New challenges for regulators

This changing financial landscape brings with it new challenges for bank
management and regulatory and supervisory authorities. The major ones stem from
increased cross-border transactions resulting from drastically lower transaction
costs and the greater ease of banking activities, and from the reliance on
technology to provide banking services with the necessary security.

Regulatory risk. Because the Internet allows services to be provided from

anywhere in the world, there is a danger that banks will try to avoid regulation and
supervision. What can regulators do? They can require even banks that provide
their services from a remote location through the Internet to be licensed. Licensing
would be particularly appropriate where supervision is weak and cooperation
between a virtual bank and the home supervisor is not adequate. Licensing is the
norm, for example, in the United States and most of the countries of the European
Union. A virtual bank licensed outside these jurisdictions that wishes to offer
electronic banking services and take deposits in these countries must first establish
a licensed branch.

Determining when a bank's electronic services trigger the need for a license can be
difficult, but indicators showing where banking services originate and where they
are provided can help. For example, a virtual bank licensed in country X is not
seen as taking deposits in country Y if customers make their deposits by posting
checks to an address in country X. If a customer makes a deposit at an automatic
teller machine in country Y, however, that transaction would most likely be
considered deposit taking in country Y. Regulators need to establish guidelines to
clarify the gray areas between these two cases.

Legal risk. Electronic banking carries heightened legal risks for banks. Banks can
potentially expand the geographical scope of their services faster through
electronic banking than through traditional banks. In some cases, however, they
might not be fully versed in a jurisdiction's local laws and regulations before they
begin to offer services there, either with a license or without a license if one is not
required. When a license is not required, a virtual bank—lacking contact with its
host country supervisor—may find it even more difficult to stay abreast of
regulatory changes. As a consequence, virtual banks could unknowingly violate
customer protection laws, including on data collection and privacy, and regulations
on soliciting. In doing so, they expose themselves to losses through lawsuits or
crimes that are not prosecuted because of jurisdictional disputes.

Money laundering is an age-old criminal activity that has been greatly facilitated
by electronic banking because of the anonymity it affords. Once a customer opens
an account, it is impossible for banks to identify whether the nominal account
holder is conducting a transaction or even where the transaction is taking place. To
combat money laundering, many countries have issued specific guidelines on
identifying customers. They typically comprise recommendations for verifying an
individual's identity and address before a customer account is opened and for
monitoring online transactions, which requires great vigilance.

In a report issued in 2000, the Organization for Economic Cooperation and

Development's Financial Action Task Force raised another concern. With
electronic banking crossing national boundaries, whose regulatory authorities will
investigate and pursue money laundering violations? The answer, according to the
task force, lies in coordinating legislation and regulation internationally to avoid
the creation of safe havens for criminal activities.

Operational risk. The reliance on new technology to provide services makes

security and system availability the central operational risk of electronic banking.
Security threats can come from inside or outside the system, so banking regulators
and supervisors must ensure that banks have appropriate practices in place to
guarantee the confidentiality of data, as well as the integrity of the system and the
data. Banks' security practices should be regularly tested and reviewed by outside
experts to analyze network vulnerabilities and recovery preparedness. Capacity
planning to address increasing transaction volumes and new technological
developments should take account of the budgetary impact of new investments, the
ability to attract staff with the necessary expertise, and potential dependence on
external service providers. Managing heightened operational risks needs to become
an integral part of banks' overall management of risk, and supervisors need to
include operational risks in their safety and soundness evaluations.

Reputational risk. Breaches of security and disruptions to the system's availability

can damage a bank's reputation. The more a bank relies on electronic delivery
channels, the greater the potential for reputational risks. If one electronic bank
encounters problems that cause customers to lose confidence in electronic delivery
channels as a whole or to view bank failures as systemwide supervisory
deficiencies, these problems can potentially affect other providers of electronic
banking services. In many countries where electronic banking is becoming the
trend, bank supervisors have put in place internal guidance notes for examiners,
and many have released risk-management guidelines for banks.

