permission should be addressed to the Publisher, John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop, #02-01, Singapore 129809, tel: 65-64632400, fax: 65-64646912, e-mail: email@example.com. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional person should be sought.
Other Wiley Editorial Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester PO19 8SQ, England
John Wiley & Sons (Canada) Ltd, 5353 Dundas Street West, Suite 400, Toronto, Ontario, M9B 6HB, Canada
John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia
Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany
Library of Congress Cataloging-in-Publication Data
ISBN: 978-0-470-82243-2
Wiley Bicentennial Logo: Richard J. Pacifico
Typeset in 10.5 on 13 points, Palatino by SNP Best-set Typesetter Ltd., Hong Kong
Printed in Singapore by Mainland Press Pte Ltd
10 9 8 7 6 5 4 3 2 1
To the memory of my father Kondabagil Sheshappa
List of Figures
List of Tables

PART I: INTRODUCTION TO E-BANKING
Chapter 1
  Evolution of e-banking
  Impact on traditional banking
  E-banking components
  Regulatory approval
Chapter 2
  Other risks
  Risk management challenges
  The five-pillar approach
Chapter 3
Product and Service-specific Risks
  Internet banking
  Aggregation services
  Bill presentment and payment
  Mobile banking
  Weblinking
  Electronic money
  Cross-border transactions
  New products and services

PART II: RISK MANAGEMENT
Chapter 4
Risk Management Framework
  Policies and procedures
  Risk management process
  Operational risk management
  Governance and internal controls
Chapter 5
Risk Management Organization
  Organization structure
  Board and senior management
  Executive risk committee
  IT management
  Internal and external audit
Chapter 6
  Basel Committee on Banking Supervision
  COBIT 4.0
  ISO 17799
  OCTAVE
  COSO – enterprise risk management
  PCI data security standard
  Financial Action Task Force
  Corporate governance codes
  Regulatory guidelines

PART III: INFORMATION SECURITY
Chapter 7
Information Security Management
  Security objectives
  Security controls
  Security risk assessment
  Classification of controls
  Monitoring and testing
  Incident response plan
Chapter 8
  Personnel issues
  Segregation of duties
  Technical issues
  Database management
  Change management
  Backups and off-site storage
  Insurance
  Fraud management
Chapter 9
  Logical access controls
  Identification and authentication
  Authentication methods
  Audit trails
  Network security
  Firewalls
  Malicious code
  Information security incidents

PART IV: OUTSOURCING
Chapter 10
Outsourcing in E-Banking
  Types of outsourcing
  Material outsourcing
  Supervisory approach
  Key risks of outsourcing
  Board and senior management responsibility
  Outsourcing policy
Chapter 11
Managing Outsourced Services
  Outsourcing decisions
  Risk assessment and control
  Service provider due diligence
  Offshoring
  Contingency plans
  Customer service
  Monitoring and audit
Chapter 12
  Contractual provisions
  Right of access clauses
  Termination clause
  Offshoring contracts
  Confidentiality and security clauses
  Business continuity clauses

PART V: BUSINESS CONTINUITY
Chapter 13
Business Continuity Management
  The main drivers
  Board and senior management responsibility
  Components of BCM
  Business impact analysis
  BIA methodologies
  Recovery strategy
Chapter 14
Business Continuity Plan
  Major components of BCP
  Continuity management team
  Recovery procedures
  Resource requirements
  External communications
  Plan maintenance
  Awareness and training
  Testing of BCP
  Testing methods
Chapter 15
Data Centers and Alternate Sites
  Evolution of data centers
  Location of the sites
  Mitigating concentration risk
  Data center design
  Logistics management
  Maintenance procedures
  Alternate site models
  External support
  Business continuity in real life

PART VI: LEGAL AND REGULATORY COMPLIANCE
Chapter 16
  Organization of the compliance function
  Board and senior management responsibility
  Role of regulators
Chapter 17
Major Compliance Issues
  Anti-money laundering
  Know your customer (KYC)
  Suspicious activities
  Privacy of customer information
  Information disclosures
  Customer education

High-level review checklist
List of Figures
  2.1 The five-pillar approach
  4.1 Risk management framework
  4.2 Risk management process
  4.3 Risk management triad
  5.1 Risk management organization structure
  7.1 Information security objectives
  13.1 BCM process

