March 12, 2000
FYI - The FFIEC has announced that it will host its 2000 Risk Management Planning Seminar on June 1 and 2 in Chicago, IL. One of the topics is "Emerging Technology and Internet Banking Risks."
FYI - Banking organizations are increasingly relying on services provided by other entities to support a range of banking operations. Outsourcing of information and transaction processing activities, either to affiliated institutions or third-party service providers, may help banking organizations manage data processing and related personnel costs, improve services, and obtain expertise not available internally. At the same time, the reduced operational control over outsourced activities may expose an institution to additional risks.
FYI - In order to facilitate the integration of information technology supervision within the overall risk-focused supervisory process, the separate frequency guidelines for information technology examinations are being eliminated. Instead, all safety and soundness examinations (or examination cycles) of banking organizations conducted by the Federal Reserve should include an assessment and evaluation of information technology risks and risk management.
FYI - Letter describes how a national bank using multiple trade names over the Internet can comply with the Interagency Statement on Branch Names (which provides guidance for banks using multiple trade names and suggests certain steps to prevent customer confusion and to reduce transaction and compliance risk).
FYI - Application by EFS National Bank, Memphis, Tennessee to acquire Virtual Cyber Systems, Inc., as a wholly-owned operating subsidiary approved.
INTERNET SECURITY - Some considerations your bank needs to evaluate before deciding to perform penetration testing of your network/Internet computer system.
1) Penetration analysis is only a snapshot of the security at a point in time and does not provide a complete guarantee that the system being tested is secure.
2) If using outside testers, the reputation of the firm or consultants hired is very important. The evaluators will assess the weaknesses in the bank's information security system. As such, the confidentiality of results and bank data is crucial. A bank may want to require security clearance checks on the evaluators. An institution should ask if the evaluators have liability insurance in case something goes wrong during the test. The bank should enter into a written contract with the evaluators, which at a minimum should address the above items.
3) If using internal testers, the independence of the testers from the system administrators who run the systems being tested.
4) The secrecy of the test. Some senior executives may order an analysis without the knowledge of information systems personnel. This can create unwanted results, including the notification of law enforcement personnel and wasted resources responding to an attack. To prevent excessive responses to the attacks, bank management may consider informing certain individuals in the organization of the penetration analysis.
5) The importance of the systems to be tested. Some systems may be too critical to be exposed to some of the methods used by the evaluators such as a critical database that could be damaged during the test.
PENETRATION TESTING - We now offer penetration and vulnerability testing. Our associate is Cisco certified and has a Cisco Certified Internetwork Expert on staff. If you would like more information about penetration and vulnerability testing, send me an e-mail. I will have our associate call you to discuss how testing will benefit your Internet security program.
INTERNET COMPLIANCE - A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy. In other words, if the web page mentions residential real estate loans, then the equal housing logo and "Equal Housing Lender" is required on the web page.
INTERNET RISKS - According to the OCC, Internet banking creates new risk control challenges. Over the past few weeks, we covered the OCC's comments on Credit Risk, Interest Rate Risk, Liquidity Risk, Price Risk, and Foreign Exchange Risk. This week we will cover Transaction Risk.
Transaction risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Transaction risk is evident in each product and service offered and encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment.
A high level of transaction risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented, and monitored. Banks that offer financial products and services through the Internet must be able to meet their customers' expectations. Banks must also ensure they have the right product mix and capacity to deliver accurate, timely, and reliable services to develop a high level of confidence in their brand name.
Customers who do business over the Internet are likely to have little tolerance for errors or omissions from financial institutions that do not have sophisticated internal controls to manage their Internet banking business. Likewise, customers will expect continuous availability of the product and Web pages that are easy to navigate.
Software to support various Internet banking functions is provided to the customer from a variety of sources. Banks may support customers using customer-acquired or bank-supplied browsers or personal financial manager (PFM) software. Good communications between banks and their customers will help manage expectations on the compatibility of various PFM software products.
Attacks or intrusion attempts on banks' computer and network systems are a major concern. Studies show that systems are more vulnerable to internal attacks than external, because internal system users have knowledge of the system and access. Banks should have sound preventive and detective controls to protect their Internet banking systems from exploitation both internally and externally.
Contingency and business resumption planning is necessary for banks to be sure that they can deliver products and services in the event of adverse circumstances. Internet banking products connected to a robust network may actually make this easier because backup capabilities can be spread over a wide geographic area. For example, if the main server is inoperable, the network could automatically reroute traffic to a backup server in a different geographical location. Security issues should be considered when the institution develops its contingency and business resumption plans. In such situations, security and internal controls at the backup location should be as sophisticated as those at the primary processing site. High levels of system availability will be a key expectation of customers and will likely differentiate success levels among financial institutions on the Internet.
National banks that offer bill presentment and payment will need a process to settle transactions between the bank, its customers, and external parties. In addition to transaction risk, settlement failures could adversely affect reputation, liquidity, and credit risk.
IN CLOSING - I will attempt to clarify a misunderstanding some bankers and ISPs are having concerning the requirement that a SAS 70 audit is the only external audit required by the regulators. This week I spoke with regulators in Washington, DC about SAS 70 audits. They stated that the SAS 70 audit is not the only acceptable IS audit. The regulators stated that the SAS 70 audit is only an "example of the types of reports that are often available to financial institutions regarding their service providers. The intention was definitely not to exclude other types of reports like the ones that you mention (e.g., independent assessments by information systems audit professionals)." They further stated that what is most important is the IS audit scope and the qualifications of the IS auditor.