ELECTRONIC BANKING QUESTIONNAIRE (02/03)
This document is to be viewed as a learning tool. Constructive commentary is welcome. If you are already doing everything described in the questionnaire, you probably have a sound e-banking platform. If not, you should take into consideration the items not covered.
Please complete and sign the following questionnaire. These pages may be handwritten, typewritten, or completed electronically. For banks with telephone banking only, complete questions 1 - 2. For an informational web site, complete questions 1 - 43. For an informational site that allows emails with sensitive information, also complete questions 79 and 80. For a transactional web site, complete questions 1 - 93. If you have started offering electronic banking services within the last two years, also answer questions 94 - 97. Refer to the last page for some terminology explanations.
Name of Bank under examination: ______________________________
Bank's web site address: ______________________________
TELEPHONE BANKING
1. When did the bank begin offering telephone banking?
   a. Who is it offered through?
   b. How does the customer access it?
   c. How many customers utilize it?
2. What is the customer able to do once they have accessed their accounts?

PC BANKING
3. Do you offer? Yes No

WEB SITE
4. How does the bank connect to the Internet? DSL / cable / T1 line / frame relay / 56k dial up / 28.8 dial up / ISDN / other (describe)
5. Where is the bank's web site hosted? In house / Off site. Who is the host (name and location)?
6. When did the bank's web site become active?
7. Is the web site address reported on the bank's quarterly call reports? Yes No
8. Does the bank have a contract with the web site host? Yes No If yes, provide a copy. Does it include the following:
   Yes No Liability for data and confidential treatment of information.
   Yes No Regular back up of web site information.
   Yes No Security precautions on the part of the service provider.
   Yes No Reasonable assurances for continuation of service through back up arrangements in the event of a problem situation.
   Yes No Procedures to notify the bank of any unauthorized alteration and malicious attacks.
9. Who is responsible for maintaining (updating and/or changing information) the bank's web site?
10. Is the bank's web site reviewed internally? Yes No If yes, how often is it reviewed? Who reviews it? What do they look at?
11. If links are included on the web page:
   a. Has the bank taken steps to ensure that the customer understands they are leaving the bank's web site? Yes No
   b. Does the bank provide some type of disclaimer of the bank's liability for transactions or information provided at these linked sites? Yes No
   c. Are links and interactive programs checked for accuracy and functionality? Yes No If yes, who checks them and how frequently?
12. Does the web site undergo periodic review by any of the following? Yes No Legal Counsel. Yes No CPA. If yes, provide a copy.
13. Are security measures in place to prevent the web site information from being altered? Yes No If yes, what are they?
14. Are procedures in place for receipt of software updates/patches? Yes No If yes, provide a copy. Who is responsible for doing the implementation of the updates/patches? Are they tested before putting into production? Yes No
15. Are procedures in place for operating system updates? Yes No If yes, what are the procedures? Who is responsible for implementing the updates?
16. How often is virus protection software updated on servers and workstations? How often is it run? Who is responsible for doing the updates?
17. Does management keep up-to-date on addressing newly disclosed security threats to the computer operating system and application software? Yes No If yes, please explain.
18. Is an intrusion detection system in place? Yes No If yes, how frequently is it tested? Who is responsible for testing it? Who is responsible for reviewing it and monitoring the activity?
19. Is penetration testing done? Yes No If yes, how frequently is it done? Who does it? Are they bonded? Yes No Who is responsible for reviewing the results?
20. Are controls or procedures in place for any of the following?
   Yes No Prevention of hackers from accessing the system
   Yes No Prevention of line tapping
   Yes No Discovered intrusion attacks
   Yes No Attacks after hours
   If any are yes, describe the procedures.
21. Are loan and certificate of deposit rates posted to the bank's web site? Yes No If yes, how often are they updated and who is responsible for updating?
22. Firewalls
   a. Are firewalls in place? (For any that are yes, please list what type of firewall is in place at that location.)
      Yes No At the bank
      Yes No At the web host
      Yes No At the outsource vendor
   b. Who is responsible for installing, configuring, and updating the firewalls?
   c. Who is responsible for monitoring firewall activity?
   d. How frequently are the firewalls being monitored?
   e. What type of activity is being monitored?
   f. Are reports available on the activity? If someone other than the bank is monitoring the firewalls, are there monitoring and maintenance agreements in place? Yes No
23. Are all unused services blocked at the firewall? Yes No If yes, what ports are left open at the firewall?
24. Are controls in place restricting physical access to computer hardware, software, and communication equipment? Yes No If yes, explain.
