Comptroller of the Currency, Administrator of National Banks

Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities

Prepared for ABA USBanking 2002 by the Bank Technology Division of the Office of the Comptroller of the Currency

January 2002

The OCC is an independent bureau of the Department of Treasury and is the federal regulator of approximately 2,200 national banks.

Technology Developments

Advances in communications provide networked global access to information and delivery of products/services

Internet has reached critical mass (60% of U.S. households)

Some banks have 25 percent of customers banking online

Increased competition from other industries and abroad

Greater reliance on third party providers

Advances in technology make the component functions of banking more easily divisible

Growth in Number of National Banks that Have Transactional Websites

[Bar chart: percentage of national banks with transactional websites at Sep-99, Jul-00, Dec-00, YTD Mar-01 and Jun-01; vertical axis 10% to 50%. Data labels on the chart: 21%, 32%, 37%, 41% and 44%, rising across the period.]

Source: Office of the Comptroller of the Currency. “Transactional web sites” are defined as bank web sites that allow customers to transact business. This may include accessing accounts, transferring funds, applying for a loan, establishing an account, or performing more advanced activities.

Technology-based Banking Products & Services

Balance inquiry
Transaction information
Funds transfer
Cash management
Bill payment
Bill presentment
Loan applications
Stored value
Aggregation
Electronic finder
Automated clearinghouse (ACH) transactions
Internet payments
Wireless banking
Certification authority
Data storage

Key Technology Risks

Vendor Risk Issues
Security, Data Integrity, and Confidentiality
Authentication, Identity Verification, and Authorization
Strategic and Business Risks
Business Continuity Planning
Permissibility, Compliance, Legal Issues, and Computer Crimes
Cross Border and International Banking

Outsourcing Trends

TowerGroup estimates banks outsource over 85% of their information technology

Rapid pace straining ability to oversee third parties

Consolidation of tech. companies and core processors

Weak or negative earnings of new tech providers

Banks are postponing new technology investments, but still investing in proven technologies

Outsourcing Guidance

FFIEC Guidance on Risk Management of Outsourced Technology Services (November 2000)

Key elements of the risk management process:
– Risk assessment
– Due diligence in selecting service provider
– Contract requirements
– Oversight of service provider

Regardless of the decision to outsource, the bank remains ultimately responsible.

Security and Privacy

Increases in security events and vulnerabilities

According to the 2001 CSI/FBI Computer Crime and Security Survey, 70% of respondents cited their Internet connection as a frequent point of attack, up from 59% in 2000

Gramm-Leach-Bliley Act of 1999 requires banks to establish administrative, technical and physical safeguards to protect the security and confidentiality of nonpublic customer records and information

Reported Security Incidents & Vulnerabilities

[Chart: Unauthorized Activity Incidents Increasing. Incidents reported per year: 1995: 2,412; 1996: 2,573; 1997: 2,134; 1998: 3,734; 1999: 9,859; 2000: 21,756; 2001: 52,658.]

Source: CERT/CC -- statistics are not limited to the banking industry and include all reported incidents

[Chart: Number of New Systems Vulnerabilities (2001 is 3Q 2001 annualized). Vulnerabilities reported per year: 1995: 171; 1996: 345; 1997: 311; 1998: 262; 1999: 417; 2000: 1,090; 2001: 2,275.]

Key Elements of Security Program

Reviewing physical and logical security:

Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlled

Seek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized access

Maintain knowledge of current threats facing the bank and the vulnerabilities to systems

Assess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best practice levels

Key Elements of Security Program

Reviewing physical and logical security (cont’d):

Verify the identity of new employees, contractors, or third parties accessing your systems or facilities. If warranted, perform background checks.

Evaluate whether physical access controls at all facilities are adequate.

Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.

Authentication

Reliable customer authentication is imperative for E-banking

Effective authentication can help banks reduce fraud, reputation risk, and disclosure of customer information, and promote the legal enforceability of their electronic agreements

Methods to authenticate customers:
Passwords & PINs
Digital certificates & PKI
Physical devices such as tokens
Biometric identifiers


Strategic and Reputation Risks

Uncertain pace of change and evolving standards (e.g., “bricks and clicks” more successful than internet-only model)

First mover (“bleeding edge”) vs. wait and see (permanently lose market share)

Struggle to retain customers in face of intense competition

Inadequate oversight of third party providers

Business Continuity Planning

The 9/11 events, anthrax-laced mail, and the Nimda worm underscore the importance of robust business continuity planning.

Steps to consider when reviewing business continuity plans:

Identify primary and secondary facilities in high profile or vulnerable locations and develop plans to mitigate undue risk exposure.

Ensure business continuity plans are coordinated and communicated on a corporate-wide basis with clear expectations.


Business Continuity Planning (cont’d)

Strengthen data backup and recovery site arrangements, as warranted, to ensure adequate off-site storage of back-up records and sufficient distance from primary operations.

Review succession plans for key employees and delegations of authority in the event of a crisis.

Review the community’s incident response plans and work with local governments to identify enhancements.

Analyze key customers and service providers for exposure to terrorist activities including high profile industries or facilities (e.g., power companies, refineries, airlines, telecommunications providers), then assess the adequacy of their business continuity planning process.

Test plans on a regular basis, evaluate results and update plans.

Permissibility, Legal, and Compliance Issues

Technology raises legal issues:
Permissible?
Applicability of state and foreign laws?
Validity of electronic agreements?

Technology creates consumer compliance issues:
Electronic disclosures delivery
Weblinking, customer confusion, and liability
RESPA and fee income from weblinking
CRA and fair lending issues
Reg. E application to aggregation services

Computer Crime

Internet banking and payment systems may allow for new ways to conduct illegal and fraudulent activities:
Unauthorized access to deny service or re-direct a website
Identity theft resulting in unauthorized or illegal use of account information
Money laundering
Phony Internet banks

Cross Border and International E-Banking

Information revolution around the globe and borderless reach of the Internet

Increase in global partnerships/alliances

Risks to U.S. banks from cross border E-banking without adequate due diligence:
Unlicensed activities?
Understanding application of local prudential and customer protection laws & regulations?
Expertise?

Risks to U.S. consumers of dealing with foreign Internet banks

Cross Border and International E-Banking

Electronic Banking Group (EBG) of the Basel Committee, chaired by Comptroller Hawke:
Published studies on e-banking risk and risk management issues in 1998, 2000 & 2001, available at www.bis.org or www.occ.treas.gov
Developing guidance on cross border e-banking risks and aggregation
Coordinate international e-banking supervision efforts
Information sharing and training

OCC developing guidance on cross border Internet banking risks

Key Findings of Successful E-banking Exams

Active vendor management
Ongoing board involvement
Sufficient technical expertise
Proactive network security that effectively prevents, detects, and responds to intrusions
Strong authentication practices
Encrypted communications
Periodic compliance and legal reviews
Appropriate backup and recovery

OCC Technology Risks Supervision Program

Guidance -- Focus on risk analysis, measurement, controls, and monitoring

Risk-based examinations of banks and third party service providers (as authorized by the Bank Service Company Act of 1962):
On site and quarterly reviews
Focus on safety and soundness
Reviews of banks with transactional web sites and E-banking service providers

Training and Technology Integration Project

External outreach and co-ordination

Licensing process for Internet-primary banks and novel activities

Questions?

Please contact John Carlson, Senior Advisor for Bank Technology, OCC. E-mail: [email protected] Phone: (202) 874-5013

Additional Information is available on the OCC Website: www.occ.treas.gov