Electronic Banking

CARTAC & Caribbean Group of Banking Supervisors IT Workshop for Regional Bank Examiners
June 23 ± 25, 2009 Georgetown, Guyana

Kirk Tyrell, CISA Assistant Director Financial Institutions Supervisory Division Bank of Jamaica www.boj.org.jm


Identify the risks and risk management practices associated with e-banking activities Provide standardized guidance to examiners on e-banking reviews

e-banking is defined as:  «the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels.

This definition includes delivering services and products such as: 

Account information Access to funds Business transactions and transfers

Electronic Delivery ± How it can help 

Increases customer satisfaction and retention Provides focused cross-selling opportunities Shift costs Levels the playing field Increases brand value Provides real time access (i.e. convenience)

468.988. SEPTEMBER 2007 ¡ ¡ EPIN TOP-UP BILL PAYMENT TRAN FER CA H W L EPO IT             0 .174.526.591.00 345.308.96 347.368.95 2.83 10.803.Shift Costs Shift Costs .300.155.00 3.674.47 74.142.91 131.742.891.028.529.080.Tranaction Distribution September 2007 140 120 100 US$'Bil 80 60 40 20 Branch E-Channels 0 21.79 Services Source: PRINCETON SURVEY RESEARCH ASSOCIATES INTL.584.127.362.187.

Specific Perspective   Services and products delivered to customers Supporting technology. .

E-Banking Devices       Personal computers (PCs) Personal digital assistants (PDAs) Automated teller machines (ATMs) Kiosks Touch tone telephones Cellular and smart phones .

those that involve Internet access typically pose the greatest risk. mobile phones) for financial services.g. PCs. Kiosks.Internet-Based Services Although there is risk in using any of these remote access devices (e. PDAs. This is because the Internet is such a widely accessible and public network .

Internet Banking Primary Types 1. Transactional   . Informational   General information about the financial institution Products or services offered Initiating banking transactions Buying products and services 2.

Retail services 2. Wholesale services .Transactional Websites Provide two separate types of services: 1.

Retail Services        Account management Bill presentment and bill payment New account initiation Wire transfers Investment and brokerage services. Loan applications and approval Account aggregation for individual consumers .

and advances Wire transfers Business-to-business payments Employee benefits and pension administration for business customers .Wholesale Services       Account management Corporate cash management Small business loan applications. approvals.

Issues Impacting E-Banking Informational Website:  Potential liability and consumer violations  ³The insider threat´ if the website is not properly isolated  Avenue for spreading viruses and other malicious code  Reputational risk for service disruption and defacing «« .

ID theft)  Liability for unauthorized transactions  Losses from fraud «« .Issues Impacting E-Banking Transactional websites:  Safeguarding customer information  Authentication processes (e.g.

g. consumer privacy. etc.Issues Impacting E-Banking Transactional websites (cont¶d):  violations of laws or regulations (e.)  Reputational risk from failure to process third-party payments .

E-Banking Risks Sectors Financial ISP Retail Insurance Internet community Telecom Computer hardware Government Computer software Transportation 2008 Percentages 79% 8% 4% 2% 2% 2% 1% 1% <1% <1% 2007 Percentages 83% 7% 4% 2% 2% <1% 1% 1% 1% 1% Source: Symantec Global Internet Security Threat Report 2009. by sector . Table 16. Unique brands phished.

.E-Banking Risks Data breaches Identities exposed Fig. 4 Data breaches that could lead to identity theft by sector and identity exposure by sector Source: Based on data provided by OSF Dataloss DB.

interest rate.E-Banking Risks The types of e-banking risks include:  Transaction or operations risk  Credit risk  Liquidity. and market risks  Compliance or legal risk  Strategic risk . price.

etc Natural disaster Failure to backup 2)    3) Integrity Security   4)    5) Availability   . phishing. malware.Operational (Technology) Risk Elements Technology Element 1) Risks    Management processes Architecture Management oversight Inadequate audit coverage New products process Poor development standards Mis-configuration of hardware/software Datacenter burns Back officer mistake Errors of judgment Inadequate password administration Breach of policy Viruses.

procedures.Transaction or Operations Risk May arises from:  Fraud  Processing errors  System disruptions  Other unanticipated events May be mitigated by:  Adapting effective polices. and controls  Sufficient capacity and redundancy .

Credit Risk Verifying the customer¶s identity  Monitoring and controlling the growth. underwriting standards. pricing. and ongoing credit quality  .

concentration and volume)  Valuing collateral and perfecting liens  .g.Credit Risk Monitoring and oversight of thirdparties  Monitoring out-of-area lending (e.

g. on capital ratios) Volatility of funds .Market Risk     Dependence on brokered funds or other highly rated sensitive deposits Geographic restrictions Impact of loans and deposit growth (e.

Compliance and Legal Risks    Uncertainty over legal jurisdictions Delivery of credit and depositrelated disclosures/notices as required by law Establishment of legally binding electronic agreements .

collection and reporting of government monitoring information on applications and loans (e. AML requirements) Delivery of privacy and opt-out notices Record retention requirements .Compliance and Legal Risks    Solicitation.g.

