Electronic Banking - PowerPoint PPT Presentation

About This Presentation
Title:

Electronic Banking

Description:

Identify the risks and risk management practices associated with e-banking activities ... Valuing collateral and perfecting liens. Market Risk ... – PowerPoint PPT presentation

Slides: 56
Provided by: kir78

Transcript and Presenter's Notes

Title: Electronic Banking


1
Electronic Banking
CARTAC Caribbean Group of Banking Supervisors
IT Workshop for Regional Bank Examiners
June 23-25, 2009, Georgetown, Guyana
  • Kirk Tyrell, CISA
  • Assistant Director
  • Financial Institutions Supervisory Division
  • Bank of Jamaica
  • www.boj.org.jm

2
Objectives
  • Identify the risks and risk management practices
    associated with e-banking activities
  • Provide standardized guidance to examiners on
    e-banking reviews

3
Definition
  • e-banking is defined as
  • the automated delivery of new and traditional
    banking products and services directly to
    customers through electronic, interactive
    communication channels.

4
Definition
  • This definition includes delivering services and
    products such as
  • Account information
  • Access to funds
  • Business transactions and transfers

5
Electronic Delivery: How It Can Help
  • Increases customer satisfaction and retention
  • Provides focused cross-selling opportunities
  • Shift costs
  • Levels the playing field
  • Increases brand value
  • Provides real time access (i.e. convenience)

6
Shift Costs
7
Specific Perspective
  • Services and products delivered to customers
  • Supporting technology.

8
E-Banking Devices
  • Personal computers (PCs)
  • Personal digital assistants (PDAs)
  • Automated teller machines (ATMs)
  • Kiosks
  • Touch tone telephones
  • Cellular and smart phones

9
Internet-Based Services
  • Although there is risk in using any of these
    remote access devices (e.g. PCs, PDAs, Kiosks,
    mobile phones) for financial services, those that
    involve Internet access typically pose the
    greatest risk. This is because the Internet is
    such a widely accessible and public network

10
Internet Banking Primary Types
  • Informational
  • General information about the financial
    institution
  • Products or services offered
  • Transactional
  • Initiating banking transactions
  • Buying products and services

11
Transactional Websites
  • Provide two separate types of services
  • Retail services
  • Wholesale services

12
Retail Services
  • Account management
  • Bill presentment and bill payment
  • New account initiation
  • Wire transfers
  • Investment and brokerage services,
  • Loan applications and approval
  • Account aggregation for individual consumers

13
Wholesale Services
  • Account management
  • Corporate cash management
  • Small business loan applications, approvals, and
    advances
  • Wire transfers
  • Business-to-business payments
  • Employee benefits and pension administration for
    business customers

14
Issues Impacting E-Banking
  • Informational Website
  • Potential liability and consumer violations
  • The insider threat if the website is not
    properly isolated
  • Avenue for spreading viruses and other malicious
    code
  • Reputational risk for service disruption and
    defacing


15
Issues Impacting E-Banking
  • Transactional websites
  • Safeguarding customer information
  • Authentication processes (e.g. ID theft)
  • Liability for unauthorized transactions
  • Losses from fraud


16
Issues Impacting E-Banking
  • Transactional websites (cont'd)
  • Violations of laws or regulations (e.g. consumer
    privacy, etc.)
  • Reputational risk from failure to process
    third-party payments

17
E-Banking Risks
[Table: Unique brands phished, by sector. Source: Symantec Global Internet Security Threat Report 2009, Table 16.]
18
E-Banking Risks
[Figure panels: Data breaches; Identities exposed]
Fig. 4: Data breaches that could lead to identity theft by sector and identity exposure by sector. Source: Based on data provided by OSF Dataloss DB.
19
E-Banking Risks
  • The types of e-banking risks include
  • Transaction or operations risk
  • Credit risk
  • Liquidity, interest rate, price, and market risks
  • Compliance or legal risk
  • Strategic risk

