Risk Management in Electronic Banking
Concepts and Best Practices
Jayaram Kondabagil
John Wiley & Sons (Asia) Pte Ltd.
2 Clementi Loop, #02-01, Singapore 129809
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop, #02-01, Singapore 129809, tel: 65-64632400, fax: 65-64646912, e-mail: enquiry@wiley.com.sg.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional person should be sought.
Other Wiley Editorial Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester PO19 8SQ, England
John Wiley & Sons (Canada) Ltd, 5353 Dundas Street West, Suite 400, Toronto, Ontario, M9B 6HB, Canada
John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia
Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany
Library of Congress Cataloging-in-Publication Data
ISBN: 978-0-470-82243-2
Wiley Bicentennial Logo: Richard J. Pacifico
Typeset in 10.5 on 13 points, Palatino by SNP Best-set Typesetter Ltd., Hong Kong. Printed in Singapore by Mainland Press Pte Ltd.
10 9 8 7 6 5 4 3 2 1
Contents
List of Figures xiii
Acknowledgments xxiii
PART I: INTRODUCTION TO E-BANKING
Other risks 14
Chapter 3 Product and Service-specific Risks 19
PART II: RISK MANAGEMENT
Chapter 4 Risk Management Framework 33
Governance and internal controls 40
Chapter 5 Risk Management Organization 43
Basel Committee on Banking Supervision 56
COSO – enterprise risk management 60
Corporate governance codes 63
PART III: INFORMATION SECURITY
Chapter 7 Information Security Management 69
Information security incidents 111
PART IV: OUTSOURCING
Chapter 10 Outsourcing in E-Banking 117
Supervisory approach 120
Board and senior management responsibility 123
Confidentiality and security clauses 142
Business continuity clauses 144
PART V: BUSINESS CONTINUITY
Chapter 13 Business Continuity Management 147
Board and senior management responsibility 149
Plan maintenance 167
Chapter 15 Data Centers and Alternate Sites 175
Mitigating concentration risk 177
Business continuity in real life 186
PART VI: LEGAL AND REGULATORY COMPLIANCE
Organization of the compliance function 194
Board and senior management responsibility 195
List of Figures
2.1 The five-pillar approach 18
5.1 Risk management organization structure 44
7.1 Information security objectives 71

List of Tables
1.1 Common e-banking services 4
1.2 Examples of e-banking components 8
1.3 Information sought by regulators for licensing 9
2.1 Factors influencing strategic risk 11
2.2 Examples of operational risk 12
2.3 Factors affecting a bank's reputation 14
4.1 Key requirements in the risk management process 37
5.1 Responsibility of key players in risk management 45
5.2 Responsibilities of the Board and senior management 46
5.3 Responsibilities of board committees 48
7.1 Information security challenges 70
7.2 Security objectives and control measures 74
7.3 Outline of information security policy 75
10.2 Factors to determine the materiality of an outsourced activity 119
10.3 Outline of an outsourcing policy 125
11.1 Due diligence parameters for outsourcing 130
12.1 Confidentiality and security clauses in outsourcing contracts 143
13.1 Potential threats to business continuity 152
13.2 Illustrative questionnaire for impact analysis 154
13.3 Illustrative list of critical functions 155
14.1 Intensity levels of disruption 159
14.3 Triggers for unscheduled maintenance of the BCP 169
17.1 Broad objectives of anti-money-laundering measures 199
17.2 Security-related instructions to customers 206
Banking has traditionally been built on the branch-banking model. The unprecedented speed of technological change over the last two decades has altered the way banking has been done for centuries. Technology has offered banks tremendous opportunities to surmount geographical, commercial, and demographic barriers, and to deliver products and services at virtually zero marginal cost combined with unbounded reach.
The success of a bank is now determined by its ability to deliver innovative products and services, and to provide remote access in a technologically advanced way that meets the changing needs of the customer. We now have a variety of delivery channels, from ATMs and the Internet to mobile banking, collectively termed "electronic banking."
However, this has carried risks as well as benefits. Some of the traditional risks associated with banking activities, such as strategic, operational, legal, and reputational risks, have been modified and heightened for banks providing electronic banking services. This has influenced the overall risk profile of banking.
It has become all the more critical now for banks to have flexible and responsive operating processes, as well as sound and robust risk management systems that recognize, address, and manage these risks prudently, according to the basic characteristics and challenges of e-banking services.
WHY THIS BOOK?
Risk management is not a new concept or challenge for banks. Banks have traditionally adopted risk mitigation measures, but the focus has generally been on financial risks such as credit, market, interest rate, and liquidity risk. Non-financial risks such as strategic, operational, compliance, and reputational risks have received only cursory treatment, more as a need to meet legal and regulatory requirements.
The increased share of e-banking activities as a percentage of revenue and volume of business, and the consequent demands, especially on ICT infrastructure, have forced many a bank's management to wake up and take another look at its risk management practices. The Basel Committee on Banking Supervision has been working on this aspect for more than a decade, and its latest report, Risk Management Principles for Electronic Banking, issued in July 2003, is a significant step in prompting regulators around the world to take notice of the need to treat e-banking risks on a separate platform. A flood of regulatory guidelines has supplemented this in the last two years.