Reputational risks also stem from customer misuse of security precautions or

ignorance about the need for such precautions. Security risks can be amplified and
may result in a loss of confidence in electronic delivery channels. The solution is
consumer education—a process in which regulators and supervisors can assist. For
example, some bank supervisors provide links on their websites allowing
customers to identify online banks with legitimate charters and deposit insurance.
They also issue tips on Internet banking, offer consumer help lines, and issue
warnings about specific entities that may be conducting unauthorized banking
operations in the country.
Regulatory tools

There are four key tools that regulators need to focus on to address the new
challenges posed by the arrival of e-banking.

Adaptation. In light of how rapidly technology is changing and what the changes
mean for banking activities, keeping regulations up to date has been, and continues
to be, a far-reaching, time-consuming, and complex task. In May 2001, the Bank
for International Settlements issued its "Risk Management Principles for Electronic
Banking," which discusses how to extend, adapt, and tailor the existing risk-
management framework to the electronic banking setting. For example, it
recommends that a bank's board of directors and senior management review and
approve the key aspects of the security control process, which should include
measures to authenticate the identity and authorization of customers, promote
nonrepudiation of transactions, protect data integrity, and ensure segregation of
duties within e-banking systems, databases, and applications. Regulators and
supervisors must also ensure that their staffs have the relevant technological
expertise to assess potential changes in risks, which may require significant
investment in training and in hardware and software.

Legalization. New methods for conducting transactions, new instruments, and new

service providers will require legal definition, recognition, and permission. For
example, it will be essential to define an electronic signature and give it the same
legal status as the handwritten signature. Existing legal definitions and permissions
—such as the legal definition of a bank and the concept of a national border—will
also need to be rethought.

Harmonization. International harmonization of electronic banking regulation must

be a top priority. This means intensifying cross-border cooperation between
supervisors and coordinating laws and regulatory practices internationally and
domestically across different regulatory agencies. The problem of jurisdiction that
arises from "borderless" transactions is, as of this writing, in limbo. For now, each
country must decide who has jurisdiction over electronic banking involving its
citizens. The task of international harmonization and cooperation can be viewed as
the most daunting in addressing the challenges of electronic banking.

Integration. This is the process of including information technology issues and

their accompanying operational risks in bank supervisors' safety and soundness
evaluations. In addition to the issues of privacy and security, for example, bank
examiners will want to know how well the bank's management has elaborated its
business plan for electronic banking. A special challenge for regulators will be
supervising the functions that are outsourced to third-party vendors.

The macroeconomic challenges

But the challenges are not limited to regulators. As the advent of e-banking quickly
changes the financial landscape and increases the potential for quick cross-border
capital movements, macroeconomic policymakers face several difficult questions.

 If electronic banking does make national boundaries irrelevant by

facilitating capital movements, what does this imply for macroeconomic
management?
 How is monetary policy affected when, for example, the use of electronic
means makes it easier for banks to avoid reserve requirements, or when business
can be conducted in foreign currencies as easily as in domestic currency?
 When offshore banking and capital flight are potentially only a few mouse
clicks away, does a government have any leeway for independent monetary or
fiscal policy?
 How will the choice of the exchange rate regime be affected, and how will
e-banking influence the targeted level of international reserves of a central bank?
 Can a government afford to make any mistakes? Will the spread of
electronic banking impose harsh market discipline on governments as well as on
businesses?

The answers to these questions fall into two emerging strands of thought. First, the
technological revolution—particularly the expansion of electronic money but also,
more broadly, electronic advances in banking practices—could result in a
decoupling of households' and firms' decisions from the purely financial operations
of the central bank. Thus, the ability of monetary policy to influence inflation and
economic activity would be threatened.

Second, as electronic banking expands, financial transaction costs can decline

significantly. The result would be tantamount to a reduction in the "sand in the
wheels" of the financial sector machinery, making capital flows even easier to
effect, with a potential erosion of the effectiveness of domestic monetary policy. In
this regard, proponents of the Tobin tax—which would tax short-term capital flows
to increase their cost and, thereby, the sand in the wheels—would feel that
electronic banking makes an even more compelling case for introducing such a tax.

