ebanking_workprogram
-
Upload
makarand-lonkar -
Category
Documents
-
view
222 -
download
0
Transcript of ebanking_workprogram
-
7/28/2019 ebanking_workprogram
1/24
E-Banking August 2003
E-BANKING EXAMINATION PROCEDURES
Work Paper
Reference Comment
GENERAL PROCEDURES
Objective 1: Determine the scope for the examination of the institutions e-banking activitiesconsistent with the nature and complexity of the institutions operations.
1. Review the following documents toidentify previously noted issuesrelated to the e-banking area thatrequire follow-up:
Previous regulatory examinationreports
Supervisory strategy Follow-up activities Work papers from previous
examinations Correspondence
2. Identify the e-banking products andservices the institution offers,supports, or provides automaticlinks to (i.e., retail, wholesale,investment, fiduciary, e-commercesupport, etc.).
3. Assess the complexity of these products and services consideringvolumes (transaction and dollar),customer base, significance of feeincome, and technical
sophistication.
4. Identify third-party providers andthe extent and nature of their
processing or support services.
FFIEC IT Examination Handbook Page 1
-
7/28/2019 ebanking_workprogram
2/24
E-Banking August 2003
Work Paper
Reference Comment
5. Discuss with management or review MIS or other monitoringreports to determine theinstitutions recent experience andtrends for the following:
Intrusions, both attempted andsuccessful;
Fraudulent transactions reported by customers;
Customer complaint volumes andaverage time to resolution; and
Frequency and duration of service disruptions.
6. Review audit and consultantreports, managements responses,and problem tracking systems toidentify potential issues for examination follow-up. Possiblesources include
Internal and external auditreports and Statement of Accounting Standards 70 (SAS70) reviews for service
providers, Security reviews/evaluations
from internal risk review or external consultants (includesvulnerability and penetrationtesting), and
Findings from GLBA securityand control tests and annualGLBA reports to the board.
7. Review network schematic toidentify the location of major e-
banking components. Documentthe location and the entityresponsible for development,operation, and support of each of the major system components.
FFIEC IT Examination Handbook Page 2
-
7/28/2019 ebanking_workprogram
3/24
E-Banking August 2003
Work Paper
Reference Comment
8. Review the institutions e-bankingsite(s) to gain a generalunderstanding of the scope of e-
banking activities and the websitesorganization, structure, andoperability.
9. Discuss with management recentand planned changes in
The types of products andservices offered;
Marketing or pricing strategies;
Network structure; Risk management processes,
including monitoring techniques; Policies, processes, personnel, or
controls, including strategies for intrusion responses or businesscontinuity planning;
Service providers or other technology vendors; and
The scope of independentreviews or the individuals or
entities conducting them.10. Based on the findings from the
previous steps, determine the scopeof the e-banking review. Discuss,as appropriate, with the examiner or office responsible for supervisory oversight of theinstitution.
Select from among the following examination objectives and procedures those that areappropriate to the examinations scope. When more in-depth coverage of an area is
warranted, examiners should select procedures from other booklets of the IT Handbook asnecessary (e.g., Information Security Booklet, Retail Payments Systems Booklet, etc.).For more complex e-banking environments, examiners may need to integrate IT coverage withbusiness line-specific coverage. In those cases, examiners should consult other subject matterexperts and consider inclusion of the member agencys expanded procedures (e.g.,compliance, retail lending, fiduciary/asset management, etc.).
FFIEC IT Examination Handbook Page 3
-
7/28/2019 ebanking_workprogram
4/24
E-Banking August 2003
Work Paper
Reference Comment
BOARD AND MANAGEMENT OVERSIGHT
Objective 2: Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.
