ebanking_workprogram

7/28/2019 ebanking_workprogram

1/24

E-Banking August 2003

E-BANKING EXAMINATION PROCEDURES

Work Paper

Reference Comment

GENERAL PROCEDURES

Objective 1: Determine the scope for the examination of the institutions e-banking activitiesconsistent with the nature and complexity of the institutions operations.

1. Review the following documents toidentify previously noted issuesrelated to the e-banking area thatrequire follow-up:

Previous regulatory examinationreports

Supervisory strategy Follow-up activities Work papers from previous

examinations Correspondence

2. Identify the e-banking products andservices the institution offers,supports, or provides automaticlinks to (i.e., retail, wholesale,investment, fiduciary, e-commercesupport, etc.).

3. Assess the complexity of these products and services consideringvolumes (transaction and dollar),customer base, significance of feeincome, and technical

sophistication.

4. Identify third-party providers andthe extent and nature of their

processing or support services.

FFIEC IT Examination Handbook Page 1


2/24


Work Paper

Reference Comment

5. Discuss with management or review MIS or other monitoringreports to determine theinstitutions recent experience andtrends for the following:

Intrusions, both attempted andsuccessful;

Fraudulent transactions reported by customers;

Customer complaint volumes andaverage time to resolution; and

Frequency and duration of service disruptions.

6. Review audit and consultantreports, managements responses,and problem tracking systems toidentify potential issues for examination follow-up. Possiblesources include

Internal and external auditreports and Statement of Accounting Standards 70 (SAS70) reviews for service

providers, Security reviews/evaluations

from internal risk review or external consultants (includesvulnerability and penetrationtesting), and

Findings from GLBA securityand control tests and annualGLBA reports to the board.

7. Review network schematic toidentify the location of major e-

banking components. Documentthe location and the entityresponsible for development,operation, and support of each of the major system components.



3/24


Work Paper

Reference Comment

8. Review the institutions e-bankingsite(s) to gain a generalunderstanding of the scope of e-

banking activities and the websitesorganization, structure, andoperability.

9. Discuss with management recentand planned changes in

The types of products andservices offered;

Marketing or pricing strategies;

Network structure; Risk management processes,

including monitoring techniques; Policies, processes, personnel, or

controls, including strategies for intrusion responses or businesscontinuity planning;

Service providers or other technology vendors; and

The scope of independentreviews or the individuals or

entities conducting them.10. Based on the findings from the

previous steps, determine the scopeof the e-banking review. Discuss,as appropriate, with the examiner or office responsible for supervisory oversight of theinstitution.

Select from among the following examination objectives and procedures those that areappropriate to the examinations scope. When more in-depth coverage of an area is

warranted, examiners should select procedures from other booklets of the IT Handbook asnecessary (e.g., Information Security Booklet, Retail Payments Systems Booklet, etc.).For more complex e-banking environments, examiners may need to integrate IT coverage withbusiness line-specific coverage. In those cases, examiners should consult other subject matterexperts and consider inclusion of the member agencys expanded procedures (e.g.,compliance, retail lending, fiduciary/asset management, etc.).



4/24


Work Paper

Reference Comment

BOARD AND MANAGEMENT OVERSIGHT

Objective 2: Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.

1. Evaluate the institutions short- andlong-term strategies for e-banking

products and services. In assessingthe institutions planning processes,

consider whether The scope and type of e-banking

services are consistent with theinstitutions overall mission,strategic goals, operating plans,and risk tolerance;

The institutions MIS is adequateto measure the success of e-

banking strategies based onclearly defined organizationalgoals and objectives;

Managements understanding of industry standards is sufficient toensure compatibility with legacysystems;

Cost-benefit analyses of e- banking activities consider thecosts of start-up, operation,administration, upgrades,customer support, marketing, risk management, monitoring,independent testing, and vendor oversight (if applicable);

Managements evaluation of security risks, threats, andvulnerabilities is realistic andconsistent with institutions risk

profile; Managements knowledge of

federal and state laws and



5/24


Work Paper

Reference Comment

regulations as they pertain to e- banking is adequate; and

A process exists to periodicallyevaluate the institutions e-

banking product mix andmarketing successes and link those findings to its planning

process.

