
Comptroller of the Currency
Administrator of National Banks

Electronic Banking: Industry Developments, Risks and OCC Regulatory Activities

Prepared for ABA USBanking 2002 by the Bank Technology Division of the Office of the Comptroller of the Currency

January 2002

The OCC is an independent bureau of the Department of Treasury and is the federal regulator of approximately 2,200 national banks.
Technology Developments

• Advances in communications provide networked global access to information and delivery of products/services
  – Internet has reached critical mass (60% of U.S. households)
  – Some banks have 25 percent of customers banking online
• Increased competition from other industries and abroad
• Greater reliance on third party providers
• Advances in technology make the component functions of banking more easily divisible
Growth in Number of National Banks that Have Transactional Websites

Date         Share of national banks with transactional websites
Sep-99       21%
Jul-00       32%
Dec-00       37%
YTD Mar-01   41%
Jun-01       44%

Source: Office of the Comptroller of the Currency. “Transactional web sites” are defined as bank web sites that allow customers to transact business. This may include accessing accounts, transferring funds, applying for a loan, establishing an account, or performing more advanced activities.
Technology-based Banking Products & Services

• Balance inquiry
• Transaction information
• Funds transfer
• Cash Management transactions
• Bill payment
• Bill presentment
• Loan applications
• Aggregation
• Electronic Finder
• Automated clearinghouse (ACH)
• Internet Payments
• Wireless Banking
• Certification Authority
• Stored Value
• Data Storage
Key Technology Risks

• Vendor Risk Issues
• Security, Data Integrity, and Confidentiality
• Authentication, Identity Verification, and Authorization
• Strategic and Business Risks
• Business Continuity Planning
• Permissibility, Compliance, Legal Issues, and Computer Crimes
• Cross Border and International Banking
Outsourcing Trends

• TowerGroup estimates banks outsource over 85% of their information technology
• Rapid pace straining ability to oversee third parties
• Consolidation of tech. companies and core processors
• Weak or negative earnings of new tech providers
• Banks are postponing new technology investments, but still investing in proven technologies
Outsourcing Guidance

• FFIEC Guidance on Risk Management of Outsourced Technology Services (November 2000)
• Key elements of the risk management process:
  – Risk assessment
  – Due diligence in selecting service provider
  – Contract requirements
  – Oversight of service provider
• Regardless of the decision to outsource, the bank remains ultimately responsible.
Security and Privacy

• Increases in security events and vulnerabilities
• According to the 2001 FBI/CSI survey, 70% reported that the Internet is the point of cyber attacks, up from 59% in 2000
• The Gramm-Leach-Bliley Act of 1999 requires banks to establish administrative, technical & physical safeguards to protect the privacy of customers’ nonpublic records and information
Reported Security Incidents & Vulnerabilities

Unauthorized Activity Incidents Increasing

Year   Reported incidents
1995   2,412
1996   2,573
1997   2,134
1998   3,734
1999   9,859
2000   21,756
2001   52,658

Number of New Systems Vulnerabilities (2001 is 3Q 2001 annualized)

Year   New vulnerabilities
1995   171
1996   345
1997   311
1998   262
1999   417
2000   1,090
2001   2,275

Source: CERT/CC -- statistics are not limited to the banking industry and include all reported incidents.
Key Elements of Security Program

• Reviewing physical and logical security:
  – Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlled
  – Seek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized access
  – Maintain knowledge of current threats facing the bank and the vulnerabilities to systems
  – Assess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best practice levels
Key Elements of Security Program (cont’d)

• Reviewing physical and logical security (cont’d):
  – Verify the identity of new employees, contractors, or third parties accessing your systems or facilities. If warranted, perform background checks.
  – Evaluate whether physical access to all facilities is adequate.
  – Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.
Authentication

• Reliable customer authentication is imperative for E-banking
• Effective authentication can help banks reduce fraud, reputation risk, and disclosure of customer information, and promote the legal enforceability of their electronic agreements
• Methods to authenticate customers:
  – Passwords & PINs
  – Digital certificates & PKI
  – Physical devices such as tokens
  – Biometric identifiers
Strategic and Reputation Risks