This book is a pioneering effort to provide a conceptual framework for the management of risks in an electronic banking environment, supplemented by an overview of sound practices based on international standards and guidelines on risk management.
Basel II has introduced explicit capital adequacy requirements for operational risk in the new accord. With Basel II capital adequacy norms due for implementation across the world (different countries have set different deadlines starting from this year), there is increasing interest and regulatory focus on operational risk management. As electronic banking forms a major component of operational risk, Risk Management in Electronic Banking is presented at the most appropriate time.
ORGANIZATION OF THE BOOK
This publication follows and recommends a five-pillar approach for the management of risks in an electronic banking environment:
Pillar I Risk management framework
Pillar II Information security management
Pillar III Outsourcing management
Pillar IV Business continuity management
Pillar V Legal and regulatory compliance
Part I Introduction to E-Banking
The introductory part provides an overview of e-banking and associated risks, and lays the foundation for the rest of the book. Chapter 1 traces the evolution of electronic banking and its impact on traditional banking, followed by an overview of e-banking components and the regulatory approval process. Chapter 2 contains a discussion of strategic, operational, compliance, reputational, and other risks in an e-banking environment. The product- and service-specific risks, such as those relating to Internet banking, aggregation services, bill presentment and payment, mobile banking, and cross-border transactions, are covered in Chapter 3.
Part II Risk Management
The conceptual framework for the management of electronic banking risks is covered in this part. Chapter 4 details the adaptation of the generic risk management model to an electronic banking environment. Chapter 5 provides a detailed analysis of the risk management organization with its associated roles and responsibilities. Chapter 6 gives an overview of the international standards, guidelines, and sound practices.
Part III Information Security
Trust and security have always been essential features of the banking system. Information security management is today an essential business requirement in view of the capture, transmission, processing, and storage of data in digitized form over open networks. Recent regulatory requirements related to information security and internal control magnify these concerns. The different components of information security management are discussed in Chapter 7, while Chapters 8 and 9 deal with the operational and technical controls to be built under the security management framework.
Part IV Outsourcing
Outsourcing and third-party dependencies have become an integral part, and the most critical component, of the electronic banking schematics of banks. The range and relative complexity of these outsourced activities are increasing, and so are the risks. The key risks in outsourcing, Board and management responsibility, sound practices for managing outsourced services, and outsourcing contracts are dealt with in this part.
Part V Business Continuity
This part provides a conceptual framework for the business continuity management (BCM) function, and each component of BCM is discussed in detail. Chapter 14 gives a detailed method for developing a business continuity plan (BCP). Chapter 15 is devoted to data centers in view of the critical role they play in e-banking schematics.
Part VI Legal and Regulatory Compliance
This part deals with the legal and regulatory compliance requirements applicable to an electronic banking environment. Chapter 16 deals with the organization of the compliance function and the roles of the Board, senior management, and the regulators in the compliance function. The last chapter discusses major compliance issues, including measures to ensure the privacy of customer information and anti-money laundering, and the importance of information disclosures and customer education.
To increase the practical utility of Risk Management in Electronic Banking, case studies based on some of the most recently reported events have been included. The high-level review checklist provided at the end of the book will facilitate a quick management review of the status of risk management in banks providing electronic banking services. A glossary of the relevant terms and acronyms used, and a list of references, are also appended.
INTENDED AUDIENCE
Risk management has moved up the organizational ladder and is more
of a management than technical issue It is a multidisciplinary function with roles and responsibilities associated with all sections of personnel
in a bank Keeping this in mind, the technical jargon has been kept to the bare minimum
Risk Management in Electronic Banking is aimed at central bankers,
Board members, the senior management of banks, senior managers with risk management responsibilities, operational risk managers, IT manage-
Trang 16ment in banks, senior operations staff, auditors and compliance offi cers, technology service providers, and risk management consultants Researchers and academics working in the risk management area and students of banking-related courses will fi nd this an informative refer-ence book.
AN EXPLANATORY NOTE
There are significant differences with regard to the functions of the Board of Directors and senior management across countries, dependent on the corporate governance codes and regulations applicable in the particular legal or regulatory jurisdiction. For example, the US "board of directors" has functional similarities with the "supervisory board" in Germany, whereas the functions of a German "management board" are akin to senior management functions.
Owing to these differences, and without going into the legalities, the terms Board of Directors and senior management are used in this book only to identify the two distinct decision-making functions within a bank: the former with the main function of supervising the executive body comprising senior management and general management, and the latter with executive functions.
Likewise, there are differences in the supervisory structure across jurisdictions. Some central banks perform both regulatory and supervisory functions. In some countries the regulatory and supervisory functions are divided among two or more agencies. For the sake of consistency, the term regulator is used throughout the book.
