Internet Banking - PowerPoint PPT Presentation

Slides: 24
Provided by: banktec
Transcript and Presenter's Notes

1
Electronic Banking Industry Developments, Risks
and OCC Regulatory Activities
Prepared for ABA USBanking 2002 by the Bank
Technology Division of the Office of the
Comptroller of the Currency, January 2002
The OCC is an independent bureau of the
Department of Treasury and is the federal
regulator of approximately 2,200 national banks.
2
Technology Developments
  • Advances in communications provide networked
    global access to information and delivery of
    products/services
  • Internet has reached critical mass (60% of U.S.
    households)
  • Some banks have 25 percent of customers banking
    online
  • Increased competition from other industries and
    abroad
  • Greater reliance on third party providers
  • Advances in technology make the component
    functions of banking more easily divisible

3
Growth in Number of National Banks that Have
Transactional Websites
Source: Office of the Comptroller of the
Currency. Transactional web sites are defined
as bank web sites that allow customers to
transact business. This may include accessing
accounts, transferring funds, applying for a
loan, establishing an account, or performing more
advanced activities.
4
Technology-based Banking Products & Services
  • Aggregation
  • Electronic Finder
  • Automated clearinghouse (ACH) transactions
  • Internet Payments
  • Wireless Banking
  • Certification Authority
  • Data Storage
  • Balance inquiry
  • Transaction information
  • Funds transfer
  • Cash Management
  • Bill payment
  • Bill presentment
  • Loan applications
  • Stored Value

5
Key Technology Risks
  • Vendor Risk Issues
  • Security, Data Integrity, and Confidentiality
  • Authentication, Identity Verification, and
    Authorization
  • Strategic and Business Risks
  • Business Continuity Planning
  • Permissibility, Compliance, Legal Issues, and
    Computer Crimes
  • Cross Border and International Banking

6
Outsourcing Trends
  • TowerGroup estimates banks outsource over 85% of
    their information technology
  • Rapid pace straining ability to oversee third
    parties
  • Consolidation of tech. companies and core
    processors
  • Weak or negative earnings of new tech providers
  • Banks are postponing new technology investments,
    but still investing in proven technologies

7
Outsourcing Guidance
  • FFIEC Guidance on Risk Management of Outsourced
    Technology Services (November 2000)
  • Key elements of the risk management process
      • Risk assessment
      • Due diligence in selecting service provider
      • Contract requirements
      • Oversight of service provider

Regardless of the decision to outsource, the bank
remains ultimately responsible.
8
Security and Privacy
  • Increases in security events and vulnerabilities
  • According to 2001 FBI/CSI survey, 70% reported
    that the Internet is the point of cyber attacks,
    up from 59% in 2000
  • Gramm-Leach-Bliley Act of 1999 requires banks to
    establish administrative, technical, and physical
    safeguards to protect the privacy of customers'
    nonpublic customer records and information

9
Reported Security Incidences & Vulnerabilities
Source: CERT/CC -- statistics are not limited to
the banking industry and include all reported
incidents
10
Key Elements of Security Program
  • Reviewing physical and logical security
      • Review intrusion detection and response
        capabilities to ensure that intrusions will be
        detected and controlled
      • Seek necessary expertise and training, as needed,
        to protect physical locations and networks from
        unauthorized access
      • Maintain knowledge of current threats facing the
        bank and the vulnerabilities to systems
      • Assess firewalls and intrusion detection programs
        at both primary and back-up sites to make sure
        they are maintained at current industry best
        practice levels

11
Key Elements of Security Program
  • Reviewing physical and logical security (cont'd)
      • Verify the identity of new employees,
        contractors, or third parties accessing your
        systems or facilities. If warranted, perform
        background checks.
      • Evaluate whether physical access to all
        facilities is adequate.
      • Work with service provider(s) and other relevant
        customers to ensure effective logical and
        physical security controls.