Conclusion

While electronic banking can provide a number of benefits for customers and new
business opportunities for banks, it exacerbates traditional banking risks. Even
though considerable work has been done in some countries in adapting banking
and supervision regulations, continuous vigilance and revisions will be essential as
the scope of e-banking increases. In particular, there is still a need to establish
greater harmonization and coordination at the international level. Moreover, the
ease with which capital can potentially be moved between banks and across
borders in an electronic environment creates a greater sensitivity to economic
policy management. To understand the impact of e-banking on the conduct of
 economic policy, policymakers need a solid analytical foundation. Without one,
the markets will provide the answer, possibly at a high economic cost. Further
research on policy-related issues in the period ahead is therefore critical.

Challenges of Electronic Banking

 Banking practices have undergone significant changes since the advent of the Internet.
Banks provide many services online, which are extremely convenient for banking customers.
However, Internet banking (also known as electronic or e-banking) also poses some risks to the
banks and banking customers who choose to use it. Management companies and individuals
have to weigh these risks against the potential benefits before they decide whether Internet
banking is a good option.

Regulation and Legalities

 Internet banking makes it possible for banks and their customers to do business from
anywhere in the world. This greatly increases the bank's potential client base. Nevertheless,
according to Andrea Schaechter of All Business, the global approach to banking that e-banking
permits makes it extremely difficult for regulatory authorities to enforce finance laws. Additionally,
regulations differ from nation to nation and banks are not always proficient in the financial laws
for every nation in which they have business. Schaechter asserts that this lack of proficiency
opens banks and their clients up to law violations and lawsuits.

Digital and Financial Divide

 Rupa Rege Nitsure, author of "E-banking: Challenges and Opportunities," claims that a
digital divide exists between banks -- i.e., not every bank has access to the hardware and
software necessary to make e-banking possible. A study led by Jiaquin Yang of Georgia College
and State University showed that this problem may be related to size and financial support a
bank has. Smaller banks tend not to use e-banking because it is not cost-effective for them. To
make Internet banking more commercially fair to banks and customers, all banks would need a
sufficient funding source so that banks could eliminate this digital divide.

Security
 E-banking increases convenience, but as Schaechter points out, it also opens a bank to
security issues. For example, a criminal might hack into the bank's server in order to acquire
bank account data, or a software glitch might cause the bank to unwittingly distribute personal
data to the wrong person. To make matters worse, technology is not static. Banks who use
Internet banking have to constantly update their software and hardware to make sure that
compatibility issues and increased knowledge of security systems do not increase their security
risks. This can be expensive over time.

Reputation
 Schaechter asserts that problems such as governance and security have the potential to
make a bank look bad to clients. Additionally, the more a bank relies on Internet banking, the
more the bank may gain an impersonal feel. Both of these problems may discourage clients from
choosing a bank that relies on e-banking, regardless of how convenient e-banking may be.
 abstact

Abstract— The new information technology is becoming an important factor in the future development of
financial services industry, and especially banking industry. Growing international trading and problems
in transferring money have motivated researchers to introduce a new structure. E-banking is such idea.
Most of banks are using the Internet as a new distribution channel. This paper presents a through
survey of e-banking describing definition, barriers, benefits from the customers’, economy, and bank
point of views, and main issues and challenges such as risk management and factors responsible for e-
banking development. Finally, conclusion and future perspective of e-banking development will be
discussed.

Risks and Reponses

So, back to the future – nobody knows what it will look like.

My job is to think about the risks banks, and building societies, whether new or old, are running. And about how
they should respond to these risks.

Allow me to consider them under the following headings:

 strategy

 business

 security

 reputation

 operations.

You will notice that none of these are in themselves new and anyone who is familiar with the risk based approach
to banking supervision (RATE) will know that they are already routinely covered by supervisors, albeit that we
may need to give different weight and emphasis to these factors for E-banking.