List of Tables
  Common e-banking services
  Examples of e-banking components
  Information sought by regulators for licensing
  Factors influencing strategic risk
  Examples of operational risk
  Factors affecting a bank's reputation
  Key requirements in the risk management process
  Responsibility of key players in risk management
  Responsibilities of the Board and senior management
  Responsibilities of board committees
  Information security challenges
  Security objectives and control measures
  Outline of information security policy
  Effects of malicious code
  Outsourcing examples
  Factors to determine the materiality of an outsourced activity
  Outline of an outsourcing policy
  Due diligence parameters for outsourcing
  Confidentiality and security clauses in outsourcing contracts
  Potential threats to business continuity
  Illustrative questionnaire for impact analysis
  Illustrative list of critical functions
  Intensity levels of disruption
  Responsibilities of CMT
  Triggers for unscheduled maintenance of the BCP
  BCP testing parameters
  Broad objectives of anti-money-laundering measures
  Security-related instructions to customers
Banking has traditionally been built on the branch-banking model. The unprecedented speed of technological changes over the last two decades has changed the way banking has been done over centuries. Technology has offered tremendous opportunities to banks to surmount geographical, commercial, and demographic barriers; and to deliver products and services at virtually zero marginal cost combined with unbounded reach. The success of a bank is now determined by its ability to deliver innovative products and services, and to provide remote access in a technologically advanced way that meets the changing needs of the customer. We now have a variety of delivery channels from ATMs and the Internet to mobile banking – collectively termed "electronic banking." However, this has carried risks as well as benefits. Some of the traditional risks associated with banking activities such as strategic, operational, legal, and reputational risks have been modified and heightened for banks providing electronic banking services. This has influenced the overall risk profile of banking. It has become all the more critical now for banks to have flexible and responsive operating processes, as well as sound and robust risk management systems that recognize, address and manage these risks in a prudent manner according to the basic characteristics and challenges of e-banking services.
WHY THIS BOOK? Risk management is not a new concept or challenge for banks. Banks have traditionally adopted risk mitigation measures, but the focus has
generally been on financial risks such as credit, market, interest rates, and liquidity. Non-financial risks such as strategic, operational, compliance, and reputational risks have received only a cursory treatment, more as a need to meet legal and regulatory requirements. The increased share of e-banking activities as a percentage of revenue and volume of business, and the consequent demands, especially on ICT infrastructure, has forced many a bank management to wake up and have another look at its risk management practices. The Basel Committee on Banking Supervision has been working on this aspect for more than a decade, and its latest report, Risk Management Principles for Electronic Banking, issued in July 2003, is a significant step in activating regulators around the world to take notice of the need to treat e-banking risks on a separate platform. A flood of regulatory guidelines has supplemented this in the last two years. This book is a pioneering effort to provide a conceptual framework for the management of risks in an electronic banking environment, supplemented by an overview of sound practices based on international standards and guidelines on risk management. Basel II has introduced explicit capital adequacy requirements for operational risk in the new accord. With Basel II capital adequacy norms due for implementation across the world (different countries have set different deadlines starting from this year), there is an increasing interest and regulatory focus on operational risk management. As electronic banking forms a major component of operational risk, Risk Management in Electronic Banking is presented at the most appropriate time.
ORGANIZATION OF THE BOOK
This publication follows and recommends a five-pillar approach for the management of risks in an electronic banking environment:
  Pillar I: Risk management framework
  Pillar II: Information security management
  Pillar III: Outsourcing management
  Pillar IV: Business continuity management
  Pillar V: Legal and regulatory compliance.
Introduction to E-Banking
The introductory part provides an overview of e-banking and associated risks, and lays the foundation for the rest of the book. Chapter 1 traces the evolution of electronic banking and its impact on traditional banking, followed by an overview of e-banking components and the regulatory approval process. Chapter 2 contains a discussion on strategic, operational, compliance, reputational, and other risks in an e-banking environment. The product and service-speciﬁc risks, such as those relating to Internet banking, aggregation services, bill presentment and payment, mobile banking, and cross-border transactions are covered in Chapter 3.
Risk Management
The conceptual framework for the management of electronic banking risks is covered in this part. Chapter 4 details the adaptation of the generic risk management model to an electronic banking environment. Chapter 5 provides a detailed analysis of the risk management organization with associated roles and responsibilities. Chapter 6 gives an overview of the international standards, guidelines, and sound practices.
Information Security