ACKNOWLEDGMENTS
I would like to acknowledge the contribution of my professional colleagues U.M. Kamath, B.M. Tambakad, and B.K. Bhat for their valuable suggestions. I would also like to thank the Basel Committee on Banking Supervision for granting permission to use text from their publications. The publication of this book would not have been possible without the interest shown in my proposal and the assistance rendered by Nick Wallwork and his able team at Wiley. My special thanks are due to Fiona Wong, Janis Soo, and Edward Caruso.
Finally, I would like to note the support of my family: my wife Saroja and our twin daughters Kavya and Kruthi. Thanks also to our son Karthik, who prepared the diagrams used in the book.
Any comments, suggestions, and inadvertent inaccuracies that are entirely my responsibility can be sent to me at jayaram.kondabagil@gmail.com.
FOREWORD
Risk Management in Electronic Banking is a comprehensive study of the concepts and best practices in electronic banking. It fills a badly needed global requirement for not only bankers but also all users of electronic banking. The book gives an excellent review of the wide scope of electronic banking's impact on traditional banking and business methods. It then delves into the risks inherent in e-banking, including strategic, operational, compliance, reputational, and others.
The author's five-pillar approach to managing risks gives practitioners a structured foundation, with each of the five pillars covered in the book. Of particular interest are the sections on outsourcing management and business continuity management. In the chapter on product- and service-specific risks, the sections on transactional websites and aggregation services cover those new and unique e-banking requirements. Top management will be particularly interested in reading the section on business continuity. IT managers will want to study the section on data centers and alternate sites. Compliance managers will want to read the Compliance Function section. The High-level Review Checklist and Glossary at the end of the book are also particularly useful.
Jayaram Kondabagil has produced an excellent work that will be the key reference for anyone involved in electronic banking.
Mark Mobius
Managing Director, Templeton Asset Management Ltd
Part I
Introduction to E-Banking
Copyright © 2007 John Wiley & Sons (Asia) Pte Ltd.
CHAPTER 1
E-Banking Basics

EVOLUTION OF E-BANKING
Banks are deemed to be early users of technology and main drivers of the technological revolution. The first applications of the computer age within banking were the use of mainframes, and later minicomputers, to process data such as customer accounts, bank inventories, personnel records, and accounting packages that ultimately evolved into spreadsheets. Technology was used as a support tool for banking operations, helping staff to do their work faster, more conveniently, and with fewer human errors.
The idea of direct customer services was less clear, but the first ATM (automated teller machine) came into commercial use in 1968. ATMs were the first visible face of electronic banking. From being mere currency dispensers they have evolved into multifunctional devices enabling customers to conduct a whole range of transactions, from account management and funds transfer to bill payments. It took nearly 16 years for the first 100,000 ATMs to be operational, whereas the next 100,000 were in place in a mere four years. The day of smart ATMs that use biometrics to recognize customers and cross-sell financial products, with a fair knowledge of the investment and purchasing preferences of customers, is not far off.
The next step in providing direct customer service came with the extended use of debit and credit cards in merchants' shops through EPOS (electronic point of sale) technology. Electronic funds transfer was another application where technology was used extensively, mainly to cut costs and to speed up payments. This led to the development of specialized products such as corporate cash management systems.
The proliferation of the Internet gave a real boost to electronic banking and moved banking services from back-end applications to customer-centric front ends. The open networked environment provided instant global access to information, products, and services, so now customers could bank from the comfort of their homes. It is estimated that as at March 2007 about 16.9% of the world's population were Internet users. Globally, the number of broadband subscribers by the end of 2006 was estimated at about 281 million and is expected to cross 400 million by 2010, underlining the potential. Developments in Internet technology have led to new products such as aggregation services, bill presentment and payment, and personalized financial portals.
Advances in telecommunication technology have helped the development of a new facet of electronic banking, namely mobile banking. Wireless is estimated to be growing at more than three times the rate of landlines globally. With the number of connections estimated at 2.6 billion at the end of 2006, and expected to cross 4 billion by 2010, mobile banking is set to become a major delivery channel.
An indicative list of common e-banking services is provided in Table 1.1 below.
TABLE 1.1 Common e-banking services
• Financial information and news
• Product and service information
• Branch and ATM locators
• Account management
• Cash management
• Business-to-business payments
• New account opening
• Employee benefits administration
• Pension administration
• Insurance
• Depository services
• Person-to-person payments
• Interest rates and currency rates
• Promotions and cross-selling
• Helpline information
• Bill payment and presentment
• Funds transfer to different accounts
• Consumer/commercial wire transfers
• Investment/brokerage services
• Loan application and approval
• Account aggregation
• Credit cards
This is only an indicative list, and the services and products are of varied complexity.
IMPACT ON TRADITIONAL BANKING
Banking has traditionally been built on the branch-banking model, with two basic competitive advantages, namely a brand name and customer relationships. The speed of change and advancements in information technology (IT) have brought changes to the way banking has been done for centuries and will continue to influence future banking trends.
The nature of distribution channels has changed dramatically. Today, competition in the banking sector means that the success of a bank is determined by its ability to deliver innovative products and services in a technologically advanced way that meets the changing needs of the customer. Some of the perceptible changes are as follows.