1. Evaluate the institutions short- andlong-term strategies for e-banking
products and services. In assessingthe institutions planning processes,
consider whether The scope and type of e-banking
services are consistent with theinstitutions overall mission,strategic goals, operating plans,and risk tolerance;
The institutions MIS is adequateto measure the success of e-
banking strategies based onclearly defined organizationalgoals and objectives;
Managements understanding of industry standards is sufficient toensure compatibility with legacysystems;
Cost-benefit analyses of e- banking activities consider thecosts of start-up, operation,administration, upgrades,customer support, marketing, risk management, monitoring,independent testing, and vendor oversight (if applicable);
Managements evaluation of security risks, threats, andvulnerabilities is realistic andconsistent with institutions risk
profile; Managements knowledge of
federal and state laws and
FFIEC IT Examination Handbook Page 4
-
7/28/2019 ebanking_workprogram
5/24
E-Banking August 2003
Work Paper
Reference Comment
regulations as they pertain to e- banking is adequate; and
A process exists to periodicallyevaluate the institutions e-
banking product mix andmarketing successes and link those findings to its planning
process.
2. Determine whether e-bankingguidance and risk considerationshave been incorporated into theinstitutions operating policies toan extent appropriate for the size of the financial institution and thenature and scope of its e-bankingactivities. Consider whether theinstitutions policies and practices
Include e-banking issues in theinstitutions processes andresponsibilities for identifying,measuring, monitoring, andcontrolling risks;
Define e-banking risk appetite in
terms of types of product or service, customer restrictions(local/domestic/foreign), or geographic lending territory;
Consider, if appropriate, e- banking activities as a mission-critical activity for businesscontinuity planning;
Assign day-to-dayresponsibilities for e-bankingcompliance issues includingmarketing, disclosures, and
BSA/OFAC issues; Require e-banking issues to be
included in periodic reporting tothe board of directors on thetechnologies employed, risksassumed, and compensating risk
FFIEC IT Examination Handbook Page 5
-
7/28/2019 ebanking_workprogram
6/24
E-Banking August 2003
Work Paper
Reference Comment
management practices; Maintain policies and procedures
over e-commerce payments (i.e., bill payment or cashmanagement) consistent with therisk and controls associated withthe underlying payment systems(check processing, ACH, wiretransfers, etc.);
Establish policies to address e-commerce support services(aggregation, certificateauthority, commercial websitehosting/design, etc.);
Include e-banking considerationsin the institutions written
privacy policy; and Require the board of directors to
periodically review and approveupdated policies and proceduresrelated to e-banking.
3. Assess the level of oversight by the board and management in ensuring
that planning and monitoring aresufficiently robust to addressheightened risks inherent in e-
banking products and services.Consider whether
The board reviews, approves,and monitors e-bankingtechnology-related projects thatmay have a significant impact onthe financial institutions risk
profile; The board ensures appropriate
programs are in place to overseesecurity, recovery, and third-
party providers of critical e- banking products and services;
Senior management evaluateswhether technologies and
FFIEC IT Examination Handbook Page 6
-
7/28/2019 ebanking_workprogram
7/24
E-Banking August 2003
Work Paper
Reference Comment
products are in line with thefinancial institutions strategicgoals and meet market needs;
Senior management periodicallyevaluates e-banking performancerelative to original/revised
project plans; Senior management has
developed, as appropriate, exitstrategies for high-risk activities;and
Institution personnel have the
proper skill sets to evaluate,select, and implement e-bankingtechnology.
4. Evaluate adequacy of key MISreports to monitor risks in e-
banking activities. Consider monitoring of the following areas:
Systems capacity and utilization; Frequency and duration of
service interruptions; Volume and type of customer
complaints, including time tosuccessful resolution;
Transaction volumes by type,number, dollar amount, behavior (e.g. , bil l payment or cashmanagement transaction needsufficient monitoring to identifysuspicious or unusual activity);
Exceptions to security policieswhether automated or
procedural; Unauthorized penetrations of e-
banking system or network, bothactual and attempted;
Losses due to fraud or processing/balancing errors; and
Credit performance and profitability of accounts
FFIEC IT Examination Handbook Page 7
-
7/28/2019 ebanking_workprogram
8/24
E-Banking August 2003
Work Paper
Reference Comment
originated through e-bankingchannels.
5. Determine whether audit coverageof e-banking activities isappropriate for the type of servicesoffered and the level of risk assumed. Consider the frequencyof e-banking reviews, the adequacyof audit expertise relative to thecomplexity of e-banking activities,the extent of functions outsourcedto third-party providers. The audit
scope should include Testing/verification of security
controls, authenticationtechniques, access levels, etc.;
Reviewing security monitoring processes, including network r isk analysis and vulnerabilityassessments;
Verifying operating controls,including balancing andseparation of duties; and
Validating the accuracy of keyMIS and risk managementreports.