Trust and security have always been an essential feature of the banking system. Information security management is today an essential business requirement in view of the capture, transmission, processing, and storage of data in digitized forms over open networks. Recent regulatory requirements related to information security and internal control magnify these concerns. The different components of information security management are discussed in Chapter 7, while Chapters 8 and 9 deal with the operational and technical controls to be built under the security management framework.
Outsourcing
Outsourcing and third-party dependencies have become an integral part and the most critical component of the electronic banking schematics of banks. The range and the relative complexity of these outsourced activities are increasing and so are the risks. The key risks in outsourcing, Board and management responsibility, sound practices for managing outsourced services, and outsourcing contracts are dealt with in this part.
Business Continuity
This part provides a conceptual framework for the business continuity management (BCM) function and each component of BCM is discussed in detail. Chapter 14 gives a detailed method to develop a business continuity plan (BCP). Chapter 15 is devoted to data centers in view of the critical role they are playing in e-banking schematics.
Legal and Regulatory Compliance
This part deals with the legal and regulatory compliance requirements applicable for an electronic banking environment. Chapter 16 deals with the organization of the compliance function, the roles of the Board and senior management, and the regulators in the compliance function. The last chapter discusses major compliance issues, including measures to ensure privacy of customer information and anti-money laundering, and the importance of information disclosures and customer education. To increase the practical utility of Risk Management in Electronic Banking, case studies based on some of the most recently reported events have been included. The high-level review checklist provided at the end of the book will facilitate a quick management review of the status of risk management in banks providing electronic banking services. The glossary and acronyms of the relevant terms used, and a list of references, are also appended.
INTENDED AUDIENCE
Risk management has moved up the organizational ladder and is more of a management than a technical issue. It is a multidisciplinary function with roles and responsibilities associated with all sections of personnel in a bank. Keeping this in mind, the technical jargon has been kept to the bare minimum. Risk Management in Electronic Banking is aimed at central bankers, Board members, the senior management of banks, senior managers with risk management responsibilities, operational risk managers, IT management in banks, senior operations staff, auditors and compliance officers, technology service providers, and risk management consultants. Researchers and academics working in the risk management area and students of banking-related courses will find this an informative reference book.
AN EXPLANATORY NOTE
There are significant differences with regard to the functions of the Board of Directors and senior management across countries, dependent on the corporate governance codes and regulations applicable for the particular legal or regulatory jurisdiction. For example, the US "board of directors" has functional similarities with the "supervisory boards" in Germany, whereas the functions of a German "management board" are akin to senior management functions. Owing to these differences, without going into the legalities, the terms Board of Directors and senior management are used in this book only to identify the two distinct decision-making functions within a bank: the former with the main function of supervising the executive body comprising senior management and general management, and the latter with executive functions. Likewise there are differences in the supervisory structure across jurisdictions. Some central banks perform both regulatory and supervisory functions. In some countries the regulatory and supervisory functions are divided among two or more agencies. For the sake of consistency the term regulator is used throughout the book.
I would like to acknowledge the contribution of my professional colleagues U.M. Kamath, B.M. Tambakad, and B.K. Bhat for their valuable suggestions. I would also like to thank the Basel Committee on Banking Supervision for granting permission to use text from their publications. The publication of this book would not have been possible without the interest shown in my proposal and the assistance rendered by Nick Wallwork and his able team at Wiley. My special thanks are due to Fiona Wong, Janis Soo, and Edward Caruso. Finally, I would like to note the support of my family: my wife Saroja and our twin daughters Kavya and Kruthi. Thanks also to our son Karthik who prepared the diagrams used in the book. Any comments, suggestions, and inadvertent inaccuracies that are entirely my responsibility can be sent to me at firstname.lastname@example.org.
Risk Management in Electronic Banking is a comprehensive study of the concepts and best practices in electronic banking. It fills a badly needed global requirement for not only bankers but also all users of electronic banking. The book gives an excellent review of the wide scope of electronic banking on traditional banking and business methods. It then delves into the risks inherent in e-banking, including strategic, operational, compliance, reputational, and others. The author's five-pillar approach used to manage risks gives practitioners a structured foundation with each of the five pillars covered in the book. Of particular interest are the sections on outsourcing management and business continuity management. In the chapter on product and service-specific risks, the sections on transactional websites and aggregation services cover those new and unique e-banking requirements. Top management will be particularly interested in reading the section on business continuity. IT managers will want to study the section on data centers and alternate sites. Compliance managers will want to read the Compliance Function section. The High-level Review Checklist and Glossary at the end of the book are also particularly useful. Jayaram Kondabagil has produced an excellent work that will be the key reference for anyone involved in electronic banking.
