CARTAC & Caribbean Group of Banking Supervisors IT Workshop for Regional Bank Examiners
June 23-25, 2009, Georgetown, Guyana
Kirk Tyrell, CISA
Assistant Director, Financial Institutions Supervisory Division, Bank of Jamaica
www.boj.org.jm
Objectives
Identify the risks and risk management practices associated with e-banking activities
Provide standardized guidance to examiners on e-banking reviews
Definition
e-banking is defined as: the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels.
Definition
This definition includes delivering services and products such as:
Increases customer satisfaction and retention
Provides focused cross-selling opportunities
Shifts costs
Levels the playing field
Increases brand value
Provides real-time access (i.e. convenience)
Shift Costs
Chart: Transaction Distribution, September 2007 (US$ billions, Branch vs. E-Channels services)
Source: Princeton Survey Research Associates Intl., September 2007
Specific Perspective
E-Banking Devices
Personal computers (PCs)
Personal digital assistants (PDAs)
Automated teller machines (ATMs)
Kiosks
Touch-tone telephones
Cellular and smart phones
Internet-Based Services
Although there is risk in using any of these remote access devices (e.g. PCs, PDAs, kiosks, mobile phones) for financial services, those that involve Internet access typically pose the greatest risk, because the Internet is such a widely accessible and public network.
1. Informational
General information about the financial institution
Products or services offered
2. Transactional
Initiating banking transactions
Buying products and services
Transactional Websites
Provide two separate types of services:
1. Retail services
2. Wholesale services
Retail Services
Account management
Bill presentment and bill payment
New account initiation
Wire transfers
Investment and brokerage services
Loan applications and approval
Account aggregation for individual consumers
Wholesale Services
Account management
Corporate cash management
Small business loan applications, approvals, and advances
Wire transfers
Business-to-business payments
Employee benefits and pension administration for business customers
E-Banking Risks
Unique brands phished, by sector
Sector              2008   2007
Financial            79%    83%
ISP                   8%     7%
Retail                4%     4%
Insurance             2%     2%
Internet community    2%     2%
Telecom               2%    <1%
Computer hardware     1%     1%
Government            1%     1%
Computer software    <1%     1%
Transportation       <1%     1%
Source: Symantec Global Internet Security Threat Report 2009, Table 16. Unique brands phished, by sector
E-Banking Risks
Charts: Data breaches by sector; Identities exposed by sector
Fig. 4 Data breaches that could lead to identity theft by sector and identity exposure by sector. Source: Based on data provided by OSF Dataloss DB.
E-Banking Risks
The types of e-banking risks include:
Transaction or operations risk
Credit risk
Liquidity, interest rate, price, and market risks
Compliance or legal risk
Strategic risk
Risks
Management oversight
Inadequate audit coverage
New products process
Poor development standards
Mis-configuration of hardware/software
Datacenter burns
Back office mistake
Errors of judgment
Inadequate password administration
Breach of policy
Viruses, malware, phishing, etc.
Natural disaster
Failure to back up
Integrity
Security
Availability
Credit Risk
Verifying the customer's identity
Monitoring and controlling the growth, pricing, underwriting standards, and ongoing credit quality
Credit Risk
Monitoring and oversight of third parties
Monitoring out-of-area lending (e.g. concentration and volume)
Valuing collateral and perfecting liens
Market Risk
Dependence on brokered funds or other highly rate-sensitive deposits
Geographic restrictions
Impact of loan and deposit growth (e.g. on capital ratios)
Volatility of funds
Compliance or Legal Risk
Uncertainty over legal jurisdictions
Delivery of credit and deposit-related disclosures/notices as required by law
Establishment of legally binding electronic agreements
Solicitation, collection and reporting of government monitoring information on applications and loans (e.g. AML requirements)
Delivery of privacy and opt-out notices
Record retention requirements
Strategic Risk
Risk management costs against the potential return on investment
MIS to track e-banking costs, usage and profitability
Generation of sufficient customer demand
Adequacy of technical, operational, compliance or marketing support
Competition
Reputation Risk
Customer complaints
Failure to provide reliable service
Disclosure or theft of confidential customer information to unauthorized parties (e.g. hackers)
Loss of trust due to unauthorized activity on customer accounts
Failure to deliver on marketing claims
Planning Considerations
Strategic objectives for e-banking
Scope, scale, and complexity of equipment, systems, and activities
Technology expertise
Security and internal control requirements
Hosting options (in-sourcing vs. outsourcing)
Outsourcing Options
Another financial institution
Internet service provider
Internet banking software vendor or processor
Core banking vendor or processor
Managed security service provider
Others
E-Banking Configuration
Examination Areas
Discussion of risk-management issues related to e-banking includes:
Board and management oversight
Managing outsourcing relationships
Information security programmes
Administrative controls
Legal and compliance issues
Board and Management Oversight
Level/type of e-service
Anticipated customer demand
Thorough analysis of the costs and benefits (reduced costs, new revenue, etc.)
Ongoing evaluation of the strategy's effectiveness
Expanded audit coverage to include e-banking activities
Examination Procedures
Examiners should:
Determine the adequacy of e-banking activities with respect to strategy, planning, management reporting, and audit
Determine whether e-banking guidance and risk considerations have been incorporated into the institution's operating policies
Examination Procedures
Assess the level of oversight by the board and management in ensuring that:
Planning and monitoring are sufficiently robust to address
Evaluate adequacy of key MIS reports
Examination Procedures
Examiners should:
Assess the adequacy of management's due diligence activities
Assess the vendor contract to verify that the responsibilities of each party are appropriately identified
Assess the adequacy of ongoing vendor oversight
Information Security Programmes
Compliance with laws, regulations and guidelines (e.g. e-commerce legislation, supervisory guidance, industry-specific requirements, etc.)
Establish layers of various security controls, monitoring, and testing methods
Customer authentication, access control and education
Examination Procedures
Examiners should:
Determine if the institution's information security programme sufficiently addresses e-banking risks
Determine whether the security programme includes monitoring of systems and transactions and whether exceptions are analyzed
Examination Procedures
Examiners should (cont'd):
Evaluate access control associated with employees' administrative access
Assess whether the information security programme includes independent security testing
Administrative Controls
Maximize the availability and integrity of e-banking systems
Implement sound internal controls (e.g. segregation of duties, dual control, fraud detection controls, etc.)
Institute sound business continuity processes
Examination Procedures
Examiners should:
Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties
Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions
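One way an examiner could test the dual-control and audit-trail points on the Administrative Controls slides is to run a check over an extract of the institution's transaction log. The Python below is an added example, not material from the workshop; the log entries, user names, amounts and the 10,000 dual-control threshold are all constructed assumptions.

```python
# Added example (not from the workshop slides): dual-control and audit-trail
# sufficiency checks over a constructed e-banking wire-transfer log.
# Assumptions: wires at or above DUAL_CONTROL_THRESHOLD require approval by a
# second user, and every logged event must record its source (IP and channel).
from collections import defaultdict

DUAL_CONTROL_THRESHOLD = 10_000  # assumed policy value, not from the slides

# Constructed sample audit trail: one dict per logged event.
SAMPLE_TRAIL = [
    {"txn": "W1", "event": "initiate", "user": "teller01", "amount": 25_000, "src_ip": "10.1.1.5", "channel": "internet"},
    {"txn": "W1", "event": "approve", "user": "officer02", "amount": 25_000, "src_ip": "10.1.1.9", "channel": "internet"},
    {"txn": "W2", "event": "initiate", "user": "teller01", "amount": 40_000, "src_ip": "10.1.1.5", "channel": "internet"},
    {"txn": "W2", "event": "approve", "user": "teller01", "amount": 40_000, "src_ip": "10.1.1.5", "channel": "internet"},
    {"txn": "W3", "event": "initiate", "user": "clerk07", "amount": 50_000, "src_ip": "", "channel": ""},
    {"txn": "W4", "event": "initiate", "user": "clerk07", "amount": 500, "src_ip": "10.1.2.3", "channel": "mobile"},
]


def audit_wire_trail(trail, threshold=DUAL_CONTROL_THRESHOLD):
    """Return a list of (txn, finding) tuples, sorted by transaction id."""
    by_txn = defaultdict(list)
    for e in trail:
        by_txn[e["txn"]].append(e)
    findings = []
    for txn, events in sorted(by_txn.items()):
        # Audit-trail sufficiency: every event must identify where it came from.
        for e in events:
            if not e["src_ip"] or not e["channel"]:
                findings.append((txn, "missing source (IP/channel) on %s" % e["event"]))
        initiators = {e["user"] for e in events if e["event"] == "initiate"}
        approvers = {e["user"] for e in events if e["event"] == "approve"}
        amount = max(e["amount"] for e in events)
        if amount >= threshold:
            # Dual control: a second, different user must approve large wires.
            if not approvers:
                findings.append((txn, "no second approval above threshold"))
            elif initiators & approvers:
                findings.append((txn, "dual control bypassed: same user initiated and approved"))
    return findings


if __name__ == "__main__":
    for txn, finding in audit_wire_trail(SAMPLE_TRAIL):
        print(txn, finding)
```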
Examination Procedures
Examiners should (cont'd):
Determine whether business continuity plans appropriately address the business impact of e-banking products and services
Legal and Compliance Issues
Disclose clearly and conspicuously the name of the financial institution and the website's content
Other possible disclosure requirements:
Full name, geographic address, website address, email address and telephone numbers of the bank
Bank's geographic address for the service of legal documents
Details of the bank's corporation status
Bank's membership in any regulatory or accredited bodies (e.g. licensing and supervisory body, deposit insurance membership, etc.)
Maintain the privacy and confidentiality of customer information
Transaction monitoring and consumer disclosures
Legal Framework
Legal framework that facilitates and makes specific provisions for availability, reliability and security. Provisions may include:
a) facilitate electronic transactions by means of reliable electronic documents
b) promote the development of the legal and business infrastructure necessary to implement secure electronic commerce
c) eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements
d) promote public confidence in the integrity and reliability of electronic documents and electronic transactions, in particular through the use of encrypted signatures to ensure the authenticity and integrity of electronic documents
e) establish uniformity of legal rules and standards regarding the authentication and integrity of electronic documents
Examination Procedures
Examiners should:
Review the website content for inclusion of legal and regulatory requirements and disclosures
As applicable, determine whether the financial institution has considered the applicability of various laws and regulations to its e-banking activities
E-Banking Trends
Account Aggregation
Gathers information from multiple websites
Presents that information in consolidated form to customers (e.g. providing financial advice and shopping services that scan the web for particular products)
Wireless Banking
Occurs when a customer accesses a financial institution's networks via telecommunication companies' wireless networks
Devices:
Cellular phones
Pagers
Personal digital assistants (or similar devices)
Heightened level of potential operations risk
Early stages of adoption by the market (strategic risk)
New Challenges
Financial institutions continue to face traditional challenges, but e-banking poses a new set of risks.
While offering customers convenience and easy access to information, e-banking also potentially increases institutional exposure to identity theft and unauthorized access to information.
Requires Vigilance
Vigilant in identifying new and emerging threats
Continually adjust their systems to protect the integrity, confidentiality, and availability of automated information
Questions