Objective 3: Determine the quality of the institutions risk management over outsourced technology services.
1. Assess the adequacy of managements due diligenceactivities prior to vendor selection.Consider whether
Strategic and business plans areconsistent with outsourcingactivity, and
Vendor information was gatheredand analyzed prior to signing thecontract, and the analysis
FFIEC IT Examination Handbook Page 8
-
7/28/2019 ebanking_workprogram
9/24
E-Banking August 2003
Work Paper
Reference Comment
considered the following:- Vendor reputation;- Financial condition;- Costs for development,
maintenance, and support;- Internal controls and recovery
processes; and- Ability to provide required
monitoring reports.
2. Determine whether the institutionhas reviewed vendor contracts toensure that the responsibilities of each party are appropriatelyidentified. Consider the following
provisions if applicable:
Description of the work performed or service provided;
Basis for costs, description of additional fees, and details onhow prices may change over theterm of the contract;
Implementation of an appropriate
information security program; Audit rights and responsibilities; Contingency plans for service
recovery; Data backup and protection
provisions; Responsibilities for data security
and confidentiality and languagecomplying with the GLBA501(b) guidelines regardingsecurity programs;
Hardware and software upgrades; Availability of vendors financialinformation;
Training and problem resolution; Reasonable penalty and
cancellation provisions;
FFIEC IT Examination Handbook Page 9
-
7/28/2019 ebanking_workprogram
10/24
E-Banking August 2003
Work Paper
Reference Comment
Prohibition of contractassignment;
Limitations over subcontracting(i.e., prohibition or notification
prior to engaging a subcontractor for data processing, softwaredevelopment, or ancillaryservices supporting thecontracted service to theinstitution);
Termination rights withoutexcessive fees, including thereturn of data in a machine-readable format in a timelymanner;
Financial institution ownershipof the data;
Covenants dealing with thechoice of law (United States or foreign nation); and
Rights of federal regulators toexamine the services, including
processing and supportconducted from a foreign nation.
3. Assess the adequacy of ongoingvendor oversight. Consider whether the institutions oversightefforts include
Designation of personnelaccountable for monitoringactivities and services;
Control over remote vendor access (e.g., dial-in, dedicatedline, Internet);
Review of service providersfinancial condition;
Periodic reviews of businesscontinuity plans, includingcompatibility with those of theinstitution;
Review of service provider
FFIEC IT Examination Handbook Pa ge 10
-
7/28/2019 ebanking_workprogram
11/24
E-Banking August 2003
Work Paper
Reference Comment
audits (e.g., SAS 70 reports) andregulatory examination reports;and
Review and monitoring of performance reports for services provided.
INFORMATION SECURITY PROCESS
Objective 4: Determine if the institutions information security program sufficiently addressese-banking risks.
1. Determine whether the institutionswritten security program for customer information required byGLBA guidelines includes e-
banking products and services.
2. Discuss the institutions e-bankingenvironment with management asapplicable. Based on this
discussion, evaluate whether theexamination scope should beexpanded to include selected Tier II
procedures from the IT HandbooksInformation Security Booklet.Consider discussing the followingtopics:
Current knowledge of attackersand attack techniques;
Existence of up-to-dateequipment and softwareinventories;
Rapid response capability for newly discovered vulnerabilities;
Network access controls over external connections;
Hardening of systems; Malicious code prevention;
FFIEC IT Examination Handbook Pa ge 11
-
7/28/2019 ebanking_workprogram
12/24
E-Banking August 2003
Work Paper
Reference Comment
Rapid intrusion detection andresponse procedures;
Physical security of computingdevices;
User enrollment, change, andtermination procedures;
Authorized use policy; Personnel training; Independent testing; and Service provider oversight.
3. Determine whether the security
program includes monitoring of systems and transactions andwhether exceptions are analyzed toidentify and correct noncompliancewith security policies asappropriate. Consider whether theinstitution adequately monitors thefollowing:
Systems capacity and utilization; The frequency and duration of
service interruptions;
The volume and type of customer complaints, including time toresolution;
Transaction volumes by type,number, and dollar amount;
Security exceptions; Unauthorized penetrations of e-
banking system or network, bothactual and at tempted (e.g.,firewall and intrusion detectionsystem logs); and
E-banking losses due to fraud or errors.
