E-Banking Booklet

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 10:04, 28 April 2007 by Mdpeters (talk | contribs)

E-Banking Risks

Transaction or Operations Risk

Transaction or operations risk arises from fraud, processing errors, system disruptions, or other unanticipated events resulting in the institution’s inability to deliver products or services. This risk exists in each product and service offered. The level of transaction risk is affected by the structure of the institution’s processing environment, including the types of services offered and the complexity of the processes and supporting technology.

In most instances, E-banking activities will increase the complexity of the institution’s activities and the quantity of its transaction/operations risk, especially if the institution is offering innovative services that have not been standardized. Since customers expect E-banking services to be available 24 hours a day, 7 days a week, financial institutions should ensure their E-banking infrastructures contain sufficient capacity and redundancy to ensure reliable service availability. Even institutions that do not consider E-banking a critical financial service due to the availability of alternate processing channels should carefully consider customer expectations and the potential impact of service disruptions on customer satisfaction and loyalty.

The key to controlling transaction risk lies in adapting effective policies, procedures, and controls to meet the new risk exposures introduced by E-banking. Basic internal controls including segregation of duties, dual controls, and reconcilements remain important. Information security controls, in particular, become more significant, requiring additional processes, tools, expertise, and testing. Institutions should determine the appropriate level of security controls based on their assessment of the sensitivity of the information to the customer and to the institution and on the institution’s established risk tolerance level.

Credit Risk

Generally, a financial institution’s credit risk is not increased by the mere fact that a loan is originated through an E-banking channel. However, management should consider additional precautions when originating and approving loans electronically, including assuring management information systems effectively track the performance of portfolios originated through E-banking channels. The following aspects of on-line loan origination and approval tend to make risk management of the lending process more challenging. If not properly managed, these aspects can significantly increase credit risk.

  • Verifying the customer’s identity for on-line credit applications and executing an enforceable contract
  • Monitoring and controlling the growth, pricing, underwriting standards, and ongoing credit quality of loans originated through E-banking channels
  • Monitoring and oversight of third-parties doing business as agents or on behalf of the financial institution (for example, an Internet loan origination site or electronic payments processor)
  • Valuing collateral and perfecting liens over a potentially wider geographic area
  • Collecting loans from individuals over a potentially wider geographic area
  • Monitoring any increased volume of, and possible concentration in, out-of-area lending


Liquidity, Interest Rate, Price/Market Risks

Funding and investment-related risks could increase with an institution’s E-banking initiatives depending on the volatility and pricing of the acquired deposits. The Internet provides institutions with the ability to market their products and services globally. Internet-based advertising programs can effectively match yield-focused investors with potentially high-yielding deposits. But Internet-originated deposits have the potential to attract customers who focus exclusively on rates and may provide a funding source with risk characteristics similar to brokered deposits. An institution can control this potential volatility and expanded geographic reach through its deposit contract and account opening practices, which might involve face-to-face meetings or the exchange of paper correspondence.

The institution should modify its policies as necessary to address the following E-banking funding issues:

  • Potential increase in dependence on brokered funds or other highly rate-sensitive deposits
  • Potential acquisition of funds from markets where the institution is not licensed to engage in banking, particularly if the institution does not establish, disclose, and enforce geographic restrictions
  • Potential impact of loan or deposit growth from an expanded Internet market, including the impact of such growth on capital ratios
  • Potential increase in volatility of funds should E-banking security problems negatively impact customer confidence or the market’s perception of the institution


Compliance/Legal Risk

Compliance and legal issues arise out of the rapid growth in usage of E-banking and the differences between electronic and paper-based processes. E-banking is a new delivery channel where the laws and rules governing the electronic delivery of certain financial institution products or services may be ambiguous or still evolving.

Specific regulatory and legal challenges include:

  • Uncertainty over legal jurisdictions and which state’s or country’s laws govern a specific E-banking transaction
  • Delivery of credit and deposit-related disclosures/notices as required by law or regulation
  • Retention of required compliance documentation for on-line advertising, applications, statements, disclosures and notices
  • Establishment of legally binding electronic agreements


Laws and regulations governing consumer transactions require specific types of disclosures, notices, or record keeping requirements. These requirements also apply to E-banking, and federal banking agencies continue to update consumer laws and regulations to reflect the impact of E-banking and on-line customer relationships.