20
Operational (Technology) Risk Elements
21
Transaction or Operations Risk
  • May arise from
  • Fraud
  • Processing errors
  • System disruptions
  • Other unanticipated events
  • May be mitigated by
  • Adopting effective policies, procedures, and
    controls
  • Sufficient capacity and redundancy

22
Credit Risk
  • Verifying the customer's identity
  • Monitoring and controlling the growth, pricing,
    underwriting standards, and ongoing credit quality

23
Credit Risk
  • Monitoring and oversight of third-parties
  • Monitoring out-of-area lending (e.g.
    concentration and volume)
  • Valuing collateral and perfecting liens

24
Market Risk
  • Dependence on brokered funds or other highly
    rate-sensitive deposits
  • Geographic restrictions
  • Impact of loans and deposit growth (e.g. on
    capital ratios)
  • Volatility of funds

25
Compliance and Legal Risks
  • Uncertainty over legal jurisdictions
  • Delivery of credit and deposit-related
    disclosures/notices as required by law
  • Establishment of legally binding electronic
    agreements

26
Compliance and Legal Risks
  • Solicitation, collection and reporting of
    government monitoring information on applications
    and loans (e.g. AML requirements)
  • Delivery of privacy and opt-out notices
  • Record retention requirements

27
Strategic Risk
  • Risk management costs against the potential
    return on investment
  • MIS to track e-banking costs, usage and
    profitability
  • Generation of sufficient customer demand
  • Adequacy of technical, operational, compliance or
    marketing support
  • Competition

28
Reputation Risk
  • Customer complaints
  • e.g. difficulty of use, poor help desk service,
    etc.
  • Failure to provide reliable service
  • Disclosure or theft of confidential customer
    information to unauthorized parties (e.g.
    hackers)
  • Loss of trust due to unauthorized activity on
    customer accounts
  • Failure to deliver on marketing claims

29
Planning Considerations
  • Strategic objectives for e-banking
  • Scope, scale, and complexity of equipment,
    systems, and activities
  • Technology expertise
  • Security and internal control requirements
  • Hosting options (in-sourcing vs. outsourcing)

30
Outsourcing Options
  • Another financial institution
  • Internet service provider
  • Internet banking software vendor or processor
  • Core banking vendor or processor
  • Managed security service provider
  • Others

31
E-Banking Configuration
32
Examination Areas
  • Discussion of risk-management issues related to
    e-banking include
  • Board and management oversight
  • Managing outsourcing relationships
  • Information security programmes
  • Administrative controls
  • Legal and compliance issues

33
Board and Management
  • Developing the institution's e-banking business
    strategy
  • Level/Type of e-service
  • Anticipated customer demand
  • Thorough analysis of the costs and benefits
    (reduced costs, new revenue, etc.)
  • Ongoing evaluation of the strategy's
    effectiveness
  • Expanded audit coverage to include e-banking
    activities

34
Examination Procedures
  • Examiners should
  • Determine the adequacy of e-banking activities
    with respect to strategy, planning, management
    reporting, and audit.
  • Determine whether e-banking guidance and risk
    considerations have been incorporated into the
    institution's operating policies


35
Examination Procedures
  • Assess the level of oversight by the board and
    management in ensuring that
  • Planning and monitoring are sufficiently robust
    to address
  • Evaluate adequacy of key MIS reports

36
Managing Outsourcing Relationships
  • Provide effective oversight of third-party
    vendors providing e-banking services and support
  • Perform appropriate due diligence
  • Consider sourcing options using cost-benefit
    analysis (in-source, outsource, off-shore)
  • Adequate contractual coverage
  • Ongoing monitoring and oversight of relationship
    (e.g. SLA, vendor stability, etc.)