4. Determine the adequacy of theinstitutions authentication methodsand need for multi-factor authentication relative to thesensitivity of systems or
FFIEC IT Examination Handbook Pa ge 12
-
7/28/2019 ebanking_workprogram
13/24
E-Banking August 2003
Work Paper
Reference Comment
transactions. Consider thefollowing processes:
Account access Intrabank funds transfer Account maintenance Electronic bill payment Corporate cash management Other third-party payments or
asset transfers
5. If the institution uses passwords for customer authentication, determinewhether password administrationguidelines adequately address thefollowing:
Selection of password length andcomposition considering ease of remembering, vulnerability tocompromise, sensitivity of system or information protected,and use as single- or multi-factor authentication;
Restrictions on the use of
automatic log-on features; User lockout after a number of
failed log-on attempts industry practice is generally no morethan 3 to 5 incorrect attempts;
Password expiration for sensitiveinternal or high-value systems;
Users ability to select and/or change their passwords;
Passwords disabled after a prolonged period of inactivity;
Secure process for passwordgeneration and distribution;
Termination of customer connections after a specifiedinterval of inactivity industry
practice is generally not morethan 10 to 20 minutes;
FFIEC IT Examination Handbook Pa ge 13
-
7/28/2019 ebanking_workprogram
14/24
E-Banking August 2003
Work Paper
Reference Comment
Procedures for resetting passwords, including forcedchange at next log-on after reset;
Review of password exceptionreports;
Secure access controls over password databases, includingencryption of stored passwords;
Password guidance to customersand employees regarding prudent
password selection and theimportance of protecting
password confidentiality; and Avoidance of commonlyavailable information (i.e., name,social security number) as user IDs.
6. Evaluate access control associatedwith employees administrativeaccess to ensure
Administrative access is assignedonly to unique, employee-specific IDs;
Account creation, deletion, andmaintenance activity ismonitored; and
Access to funds-transfer capabilities is under dual controland consistent with controls over
payment transmission channel(e.g. , ACH, wire transfer,Fedline).
7. Evaluate the appropriateness of incident response plans. Consider whether the plans include
A response process that assures prompt notification of senior management and the board asdictated by the probable severityof damage and potential
FFIEC IT Examination Handbook Pa ge 14
-
7/28/2019 ebanking_workprogram
15/24
E-Banking August 2003
Work Paper
Reference Comment
monetary loss related to adverseevents;
Adequate outreach strategies toinform the media and customersof the event and any correctivemeasures;
Consideration of legal liabilityissues as part of the response
process, including notificationsof customers specifically or
potentially affected; and Information-sharing procedures
to bring security breaches to theattention of appropriatemanagement and external entities(e.g. , regulatory agencies,Suspicious Activity Reports,information-sharing groups, lawenforcement, etc.).
8. Assess whether the informationsecurity program includesindependent security testing asappropriate for the type andcomplexity of e-banking activity.Tests should include, as warranted:
Independent audits Vulnerability assessments Penetration testing
Objective 5: Determine if the institution has implemented appropriate administrative controlsto ensure the availability and integrity of processes supporting e-banking services.
1. Determine whether employeeauthorization levels and access
privileges are commensurate withtheir assigned duties and reinforcesegregation of duties.
2. Determine whether controls for e- banking applications include
FFIEC IT Examination Handbook Pa ge 15
-
7/28/2019 ebanking_workprogram
16/24
E-Banking August 2003
Work Paper
Reference Comment
Appropriate balancing andreconciling controls for e-
banking activity; Protection of critical data or
information from tamperingduring transmission and fromviewing by unauthorized parties(e.g., encryption);
Automated validation techniquessuch as check digits or hashtotals to detect tampering withmessage content duringtransmission;
Independent control totals for transactions exchanged betweene-banking applications andlegacy systems; and
Ongoing review for suspicioustransactions such as large-dollar transactions, high transactionvolume, or unusual accountactivity.