25. Are any application forms available on the web site? Yes No If yes, provide copies.
26. If applications are available on the web site, how does the customer submit them? Fax / Online / Mail / In-person / Other (explain)
27. Does the bank verify the legitimacy of the customer who has submitted the application? Yes No If yes, how is it verified?
28. If accepting customers over the Internet, are OFAC restrictions being considered? (OFAC stands for Office of Foreign Asset Control) Yes No
29. Indicate the individual(s) responsible for the electronic banking area. (If available, provide an organizational chart.)
30. List all personnel involved with electronic banking and their duties.
31. Does the bank have an Electronic Banking Committee (or something similar)? Yes No If yes, list the members and their responsibilities. How often do they meet?
32. What incentives does the bank provide for obtaining and retaining key IT personnel?
33. What is discussed with the Board of Directors regarding the bank's web site and services offered? (Provide copies if not already provided for the examination.)
34. Is the Board fully informed of the risks involved with electronic banking and do they understand those risks? (strategic, reputation, transaction, compliance) Yes No Is it noted in the minutes? Yes No
35. Electronic banking insurance policy (provide copy if separate from financial institution crime bond)
   a. What type of occurrence does the policy cover?
   b. What company is it with?
   c. How many occurrences does it stipulate must take place before coverage applies?
   d. What is the dollar amount of coverage?
   e. What directors, officers, IT personnel, or employees are covered?
   f. What is the deductible amount?
   g. What is the expiration date?
   h. Does it adequately cover the bank's capital?
   i. Is it approved by the board of directors? Yes No
36. Is a review of electronic banking included in the annual Directors' exam (or a separate exam)? Yes No Were any exceptions found? Yes No Have they been addressed? Yes No Provide a copy of exceptions noted and management's response.
37. Are the bank's hardware and phone lines protected from power surges, lightning strikes, etc.? Yes No If yes, how?
38. Please provide a copy of the bank's topology map (schematic diagram).
39. Are there any pending lawsuits/contingent liabilities relating to electronic banking activities? Yes No If yes, describe and provide an attorney's letter indicating the bank's liability and potential for loss.
40. Has the bank checked into similar domain names? (web addresses that are similar or could be mistaken for the bank's) Refer to FDIC Bank Technology Bulletin dated November 8, 2000.
41. Has the bank encountered any computer-related crime? Yes No If yes, what was the nature of the crime and was a suspicious activity report filed?
42. Does the bank have legal counsel review literature distributed to the public? Yes No If yes, provide a copy of any opinion received.
43. What future plans, additional services, changes or other services are you contemplating offering on your web site within the next twelve months? (i.e. new or change in vendors, or operating procedures)
TRANSACTIONAL WEB SITE
44. What is included on your transactional web site? Internet banking / Insurance services / Brokerage services / Small business services / Commercial business services / Portal services / Aggregation services / Trust services / Bill payment / Other (explain)
45. When did you start offering Internet banking?
46. What options are available to the customer once they have accessed Internet banking?
   Viewing of account balances
   Transfer of funds between accounts
   Bill payment
   Bill presentment
   24/7 customer service by phone or email
   Online application for checking and savings accounts
   Online mortgage and CD applications
   Viewing of loan status and credit card account information
   IRA and brokerage account information
   Checkbook reconciliation access
   Viewing of account history
   Viewing of digital checks online
   Ordering checks online
   Issuing stop payment orders online
   Other
47. What vendor is used for Internet banking?
48. Does the bank have a written contract with the vendor? Yes No At a minimum, does it include the following:
   Yes No Access, ownership and control of customer data and other confidential information.
   Yes No Liability for data and confidential treatment of information.
   Yes No Opportunities to review financial information, independent annual audits and similar reports. (SAS 70)
   Yes No Security precautions on the part of the service provider.
   Yes No Reasonable assurances for continuation of service through back up arrangements in the event of a problem situation.
   Yes No Reasonable control and update of content and capabilities in a timely manner.