Changing Customer Profile
Previously, customers changed banks only in extreme circumstances. Now they can do so at the click of a mouse. Comparison by customers of the products and services offered by different banks is facilitated by the easy availability of information on the Internet. This enables customers to shop around for the best offer. Further, the costs of switching are lower in the case of electronic banking, which could reduce customer loyalty and lead customers to buy the most attractive product from each bank. On the darker side, there is information overload. Many a time, customers are confused as to whom they are dealing with and on what terms. They have also become more vulnerable to scams and frauds.
Market Transparency
The market has become more transparent due to the easy availability of information. This means that banks obtain information about competitors' product ranges as soon as they are launched. New innovative products are copied more rapidly, thereby accelerating product standardization and commoditization.
Cross-selling
The availability of information about customers' banking trends and preferences gives banks the potential to cross-sell other financial products and services. Many major banks have recognized this for some time, and they are in fact no longer in the business of banking, defined as the provision of loans and advances, deposits, and transaction payment services. They are instead in the business of financial services, providing an integrated, one-stop package of services comprising life and general insurance, mutual funds, stock-broking, depository services, housing finance, and the like.
Brand Names
The importance of banking brand names is increasing. In an e-banking environment where personal contact is limited and where products and services can be copied rapidly, the brand name is an instrument with which banks can distinguish themselves from their competitors. A number of banks have already set up subsidiaries to provide e-banking services under a new brand name or under the name of the parent bank.
Transaction Costs
E-banking transactions are much cheaper than transactions conducted at the branch. Recent estimates put the direct costs of a banking transaction effected through a branch, an ATM, and the Internet at $1.27, $0.27, and $0.01 respectively. This has turned yesterday's competitive advantage of a large branch network into a comparative disadvantage for many banks.
of a professional bank manager and are better handled at the local branch level.
Internet-only Banks
Pure Internet banks created a lot of euphoria a couple of years back. Their market share is still very small and many have been forced out of the market. The main reasons are the online privacy and security fears of consumers, the lack of human interaction, and the lack of trust following the dotcom debacle.
The advent of the electronic banking era was set to be the most fundamental transformation ever faced by the industry. In days to come, technology will be used to maximize revenues rather than to minimize costs, and electronic banking services will be complementary to, rather than a substitute for, branches. In the long run, traditional elements such as branding, customer loyalty, physical locations, people, and cultures will continue to matter in determining which banks succeed in the electronic age.
E-BANKING COMPONENTS
The role of technology in supporting the e-banking function has become increasingly complex. IT operations traditionally housed in a computer data center, with user connections through terminals, have become more dynamic and include distributed environments, integrated applications, telecommunication options, Internet connectivity, and an array of computer operating platforms. As the complexity of technology has grown, banks have increased their reliance on vendors, partners, and other third parties for a variety of technology solutions and services.
Normally the two alternatives are:
• One or more technology service providers host the e-banking application and numerous network components, including the institution's website, Internet banking server, firewall, and intrusion detection system. While the institution does not have to manage the daily administration of these component systems, its Board and senior management remain responsible for the content, performance, and security of the e-banking system.
• The institution hosts all or a larger portion of its e-banking system internally. The core processing system of the institution is then linked to the Internet through the components mentioned above (website, Internet banking server, firewall, and intrusion detection system), and system administration responsibility rests with the institution.
The overall system configuration adopted for the various components of an e-banking system is usually a combination of internal and outsourced solutions. The potential components and processes seen in a typical institution, which work together to deliver e-banking services, are given in Table 1.2. The final configuration depends on a number of factors:
• the strategic objectives of e-banking
• the scope, scale, and complexity of equipment, systems, and activities
• technology expertise
• security and internal control requirements
Technical configurations become more complex in tune with advancements in technology, and many specialized service providers enter the market catering to specific aspects of e-banking operations.
TABLE 1.2 Examples of e-banking components
Operational processes: for the different products and services offered; for example, net-banking and aggregation services
ICT infrastructure: servers for net-banking, email, and internal networks; communication systems; storage area networks (SAN); item processing equipment such as MICR coders; ATMs; operating systems
Applications: core banking processing system; e-banking applications such as bill pay; automated decision-support systems; system performance monitoring; intrusion detection systems
Operational aspects: programming support; network administration; security management; firewall configuration and management; configuration management
Service providers: website design and hosting; disaster recovery services
REGULATORY APPROVAL
Banks wishing to provide, or to enhance existing, transactional electronic banking services should normally seek prior approval from the regulators in the countries where they intend to provide such services.
The Basel Committee on Banking Supervision report Core Principles Methodology, issued in October 2006, has enunciated the following principle with regard to licensing criteria.
Principle 3.9: Licensing criteria
The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.
Though the principle has generic application to banking services, the statement has significant implications for e-banking activities in view of the sophistication and complexity of an e-banking environment. The requirements with regard to corporate governance, risk management and internal controls, detection and prevention of criminal activities, oversight of proposed outsourced functions, and the operational structure are dealt with in later parts of this book.