Some of the legal requirements and regulatory guidance that frequently apply to E-banking products and services include:

  • Solicitation, collection and reporting of government monitoring information on applications and loans, as required by Equal Credit Opportunity Act (Regulation B) and Home Mortgage Disclosure Act (Regulation C) regulations
  • Advertising requirements, customer disclosures, or notices required by the Real Estate Settlement Procedures Act (RESPA), Truth in Lending (Regulation Z), and Truth In Savings (Regulation DD) and Fair Housing regulations
  • Proper and conspicuous display of FDIC or NCUA insurance notices
  • Conspicuous web page disclosures indicating that certain types of investment, brokerage, and insurance products offered have certain associated risks including not being insured by federal deposit insurance (FDIC or NCUA)
  • Customer identification programs and procedures, as well as record retention and customer notification requirements, required by the Bank Secrecy Act
  • Customer identification processes to determine whether transactions are prohibited by the Office of Foreign Asset Control (OFAC) and whether customers appear on any list of known or suspected terrorists or terrorist organizations provided by any government agency
  • Delivery of privacy and opt-out notices by hand, by mail, or with customer acknowledgment of electronic receipt
  • Verification of customer identification, reporting, and record keeping requirements of the Bank Secrecy Act (BSA), including requirements for filing a suspicious activity report (SAR)
  • Record retention requirements of the Equal Credit Opportunity Act (Regulation B) and Fair Credit Reporting Act regulations


Institutions that offer E-banking services, both informational and transactional, assume a higher level of compliance risk because of the changing nature of the technology, the speed at which errors can be replicated, and the frequency of regulatory changes to address E-banking issues. The potential for violations is further heightened by the need to ensure consistency between paper and electronic advertisements, disclosures, and notices. Additional information on compliance requirements for E-banking can be found on the agencies’ websites and in references contained in appendix C.

Strategic Risk

A financial institution’s board and management should understand the risks associated with E-banking services and evaluate the resulting risk management costs against the potential return on investment prior to offering E-banking services. Poor E-banking planning and investment decisions can increase a financial institution’s strategic risk. Early adopters of new E-banking services can establish themselves as innovators who anticipate the needs of their customers, but may do so by incurring higher costs and increased complexity in their operations. Conversely, late adopters may be able to avoid the higher expense and added complexity, but do so at the risk of not meeting customer demand for additional products and services.

In managing the strategic risk associated with E-banking services, financial institutions should develop clearly defined E-banking objectives by which the institution can evaluate the success of its E-banking strategy. In particular, financial institutions should pay attention to the following:

  • Adequacy of management information systems (MIS) to track E-banking usage and profitability
  • Costs involved in monitoring E-banking activities or costs involved in overseeing E-banking vendors and technology service providers
  • Design, delivery, and pricing of services adequate to generate sufficient customer demand
  • Retention of electronic loan agreements and other electronic contracts in a format that will be admissible and enforceable in litigation
  • Costs and availability of staff to provide technical support for interchanges involving multiple operating systems, web browsers, and communication devices
  • Competition from other E-banking providers
  • Adequacy of technical, operational, compliance, or marketing support for E-banking products and services


Reputation Risk

An institution’s decision to offer E-banking services, especially the more complex transactional services, significantly increases its level of reputation risk.

Some of the ways in which E-banking can influence an institution’s reputation include:

  • Loss of trust due to unauthorized activity on customer accounts
  • Disclosure or theft of confidential customer information to unauthorized parties (e.g., hackers)
  • Failure to deliver on marketing claims
  • Failure to provide reliable service due to the frequency or duration of service disruptions
  • Customer complaints about the difficulty in using E-banking services and the inability of the institution’s help desk to resolve problems
  • Confusion between services provided by the financial institution and services provided by other businesses linked from the website