[Chart: vertical axis in US$ billions, 0 to 140; data series not recoverable from the extracted text]
Services
1. Informational
General information about the financial institution
Products or services offered
2. Transactional
Initiating banking transactions
Buying products and services
Transactional Websites
1. Retail services
2. Wholesale services
Retail Services
Account management
Bill presentment and bill payment
New account initiation
Wire transfers
Investment and brokerage services
Loan applications and approval
Account aggregation for individual consumers
Wholesale Services
Account management
Corporate cash management
Small business loan applications, approvals, and advances
Wire transfers
Business-to-business payments
Employee benefits and pension administration for business customers
Issues Impacting E-Banking
Informational Website:
Potential liability and consumer violations
“The insider threat” if the website is not properly isolated
Avenue for spreading viruses and other malicious code
Reputational risk for service disruption and defacing
……
Issues Impacting E-Banking
Transactional websites:
Safeguarding customer information
……
Issues Impacting E-Banking
Fig. 4 Data breaches that could lead to identity theft by sector and identity exposure by sector
Source: Based on data provided by OSF Dataloss DB.
E-Banking Risks
Credit risk
Strategic risk
Operational (Technology) Risk Elements

Element                  Technology Risks
1) Management processes  Management oversight; inadequate audit coverage; new products process
2) Architecture          Poor development standards; mis-configuration of hardware/software; datacenter burns
3) Integrity             Back office mistake; errors of judgment
4) Security              Inadequate password administration; breach of policy; viruses, malware, phishing, etc.
5) Availability          Natural disaster; failure to backup
Transaction or Operations Risk

May arise from:   May be mitigated by:
Fraud             Adapting effective ……
Examination Procedures
Assess the level of oversight by the board and management in ensuring that:
Planning and monitoring are sufficiently robust to address
Evaluate adequacy of key MIS reports
Managing Outsourcing Relationships
Provide effective oversight of third-party vendors providing e-banking services and support:
Perform appropriate due diligence
Consider sourcing options using cost-benefit analysis (in-source, outsource, off-shore)
Adequate contractual coverage
Ongoing monitoring and oversight of the relationship (e.g. SLA, vendor stability, etc.)
Examination Procedures
Examiners should:
Assess the adequacy of management’s due diligence activities
Assess the vendor contract to verify that the responsibilities of each party are appropriately identified
Assess the adequacy of ongoing vendor oversight
Information Security Programme
Compliance with laws, regulations and guidelines (e.g. e-commerce legislation, supervisory guidance, industry-specific requirements, etc.)
Establish layers of various security control, monitoring, and testing methods
Customer authentication, access control and education
Examination Procedures
Examiners should:
Determine if the institution’s information security programme sufficiently addresses e-banking risks
Determine whether the security programme includes monitoring of systems and transactions and whether exceptions are analyzed
……
Examination Procedures
Examiners should (cont’d):
Evaluate access control associated with employees’ administrative access
Assess whether the information security programme includes independent security testing
Administrative Controls
Maximize the availability and integrity of e-banking systems
Implement sound internal controls (e.g. segregation of duties, dual control, fraud detection controls, etc.)
Institute sound business continuity processes
Examination Procedures
Examiners should:
Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties
Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions
……
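As an added example (not part of the original slides), the following script models how an examiner could test the two procedures above against a wire-transfer audit trail: dual control and segregation of duties between initiator and approver, access matching assigned roles, and whether every audit record identifies its source. The role table, user names and audit records are constructed for illustration.

```python
# Added example, not from the original slides: examiner-style checks over a constructed wire-transfer audit trail.
from dataclasses import dataclass

# Role assignments are assumed (hypothetical); a real review would pull them from the IAM system.
ROLES = {"alice": {"initiator"}, "bob": {"approver"},
         "carol": {"initiator", "approver"}, "dave": {"admin"}}

@dataclass
class WireEvent:
    txn_id: str
    action: str      # "initiate" or "approve"
    user: str
    source_ip: str   # empty string models an audit record with no source captured

def check_wire_controls(events):
    """Return (txn_id, finding) pairs an examiner would flag for the given audit trail."""
    findings = []
    by_txn = {}
    for e in events:
        by_txn.setdefault(e.txn_id, []).append(e)
    for txn_id, evs in by_txn.items():
        initiators = {e.user for e in evs if e.action == "initiate"}
        approvers = {e.user for e in evs if e.action == "approve"}
        # Dual control: a wire needs a second person's approval before release
        if not approvers:
            findings.append((txn_id, "no approval recorded (dual control missing)"))
        # Segregation of duties: the initiator must not be the approver
        elif initiators & approvers:
            findings.append((txn_id, "same user initiated and approved (segregation of duties)"))
        for e in evs:
            # Access commensurate with duties: the action must match an assigned role
            needed = "initiator" if e.action == "initiate" else "approver"
            if needed not in ROLES.get(e.user, set()):
                findings.append((txn_id, f"{e.user} performed {e.action} without {needed} role"))
            # Audit trail must identify the source of every transaction step
            if not e.source_ip:
                findings.append((txn_id, f"{e.action} by {e.user} has no source recorded"))
    return findings

# Constructed sample audit trail (not real data)
SAMPLE_TRAIL = [
    WireEvent("W1", "initiate", "alice", "10.0.0.5"),
    WireEvent("W1", "approve", "bob", "10.0.0.6"),    # clean
    WireEvent("W2", "initiate", "carol", "10.0.0.7"),
    WireEvent("W2", "approve", "carol", "10.0.0.7"),  # SoD violation
    WireEvent("W3", "initiate", "alice", ""),          # no approval, no source
    WireEvent("W4", "initiate", "dave", "10.0.0.9"),  # dave lacks initiator role
    WireEvent("W4", "approve", "bob", "10.0.0.6"),
]
```

Running `check_wire_controls(SAMPLE_TRAIL)` yields four findings, one per control gap planted in the sample trail.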
Examination Procedures
Examiners should (cont’d):
Determine whether business continuity plans appropriately address the business impact of e-banking products and services
Legal and Compliance Issues
Disclose clearly and conspicuously the name of the financial institution and the website’s content
Other possible disclosure requirements:
Full name, geographic address, website address, email address and telephone numbers of the bank
Bank’s geographic address for the service of legal documents
Details of the bank’s corporation status
……
Legal and Compliance Issues
Other possible disclosure requirements (cont’d):
Bank’s membership in any regulatory or accredited bodies (e.g. licensing and supervisory body, deposit insurance membership, etc.)
Maintain the privacy and confidentiality of customer information
Transaction monitoring and consumer disclosures
Legal Framework
Examiners should:
Review the website content for inclusion of legal and regulatory requirements and disclosures
As applicable, determine whether the financial institution has considered the applicability of various laws and regulations to its e-banking activities
E-Banking Trends
Account aggregation
Wireless Banking
Account Aggregation
Service unique to Internet banking
Service in which a financial institution:
gathers information from multiple websites
presents that information in consolidated form to customers (e.g. providing financial advice and shopping services that scan the web for particular products)
Wireless Banking
Occurs when a customer accesses a financial institution's networks via telecommunication companies’ wireless networks
Devices:
Cellular phones
Pagers
devices)
Wireless Banking Risks
Heightened level of potential operations risk
Early stages of adoption by the market (strategic risk)
New Challenges
Financial institutions continue to face traditional challenges, but e-banking poses a new set of risks
While offering customers convenience and easy access to information, e-banking also potentially increases institutional exposure to identity theft and unauthorized access to information
Requires Vigilance
Institutions offering e-banking products and services must:
be vigilant in identifying new and emerging threats
continually adjust their systems to protect the integrity, confidentiality, and availability of automated information
Questions