• Uncertain pace of change and evolving standards (e.g., “bricks and clicks” more successful than internet-only model)
• First mover (“bleeding edge”) vs. wait and see (permanently lose market share)
• Struggle to retain customers in face of intense competition
• Inadequate oversight of third party providers
Business Continuity Planning

• The 9/11 events, anthrax-laced mail, and NIMDA virus underscore the importance of robust business continuity planning.
• Steps to consider when reviewing business continuity plans:
  – Identify primary and secondary facilities in high profile or vulnerable locations and develop plans to mitigate undue risk exposure.
  – Ensure business continuity plans are coordinated and communicated on a corporate-wide basis with clear expectations.
Business Continuity Planning (cont’d)

  – Strengthen data backup and recovery site arrangements, as warranted, to ensure adequate off-site storage of back-up records and sufficient distance from primary operations.
  – Review succession plans for key employees and delegations of authority in the event of a crisis.
  – Review community’s incident response plans and work with local governments to identify enhancements.
  – Analyze key customers and service providers for exposure to terrorist activities including high profile industries or facilities (e.g., power companies, refineries, airlines, telecommunications providers), then assess the adequacy of their business continuity planning process.
  – Test plans on a regular basis, evaluate results and update plans.
Permissibility, Legal, and Compliance Issues

• Technology raises legal issues
  – Permissible?
  – Applicability of state and foreign laws?
  – Validity of electronic agreements?
• Technology creates consumer compliance issues
  – Electronic disclosures delivery
  – Weblinking, customer confusion, and liability
  – RESPA and fee income from weblinking
  – CRA and fair lending issues
  – Reg. E application to aggregation services
Computer Crime

• Internet banking and payment systems may allow for new ways to conduct illegal and fraudulent activities
  – Unauthorized access to deny service or re-direct a website
  – Identity theft resulting in unauthorized or illegal use of account information
  – Money laundering
  – Phony Internet banks
Cross Border and International E-Banking

• Information revolution around the globe and borderless reach of the Internet
• Increase in global partnerships/alliances
• Risks to U.S. banks from cross border E-banking without adequate due diligence
  – Unlicensed activities?
  – Understanding application of local prudential and customer protection laws & regulations?
  – Expertise?
• Risks to U.S. consumers of dealing with foreign Internet banks
Cross Border and International E-Banking (cont’d)

• Basel Committee’s Electronic Banking Group (EBG)
  – Chaired by Comptroller Hawke
  – Published studies on e-banking risk and risk management issues in 1998, 2000 & 2001, available at www.bis.org or www.occ.treas.gov
  – Developing guidance on cross border e-banking risks and aggregation
  – Coordinate international e-banking supervision efforts
  – Information sharing and training
• OCC developing guidance on cross border Internet banking risks
Key Findings of Successful E-banking Exams

• Active vendor management
• Ongoing board involvement
• Sufficient technical expertise
• Proactive network security that effectively prevents, detects, and responds to intrusions
• Strong authentication practices
• Encrypted communications
• Periodic compliance and legal reviews
• Appropriate backup and recovery
OCC Technology Risks Supervision Program

• Guidance -- focus on risk analysis, measurement, controls, and monitoring
• Risk-based examinations of banks and third party service providers (as authorized by the Bank Service Company Act of 1962)
  – On-site and quarterly reviews
  – Focus on safety and soundness
  – Reviews of banks with transactional web sites and E-banking service providers
• Training and Technology Integration Project
• External outreach and co-ordination
• Licensing process for Internet-primary banks and novel activities
Questions?

Please contact John Carlson, Senior Advisor for Bank Technology, OCC
E-mail: John.Carlson@occ.treas.gov
Telephone: (202) 874-5013

Additional Information is available on the OCC Website: www.occ.treas.gov