For the exact approval process applicable to a particular jurisdiction, the regulatory approval guidelines relevant to that jurisdiction need to be referred to. Table 1.3 lists the information typically sought by regulators.
TABLE 1.3 Information sought by regulators for licensing
• A copy of the resolution of the Board approving the decision to provide e-banking services
• Description of the services to be offered/enhanced and how they fit into the bank's overall business strategy
• The schedule of proposed charges/fees and the financial projections factoring in the proposed activities
• Overview of risk management processes in place to assess, control, monitor, and respond to potential risks arising from the proposed electronic banking activities
• Confirmation that corporate security policy and procedures addressing all security issues affecting the e-banking system are as per the regulatory guidelines
• Confirmation that appropriate systems testing and user acceptance processes have been conducted and that the results are satisfactory
• Confirmation that an adequate business continuity management (BCM) process has been adopted, including a brief description of the contingency and disaster recovery plans for electronic banking facilities
• Copies of the draft contract and maintenance agreements with the technical partners, hardware and software vendors, and service providers for critical equipment and services
• Technical details such as transaction and data flows, and remote access capabilities
CHAPTER 2
E-Banking Risks

The Basel Committee had earlier inventoried and assessed the major risks associated with banking under eight main categories, namely credit, market, interest rate, liquidity, operational, reputation, legal, and strategic.
The fundamental characteristics of traditional banking have been changed by the introduction of electronic banking. Some of the perceptible changes include:
• unprecedented speed of technological change
• product and service innovation due to changing customer expectations
• the ubiquitous and global nature of open electronic networks
• proliferation of threats and vulnerabilities in publicly accessible networks
• integration of e-banking applications with legacy computer systems
• increasing dependence of banks on third-party service providers.
These developments led the Basel Committee on Banking Supervision to conduct a preliminary study of the risk management implications of e-banking and e-money in 1998. This early study demonstrated a clear need for more work in the area of e-banking risk management, and that mission was entrusted to a working group comprising bank supervisors and central banks, the Electronic Banking Group (EBG), which was formed in November 1999.
The Electronic Banking Group studied the traditional banking risks in light of e-banking capabilities, and noted that while e-banking does not create any inherently new risks, it increases and modifies some of these traditional risks. The impact is more profound on strategic, operational, legal, and reputational risks, thereby influencing the overall risk profile of the banking institution.
The following sections provide an overview of these major risks
STRATEGIC RISK
Strategic risks are mainly associated with Board and management decisions. In the e-banking context, the use of technology can create strategic risk when management does not adequately plan for, manage, and monitor the performance of technology-related products, services, processes, and delivery channels. To give an example, IT management may recommend delaying an infrastructure upgrade to increase bandwidth in order to cut costs, which could result in a business line losing market share due to an inability to compete. Factors influencing strategic risk are listed in Table 2.1 below.
Strategic risks can be minimized by aligning technology-related plans and decisions with strategic business planning. An effective IT governance process will help banks in the formulation of IT strategies, the management of IT processes to deliver value, performance measurement, and the management of IT-related risks. This will improve competitive advantage, customer satisfaction, cost efficiency, and the ability to grow and innovate.
Periodic evaluation of new technologies and appropriate consideration of the costs of technological upgrades are key elements. Another critical planning parameter is to decide which geographical markets and customer segments the bank wants to serve, with which products and services, and how the bank intends to promote them.
TABLE 2.1 Factors influencing strategic risk
• E-banking planning and investment decisions
• Design, delivery, and pricing of services
• Technology to handle the complex nature of e-banking transactions
• Competitors with an advantage in cost, pricing of services, innovation, and/or expertise in new products
• Changes in demographic and customer profile
• Adequacy and quality of personnel with the necessary expertise
• Adequacy of technical, operational, compliance, and marketing support
• Adequacy of management information systems
• Retention of data in a legally enforceable format
• Increased dependence on outsourcing and third parties
OPERATIONAL RISK
The Basel Committee has now redefined operational risk in an affirmative way, differing from the previous “neither credit risk, nor market risk” approach. It is now defined as the risk of loss resulting from inadequate or failed processes, people, and systems, or from external events. This definition includes legal risk, but excludes strategic and reputational risk. Some analysts call it a transaction risk, security risk, or IT risk. Examples of operational risk are listed in Table 2.2 below.
Operational risk manifestation affects the institution’s ability to deliver products or services, and has a direct impact on customer service. It can result in substantial financial losses and also has an influence on the strategic, reputational, market, and credit risks of the institution. It also compromises the confidentiality and integrity of customer data due to loss, theft, or tampering of customer information.
The structure and complexity of the bank’s processing environment, types of services offered, and the complexity of supporting technology also affect the level of operational risk. The risk is heightened when the institution offers innovative services that have not been standardized.
Two factors have greatly influenced the recent upsurge of interest in operational risk. First, the banking environment is becoming more complex by the day due to technology developments. Second, Basel II has introduced explicit capital adequacy requirements for operating risk in the new accord.