12
Authentication
  • Reliable customer authentication is imperative
    for E-banking
  • Effective authentication can help banks reduce
    fraud, reputation risk, disclosure of customer
    information, and promote the legal enforceability
    of their electronic agreements
  • Methods to authenticate customers
      • Passwords & PINs
      • Digital certificates & PKI
      • Physical devices such as tokens
      • Biometric identifiers

13
Strategic and Reputation Risks
  • Uncertain pace of change and evolving standards
    (e.g., bricks and clicks more successful than
    internet-only model)
  • First mover (bleeding edge) vs. wait and see
    (permanently lose market share)
  • Struggle to retain customers in face of intense
    competition
  • Inadequate oversight of third party providers

14
Business Continuity Planning
  • The 9/11 events, anthrax-laced mail, and NIMDA
    virus underscore the importance of robust
    business continuity planning.
  • Steps to consider when reviewing business
    continuity plans
      • Identify primary and secondary facilities in high
        profile or vulnerable locations and develop plans
        to mitigate undue risk exposure.
      • Ensure business continuity plans are coordinated
        and communicated on a corporate-wide basis with
        clear expectations.

15
Business Continuity Planning (cont'd)
  • Strengthen data backup and recovery site
    arrangements, as warranted, to ensure adequate
    off-site storage of back-up records and
    sufficient distance from primary operations.
  • Review succession plans for key employees and
    delegations of authority in the event of a
    crisis.
  • Review community's incident response plans and
    work with local governments to identify
    enhancements.
  • Analyze key customers and service providers for
    exposure to terrorist activities including high
    profile industries or facilities (e.g., power
    companies, refineries, airlines,
    telecommunications providers), then assess the
    adequacy of their business continuity planning
    process.
  • Test plans on a regular basis, evaluate results
    and update plans.

16
Permissibility, Legal, and Compliance Issues
  • Technology raises legal issues
      • Permissible?
      • Applicability of state and foreign laws?
      • Validity of electronic agreements?
  • Technology creates consumer compliance issues
      • Electronic disclosures delivery
      • Weblinking, customer confusion, and liability
      • RESPA and fee income from weblinking
      • CRA and fair lending issues
      • Reg. E application to aggregation services

17
Computer Crime
  • Internet banking and payment systems may allow
    for new ways to conduct illegal and fraudulent
    activities
      • Unauthorized access to deny service or
        re-direct a website
      • Identity theft resulting in unauthorized or
        illegal use of account information
      • Money laundering
      • Phony Internet banks

18
Cross Border and International E-Banking
  • Information revolution around the globe and
    borderless reach of the Internet
  • Increase in global partnerships/alliances
  • Risks to U.S. banks from cross border E-banking
    without adequate due diligence
      • Unlicensed activities?
      • Understanding application of local prudential and
        customer protection laws & regulations?
      • Expertise?
  • Risks to U.S. consumers of dealing with foreign
    Internet banks

19
Cross Border and International E-Banking
  • EBG sponsored by the Basel Committee's Electronic
    Banking Group
  • Chaired by Comptroller Hawke
  • Published studies on e-banking risk and risk
    management issues 1998, 2000 & 2001
  • available at www.bis.org or www.occ.treas.gov
  • Developing guidance on cross border, e-banking
    risks and aggregation
  • Coordinate international e-banking supervision
    efforts
  • Information sharing and training
  • OCC developing guidance on cross border Internet
    banking risks

20
Key Findings of Successful E-banking Exams
  • Active vendor management
  • Ongoing board involvement
  • Sufficient technical expertise
  • Proactive network security that effectively
    prevents, detects, and responds to intrusions
  • Strong authentication practices
  • Encrypted communications
  • Periodic compliance and legal reviews
  • Appropriate backup and recovery

21
OCC Technology Risks Supervision Program
  • Guidance -- Focus on risk analysis, measurement,
    controls, and monitoring
  • Risk-based examinations of banks and third party
    service providers (as authorized by the Bank
    Service Company Act of 1962)
  • On site and Quarterly reviews
  • Focus on safety and soundness
  • Reviews of banks with transactional web sites and
    E-banking service providers
  • Training and Technology Integration Project
  • External outreach and co-ordination
  • Licensing process for Internet-primary banks and
    novel activities

22
Questions? Please contact John Carlson, Senior
Advisor for Bank Technology, OCC
E-mail: John.Carlson_at_occ.treas.gov
Telephone: (202) 874-5013
Additional information is available on the OCC
website: www.occ.treas.gov
23
(No Transcript)