3. Determine whether audit trails for
e-banking activities are sufficientto identify the source of transactions. Consider whether audit trails can identify the sourceof the following:
On-line instructions to open,modify, or close a customersaccount;
Any transaction with financialconsequences;
Overrides or approvals to exceedestablished limits; and
Any activity granting, changing,or revoking systems access rightsor privileges (e.g., revoked after three unsuccessful attempts).
4. Evaluate the physical security over
FFIEC IT Examination Handbook Pa ge 16
-
7/28/2019 ebanking_workprogram
17/24
E-Banking August 2003
Work Paper
Reference Comment
e-banking equipment, media, andcommunication lines.
5. Determine whether businesscontinuity plans appropriatelyaddress the business impact of e-
banking products and services.Consider whether the plans includethe following:
Regular review and update of e- banking contingency plans;
Specific staff responsible for
ini tiating and managing e- banking recovery plans;
Adequate analysis and mitigationof any single points of failure for critical networks;
Strategies to recover hardware,software, communication links,and data files; and
Regular testing of back-upagreements with external vendorsor critical suppliers.
LEGAL AND COMPLIANCE ISSUES
Objective 6: Assess the institutions understanding and management of legal and complianceissues associated with e-banking activities.
1. Determine how the institution staysinformed on legal and regulatorydevelopments associated with e-
banking and thus ensures e-bankingactivities comply with appropriateconsumer compliance regulations.Consider
Existence of a process for tracking current litigation andregulations that could affect the
FFIEC IT Examination Handbook Pa ge 17
-
7/28/2019 ebanking_workprogram
18/24
E-Banking August 2003
Work Paper
Reference Comment
institutions e-banking activities; Assignment of personnel
responsible for monitoring e- banking legislation and therequirements of or changes tocompliance regulations; and
Inclusion of e-banking activityand website content in theinstitutions compliancemanagement program.
2. Review the website content for inclusion of federal depositinsurance logos if insureddepository services are offered (12CFR 328 or 12 CFR 740).
3. Review the website content for inclusion of the followinginformation which institutionsshould consider to avoid customer confusion and communicatecustomer responsibilities:
Disclosure of corporate identity
and location of head and branchoffices for financial institutionsusing a trade name;
Disclosure of applicableregulatory information, such asthe identity of the institutions
primary regulator or informationon how to contact or fi le acomplaint with the regulator;
Conspicuous notices of theinapplicability of FDIC/NCUAinsurance to, the potential risks
associated with, and the actual product provider of, the specif icinvestment and insurance
products offered; Security policies and customer
usage responsibilities (includingsecurity disclosures and Internet
FFIEC IT Examination Handbook Pa ge 18
-
7/28/2019 ebanking_workprogram
19/24
E-Banking August 2003
Work Paper
Reference Comment
banking agreements); On-line funds transfer
agreements for bill payment or cash management users; and
Disclosure of privacy policy financial institutions areencouraged, but not required, todisclose their privacy policies ontheir websites to include
- Conspicuous disclosure of the privacy policy on the website ina manner that complies with the
privacy regulation and- Information on how to opt outof sharing (if the institutionshares information with third
parties).
4. If the financial institutionelectronically delivers consumer disclosures that are required to be
provided in writing, assess theinstitutions compliance with the E-Sign Act. Review to determine
whether The disclosures- Are clear and conspicuous;- Inform the consumer of any right
or option to receive the record in paper or non-electronic form;
- Inform the consumer of the rightto withdraw consent, includingany conditions, consequences, or fees associated with such action;
- Inform consumers of thehardware and software needed toaccess and retain the disclosurefor their records; and
- Indicate whether the consentapplies to only a particular transaction or to identified
FFIEC IT Examination Handbook Pa ge 19
-
7/28/2019 ebanking_workprogram
20/24
E-Banking August 2003
Work Paper
Reference Comment
categories of records. The procedures the consumer
uses to affirmatively consent toelectronic delivery reasonablydemonstrate the consumersability to access/viewdisclosures.
