
Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities


Prepared for ABA USBanking 2002 by the Bank Technology Division of the Office of the Comptroller of the Currency, January 2002

The OCC is an independent bureau of the Department of Treasury and is the federal regulator of approximately 2,200 national banks.
Advances in communications provide networked global access to information and delivery of products/services
Internet has reached critical mass (60% of U.S. households)
Some banks have 25 percent of customers banking online
Increased competition from other industries and abroad
Greater reliance on third party providers
Advances in technology make the component functions of banking more easily divisible
Source: Office of the Comptroller of the Currency. “Transactional web sites” are defined as bank web sites that allow customers to transact business. This may include accessing accounts, transferring funds, applying for a loan, establishing an account, or performing more advanced activities.
Aggregation
Electronic Finder
Automated clearinghouse (ACH) transactions
Internet Payments
Wireless Banking
Certification Authority
Data Storage
Key Technology Risks
TowerGroup estimates banks outsource over 85% of their information technology
Rapid pace straining ability to oversee third parties
Consolidation of technology companies and core processors
Weak or negative earnings of new tech providers
Banks are postponing new technology investments, but still investing in proven technologies
Regardless of the decision to outsource, the bank remains ultimately responsible.
Increases in security events and vulnerabilities
According to the 2001 FBI/CSI survey, 70% reported that the Internet is the point of cyber attacks, up from 59% in 2000
Gramm-Leach-Bliley Act of 1999 requires banks to establish administrative, technical, and physical safeguards to protect the privacy of customers’ nonpublic records and information
Source: CERT/CC -- statistics are not limited to the banking industry and include all reported incidents
Reviewing physical and logical security:
Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlled
Seek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized access
Maintain knowledge of current threats facing the bank and the vulnerabilities of its systems
Assess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best practice levels
Reviewing physical and logical security (cont’d):
Verify the identity of new employees, contractors, or third parties accessing your systems or facilities. If warranted, perform background checks.
Evaluate whether physical access controls at all facilities are adequate.
Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.
Reliable customer authentication is imperative for E-banking
Effective authentication can help banks reduce fraud, reputation risk, and disclosure of customer information, and promote the legal enforceability of their electronic agreements
Methods to authenticate customers:
Passwords & PINs
Digital certificates & PKI
Physical devices such as tokens
Biometric identifiers
Uncertain pace of change and evolving standards (e.g., “bricks and clicks” more successful than Internet-only model)
First mover (“bleeding edge”) vs. wait and see (permanently lose market share)
Struggle to retain customers in face of intense competition
Inadequate oversight of third party providers
The 9/11 events, anthrax-laced mail, and the NIMDA virus underscore the importance of robust business continuity planning.
Steps to consider when reviewing business continuity plans:
Identify primary and secondary facilities in high profile or vulnerable locations and develop plans to mitigate undue risk exposure.
Ensure business continuity plans are coordinated and communicated on a corporate-wide basis with clear expectations.
Strengthen data backup and recovery site arrangements, as warranted, to ensure adequate off-site storage of back-up records and sufficient distance from primary operations.
Review succession plans for key employees and delegations of authority in the event of a crisis.
Review the community’s incident response plans and work with local governments to identify enhancements.
Analyze key customers and service providers for exposure to terrorist activities, including high profile industries or facilities (e.g., power companies, refineries, airlines, telecommunications providers), then assess the adequacy of their business continuity planning process.
Test plans on a regular basis, evaluate results and update plans.
Technology raises legal issues:
Permissible?
Applicability of state and foreign laws?
Validity of electronic agreements?
Technology creates consumer compliance issues:
Electronic disclosures delivery
Weblinking, customer confusion, and liability
RESPA and fee income from weblinking
CRA and fair lending issues
Reg. E application to aggregation services
Internet banking and payment systems may allow for new ways to conduct illegal and fraudulent activities:
Unauthorized access to deny service or re-direct a website
Identity theft resulting in unauthorized or illegal use of account information
Money laundering
Phony Internet banks
Electronic Banking Group (EBG), sponsored by the Basel Committee, chaired by Comptroller Hawke
Published studies on e-banking risk and risk management issues in 1998, 2000 & 2001, available at www.bis.org or www.occ.treas.gov
Developing guidance on cross border e-banking risks and aggregation
Coordinate international e-banking supervision efforts
Information sharing and training
OCC developing guidance on cross border Internet banking risks
Active vendor management
Ongoing board involvement
Sufficient technical expertise
Proactive network security that effectively prevents, detects, and responds to intrusions
Strong authentication practices
Encrypted communications
Periodic compliance and legal reviews
Appropriate backup and recovery
Guidance -- focus on risk analysis, measurement, controls, and monitoring
Risk-based examinations of banks and third party service providers (as authorized by the Bank Service Company Act of 1962)
On-site and quarterly reviews
Focus on safety and soundness
Reviews of banks with transactional web sites and E-banking service providers
Training and Technology Integration Project
External outreach and co-ordination
Licensing process for Internet-primary banks and novel activities
Questions?
Please contact John Carlson,
Senior Advisor for Bank Technology,
OCC
E-mail: John.Carlson@occ.treas.gov
Telephone: (202) 874-5013

Additional information is available on the OCC Website: www.occ.treas.gov
