Online Banking


E-Banking

DEFINITION OF E-BANKING
E-banking is defined as the automated delivery of new and traditional banking
products and services directly to customers through electronic, interactive
communication channels. E-banking includes the systems that enable financial
institution customers, individuals or businesses, to access accounts, transact
business, or obtain information on financial products and services through a public
or private network, including the Internet. Customers access e-banking services
using an intelligent electronic device, such as a personal computer (PC), personal
digital assistant (PDA), automated teller machine (ATM), kiosk, or Touch Tone
telephone. While the risks and controls are similar for the various e-banking access
channels, this booklet focuses specifically on Internet-based services due to the
Internet’s widely accessible public network.
INFORMATIONAL WEBSITES
Informational websites provide customers access to general information about the
financial institution and its products or services. Risk issues examiners should
consider when reviewing informational websites include:
Potential liability and consumer violations for inaccurate or incomplete
information about products, services, and pricing presented on the website;
Potential access to confidential financial institution or customer information
if the website is not properly isolated from the financial institution’s internal
network;
Potential liability for spreading viruses and other malicious code to computers
communicating with the institution’s website; and
Negative public perception if the institution’s on-line services are disrupted or
if its website is defaced or otherwise presents inappropriate or offensive
material.

TRANSACTIONAL WEBSITES
Transactional websites provide customers with the ability to conduct transactions
through the financial institution’s website by initiating banking transactions or
buying products and services. Banking transactions can range from something as
basic as a retail account balance inquiry to a large business-to-business funds
transfer. E-banking services, like those delivered through other delivery channels,
are typically classified based on the type of customer they support. The following
table lists some of the common retail and wholesale e-banking services offered by
financial institutions.
Table 1: Common E-Banking Services
Retail Services:
Account management
Bill payment and presentment
New account opening
Consumer wire transfers
Investment/Brokerage services
Loan application and approval
Account aggregation
Wholesale Services:
Account management
Cash management
Small business loan applications, approvals, or advances
Commercial wire transfers
Business-to-business payments
Employee benefits/pension administration
Since transactional websites typically enable the electronic exchange of
confidential customer information and the transfer of funds, services provided
through these websites expose a financial institution to higher risk than basic
informational websites. Wholesale e-banking systems typically expose financial
institutions to the highest risk per transaction, since commercial transactions
usually involve larger dollar amounts. In addition to the risk issues associated with
informational websites, examiners reviewing transactional e-banking services
should consider the following issues:
Security controls for safeguarding customer information;
Authentication processes necessary to initially verify the identity of new
customers and authenticate existing customers who access e-banking
services;
Liability for unauthorized transactions;
Losses from fraud if the institution fails to verify the identity of individuals or
businesses applying for new accounts or credit on-line;
Possible violations of laws or regulations pertaining to consumer privacy,
anti-money laundering, anti-terrorism, or the content, timing, or delivery of
required consumer disclosures; and
Negative public perception, customer dissatisfaction, and potential liability
resulting from failure to process third-party payments as directed or within
specified time frames, lack of availability of on-line services, or unauthorized
access to confidential customer information during transmission or storage.

E-BANKING COMPONENTS
E-banking systems can vary significantly in their configuration depending on a
number of factors. Financial institutions should choose their e-banking system
configuration, including outsourcing relationships, based on four factors:
Strategic objectives for e-banking;
Scope, scale, and complexity of equipment, systems, and activities;
Technology expertise; and
Security and internal control requirements.
Financial institutions may choose to support their e-banking services internally.
Alternatively, financial institutions can outsource any aspect of their e-banking
systems to third parties. The following entities could provide or host (i.e., allow
applications to reside on their servers) e-banking-related services for financial
institutions:
Another financial institution,
Internet service provider,
Internet banking software vendor or processor,
Core banking vendor or processor,
Managed security service provider,
Bill payment provider,
Credit bureau, and
Credit scoring company.

E-banking systems rely on a number of common components or processes. The
following list includes many of the potential components and processes seen in a
typical institution:
Website design and hosting,
Firewall configuration and management,
Intrusion detection system or IDS (network and host-based),
Network administration,
Security management,
Internet banking server,
E-commerce applications (e.g., bill payment, lending, brokerage),
Internal network servers,
Core processing system,
Programming support, and
Automated decision support systems.
These components work together to deliver e-banking services. Each component
represents a control point to consider.
Through a combination of internal and outsourced solutions, management has
many alternatives when determining the overall system configuration for the
various components of an e-banking system. However, for the sake of simplicity,
this booklet presents only two basic variations. First, one or more technology
service providers can host the e-banking application and numerous network
components as illustrated in the following diagram. In this configuration, the
institution’s service provider hosts the institution’s website, Internet banking
server, firewall, and intrusion detection system. While the institution does not have
to manage the daily administration of these component systems, its management
and board remain responsible for the content, performance, and security of the e-
banking system.
Second, the institution can host all or a large portion of its e-banking systems
internally. A typical configuration for in-house hosted, e-banking services is
illustrated below. In this case, a provider is not between the Internet access and the
financial institution’s core processing system.

E-BANKING SUPPORT SERVICES


In addition to traditional banking products and services, financial institutions can
provide a variety of services that have been designed or adapted to support e-
commerce. Management should understand these services and the risks they pose
to the institution. This section discusses some of the most common support
services: Weblinking, account aggregation, electronic authentication, website
hosting, payments for e-commerce, and wireless banking activities.

WEBLINKING
A large number of financial institutions maintain sites on the World Wide Web.
Some websites are strictly informational, while others also offer customers the
ability to perform financial transactions, such as paying bills or transferring funds
between accounts.
Virtually every website contains “weblinks.” A weblink is a word, phrase, or
image on a webpage that contains coding that will transport the viewer to a
different part of the website or a completely different website by just clicking the
mouse. While weblinks are a convenient and accepted tool in website design, their
use can present certain risks. Generally, the primary risk posed by weblinking is
that viewers can become confused about whose website they are viewing and who
is responsible for the information, products, and services available through that
website. There are a variety of risk management techniques institutions should
consider using to mitigate these risks. These risk management techniques are for
those institutions that develop and maintain their own websites, as well as
institutions that use third-party service providers for this function. The agencies
have issued guidance on weblinking that provides details on risks and risk
management techniques financial institutions should consider.

ACCOUNT AGGREGATION
Account aggregation is a service that gathers information from many websites,
presents that information to the customer in a consolidated format, and, in some
cases, may allow the customer to initiate activity on the aggregated accounts. The
information gathered or aggregated can range from publicly available information
to personal account information (e.g., credit card, brokerage, and banking data).
Aggregation services can improve customer convenience by avoiding multiple log-
ins and providing access to tools that help customers analyze and manage their
various account portfolios. Some aggregators use the customer-provided user IDs
and passwords to sign in as the customer. Once the customer’s account is accessed,
the aggregator copies the personal account information from the website for
representation on the aggregator’s site (i.e., “screen scraping”). Other aggregators
use direct data-feed arrangements with website operators or other firms to obtain
the customer’s information. Generally, direct data feeds are thought to provide
greater legal protection to the aggregator than does screen scraping.
Financial institutions are involved in account aggregation both as aggregators and
as aggregation targets. Risk management issues examiners should consider when
reviewing aggregation services include:
Protection of customer passwords and user IDs – both those used to access
the institution’s aggregation services and those the aggregator uses to retrieve
customer information from aggregated third parties – to assure the
confidentiality of customer information and to prevent unauthorized activity,
Disclosure of potential customer liability if customers share their
authentication information (i.e., IDs and passwords) with third parties, and
Assurance of the accuracy and completeness of information retrieved from
the aggregated parties’ sites, including required disclosures.
Additional information regarding management of risks in aggregation services can
be found in appendix D.

ELECTRONIC AUTHENTICATION
Verifying the identities of customers and authorizing e-banking activities are
integral parts of e-banking financial services. Since traditional paper-based and in-
person identity authentication methods reduce the speed and efficiency of
electronic transactions, financial institutions have adopted alternative
authentication methods, including:
Passwords and personal identification numbers (PINs),
Digital certificates using a public key infrastructure (PKI),
Microchip-based devices such as smart cards or other types of tokens,
Database comparisons (e.g., fraud-screening applications), and
Biometric identifiers.
The authentication methods listed above vary in the level of security and reliability
they provide and in the cost and complexity of their underlying infrastructures. As
such, the choice of which technique(s) to use should be commensurate with the
risks in the products and services for which they control access. Additional
information on customer authentication techniques can be found in this booklet
under the heading “Authenticating E-Banking Customers.”
The Electronic Signatures in Global and National Commerce (E-Sign) Act
establishes some uniform federal rules concerning the legal status of electronic
signatures and records in commercial and consumer transactions so as to provide
more legal certainty and promote the growth of electronic commerce. The
development of secure digital signatures continues to evolve with some financial
institutions either acting as the certification authority for digital signatures or
providing repository services for digital certificates.

WEBSITE HOSTING
Some financial institutions host websites for both themselves as well as for other
businesses. Financial institutions that host a business customer’s website usually
store, or arrange for the storage of, the electronic files that make up the website.
These files are stored on one or more servers that may be located on the hosting
financial institution’s premises. Website hosting services require strong skills in
networking, security, and programming. The technology and software change
rapidly. Institutions developing websites should monitor the need to adopt new
interoperability standards and protocols such as Extensible Mark-Up Language
(XML) to facilitate data exchange among the diverse population of Internet users.
Risk issues examiners should consider when reviewing website hosting services
include damage to reputation, loss of customers, or potential liability resulting
from:
Downtime (i.e., times when website is not available) or inability to meet
service levels specified in the contract,
Inaccurate website content (e.g., products, pricing) resulting from actions of
the institution’s staff or unauthorized changes by third parties (e.g., hackers),
Unauthorized disclosure of confidential information stemming from security
breaches, and
Damage to computer systems of website visitors due to malicious code (e.g.,
virus, worm, active content) spread through institution-hosted sites.

PAYMENTS FOR E-COMMERCE


Many businesses accept various forms of electronic payments for their products
and services. Financial institutions play an important role in electronic payment
systems by creating and distributing a variety of electronic payment instruments,
accepting a similar variety of instruments, processing those payments, and
participating in clearing and settlement systems. However, increasingly, financial
institutions are competing with third parties to provide support services for e-
commerce payment systems. Among the electronic payments mechanisms that
financial institutions provide for e-commerce are automated clearing house (ACH)
debits and credits through the Internet, electronic bill payment and presentment,
electronic checks, e-mail money, and electronic credit card payments. Additional
information on payments systems can be found in other sections of the IT
Handbook.
Most financial institutions permit intrabank transfers between a customer’s
accounts as part of their basic transactional e-banking services. However, third-
party transfers – with their heightened risk for fraud – often require additional
security safeguards in the form of additional authentication and payment
confirmation.

Bill Payment and Presentment


Bill payment services permit customers to electronically instruct their financial
institution to transfer funds to a business’s account at some future specified date.
Customers can make payments on a one-time or recurring basis, with fees typically
assessed as a “per item” or monthly charge. In response to the customer’s
electronic payment instructions, the financial institution (or its bill payment
provider) generates an electronic transaction – usually an automated clearinghouse
(ACH) credit – or mails a paper check to the business on the customer’s behalf. To
allow for the possibility of a paper-based transfer, financial institutions typically
advise customers to make payments effective 3–7 days before the bill’s due date.
Internet-based cash management is the commercial version of retail bill payment.
Business customers use the system to initiate third-party payments or to transfer
money between company accounts. Cash management services also include
minimum balance maintenance, recurring transfers between accounts and on-line
account reconciliation. Businesses typically require stronger controls, including the
ability to administer security and transaction controls among several users within
the business.
This booklet discusses the front-end controls related to the initiation, storage, and
transmission of bill payment transactions prior to their entry into the industry’s
retail payment systems (e.g., ACH, check processing, etc.). The IT Handbook’s
“Retail Payments Systems Booklet” provides additional information regarding the
various electronic transactions that comprise the back end for bill payment
processing. The extent of front-end operating controls directly under the financial
institution’s control varies with the system configuration. Some examples of
typical configurations are listed below in order of increasing complexity, along
with potential control considerations.
Financial institutions that do not provide bill payment services, but may direct
customers to select from several unaffiliated bill payment providers.
    Caution customers regarding security and privacy issues through the use
    of on-line disclosures or, more conservatively, e-banking agreements.
Financial institutions that rely on a third-party bill payment provider,
including Internet banking providers that subcontract to third parties.
    Set dollar and volume thresholds and review bill payment transactions
    for suspicious activity.
    Gain independent audit assurance over the bill payment provider’s
    processing controls.
    Restrict employees’ administrative access to ensure that the internal
    controls limiting their capabilities to originate, modify, or delete bill
    payment transactions are at least as strong as those applicable to the
    underlying retail payment system ultimately transmitting the transaction.
    Restrict by vendor contract and identify the use of any subcontractors
    associated with the bill payment application to ensure adequate oversight
    of underlying bill payment system performance and availability.
    Evaluate the adequacy of authentication methods given the higher risk
    associated with funds transfer capabilities rather than with basic account
    access.
    Consider the additional guidance contained in the IT Handbook’s
    “Information Security,” “Retail Payment Systems,” and “Outsourcing
    Technology Services” booklets.
Financial institutions that use third-party software to host a bill payment
application internally.
    Determine the extent of any independent assessments or certification of
    the security of application source code.
    Ensure software is adequately tested prior to installation on the live
    system.
    Ensure vendor access for software maintenance is controlled and
    monitored.
Financial institutions that develop, maintain, and host their own bill payment
system.
    Consider additional guidance in the IT Handbook’s “Development and
    Acquisition Booklet.”
Financial institutions can offer bill payment as a stand-alone service or in
combination with bill presentment. Bill presentment arrangements permit a
business to submit a customer’s bill in electronic form to the customer’s financial
institution. Customers can view their bills by clicking on links on their account’s e-
banking screen or menu. After viewing a bill, the customer can initiate bill
payment instructions or elect to pay the bill through a different payment channel.
In addition, some businesses have begun offering electronic bill presentment
directly from their own websites rather than through links on the e-banking screens
of a financial institution. Under such arrangements, customers can log on to the
business’s website to view their periodic bills. Then, if so desired, they can
electronically authorize the business to “take” the payment from their account. The
payment then occurs as an ACH debit originated by the business’s financial
institution as compared to the ACH credit originated by the customer’s financial
institution in the bill payment scenario described above. Institutions should ensure
proper approval of businesses allowed to use ACH payment technology to initiate
payments from customer accounts.
Cash management applications would include the same control considerations
described above, but the institution should consider additional controls because of
the higher risk associated with commercial transactions. The adequacy of
authentication methods becomes a higher priority and requires greater assurance
due to the larger average dollar size of transactions. Institutions should also
establish additional controls to ensure binding agreements – consistent with any
existing ACH or wire transfer agreements – exist with commercial customers.
Additionally, cash management systems should provide adequate security
administration capabilities to enable the business owners to restrict access rights
and dollar limits associated with multiple-user access to their accounts.
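The front-end controls described above (per-user access rights and dollar limits administered by the business owner, dual control, and dollar and volume thresholds that are reviewed for suspicious activity), as an added example that is not part of the booklet; the user names, limits and payments are constructed for illustration.

```python
# Added example, not the booklet's own code: the front-end controls described
# above for bill payment and cash management: per-user access rights and dollar
# limits set by the business's security administrator, dual control above a
# threshold, and daily dollar/volume review thresholds. All data is constructed.
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class UserProfile:
    """Entitlements the business owner assigns to one of its users."""
    user_id: str
    can_originate: bool          # may this user enter payment instructions?
    per_item_limit: Decimal      # largest single payment the user may originate
    daily_limit: Decimal         # total the user may originate per business day

@dataclass(frozen=True)
class Payment:
    payment_id: str
    customer_id: str             # the business whose account is debited
    originator: str              # user who entered the instruction
    amount: Decimal
    approver: Optional[str] = None   # second user who approved it, if any

@dataclass(frozen=True)
class ReviewThresholds:
    dual_control_above: Decimal  # payments above this need a distinct approver
    daily_dollar_review: Decimal # per customer per day; exceeding it is flagged
    daily_count_review: int      # per customer per day; exceeding it is flagged

def authorize(payment, users, thresholds, originated_today):
    """Return None if the payment passes the per-payment controls, else the reason."""
    user = users.get(payment.originator)
    if user is None or not user.can_originate:
        return "originator not entitled to create payments"
    if payment.amount <= 0:
        return "amount must be positive"
    if payment.amount > user.per_item_limit:
        return "exceeds originator's per-item limit"
    if originated_today + payment.amount > user.daily_limit:
        return "exceeds originator's daily limit"
    if payment.amount > thresholds.dual_control_above:
        if payment.approver is None:
            return "dual control required: no approver"
        if payment.approver == payment.originator:
            return "dual control required: approver must differ from originator"
        if payment.approver not in users:
            return "dual control required: approver unknown"
    return None

def process_day(payments, users, thresholds):
    """Apply the controls in order; return (accepted_ids, rejected, flags).
    Thresholds only flag a customer for review (they never reject), matching
    "set dollar and volume thresholds and review transactions" above."""
    accepted, rejected = [], {}
    originated = defaultdict(Decimal)   # accepted total per originator today
    cust_total = defaultdict(Decimal)   # accepted total per customer today
    cust_count = defaultdict(int)       # accepted count per customer today
    for p in payments:
        reason = authorize(p, users, thresholds, originated[p.originator])
        if reason:
            rejected[p.payment_id] = reason
            continue
        accepted.append(p.payment_id)
        originated[p.originator] += p.amount
        cust_total[p.customer_id] += p.amount
        cust_count[p.customer_id] += 1
    flags = {}
    for cust, total in cust_total.items():
        reasons = []
        if total > thresholds.daily_dollar_review:
            reasons.append(f"daily dollars {total} above review threshold")
        if cust_count[cust] > thresholds.daily_count_review:
            reasons.append(f"daily count {cust_count[cust]} above review threshold")
        if reasons:
            flags[cust] = reasons
    return accepted, rejected, flags

# Constructed sample: one business customer ("ACME") with three users.
USERS = {
    "alice": UserProfile("alice", True, Decimal("5000"), Decimal("10000")),
    "bob": UserProfile("bob", True, Decimal("20000"), Decimal("50000")),
    "carol": UserProfile("carol", False, Decimal("0"), Decimal("0")),  # approver only
}
THRESHOLDS = ReviewThresholds(Decimal("10000"), Decimal("20000"), 5)
SAMPLE_PAYMENTS = [
    Payment("P1", "ACME", "alice", Decimal("2500")),          # accepted
    Payment("P2", "ACME", "alice", Decimal("6000")),          # over per-item limit
    Payment("P3", "ACME", "alice", Decimal("4000")),          # accepted (6500 today)
    Payment("P4", "ACME", "alice", Decimal("4000")),          # would exceed daily limit
    Payment("P5", "ACME", "bob", Decimal("15000")),           # needs a second approver
    Payment("P6", "ACME", "bob", Decimal("15000"), "bob"),    # self-approval refused
    Payment("P7", "ACME", "bob", Decimal("15000"), "carol"),  # accepted
    Payment("P8", "ACME", "carol", Decimal("100")),           # carol cannot originate
]
```

Running `process_day(SAMPLE_PAYMENTS, USERS, THRESHOLDS)` accepts P1, P3 and P7 and flags ACME for review because the 21500 in accepted payments exceeds the 20000 daily dollar threshold.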

Person-to-Person Payments
Electronic person-to-person payments, also known as e-mail money, permit
consumers to send “money” to any person or business with an e-mail address.
Under this scenario, a consumer electronically instructs the person-to-person
payment service to transfer funds to another individual. The payment service then
sends an e-mail notifying the individual that the funds are available and informs
him or her of the methods available to access the funds including requesting a
check, transferring the funds to an account at an insured financial institution, or
retransmitting the funds to someone else. Person-to-person payments are typically
funded by credit card charges or by an ACH transfer from the consumer’s account
at a financial institution. Since neither the payee nor the payer in the transaction
has to have an account with the payment service, such services may be offered by
an insured financial institution, but are frequently offered by other businesses as
well.
Some of the risk issues examiners should consider when reviewing bill payment,
presentment, and e-mail money services include:
Potential liability for late payments due to service disruptions,
Liability for bill payment instructions originating from someone other than
the deposit account holder,
Losses from person-to-person payments funded by transfers from credit cards
or deposit accounts over which the payee does not have signature authority,
Losses from employee misappropriation of funds held pending access
instructions from the payer, and
Potential liability directing payment availability information to the wrong e-
mail or for releasing funds in response to e-mail from someone other than the
intended payee.

WIRELESS E-BANKING
Wireless banking is a delivery channel that can extend the reach and enhance the
convenience of Internet banking products and services. Wireless banking occurs
when customers access a financial institution's network(s) using cellular phones,
pagers, and personal digital assistants (or similar devices) through
telecommunication companies’ wireless networks. Wireless banking services in the
United States typically supplement a financial institution's e-banking products and
services.
Wireless devices have limitations that increase the security risks of wireless-based
transactions and that may adversely affect customer acceptance rates. Device
limitations include reduced processing speeds, limited battery life, smaller screen
sizes, different data entry formats, and limited capabilities to transfer stored
records. These limitations combine to make the most recognized Internet language,
Hypertext Markup Language (HTML), ineffective for delivering content to
wireless devices. Wireless Markup Language (WML) has emerged as one of a few
common language standards for developing wireless device content. Wireless
Application Protocol (WAP) has emerged as a data transmission standard to
deliver WML content.
Manufacturers of wireless devices are working to improve device usability and to
take advantage of enhanced “third-generation” (3G) services. Device
improvements are anticipated to include bigger screens, color displays, voice
recognition applications, location identification technology (e.g., Federal
Communications Commission (FCC) Enhanced 911), and increased battery
capacity. These improvements are geared towards increasing customer acceptance
and usage. Increased communication speeds and improvements in devices during
the next few years should lead to continued increases in wireless subscriptions.
As institutions begin to offer wireless banking services to customers, they should
consider the risks and necessary risk management controls to address security,
authentication, and compliance issues. Some of the unique risk factors associated
with wireless banking that may increase a financial institution's strategic,
transaction, reputation, and compliance risks are discussed in appendix E.

TRANSACTION/OPERATIONS RISK
Transaction/Operations risk arises from fraud, processing errors, system
disruptions, or other unanticipated events resulting in the institution’s inability to
deliver products or services. This risk exists in each product and service offered.
The level of transaction risk is affected by the structure of the institution’s
processing environment, including the types of services offered and the complexity
of the processes and supporting technology.
In most instances, e-banking activities will increase the complexity of the
institution’s activities and the quantity of its transaction/operations risk, especially
if the institution is offering innovative services that have not been standardized.
Since customers expect e-banking services to be available 24 hours a day, 7 days a
week, financial institutions should ensure their e-banking infrastructures contain
sufficient capacity and redundancy to ensure reliable service availability. Even
institutions that do not consider e-banking a critical financial service due to the
availability of alternate processing channels should carefully consider customer
expectations and the potential impact of service disruptions on customer
satisfaction and loyalty.
The key to controlling transaction risk lies in adapting effective policies,
procedures, and controls to meet the new risk exposures introduced by e-banking.
Basic internal controls including segregation of duties, dual controls, and
reconcilements remain important. Information security controls, in particular,
become more significant requiring additional processes, tools, expertise, and
testing. Institutions should determine the appropriate level of security controls
based on their assessment of the sensitivity of the information to the customer and
to the institution and on the institution’s established risk tolerance level. Security
controls are discussed in this booklet’s “Risk Management of E-Banking
Activities” section under the heading “Information Security Program.”

CREDIT RISK
Generally, a financial institution’s credit risk is not increased by the mere fact that
a loan is originated through an e-banking channel. However, management should
consider additional precautions when originating and approving loans
electronically, including assuring management information systems effectively
track the performance of portfolios originated through e-banking channels. The
following aspects of on-line loan origination and approval tend to make risk
management of the lending process more challenging. If not properly managed,
these aspects can significantly increase credit risk.
Verifying the customer’s identity for on-line credit applications and executing
an enforceable contract;
Monitoring and controlling the growth, pricing, underwriting standards, and
ongoing credit quality of loans originated through e-banking channels;
Monitoring and oversight of third parties doing business as agents or on
behalf of the financial institution (for example, an Internet loan origination
site or electronic payments processor);
Valuing collateral and perfecting liens over a potentially wider geographic
area;
Collecting loans from individuals over a potentially wider geographic area;
and
Monitoring any increased volume of, and possible concentration in, out-of-
area lending.

LIQUIDITY, INTEREST RATE, PRICE/MARKET RISKS


Funding and investment-related risks could increase with an institution’s e-banking
initiatives depending on the volatility and pricing of the acquired deposits. The
Internet provides institutions with the ability to market their products and services
globally. Internet-based advertising programs can effectively match yield-focused
investors with potentially high-yielding deposits. But Internet-originated deposits
have the potential to attract customers who focus exclusively on rates and may
provide a funding source with risk characteristics similar to brokered deposits. An
institution can control this potential volatility and expanded geographic reach
through its deposit contract and account opening practices, which might involve
face-to-face meetings or the exchange of paper correspondence. The institution
should modify its policies as necessary to address the following e-banking funding
issues:
Potential increase in dependence on brokered funds or other highly rate-
sensitive deposits;
Potential acquisition of funds from markets where the institution is not
licensed to engage in banking, particularly if the institution does not establish,
disclose, and enforce geographic restrictions;
Potential impact of loan or deposit growth from an expanded Internet market,
including the impact of such growth on capital ratios; and
Potential increase in volatility of funds should e-banking security problems
negatively impact customer confidence or the market’s perception of the
institution.

COMPLIANCE/LEGAL RISK
Compliance and legal issues arise out of the rapid growth in usage of e-banking
and the differences between electronic and paper-based processes. E-banking is a
new delivery channel where the laws and rules governing the electronic delivery of
certain financial institution products or services may be ambiguous or still
evolving. Specific regulatory and legal challenges include:
Uncertainty over legal jurisdictions and which state’s or country’s laws
govern a specific e-banking transaction,
Delivery of credit and deposit-related disclosures/notices as required by law
or regulation,
Retention of required compliance documentation for on-line advertising,
applications, statements, disclosures and notices; and
Establishment of legally binding electronic agreements.
Laws and regulations governing consumer transactions require specific types of
disclosures, notices, or record keeping requirements. These requirements also
apply to e-banking, and federal banking agencies continue to update consumer
laws and regulations to reflect the impact of e-banking and on-line customer
relationships. Some of the legal requirements and regulatory guidance that
frequently apply to e-banking products and services include:
Solicitation, collection and reporting of government monitoring information
on applications and loans, as required by Equal Credit Opportunity Act
(Regulation B) and Home Mortgage Disclosure Act (Regulation C)
regulations;
Advertising requirements, customer disclosures, or notices required by the
Real Estate Settlement Procedures Act (RESPA), Truth in Lending
(Regulation Z), and Truth In Savings (Regulation DD) and Fair Housing
regulations;
Proper and conspicuous display of FDIC or NCUA insurance notices;
Conspicuous webpage disclosures indicating that certain types of investment,
brokerage, and insurance products offered have certain associated risks,
including not being insured by federal deposit insurance (FDIC or NCUA);
Customer identification programs and procedures, as well as record retention
and customer notification requirements, required by the Bank Secrecy Act;
Customer identification processes to determine whether transactions are
prohibited by the Office of Foreign Asset Control (OFAC) and, when
necessary, whether customers appear on any list of known or suspected
terrorists or terrorist organizations provided by any government agency;
Delivery of privacy and opt-out notices by hand, by mail, or with customer
acknowledgement of electronic receipt;
Verification of customer identification, reporting, and record keeping
requirements of the Bank Secrecy Act (BSA), including requirements for
filing a suspicious activity report (SAR); and
Record retention requirements of the Equal Credit Opportunity Act
(Regulation B) and Fair Credit Reporting Act regulations.
Institutions that offer e-banking services, both informational and transactional,
assume a higher level of compliance risk because of the changing nature of the
technology, the speed at which errors can be replicated, and the frequency of
regulatory changes to address e-banking issues. The potential for violations is
further heightened by the need to ensure consistency between paper and electronic
advertisements, disclosures, and notices. Additional information on compliance
requirements for e-banking can be found on the agencies’ websites and in
references contained in appendix C.

STRATEGIC RISK
A financial institution’s board and management should understand the risks
associated with e-banking services and evaluate the resulting risk management
costs against the potential return on investment prior to offering e-banking
services. Poor e-banking planning and investment decisions can increase a
financial institution’s strategic risk. Early adopters of new e-banking services can
establish themselves as innovators who anticipate the needs of their customers, but
may do so by incurring higher costs and increased complexity in their operations.
Conversely, late adopters may be able to avoid the higher expense and added
complexity, but do so at the risk of not meeting customer demand for additional
products and services. In managing the strategic risk associated with e-banking
services, financial institutions should develop clearly defined e-banking objectives
by which the institution can evaluate the success of its e-banking strategy. In
particular, financial institutions should pay attention to the following:
Adequacy of management information systems (MIS) to track e-banking
usage and profitability;
Costs involved in monitoring e-banking activities or costs involved in
overseeing e-banking vendors and technology service providers;
Design, delivery, and pricing of services adequate to generate sufficient
customer demand;
Retention of electronic loan agreements and other electronic contracts in a
format that will be admissible and enforceable in litigation;
Costs and availability of staff to provide technical support for interchanges
involving multiple operating systems, web browsers, and communication
devices;
Competition from other e-banking providers; and
Adequacy of technical, operational, compliance, or marketing support for e-
banking products and services.

REPUTATION RISK
An institution’s decision to offer e-banking services, especially the more complex
transactional services, significantly increases its level of reputation risk. Some of
the ways in which e-banking can influence an institution’s reputation include:
Loss of trust due to unauthorized activity on customer accounts,
Disclosure or theft of confidential customer information to unauthorized
parties (e.g., hackers),
Failure to deliver on marketing claims,
Failure to provide reliable service due to the frequency or duration of service
disruptions,
Customer complaints about the difficulty in using e-banking services and the
inability of the institution’s help desk to resolve problems, and
Confusion between services provided by the financial institution and services
provided by other businesses linked from the website.

This diagram illustrates the transaction flow for one possible configuration where
the bank relies on a technology service provider to host its Internet banking
application.
Internet banking customer sends an e-banking transaction through their
Internet Service Provider (ISP) via a phone, wireless, or broadband
connection.
The customer’s ISP routes the transaction through the Internet and sends it
to the e-banking service provider's ISP, which routes it to the provider.
The transaction enters the provider's network through a router, which
directs the e-banking transaction through a firewall to the application
running on the Internet banking server.
The website server and Internet banking server may have host-based
intrusion detection system (IDS) software monitoring the server and its
files to provide alerts of potential unauthorized modifications.
Network IDS software may reside at different points within the network to
analyze the message for potential attack characteristics that suggest an
intrusion attempt.
The Internet banking application processes the transaction against account
balance data through a real time connection to the core banking system or a
database of account balance data, which is updated periodically from the
core banking system.
The Internet banking server has a firewall filtering Internet traffic from its
internal network.
As noted in the prior section, e-banking has unique characteristics that may
increase an institution’s overall risk profile and the level of risks associated with
traditional financial services, particularly strategic, operational, legal, and
reputation risks. These unique e-banking characteristics include:
Speed of technological change,
Changing customer expectations,
Increased visibility of publicly accessible networks (e.g., the Internet),
Less face-to-face interaction with financial institution customers,
Need to integrate e-banking with the institution’s legacy computer systems,
Dependence on third parties for necessary technical expertise, and
Proliferation of threats and vulnerabilities in publicly accessible networks.
Management should review each of the processes discussed in this section to adapt
and expand the institution’s risk management practices as necessary to address the
risks posed by e-banking activities.

BOARD AND MANAGEMENT OVERSIGHT

E-BANKING STRATEGY
Financial institution management should choose the level of e-banking services
provided to various customer segments based on customer needs and the
institution’s risk assessment considerations. Institutions should reach this decision
through a board-approved, e-banking strategy that considers factors such as
customer demand, competition, expertise, implementation expense, maintenance
costs, and capital support. Some institutions may choose not to provide e-banking
services or to limit e-banking services to an informational website. Financial
institutions should periodically re-evaluate this decision to ensure it remains
appropriate for the institution’s overall business strategy. Institutions may define
success in many ways including growth in market share, expanding customer
relationships, expense reduction, or new revenue generation. If the financial
institution determines that a transactional website is appropriate, the next decision
is the range of products and services to make available electronically to its
customers. To deliver those products and services, the financial institution may
have more than one website or multiple pages within a website for various
business lines.

COST-BENEFIT ANALYSIS AND RISK ASSESSMENT
Financial institutions should base any decision to implement e-banking products
and services on a thorough analysis of the costs and benefits associated with such
action. Some of the reasons institutions offer e-banking services include:
Lower operating costs,
Greater geographic diversification,
Improved or sustained competitive position,
Increased customer demand for services, and
New revenue opportunities.
The individuals conducting the cost-benefit analysis should clearly understand the
risks associated with e-banking so that cost considerations fully incorporate
appropriate risk mitigation controls. Without such expertise, the cost-benefit
analysis will most likely underestimate the time and resources needed to properly
oversee e-banking activities, particularly the level of technical expertise needed to
provide competent oversight of in-house or outsourced activities. In addition to the
obvious costs for personnel, hardware, software, and communications, the analysis
should also consider:
Changes to the institution’s policies, procedures, and practices;
The impact on processing controls for legacy systems;
The appropriate networking architecture, security expertise, and software
tools to maintain system availability and to protect and respond to
unauthorized access attempts;
The skilled staff necessary to support and market e-banking services during
expanded hours and over a wider geographic area, including possible
expanded market and cross-border activity;
The additional expertise and MIS needed to oversee e-banking vendors or
technology service providers;
The higher level of legal, compliance, and audit expertise needed to support
technology-dependent services;
Expanded MIS to monitor e-banking security, usage, and profitability and to
measure the success of the institution’s e-banking strategy;
Cost of insurance coverage for e-banking activities;
Potential revenues under different pricing scenarios;
Potential losses due to fraud; and
Opportunity costs associated with allocating capital to e-banking efforts.

MONITORING AND ACCOUNTABILITY


Once an institution implements its e-banking strategy, the board and management
should periodically evaluate the strategy’s effectiveness. A key aspect of such an
evaluation is the comparison of actual e-banking acceptance and performance to
the institution’s goals and expectations. Some items that the institution might use
to monitor the success and cost effectiveness of its e-banking strategy include:
Revenue generated,
Website availability percentages,
Customer service volumes,
Number of customers actively using e-banking services,
Percentage of accounts signed up for e-banking services, and
The number and cost per item of bill payments generated.
Without clearly defined and measurable goals, management will be unable to
determine if e-banking services are meeting the customers’ needs as well as the
institution’s growth and profitability expectations.
In evaluating the effectiveness of the institution’s e-banking strategy, the board
should also consider whether appropriate policies and procedures are in effect and
whether risks are properly controlled. Unless the initial strategy establishes clear
accountability for the development of policies and controls, the board will be
unable to determine where and why breakdowns in the risk control process
occurred.

AUDIT
An important component of monitoring is an appropriate independent audit
function. Financial institutions offering e-banking products and services should
expand their audit coverage commensurate with the increased complexity and risks
inherent in e-banking activities. Financial institutions offering e-banking services
should ensure the audit program expands to include:
Scope and coverage, including the entire e-banking process as applicable (i.e.,
network configuration and security, interfaces to legacy systems, regulatory
compliance, internal controls, and support activities performed by third-party
providers);
Personnel with sufficient technical expertise to evaluate security threats and
controls in an open network (i.e., the Internet); and
Independent individuals or companies conducting the audits without
conflicting e-banking or network security roles.

MANAGING OUTSOURCING RELATIONSHIPS

DUE DILIGENCE FOR OUTSOURCING SOLUTIONS


A key consideration in preparing an e-banking cost-benefit analysis is whether the
financial institution supports e-banking services in-house or outsources support to
one or more third parties (i.e., a technology service provider or TSP). Transactional
e-banking is typically a front-end system that relies on a programming link called
an interface to transfer information and transactions between the e-banking system
and the institution’s core processing applications (e.g., loans, deposits, asset
management). Such interfaces can be between in-house systems, outsourced
systems, or a combination of both. This flexibility allows institutions to select
those products and services that best meet their e-banking needs, but it can also
complicate the vendor oversight process when multiple vendors are involved.
Choosing to use the services of one or more TSPs can help financial institutions
manage costs, obtain necessary expertise, expand customer product offerings, and
improve service quality. However, this choice does not absolve financial
institutions from understanding and managing the risks associated with TSP
services. In fact, service providers may introduce additional risks and
interdependencies that financial institutions must understand and manage.
Table 2 below summarizes some of the advantages and disadvantages of
supporting technology-based products and services in-house versus contracting for
support with a TSP. Regardless of whether an institution’s e-banking services are
outsourced or processed in-house, the institution should periodically review
whether this arrangement continues to meet current and anticipated future needs.
Table 2: Advantages and Disadvantages of Common Processing Alternatives

Hardware: In-house (purchased or leased). Application software: Developed in-house.
Advantages: Systems designed to meet institution’s specific needs; ability to offer
unique products and services; direct oversight of risks.
Disadvantages: Costs to develop/maintain system; requires high level of technical
expertise.

Hardware: In-house (purchased or leased). Application software: Purchased with
in-house modifications.
Advantages: Cheaper than in-house developed, while retaining ability to adapt
system and directly oversee risks.
Disadvantages: Cost of technical expertise to maintain system, modify vendor’s
software, and integrate vendor updates.

Hardware: In-house (purchased or leased). Application software: Purchased without
modifications.
Advantages: Requires lower level of expertise to maintain system and applications;
direct oversight of risks.
Disadvantages: Limited ability to customize products/services and differentiate
unique products.

Hardware: Outsourced to TSP. Application software: Outsourced to TSP.
Advantages: Minimal need for technical expertise; increases implementation speed;
lower start-up costs.
Disadvantages: No ownership interest; limited ability to customize
products/services; need processes to oversee risks in outsourced activities or
services.

CONTRACTS FOR THIRD-PARTY SERVICES


As with all outsourced financial services, institutions must have a formal contract
with the TSP that clearly addresses the duties and responsibilities of the parties
involved. In the past, some institutions have had informal security expectations for
software vendors or Internet access providers that had never been committed to
writing. This lack of clear responsibilities and consensus has led to breakdowns in
internal controls and allowed security incidents to occur. The IT Handbook’s
“Outsourcing Technology Services Booklet” lists detailed contract
recommendations for TSPs. Institutions should tailor these recommendations to e-
banking services as necessary. Specific examples of e-banking contract issues
include:
Restrictions on use of nonpublic customer information collected or stored by
the TSP;
Requirements for appropriate controls to protect the security of customer
information held by the TSP;
Service-level standards such as website “up-time,” hyperlink performance,
customer service response times, etc.;
Incident response plans, including notification responsibilities, to respond to
website outage, defacement, unauthorized access, or malicious code;
Business continuity plans for e-banking services including alternate
processing lines, backup servers, emergency operating procedures, etc.;
Performance of, and access to, vulnerability assessments, penetration tests,
and financial and operations audits;
Limitations on subcontracting of services, either domestically or
internationally;
Choice of law and jurisdiction for dispute resolution and access to
information by the financial institution and its regulators; and
For foreign-based vendors or service providers (i.e., country of residence is
different from that of the institution), in addition to the above items, contract
options triggered by increased risks due to adverse economic or political
developments in the vendor’s or service provider’s home country.

OVERSIGHT AND MONITORING OF THIRD PARTIES


Financial institutions that outsource e-banking technical support must provide
sufficient oversight of service providers’ activities to identify and control the
resulting risks. The key to good oversight typically lies in effective MIS. However,
for MIS to be effective the financial institution must first establish clear
performance expectations. Wherever possible, these expectations should be clearly
documented in the service contract or an addendum to the contract. Effective and
timely MIS can alert the serviced institution to developing service, financial or
security problems at the vendor — problems that might require execution of
contingency plans supporting a change in vendor or in the existing service
relationship.
The type and frequency of monitoring reports needed varies, depending on the
complexity of the services provided and the division of responsibilities between
the institution and its service provider(s). Service providers can build MIS
capabilities into the administrative modules of their application, provide on-line
reports, or they can provide periodic written reports. Some examples of items that
might be tracked by e-banking monitoring reports are listed below:
E-banking service availability. Reports might include statistics regarding the
frequency and duration of service disruptions, including the reasons for any service
disruptions (maintenance, equipment/network problems, security incidents, etc.);
“up time” and “down time” percentages for website and e-banking services; and
volume and type of website access problems reported by e-banking customers.
Activity levels and service volumes. Reports might include number of accounts
serviced, number and percentage of new, active, or inactive accounts; breakdown
of intrabank transfers by number, dollar size, and account type; bill payment
activity by number, average dollar, and recurring versus one-time payments;
volume of associated ACH returns and rejects, fee breakdown by source and type;
and activity on informational website usage by webpages viewed.
Performance efficiency. Reports might include average response times by time of
day (including complaints about slow response); bill payment activity by check
versus ACH; server capacity utilization; customer service contacts by type of
inquiry and average time to resolution; and losses from errors, fraud, or repudiated
items.
Security incidents. Reports might include volume of rejected log-on attempts,
password resets, attempted and successful penetration attempts, number and type
of trapped viruses or other malicious code, and any physical security breaches.
Vendor stability. Reports might include quarterly or annual financial reports,
number of new or departing customers, changes in systems or equipment, and
employee turnover statistics, including any changes in management positions.
Quality Assurance. Reports on performance, audit results, penetration tests, and
vulnerability assessments, including servicer actions to address any identified
deficiencies.

INFORMATION SECURITY PROGRAM


Information security is essential to a financial institution’s ability to deliver e-
banking services, protect the confidentiality and integrity of customer information,
and ensure that accountability exists for changes to the information and the
processing and communications systems. Depending on the extent of in-house
technology, a financial institution’s e-banking systems can make information
security complex with numerous networking and control issues. The IT
Handbook’s “Information Security Booklet” addresses security in much greater
detail. Refer to that booklet for additional information on security and to
supplement the examination coverage in this booklet.
SECURITY GUIDELINES
Financial institutions must comply with the “Guidelines Establishing Standards for
Safeguarding Customer Information” (guidelines) as issued pursuant to the
Gramm–Leach–Bliley Act of 1999 (GLBA). When financial institutions introduce
e-banking or related support services, management must re-assess the impact to
customer information under the GLBA. The guidelines require financial
institutions to:
Ensure the security and confidentiality of customer information;
Protect against any anticipated threats or hazards to the security or integrity of
such information; and
Protect against unauthorized access to or use of such information that could
result in substantial harm or inconvenience to any customer.
The guidelines outline specific measures institutions should consider in
implementing a security program. These measures include:
Identifying and assessing the risks that may threaten consumer information;
Developing a written plan containing policies and procedures to manage and
control these risks;
Implementing and testing the plan; and
Adjusting the plan on a continuing basis to account for changes in
technology, the sensitivity of customer information, and internal or external
threats to information security.
The guidelines also outline the responsibilities of management to oversee the
protection of customer information including the security of customer information
maintained or processed by service providers. Oversight of third-party service
providers and vendors is discussed in this booklet under the headings “Board and
Management Oversight” and “Managing Outsourcing Relationships.” Additional
information on the guidelines can be found in the IT Handbook’s “Management
Booklet.” The IT Handbook’s “Information Security Booklet” presents additional
information on the risk assessment process and information processing controls.

The guidelines required by the GLBA apply to customer information stored in
electronic form as well as paper-based records. Examination procedures
specifically addressing compliance with the GLBA guidelines can be accessed
through the agency websites listed in the reference section of this booklet.
Although the guidelines supporting GLBA define customer as “a consumer who
has a customer relationship with the institution,” management should consider
expanding the written information security program to cover the institution’s own
confidential records as well as confidential information about its commercial
customers.

INFORMATION SECURITY CONTROLS


Security threats can affect a financial institution through numerous vulnerabilities.
No single control or security device can adequately protect a system connected to a
public network. Effective information security comes only from establishing layers
of various control, monitoring, and testing methods. While the details of any
control and the effectiveness of risk mitigation depend on many factors, in general,
each financial institution with external connectivity should ensure the following
controls exist internally or at their TSP.
Ongoing knowledge of attack sources, scenarios, and techniques. Financial
institutions should maintain an ongoing awareness of attack threats through
membership in information-sharing entities such as the Financial Services
Information Sharing and Analysis Center (FS-ISAC), Infragard, the CERT
Coordination Center, private mailing lists, and other security information
sources. All defensive measures are based on knowledge of the attacker’s
capabilities and goals, as well as the probability of attack.
Up-to-date equipment inventories, and network maps. Financial institutions
should have inventories of machines and software sufficient to support
timely security updating and audits of authorized equipment and software. In
addition, institutions should understand and document the connectivity
between various network components including remote users, internal
databases, and gateway servers to third parties. Inventories of hardware and
the software on each system can accelerate the institution’s response to
newly discovered vulnerabilities and support the proactive identification of
unauthorized devices or software.
Rapid response capability to react to newly discovered vulnerabilities.
Financial institutions should have a reliable process to become aware of new
vulnerabilities and to react as necessary to mitigate the risks posed by newly
discovered vulnerabilities. Software is seldom flawless. Some of those flaws
may represent security vulnerabilities, and the financial institution may need
to correct the software code using temporary fixes, sometimes called a
“patch.” In some cases, management may mitigate the risk by reconfiguring
other computing devices. Frequently, the financial institution must respond
rapidly, because a widely known vulnerability is subject to an increasing
number of attacks.
Network access controls over external connections. Financial institutions
should carefully control external access through all channels including
remote dial-up, virtual private network connections, gateway servers, or
wireless access points. Typically, firewalls are used to enforce an
institution’s policy over traffic entering the institution’s network. Firewalls
are also used to create a logical buffer, called a “demilitarized zone,” or
DMZ, where servers are placed that receive external traffic. The DMZ is
situated between the outside and the internal network and prevents direct
access between the two. Financial institutions should use firewalls to enforce
policies regarding acceptable traffic and to screen the internal network from
directly receiving external traffic.
System hardening. Financial institutions should “harden” their systems prior
to placing them in a production environment. Computer equipment and
software are frequently shipped from the manufacturer with default
configurations and passwords that are not sufficiently secure for a financial
institution environment. System “hardening” is the process of removing or
disabling unnecessary or insecure services and files. A number of
organizations have current efforts under way to develop security benchmarks
for various vendor systems. Financial institutions should assess their systems
against these standards when available.
Controls to prevent malicious code. Financial institutions should reduce the
risks posed by malicious code by, among other things, educating employees
in safe computing practices, installing anti-virus software on servers and
desktops, maintaining up-to-date virus definition files, and configuring their
systems to protect against the automatic execution of malicious code.
Malicious code can deny or degrade the availability of computing services;
steal, alter, or insert information; and destroy any potential evidence for
criminal prosecution. Various types of malicious code exist including
viruses, worms, and scripts using active content.
Rapid intrusion detection and response procedures. Financial institutions
should have mechanisms in place to reduce the risk of undetected system
intrusions. Computing systems are never perfectly secure. When a security
failure occurs and an attacker is “in” the institution’s system, only rapid
detection and reaction can minimize any damage that might occur.
Techniques used to identify intrusions include intrusion detection systems
(IDS) for the network and individual servers (i.e., host computer), automated
log correlation and analysis, and the identification and analysis of
operational anomalies.
Physical security of computing devices. Financial institutions should mitigate
the risk posed by unauthorized physical access to computer equipment
through such techniques as placing servers and network devices in areas that
are available only to specifically authorized personnel and restricting
administrative access to machines in those limited access areas. An
attacker’s physical access to computers and network devices can
compromise all other security controls. Computers used by vendors and
employees for remote access to the institution’s systems are also subject to
compromise. Financial institutions should ensure these computers meet
security and configuration requirements regardless of the controls governing
remote access.
User enrollment, change, and termination procedures. Financial institutions
should have a strong policy and well-administered procedures to positively
identify authorized users when given initial system access (enrollment) and,
thereafter, to limit the extent of their access to that required for business
purposes, to promptly increase or decrease the degree of access to mirror
changing job responsibilities, and to terminate access in a timely manner
when access is no longer needed.
Authorized use policy. Each financial institution should have a policy that
addresses the systems various users can access, the activities they are
authorized to perform, prohibitions against malicious activities and unsafe
computing practices, and consequences for noncompliance. All internal
system users and contractors should be trained in, and acknowledge that they
will abide by, rules that govern their use of the institution’s system.
Training. Financial institutions should have processes to identify, monitor,
and address training needs. Each financial institution should train its
personnel in the technologies they use and the institution’s rules governing
the use of that technology. Technical training is particularly important for
those who oversee the key technology controls such as firewalls, intrusion
detection, and device configuration. Security awareness training is important
for all users, including the institution’s e-banking customers.
Independent testing. Financial institutions should have a testing plan that
identifies control objectives; schedules tests of the controls used to meet
those objectives; ensures prompt corrective action where deficiencies are
identified; and provides independent assurance for compliance with security
policies. Security tests are necessary to identify control deficiencies. An
effective testing plan identifies the key controls, then tests those controls at a
frequency based on the risk that the control is not functioning. Security
testing should include independent tests conducted by personnel without
direct responsibility for security administration. Adverse test results indicate
a control is not functioning and cannot be relied upon. Follow-up can include
correction of the specific control, as well as a search for, and correction of, a
root cause. Types of tests include audits, security assessments, vulnerability
scans, and penetration tests.
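The inventory and rapid-response controls above come down to matching a newly disclosed vulnerability against what the institution actually runs, patching exposed systems first, and spotting software nobody approved. The following Python is an added example, not part of the booklet or any agency tool; the inventory, zone names, approved-software baseline and advisory are all constructed.

```python
"""Inventory-driven vulnerability response for an e-banking environment.

Added example, not from the booklet. The inventory, zone names,
approved-software baseline and advisory below are all constructed.
"""
from dataclasses import dataclass, field


def parse_version(text):
    """Turn "2.0.54" into (2, 0, 54) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Software:
    name: str
    version: str


@dataclass
class Host:
    hostname: str
    zone: str                          # "dmz" (receives Internet traffic) or "internal"
    software: list = field(default_factory=list)


@dataclass
class Advisory:
    product: str
    fixed_in: str                      # first version that carries the fix
    affected_from: str = "0"           # earliest affected version (default: every earlier release)


# Constructed inventory: the network map tells us which hosts sit in the DMZ.
INVENTORY = [
    Host("db-01", "internal", [Software("acmedb", "9.2"), Software("acmehttpd", "1.3.29")]),
    Host("web-01", "dmz", [Software("acmehttpd", "2.0.52"), Software("openssl-lib", "0.9.7")]),
    Host("ebank-app-01", "dmz", [Software("acmehttpd", "2.0.54"), Software("ebank-core-if", "4.1")]),
    Host("teller-pc-07", "internal", [Software("officesuite", "11.0"), Software("p2pshare", "3.1")]),
]

# Constructed approved-software baseline per zone; anything else is unauthorized.
APPROVED = {
    "dmz": {"acmehttpd", "openssl-lib", "ebank-core-if"},
    "internal": {"acmedb", "officesuite", "acmehttpd"},
}


def affected_hosts(inventory, advisory):
    """Hosts running advisory.product at a version in [affected_from, fixed_in)."""
    low, high = parse_version(advisory.affected_from), parse_version(advisory.fixed_in)
    hits = []
    for host in inventory:
        for sw in host.software:
            if sw.name == advisory.product and low <= parse_version(sw.version) < high:
                hits.append((host.hostname, sw.version))
    return hits


def prioritise(hits, inventory):
    """Order affected hosts so Internet-facing (DMZ) systems are patched first:
    a widely known vulnerability on an exposed host draws attacks soonest."""
    zone_of = {h.hostname: h.zone for h in inventory}
    return sorted(hits, key=lambda hit: (zone_of[hit[0]] != "dmz", hit[0]))


def unauthorized_software(inventory, approved):
    """Software present on a host but absent from its zone's approved list."""
    return [(h.hostname, sw.name)
            for h in inventory for sw in h.software
            if sw.name not in approved.get(h.zone, set())]


if __name__ == "__main__":
    advisory = Advisory("acmehttpd", fixed_in="2.0.54")
    for hostname, version in prioritise(affected_hosts(INVENTORY, advisory), INVENTORY):
        print(f"patch {hostname}: acmehttpd {version} -> {advisory.fixed_in}")
    for hostname, name in unauthorized_software(INVENTORY, APPROVED):
        print(f"unauthorized software on {hostname}: {name}")
```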
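The "Security incidents" monitoring report in the outsourcing section and the rapid intrusion detection control above both rest on automated log correlation: counting rejected log-ons, password resets and trapped malicious code, and separating an operational anomaly from a customer who forgot a password. The following Python is an added example, not from the booklet; the log format, account identifiers, IP addresses and thresholds are constructed.

```python
"""Security-incident report built by correlating e-banking application logs.

Added example, not from the booklet. The log format, account identifiers,
IP addresses and thresholds below are constructed for illustration.
One event per line: "<ISO timestamp> <host> <facility> key=value ...".
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """\
2003-10-01T08:02:11Z ebank-app-01 auth event=LOGON result=OK user=c10442 src=198.51.100.24
2003-10-01T08:05:40Z ebank-app-01 auth event=LOGON result=REJECT user=c20917 src=203.0.113.7
2003-10-01T08:05:52Z ebank-app-01 auth event=LOGON result=REJECT user=c20918 src=203.0.113.7
2003-10-01T08:06:03Z ebank-app-01 auth event=LOGON result=REJECT user=c20919 src=203.0.113.7
2003-10-01T08:06:15Z ebank-app-01 auth event=LOGON result=REJECT user=c20920 src=203.0.113.7
2003-10-01T08:06:30Z ebank-app-01 auth event=LOGON result=REJECT user=c20921 src=203.0.113.7
2003-10-01T08:06:41Z ebank-app-01 auth event=LOGON result=OK user=c20921 src=203.0.113.7
2003-10-01T09:14:02Z ebank-app-01 auth event=PWRESET result=OK user=c10442 src=198.51.100.24
2003-10-01T09:30:45Z ebank-app-01 auth event=LOGON result=REJECT user=c33001 src=192.0.2.55
2003-10-01T12:30:45Z ebank-app-01 auth event=LOGON result=REJECT user=c33001 src=192.0.2.55
2003-10-01T12:31:02Z ebank-app-01 auth event=LOGON result=OK user=c33001 src=192.0.2.55
2003-10-01T13:00:00Z web-01 av event=MALWARE result=TRAPPED user=- src=-
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, host, facility, *pairs = line.split()
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "facility": facility}
    record.update(pair.split("=", 1) for pair in pairs)
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rejected_logons(events):
    return [e for e in events if e["event"] == "LOGON" and e["result"] == "REJECT"]


def reject_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` rejected logons inside any `window`:
    an operational anomaly, distinct from a single customer forgetting a password."""
    times_by_src = defaultdict(list)
    for e in rejected_logons(events):
        times_by_src[e["src"]].append(e["ts"])
    bursts = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):                 # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[src] = max(bursts.get(src, 0), end - start + 1)
    return bursts


def accounts_to_review(events, bursts):
    """Accepted logons from a source already flagged for a reject burst:
    candidates for follow-up as possible account compromise."""
    return [(e["user"], e["src"], e["ts"].isoformat())
            for e in events
            if e["event"] == "LOGON" and e["result"] == "OK" and e["src"] in bursts]


def security_incident_report(text, threshold=5, window=timedelta(minutes=5)):
    """The counts the 'Security incidents' report item asks for, plus the anomaly findings."""
    events = parse_log(text)
    bursts = reject_bursts(events, threshold, window)
    return {
        "rejected_logons": len(rejected_logons(events)),
        "password_resets": sum(1 for e in events if e["event"] == "PWRESET"),
        "malware_trapped": sum(1 for e in events if e["event"] == "MALWARE" and e["result"] == "TRAPPED"),
        "reject_bursts": bursts,
        "accounts_to_review": accounts_to_review(events, bursts),
    }


if __name__ == "__main__":
    for key, value in security_incident_report(LOG_LINES).items():
        print(f"{key}: {value}")
```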

AUTHENTICATING E-BANKING CUSTOMERS


E-banking introduces the customer as a direct user of the institution’s technology.
Customers have to log on and use the institution’s systems. Accordingly, the
financial institution must control their access and educate them in their security
responsibilities. While authentication controls play a significant role in the internal
security of an organization, this section of the booklet discusses authentication
only as it relates to the e-banking customer.
Authenticating New Customers
Verifying a customer’s identity, especially that of a new customer, is an integral
part of all financial services. Consistent with the USA PATRIOT Act, federal
regulations require that by October 1, 2003, each financial institution must develop
and implement a customer identification program (CIP) that is appropriate given
the institution’s size, location and type of business. The CIP must be written,
incorporated into the institution’s Bank Secrecy Act/Anti-Money Laundering
program, and approved by the institution’s board of directors. The CIP must
include risk-based procedures to verify the identity of customers (generally persons
opening new accounts). Procedures in the program should describe how the bank
will verify the identity of the customer using documents, nondocumentary
methods, or a combination of both. The procedures should reflect the institution’s
account opening processes – whether face-to-face or remotely as part of the
institution’s e-banking services.
As part of its nondocumentary verification methods, a financial institution may
rely on third parties to verify the identity of an applicant or assist in the
verification. The financial institution is responsible for ensuring that the third party
uses the appropriate level of verification procedures to confirm the customer’s
identity. New account applications submitted on-line increase the difficulty of
verifying the application information. Many institutions choose to require the
customer to come into an office or branch to complete the account opening
process. Institutions conducting the entire account opening process through the
mail or on-line should consider using third-party databases to provide:
Positive verification to ensure that material information provided by an
applicant matches information available from third-party sources,
Logical verification to ensure that information provided is logically
consistent, and
Negative verification to ensure that information provided has not previously
been associated with fraudulent activity (e.g., an address previously
associated with a fraudulent application).

Authenticating Existing Customers


In addition to the initial verification of customer identities, the financial institution
must also authenticate its customers’ identities each time they attempt to access
their confidential on-line information. The authentication method a financial
institution chooses to use in a specific e-banking application should be appropriate
and “commercially reasonable” in light of the risks in that application. Whether a
method is a commercially reasonable system depends on an evaluation of the
circumstances. Financial institutions should weigh the cost of the authentication
method, including technology and procedures, against the level of protection it
affords and the value or sensitivity of the transaction or data to both the institution
and the customer. What constitutes a commercially reasonable system may change
over time as technology and standards evolve.
Authentication methods involve confirming one or more of three factors:
Something only the user should know, such as a password or PIN;
Something the user possesses, such as an ATM card, smart card, or token; or
Something the user is, such as a biometric characteristic like a fingerprint or
iris pattern.
Authentication methods that depend on more than one factor are typically more
difficult to compromise than single-factor systems, therefore suggesting a higher
reliability of authentication. For example, the use of a customer ID and password is
considered single-factor authentication since both items are something the user
knows. A common example of two-factor authentication is found in most ATM
transactions where the customer is required to provide something the user
possesses (i.e., the card) and something the user knows (i.e., the PIN). Single-factor
authentication alone may not be adequate for sensitive communications, high
dollar value transactions, or privileged user access (i.e., network administrators).
Multi-factor techniques may be necessary in those cases. Institutions should
recognize that a single-factor system may be “tiered” (e.g., require multiple
passwords) to enhance security without the implementation of a true two-factor
system.
Password Administration
Despite the concerns regarding single-factor authentication, many e-banking
services still rely on a customer ID and password to authenticate an existing
customer. Some security professionals criticize passwords for a number of reasons,
including the need for passwords whose strength places them beyond the
user’s ability to comply with other password policies, such as not writing the
password down. Password-cracking software and log-on scripts can frequently
guess passwords regardless of the use of encryption. Popular acceptance of this
form of authentication rests on its ease of use and its adaptability within existing
infrastructures.
Financial institutions that allow customers to use passwords with short character
length, readily identifiable words or dates, or widely used customer information
(e.g., Social Security numbers) may be exposed to excessive risks in light of the
security threats from hackers and fraudulent insider abuse. Stronger security in
password structure and implementation can help mitigate these risks. Another way
to mitigate the risk of scripted attacks is to make the user ID more random and not
based on any easily determined format or commonly available information. There
are three aspects of passwords that contribute to the security they provide:
password secrecy, password length and composition, and administrative controls.
Password secrecy. The security provided by password-only systems depends on
the secrecy of the password. If another party obtains the password, he or she can
perform the same transactions as the intended user. Passwords can be
compromised because of customer behavior or techniques that capture passwords
as they travel over the Internet. Attackers can also use well-known weaknesses to
gain access to a financial institution's (or its service provider’s) Internet-connected
systems and obtain password files. Because of these vulnerabilities, passwords and
password files should be encrypted when stored or transmitted over open networks
such as the Internet. The system should prohibit any user, including the system or
security administrator, from printing or viewing unencrypted passwords. In
addition, security administrators should ensure password files are protected and
closely monitored for compromise because, if a file is stolen, an attacker may be
able to decrypt an encrypted password file.
Financial institutions need to emphasize to customers the importance of protecting
the password's confidentiality. Customers should be encouraged to log off
unattended computers that have been used to access on-line banking systems
especially if they used public access terminals such as in a library, institution
lobby, or Internet cafe.
Password length and composition. The appropriate password length and
composition depends on the value or sensitivity of the data protected by the
password and the ability of the user to maintain the password as a shared secret.
Common identification items — for example, dictionary words, proper names, or
social security numbers — should not be used as passwords. Password
composition standards that require numbers or symbols in the sequence of a
password, in conjunction with both upper and lower case alphabetic characters,
provide a stronger defense against password-cracking programs. Selecting letters
that do not create a common word but do create a mnemonic — for example the
first letter of each word in a favorite phrase, poem, or song — can create a
memorable password that is difficult to crack.
Systems linked to open networks, like the Internet, are subject to a greater number
of individuals who may attempt to compromise the system. Attackers may use
automated programs to systematically generate millions of alphanumeric
combinations to learn a customer's password (i.e., “brute force” attack). A financial
institution can reduce the risk of password compromise by communicating and
enforcing prudent password selection, providing guidance to customers and
employees, and careful protection of the password file.
Password administration controls. When evaluating password-based e-banking
systems, management should consider whether the authentication system’s control
capabilities are consistent with the financial institution's security policy. This
includes evaluating such areas as password length and composition requirements,
incorrect log-on lockout, password expiration, repeat password usage, and
encryption requirements, as well as the types of activity monitoring and exception
reports in use.
Each financial institution must evaluate the risks associated with its authentication
methods given the nature of the transactions and information accessed. Financial
institutions that assess the risk and decide to rely on passwords, should implement
strong password administration standards.
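The password administration controls listed above (length and composition requirements, incorrect log-on lockout, password expiration, repeat-password checks, and protected storage of the password file) as one worked example. This is an added illustration, not code from the booklet or from any institution; the thresholds (12 characters, three character classes, 5 failed log-ons, 90-day lifetime, history of 5) and the small blocklist are illustrative assumptions. For storage it uses a salted one-way hash (PBKDF2) in place of the reversible encryption the text mentions, so that a stolen password file does not yield the passwords themselves.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Illustrative policy values (assumptions for this example, not figures from the booklet).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_FAILED_LOGONS = 5
PASSWORD_LIFETIME = timedelta(days=90)
HISTORY_DEPTH = 5
# Constructed stand-in for a dictionary-word blocklist.
COMMON_WORDS = {"password", "welcome", "banking", "letmein"}


def check_composition(password: str, customer_info: dict) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(p, password)) for p in classes) < MIN_CHARACTER_CLASSES:
        problems.append("needs at least three character classes")
    lowered = password.lower()
    if lowered in COMMON_WORDS:
        problems.append("dictionary word")
    # Reject passwords built from readily identifiable customer information
    # (name, Social Security number, birth date) supplied by the caller.
    for value in customer_info.values():
        if value and value.lower() in lowered:
            problems.append("contains customer information")
            break
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-SHA256; a stolen file of these digests does not reveal the passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class CustomerCredential:
    """Per-customer password state: salted digest, reuse history, lockout counter, expiry."""

    def __init__(self, password: str, customer_info: dict, now: datetime):
        self.history = []          # previous (salt, digest) pairs, newest last
        self.failed_attempts = 0
        self.locked = False
        problems = self.set_password(password, customer_info, now)
        if problems:
            raise ValueError(", ".join(problems))

    def set_password(self, password: str, customer_info: dict, now: datetime) -> list:
        """Apply composition and repeat-usage controls; store the password only if both pass."""
        problems = check_composition(password, customer_info)
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                problems.append("password was used recently")
                break
        if problems:
            return problems
        self.salt, self.digest = hash_password(password)
        self.history.append((self.salt, self.digest))
        self.set_at = now
        self.failed_attempts = 0
        return []

    def verify(self, password: str, now: datetime) -> str:
        """Return "ok", "locked", "expired" or "bad_password"; lock after repeated failures."""
        if self.locked:
            return "locked"
        if now - self.set_at > PASSWORD_LIFETIME:
            return "expired"
        if not hmac.compare_digest(hash_password(password, self.salt)[1], self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_LOGONS:
                self.locked = True
            return "bad_password"
        self.failed_attempts = 0
        return "ok"
```

The lockout state and the failed-attempt counter are the inputs an exception report would draw on; a production system would also record each outcome with a timestamp and source address so that the activity monitoring the text calls for has something to work from.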

ADMINISTRATIVE CONTROLS
E-banking activities are subject to the same risks as other banking processes.
However, the processes used to monitor and control these risks may vary because
of e-banking’s heavy reliance on automated systems and the customer’s direct
access to the institution’s computer network. Some of the controls that help assure
the integrity and availability of e-banking systems are discussed below.
INTERNAL CONTROLS
Segregation of duties. E-banking support relies on staff in the service provider’s
operations or staff in the institution’s bookkeeping, customer service, network
administration, or information security areas. However, no one employee should
be able to process a transaction from start to finish. Institution management must
identify and mitigate areas where conflicting duties create the opportunity for
insiders to commit fraud. For example, network administrators responsible for
configuring servers and firewalls should not be the only ones responsible for
checking compliance with security policies related to network access. Customer
service employees with access to confidential customer account information should
not be responsible for daily reconcilements of e-banking transactions.
Dual controls. Some sensitive transactions require more than one employee to
approve the transaction before it is authorized. Large electronic funds transfers or
access to encryption keys are examples of two e-banking activities that would
typically warrant dual controls.
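The segregation-of-duties and dual-control points above as one worked example: an approval routine that refuses to let the employee who keyed a funds transfer approve it, requires two distinct approvers above a threshold, and a role-conflict check that flags the two conflicting combinations the text names. This is an added example, not code from the booklet or any institution; the role names, the "wire_approver" role and the 10,000 threshold are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Assumed threshold: transfers at or above this amount need two approvers (dual control).
DUAL_CONTROL_THRESHOLD = 10_000

# Role pairs that should not be held by one person (the two examples given in the text,
# with role names assumed for this illustration).
CONFLICTING_ROLE_PAIRS = {
    frozenset({"network_admin", "access_policy_auditor"}),
    frozenset({"customer_service", "ebanking_reconciler"}),
}


@dataclass
class Employee:
    user_id: str
    roles: frozenset


@dataclass
class FundsTransfer:
    transfer_id: str
    amount: int
    initiated_by: str
    approvals: list = field(default_factory=list)
    status: str = "pending"


def conflicting_roles(employee: Employee) -> list:
    """Return every conflicting role pair this employee holds in full."""
    return [pair for pair in CONFLICTING_ROLE_PAIRS if pair <= employee.roles]


class TransferAuthorizer:
    def __init__(self, staff):
        self.staff = {e.user_id: e for e in staff}

    def approve(self, transfer: FundsTransfer, approver_id: str) -> str:
        """Record one approval and return the new status; refuse approvals that break the controls."""
        approver = self.staff[approver_id]
        if "wire_approver" not in approver.roles:
            raise PermissionError(f"{approver_id} lacks the approver role")
        # Segregation of duties: nobody processes a transaction from start to finish.
        if approver_id == transfer.initiated_by:
            raise PermissionError("initiator cannot approve their own transaction")
        # Dual control means two different people, not one person clicking twice.
        if approver_id in transfer.approvals:
            raise PermissionError("duplicate approval by the same employee")
        transfer.approvals.append(approver_id)
        needed = 2 if transfer.amount >= DUAL_CONTROL_THRESHOLD else 1
        if len(transfer.approvals) >= needed:
            transfer.status = "approved"
        return transfer.status
```

The conflict check is the kind of test that belongs in periodic access reviews: run it over the staff directory, and any non-empty result is an entry for management to resolve.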
Reconcilements. E-banking systems should provide sufficient accounting reports to
allow employees to reconcile individual transactions to daily transaction totals.
Suspicious activity. Financial institutions should establish fraud detection controls
that could prompt additional review and reporting of suspicious activity. Some
potential concerns to consider include false or erroneous application information,
large check deposits on new e-banking accounts, unusual volume or size of funds
transfers, multiple new accounts with similar account information or originating
from the same Internet address, and unusual account activity initiated from a
foreign Internet address. Security- and fraud-related events may require the filing
of a SAR with the Financial Crimes Enforcement Network (FinCEN).
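The fraud-detection concerns in the paragraph above, turned into detection logic that runs over a constructed batch of e-banking events: large check deposits on new accounts, unusually large transfers, several new accounts opened from one Internet address or with the same applicant details, and activity from an address outside an assumed "domestic" range. This is an added example, not code from the booklet; the event records, the thresholds, and the domestic address blocks (documentation ranges used purely as sample data) are all constructed for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events (not taken from any real system): one dict per e-banking event.
EVENTS = [
    {"type": "account_open", "account": "A1", "ip": "203.0.113.10", "name": "J Doe", "address": "1 Main St"},
    {"type": "account_open", "account": "A2", "ip": "203.0.113.10", "name": "J Doe", "address": "1 Main St"},
    {"type": "account_open", "account": "A3", "ip": "203.0.113.10", "name": "J Doe", "address": "1 Main St"},
    {"type": "account_open", "account": "B1", "ip": "198.51.100.7", "name": "K Roe", "address": "9 Elm Rd"},
    {"type": "check_deposit", "account": "B1", "amount": 45_000},
    {"type": "transfer", "account": "C7", "amount": 1_200, "ip": "198.51.100.22"},
    {"type": "transfer", "account": "C7", "amount": 80_000, "ip": "192.0.2.55"},
]

# Assumed thresholds and an assumed set of "domestic" address blocks for the example.
MAX_ACCOUNTS_PER_IP = 2
LARGE_NEW_ACCOUNT_DEPOSIT = 10_000
LARGE_TRANSFER = 50_000
DOMESTIC_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


def detect_suspicious(events: list) -> list:
    """Return (rule, subject) alerts that should prompt additional review of the activity."""
    alerts = []
    new_accounts = set()
    opens_by_ip = defaultdict(list)
    opens_by_identity = defaultdict(list)
    for e in events:
        if e["type"] == "account_open":
            new_accounts.add(e["account"])
            opens_by_ip[e["ip"]].append(e["account"])
            opens_by_identity[(e["name"], e["address"])].append(e["account"])
        elif e["type"] == "check_deposit":
            # Large check deposits on newly opened e-banking accounts.
            if e["account"] in new_accounts and e["amount"] >= LARGE_NEW_ACCOUNT_DEPOSIT:
                alerts.append(("large_check_deposit_new_account", e["account"]))
        elif e["type"] == "transfer":
            if e["amount"] >= LARGE_TRANSFER:
                alerts.append(("large_transfer", e["account"]))
            # Activity initiated from outside the assumed domestic address blocks.
            if not any(ip_address(e["ip"]) in net for net in DOMESTIC_RANGES):
                alerts.append(("foreign_ip_activity", e["account"]))
    # Batch rules evaluated once all account openings have been seen.
    for ip, accounts in opens_by_ip.items():
        if len(accounts) > MAX_ACCOUNTS_PER_IP:
            alerts.append(("multiple_accounts_same_ip", ip))
    for (name, _address), accounts in opens_by_identity.items():
        if len(accounts) > 1:
            alerts.append(("multiple_accounts_similar_info", name))
    return alerts
```

Each alert names the rule that fired and the account or address it concerns, which is the minimum an exception report needs so that a reviewer can decide whether the activity warrants a SAR.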
Similar website names. Financial institutions should exercise care in selecting their
website name(s) in order to reduce possible confusion with those of other Internet
sites. Institutions should periodically scan the Internet to identify sites with similar
names and investigate any that appear to be posing as the institution. Suspicious
sites should be reported to appropriate criminal and regulatory authorities.
Error checks. E-banking activities provide limited opportunities for customers to
ask questions or clarify their intentions regarding a specific transaction. Institutions
can reduce customer confusion and the potential for unintended transactions by
requiring written contracts explaining rights and responsibilities, by providing
clear disclosures and on-line instructions or help functions, and by incorporating
proactive confirmations into the transaction initiation process.
On-line instructions, help features, and proactive confirmations are typically part
of the basic design of an e-banking system and should be evaluated as part of the
initial due diligence process. On-line forms can include error checks to identify
common mistakes in various fields. Proactive confirmations can require customers
to confirm their actions before the transaction is accepted for processing. For
example, a bill payment customer would enter the amount and date of payment and
specify the intended recipient. But, before accepting the customer’s instructions for
processing, the system might require the customer to review the instructions
entered and then confirm the instruction’s accuracy by clicking on a specific box or
link.
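The bill-payment flow just described (field-level error checks, then a proactive confirmation the customer gives after reviewing the instruction) as an added example; it is not code from the booklet or any institution. The design choice worth seeing is that the confirmation token is bound to the exact instruction reviewed, so an amount or payee that changes between the review step and submission invalidates the confirmation. The field names, the in-memory server key and the canonical form are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from datetime import date

# Assumed server-side key held in memory for the example (a managed secret in practice).
SERVER_KEY = os.urandom(32)


def validate_bill_payment(form: dict, today: date) -> list:
    """Error checks on the entry form; returns the names of fields with common mistakes."""
    errors = []
    if not form.get("payee", "").strip():
        errors.append("payee")
    amount = form.get("amount_cents", "")
    if not amount.isdigit() or int(amount) <= 0:
        errors.append("amount_cents")
    try:
        if date.fromisoformat(form.get("pay_on", "")) < today:
            errors.append("pay_on")
    except ValueError:
        errors.append("pay_on")
    return errors


def canonical(instruction: dict) -> bytes:
    """Fixed-order serialization so equal instructions always produce equal bytes."""
    return "|".join(f"{k}={instruction[k]}" for k in sorted(instruction)).encode()


def issue_confirmation(instruction: dict) -> str:
    """Token shown with the review page; it commits to exactly this instruction."""
    return hmac.new(SERVER_KEY, canonical(instruction), hashlib.sha256).hexdigest()


def submit_confirmed(instruction: dict, token: str) -> bool:
    """Accept for processing only if the token matches the instruction as finally submitted."""
    return hmac.compare_digest(issue_confirmation(instruction), token)
```

Because the token is recomputed from the submitted instruction, the server needs no per-instruction storage to enforce that what the customer confirmed is what gets processed.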
Alternate channel confirmations. Financial institutions should consider the need to
have customers confirm sensitive transactions like enrollment in a new on-line
service, large funds transfers, account maintenance changes, or suspicious account
activity. Positive confirmations for sensitive on-line transactions provide the
customer with the opportunity to help catch fraudulent activity. Financial
institutions can encourage customer participation in fraud detection and increase
customer confidence by sending confirmations of certain high-risk activities
through additional communication channels such as the telephone, e-mail, or
traditional mail.

BUSINESS CONTINUITY CONTROLS


E-banking customers often expect 24-hour availability. Service interruptions can
significantly affect customers if the institution offers more than the most basic
services. For example, customer bill payment transactions may not be paid on
time. Due to the potential impact on customers and customer service, financial
institutions should analyze the impact of service outages and take steps to decrease
the probability of outages and minimize the recovery time if one should occur.
Some considerations include:
Conducting a business impact analysis of e-banking services that defines the
minimum level of service required and establishes recovery-time objectives;
Building redundancy into critical network components to avoid single points
of failure;
Updating business continuity plans to address e-banking;
Developing customer communication plans prior to an outage;
Reviewing the compatibility of key third parties’ business continuity plans;
and
Periodically testing business resumption capabilities to determine if
objectives can be met.
Based on activity volumes, the number of customers affected, and the availability of
alternate service channels (branches, checks, etc.), some institutions may not
consider e-banking services “mission critical” and warranting a high priority in
their business continuity plans. Management should periodically reassess this
decision to ensure the supporting rationale continues to reflect actual growth and
expansion in e-banking services.

LEGAL AND COMPLIANCE ISSUES


Financial institutions should comply with all legal requirements relating to e-
banking, including the responsibility to provide their e-banking customers with
appropriate disclosures and to protect customer data. Failure to comply with these
responsibilities could result in significant compliance, legal, or reputation risk for
the financial institution.
TRADE NAMES ON THE INTERNET
Financial institutions may choose to use a name different from their legal name for
their e-banking operations. Since these trade names are not the institution’s official
corporate title, information on the website should clearly identify the institution’s
legal name and physical location. This is particularly important for websites that
solicit deposits since persons may inadvertently exceed deposit insurance limits.
The risk management techniques financial institutions should use are based on an
“Interagency Statement for Branch Names” issued May 1, 1998.
Financial institutions that use trade names for e-banking operations should:
Disclose clearly and conspicuously, in signs, advertising, and similar
materials that the facility is a division or operating unit of the insured
institution;
Use the legal name of the insured institution for legal documents, certificates
of deposit, signature cards, loan agreements, account statements, checks,
drafts, and other similar documents; and
Train staff of the insured institution regarding the possibility of customer
confusion with respect to deposit insurance.
Disclosures must be clear, prominent, and easy to understand. Examples of how
Internet disclosures may be made conspicuous include using large font or type that
is easily viewable when a page is first opened; inserting a dialog page that appears
whenever a customer accesses a webpage; or placing a simple graphic near the top
of the page or in close proximity to the financial institution’s logo. These examples
are only some of the possibilities for conspicuous disclosures given the available
technology. Front-line employees (e.g., call center staff) should be trained to
ensure that customers understand these disclosures and mitigate confusion
associated with multiple trade names.

WEBSITE CONTENT
Financial institutions can take a number of steps to avoid customer confusion
associated with their website content. Some examples of information a financial
institution might provide to its customers on its website include:
The name of the financial institution and the location of its main office (and
branch offices if applicable);
The identity of the primary financial institution supervisory authority
responsible for the supervision of the financial institution's main office;
Instructions on how customers can contact the financial institution's customer
service center regarding service problems, complaints, suspected misuse of
accounts, etc.;
Instructions on how to contact the applicable supervisor to file consumer
complaints; and
Instructions for obtaining information on deposit insurance coverage and the
level of protection that the insurance affords, including links to the FDIC or
NCUA websites at http://www.fdic.gov or www.ncua.gov, respectively.

CUSTOMER PRIVACY AND CONFIDENTIALITY


Maintaining the privacy of a customer’s information is one of the cornerstones
upon which trust in the U.S. banking system is based. Misuse or unauthorized
disclosure of confidential customer data may expose a financial institution to
customer litigation or action by regulatory agencies. To meet expectations
regarding the privacy of customer information, financial institutions should ensure
that their privacy policies and standards comply with applicable privacy laws and
regulations, particularly the privacy requirements established by GLBA. The
regulation implementing GLBA’s requirements also describes standards on
electronic disclosures that apply if an institution elects to display its privacy policy
on its website.
TRANSACTION MONITORING AND CONSUMER DISCLOSURES
The general requirements and controls that apply to paper-based transactions also
apply to electronic financial services. Consumer financial services regulations
generally require that institutions send, provide, or deliver disclosures to
consumers as opposed to merely making the disclosures available. Financial
institutions are permitted to provide such disclosures electronically if they obtain
consumers’ consent in a manner consistent with the requirements of the federal
Electronic Signatures in Global and National Commerce Act (the E-Sign Act). The
Federal Reserve Board has issued interim rules providing guidance on how the E-
Sign Act applies to the consumer financial services and fair lending laws and
regulations administered by the Board. However, mandatory compliance with the
interim rules was not required at the time of this booklet’s publication. Financial
institutions may provide electronic disclosures under their existing policies or
practices, or may follow the interim rules, until the Board issues permanent rules.
When disclosures are required to be in writing, the E-Sign Act requires that
financial institutions generally must obtain a consumer’s affirmative consent to
provide disclosures electronically. Under the E-Sign Act, a consumer must, among
other things, provide such consent electronically and in a manner that reasonably
demonstrates that he or she can access the electronic record in the format used by
the institution. In addition, the institution must advise customers of their right to
withdraw their consent for electronic disclosures and explain any conditions,
consequences, or fees triggered by withdrawing such consent.