37
Examination Procedures
  • Examiners should
  • Assess the adequacy of management's due diligence
    activities
  • Assess vendor contract to verify that the
    responsibilities of each party are appropriately
    identified
  • Assess the adequacy of ongoing vendor oversight

38
Information Security Programme
  • Compliance with laws, regulations and guidelines
    (e.g. e-commerce legislation, supervisory
    guidance, industry-specific requirements, etc.)
  • Establish layers of various security control,
    monitoring, and testing methods
  • Customer authentication, access control and
    education

39
Examination Procedures
  • Examiners should
  • Determine if the institution's information
    security programme sufficiently addresses
    e-banking risks
  • Determine whether the security programme includes
    monitoring of systems and transactions and
    whether exceptions are analyzed


40
Examination Procedures
  • Examiners should (cont'd)
  • Evaluate access control associated with
    employees' administrative access
  • Assess whether the information security programme
    includes independent security testing

41
Administrative Controls
  • Maximize the availability and integrity of
    e-banking systems
  • Implement sound internal controls (e.g.
    segregation of duties, dual control, fraud
    detection controls, etc.)
  • Institute sound business continuity processes

42
Examination Procedures
  • Examiners should
  • Determine whether employee authorization levels
    and access privileges are commensurate with their
    assigned duties and reinforce segregation of
    duties
  • Determine whether audit trails for e-banking
    activities are sufficient to identify the source
    of transactions


43
Examination Procedures
  • Examiners should (cont'd)
  • Determine whether business continuity plans
    appropriately address the business impact of
    e-banking products and services

44
Legal and Compliance Issues
  • Disclose clearly and conspicuously the name of
    the financial institution and the website's
    content
  • Other possible disclosure requirements
  • Full name, geographic address, website address,
    email address and telephone numbers of bank
  • Bank's geographic address for the service of
    legal documents
  • Details of the bank's corporation status


45
Legal and Compliance Issues
  • Other possible disclosure requirements (cont'd)
  • Bank's membership in any regulatory or accredited
    bodies (e.g. licensing and supervisory body,
    deposit insurance membership, etc.)
  • Maintain the privacy and confidentiality of
    customer information
  • Transaction monitoring and consumer disclosures

46
Legal Framework
  • Legal framework that facilitates and makes
    specific provisions for availability, reliability
    and security. Provisions may include
  • facilitate electronic transactions by means of
    reliable electronic documents
  • promote the development of the legal and business
    infrastructure necessary to implement secure
    electronic commerce
  • eliminate barriers to electronic commerce
    resulting from uncertainties over writing and
    signature requirements


47
Legal and Compliance Issues
  • Provisions may include (cont'd)
  • promote public confidence in the integrity and
    reliability of electronic documents and
    electronic transactions, in particular through
    the use of encrypted signatures to ensure the
    authenticity and integrity of electronic
    documents
  • establish uniformity of legal rules and standards
    regarding the authentication and integrity of
    electronic documents

48
Examination Procedures
  • Examiners should
  • Review the website content for inclusion of legal
    and regulatory requirements and disclosures
  • As applicable, determine whether the financial
    institution has considered the applicability of
    various laws and regulations to its e-banking
    activities

49
E-Banking Trends
  • Account aggregation
  • Wireless Banking

50
Account Aggregation
  • Service unique to Internet banking
  • Service includes a financial institution
  • gathering information from multiple websites
  • Presents that information in consolidated form to
    customers (e.g. providing financial advice and
    shopping services that scan the web for
    particular products)

51
Wireless Banking
  • Occurs when a customer accesses a financial
    institution's networks via telecommunication
    companies' wireless networks
  • Devices
  • Cellular phones
  • Pagers
  • Personal digital assistants (or similar devices)

52
Wireless Banking Risks
  • Heightened level of potential operations risk
  • Early stages of adoption by the market (strategic
    risk)

53
New Challenges
  • Financial institutions continue to face
    traditional challenges, but e-banking poses a new
    set of risks
  • While offering customers convenience and easy
    access to information, e-banking also potentially
    increases institutional exposure to identity
    theft and unauthorized access to information

54
Requires Vigilance
  • Institutions offering e-banking products and
    services must be
  • vigilant in identifying new and emerging threats
  • continually adjust their systems to protect the
    integrity, confidentiality, and availability of
    automated information

55
Questions?