Embed Size (px)
Citation preview
Risk Management
Risk Categories
Strategic CreditMarketLiquidityOperationalCompliance/legal/regulatoryReputation
Operational Risk
Inadequate Information Systems
Breaches in internal controls
Fraud
Unforeseen catastrophes
The risk of direct of indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.
Inadequate Information Systems
General RisksPhysical access to the hardware
Logical access to the IT systems
Capacity management - prevents bottlenecks in all relevant systems component
Emergency management
Insufficient backup recovery measures-mitigate the consequences of system failures
Inadequate Information Systems
Application-oriented risks
1. Data not correctly recorded due to system errors
2. Data not correctly stored during period of validity
3. Relevant data are not correctly included
4. Calculations which are basis for information are not correct
5. Due to systems failures the information processed by the application is not available in time.
Fraud Management
Categories1. Check Fraud
2. Debit card Fraud
3. Electronic Payment Fraud
4. ATM Deposit Fraud
5. Account Take-over/Identity Theft
From: http://www.newarchitectmag.com
Fraud Management Systems
JAM (Java Agents for Meta Learning)
Obstacles in detecting Fraud
Financial or Human resource shortage
High volumes of claims, transactions or other information to be analyzed
Cookie-cutter detection methods that miss new or unusual instances
Lack of in-house expertise or training
Risk Management in E-Banking
Technology Developments
Advances in communications provide networked global access to information and delivery of products/services
Internet has reached critical mass (60% of U.S. households)
Some banks have 25 percent of customers banking online
Increased competition from other industries and abroad
Greater reliance on third party providers
Advances in technology make the component functions of banking more easily divisible
www.occ.treas.gov
Growth in Number of National Banks that Have Transactional Websites
41%44%
37%
21%
32%
10%
20%
30%
40%
50%
Sep-99 Jul-00 Dec-00 YTD Mar-01 1-Jun
Source: Office of the Comptroller of the Currency. “Transactional web sites” are defined as bank web sites that allow customers to transact business. This may include accessing accounts, transferring funds, applying for a loan, establishing an account, or performing more advanced activities.
Technology-based BankingProducts & ServicesBalance inquiryTransaction informationFunds transferCash ManagementBill paymentBill presentment Loan applicationsStored Value-application: Stored-value cards are a substitute for cash, gift certificates and check payments. Monetary value is added to the stored-value account before the card is used, with the value either being funded by the cardholder directly, or by the card program operator in commercial applications
www.occ.treas.gov
Technology-based BankingProducts & Services
AggregationElectronic FinderAutomated clearinghouse (ACH) TransactionsInternet PaymentsWireless BankingCertification AuthorityData Storage-Digital Data Storage (DDS) is a format for storing and backing up computer data on tape that evolved from the Digital Audio Tape (DAT) technology.
Key Technology Risks
Vendor Risk IssuesSecurity, Data Integrity, and ConfidentialityAuthentication, Identity Verification, and AuthorizationStrategic and Business RisksBusiness Continuity PlanningPermissibility, Compliance, Legal Issues, and Computer CrimesCross Border and International Banking
www.occ.treas.gov
Security and Privacy
Increases in security events and vulnerabilities
According to 2001 FBI/CSI survey, 70% reported that the Internet is the point of cyber attacks, up from 59% in 2000
Gramm-Leach-Bliley Act of 1999 requires banks to establish administrative, technical & physical safeguards to protect the privacy of customers’ nonpublic customer records and information
www.occ.treas.gov
Key Elements of Security Program
Reviewing physical and logical security: Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlledSeek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized accessMaintain knowledge of current threats facing the bank and the vulnerabilities to systemsAssess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best practice levels
www.occ.treas.gov
Key Elements of Security Program
Reviewing physical and logical security (cont’d):
Verify the identity of new employees, contractors, or third parties accessing your systems or facilities. If warranted, perform background checks.
Evaluate whether physical access to all facilities is adequate.
Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.
www.occ.treas.gov
Authentication
Reliable customer authentication is imperative for E-banking Effective authentication can help banks reduce fraud, reputation risk, disclosure of customer information, and promote the legal enforceability of their electronic agreements Methods to authenticate customers:
Passwords & PINSDigital certificates & PKI (Public Key Infrastructure)Physical devices such as tokensBiometric identifiers
www.occ.treas.gov
OCC Technology Risks Supervision Program
The Office of the Comptroller of the Currency charters, regulates, and supervises national banks to ensure a safe, sound, and competitive banking system that supports the citizens, communities, and economy of the United States. Guidance -- Focus on risk analysis, measurement, controls, and monitoring Risk-based examinations of banks and third party service providers (as authorized by the Bank Service Company Act of 1962)Training and Technology Integration ProjectExternal outreach and co-ordinationLicensing process for Internet-primary banks and novel activities
www.occ.treas.gov
References
www.occ.treas.gov
www.newarchitectmag.com
http://www.cs.columbia.edu/~sal/JAM/PROJECT/
Gerrit Jan van den Brink (2002), Operational Risk: The challenge for banks.
http://dinkla.net/fraud/products.html