2. Determine whether e-bankingguidance and risk considerationshave been incorporated into theinstitutions operating policies toan extent appropriate for the size of the financial institution and thenature and scope of its e-bankingactivities. Consider whether theinstitutions policies and practices

Include e-banking issues in theinstitutions processes andresponsibilities for identifying,measuring, monitoring, andcontrolling risks;

Define e-banking risk appetite in

terms of types of product or service, customer restrictions(local/domestic/foreign), or geographic lending territory;

Consider, if appropriate, e- banking activities as a mission-critical activity for businesscontinuity planning;

Assign day-to-dayresponsibilities for e-bankingcompliance issues includingmarketing, disclosures, and

BSA/OFAC issues; Require e-banking issues to be

included in periodic reporting tothe board of directors on thetechnologies employed, risksassumed, and compensating risk



6/24


Work Paper

Reference Comment

management practices; Maintain policies and procedures

over e-commerce payments (i.e., bill payment or cashmanagement) consistent with therisk and controls associated withthe underlying payment systems(check processing, ACH, wiretransfers, etc.);

Establish policies to address e-commerce support services(aggregation, certificateauthority, commercial websitehosting/design, etc.);

Include e-banking considerationsin the institutions written

privacy policy; and Require the board of directors to

periodically review and approveupdated policies and proceduresrelated to e-banking.

3. Assess the level of oversight by the board and management in ensuring

that planning and monitoring aresufficiently robust to addressheightened risks inherent in e-

banking products and services.Consider whether

The board reviews, approves,and monitors e-bankingtechnology-related projects thatmay have a significant impact onthe financial institutions risk

profile; The board ensures appropriate

programs are in place to overseesecurity, recovery, and third-

party providers of critical e- banking products and services;

Senior management evaluateswhether technologies and



7/24


Work Paper

Reference Comment

products are in line with thefinancial institutions strategicgoals and meet market needs;

Senior management periodicallyevaluates e-banking performancerelative to original/revised

project plans; Senior management has

developed, as appropriate, exitstrategies for high-risk activities;and

Institution personnel have the

proper skill sets to evaluate,select, and implement e-bankingtechnology.

4. Evaluate adequacy of key MISreports to monitor risks in e-

banking activities. Consider monitoring of the following areas:

Systems capacity and utilization; Frequency and duration of

service interruptions; Volume and type of customer

complaints, including time tosuccessful resolution;

Transaction volumes by type,number, dollar amount, behavior (e.g. , bil l payment or cashmanagement transaction needsufficient monitoring to identifysuspicious or unusual activity);

Exceptions to security policieswhether automated or

procedural; Unauthorized penetrations of e-

banking system or network, bothactual and attempted;

Losses due to fraud or processing/balancing errors; and

Credit performance and profitability of accounts



8/24


Work Paper

Reference Comment

originated through e-bankingchannels.

5. Determine whether audit coverageof e-banking activities isappropriate for the type of servicesoffered and the level of risk assumed. Consider the frequencyof e-banking reviews, the adequacyof audit expertise relative to thecomplexity of e-banking activities,the extent of functions outsourcedto third-party providers. The audit

scope should include Testing/verification of security

controls, authenticationtechniques, access levels, etc.;

Reviewing security monitoring processes, including network r isk analysis and vulnerabilityassessments;

Verifying operating controls,including balancing andseparation of duties; and

Validating the accuracy of keyMIS and risk managementreports.

Objective 3: Determine the quality of the institutions risk management over outsourced technology services.

1. Assess the adequacy of managements due diligenceactivities prior to vendor selection.Consider whether

Strategic and business plans areconsistent with outsourcingactivity, and

Vendor information was gatheredand analyzed prior to signing thecontract, and the analysis



9/24


Work Paper

Reference Comment

considered the following:- Vendor reputation;- Financial condition;- Costs for development,

maintenance, and support;- Internal controls and recovery

processes; and- Ability to provide required

monitoring reports.

2. Determine whether the institutionhas reviewed vendor contracts toensure that the responsibilities of each party are appropriatelyidentified. Consider the following

provisions if applicable:

Description of the work performed or service provided;

Basis for costs, description of additional fees, and details onhow prices may change over theterm of the contract;

Implementation of an appropriate

information security program; Audit rights and responsibilities; Contingency plans for service

recovery; Data backup and protection

provisions; Responsibilities for data security

and confidentiality and languagecomplying with the GLBA501(b) guidelines regardingsecurity programs;

Hardware and software upgrades; Availability of vendors financialinformation;

Training and problem resolution; Reasonable penalty and

cancellation provisions;



10/24


Work Paper

Reference Comment

Prohibition of contractassignment;

Limitations over subcontracting(i.e., prohibition or notification

prior to engaging a subcontractor for data processing, softwaredevelopment, or ancillaryservices supporting thecontracted service to theinstitution);

Termination rights withoutexcessive fees, including thereturn of data in a machine-readable format in a timelymanner;

Financial institution ownershipof the data;

Covenants dealing with thechoice of law (United States or foreign nation); and

Rights of federal regulators toexamine the services, including

processing and supportconducted from a foreign nation.