   Yes No Subcontractors and other supporting vendors, including their roles and responsibilities.
   Yes No Privacy of information with subcontractors.
   Yes No Does it prohibit assignment?
   Yes No Hardware and software upgrades.
   Yes No Price changes.
   Yes No Description of the work to be performed or service to be provided.
   Yes No Problem resolution.
   Yes No Provisions for handling disputes.
   Yes No Protection if the vendor exits the business.
   Yes No Specify insurance is to be maintained by the vendor.
   Yes No The bank's ability to monitor, store and retrieve electronic transmissions (including messages and data) between the bank and its customers.
   Yes No Training.
   Yes No Reasonable penalty and cancellation provisions.
   Yes No Initial pricing, including down payments, and continuing costs.
49. Has the FDIC been notified in relation to Section 7(c)(2) of the Bank Service Company Act? (this form is not required if the bank is a Federal Reserve member) Yes No
50. Have letters of assurance been obtained as required by Section 524.218 of the Code of Iowa? Yes No
51. What services (if any) are customers being charged for and how much?
52. What ongoing expenses are incurred - purpose and amount?
53. Did legal counsel review the vendor contract? Yes No
54. Does the expiration date of the contract coincide with that of any subcontractors? Yes No
55. Has management received assurance that the vendor has conducted due diligence reviews of any subcontractors? Yes No
56. Do you obtain financial information on the vendor? Yes No If yes, please provide a copy.
57. Have you checked what insurance coverage the vendor has? Yes No If yes, what do they have?
58. Has the bank reviewed the vendor's contingency plan and procedures? Yes No If yes, are you comfortable with the plan and/or procedures? Yes No
59. Are there stress (volume) testing procedures in place to determine the capacity of the vendor's system? Yes No If yes, please provide the report.
60. Did you receive a copy of the most recent audit report on the vendor (SAS 70)? Yes No If yes, how frequently do you receive it and when did you last get it? Who reviews it? Was the management letter also requested and received? Yes No If yes, give details.
61. Have you had any problems with the vendor? Yes No If yes, give details.
62. Does the bank belong to any vendor user groups? Yes No
63. How is the bank's internal network connected to the outsourcing vendor? DSL / Cable / 56k dial up / ISDN / T1 line / Frame relay / 28.8 dial up / Other (describe)
64. What type of environment does the Internet banking site operate in? real time (is the main frame updated immediately?) / batch processing / memo post
65. If using batch processing, how and when is information transferred between the vendor and the bank?
66. List personnel authorized to access the management side of the bank's Internet banking system and their levels of access. Who reviews this for appropriateness and how often is it reviewed?
67. Are safeguards in place to detect and prevent duplicate transactions? Yes No If yes, describe the procedures.
68. Provide password procedures on the following:
   EXTERNAL (customers)
   a. Authentication of user
   b. Initially issuing password
   c. Customer locked out of account
   d. Frequency of password change and is it required
   e. Requirement for make-up of password
   f. Automatic log-off controls for user inactivity
   g. Do excessive failed access attempts disable access and how many failed attempts is excessive
   h. Customer loses or forgets password
   i. Any other procedure not listed above:
   INTERNAL (bank personnel)
   a. Frequency of password change and is it required?
   b. Requirement for make-up of password
   c. Do excessive failed access attempts disable access and how many failed attempts is excessive
   d. Log off procedure when leaving station
   e. Any other procedure not listed above:
69. Do employees have access to customer passwords? Yes No
70. Are there procedures for verifying the legitimacy of customer requests for changes to their accounts or customer information? Yes No If yes, describe procedures.
71. Are procedures in place to prevent transfers of uncollected funds? Yes No If yes, describe.
72. Other than applications, are any types of lending or loan advances done over the Internet? Yes No If yes, provide procedures followed.
73. What vendor(s) is utilized for the bill payment function?
74. Does the bank provide a guarantee or warranty when a payment is not properly made through the bill payment system? Yes No NA If yes, what is the guarantee or warranty? Has it been reviewed by legal counsel? Yes No NA
75. How many customers are signed up for Internet banking and/or bill payment?
76. Other than Internet banking or bill payment, has the bank contracted with any other vendors for services on the web site? (list vendor name, location, and service)
77. What exception reports are received for any transactional functions on the bank's web site? (provide a sample of reports received)
   a. How often are they reviewed and by whom?