Strategic Risk      Risk management costs against the potential return on investment MIS to track e-banking costs. usage and profitability Generation of sufficient customer demand Adequacy of technical. compliance or marketing support Competition . operational.

difficulty of use. hackers) Loss of trust due to unauthorized activity on customer accounts Failure to deliver on marketing claims .Reputation Risk  Customer complaints  e.g.     Failure to provide reliable service Disclosure or theft of confidential customer information to unauthorized parties (e. etc.g. poor help desk service.

and activities Technology expertise Security and internal control requirements Hosting options (in-sourcing vs. outsourcing) .Planning Considerations      Strategic objectives for e-banking Scope. and complexity of equipment. scale. systems.

Outsourcing Options       Another financial institution Internet service provider Internet banking software vendor or processor Core banking vendor or processor Managed security service provider Others .

E-Banking Configuration .

Examination Areas Discussion of risk-management issues related to e-banking include:      Board and management oversight Managing outsourcing relationships Information security programmes Administrative controls Legal and compliance issues .

) Ongoing evaluation of the strategy¶s effectiveness expanded audit coverage to include ebanking activities .Board and Management Developing the institution¶s e-banking business strategy      Level/Type of e-service Anticipated customer demand Thorough analysis of the costs and benefits (reduced costs. etc. new revenue.

planning. and audit.Examination Procedures Examiners should:  Determine the adequacy of ebanking activities with respect to strategy. management reporting.  Determine whether e-banking guidance and risk considerations have been incorporated into the institution¶s operating policies «« .

Examination Procedures  Assess the level of oversight by the board and management in ensuring that:   Planning and monitoring are sufficiently robust to address Evaluate adequacy of key MIS reports .

outsource.) .g. etc. vendor stability.Managing Outsourcing Relationships Provide effective oversight of thirdparty vendors providing e-banking services and support: Perform appropriate due diligence Consider sourcing options using costbenefit analysis (in-source. off-shore) Adequate contractual coverage Ongoing monitoring and oversight of relationship (e. SLA.

Examination Procedures Examiners should:  Assess the adequacy of management¶s due diligence activities  Assess vendor contract to verify that the responsibilities of each party are appropriately identified  Assess the adequacy of ongoing vendor oversight .

and testing methods Customer authentication. access control and education .g. etc. industry-specific requirements.Information Security Programme    Compliance with laws. regulations and guidelines (e.) Establish layers of various security control. supervisory guidance. monitoring. e-commerce legislations.

Examination Procedures Examiners should:  Determine if the institution¶s information security programme sufficiently addresses e-banking risks  Determine whether the security programme includes monitoring of systems and transactions and whether exceptions are analyzed «« .

Examination Procedures Examiners should (cont¶d):  Evaluate access control associated with employee¶s administrative access  Assess whether the information security programme includes independent security testing .

) Institute sound business continuity processes . segregation of duties.g. dual control. fraud detection controls.Administrative Controls    Maximize the availability and integrity of e-banking systems Implement sound internal controls (e. etc.

Examination Procedures Examiners should:  Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties  Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions «« .

Examination Procedures Examiners should (cont¶d):  Determine whether business continuity plans appropriately address the business impact of ebanking products and services .

website address. email address and telephone numbers of bank Bank¶s geographic address for the service of legal documents Details of the bank¶s corporation status «« . geographic address.Legal and Compliance Issues   Disclose clearly and conspicuously the name of the financial institution and the website¶s content Other possible disclosure requirements:    Full name.

deposit insurance membership. licensing and supervisory body. etc.)   Maintain the privacy and confidentiality of customer information Transaction monitoring and consumer disclosures .g.Legal and Compliance Issues  Other possible disclosure requirements (cont¶d):  Bank¶s membership in any regulatory or accredited bodies (e.

Provisions may include: a) b) c) facilitate electronic transactions by means of reliable electronic documents promote the development of the legal and business infrastructure necessary to implement secure electronic commerce eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements «« .Legal Framework Legal framework that facilitates and makes specific provisions for availability. reliability and security.

in particular through the use of encrypted signatures to ensure the authenticity and integrity of electronic documents.Legal and Compliance Issues Provisions may include (cont¶d): d) e) promote public confidence in the integrity and reliability of electronic documents and electronic transactions. establish uniformity of legal rules and standards regarding the authentication and integrity of electronic documents. .

Examination Procedures Examiners should:  Review the website content for inclusion of legal and regulatory requirements and disclosures  As applicable. determine whether the financial institution has considered the applicability of various laws and regulations to its e-banking activities .

E-Banking Trends   Account aggregation Wireless Banking .

g. providing financial advice and shopping services that scan the web for particular products) .Account Aggregation   Service unique to Internet banking Service includes a financial institution:   gathering information from multiple websites Presents that information in consolidated form to customers (e.

Wireless Banking  Occurs when a customer accesses a financial institution's networks via telecommunication companies¶ wireless networks  Devices: Cellular phones  Pagers  personal digital assistants (or similar devices)  .

Wireless Banking Risks   Heightened level of potential operations risk Early stages of adoption by the market (strategic risk) .

e-banking also potentially increases institutional exposure to identity theft and unauthorized access to information . but ebanking poses a new set of risks While offering customers convenience and easy access to information.New Challenges   Financial institutions continue to face traditional challenges.

confidentiality.Requires Vigilance  Institutions offering e-banking products and services must be:   vigilant in identifying new and emerging threats continually adjust their systems to protect the integrity. and availability of automated information .

Questions .