3. Assess the adequacy of ongoingvendor oversight. Consider whether the institutions oversightefforts include

Designation of personnelaccountable for monitoringactivities and services;

Control over remote vendor access (e.g., dial-in, dedicatedline, Internet);

Review of service providersfinancial condition;

Periodic reviews of businesscontinuity plans, includingcompatibility with those of theinstitution;

Review of service provider

FFIEC IT Examination Handbook Pa ge 10


11/24


Work Paper

Reference Comment

audits (e.g., SAS 70 reports) andregulatory examination reports;and

Review and monitoring of performance reports for services provided.

INFORMATION SECURITY PROCESS

Objective 4: Determine if the institutions information security program sufficiently addressese-banking risks.

1. Determine whether the institutionswritten security program for customer information required byGLBA guidelines includes e-

banking products and services.

2. Discuss the institutions e-bankingenvironment with management asapplicable. Based on this

discussion, evaluate whether theexamination scope should beexpanded to include selected Tier II

procedures from the IT HandbooksInformation Security Booklet.Consider discussing the followingtopics:

Current knowledge of attackersand attack techniques;

Existence of up-to-dateequipment and softwareinventories;

Rapid response capability for newly discovered vulnerabilities;

Network access controls over external connections;

Hardening of systems; Malicious code prevention;



12/24


Work Paper

Reference Comment

Rapid intrusion detection andresponse procedures;

Physical security of computingdevices;

User enrollment, change, andtermination procedures;

Authorized use policy; Personnel training; Independent testing; and Service provider oversight.

3. Determine whether the security

program includes monitoring of systems and transactions andwhether exceptions are analyzed toidentify and correct noncompliancewith security policies asappropriate. Consider whether theinstitution adequately monitors thefollowing:

Systems capacity and utilization; The frequency and duration of

service interruptions;

The volume and type of customer complaints, including time toresolution;

Transaction volumes by type,number, and dollar amount;

Security exceptions; Unauthorized penetrations of e-

banking system or network, bothactual and at tempted (e.g.,firewall and intrusion detectionsystem logs); and

E-banking losses due to fraud or errors.

4. Determine the adequacy of theinstitutions authentication methodsand need for multi-factor authentication relative to thesensitivity of systems or



13/24


Work Paper

Reference Comment

transactions. Consider thefollowing processes:

Account access Intrabank funds transfer Account maintenance Electronic bill payment Corporate cash management Other third-party payments or

asset transfers

5. If the institution uses passwords for customer authentication, determinewhether password administrationguidelines adequately address thefollowing:

Selection of password length andcomposition considering ease of remembering, vulnerability tocompromise, sensitivity of system or information protected,and use as single- or multi-factor authentication;

Restrictions on the use of

automatic log-on features; User lockout after a number of

failed log-on attempts industry practice is generally no morethan 3 to 5 incorrect attempts;

Password expiration for sensitiveinternal or high-value systems;

Users ability to select and/or change their passwords;

Passwords disabled after a prolonged period of inactivity;

Secure process for passwordgeneration and distribution;

Termination of customer connections after a specifiedinterval of inactivity industry

practice is generally not morethan 10 to 20 minutes;



14/24


Work Paper

Reference Comment

Procedures for resetting passwords, including forcedchange at next log-on after reset;

Review of password exceptionreports;

Secure access controls over password databases, includingencryption of stored passwords;

Password guidance to customersand employees regarding prudent

password selection and theimportance of protecting

password confidentiality; and Avoidance of commonlyavailable information (i.e., name,social security number) as user IDs.

6. Evaluate access control associatedwith employees administrativeaccess to ensure

Administrative access is assignedonly to unique, employee-specific IDs;

Account creation, deletion, andmaintenance activity ismonitored; and

Access to funds-transfer capabilities is under dual controland consistent with controls over

payment transmission channel(e.g. , ACH, wire transfer,Fedline).