TABLE 2.2 Examples of operational risk
Internal and external fraud
Technological inadequacies
Human factors such as lack of training
Negligence by customers and employees
Product and service liability
Misuse of confi dential information
Damage to physical assets
Business disruption and system failures
Failed or erroneous transaction processing
Failed outsourced processes
While management processes are commonly established in banks to manage credit risk, market risk, and security risk, lack of frameworks for quantification and management of operational risks in an electronic banking environment is a cause for concern. Deliberate and active risk control is needed to actually reduce operational risk.
COMPLIANCE RISK
Compliance risk arises from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, or ethical standards. It also arises when the legal rights and obligations of parties to a transaction are not well established. Banks providing e-banking products and services assume a higher level of compliance risk because of the changing nature of technology, which is leading to frequent changes in regulatory requirements.
Non-compliance results in serious consequences, including rating downgrades, regulatory enforcement actions and monetary fines, enforced suspension of operations, reputational damage, and, in extreme cases, withdrawal of authorization to operate. It may also lead to civil or criminal liability if, for example, an institution discloses confidential information or provides inaccurate or untimely consumer compliance disclosures.
E-banking is a new delivery channel where the laws and rules governing the electronic delivery of certain banking products or services may be ambiguous or still evolving. It is not always clear how laws, rules, and regulations designed for a “brick and mortar” institution should be implemented in the changing technological environment. Thus, the risk associated with compliance with the myriad statutes, rules, and regulations to which all banks are subjected is heightened. In case of cross-border transactions the compliance function becomes more complicated due to the lack of jurisdictional clarity.
A well-managed compliance function staffed by knowledgeable personnel and the strengthening of risk mitigation measures for other related risks would reduce legal and compliance risks.
REPUTATIONAL RISK
Reputational risk is the risk of significant negative public opinion, which may involve actions that create a lasting negative public image of overall bank operations, such that the bank’s ability to establish and maintain customer relationships is significantly impaired. Increased reputational risk can be a direct corollary of heightened risk exposure or problems in other risk categories, particularly operational risk. It may lead to expensive litigation, and impair earnings and capital.
The risk to a bank’s reputation is not only significant for the concerned institution but may also have systemic implications. Under extreme circumstances, such a situation might lead to systemic disruptions in the banking system as a whole. Factors affecting a bank’s reputation are listed in Table 2.3 below.
TABLE 2.3 Factors affecting a bank’s reputation
Loss of trust due to unauthorized activity on customer accounts
Disclosure or theft of confidential customer information to unauthorized parties
Failure to deliver on marketing claims
Failure to provide reliable service due to the frequency or duration of service disruptions
Customer complaints about the difficulty in using e-banking services and the inability of the institution’s help desk to resolve problems
Confusion between services provided by the financial institution and services provided by other businesses linked to the website
Hacking/modifying of an institution’s website
Customer education, along with formal incident response and management procedures, can help lessen reputation risk. It is important that customers understand what they can reasonably expect from an e-banking product or service, and what special risks and benefits they incur when using the system.
OTHER RISKS
In some circumstances, due to the more savvy nature of the e-banking consumer, other traditional banking risks such as credit, market, liquidity, and interest rate risks are also elevated. However, their practical consequences may be of a different magnitude for banks than strategic, operational, legal, and reputational risks. This may be particularly true for banks that engage in a variety of banking activities, as compared to banks or bank subsidiaries that specialize exclusively in electronic banking activities.
For example, e-banking systems may present credit risk if a bank offers lending services over the Internet. Requirements such as “Know your customer” may require the use of different identification, authentication, and transaction verification methods than those used with traditional delivery channels. Liquidity, interest rate, market, price, and foreign exchange risks may also result from poor data integrity or unreliable systems.
It should be noted here that some of the specific problems cut across risk categories. For example, a breach of security allowing unauthorized access to customer information can be classified as an operational risk, but such an event also exposes the bank to legal and reputational risks. Even though these different types of risks may result from a single problem, appropriate risk management may require several remedies to address each of these different risks. The categorization is only to provide clarity.
RISK MANAGEMENT CHALLENGES
The structural and operational differences between e-banking and traditional branch banking have increased and modified banking risks, especially strategic, operational, legal, and reputation risks. This has marked implications on risk management. The major challenges faced are listed below.
The Speed of Change
Previously, new banking applications were implemented over relatively long periods of time and after thorough testing. Today the competitive pressures, customer expectations, and speed of technological change have compressed time frames. This intensifies the management challenge to ensure that adequate strategic assessment, risk analysis, and security reviews are conducted prior to implementing new electronic banking applications.
Legacy Systems
Traditional and existing banks have many legacy systems into which new applications have to be integrated to allow for the more straight-through processing of electronic transactions, thereby reducing opportunities for human error and fraud inherent in manual processes. But it also increases dependence on sound systems design and architecture, as well as system interoperability and operational scalability.