Mark Mobius
Managing Director
Templeton Asset Management Ltd
EVOLUTION OF E-BANKING
Banks are deemed to be the early users of technology and the main drivers of technological revolution. The first applications of the computer age within banking were the use of mainframes, and later minicomputers, to process data such as customer accounts, bank inventories, personnel records, and accounting packages that ultimately evolved into spreadsheets. The use of technology was as a support tool for banking operations, helping staff to do their work faster, more conveniently, and with fewer human errors. The idea of direct customer services was less clear, but the first ATM (automated teller machine) came into commercial use in 1968. ATMs were the first visible face of electronic banking. From being mere currency dispensers they have now evolved into multifunctional devices enabling customers to conduct a whole range of transactions from account management, funds transfer, to bill payments. It took nearly 16 years for the first 100,000 ATMs to be operational, whereas the next 100,000 were in place in a mere four years. The day of smart ATMs that use biometrics to recognize customers and cross-sell financial products with a fair knowledge of the investment and purchasing preferences of customers is not far off. The next step in providing direct customer service came with the extended use of debit and credit cards in merchants' shops through EPOS (electronic point of sale) technology. Electronic funds transfer was another application where technology was used extensively, mainly to cut down on costs and to speed up payments. This led to the development of specialized products like corporate cash management systems.
Risk Management in Electronic Banking
The proliferation of the Internet gave a real boost to electronic banking and moved banking services from back-end applications to customer-centric front ends. The open networked environment provided instant global access to information, products, and services, so now the customers could bank from the comfort of their homes. It is estimated that as at March 2007 about 16.9% of the world's population are Internet users. Globally, the number of broadband subscribers by the end of 2006 was estimated to be about 281 million and is expected to cross 400 million by 2010, underlining the potential. The developments in Internet technology have led to the development of new products such as aggregation services, bill presentment and payment, and personalized financial portals. The advances in telecommunication technology have helped the development of a new facet of electronic banking; namely, mobile banking. Wireless is estimated to be growing at more than three times the rate of landlines globally. With the number of connections estimated at 2.6 billion as at the end of 2006, and expected to cross 4 billion by 2010, mobile banking is set to become a major delivery channel. An indicative list of common e-banking services is provided in Table 1.1 below.
TABLE 1.1 Common e-banking services
  Financial information news
  Product and service information
  Branch and ATM locators
  Account management
  Cash management
  Business-to-business payments
  New account opening
  Employee benefits administration
  Pension administration
  Insurance
  Depository services
  Person-to-person payments
  Interest rates and currency rates
  Promotions and cross-selling
  Helpline information
  Bill payment and presentment
  Funds transfer to different accounts
  Consumer/commercial wire transfers
  Investment/brokerage services
  Loan application and approval
  Account aggregation
  Credit cards
This is only an indicative list, and the services and products are of varied complexity.
IMPACT ON TRADITIONAL BANKING
Banking has traditionally been built on the branch-banking model with two basic competitive advantages; namely, a brand name and customer relationships. The speed of change and advancements in information technology (IT) have brought changes to the way banking has been done for centuries and will continue to influence future banking trends. The nature of distribution channels has changed dramatically. Today the competition in the banking sector is determining the success of a bank by its ability to deliver innovative products and services in a technologically advanced way that meets the changing needs of the customer. Some of the perceptible changes are as follows.
Changing Customer Profile
Previously customers changed banks only in extreme circumstances. Now they can do so at the click of a mouse. A comparison by customers of the products and services offered by the different banks is facilitated by the easy availability of information on the Internet. This enables customers to shop around for the best offer. Further, the costs of switching are lower in the case of electronic banking, which could reduce customer loyalty and compel them to buy the most attractive product from each bank. On the darker side there is information overload. Many a time, customers are confused as to whom they are dealing with and on what terms. They have also become more vulnerable to scams and frauds.
Market Transparency
The market has become more transparent due to the easy availability of information. This means that banks are obtaining more information about the product ranges of the competitors as soon as they are launched. New innovative products are being copied more rapidly, thereby accelerating product standardization and commoditization.
