slide1 l.
Skip this Video
Loading SlideShow in 5 Seconds..
Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities PowerPoint Presentation
Download Presentation
Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities

Loading in 2 Seconds...

play fullscreen
1 / 23

Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities - PowerPoint PPT Presentation

  • Uploaded on

Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities Prepared for ABA USBanking 2002 by the Bank Technology Division of the Office of the Comptroller of the Currency January 2002

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities' - andrew

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities

Prepared for ABA USBanking 2002 by the Bank Technology Division of the Office of the Comptroller of the Currency

January 2002

The OCC is an independent bureau of the Department of Treasury and is the federal regulator of approximately 2,200 national banks.


Technology Developments

  • Advances in communications provide networked global access to information and delivery of products/services
    • Internet has reached critical mass (60% of U.S. households)
    • Some banks have 25 percent of customers banking online
  • Increased competition from other industries and abroad
  • Greater reliance on third party providers
  • Advances in technology make the component functions of banking more easily divisible
growth in number of national banks that have transactional websites
Growth in Number of National Banks that Have Transactional Websites

Source: Office of the Comptroller of the Currency. “Transactional web sites” are defined as bank web sites that allow customers to transact business. This may include accessing accounts, transferring funds, applying for a loan, establishing an account, or performing more advanced activities.

technology based banking products services
Balance inquiry

Transaction information

Funds transfer

Cash Management

Bill payment

Bill presentment

Loan applications

Stored Value


Electronic Finder

Automated clearinghouse (ACH) transactions

Internet Payments

Wireless Banking

Certification Authority

Data Storage

Technology-based BankingProducts & Services

Key Technology Risks

  • Vendor Risk Issues
  • Security, Data Integrity, and Confidentiality
  • Authentication, Identity Verification, and Authorization
  • Strategic and Business Risks
  • Business Continuity Planning
  • Permissibility, Compliance, Legal Issues, and Computer Crimes
  • Cross Border and International Banking
outsourcing trends
Outsourcing Trends
  • TowerGroup estimates banks outsource over 85% of their information technology
  • Rapid pace straining ability to oversee third parties
  • Consolidation of tech. companies and core processors
  • Weak or negative earnings of new tech providers
  • Banks are postponing new technology investments, but still investing in proven technologies
outsourcing guidance
Outsourcing Guidance
  • FFIEC Guidance on Risk Management of Outsourced Technology Services (November 2000)
  • Key elements of the risk management process:
    • Risk assessment
    • Due diligence in selecting service provider
    • Contract requirements
    • Oversight of service provider

Regardless of the decision to outsource, the bank remains ultimately responsible.

security and privacy
Security and Privacy
  • Increases in security events and vulnerabilities
  • According to 2001 FBI/CSI survey, 70% reported that the Internet is the point of cyber attacks, up from 59% in 2000
  • Gramm-Leach-Bliley Act of 1999 requires banks to establish administrative, technical & physical safeguards to protect the privacy of customers’ nonpublic customer records and information
reported security incidences vulnerabilities
Reported Security Incidences & Vulnerabilities

Source: CERT/CC -- statistics are not limited to the banking industry and include all reported incidents