Strategic Risk
On strategic risk E-banking is relatively new and, as a result, there can be a lack of understanding among senior
management about its potential and implications. People with technological, but not banking, skills can end up
driving the initiatives. E-initiatives can spring up in an incoherent and piecemeal manner in firms. They can be
expensive and can fail to recoup their cost. Furthermore, they are often positioned as loss leaders (to capture
market share), but may not attract the types of customers that banks want or expect and may have unexpected
implications on existing business lines.
 Banks should respond to these risks by having a clear strategy driven from the top and should ensure that this
strategy takes account of the effects of e-banking, wherever relevant. Such a strategy should be clearly
disseminated across the business, and supported by a clear business plan with an effective means of monitoring
performance against it.

Business risks
Business risks are also significant. Given the newness of e-banking, nobody knows much about whether e-
banking customers will have different characteristics from the traditional banking customers. They may well have
different characteristics – eg I want it all and I want it now. This could render existing score card models
inappropriate, thus resulting in either higher rejection rates or inappropriate pricing to cover the risk. Banks may
not be able to assess credit quality at a distance as effectively as they do in face to face circumstances. It could
be more difficult to assess the nature and quality of collateral offered at a distance, especially if it is located in an
area the bank is unfamiliar with (particularly if this is overseas). Furthermore as it is difficult to predict customer
volumes and the stickiness of e-deposits (things which could lead either to rapid flows in or out of the bank) it
could be very difficult to manage liquidity.

Of course, these are old risks with which banks and supervisors have considerable experience but they need to
be watchful of old risks in new guises. In particular risk models and even processes designed for traditional
banking may not be appropriate.

Operations risk
Banks face three main types of operations risk:

 volume forecasts

 management information systems and

 outsourcing.

Accurate volume forecasts have proved difficult - One of the key challenges encountered by banks in the Internet
environment is how to predict and manage the volume of customers that they will obtain. Many banks going on-
line have significantly misjudged volumes. When a bank has inadequate systems to cope with demand it may
suffer reputational and financial damage, and even compromises in security if extra systems that are
inadequately configured or tested are brought on-line to deal with the capacity problems.

As a way of addressing this risk, banks should:

 undertake market research,

 adopt systems with adequate capacity and scalability,

 undertake proportionate advertising campaigns, and

 ensure that they have adequate staff coverage and develop a suitable business continuity plan.

In brief, this is a new area, nobody knows all the answers, and banks need to exercise particular caution.

The second type of operations risk concerns management information systems. Again this is not unique to E-
banking. I have seen many banks venture into new areas without having addressed management information
issues. Banks may have difficulties in obtaining adequate management information to monitor their e-service, as
it can be difficult to establish/configure new systems to ensure that sufficient, meaningful and clear information is
generated. Such information is particularly important in a new field like e-banking. Banks are being encouraged
by the FSA to ensure that management have all the information that they require in a format that they understand
and that does not cloud the key information with superfluous details.

Finally, a significant number of banks offering e-banking services outsource related business functions, e.g.
security, either for reasons of cost reduction or, as is often the case in this field, because they do not have the
relevant expertise in-house. Outsourcing a significant function can create material risks by potentially reducing a
bank’s control over that function. Outsourcing is of course neither new nor unmanageable but banks should be
mindful of the FSA’s guidance on outsourcing, which addresses these risks.

Security
Security issues are a major source of concern for everyone both inside and outside the banking industry. E-
banking increases security risks, potentially exposing hitherto isolated systems to open and risky environments.
Both the FSA and banks need to be proactive in monitoring and managing the security threat.

Security breaches essentially fall into three categories; breaches with serious criminal intent (e.g. fraud, theft of
commercially sensitive or financial information), breaches by ‘casual hackers’ (e.g. defacement of web sites or
‘denial of service’ - causing web sites to crash), and flaws in systems design and/or set up leading to security
breaches (e.g. genuine users seeing / being able to transact on other users’ accounts). All of these threats have
potentially serious financial, legal and reputational implications.