5. Determine whether e-bankingsupport services are in place tofacilitate compliance efforts,including
Effective customer support bythe help desk, addressing
- Complaint levels and resolutionstatistics,
- Performance relative to customer service level expectations, and
- Review of complaints/ problemsfor patterns or trends indicativeof processing deficiencies or security weaknesses and
Appropriate processes for authenticating and maintainingelectronic signatures (E-SignAct).
6. As applicable, determine whether the financial institution hasconsidered the applicability of various laws and regulations to itse-banking activities:
Monitoring of potential money-laundering activities associatedwith e-banking required by the
Bank Secrecy Act (31 CFR 103.18); Filing of Suspicious Activity
Reports for unusual or unauthorized e-banking activityor computer security intrusionsrequirements (regulation cites
FFIEC IT Examination Handbook Pa ge 20
-
7/28/2019 ebanking_workprogram
21/24
E-Banking August 2003
Work Paper
Reference Comment
vary by agency); Screening of on-line applications
and activity for entities/countries prohibited by the Office of Foreign Asset Control (31 CFR 500 et. seq.); and
Authenticating new e-bankingcustomers using identificationtechniques consistent with therequirements of Bank SecrecyAct (31 CFR 103) and the USAPATRIOT Act [12 CFR 21(OCC), 12 CFR 208 and 211(Board), 12 CFR 326 (FDIC), 12CFR 563 (OTS), and 12 CFR 748(NCUA)].
7. If overview of e-bankingcompliance identifies weaknessesin the institutions considerationand oversight of compliance issues,consider expanding coverage toinclude more detailed review usingagency-specific complianceexamination procedures.
EXAMINATION CONCLUSIONS
Objective 7: Develop conclusions, communicate findings, and initiate corrective action onviolations and other examination findings.
1. Assess the potential impact of theexamination conclusions on the
institutions CAMELS andUniform Rating System for Information Technology (URSIT)ratings.
2. As applicable to your agency,identify risk areas where the
FFIEC IT Examination Handbook Pa ge 21
-
7/28/2019 ebanking_workprogram
22/24
E-Banking August 2003
Work Paper
Reference Comment
institutions risk management processes are insufficient tomitigate the level of increased risksattributed to e-banking activities.Consider
Transaction/operations risk Credit risk Liquidity risk Interest rate and price/market
risk Compliance/legal risk Strategic risk Reputation risk
3. Prepare a summary memorandumdetailing the results of the e-
banking examination. Consider
Deficiencies noted andrecommended corrective actionregarding deficient policies,
procedures, practices, or other concerns;
Appropriateness of strategic and
business plans; Adequacy and adherence to
policies; Adequacy of security controls
and risk management systems; Compliance with applicable laws
and regulations; Adequacy of internal controls; Adequacy of audit coverage and
independent security testing; Other matters of significance;
and Recommendations for future
examination coverage (includingneed for additional specializedexpertise).
FFIEC IT Examination Handbook Pa ge 22
-
7/28/2019 ebanking_workprogram
23/24
E-Banking August 2003
Work Paper
Reference Comment
4. Discuss examination findings andconclusions with the examiner-in-charge. As appropriate, preparedraft report comments that addressexamination findings indicative of
Significant control weaknesses or risks (note the root cause of thedeficiency, consequence of inaction or benefit of action,management corrective action,the time frame for correction,and the person responsible for
corrective action); Deviations from safety andsoundness principles that mayresult in financial or operationaldeterioration if not addressed; or
Substantive noncompliance withlaws or regulations.
5. In coordination with the examiner-in-charge, discuss findings withinstitution management including,as applicable, conclusions
regarding applicable ratings andrisks. If necessary, obtaincommitments for corrective action.
6. Revise draft e-banking commentsto reflect discussions withmanagement and finalize commentsfor inclusion in the report of examination.
7. As applicable, according to your agencys requirements/instructions,
include written commentsspecifically stating what theregulator should do in the future toeffectively supervise e-banking inthis institution. Includesupervisory objectives, timeframes, staffing, and workdays
FFIEC IT Examination Handbook Pa ge 23
-
7/28/2019 ebanking_workprogram
24/24
E-Banking August 2003
Work Paper
Reference Comment
required.
8. Update the agencys informationsystems and applicable report of examination schedules or tables asapplicable.
Examiner Date
Reviewers Initials