
Electronic Banking

CARTAC & Caribbean Group of Banking Supervisors


IT Workshop for Regional Bank Examiners

June 23 – 25, 2009


Georgetown, Guyana

Kirk Tyrell, CISA


Assistant Director
Financial Institutions Supervisory Division
Bank of Jamaica
www.boj.org.jm
Objectives
 Identify the risks and risk
management practices associated
with e-banking activities
 Provide standardized guidance to
examiners on e-banking reviews
Definition

e-banking is defined as:

…the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels.
Definition

This definition includes delivering services and products such as:
 Account information
 Access to funds
 Business transactions and transfers
Electronic Delivery – How it can help
 Increases customer satisfaction and
retention
 Provides focused cross-selling
opportunities
 Shift costs
 Levels the playing field
 Increases brand value
 Provides real time access (i.e.
convenience)
Shift Costs
Shift Costs - Transaction Distribution, September 2007
(chart; vertical axis US$ 'Bil, 0 to 140; the plotted values are listed below)

Services        Branch                E-Channels
EPIN TOP-UP     0                     21,988,080.00
BILL PAYMENTS   3,526,891,674.26      345,362,174.91
TRANSFERS       131,468,529,187.96    347,368,142.83
CASH WDL        10,155,127,584.95     2,742,174,300.00
DEPOSITS        9,803,591,028.47      74,080,308.79

Source: PRINCETON SURVEY RESEARCH ASSOCIATES INTL. SEPTEMBER 2007


Specific Perspective
 Services and products delivered to
customers
 Supporting technology.
E-Banking Devices
 Personal computers (PCs)
 Personal digital assistants (PDAs)
 Automated teller machines (ATMs)
 Kiosks
 Touch tone telephones
 Cellular and smart phones
Internet-Based Services

Although there is risk in using any of these remote access devices (e.g. PCs, PDAs, kiosks, mobile phones) for financial services, those that involve Internet access typically pose the greatest risk. This is because the Internet is such a widely accessible and public network.
Internet Banking Primary Types

1. Informational
 General information about the
financial institution
 Products or services offered
2. Transactional
 Initiating banking transactions
 Buying products and services
Transactional Websites

Provide two separate types of services:
1. Retail services
2. Wholesale services
Retail Services
 Account management
 Bill presentment and bill payment
 New account initiation
 Wire transfers
 Investment and brokerage services
 Loan applications and approval
 Account aggregation for individual
consumers
Wholesale Services
 Account management
 Corporate cash management
 Small business loan applications,
approvals, and advances
 Wire transfers
 Business-to-business payments
 Employee benefits and pension
administration for business customers
Issues Impacting E-Banking
Informational Website:
 Potential liability and consumer
violations
 “The insider threat” if the website is
not properly isolated
 Avenue for spreading viruses and
other malicious code
 Reputational risk for service
disruption and defacing
……
Issues Impacting E-Banking

Transactional websites:
 Safeguarding customer information
 Authentication processes (e.g. ID theft)
 Liability for unauthorized transactions
 Losses from fraud

……
Issues Impacting E-Banking

Transactional websites (cont’d):
 Violations of laws or regulations (e.g. consumer privacy, etc.)
 Reputational risk from failure to process third-party payments
E-Banking Risks
Unique brands phished, by sector (percentage of phished brands)

Sector               2008    2007
Financial             79%     83%
ISP                    8%      7%
Retail                 4%      4%
Insurance              2%      2%
Internet community     2%      2%
Telecom                2%     <1%
Computer hardware      1%      1%
Government             1%      1%
Computer software     <1%      1%
Transportation        <1%      1%
Source: Symantec Global Internet Security Threat Report 2009, Table 16. Unique brands phished, by sector
E-Banking Risks

[Figure, two panels: "Data breaches" and "Identities exposed". Fig. 4 Data breaches that could lead to identity theft by sector and identity exposure by sector. Source: Based on data provided by OSF Dataloss DB.]
E-Banking Risks

The types of e-banking risks include:
 Transaction or operations risk
 Credit risk
 Liquidity, interest rate, price, and market risks
 Compliance or legal risk
 Strategic risk
Operational (Technology) Risk Elements

Element                   Technology Risks
1) Management processes    Management oversight
                           Inadequate audit coverage
                           New products process
2) Architecture            Poor development standards
                           Mis-configuration of hardware/software
                           Datacenter burns
3) Integrity               Back office mistake
                           Errors of judgment
4) Security                Inadequate password administration
                           Breach of policy
                           Viruses, malware, phishing, etc.
5) Availability            Natural disaster
                           Failure to backup
Transaction or Operations Risk
May arise from:
 Fraud
 Processing errors
 System disruptions
 Other unanticipated events
May be mitigated by:
 Adopting effective policies, procedures, and controls
 Sufficient capacity and redundancy
Credit Risk
 Verifying the customer’s identity
 Monitoring and controlling the
growth, pricing, underwriting
standards, and ongoing credit
quality
Credit Risk
 Monitoring and oversight of third-
parties
 Monitoring out-of-area lending
(e.g. concentration and volume)
 Valuing collateral and perfecting
liens
Market Risk
 Dependence on brokered funds or
other highly rate-sensitive deposits
 Geographic restrictions
 Impact of loans and deposit growth
(e.g. on capital ratios)
 Volatility of funds
Compliance and Legal Risks
 Uncertainty over legal jurisdictions
 Delivery of credit and deposit-
related disclosures/notices as
required by law
 Establishment of legally binding
electronic agreements
Compliance and Legal Risks
 Solicitation, collection and reporting
of government monitoring
information on applications and
loans (e.g. AML requirements)
 Delivery of privacy and opt-out
notices
 Record retention requirements
Strategic Risk
 Risk management costs against the
potential return on investment
 MIS to track e-banking costs, usage
and profitability
 Generation of sufficient customer
demand
 Adequacy of technical, operational,
compliance or marketing support
 Competition
Reputation Risk
 Customer complaints
 e.g. difficulty of use, poor help desk service,
etc.
 Failure to provide reliable service
 Disclosure or theft of confidential
customer information to unauthorized
parties (e.g. hackers)
 Loss of trust due to unauthorized activity
on customer accounts
 Failure to deliver on marketing claims
Planning Considerations
 Strategic objectives for e-banking
 Scope, scale, and complexity of
equipment, systems, and activities
 Technology expertise
 Security and internal control
requirements
 Hosting options (in-sourcing vs.
outsourcing)
Outsourcing Options
 Another financial institution
 Internet service provider
 Internet banking software vendor or
processor
 Core banking vendor or processor
 Managed security service provider
 Others
E-Banking Configuration
Examination Areas

Discussion of risk-management issues related to e-banking includes:
 Board and management oversight
 Managing outsourcing relationships
 Information security programmes
 Administrative controls
 Legal and compliance issues
Board and Management
Developing the institution’s e-banking
business strategy
 Level/Type of e-service
 Anticipated customer demand
 Thorough analysis of the costs and benefits
(reduced costs, new revenue, etc.)
 Ongoing evaluation of the strategy’s
effectiveness
 Expanded audit coverage to include
e-banking activities
Examination Procedures
Examiners should:
 Determine the adequacy of e-
banking activities with respect to
strategy, planning, management
reporting, and audit.
 Determine whether e-banking
guidance and risk considerations
have been incorporated into the
institution’s operating policies

……
Examination Procedures
 Assess the level of oversight by the
board and management in ensuring
that:
 Planning and monitoring are sufficiently
robust to address
 Evaluate adequacy of key MIS reports
Managing Outsourcing Relationships
Provide effective oversight of third-party
vendors providing e-banking services
and support:
 Perform appropriate due diligence
 Consider sourcing options using cost-
benefit analysis (in-source, outsource, off-
shore)
 Adequate contractual coverage
 Ongoing monitoring and oversight of
relationship (e.g. SLA, vendor stability,
etc.)
Examination Procedures

Examiners should:
 Assess the adequacy of
management’s due diligence activities
 Assess vendor contract to verify that
the responsibilities of each party are
appropriately identified
 Assess the adequacy of ongoing
vendor oversight
Information Security Programme
 Compliance with laws, regulations
and guidelines (e.g. e-commerce
legislations, supervisory guidance,
industry-specific requirements, etc.)
 Establish layers of various security
control, monitoring, and testing
methods
 Customer authentication, access
control and education
Examination Procedures
Examiners should:
 Determine if the institution’s
information security programme
sufficiently addresses e-banking
risks
 Determine whether the security
programme includes monitoring of
systems and transactions and
whether exceptions are analyzed

……
Examination Procedures
Examiners should (cont’d):
 Evaluate access control associated
with employee’s administrative
access
 Assess whether the information
security programme includes
independent security testing
Administrative Controls
 Maximize the availability and
integrity of e-banking systems
 Implement sound internal controls
(e.g. segregation of duties, dual
control, fraud detection controls,
etc.)
 Institute sound business continuity
processes
Examination Procedures
Examiners should:
 Determine whether employee
authorization levels and access
privileges are commensurate with
their assigned duties and reinforce
segregation of duties
 Determine whether audit trails for
e-banking activities are sufficient to
identify the source of transactions

……
Examination Procedures
Examiners should (cont’d):
 Determine whether business
continuity plans appropriately
address the business impact of e-
banking products and services
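As an added illustration of the administrative controls above (segregation of duties, dual control, and an audit trail that identifies the source of each transaction), here is a small Go model of a wire-transfer approval flow. It is example code written for this page, not part of the workshop material or any bank's system; the roles, the dual-control threshold, the users, the source IP addresses and the amounts are all constructed assumptions. The point it makes is that the audit trail must record refused attempts (same person trying to approve their own transfer, a user without the approver role) as well as successful ones, because those refusals are the evidence an examiner uses to judge whether the controls actually operate.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Roles held by back-office users (constructed for this example). One person may
// hold several, which is exactly the case dual control must still catch.
type Role string

const RoleInitiator, RoleApprover Role = "initiator", "approver"

type User struct {
	ID    string
	Roles map[Role]bool
}

// Transfer moves through initiate -> approve -> release.
type Transfer struct {
	ID, InitiatedBy, ApprovedBy string
	AmountCents                 int64
	Released                    bool
}

// AuditEntry is one line of the audit trail: who acted, from where, on what, with
// what result. Refused attempts are recorded too; they show the control in action.
type AuditEntry struct {
	When                                        time.Time
	UserID, SourceIP, Action, Transfer, Outcome string
}

var (
	ErrRole     = errors.New("role not permitted to perform this action")
	ErrSameUser = errors.New("dual control: approver must differ from initiator")
	ErrNotFound = errors.New("transfer not found")
	ErrState    = errors.New("transfer is not awaiting approval")
)

// Ledger holds transfers, the dual-control threshold and the audit trail.
type Ledger struct {
	dualControlAbove int64 // transfers at or above this amount need a second person
	Transfers        map[string]*Transfer
	audit            []AuditEntry
}

func NewLedger(dualControlAboveCents int64) *Ledger {
	return &Ledger{dualControlAbove: dualControlAboveCents, Transfers: map[string]*Transfer{}}
}

func (l *Ledger) record(u User, ip, action, id, outcome string) {
	l.audit = append(l.audit, AuditEntry{time.Now().UTC(), u.ID, ip, action, id, outcome})
}

// Initiate creates a transfer; below the threshold it releases at once, at or
// above it a different person must approve.
func (l *Ledger) Initiate(u User, ip, id string, amountCents int64) error {
	if !u.Roles[RoleInitiator] {
		l.record(u, ip, "initiate", id, "denied: "+ErrRole.Error())
		return ErrRole
	}
	t := &Transfer{ID: id, AmountCents: amountCents, InitiatedBy: u.ID}
	outcome := "pending approval"
	if amountCents < l.dualControlAbove {
		t.Released, outcome = true, "released (below dual-control threshold)"
	}
	l.Transfers[id] = t
	l.record(u, ip, "initiate", id, outcome)
	return nil
}

// Approve enforces segregation of duties (approver role) and dual control
// (approver is not the initiator) before releasing a pending transfer.
func (l *Ledger) Approve(u User, ip, id string) error {
	t, ok := l.Transfers[id]
	var err error
	switch {
	case !ok:
		err = ErrNotFound
	case !u.Roles[RoleApprover]:
		err = ErrRole
	case u.ID == t.InitiatedBy:
		err = ErrSameUser
	case t.Released:
		err = ErrState
	}
	if err != nil {
		l.record(u, ip, "approve", id, "denied: "+err.Error())
		return err
	}
	t.ApprovedBy, t.Released = u.ID, true
	l.record(u, ip, "approve", id, "released")
	return nil
}

// AuditTrail returns every recorded action, so the source of any transfer
// and of any refused attempt can be reconstructed later.
func (l *Ledger) AuditTrail() []AuditEntry { return l.audit }

func main() {
	l := NewLedger(1_000_000) // constructed threshold: 10,000.00 in minor units
	alice := User{ID: "alice", Roles: map[Role]bool{RoleInitiator: true, RoleApprover: true}}
	_ = l.Initiate(alice, "10.0.0.5", "T1", 5_000_000)
	fmt.Println(l.Approve(alice, "10.0.0.5", "T1"), "|", l.AuditTrail()[1].Outcome)
}
```

When reviewing a real system against the procedures above, the questions this model turns into tests are the ones to ask of the institution: can one person both initiate and release a high-value payment, does the log capture the originating user and source address, and are refused attempts retained rather than discarded.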
Legal and Compliance Issues
 Disclose clearly and conspicuously the
name of the financial institution and the
website’s content
 Other possible disclosure requirements:
 Full name, geographic address, website
address, email address and telephone
numbers of bank
 Bank’s geographic address for the service
of legal documents
 Details of the bank’s corporation status

……
Legal and Compliance Issues
 Other possible disclosure requirements
(cont’d):
 Bank’s membership in any regulatory or
accredited bodies (e.g. licensing and
supervisory body, deposit insurance
membership, etc.)
 Maintain the privacy and confidentiality
of customer information
 Transaction monitoring and consumer
disclosures
Legal Framework

E-banking depends on a legal framework that facilitates it and makes specific provisions for availability, reliability and security. Provisions may include:
a) facilitate electronic transactions by means of
reliable electronic documents
b) promote the development of the legal and
business infrastructure necessary to implement
secure electronic commerce
c) eliminate barriers to electronic commerce
resulting from uncertainties over writing and
signature requirements
……
Legal and Compliance Issues

Provisions may include (cont’d):
d) promote public confidence in the integrity and reliability of electronic documents and electronic transactions, in particular through the use of encrypted signatures to ensure the authenticity and integrity of electronic documents;
e) establish uniformity of legal rules and standards regarding the authentication and integrity of electronic documents;
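What provision (d) calls an "encrypted signature" is what practitioners call a digital signature: a value computed over the document with a private key and checked by anyone holding the matching public key. As an added example, not from the presentation or any bank's system, the Go program below signs a constructed payment instruction with an Ed25519 key and demonstrates the two properties the provision names: the signature verifies only under the signer's key (authenticity) and fails if any field of the document is altered after signing (integrity). The document fields, the key generation and the sample values are assumptions made for illustration; Ed25519 is one of several signature schemes that could serve here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Instruction is a constructed electronic document: a customer's payment
// instruction as a bank might receive it over an e-banking channel.
type Instruction struct {
	Customer    string `json:"customer"`
	Payee       string `json:"payee"`
	AmountCents int64  `json:"amount_cents"`
	Reference   string `json:"reference"`
}

// canonical returns the exact bytes that are signed and verified. encoding/json
// writes struct fields in declaration order, so signer and verifier produce
// identical bytes for identical content.
func canonical(doc Instruction) ([]byte, error) { return json.Marshal(doc) }

// NewKeyPair generates the signer's Ed25519 key pair. Assumption for the example:
// a real institution would keep the private key in an HSM or equivalent.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a detached signature over the canonical form of the document.
func Sign(priv ed25519.PrivateKey, doc Instruction) ([]byte, error) {
	b, err := canonical(doc)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// Verify reports whether sig was produced over exactly this document by the
// holder of the private key matching pub, i.e. authenticity and integrity
// together. Malformed inputs are rejected rather than allowed to panic.
func Verify(pub ed25519.PublicKey, doc Instruction, sig []byte) bool {
	b, err := canonical(doc)
	if err != nil || len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, b, sig)
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample instruction.
	doc := Instruction{Customer: "C-1001", Payee: "ACME Supplies", AmountCents: 250_000, Reference: "INV-42"}
	sig, _ := Sign(priv, doc)
	fmt.Println("original verifies:", Verify(pub, doc, sig))

	tampered := doc
	tampered.AmountCents = 2_500_000 // one extra digit added after signing
	fmt.Println("tampered verifies:", Verify(pub, tampered, sig))

	otherPub, _, _ := NewKeyPair()
	fmt.Println("verifies under a different key:", Verify(otherPub, doc, sig))
}
```

The signature does not hide the document (it is not encryption in the confidentiality sense); what it gives the legal framework is a check that the document is the one the key holder signed and has not changed since, which is the authenticity and integrity the provision refers to.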
Examination Procedures

Examiners should:
 Review the website content for
inclusion of legal and regulatory
requirements and disclosures
 As applicable, determine whether the
financial institution has considered
the applicability of various laws and
regulations to its e-banking activities
E-Banking Trends
 Account aggregation
 Wireless Banking
Account Aggregation
 Service unique to Internet banking
 Service involves a financial institution:
 gathering information from multiple websites
 presenting that information in consolidated form to customers (e.g. providing financial advice and shopping services that scan the web for particular products)
Wireless Banking
 Occurs when a customer accesses a
financial institution's networks via
telecommunication companies’
wireless networks
 Devices:
 Cellular phones
 Pagers
 Personal digital assistants (or similar devices)
Wireless Banking Risks
 Heightened level of potential
operations risk
 Early stages of adoption by the
market (strategic risk)
New Challenges
 Financial institutions continue to face
traditional challenges, but e-banking
poses a new set of risks
 While offering customers
convenience and easy access to
information, e-banking also
potentially increases institutional
exposure to identity theft and
unauthorized access to information
Requires Vigilance
 Institutions offering e-banking products and services must:
 be vigilant in identifying new and emerging threats
 continually adjust their systems to protect the integrity, confidentiality, and availability of automated information
Questions