Many banks are finding that their systems are being probed for weaknesses hundreds of times a day but
damage/losses arising from security breaches have so far tended to be minor. However some banks could
develop more sensitive "burglar alarms", so that they are better aware of the nature and frequency of
unsuccessful attempts to break into their system.

The most sensitive computer systems, such as those used for high value payments or those storing highly
confidential information, tend to be the most comprehensively secured. One could therefore imply that the greater
the potential loss to a bank the less likely it is to occur, and in general this is the case. However, while banks tend
to have reasonable perimeter security, there is sometimes insufficient segregation between internal systems and
poor internal security. It may be that someone could breach the lighter security around a low value system, e.g. a
bank’s retail web site, and gain entry to a high value system via the bank’s internal network. We are encouraging
banks to look at the firewalls between their different systems to ensure adequate damage limitation should an
external breach occur. As ever though, the greatest threat so far has been from the enemy within – ie your own
employees, contractors and so on.

It is easy to overemphasise the security risks in e-banking. It must be remembered that the Internet could remove
some errors introduced by manual processing (by increasing the degree of straight through processing from the
customer through banks’ systems). This reduces risks to the integrity of transaction data (although the risk of
customers incorrectly inputting data remains). As e-banking advances, focusing general attention on security
risks, there could be large security gains.

So what should banks be doing? Our view is that to deal with these emerging threats effectively, financial
institutions need as a minimum to have:
a strategic approach to information security, building best practice security controls into systems and networks as
they are developed

a proactive approach to information security, involving active testing of system security controls (e.g. penetration
testing), rapid response to new threats and vulnerabilities and regular review of market place developments

sufficient staff with information security expertise

active use of system based security management and monitoring tools

strong business information security controls

These are the issues line supervisors will be raising with their banks as part of their on-going supervision; or, for
new applicants, will need to be given adequate assurances about.

Reputational risks
Finally, with regard to risks, I would mention reputational risk. This is considerably heightened for banks using the
Internet. For example the Internet allows for the rapid dissemination of information which means that any
incident, either good or bad, is common knowledge within a short space of time. Internet rumours can easily
become self-fulfilling prophecies. The speed of the Internet considerably cuts the optimal response times for both
banks and regulators to any incident. Banks must ensure their crisis management, particularly PR, processes are
able to cope with Internet related incidents (whether they be real or hoaxes).

Any problems encountered by one firm in this new environment may affect the business of another, as it may
affect confidence in the Internet as a whole. There is therefore a risk that one rogue e-bank could cause
significant problems for all banks providing services via the Internet. This is a new type of systemic risk and is
causing concern to e-banking providers. Overall, the Internet puts an emphasis on reputational risks. Never
before has the bank’s shop window (ie its site) been so important.

One last reputational risk will be familiar to us all. That is whether the products being sold over the net are being
marketed in such a way that the bank will be protected against future charges of mis-selling. As in the physical,
so in the virtual world. Banks need to be sure that customers’ rights and information needs are adequately
safeguarded and provided for.

International developments
So, these are some of the particular risks arising in E-banking that we have hitherto identified in the UK domestic
environment – though I suspect that many of my regulator colleagues outside the UK would share many of these
views. I would like to move on to the international side.

Supervision in today’s global environment can only ever be effective if it has an international dimension. This is
especially the case with e-banking because of its non-territorial nature, the ease with which customers outside
the home country can access the site and the opportunity to buy several types of product. Of course, regulators
have long had to deal with the regulatory problems of international banking. They had set up mechanisms for
cross-border supervision; agreements over home/host responsibilities (especially within the Community), bilateral
agreement for information sharing and general standards by which they expect all banks, including those
 offshore territories, to abide. In principle, the expectation is that this general mechanism for international
supervision will be robust enough to work just as well in the e-banking as the physical environment.

Nevertheless, it will not be quite as easy as that! Inevitably the nature of e-banking raises particular issues in the
application of the general approach outlined here. E-banking makes it even more necessary to develop a
cohesive international approach to regulation – not only in the field of prudential regulation where Basel has
made much progress, but also in the areas of conduct of business for consumer protection.

