Comptroller of the Currency
Administrator of National Banks

Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities

Prepared for ABA USBanking 2002 by the Bank Technology Division of the Office of the Comptroller of the Currency

January 2002

The OCC is an independent bureau of the Department of Treasury and is the federal regulator of approximately 2,200 national banks.
Technology Developments

– Advances in communications provide networked global access to information and delivery of products/services
    – Internet has reached critical mass (60% of U.S. households)
    – Some banks have 25 percent of customers banking online
– Increased competition from other industries and abroad
– Greater reliance on third party providers
– Advances in technology make the component functions of banking more easily divisible
Growth in Number of National Banks that Have Transactional Websites

    Date          Share of national banks
    Sep-99        21%
    Jul-00        32%
    Dec-00 YTD    37%
    Mar-01        41%
    Jun-01        44%

Source: Office of the Comptroller of the Currency. “Transactional web sites” are defined as bank web sites that allow customers to transact business. This may include accessing accounts, transferring funds, applying for a loan, establishing an account, or performing more advanced activities.
Technology-based Banking Products & Services

– Balance inquiry
– Transaction information
– Funds transfer
– Cash management
– Bill payment
– Bill presentment
– Loan applications
– Stored value
– Aggregation
– Electronic finder
– Automated clearinghouse (ACH) transactions
– Internet payments
– Wireless banking
– Certification authority
– Data storage
Key Technology Risks

– Vendor risk issues
– Security, data integrity, and confidentiality
– Authentication, identity verification, and authorization
– Strategic and business risks
– Business continuity planning
– Permissibility, compliance, legal issues, and computer crimes
– Cross border and international banking
Outsourcing Trends

– TowerGroup estimates banks outsource over 85% of their information technology
– Rapid pace straining ability to oversee third parties
– Consolidation of tech. companies and core processors
– Weak or negative earnings of new tech providers
– Banks are postponing new technology investments, but still investing in proven technologies
Outsourcing Guidance

– FFIEC Guidance on Risk Management of Outsourced Technology Services (November 2000)
– Key elements of the risk management process:
    – Risk assessment
    – Due diligence in selecting service provider
    – Contract requirements
    – Oversight of service provider
– Regardless of the decision to outsource, the bank remains ultimately responsible.
Security and Privacy

– Increases in security events and vulnerabilities
    – According to the 2001 FBI/CSI survey, 70% reported that the Internet is the point of cyber attacks, up from 59% in 2000
– Gramm-Leach-Bliley Act of 1999 requires banks to establish administrative, technical & physical safeguards to protect the privacy of customers’ nonpublic customer records and information
Reported Security Incidents & Vulnerabilities

Unauthorized Activity Incidents Increasing

    Year    Incidents
    1995    2,412
    1996    2,573
    1997    2,134
    1998    3,734
    1999    9,859
    2000    21,756
    2001    52,658

Number of New Systems Vulnerabilities (2001 is 3Q 2001 annualized)

    Year    Vulnerabilities
    1995    171
    1996    345
    1997    311
    1998    262
    1999    417
    2000    1,090
    2001    2,275

Source: CERT/CC -- statistics are not limited to the banking industry and include all reported incidents
Key Elements of Security Program

Reviewing physical and logical security:

– Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlled
– Seek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized access
– Maintain knowledge of current threats facing the bank and the vulnerabilities to systems
– Assess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best practice levels
– Verify the identity of new employees, contractors, or third parties accessing your systems or facilities. If warranted, perform background checks.
– Evaluate whether physical access to all facilities is adequate.
– Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.
Authentication

– Reliable customer authentication is imperative for E-banking
– Effective authentication can help banks reduce fraud, reputation risk, and disclosure of customer information, and promote the legal enforceability of their electronic agreements
– Methods to authenticate customers:
    – Passwords & PINs
    – Digital certificates & PKI
    – Physical devices such as tokens
    – Biometric identifiers
Strategic and Reputation Risks

– Uncertain pace of change and evolving standards (e.g., “bricks and clicks” more successful than internet-only model)
– First mover (“bleeding edge”) vs. wait and see (permanently lose market share)
– Struggle to retain customers in face of intense competition
– Inadequate oversight of third party providers
Business Continuity Planning

– The 9/11 events, anthrax-laced mail, and NIMDA virus underscore the importance of robust business continuity planning.
– Steps to consider when reviewing business continuity plans:
    – Identify primary and secondary facilities in high profile or vulnerable locations and develop plans to mitigate undue risk exposure.
    – Ensure business continuity plans are coordinated and communicated on a corporate-wide basis with clear expectations.
    – Strengthen data backup and recovery site arrangements, as warranted, to ensure adequate off-site storage of back-up records and sufficient distance from primary operations.
    – Review succession plans for key employees and delegations of authority in the event of a crisis.
    – Review community’s incident response plans and work with local governments to identify enhancements.
    – Analyze key customers and service providers for exposure to terrorist activities including high profile industries or facilities (e.g., power companies, refineries, airlines, telecommunications providers), then assess the adequacy of their business continuity planning process.
    – Test plans on a regular basis, evaluate results and update plans.
Permissibility, Legal, and Compliance Issues

– Technology raises legal issues
    – Permissible?
    – Applicability of state and foreign laws?
    – Validity of electronic agreements?
– Technology creates consumer compliance issues
    – Electronic disclosures delivery
    – Weblinking, customer confusion, and liability
    – RESPA and fee income from weblinking
    – CRA and fair lending issues
    – Reg. E application to aggregation services
Computer Crime

– Internet banking and payment systems may allow for new ways to conduct illegal and fraudulent activities
    – Unauthorized access to deny service or re-direct a website
    – Identity theft resulting in unauthorized or illegal use of account information
    – Money laundering
    – Phony Internet banks
Cross Border and International E-Banking

– Information revolution around the globe and borderless reach of the Internet
– Increase in global partnerships/alliances
– Risks to U.S. banks from cross border E-banking without adequate due diligence
    – Unlicensed activities?
    – Understanding application of local prudential and customer protection laws & regulations?
    – Expertise?
– Risks to U.S. consumers of dealing with foreign Internet banks
Cross Border and International E-Banking (cont’d)

– EBG (the Basel Committee’s Electronic Banking Group)
    – Chaired by Comptroller Hawke
    – Published studies on e-banking risk and risk management issues in 1998, 2000 & 2001, available at www.bis.org or www.occ.treas.gov
    – Developing guidance on cross border e-banking risks and aggregation
– Coordinate international e-banking supervision efforts
– Information sharing and training
– OCC developing guidance on cross border Internet banking risks
Key Findings of Successful E-banking Exams

– Active vendor management
– Ongoing board involvement
– Sufficient technical expertise
– Proactive network security that effectively prevents, detects, and responds to intrusions
– Strong authentication practices
– Encrypted communications
– Periodic compliance and legal reviews
– Appropriate backup and recovery
OCC Technology Risks Supervision Program

– Guidance -- focus on risk analysis, measurement, controls, and monitoring
– Risk-based examinations of banks and third party service providers (as authorized by the Bank Service Company Act of 1962)
    – On site and quarterly reviews
    – Focus on safety and soundness
    – Reviews of banks with transactional web sites and E-banking service providers
– Training and Technology Integration Project
– External outreach and co-ordination
– Licensing process for Internet-primary banks and novel activities
Questions?

Please contact John Carlson, Senior Advisor for Bank Technology, OCC
E-mail: John.Carlson@occ.treas.gov
Telephone: (202) 874-5013

Additional information is available on the OCC Website: www.occ.treas.gov