February 20, 2000
FYI - FDIC Year 2000 - As a result of the banking industry's comprehensive Year 2000-readiness preparations, no substantive problems occurred during the date change period. However, while the industry can generally claim success, some associated risks remain. They involve certain critical dates, the expiration of temporary remediation techniques, records retention and customer risk.
FYI - OCC Year 2000 - This OCC advisory reminds management of banks, service providers, and software vendors of potential Year 2000-related risks subsequent to the century date change.
INTERNET RISKS - According to the OCC, Internet banking creates new risk control challenges. Last week we shared the OCC's comments on Interest Rate Risk. This week we will cover Liquidity Risk.
Liquidity Risk is the risk to earnings or capital arising from a bank's inability to meet its obligations when they come due, without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned changes in funding sources. Liquidity risk also arises from the failure to recognize or address changes in market conditions affecting the ability of the bank to liquidate assets quickly and with minimal loss in value.
Internet banking can increase deposit volatility from customers who maintain accounts solely on the basis of rate or terms. Asset/liability and loan portfolio management systems should be appropriate for products offered through Internet banking. Increased monitoring of liquidity and changes in deposits and loans may be warranted depending on the volume and nature of Internet account activities.
INTERNET SECURITY - Performing a sound risk assessment is critical to establishing an effective information security program. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution. Banks should have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education, and testing, as part of an effective program.
When assessing information security products, management should be aware that many products offer a combination of risk assessment features, and can cover single or multiple operating systems. Several organizations provide independent assessments and certifications of the adequacy of computer security products (e.g., firewalls). While the underlying product may be certified, banks should realize that the manner in which the products are configured and ultimately used is an integral part of the products' effectiveness. If relying on the certification, banks should understand the certification process used by the organization certifying the security product. Other examples of items to consider in the risk assessment process include:
1) Identifying mission-critical information systems, and determining the effectiveness of current information security programs. For example, a vulnerability might involve critical systems that are not reasonably isolated from the Internet and external access via modem. Having up-to-date inventory listings of hardware and software, as well as system topologies, is important in this process.
2) Assessing the importance and sensitivity of information, and the likelihood of outside break-ins (e.g., by hackers) and insider misuse of information. For example, if a large depositor list were made public, that disclosure could expose the bank to reputational risk and the potential loss of deposits. Further, the institution could be harmed if human resource data (e.g., salaries and personnel files) were made public. The assessment should identify systems that allow the transfer of funds, other assets, or sensitive data/confidential information, and review the appropriateness of access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with business partners. The other entity may have poor access controls that could potentially lead to an indirect compromise of the bank's system. Another example involves vendors that may be allowed to access the bank's system without proper security safeguards, such as firewalls. This could result in open access to critical information that the vendor may have "no need to know."
4) Determining legal implications and contingent liability concerns associated with any of the above. For example, if hackers successfully access a bank's system and use it to subsequently attack others, the bank may be liable for damages incurred by the party that is attacked.
INTERNET COMPLIANCE - Under the withdrawal and transfer restrictions that Regulation D imposes on savings deposits, electronic transfers, electronic withdrawals (paid electronically), and payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six-transaction limit imposed on passbook savings and MMDA accounts.
If an institution makes credit application forms available on the Internet, those forms must satisfy the requirements of Regulation B. If an applicant applies over the Internet without video capability that allows employees of the institution to see the applicant, Your Bank may treat the application as if it were received by mail.
IN CLOSING - Jack, I want to thank you for taking time from your busy day to read the "Internet Banking News," which is read by more than 400 bankers in 40 states and nine overseas countries. The newsletter's purpose is to bring Your Bank the latest Internet banking issues and to keep you informed on regulatory matters. If you have an Internet banking issue you would like to see covered in the newsletter, please send me an e-mail.