The Basel Committee E-Banking Group believes that Basel "should provide the international supervisory
community with a broad set of advisory guidance with respect to electronic banking," thereby providing a basis
for domestic regulation and supporting consumer and industry education. Globally, such guidance would assist
international co-operation and act as a foundation for a coherent approach to supervising e-banking. It could
facilitate international e-banking by creating consumer confidence in sound banks based in different, possibly
less satisfactory, regimes and might dissuade host supervisors from imposing additional, potentially draconian,
regulation on such banks. The Group identified:

 Authorisation,

 prudential standards,

 transparency,

 privacy,

 money laundering, and

 cross border supervision

as issues on which they felt that there is need for further work, both at the analytical and policy level before any
such guidance could be developed. The FSA is involved in the Basel Group and will be contributing to the work,
participating in the drafting of papers and hosting both the group’s next meeting and a roundtable for its members
and a number of European banks and service providers. We welcome any contributions from the industry to this
debate; and have indeed been actively soliciting them.

Cross-border issues
There are also significant cross-border issues.

We foresee difficulties for depositors identifying the jurisdiction within which e-banks offering services in the UK
are based, given the potential absence of physical presence and the ability for e-banks to move to a new
jurisdiction relatively rapidly. These concerns have prompted a considerable amount of debate and analysis in
the international supervisory community. Within Europe home v host state supervision is a particularly important
issue. Banks may tend to seek authorisation wherever the tax, compliance and costs are lowest, as location will
become less of a critical issue since services may easily be provided on a cross-border basis. E-banking is likely
therefore to significantly increase the usage of the 2BCD passport (that is the Community equivalent of your
passport, but for a bank), thereby making it even more crucial that all European regulators undertake supervision
in a satisfactory (and harmonised) manner and that communication between regulators is adequate.

A number of initiatives with implications for home and host state supervision are being discussed, for example
the draft e-commerce and distance marketing directives and the Rome and Brussels conventions. The debate is
far from being resolved and a considerable degree of uncertainty remains. For example within the e-commerce
Directive ‘home’ and ‘host’ have been replaced with ‘home’ and ‘country of origin’, the implications of which are
as yet unclear. The current drafting (agreed at Council) is sufficiently vague to potentially allow numerous
regulators to assert jurisdiction over an Internet service, thereby nullifying the main advantage of the Directive,
home state regulation. However we would expect that a suitable compromise on the point will be worked out so
as to avoid this outcome. Certainly this is what we at the FSA are working towards.

Conclusion
And so in conclusion e-banking creates issues for banks and regulators alike. For our part we will continue our
work, both national and international, to identify and remove any unnecessary barriers to e-banking. For their
part, banks should:

Have a clear and widely disseminated strategy that is driven from the top and takes into account the effects of e-
banking, together with an effective process for measuring performance against it.

Take into account the effect that e-provision will have upon their business risk exposures and manage these
accordingly.

Undertake market research, adopt systems with adequate capacity and scalability, undertake proportional
advertising campaigns and ensure that they have adequate staff coverage and a suitable business continuity
plan.

Ensure they have adequate management information in a clear and comprehensible format.

Take a strategic and proactive approach to information security, maintaining adequate staff expertise, building in
best practice controls and testing and updating these as the market develops. Make active use of system based
security management and monitoring tools.

Ensure that crisis management processes are able to cope with Internet related incidents.

I started my talk today by noting potential benefits as well as the risks in e-banking. I end in the same way.
Certainly there are risks. But there are also opportunities, and significant potential benefits for consumers, banks
and regulators.

We see no problems in principle with mitigating and managing the risks both for new entrants and existing
players. As regulators we need to ensure that our approaches are adequate to deal with the risks without getting
in the way of the innovations and benefits that E-banking brings to firms and consumers. We are very mindful of
this as we develop our rules and guidance but will be looking also to you in the industry to help us to achieve the
right balance.