78. What activity reports are received? (provide a sample of reports received)
   a. How often are they reviewed and by whom?
   b. Do they track the nature, volume, speed, and trends?
   c. How do the results compare to bank projections?
79. Is the bank using digital signatures and/or digital certificates? Yes No Digital signatures Yes No Digital certificates (or ID)
80. At what level is sensitive data encrypted? 40-bit / 128-bit / other (describe)
81. Does the bank have procedures in place for when there is an interruption in service of Internet banking for the customer (contingency plan)?
   Yes No Due to disaster (natural, human, technological) at the bank level.
   Yes No Due to disaster (natural, human, technological) or lack of capacity at the vendor level.
82. Do IT personnel participate in training programs? Yes No If yes, what types of programs?
83. Is electronic banking training provided to other officers and employees of the bank? Yes No
84. Does the bank or outsource vendor have a software escrow agreement in place? Yes No If yes, how often is the escrowed software independently verified as being current and complete?
85. Are guidelines for retention of source documents supporting electronic banking activities in place? Yes No
86. Does the bank have a target market or trade area for the Internet? Yes No Target market - If yes, what is it? Yes No Trade area - If yes, what is it?
87. Are any policies and procedures in place to address activities beyond the traditional trade area? Yes No If yes, what are they?
88. Did the bank do a cost analysis specifically on electronic banking? Yes No If yes, provide a copy.
89. Are income and expense items, related to electronic banking, included in the annual budget? Yes No
90. Are you allowing customers to advertise on the bank's web site? Yes No If yes, what disclosures are included on the page?
91. Where nondeposit investment products are offered or promoted on the bank's web site, are the following disclosures included (at a minimum)?
   Yes No Not FDIC insured
   Yes No Not a bank deposit, bank obligation, or guaranteed by the bank
   Yes No Subject to investment risk, including potential loss of principal
   Yes No NA If required, was approval received from the Superintendent of Banking?
92. Has management established programs and/or procedures for the following?
   Yes No Customer service, support, and education. If yes, describe.
   Yes No Customer demands, problems, and complaints. If yes, describe.
93. Have steps been taken to safeguard information in regards to Gramm-Leach-Bliley (GLBA) 501(b)? Yes No

IF THE BANK BEGAN OFFERING ELECTRONIC BANKING SERVICES WITHIN THE LAST TWO YEARS, PLEASE ANSWER THE QUESTIONS BELOW:
94. What was your reasoning for offering Internet banking and/or any other electronic banking services? Profit / Convenience / Retain customers / Competition / New customers / Customers' request / Other (explain)
95. How did you choose which vendor to use?
96. What was the initial set-up cost?
97. Was testing done with employees before offering to customers? Yes No If yes, what date did testing with employees start? What date did you start offering to customers?

Signature of person in charge of electronic banking: ______________________________________________________ Date signed: _________________
DEFINITIONS:
Web site - The bank's home page and other proprietary pages located on the World Wide Web. Three types of web sites:
   LEVEL 1 - site is informational only and may allow nonsensitive emails (informational).
   LEVEL 2 - level one with the addition of allowing sensitive information emails (interactive).
   LEVEL 3 - fully transactional, including facilitating electronic funds transfer and other financial transactions (If you offer Internet banking, you are a transactional site) (transactional).
Electronic banking - Delivery of banking services through the use of electronic communications, primarily the Internet. Electronic banking may include: Internet banking, telephone banking, EFT, wire transfer, ATMs, and debit cards.
Internet banking - Banking services available through the bank's web site.
Security administrator - Person directly responsible for the security controls.
System administrator - Individual responsible for managing a multi-user computer system.
Software escrow agreement - Many vendors do not release the source code to the purchaser. This is intended to protect their system's integrity and copyright. The application system is installed in object code. An alternative to receiving the source programs is to establish an escrow agreement, which should be part of the service contract or exist as a separate document. In this agreement, the financial institution would be allowed to access source programs under certain conditions, such as discontinued product support or financial insolvency by the vendor. A third party would retain these programs and documents in "escrow". Adequate programming and system documentation should also be required. Financial institutions should determine periodically that the source code maintained in escrow is up-to-date. This can be done by a third party independently verifying the version number of the software.