key elements of security program
Key Elements of Security Program
  • Reviewing physical and logical security:
    • Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlled
    • Seek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized access
    • Maintain knowledge of current threats facing the bank and the vulnerabilities to systems
    • Assess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best practice levels
key elements of security program11
Key Elements of Security Program
  • Reviewing physical and logical security (cont’d):
    • Verify the identity of new employees, contractors, or third parties accessing your systems or facilities. If warranted, perform background checks.
    • Evaluate whether physical access to all facilities is adequate.
    • Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.
  • Reliable customer authentication is imperative for E-banking
  • Effective authentication can help banks reduce fraud, reputation risk, disclosure of customer information, and promote the legal enforceability of their electronic agreements
  • Methods to authenticate customers:
    • Passwords & PINS
    • Digital certificates & PKI
    • Physical devices such as tokens
    • Biometric identifiers
strategic and reputation risks
Strategic and Reputation Risks
  • Uncertain pace of change and evolving standards (e.g., “bricks and clicks” more successful than internet-only model)
  • First mover (“bleeding edge”) vs. wait and see (permanently lose market share)
  • Struggle to retain customers in face of intense competition
  • Inadequate oversight of third party providers
business continuity planning
Business Continuity Planning
  • The 9/11 events, anthrax-laced mail, and NIMDA virus underscore the importance of robust business continuity planning.
  • Steps to consider when reviewing business continuity plans:
    • Identify primary and secondary facilities in high profile or vulnerable locations and develop plans to mitigate undue risk exposure.
    • Ensure business continuity plans are coordinated and communicated on a corporate-wide basis with clear expectations.
business continuity planning cont d
Business Continuity Planning (cont’d)
  • Strengthen data backup and recovery site arrangements, as warranted, to ensure adequate off-site storage of back-up records and sufficient distance from primary operations.
  • Review succession plans for key employees and delegations of authority in the event of a crisis.
  • Review community’s incident response plans and work with local governments to identify enhancements
  • Analyze key customers and service providers for exposure to terrorist activities including high profile industries or facilities (e.g., power companies, refineries, airlines, telecommunications providers), then assess the adequacy of their business continuity planning process.
  • Test plans on a regular basis, evaluate results and update plans.
permissibility legal and compliance issues
Permissibility, Legal, and Compliance Issues
  • Technology raises legal issues
    • Permissible?
    • Applicability of state and foreign laws?
    • Validity of electronic agreements?
  • Technology creates consumer compliance issues
    • Electronic disclosures delivery
    • Weblinking, customer confusion, and liability
    • RESPA and fee income from weblinking
    • CRA and fair lending issues
    • Reg. E application to aggregation services
computer crime
Computer Crime
  • Internet banking and payment systems may allow for new ways to conduct illegal and fraudulent activities
    • Unauthorized access to deny service or re-direct a website
    • Identity theft resulting in unauthorized or illegal use of account information
    • Money laundering
    • Phony Internet banks
cross border and international e banking
Cross Border and International E-Banking
  • Information revolution around the globe and borderless reach of the Internet
  • Increase in global partnerships/alliances
  • Risks to U.S banks from cross border E-banking without adequate due diligence
    • Unlicensed activities?
    • Understanding application of local prudential and customer protection laws & regulations?
    • Expertise?
  • Risks to U.S. consumers of dealing with foreign Internet banks
cross border and international e banking19
Cross Border and International E-Banking
  • EBG sponsored by the Basel Committee’s Electronic Banking Group
    • Chaired by Comptroller Hawke
  • Published studies on e-banking risk and risk management issues 1998, 2000 & 2001
    • available at
    • Developing guidance on cross border, e-banking risks and aggregation
  • Coordinate international e-banking supervision efforts
  • Information sharing and training
  • OCC developing guidance on cross border Internet banking risks
key findings of successful e banking exams
Key Findings of Successful E-banking Exams
  • Active vendor management
  • Ongoing board involvement
  • Sufficient technical expertise
  • Proactive network security that effectively prevents, detects, and responds to intrusions
  • Strong authentication practices
  • Encrypted communications
  • Periodic compliance and legal reviews
  • Appropriate backup and recovery
occ technology risks supervision program
OCC Technology Risks Supervision Program
  • Guidance -- Focus on risk analysis, measurement, controls, and monitoring
  • Risk-based examinations of banks and third party service providers (as authorized by the Bank Service Company Act of 1962)
    • On site and Quarterly reviews
    • Focus on safety and soundness
    • Reviews of banks with transactional web sites and E-banking service providers
  • Training and Technology Integration Project
  • External outreach and co-ordination
  • Licensing process for Internet-primary banks and novel activities


Please contact John Carlson, Senior Advisor for Bank Technology, OCC


Telephone: (202) 874-5013

Additional Information is available on the OCC Website: