internet banking and
ensure consistency with other channels such as branch banking. This risk is amplified
when the customer, the bank and the transaction are in more than one country.
Conflicting laws, tax procedures and reporting requirements across different jurisdictions

8
 Lecture 2: E-Banking Risks

add to the risk. The need to keep customer data private and seek customers' consent
before sharing the data also adds to compliance risk. Customers are very concerned about
the privacy of their data and banks need to be seen as reliable guardians of such data.
Finally, the need to consummate transactions immediately (straight-through processing)
may lead to banks relaxing traditional controls, which aim to reduce compliance risk.

• Compliance and legal issues arise out of the rapid growth in usage of e-banking
and the differences between electronic and paper-based processes

Specific regulatory and legal challenges include the following:

Uncertainty over legal jurisdictions and which state’s or country’s laws
govern a specific e-banking transaction. (international hacker v/s local
hacker)
Delivery of credit and deposit-related disclosures/notices as required by law or
regulation.
Retention of required compliance documentation for on-line advertising,
applications, statements, disclosures and notices.
Establishment of legally binding electronic agreements

Institutions that offer e-banking services, both informational and transactional, assume a
higher level of compliance risk because of the changing nature of the technology, the
speed at which errors can be replicated, and the frequency of regulatory changes to
address e-banking issues. The potential for violations is further heightened by the need to
ensure consistency between paper and electronic advertisements, disclosures, and notices

9
 Lecture 2: E-Banking Risks

5. STRATEGIC RISK

This is the current and prospective risk to earnings and capital arising from adverse
business decisions or improper implementation of business decisions. Many senior
managers do not fully understand the strategic and technical aspects of Internet banking.
Spurred by competitive and peer pressures, banks may seek to introduce or expand
Internet banking without an adequate cost-benefit analysis. The organization structure
and resources may not have the skills to manage Internet banking.

In other words, will the bank get it right? Will it make the right choices when it comes to
investing in e-banking or will it waste money by going down a technological blind alley?
Should it attempt to take the lead in new technology ahead of its competitors, or should it
be a follower and adopt a "wait and see" approach? The latter may be the safer course of
action for smaller banks, though it does create the risk of being left behind.

A financial institution’s board and management should understand the risks associated
with e-banking services and evaluate the resulting risk management costs against the
potential return on investment prior to offering e-banking services.

Poor e-banking planning and investment decisions can increase a financial institution’s
strategic risk. Early adopters of new e-banking services can establish themselves as
innovators who anticipate the needs of their customers, but may do so by incurring higher
costs and increased complexity in their operations.

Conversely, late adopters may be able to avoid the higher expense and added complexity,
but do so at the risk of not meeting customer demand for additional products and
services. In managing the strategic risk associated with e-banking services, financial
institutions should develop clearly defined e-banking objectives by which the institution
can evaluate the success of its e-banking strategy.

10
 Lecture 2: E-Banking Risks

• To manage the strategic risk financial institutions should pay attention to the
following:

− Adequacy of management information systems (MIS) to track e-banking usage

and profitability.

− Costs involved in monitoring e-banking activities or costs involved in

overseeing e-banking vendors and technology service providers.

− Design, delivery, and pricing of services adequate to generate sufficient

customer demand.

− Retention of electronic loan agreements and other electronic contracts in a

format that will be admissible and enforceable in litigation. (court case / legal
action

− Costs and availability of staff to provide technical support for interchanges

involving multiple operating systems, web browsers, and communication
devices.

− Competition from other e-banking providers.

− Adequacy of technical, operational, compliance, or marketing support for e-

banking products and services.

6. REPUTATION RISK

This is the current and prospective risk to earnings and capital arising from negative
public opinion. A bank's reputation can be damaged by Internet banking services that are
poorly executed (e.g., limited availability, buggy software, poor response). Customers are
less forgiving of any problems and thus there are more stringent performance
expectations from the Internet channel. Hypertext links could link a bank's site to other
sites and may reflect an implicit endorsement of the other sites

11
 Lecture 2: E-Banking Risks

Risk of damage to the bank's reputation goes along with the other risks I have mentioned.
It can arise, for example, from operational risk even if customers suffer no actual
damage. If a hacker successfully breaks into a bank's website and makes alterations, the
bank concerned can suffer substantial damage to its reputation although customers'
balances are safe and the hacker has not obtained any financial benefit.

This does not only affect the individual bank concerned but may also undermine
confidence in the security of e-banking more generally and therefore slow down
development in this area.

Systems breakdown, even if only temporary, is another example of how banks may be
affected by bad publicity. Given the fact that the element of trust is so fundamental to
banks' business, banks will find it increasing important to adopt measures to manage
reputational risk and incorporate public relations strategies into their overall risk
management framework.

Some of the ways in which e-banking can influence an institution’s reputation include
the following:

1. Loss of trust due to unauthorized activity on customer accounts.

2. Disclosure or theft of confidential customer information to unauthorised
parties (e.g., hackers).
3. Failure to provide reliable service due to the frequency or duration of service
disruptions.
4. Customer complaints about the difficulty in using e-banking services and the
inability of the institution’s help desk to resolve problems.
5. Confusion between services provided by the financial institution and services
provided by other businesses linked from the website.

12
 Lecture 2: E-Banking Risks

RISK MANAGEMENT OF E-BANKING ACTIVITIES

As noted in the prior section, e-banking has unique characteristics that may increase an
institution’s overall risk profile and the level of risks associated with traditional financial
services, particularly strategic, operational, legal, and reputation risks. These unique
ebanking characteristics include

The speed of change relating to technological and customer service innovation in

ebanking is unprecedented. Historically, new banking applications were
implemented over relatively long periods of time and only after in-depth testing.
Today, however, banks are experiencing competitive pressure to roll out new
business applications in very compressed time frames – often only a few months
from concept to production. This competition intensifies the management
challenge to ensure that adequate strategic assessment, risk analysis and security
reviews are conducted prior to implementing new e-banking applications.

Transactional e-banking web sites and associated retail and wholesale business
applications are typically integrated as much as possible with legacy computer
systems to allow more straight-through processing of electronic transactions. Such
straight-through automated processing reduces opportunities for human error and
fraud inherent in manual processes, but it also increases dependence on sound
systems design and architecture as well as system interoperability and operational
scalability.

E-banking increases banks’ dependence on information technology, thereby

increasing the technical complexity of many operational and security issues and
furthering a trend towards more partnerships, alliances and outsourcing
arrangements with third parties, many of whom are unregulated. This
development has been leading to the creation of new business models involving
banks and nonblank entities, such as Internet service providers,
telecommunication companies and other technology firms.

13
 Lecture 2: E-Banking Risks

The Internet is ubiquitous and global by nature. It is an open network accessible

from anywhere in the world by unknown parties, with routing of messages
through unknown locations and via fast evolving wireless devices. Therefore, it
significantly magnifies the importance of security controls, customer
authentication techniques, data protection, audit trail procedures, and customer
privacy standards.

Management should review each of the processes discussed in this section to adapt and
expand the institution’s risk management practices as necessary to address the risks posed
by e-banking activities.

14