7. Evaluate the appropriateness of incident response plans. Consider whether the plans include

A response process that assures prompt notification of senior management and the board asdictated by the probable severityof damage and potential



15/24


Work Paper

Reference Comment

monetary loss related to adverseevents;

Adequate outreach strategies toinform the media and customersof the event and any correctivemeasures;

Consideration of legal liabilityissues as part of the response

process, including notificationsof customers specifically or

potentially affected; and Information-sharing procedures

to bring security breaches to theattention of appropriatemanagement and external entities(e.g. , regulatory agencies,Suspicious Activity Reports,information-sharing groups, lawenforcement, etc.).

8. Assess whether the informationsecurity program includesindependent security testing asappropriate for the type andcomplexity of e-banking activity.Tests should include, as warranted:

Independent audits Vulnerability assessments Penetration testing

Objective 5: Determine if the institution has implemented appropriate administrative controlsto ensure the availability and integrity of processes supporting e-banking services.

1. Determine whether employeeauthorization levels and access

privileges are commensurate withtheir assigned duties and reinforcesegregation of duties.

2. Determine whether controls for e- banking applications include



16/24


Work Paper

Reference Comment

Appropriate balancing andreconciling controls for e-

banking activity; Protection of critical data or

information from tamperingduring transmission and fromviewing by unauthorized parties(e.g., encryption);

Automated validation techniquessuch as check digits or hashtotals to detect tampering withmessage content duringtransmission;

Independent control totals for transactions exchanged betweene-banking applications andlegacy systems; and

Ongoing review for suspicioustransactions such as large-dollar transactions, high transactionvolume, or unusual accountactivity.

3. Determine whether audit trails for

e-banking activities are sufficientto identify the source of transactions. Consider whether audit trails can identify the sourceof the following:

On-line instructions to open,modify, or close a customersaccount;

Any transaction with financialconsequences;

Overrides or approvals to exceedestablished limits; and

Any activity granting, changing,or revoking systems access rightsor privileges (e.g., revoked after three unsuccessful attempts).

4. Evaluate the physical security over



17/24


Work Paper

Reference Comment

e-banking equipment, media, andcommunication lines.

5. Determine whether businesscontinuity plans appropriatelyaddress the business impact of e-

banking products and services.Consider whether the plans includethe following:

Regular review and update of e- banking contingency plans;

Specific staff responsible for

ini tiating and managing e- banking recovery plans;

Adequate analysis and mitigationof any single points of failure for critical networks;

Strategies to recover hardware,software, communication links,and data files; and

Regular testing of back-upagreements with external vendorsor critical suppliers.

LEGAL AND COMPLIANCE ISSUES

Objective 6: Assess the institutions understanding and management of legal and complianceissues associated with e-banking activities.

1. Determine how the institution staysinformed on legal and regulatorydevelopments associated with e-

banking and thus ensures e-bankingactivities comply with appropriateconsumer compliance regulations.Consider

Existence of a process for tracking current litigation andregulations that could affect the



18/24


Work Paper

Reference Comment

institutions e-banking activities; Assignment of personnel

responsible for monitoring e- banking legislation and therequirements of or changes tocompliance regulations; and

Inclusion of e-banking activityand website content in theinstitutions compliancemanagement program.

2. Review the website content for inclusion of federal depositinsurance logos if insureddepository services are offered (12CFR 328 or 12 CFR 740).

3. Review the website content for inclusion of the followinginformation which institutionsshould consider to avoid customer confusion and communicatecustomer responsibilities:

Disclosure of corporate identity

and location of head and branchoffices for financial institutionsusing a trade name;

Disclosure of applicableregulatory information, such asthe identity of the institutions

primary regulator or informationon how to contact or fi le acomplaint with the regulator;

Conspicuous notices of theinapplicability of FDIC/NCUAinsurance to, the potential risks

associated with, and the actual product provider of, the specif icinvestment and insurance

products offered; Security policies and customer

usage responsibilities (includingsecurity disclosures and Internet



19/24


Work Paper

Reference Comment

banking agreements); On-line funds transfer

agreements for bill payment or cash management users; and

Disclosure of privacy policy financial institutions areencouraged, but not required, todisclose their privacy policies ontheir websites to include

- Conspicuous disclosure of the privacy policy on the website ina manner that complies with the

privacy regulation and- Information on how to opt outof sharing (if the institutionshares information with third

parties).

