
Electronic Banking

CARTAC & Caribbean Group of Banking Supervisors IT Workshop for Regional Bank Examiners
June 23-25, 2009, Georgetown, Guyana

Kirk Tyrell, CISA
Assistant Director, Financial Institutions Supervisory Division
Bank of Jamaica
www.boj.org.jm

Objectives

- Identify the risks and risk management practices associated with e-banking activities
- Provide standardized guidance to examiners on e-banking reviews

Definition

e-banking is defined as: the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels.

Definition

This definition includes delivering services and products such as:
- Account information
- Access to funds
- Business transactions and transfers

Electronic Delivery - How it can help

- Increases customer satisfaction and retention
- Provides focused cross-selling opportunities
- Shifts costs
- Levels the playing field
- Increases brand value
- Provides real-time access (i.e. convenience)

Shift Costs

Shift Costs - Transaction Distribution, September 2007 (chart: Branch vs. E-Channels by service; vertical axis in US$ billions)

Service         Branch                  E-Channels
EPIN TOP-UP     0                       21,988,080.00
BILL PAYMENTS   3,526,891,674.26        345,362,174.91
TRANSFERS       131,468,529,187.96      347,368,142.83
CASH WDL        10,155,127,584.95       2,742,174,300.00
DEPOSITS        9,803,591,028.47        74,080,308.79

Source: PRINCETON SURVEY RESEARCH ASSOCIATES INTL., SEPTEMBER 2007

Specific Perspective

- Services and products delivered to customers
- Supporting technology

E-Banking Devices

- Personal computers (PCs)
- Personal digital assistants (PDAs)
- Automated teller machines (ATMs)
- Kiosks
- Touch-tone telephones
- Cellular and smart phones

Internet-Based Services

Although there is risk in using any of these remote access devices (e.g. PCs, PDAs, kiosks, mobile phones) for financial services, those that involve Internet access typically pose the greatest risk. This is because the Internet is such a widely accessible and public network.

Internet Banking - Primary Types

1. Informational
   - General information about the financial institution
   - Products or services offered

2. Transactional
   - Initiating banking transactions
   - Buying products and services

Transactional Websites

Provide two separate types of services:
1. Retail services
2. Wholesale services

Retail Services

- Account management
- Bill presentment and bill payment
- New account initiation
- Wire transfers
- Investment and brokerage services
- Loan applications and approval
- Account aggregation for individual consumers

Wholesale Services

- Account management
- Corporate cash management
- Small business loan applications, approvals, and advances
- Wire transfers
- Business-to-business payments
- Employee benefits and pension administration for business customers

Issues Impacting E-Banking

Informational website:
- Potential liability and consumer violations
- The insider threat if the website is not properly isolated
- Avenue for spreading viruses and other malicious code
- Reputational risk for service disruption and defacing

Issues Impacting E-Banking

Transactional websites:
- Safeguarding customer information
- Authentication processes (e.g. ID theft)
- Liability for unauthorized transactions
- Losses from fraud
- Violations of laws or regulations (e.g. consumer privacy, etc.)
- Reputational risk from failure to process third-party payments

E-Banking Risks

Unique brands phished, by sector

Sector              2008    2007
Financial           79%     83%
ISP                 8%      7%
Retail              4%      4%
Insurance           2%      2%
Internet community  2%      2%
Telecom             2%      <1%
Computer hardware   1%      1%
Government          1%      1%
Computer software   <1%     1%
Transportation      <1%     1%

Source: Symantec Global Internet Security Threat Report 2009, Table 16. Unique brands phished, by sector

E-Banking Risks

[Fig. 4: Data breaches that could lead to identity theft, by sector, and identities exposed, by sector. Source: Based on data provided by OSF Dataloss DB.]

E-Banking Risks

The types of e-banking risks include:
- Transaction or operations risk
- Credit risk
- Liquidity, interest rate, price, and market risks
- Compliance or legal risk
- Strategic risk

Operational (Technology) Risk Elements

Technology Element        Risks
1) Management processes   Management oversight; Inadequate audit coverage; New products process
2) Architecture           Poor development standards; Mis-configuration of hardware/software; Datacenter burns
3) Integrity              Back office mistake; Errors of judgment
4) Security               Inadequate password administration; Breach of policy; Viruses, malware, phishing, etc.
5) Availability           Natural disaster; Failure to back up

Transaction or Operations Risk

May arise from:
- Fraud
- Processing errors
- System disruptions
- Other unanticipated events

May be mitigated by:
- Adopting effective policies, procedures, and controls
- Sufficient capacity and redundancy

Credit Risk

- Verifying the customer's identity
- Monitoring and controlling the growth, pricing, underwriting standards, and ongoing credit quality
- Monitoring and oversight of third parties
- Monitoring out-of-area lending (e.g. concentration and volume)
- Valuing collateral and perfecting liens


Market Risk

- Dependence on brokered funds or other highly rate-sensitive deposits
- Geographic restrictions
- Impact of loan and deposit growth (e.g. on capital ratios)
- Volatility of funds

Compliance and Legal Risks

- Uncertainty over legal jurisdictions
- Delivery of credit and deposit-related disclosures/notices as required by law
- Establishment of legally binding electronic agreements
- Solicitation, collection and reporting of government monitoring information on applications and loans (e.g. AML requirements)
- Delivery of privacy and opt-out notices
- Record retention requirements

Strategic Risk

- Risk management costs against the potential return on investment
- MIS to track e-banking costs, usage and profitability
- Generation of sufficient customer demand
- Adequacy of technical, operational, compliance or marketing support
- Competition

Reputation Risk

- Customer complaints (e.g. difficulty of use, poor help desk service, etc.)
- Failure to provide reliable service
- Disclosure or theft of confidential customer information to unauthorized parties (e.g. hackers)
- Loss of trust due to unauthorized activity on customer accounts
- Failure to deliver on marketing claims

Planning Considerations

- Strategic objectives for e-banking
- Scope, scale, and complexity of equipment, systems, and activities
- Technology expertise
- Security and internal control requirements
- Hosting options (in-sourcing vs. outsourcing)

Outsourcing Options

- Another financial institution
- Internet service provider
- Internet banking software vendor or processor
- Core banking vendor or processor
- Managed security service provider
- Others

E-Banking Configuration

Examination Areas

Discussion of risk-management issues related to e-banking includes:
- Board and management oversight
- Managing outsourcing relationships
- Information security programmes
- Administrative controls
- Legal and compliance issues

Board and Management

- Developing the institution's e-banking business strategy:
  - Level/type of e-service
  - Anticipated customer demand
  - Thorough analysis of the costs and benefits (reduced costs, new revenue, etc.)
- Ongoing evaluation of the strategy's effectiveness
- Expanded audit coverage to include e-banking activities

Examination Procedures

Examiners should:
- Determine the adequacy of e-banking activities with respect to strategy, planning, management reporting, and audit.
- Determine whether e-banking guidance and risk considerations have been incorporated into the institution's operating policies.
- Assess the level of oversight by the board and management in ensuring that planning and monitoring are sufficiently robust to address
- Evaluate the adequacy of key MIS reports.

Managing Outsourcing Relationships

Provide effective oversight of third-party vendors providing e-banking services and support:
- Perform appropriate due diligence
- Consider sourcing options using cost-benefit analysis (in-source, outsource, off-shore)
- Adequate contractual coverage
- Ongoing monitoring and oversight of the relationship (e.g. SLA, vendor stability, etc.)

Examination Procedures

Examiners should:
- Assess the adequacy of management's due diligence activities
- Assess the vendor contract to verify that the responsibilities of each party are appropriately identified
- Assess the adequacy of ongoing vendor oversight

Information Security Programme

- Compliance with laws, regulations and guidelines (e.g. e-commerce legislation, supervisory guidance, industry-specific requirements, etc.)
- Establish layers of various security control, monitoring, and testing methods
- Customer authentication, access control and education

Examination Procedures

Examiners should:
- Determine if the institution's information security programme sufficiently addresses e-banking risks
- Determine whether the security programme includes monitoring of systems and transactions and whether exceptions are analyzed
- Evaluate access control associated with employees' administrative access
- Assess whether the information security programme includes independent security testing
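To make the second procedure above concrete (monitoring of systems and transactions, with exceptions analyzed), here is an added example written for this page; it is not code from the presentation or from any Bank of Jamaica tooling. It parses a constructed authentication log in a made-up format and raises the three exception types an examiner would expect a monitoring programme to surface: a burst of failed logins on one customer id, a successful login immediately after repeated failures, and a successful login from a source address never before seen for that customer. The log format, customer ids, IP addresses and thresholds are all constructed assumptions.

```python
"""Authentication exception monitoring over a constructed e-banking log.

Added example for this page. Log format, ids, addresses and thresholds are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not any real product's): ISO timestamp, event name, key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH cust=(?P<cust>\S+) result=(?P<result>SUCCESS|FAIL) ip=(?P<ip>\S+)$"
)

FAIL_WINDOW = timedelta(minutes=10)  # constructed policy values
FAIL_THRESHOLD = 5                   # failures in window that count as a burst
TAKEOVER_FAILS = 3                   # failures before a success that merit review

# Constructed sample log: one customer logging in normally, one succeeding after
# three failures, one being hammered with failures, and one later logging in from
# a source address not seen before. The non-matching line shows how noise is skipped.
SAMPLE_LOG = """\
2009-06-23T08:00:01Z AUTH cust=C001 result=SUCCESS ip=198.51.100.5
2009-06-23T08:10:00Z AUTH cust=C002 result=FAIL ip=203.0.113.7
2009-06-23T08:10:05Z AUTH cust=C002 result=FAIL ip=203.0.113.7
2009-06-23T08:10:09Z AUTH cust=C002 result=FAIL ip=203.0.113.7
2009-06-23T08:10:14Z AUTH cust=C002 result=SUCCESS ip=203.0.113.7
2009-06-23T08:20:00Z AUTH cust=C003 result=FAIL ip=203.0.113.9
2009-06-23T08:20:02Z AUTH cust=C003 result=FAIL ip=203.0.113.9
2009-06-23T08:20:04Z AUTH cust=C003 result=FAIL ip=203.0.113.9
2009-06-23T08:20:06Z AUTH cust=C003 result=FAIL ip=203.0.113.9
2009-06-23T08:20:08Z AUTH cust=C003 result=FAIL ip=203.0.113.9
2009-06-23T09:00:00Z AUTH cust=C001 result=SUCCESS ip=192.0.2.44
this line is not an auth event and is skipped
"""


def parse(text):
    """Return (timestamp, customer, result, ip) tuples for every line that matches the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log noise
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["cust"], m["result"], m["ip"]))
    return events


def authentication_exceptions(events):
    """Walk events in time order and emit (customer, exception, timestamp) tuples."""
    exceptions = []
    recent_fails = defaultdict(deque)  # customer -> timestamps of failures inside the window
    burst_reported = set()             # report each burst once per customer
    known_ips = defaultdict(set)       # customer -> source addresses seen on earlier successes

    for ts, cust, result, ip in sorted(events):
        fails = recent_fails[cust]
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()  # drop failures that have aged out of the window

        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= FAIL_THRESHOLD and cust not in burst_reported:
                exceptions.append((cust, "failed-login burst", ts))
                burst_reported.add(cust)
            continue

        # Successful login: review it against the failures that preceded it and
        # against the sources this customer has used before.
        if len(fails) >= TAKEOVER_FAILS:
            exceptions.append((cust, "success after repeated failures", ts))
        if known_ips[cust] and ip not in known_ips[cust]:
            exceptions.append((cust, f"success from previously unseen source {ip}", ts))
        known_ips[cust].add(ip)
        fails.clear()

    return exceptions


if __name__ == "__main__":
    for cust, what, ts in authentication_exceptions(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {cust}  {what}")
```

Each rule corresponds to a question the examiner can then ask: does the institution's monitoring produce these exceptions, and who reviews them and how quickly. The "unseen source" rule is deliberately a review trigger rather than a block, since a customer legitimately travelling will produce it too.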

Administrative Controls

- Maximize the availability and integrity of e-banking systems
- Implement sound internal controls (e.g. segregation of duties, dual control, fraud detection controls, etc.)
- Institute sound business continuity processes

Examination Procedures

Examiners should:
- Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties
- Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions
- Determine whether business continuity plans appropriately address the business impact of e-banking products and services
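The administrative controls above (segregation of duties, dual control) and the first two examination procedures (privileges commensurate with duties; audit trails that identify the source of a transaction) can be tested against data the institution already holds. The following is an added example written for this page, not code from the presentation or from any institution: it runs three checks over a constructed staff entitlement list and a constructed e-banking audit trail. The role matrix, user ids, field names, amounts and the dual-control threshold are all assumptions made for the example.

```python
"""Entitlement and audit-trail checks for e-banking administrative controls.

Added example for this page. Roles, users, transactions and thresholds are constructed.
"""

# Constructed role matrix: the privileges each duty is permitted to carry.
ROLE_PRIVILEGES = {
    "teller":            {"payments_initiate", "customer_view"},
    "payments_approver": {"payments_approve", "customer_view"},
    "sysadmin":          {"system_admin"},
}

# Constructed staff entitlements as actually granted (user -> role and privileges).
STAFF = {
    "u101": {"role": "teller",            "privileges": {"payments_initiate", "customer_view"}},
    "u102": {"role": "payments_approver", "privileges": {"payments_approve", "customer_view"}},
    # u103 can both initiate and approve payments: a segregation-of-duties conflict.
    "u103": {"role": "teller",            "privileges": {"payments_initiate", "payments_approve", "customer_view"}},
    # u104 is a sysadmin who was also given payment approval, beyond the role's duties.
    "u104": {"role": "sysadmin",          "privileges": {"system_admin", "payments_approve"}},
}

DUAL_CONTROL_THRESHOLD = 10_000  # constructed policy value: wires at or above this need a second person

# Fields an audit record must carry for the source of a transaction to be identifiable.
REQUIRED_SOURCE_FIELDS = ("timestamp", "initiated_by", "channel", "source_ip", "session_id")

# Constructed audit trail as the e-banking platform might have logged it.
AUDIT_TRAIL = [
    {"txn_id": "T1", "type": "wire", "amount": 25_000, "timestamp": "2009-06-23T09:01:00Z",
     "initiated_by": "u101", "approved_by": "u102", "channel": "internet",
     "source_ip": "203.0.113.10", "session_id": "s1"},
    {"txn_id": "T2", "type": "wire", "amount": 40_000, "timestamp": "2009-06-23T09:05:00Z",
     "initiated_by": "u103", "approved_by": "u103", "channel": "internet",
     "source_ip": "203.0.113.11", "session_id": "s2"},
    {"txn_id": "T3", "type": "wire", "amount": 15_000, "timestamp": "2009-06-23T09:07:00Z",
     "initiated_by": "u101", "approved_by": None, "channel": "internet",
     "source_ip": "203.0.113.12", "session_id": "s3"},
    {"txn_id": "T4", "type": "bill_payment", "amount": 120, "timestamp": "2009-06-23T09:09:00Z",
     "initiated_by": "u101", "approved_by": None, "channel": "mobile",
     "source_ip": None, "session_id": "s4"},
    {"txn_id": "T5", "type": "wire", "amount": 12_000, "timestamp": "2009-06-23T09:12:00Z",
     "initiated_by": "u101", "approved_by": "u104", "channel": "internet",
     "source_ip": "203.0.113.13", "session_id": "s5"},
]


def source_attribution_findings(trail):
    """Audit-trail sufficiency: every record must say who, when, from where and in which session."""
    findings = []
    for rec in trail:
        missing = [f for f in REQUIRED_SOURCE_FIELDS if not rec.get(f)]
        if missing:
            findings.append((rec["txn_id"], "missing source fields: " + ", ".join(missing)))
    return findings


def dual_control_findings(trail, staff, threshold=DUAL_CONTROL_THRESHOLD):
    """Dual control: large wires need an approver who is a different person and holds approve rights."""
    findings = []
    for rec in trail:
        if rec["type"] != "wire" or rec["amount"] < threshold:
            continue
        approver = rec.get("approved_by")
        if not approver:
            findings.append((rec["txn_id"], "no approver recorded"))
        elif approver == rec["initiated_by"]:
            findings.append((rec["txn_id"], "initiator approved own transaction"))
        elif "payments_approve" not in staff.get(approver, {}).get("privileges", set()):
            findings.append((rec["txn_id"], f"approver {approver} lacks approve privilege"))
    return findings


def entitlement_findings(staff, role_privileges=ROLE_PRIVILEGES):
    """Privileges commensurate with duties, plus the initiate/approve segregation rule."""
    findings = []
    for user, info in staff.items():
        excess = info["privileges"] - role_privileges[info["role"]]
        if excess:
            findings.append((user, "privileges beyond role: " + ", ".join(sorted(excess))))
        if {"payments_initiate", "payments_approve"} <= info["privileges"]:
            findings.append((user, "holds both initiate and approve (segregation-of-duties conflict)"))
    return findings


def review(trail=AUDIT_TRAIL, staff=STAFF):
    """Run all three checks and group the findings by control area."""
    return {
        "source_attribution": source_attribution_findings(trail),
        "dual_control": dual_control_findings(trail, staff),
        "entitlements": entitlement_findings(staff),
    }


if __name__ == "__main__":
    for area, items in review().items():
        print(area)
        for ident, msg in items:
            print(f"  {ident}: {msg}")
```

Note how the checks layer: T5 passes dual control because u104 does hold an approve privilege, and it is the entitlement review that shows the privilege should never have been granted to that role. An examiner reading only the transaction log would miss it, which is why the procedures ask for both the access review and the audit trail.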

Legal and Compliance Issues

- Disclose clearly and conspicuously the name of the financial institution and the website's content
- Other possible disclosure requirements:
  - Full name, geographic address, website address, email address and telephone numbers of the bank
  - Bank's geographic address for the service of legal documents
  - Details of the bank's corporation status
  - Bank's membership in any regulatory or accredited bodies (e.g. licensing and supervisory body, deposit insurance membership, etc.)
- Maintain the privacy and confidentiality of customer information
- Transaction monitoring and consumer disclosures

Legal Framework

Legal framework that facilitates and makes specific provisions for availability, reliability and security. Provisions may include:
a) facilitate electronic transactions by means of reliable electronic documents;
b) promote the development of the legal and business infrastructure necessary to implement secure electronic commerce;
c) eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements;
d) promote public confidence in the integrity and reliability of electronic documents and electronic transactions, in particular through the use of encrypted signatures to ensure the authenticity and integrity of electronic documents;
e) establish uniformity of legal rules and standards regarding the authentication and integrity of electronic documents.

Examination Procedures

Examiners should:
- Review the website content for inclusion of legal and regulatory requirements and disclosures
- As applicable, determine whether the financial institution has considered the applicability of various laws and regulations to its e-banking activities

E-Banking Trends

- Account aggregation
- Wireless banking

Account Aggregation

- Service unique to Internet banking
- Service includes a financial institution:
  - gathering information from multiple websites
  - presenting that information in consolidated form to customers (e.g. providing financial advice and shopping services that scan the web for particular products)

Wireless Banking

- Occurs when a customer accesses a financial institution's networks via telecommunication companies' wireless networks
- Devices:
  - Cellular phones
  - Pagers
  - Personal digital assistants (or similar devices)


Wireless Banking Risks

- Heightened level of potential operations risk
- Early stages of adoption by the market (strategic risk)

New Challenges

- Financial institutions continue to face traditional challenges, but e-banking poses a new set of risks
- While offering customers convenience and easy access to information, e-banking also potentially increases institutional exposure to identity theft and unauthorized access to information

Requires Vigilance

Institutions offering e-banking products and services must:
- be vigilant in identifying new and emerging threats
- continually adjust their systems to protect the integrity, confidentiality, and availability of automated information

Questions