Third-party Dependencies
The technical complexity of many operational and security issues has furthered a trend toward more partnerships, alliances, and outsourcing arrangements with third parties. New business models are being created. These involve banks and non-bank entities such as Internet service providers, telecommunication companies, and other technology firms. As many of these entities are unregulated, the risk management challenge for banks increases.
Open Networks
The Internet is an open network accessible from anywhere in the world by unknown parties, with the routing of messages through unknown locations and via fast-evolving wireless devices. The introduction of phone and mobile banking enables the use of telecom infrastructure, which is primarily a voice transmission medium. This magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures, and customer privacy standards.
Recent Trends
The last two decades have seen a dramatic change in risk management practices as technology has made the modeling of risks more feasible, and innovation has helped to find better ways to mitigate risk. The entire risk management process has become more quantitative, reflecting not only the enhanced ability and lower costs of collecting and processing data, but also the improved techniques for measuring and managing risk.
All e-banking risks have financial implications, but from the angle of ease of quantification they can be broadly categorized as:
• financial risks: credit, market, interest rate, and liquidity
• non-financial risks: strategic, operational, compliance, and reputational
Financial risk management has evolved further over the years because of the transparency of markets, frequency of transactions, and financial engineering. The treasury functions of corporations routinely use models to assess and manage price, interest rate, liquidity, and foreign exchange risk. Another major category of risk is credit risk, which has also become much more quantified. The greater use of credit models today provides a stronger framework to assess credit risks.
Non-financial risks are further along in the evolutionary process. They cannot be hedged by using financial instruments or by setting exposure limits, but need alternate strategies to mitigate these risks. The risk challenges in a technology-intensive, innovative, and evolving e-banking environment can come in many new forms. It is relatively straightforward to model those for which there is a sufficient run of data, and a store of case studies; but what is much harder to quantify and control are those new forms of risk that emerge from unexpected quarters.
The committee recognises that each bank’s risk profile is different and requires a tailored risk mitigation approach appropriate for the scale of the e-banking operations, the materiality of the risks present, and the willingness and ability of the institution to manage these risks. This implies that a “one size fits all” approach to e-banking risk management issues may not be appropriate.
Risk Management Principles for Electronic Banking,
Basel Committee on Banking Supervision, July 2003
THE FIVE-PILLAR APPROACH
This book follows and recommends a five-pillar approach for the management of risks in an electronic banking environment:
Pillar I Risk management framework
Pillar II Information security management
Pillar III Outsourcing management
Pillar IV Business continuity management
Pillar V Legal and regulatory compliance
The e-banking risk management objectives are met by a structured approach built on a strong foundation of Board and senior management oversight, and they are supported by the above-mentioned five pillars as depicted in Figure 2.1. Each pillar is discussed in detail in the subsequent five parts of this book, supplemented by an overview of the Board and senior management oversight function in the relevant sections.
FIGURE 2.1 The five-pillar approach
CHAPTER 3 Product and Service-specific Risks
We have seen earlier that the advances in information and communication technologies have led to innovative products and services being developed. Each new product or service heightens associated risks due to the lack of standards and knowledge about peer experience. We shall now see the risks associated with some of the major e-banking products and services.
INTERNET BANKING
Existing banks with physical offices, ordinarily termed as brick-and-mortar banks, are establishing websites and offering Internet banking to their customers as an addition to their traditional delivery channels. Then there are virtual banks, which offer branchless “Internet-only” banking with the data centre or some other location serving as the legal address. Virtual banks provide customers with the ability to make deposits and withdrawals via ATMs, or through other remote delivery channels owned by other institutions. The main communication with the Internet banking customer is through the bank website accessed through a browser in the customer’s PC, PDA, or similar mobile device.
The presence of banks on the Internet can be classified into two categories:
Informational Websites
In this basic level of Internet banking, the bank typically has marketing information about the bank’s products and services; and information on interest rates, foreign exchange rates, the branch network, ATM locations, and so on, on a standalone server. This may include unsecured email contact, with no customer identification or verification required, and it may also allow bank customers to submit applications for different services. The risk associated with these operations is low, as there is no direct path to the bank’s internal network, but the data on the server or website is vulnerable to alteration.
However, the bank may be exposed to legal and reputational risks that arise from:
• potential liability and consumer violations due to inaccurate or incomplete information about products, services, and pricing presented on the website
• potential access to confidential bank or customer information if the website is not properly isolated from the bank’s internal network
• potential liability for spreading viruses and other malicious code to computers communicating with the bank’s website
• negative public perceptions if the institution’s online services are disrupted, or if its website is defaced or otherwise presents inappropriate or offensive material
Transactional Websites
Transactional websites allow the customer to directly execute transactions with financial implications online. Banking transactions can range from something as basic as a retail account balance inquiry to statement downloads. Customers are permitted to execute the electronic transfer of funds to or from their accounts and to effect the payment of bills. Strong customer authentication will be required in transactional websites.
Transactional websites expose a bank to a higher risk than basic informational websites, since they enable the electronic exchange of confidential customer information and the transfer of funds. Because these servers ordinarily have a direct path to the bank’s internal networks, the operational risk is higher with this configuration.
