Internet Banking - PowerPoint PPT Presentation


Title: Internet Banking


2
Wireless Banking
April 1, 2003
Clifford A. Wilke
Director of Bank Technology
Office of the Comptroller of the Currency
Washington, DC
3
  • The views and opinions expressed in this
    presentation do not necessarily represent the
    views and directives of the Office of the
    Comptroller of the Currency or the Office of the
    Director of the Bank Technology Division.

4
Wireless Banking Motivations
  • Banks and financial service companies are
    offering wireless account access
  • Extension of internet applications
  • Delivery to highly portable cell phones and
    personal digital assistants
  • More people getting devices
  • Features improving as technologies advance
  • Improve customer retention rates, especially
    among technology-oriented customers

5
Wireless Banking Methods
  • Retail Delivery
  • PCs relying on non-bank owned wireless LANs or
    cell phone dial-in to access internet banking
    products
  • Mobile devices (e.g., cell phones, PDAs)
    accessing banking products customized to smaller
    form factors
  • Application support outsourced
  • Services range from full internet banking
    services to limited balance inquiry, funds
    transfer, bill pay and brokerage

6
Wireless Link
  • Retail Delivery
  • Wireless LANs rely on unlicensed radio
    frequencies and IEEE 802.11 standards
  • Cell phone delivery relies on licensed radio
    frequencies and evolving delivery standards
    shifting from a voice to a data focus

7
Challenges
  • Security
  • Systems Development and Life Cycle Management
  • Performance
  • Return on investment

8
Reported Data Security Incidents
Source: CERT/CC. Statistics are not limited to
the banking industry and include all reported
incidents.
9
Identity Theft
  • 86,200 identity theft incidents last year, up
    from 31,000 the prior year
  • The cost to consumers averaged $1,200 per crime
  • Some incidents required victims to spend up to
    three years communicating with lenders and credit
    bureaus to straighten out records.
  • Source: Issue 771, Sept. 2002, of The Nilson
    Report, p. 9; FTC data

10
Banking Risks
  • Same inherent risks and issues as Internet
    banking; primary risks affected:
  • Strategic
  • Transaction
  • Reputation
  • Compliance

11
Strategic Risk
  • Determining wireless banking role in delivering
    products and services
  • Defining risk versus reward goals and objectives
  • Is the reward added revenue, saving lost
    revenues, and/or increased efficiency?
  • Are capital expenditures (at purchase and
    retirement), maintenance and operating costs less
    than the reward (i.e., income)?

12
Strategic Risk
  • Implementing emerging e-banking strategies
  • First Mover (bleeding edge) vs. wait and see
    (permanently lose market share)
  • Ease of implementing outsourced solution to keep
    up with the competition
  • Financial stability of vendors
  • Uncertain customer acceptance
  • Using standards not designed for secure banking
    environment needs
  • Rapidly changing technology standards
  • Expertise

13
Transaction Risk
  • Security Issues
  • Wireless transmission encryption
  • Standards retro-fitted once security became an
    issue
  • Designed to protect transmitted data from
    unauthorized access/use
  • Early standards 802.11 and Wireless Access
    Protocols (i.e., WAP) have known vulnerabilities
  • Potential need to upgrade equipment as standards
    change

14
Transaction Risk
  • Security Issues
  • Access codes stored on device may allow account
    access if device lost or accessed
  • User names and passwords may be entered in clear
    view on the screen
  • Customer acceptance of alphanumeric PINs
  • Mobile phones require pressing a number key
    multiple times for certain letters, which may be
    challenging even if the display is not asterisked
    out (i.e., )

15
Transaction Risk
  • Security Lessons Reinforced
  • Unproven standards can have security weaknesses
  • Risk of external attacks increases as services
    expand to allow greater access to systems
  • Companies need to maintain knowledge of attack
    techniques, known and newly identified
  • End-to-end security is key
  • Do not rely on wireless transport layer security
    for banking application security
  • Need effective change management processes
  • Encourage customers to use good PIN/Password
    management practices

16
Transaction and Reputation Risk
  • Outsourcing
  • Access to expertise
  • Knowledge of wireless communication standards and
    encryption methods
  • Developing and converting existing products and
    services for wireless transmission and use
  • Effect of device characteristics
  • Smaller screens
  • Button or stylus commands

17
Reputation Risk
  • Reliability of delivery network
  • Customer acceptance of no-service due to
    telecommunications issues when they are in areas
    they expect service - Consumer Expectations
  • Processing and handling of interrupted
    transactions
  • Integration of wireless applications with
    existing products and services

18
Compliance Issues
  • Disclosures
  • Wireless banking devices are easier to lose and
    may increase potential of unauthorized usage
  • Types of services offered affects level of risk
    (e.g., P2P payments increase risk)
  • Privacy concerns from location based services

19
GLBA Compliance
  • Primary Elements of Information Security Program
  • Involve Board of Directors
  • Assess Risk
  • Manage and Control Risk (including testing)
  • Oversee Service Providers
  • Adjust Program

20
Characteristics of Good Risk Management
  • Sound definitions of acceptable risk
  • Ownership of the risk assessment
  • Explicitly accept risks
  • Identify key controls
  • Create a test plan and follow up of results
  • Ongoing Board involvement
  • Active Vendor Management
  • Sufficient Technical Expertise
  • Appropriate Business Continuity Planning

21
Industry Initiatives
  • Many companies have strong policies in place to
    maintain their position of trust
  • The reputational risk of the company and loss of
    market share is at stake
  • Financial exposure is real

22
Best Practices
  • Secure architecture
  • Vulnerability management
  • Intrusion detection
  • Information sharing
  • Training and awareness
  • Regular testing, reporting, improving

23
What's Next - We Need to Focus On
  • Security
  • Authentication and Verification
  • Proper Due Diligence and Complete Understanding
    of the Issues
  • Prepare now for what is ahead
  • New Entrants into the Marketplace
  • International Perspective in the New World

24
OCC Technology Issuances
  • FFIEC Information Security Booklet (February
    2003)
  • Electronic Banking Final Rule (May 2002)
  • Bank Use of Foreign-Based Service Providers (May
    2002)
  • ACH Transactions Involving the Internet (January
    2002)
  • Authentication in an E-Banking Environment (July
    2001)
  • Weblinking (July 2001)
  • Alert - Network Security (April 2001)
  • GLBA Guidelines to Safeguard Customer Information
    (Feb 2001)
  • Risk Management of Outsourced Technology Services
    (Nov 2000)
  • Infrastructure Threats--Intrusion Detection (May
    2000)
  • Alert - Distributed Denial of Service (February
    2000)
  • Alert - Internet Domain Names (July 2000)
  • Infrastructure Threats from Cyber-Terrorists
    (99-9)
  • Technology Risk Management PC Banking (98-38)
  • Technology Risk Management (98-3)

26
Summary
  • Safety, Soundness and Responsibility will remain
    the primary driver