4. If the financial institutionelectronically delivers consumer disclosures that are required to be

provided in writing, assess theinstitutions compliance with the E-Sign Act. Review to determine

whether The disclosures- Are clear and conspicuous;- Inform the consumer of any right

or option to receive the record in paper or non-electronic form;

- Inform the consumer of the rightto withdraw consent, includingany conditions, consequences, or fees associated with such action;

- Inform consumers of thehardware and software needed toaccess and retain the disclosurefor their records; and

- Indicate whether the consentapplies to only a particular transaction or to identified



20/24


Work Paper

Reference Comment

categories of records. The procedures the consumer

uses to affirmatively consent toelectronic delivery reasonablydemonstrate the consumersability to access/viewdisclosures.

5. Determine whether e-bankingsupport services are in place tofacilitate compliance efforts,including

Effective customer support bythe help desk, addressing

- Complaint levels and resolutionstatistics,

- Performance relative to customer service level expectations, and

- Review of complaints/ problemsfor patterns or trends indicativeof processing deficiencies or security weaknesses and

Appropriate processes for authenticating and maintainingelectronic signatures (E-SignAct).

6. As applicable, determine whether the financial institution hasconsidered the applicability of various laws and regulations to itse-banking activities:

Monitoring of potential money-laundering activities associatedwith e-banking required by the

Bank Secrecy Act (31 CFR 103.18); Filing of Suspicious Activity

Reports for unusual or unauthorized e-banking activityor computer security intrusionsrequirements (regulation cites



21/24


Work Paper

Reference Comment

vary by agency); Screening of on-line applications

and activity for entities/countries prohibited by the Office of Foreign Asset Control (31 CFR 500 et. seq.); and

Authenticating new e-bankingcustomers using identificationtechniques consistent with therequirements of Bank SecrecyAct (31 CFR 103) and the USAPATRIOT Act [12 CFR 21(OCC), 12 CFR 208 and 211(Board), 12 CFR 326 (FDIC), 12CFR 563 (OTS), and 12 CFR 748(NCUA)].

7. If overview of e-bankingcompliance identifies weaknessesin the institutions considerationand oversight of compliance issues,consider expanding coverage toinclude more detailed review usingagency-specific complianceexamination procedures.

EXAMINATION CONCLUSIONS

Objective 7: Develop conclusions, communicate findings, and initiate corrective action onviolations and other examination findings.

1. Assess the potential impact of theexamination conclusions on the

institutions CAMELS andUniform Rating System for Information Technology (URSIT)ratings.

2. As applicable to your agency,identify risk areas where the



22/24


Work Paper

Reference Comment

institutions risk management processes are insufficient tomitigate the level of increased risksattributed to e-banking activities.Consider

Transaction/operations risk Credit risk Liquidity risk Interest rate and price/market

risk Compliance/legal risk Strategic risk Reputation risk

3. Prepare a summary memorandumdetailing the results of the e-

banking examination. Consider

Deficiencies noted andrecommended corrective actionregarding deficient policies,

procedures, practices, or other concerns;

Appropriateness of strategic and

business plans; Adequacy and adherence to

policies; Adequacy of security controls

and risk management systems; Compliance with applicable laws

and regulations; Adequacy of internal controls; Adequacy of audit coverage and

independent security testing; Other matters of significance;

and Recommendations for future

examination coverage (includingneed for additional specializedexpertise).



23/24


Work Paper

Reference Comment

4. Discuss examination findings andconclusions with the examiner-in-charge. As appropriate, preparedraft report comments that addressexamination findings indicative of

Significant control weaknesses or risks (note the root cause of thedeficiency, consequence of inaction or benefit of action,management corrective action,the time frame for correction,and the person responsible for

corrective action); Deviations from safety andsoundness principles that mayresult in financial or operationaldeterioration if not addressed; or

Substantive noncompliance withlaws or regulations.

5. In coordination with the examiner-in-charge, discuss findings withinstitution management including,as applicable, conclusions

regarding applicable ratings andrisks. If necessary, obtaincommitments for corrective action.

6. Revise draft e-banking commentsto reflect discussions withmanagement and finalize commentsfor inclusion in the report of examination.

7. As applicable, according to your agencys requirements/instructions,

include written commentsspecifically stating what theregulator should do in the future toeffectively supervise e-banking inthis institution. Includesupervisory objectives, timeframes, staffing, and workdays



24/24


Work Paper

Reference Comment

required.

8. Update the agencys informationsystems and applicable report of examination schedules or tables asapplicable.

Examiner Date

Reviewers Initials

ebanking_workprogram

Documents

Transcript of ebanking_workprogram