Since a communication path is typically complex and may include passing through several public servers, lines, or devices between the customer’s PC and the bank’s internal networks, this is the highest risk architecture and must have the strongest controls. Unauthorized access in this environment can also lead to or give rise to fraud.
The bank may be exposed to operational, legal, and reputational risks arising from:
• liability for unauthorized transactions and losses from fraud
• unauthorized access to confidential customer information during transmission or storage
• possible violations of laws or regulations pertaining to anti-money laundering and terrorist financing
• content, timing, or delivery of required consumer disclosures
• negative public perception, customer dissatisfaction, and potential liability resulting from the failure to process third-party payments as directed or within specified time frames
• lack of availability of online services
The Internet was not originally designed to handle commercial and financial transactions, only to ensure the survival of information. A major driving force behind the rapid spread of Internet banking all over the world is accessibility and cost-effectiveness. Along with a reduction in transaction costs, it has also brought about a new orientation toward risks and even new forms of risks. The risks associated with Internet banking can only be minimized by an effective risk and security management framework.
AGGREGATION SERVICES
Account aggregation services allow customers to obtain consolidated information about their financial and non-financial accounts across several financial institutions in one place. The main benefit is that the customer can manage multiple accounts with multiple financial service providers through a single point of contact and user interface.
An aggregator essentially acts as an agent for customers. Customers provide the aggregator with the necessary authentication information like user IDs, passwords, and personal identification numbers to access the various accounts, collect and manipulate account data, perform transactions, and present a consolidated view of finances. This is done either through screen scraping, a process that involves culling data from the other institutions’ websites often without their knowledge, or through contractually arranged direct data feeds between financial institutions.
Aggregation services typically involve three different entities:
• the aggregator that offers the aggregation service and maintains information on the customer’s relationships/accounts with other online providers
• the aggregation target or website/entity from which the information is gathered or extracted by means of direct data feeds or screen scraping
• the aggregation customer who subscribes to aggregation services and provides customer IDs and passwords for the account relationships to be aggregated
Banks are involved in account aggregation both as aggregators and as aggregation targets. Simple consolidation services are moving toward more sophisticated models like offering advanced financial advisory services based on a consumer’s consolidated portfolio, enabling inter-company fund transfers and the like, thereby introducing more risk into the process.
Risks in Aggregation
Aggregation services can improve customer convenience by avoiding multiple logins and providing access to tools that help customers to analyze and manage their various account portfolios. But they require the sharing of authentication secrets among multiple parties, thereby heightening the security, legal, operational, and reputational risks of the banks. Further, aggregators can be domiciled in any country and may not be subject to any legislation or financial regulation, thereby presenting a very privileged attacking point.
In most instances, the customer unilaterally employs an aggregator without the knowledge of the bank. The electronic banking contracts entered into by a customer with the bank normally prohibit the customer from either entering into aggregation agreements or from divulging the authentication data necessary to perform the aggregation. Nevertheless, a contract can never guarantee that it will not be unilaterally broken.
Some aggregators do not require the customer to divulge their authentication data, but require the customer to download and install software provided by the aggregator, which acts as a proxy, and provide the necessary authentication data whenever required by the aggregation service. The security afforded to the authentication data in such a scheme relies on the trustworthiness of the software provided by the aggregator.
In both cases, the security of the banking information handled by the aggregators within their systems is unknown to the customer or the bank. Although the customer bears all responsibilities, the reputation of the bank may still be affected if a high number of its customers are exposed to fraud.
Generally, direct data feeds under contractual arrangements are thought to provide greater legal protection to the aggregator than screen scraping. A coordinated effort among the aggregators, banks, and other financial institutions and technology vendors toward secure and interoperable direct data-feed standards can mitigate the risks.
BILL PRESENTMENT AND PAYMENT
As a medium for bill payment, electronic bill presentment and payment (EBPP) systems offer a direct alternative to paper checks. EBPP entails the delivery of bills and the placement of bill payment orders over the Internet or through a proprietary electronic network. In a typical transaction, a customer receives a bill electronically, together with a hyperlink to payment options. After reviewing the bill, the customer clicks on the link, selecting a method of payment and initiating the transfer of funds. Electronic bill presentment can also be conducted separately from electronic bill payment. Some providers offer only presentment or payment services.
This technology is used in business-to-consumer transactions such as the payment of utility and credit card bills, or business-to-business transactions such as the payment of procurement bills and invoices. Internet-based cash management is the commercial version of retail bill payment. Business customers use the system to initiate third-party payments or to transfer money between company accounts.
Bill presentment arrangements permit a business, say a utility provider, to submit a customer’s bill in electronic form to the customer’s bank. Customers can view their bills by clicking on links on their account’s e-banking screen or menu. After viewing a bill, the customer can initiate bill payment instructions or elect to pay the bill through a different payment channel.
Some businesses offer electronic bill presentment directly from their own websites. Under such arrangements, customers log on to the