Cross-selling
The availability of information about customer banking trends and preferences gives banks the potential to cross-sell other financial products and services. Many major banks have for some time now recognized this and they are in fact no longer in the business of banking, defined to be the provision of loans and advances, deposits, and transaction payment services. They are instead in the business of financial services, providing an integrated and one-stop package of services comprising life and general insurance, mutual funds, stock-broking, depository services, housing finance, and the like.
Brand Names
The importance of banking brand names is increasing. In an e-banking environment where personal contact is limited and where products and services can be copied rapidly, the brand name is an instrument with which banks can distinguish themselves from their competitors. A number of banks have already set up subsidiaries for providing e-banking services under a new brand name or under the name of the parent bank.
Transaction Costs
E-banking transactions are much cheaper than transactions conducted at the branch. Recent estimates indicate direct costs of a banking transaction effected through branch, ATM, and the Internet to be $1.27, $0.27, and $0.01 respectively. This has turned yesterday's competitive advantage of a large branch network into a comparative disadvantage for many banks.
Branches
There were many doomsday prophecies about the gradual demise of branches. But branches have again bounced back into the strategic plans of the banks, though with decreased numbers and a structural change. Some activities – like personal banking services, direct enquiries, processing loan requests, and financial advice – require the individual attention of a professional bank manager and are better handled at the local branch level.
Internet-only Banks
Pure Internet banks created a lot of euphoria a couple of years back. Their market share is still very small and many have been forced out of the market. The main reasons are the online privacy and security fears of consumers, the lack of human interaction, and the lack of trust due to the dotcom debacle. The advent of the electronic banking era was set to be the most fundamental transformation ever faced by the industry. In days to come technology will be used to maximize revenues rather than to minimize costs, and electronic banking services will be complementary to, rather than a substitute for, branches. In the long run, traditional elements such as branding, customer loyalty, physical locations, people, and cultures will continue to matter in determining which banks succeed in the electronic age.
E-BANKING COMPONENTS
The role of technology in supporting the e-banking function has become increasingly complex. IT operations traditionally housed in a computer data center with user connections through terminals have become more dynamic and include distributed environments, integrated applications, telecommunication options, Internet connectivity, and an array of computer operating platforms. As the complexity of technology has grown, banks have increased their reliance on vendors, partners, and other third parties for a variety of technology solutions and services. Normally the two alternatives are:
• One or more technology service providers host the e-banking application and numerous network components, including the institution's website, Internet banking server, and firewall and intrusion detection system. While the institution does not have to manage the daily administration of these component systems, its Board and senior management remain responsible for the content, performance, and security of the e-banking system.
• The institution hosts all or a larger portion of its e-banking system internally. The core processing system of the institution is directly linked to the Internet through the components mentioned above. The system administration responsibility rests with the institution.
The overall system configuration adopted for the various components of an e-banking system is a combination of internal and outsourced solutions. The potential components and processes seen in a typical institution, which work together to deliver e-banking services, are given in Table 1.2 below. The final configuration depends on a number of factors:
• the strategic objectives of e-banking
• the scope, scale, and complexity of equipment, systems, and activities
• technology expertise
• security and internal control requirements.
TABLE 1.2 Examples of e-banking components (operational processes and ICT infrastructure)
  For different products and services offered; for example, net-banking and aggregation services
  Servers for net-banking, email, and internal networks
  Communication systems
  Storage area networks (SAN)
  Item processing equipment such as MICR coders
  ATMs
  Operating systems
  Core banking processing system
  E-banking applications such as bill pay
  Automated decision-support systems
  System performance monitoring
  Intrusion detection systems
  Programming support
  Network administration
  Security management
  Firewall configuration and management
  Configuration management
  Website design and hosting
  Disaster recovery services
Technical configurations become more complex in tune with the advancements in technology, and many specialized service providers enter the market catering to specific aspects of e-banking operations.
REGULATORY APPROVAL
Banks wishing to provide or enhance existing transactional electronic banking services should normally seek prior approval from the regulators in the countries where they intend to provide such services. The Basel Committee on Banking Supervision report, Core Principles Methodology, issued in October 2006, has enunciated the following principle with regard to licensing criteria.

Principle 3.9: Licensing criteria
The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.