Appendix A: Examination Procedures

Introduction

The examiner's primary goal in reviewing e-banking activities is to determine whether the institution is providing e-banking products and services in a safe and sound manner that supports compliance with consumer-protection regulations. This determination is based on whether the institution's risk management practices are commensurate with the level of risk in its e-banking activities.

The e-banking examination procedures are a tool to help examiners reach conclusions regarding the effectiveness of an institution's risk management of e-banking activities. Examiners should use their judgment, consistent with the institution's supervisory strategy, in selecting applicable examination objectives and determining the need for specific testing of controls. Examiners may rely on the work of auditors and consultants deemed independent and competent in establishing their examination scope.

The examination procedures that follow focus on the risks inherent in the processes and technologies supporting e-banking products and services. They supplement, but do not replace, procedures from other IT Handbook booklets that apply to general IT activities (e.g., program development and maintenance, networking, information security, etc.). Depending on the scope of coverage targeted, examiners should consider using these procedures in combination with others from the IT Handbook and related issuances.

The structure of the e-banking examination procedures parallels the structure of the narrative portion of this booklet. The procedures cover:

  • Setting the examination scope,
  • Evaluating board and management oversight,
  • Assessing the information security program,
  • Reviewing legal and compliance issues, and
  • Deriving exam conclusions.

Depending on the complexity of the institution's activities and the scope of prior reviews, it is generally not necessary to complete all of the examination objectives or procedures in order to reach conclusions on the effectiveness of the financial institution's risk management processes. The procedures are designed for conducting targeted, integrated reviews of new or significantly expanded e-banking services. However, for follow-up activities or e-banking reviews conducted as part of a comprehensive review of an institution's IT activities, examiners should customize their e-banking coverage to avoid duplication of topics covered in other examination programs.

This section of the booklet also includes discussion points examiners can use as a reference when talking to management that is considering or implementing e-banking products and services, and a sample list of items to include in the request letter for each of the objectives stated in the examination procedures.

Discussion Points for Examiners

Financial institutions frequently contact examiners seeking guidance on things to consider when they plan to offer or expand e-banking services. The following discussion points are offered as a guide to assist examiners when discussing e-banking plans and strategies with institution management.

Strategic Plans - Decisions on e-banking should be consistent with the financial institution's strategic and operating business plans. Any decision to offer or expand e-banking services should consider customer demand for the services, competitive issues, and the risks in the technology. The institution should periodically evaluate the success of its e-banking strategy and make changes as appropriate.

Impact on Earnings and Capital - Financial institution management should have realistic projections of the expected impact of e-banking on earnings and capital. If management projects a significant impact then profitability plans should address pricing and marketing expenses. If management projects rapid growth in loans or deposits, then plans should address the impact on liquidity, asset quality, and capital adequacy.

E-Banking Software and Service Provider Selection - Financial institutions should provide an appropriate level of due diligence in selecting third-party providers or developing systems in-house. User departments should be involved in the selection process since they will work with the system on a daily basis once it is operational.

Security - Financial institution management should understand security issues associated with e-banking. Security issues include customer verification and authentication, data confidentiality and integrity, and intrusion prevention and detection. Management should measure the effectiveness of security controls.

Internal Controls and Audit - The institution's board and management should ensure that internal control and audit processes are adequate to enable the identification, measurement, and monitoring of the risks associated with e-banking. Management should attempt to quantify increased expenses and losses due to internal control-related weaknesses and fraud.

Legal Requirements - Management should research and understand various legal requirements, including compliance issues, as part of the e-banking decision process. Many legal issues are evolving and will require management to monitor developments.

Vendor Management - Research of outsourcing arrangements should include consideration of potential vendors' financial condition, reputation and expertise, years in business, history of service interruptions and recoveries, and future business plans. Selection should also consider the ability to agree on a contract that clearly defines responsibility for maintaining and sharing information and any resulting liability for its unauthorized use or disclosure.

Business Continuity Planning - Whether provided by the financial institution or a third party, management should plan for recovery of critical e-banking technology and business functions and develop alternate operating processes for use during service disruptions.

Insurance - A review of insurance coverage may be in order to determine if existing policies specifically cover or exclude activities conducted over open networks like the Internet.

Expertise - The financial institution should ensure it has the proper level of expertise to make business decisions regarding e-banking and network security. The board of directors and senior management may need to enhance their understanding of technology issues. If such expertise is not available in-house, the institution should consider engaging outside expertise.

General Procedures

Objective 1: Determine the scope for the examination of the institution's e-banking activities consistent with the nature and complexity of the institution's operations.

1.  Review the following documents to identify previously noted issues related to the e-banking area that require follow-up:

  • Previous regulatory examination reports
  • Supervisory strategy
  • Follow-up activities
  • Work papers from previous examinations
  • Correspondence

2. Identify the e-banking products and services the institution offers, supports, or provides automatic links to (e.g., retail, wholesale, investment, fiduciary, e-commerce support, etc.).

3. Assess the complexity of these products and services considering volumes (transaction and dollar), customer base, significance of fee income, and technical sophistication.

4. Identify third-party providers and the extent and nature of their processing or support services. 

5.  Discuss with management or review MIS or other monitoring reports to determine the institution's recent experience and trends for the following:

  • Intrusions, both attempted and successful;
  • Fraudulent transactions reported by customers;
  • Customer complaint volumes and average time to resolution; and
  • Frequency and duration of service disruptions.

6. Review audit and consultant reports, management's responses, and problem tracking systems to identify potential issues for examination follow-up. Possible sources include:

  • Internal and external audit reports and SSAE-16 Attestation reports and reviews for service providers,
  • Security reviews/evaluations from internal risk review or external consultants (includes vulnerability and penetration testing), and
  • Findings from GLBA security and control tests and annual GLBA reports to the board.

7.  Review network schematic to identify the location of major e-banking components. Document the location and the entity responsible for development, operation, and support of each of the major system components.

8.  Review the institution's e-banking site(s) to gain a general understanding of the scope of e-banking activities and the website's organization, structure, and operability. 

9.  Discuss with management recent and planned changes in:

  • The types of products and services offered;
  • Marketing or pricing strategies;
  • Network structure;
  • Risk management processes, including monitoring techniques;
  • Policies, processes, personnel, or controls, including strategies for intrusion responses or business continuity planning;
  • Service providers or other technology vendors; and
  • The scope of independent reviews or the individuals or entities conducting them.

10. Based on the findings from the previous steps, determine the scope of the e-banking review. Discuss, as appropriate, with the examiner or office responsible for supervisory oversight of the institution.

Select from among the following examination objectives and procedures those that are appropriate to the examination's scope. When more in-depth coverage of an area is warranted, examiners should select procedures from other booklets of the IT Handbook as necessary (e.g., "Information Security Booklet," "Retail Payments Systems Booklet," etc.). For more complex e-banking environments, examiners may need to integrate IT coverage with business line-specific coverage. In those cases, examiners should consult other subject matter experts and consider inclusion of the member agency's expanded procedures (e.g., compliance, retail lending, fiduciary/asset management, etc.).

BOARD AND MANAGEMENT OVERSIGHT

Objective 2: Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.

1. Evaluate the institution's short- and long-term strategies for e-banking products and services. In assessing the institution's planning processes, consider whether:

  • The scope and type of e-banking services are consistent with the institution's overall mission, strategic goals, operating plans, and risk tolerance;
  • The institution's MIS is adequate to measure the success of e-banking strategies based on clearly defined organizational goals and objectives;
  • Management's understanding of industry standards is sufficient to ensure compatibility with legacy systems;
  • Cost-benefit analyses of e-banking activities consider the costs of start-up, operation, administration, upgrades, customer support, marketing, risk management, monitoring, independent testing, and vendor oversight (if applicable);
  • Management's evaluation of security risks, threats, and vulnerabilities is realistic and consistent with the institution's risk profile;
  • Management's knowledge of federal and state laws and regulations as they pertain to e-banking is adequate; and
  • A process exists to periodically evaluate the institution's e-banking product mix and marketing successes and link those findings to its planning process.

2. Determine whether e-banking guidance and risk considerations have been incorporated into the institution's operating policies to an extent appropriate for the size of the financial institution and the nature and scope of its e-banking activities. Consider whether the institution's policies and practices:

  • Include e-banking issues in the institution's processes and responsibilities for identifying, measuring, monitoring, and controlling risks;
  • Define e-banking risk appetite in terms of types of product or service, customer restrictions (local/domestic/foreign), or geographic lending territory;
  • Consider, if appropriate, e-banking activities as a mission-critical activity for business continuity planning;
  • Assign day-to-day responsibilities for e-banking compliance issues including marketing, disclosures, and BSA/OFAC issues;
  • Require e-banking issues to be included in periodic reporting to the board of directors on the technologies employed, risks assumed, and compensating risk management practices;
  • Maintain policies and procedures over e-commerce payments (i.e., bill payment or cash management) consistent with the risk and controls associated with the underlying payment systems (check processing, ACH, wire transfers, etc.);
  • Establish policies to address e-commerce support services (aggregation, certificate authority, commercial website hosting/design, etc.);
  • Include e-banking considerations in the institution's written privacy policy; and
  • Require the board of directors to periodically review and approve updated policies and procedures related to e-banking.

3. Assess the level of oversight by the board and management in ensuring that planning and monitoring are sufficiently robust to address heightened risks inherent in e-banking products and services. Consider whether:

  • The board reviews, approves, and monitors e-banking technology-related projects that may have a significant impact on the financial institution's risk profile;
  • The board ensures appropriate programs are in place to oversee security, recovery, and third-party providers of critical e-banking products and services;
  • Senior management evaluates whether technologies and products are in line with the financial institution's strategic goals and meet market needs;
  • Senior management periodically evaluates e-banking performance relative to original/revised project plans;
  • Senior management has developed, as appropriate, exit strategies for high-risk activities; and
  • Institution personnel have the proper skill sets to evaluate, select, and implement e-banking technology.

4. Evaluate adequacy of key MIS reports to monitor risks in e-banking activities. Consider monitoring of the following areas:

  • Systems capacity and utilization;
  • Frequency and duration of service interruptions;
  • Volume and type of customer complaints, including time to successful resolution;
  • Transaction volumes by type, number, dollar amount, and behavior (e.g., bill payment or cash management transactions need sufficient monitoring to identify suspicious or unusual activity);
  • Exceptions to security policies whether automated or procedural;
  • Unauthorized penetrations of e-banking system or network, both actual and attempted;
  • Losses due to fraud or processing/balancing errors; and
  • Credit performance and profitability of accounts originated through e-banking channels.

5. Determine whether audit coverage of e-banking activities is appropriate for the type of services offered and the level of risk assumed. Consider the frequency of e-banking reviews, the adequacy of audit expertise relative to the complexity of e-banking activities, and the extent of functions outsourced to third-party providers. The audit scope should include:

  • Testing/verification of security controls, authentication techniques, access levels, etc.;
  • Reviewing security monitoring processes, including network risk analysis and vulnerability assessments;
  • Verifying operating controls, including balancing and separation of duties; and
  • Validating the accuracy of key MIS and risk management reports.

Objective 3: Determine the quality of the institution's risk management over outsourced technology services.

1. Assess the adequacy of management's due diligence activities prior to vendor selection. Consider whether:

  • Strategic and business plans are consistent with outsourcing activity, and
  • Vendor information was gathered and analyzed prior to signing the contract, and the analysis considered the following:
    Vendor reputation;
    Financial condition;
    Costs for development, maintenance, and support;
    Internal controls and recovery processes; and
    Ability to provide required monitoring reports.

2. Determine whether the institution has reviewed vendor contracts to ensure that the responsibilities of each party are appropriately identified. Consider the following provisions if applicable:

  • Description of the work performed or service provided;
  • Basis for costs, description of additional fees, and details on how prices may change over the term of the contract;
  • Implementation of an appropriate information security program;
  • Audit rights and responsibilities;
  • Contingency plans for service recovery;
  • Data backup and protection provisions;
  • Responsibilities for data security and confidentiality and language complying with the GLBA 501(b) guidelines regarding security programs;
  • Hardware and software upgrades;
  • Availability of vendor's financial information;
  • Training and problem resolution;
  • Reasonable penalty and cancellation provisions;
  • Prohibition of contract assignment;
  • Limitations over subcontracting (i.e., prohibition or notification prior to engaging a subcontractor for data processing, software development, or ancillary services supporting the contracted service to the institution);
  • Termination rights without excessive fees, including the return of data in a machine-readable format in a timely manner;
  • Financial institution ownership of the data;
  • Covenants dealing with the choice of law (United States or foreign nation); and
  • Rights of federal regulators to examine the services, including processing and support conducted from a foreign nation.

3.  Assess the adequacy of ongoing vendor oversight. Consider whether the institution's oversight efforts include:

  • Designation of personnel accountable for monitoring activities and services;
  • Control over remote vendor access (e.g., dial-in, dedicated line, Internet);
  • Review of service provider's financial condition;
  • Periodic reviews of business continuity plans, including compatibility with those of the institution;
  • Review of service provider audits (e.g., third-party reviews) and regulatory examination reports; and
  • Review and monitoring of performance reports for services provided.

INFORMATION SECURITY PROCESS

Objective 4: Determine if the institution's information security program sufficiently addresses e-banking risks.

1.  Determine whether the institution's written security program for customer information required by GLBA guidelines includes e-banking products and services.

2.  Discuss the institution's e-banking environment with management as applicable. Based on this discussion, evaluate whether the examination scope should be expanded to include selected Tier II procedures from the IT Handbook's "Information Security Booklet." Consider discussing the following topics:

  • Current knowledge of attackers and attack techniques;
  • Existence of up-to-date equipment and software inventories;
  • Rapid response capability for newly discovered vulnerabilities;
  • Network access controls over external connections;
  • Hardening of systems;
  • Malicious code prevention;
  • Rapid intrusion detection and response procedures;
  • Physical security of computing devices;
  • User enrollment, change, and termination procedures;
  • Authorized use policy;
  • Personnel training;
  • Independent testing; and
  • Service provider oversight.

3.  Determine whether the security program includes monitoring of systems and transactions and whether exceptions are analyzed to identify and correct noncompliance with security policies as appropriate. Consider whether the institution adequately monitors the following:

  • Systems capacity and utilization;
  • The frequency and duration of service interruptions;
  • The volume and type of customer complaints, including time to resolution;
  • Transaction volumes by type, number, and dollar amount;
  • Security exceptions;
  • Unauthorized penetrations of e-banking system or network, both actual and attempted (e.g., firewall and intrusion detection system logs); and
  • E-banking losses due to fraud or errors.

4. Determine the adequacy of the institution's authentication methods and need for multi-factor authentication relative to the sensitivity of systems or transactions. Consider the following processes:

  • Account access
  • Intrabank funds transfer
  • Account maintenance
  • Electronic bill payment
  • Corporate cash management
  • Other third-party payments or asset transfers

5. If the institution uses passwords for customer authentication, determine whether password administration guidelines adequately address the following:

  • Selection of password length and composition considering ease of remembering, vulnerability to compromise, sensitivity of system or information protected, and use as single- or multi-factor authentication;
  • Restrictions on the use of automatic log-on features;
  • User lockout after a number of failed log-on attempts - industry practice is generally no more than 3 to 5 incorrect attempts;
  • Password expiration for sensitive internal or high-value systems;
  • Users' ability to select and/or change their passwords;
  • Passwords disabled after a prolonged period of inactivity;
  • Secure process for password generation and distribution;
  • Termination of customer connections after a specified interval of inactivity - industry practice is generally not more than 10 to 20 minutes;
  • Procedures for resetting passwords, including forced change at next log-on after reset;
  • Review of password exception reports;
  • Secure access controls over password databases, including encryption of stored passwords;
  • Password guidance to customers and employees regarding prudent password selection and the importance of protecting password confidentiality; and
  • Avoidance of commonly available information (e.g., name, social security number) as user IDs.
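As an added illustration (not from the booklet), the Python below models the controls listed above in one account state machine: salted hashing of stored passwords, lockout after a number of failed log-ons, termination of a connection after an inactivity interval, password expiration, disabling after prolonged inactivity, and a help-desk reset that forces a change at the next log-on. The lockout and idle thresholds are the industry-practice figures cited in the list; the expiration and dormancy periods, field names and function names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple
import hashlib
import hmac
import os
import secrets

# Thresholds: the lockout and inactivity figures are the industry-practice ranges cited
# in the procedures; the expiration and dormancy periods are assumptions for this example.
MAX_FAILED_LOGONS = 5                        # lock the account on the 5th consecutive failure
SESSION_IDLE_LIMIT = timedelta(minutes=15)   # terminate the customer connection after inactivity
PASSWORD_MAX_AGE = timedelta(days=90)        # expiration for sensitive / high-value systems
DORMANT_LIMIT = timedelta(days=180)          # disable the password after prolonged inactivity
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stored passwords are salted PBKDF2-HMAC-SHA256 digests, never clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    last_activity_at: datetime
    failed_logons: int = 0
    locked: bool = False
    must_change_password: bool = False


def create_account(user_id: str, password: str, now: datetime) -> Account:
    salt, digest = hash_password(password)
    return Account(user_id, salt, digest, now, now)


def logon(acct: Account, password: str, now: datetime) -> Tuple[str, Optional[datetime]]:
    """Apply the controls in order; return (status, idle deadline of the new session or None)."""
    if acct.locked:
        return "locked", None
    if now - acct.last_activity_at > DORMANT_LIMIT:
        acct.locked = True                   # password disabled until an administrator resets it
        return "disabled_dormant", None
    _, candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.digest):
        acct.failed_logons += 1
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            acct.locked = True
            return "locked", None
        return "invalid", None
    acct.failed_logons = 0                   # successful log-on resets the failure counter
    acct.last_activity_at = now
    if acct.must_change_password or now - acct.password_set_at > PASSWORD_MAX_AGE:
        acct.must_change_password = True
        return "change_required", None       # only the change-password step is allowed
    return "ok", now + SESSION_IDLE_LIMIT


def session_active(idle_deadline: datetime, now: datetime) -> bool:
    """The connection is terminated once the inactivity interval has elapsed."""
    return now <= idle_deadline


def change_password(acct: Account, current: str, new: str, now: datetime) -> bool:
    """User-initiated change; re-verifies the current password and re-salts the new one."""
    _, candidate = hash_password(current, acct.salt)
    if not hmac.compare_digest(candidate, acct.digest) or new == current:
        return False
    acct.salt, acct.digest = hash_password(new)
    acct.password_set_at = now
    acct.must_change_password = False
    return True


def admin_reset(acct: Account, now: datetime) -> str:
    """Help-desk reset: random temporary password, unlock, and forced change at next log-on.
    A reset is the kind of privilege change the audit trail should record."""
    temp = secrets.token_urlsafe(12)
    acct.salt, acct.digest = hash_password(temp)
    acct.password_set_at = now
    acct.last_activity_at = now
    acct.failed_logons = 0
    acct.locked = False
    acct.must_change_password = True
    return temp
```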

6. Evaluate access control associated with employee's administrative access to ensure:

  • Administrative access is assigned only to unique, employee-specific IDs;
  • Account creation, deletion, and maintenance activity is monitored; and
  • Access to funds-transfer capabilities is under dual control and consistent with controls over payment transmission channel (e.g., ACH, wire transfer, Fedline).

7. Evaluate the appropriateness of incident response plans. Consider whether the plans include:

  • A response process that assures prompt notification of senior management and the board as dictated by the probable severity of damage and potential monetary loss related to adverse events;
  • Adequate outreach strategies to inform the media and customers of the event and any corrective measures;
  • Consideration of legal liability issues as part of the response process, including notifications of customers specifically or potentially affected; and
  • Information-sharing procedures to bring security breaches to the attention of appropriate management and external entities (e.g., regulatory agencies, Suspicious Activity Reports, information-sharing groups, law enforcement, etc.).

8.  Assess whether the information security program includes independent security testing as appropriate for the type and complexity of e-banking activity. Tests should include, as warranted:

  • Independent audits
  • Vulnerability assessments
  • Penetration testing

Objective 5: Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services.

1.  Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties.

2. Determine whether controls for e-banking applications include:

  • Appropriate balancing and reconciling controls for e-banking activity;
  • Protection of critical data or information from tampering during transmission and from viewing by unauthorized parties (e.g., encryption);
  • Automated validation techniques such as check digits or hash totals to detect tampering with message content during transmission;
  • Independent control totals for transactions exchanged between e-banking applications and legacy systems; and
  • Ongoing review for suspicious transactions such as large-dollar transactions, high transaction volume, or unusual account activity.
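As an added example, not part of the booklet, the Python below shows independent control totals (record count, debit and credit dollar totals) together with a keyed hash total over a batch passed from an e-banking application to a legacy system, and how the receiving side recomputes them to detect a dropped item or an altered amount, including an alteration that leaves the dollar totals unchanged and is caught only by the hash total. The batch layout, field names and shared key are constructed assumptions.

```python
import copy
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed demo key; in production a secret managed outside both applications.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample batch from the e-banking front end (amounts as strings, no float rounding).
SAMPLE_ITEMS = [
    {"id": "T1001", "acct": "0001234", "type": "D", "amount": "250.00"},   # bill payment debit
    {"id": "T1002", "acct": "0005678", "type": "C", "amount": "1200.00"},  # deposit credit
    {"id": "T1003", "acct": "0001234", "type": "D", "amount": "75.50"},
    {"id": "T1004", "acct": "0009012", "type": "D", "amount": "980.00"},
]


def canonical_item(tx: dict) -> bytes:
    """Serialise one item with a fixed field order so both systems hash identical bytes."""
    fields = {
        "id": tx["id"],
        "acct": tx["acct"],
        "type": tx["type"],
        "amount": str(Decimal(tx["amount"]).quantize(Decimal("0.01"))),
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def control_totals(items: list) -> dict:
    """Record count, debit and credit dollar totals, and a keyed hash total (HMAC-SHA256)."""
    mac = hmac.new(SHARED_KEY, digestmod=hashlib.sha256)
    debits = credits = Decimal("0.00")
    for tx in items:
        amount = Decimal(tx["amount"])
        if tx["type"] == "D":
            debits += amount
        elif tx["type"] == "C":
            credits += amount
        else:
            raise ValueError(f"unknown transaction type {tx['type']!r}")
        mac.update(canonical_item(tx))
        mac.update(b"\n")  # explicit item separator so record boundaries cannot shift
    return {
        "count": len(items),
        "debit_total": str(debits.quantize(Decimal("0.01"))),
        "credit_total": str(credits.quantize(Decimal("0.01"))),
        "hash_total": mac.hexdigest(),
    }


def build_batch(items: list) -> dict:
    """Sending side: the items plus a trailer carrying the control totals."""
    return {"items": items, "trailer": control_totals(items)}


def verify_batch(batch: dict) -> list:
    """Receiving side: recompute the totals independently and list every mismatch."""
    expected = batch["trailer"]
    actual = control_totals(batch["items"])
    problems = []
    for field in ("count", "debit_total", "credit_total"):
        if expected[field] != actual[field]:
            problems.append(f"{field}: trailer {expected[field]} vs computed {actual[field]}")
    if not hmac.compare_digest(expected["hash_total"], actual["hash_total"]):
        problems.append("hash_total: content altered in transit")
    return problems


def tampered(batch: dict, item_id: str, new_amount: str) -> dict:
    """Constructed in-transit alteration of one item's amount; the trailer is left as sent."""
    altered = copy.deepcopy(batch)
    for tx in altered["items"]:
        if tx["id"] == item_id:
            tx["amount"] = new_amount
    return altered


if __name__ == "__main__":
    sent = build_batch(SAMPLE_ITEMS)
    print("clean batch:", verify_batch(sent) or "balanced")
    print("inflated amount:", verify_batch(tampered(sent, "T1001", "2500.00")))
    # Swapping two debit amounts keeps count and dollar totals intact; only the hash total catches it.
    swapped = tampered(tampered(sent, "T1001", "980.00"), "T1004", "250.00")
    print("swapped amounts:", verify_batch(swapped))
```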

3. Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions. Consider whether audit trails can identify the source of the following:

  • On-line instructions to open, modify, or close a customer's account;
  • Any transaction with financial consequences;
  • Overrides or approvals to exceed established limits; and
  • Any activity granting, changing, or revoking systems access rights or privileges (e.g., revoked after three unsuccessful attempts).

4. Evaluate the physical security over e-banking equipment, media, and communication lines.

5. Determine whether business continuity plans appropriately address the business impact of e-banking products and services. Consider whether the plans include the following:

  • Regular review and update of e-banking contingency plans;
  • Specific staff responsible for initiating and managing e-banking recovery plans;
  • Adequate analysis and mitigation of any single points of failure for critical networks;
  • Strategies to recover hardware, software, communication links, and data files; and
  • Regular testing of back-up agreements with external vendors or critical suppliers.

LEGAL AND COMPLIANCE ISSUES

Objective 6: Assess the institution's understanding and management of legal and compliance issues associated with e-banking activities.

1. Determine how the institution stays informed on legal and regulatory developments associated with e-banking and thus ensures e-banking activities comply with appropriate consumer compliance regulations. Consider:

  • Existence of a process for tracking current litigation and regulations that could affect the institution's e-banking activities;
  • Assignment of personnel responsible for monitoring e-banking legislation and the requirements of or changes to compliance regulations; and
  • Inclusion of e-banking activity and website content in the institution's compliance management program.

2. Review the website content for inclusion of federal deposit insurance logos if insured depository services are offered (12 CFR 328 or 12 CFR 740).

3. Review the website content for inclusion of the following information which institutions should consider to avoid customer confusion and communicate customer responsibilities:

  • Disclosure of corporate identity and location of head and branch offices for financial institutions using a trade name;
  • Disclosure of applicable regulatory information, such as the identity of the institution's primary regulator or information on how to contact or file a complaint with the regulator;
  • Conspicuous notices of the inapplicability of FDIC/NCUA insurance to, the potential risks associated with, and the actual product provider of, the specific investment and insurance products offered;
  • Security policies and customer usage responsibilities (including security disclosures and Internet banking agreements);
  • On-line funds transfer agreements for bill payment or cash management users; and
  • Disclosure of privacy policy - financial institutions are encouraged, but not required, to disclose their privacy policies on their websites - to include:
    "Conspicuous" disclosure of the privacy policy on the website in a manner that complies with the privacy regulation and
    Information on how to "opt out" of sharing (if the institution shares information with third parties).

4. If the financial institution electronically delivers consumer disclosures that are required to be provided in writing, assess the institution's compliance with the E-Sign Act. Review to determine whether:

  • The disclosures:
    - Are clear and conspicuous;
    - Inform the consumer of any right or option to receive the record in paper or non-electronic form;
    - Inform the consumer of the right to withdraw consent, including any conditions, consequences, or fees associated with such action;
    - Inform consumers of the hardware and software needed to access and retain the disclosure for their records; and 
    - Indicate whether the consent applies to only a particular transaction or to identified categories of records.
  • The procedures the consumer uses to affirmatively consent to electronic delivery reasonably demonstrate the consumer's ability to access/view disclosures.

5. Determine whether e-banking support services are in place to facilitate compliance efforts, including:

  • Effective customer support by the help desk, addressing:
    - Complaint levels and resolution statistics,
    - Performance relative to customer service level expectations, and
    - Review of complaints/problems for patterns or trends indicative of processing deficiencies or security weaknesses.
  • Appropriate processes for authenticating and maintaining electronic signatures (E-Sign Act).

6. As applicable, determine whether the financial institution has considered the applicability of various laws and regulations to its e-banking activities:

  • Monitoring of potential money-laundering activities associated with e-banking required by the Bank Secrecy Act (31 CFR 103.18);
  • Filing of Suspicious Activity Reports for unusual or unauthorized e-banking activity or computer security intrusions requirements (regulation cites vary by agency);
  • Screening of on-line applications and activity for entities/countries prohibited by the Office of Foreign Asset Control (31 CFR 500 et seq.); and
  • Authenticating new e-banking customers using identification techniques consistent with the requirements of Bank Secrecy Act (31 CFR 103) and the USA PATRIOT Act [12 CFR 21 (OCC), 12 CFR 208 and 211 (Board), 12 CFR 326 (FDIC), 12 CFR 563 (OTS), and 12 CFR 748 (NCUA)].

7.  If the overview of e-banking compliance identifies weaknesses in the institution's consideration and oversight of compliance issues, consider expanding coverage to include a more detailed review using agency-specific compliance examination procedures.

EXAMINATION CONCLUSIONS

Objective 7: Develop conclusions, communicate findings, and initiate corrective action on violations and other examination findings.

1. Assess the potential impact of the examination conclusions on the institution's CAMELS and Uniform Rating System for Information Technology (URSIT) ratings.

2. As applicable to your agency, identify risk areas where the institution's risk management processes are insufficient to mitigate the level of increased risks attributed to e-banking activities. Consider:

  • Transaction/operations risk
  • Credit risk
  • Liquidity risk
  • Interest rate and price/market risk
  • Compliance/legal risk
  • Strategic risk
  • Reputation risk

3. Prepare a summary memorandum detailing the results of the e-banking examination. Consider:

  • Deficiencies noted and recommended corrective action regarding deficient policies, procedures, practices, or other concerns;
  • Appropriateness of strategic and business plans;
  • Adequacy and adherence to policies;
  • Adequacy of security controls and risk management systems;
  • Compliance with applicable laws and regulations;
  • Adequacy of internal controls;
  • Adequacy of audit coverage and independent security testing;
  • Other matters of significance; and
  • Recommendations for future examination coverage (including need for additional specialized expertise).

4.  Discuss examination findings and conclusions with the examiner-in-charge. As appropriate, prepare draft report comments that address examination findings indicative of:

  • Significant control weaknesses or risks (note the root cause of the deficiency, consequence of inaction or benefit of action, management corrective action, the time frame for correction, and the person responsible for corrective action);
  • Deviations from safety and soundness principles that may result in financial or operational deterioration if not addressed; or
  • Substantive noncompliance with laws or regulations.

5. In coordination with the examiner-in-charge, discuss findings with institution management including, as applicable, conclusions regarding applicable ratings and risks. If necessary, obtain commitments for corrective action.

6. Revise draft e-banking comments to reflect discussions with management and finalize comments for inclusion in the report of examination.

7. As applicable, according to your agency's requirements/instructions, include written comments specifically stating what the regulator should do in the future to effectively supervise e-banking in this institution. Include supervisory objectives, time frames, staffing, and workdays required.

8. Update the agency's information systems and applicable report of examination schedules or tables as applicable.

E-Banking Request Letter Items

Objective 1 - Determine the scope for the examination of the institution's e-banking activities consistent with the nature and complexity of the institution's operations.

  • An organization chart of e-banking personnel including the name, title, and phone number of the e-banking examination contact.
  • A list of URLs for all financial institution-affiliated websites.
  • A list of all e-banking platforms utilized and network diagrams including servers, routers, firewalls, and supporting system components.
  • A list of all e-banking related products and services including transaction volume data on each if it is available.
  • A description of any changes in e-banking activities or future e-banking plans since the last exam.
  • Diagrams illustrating the e-banking transaction workflow.
  • Copies of recent monitoring reports that illustrate trends and experiences with intrusion attempts, successful intrusions, fraud losses, service disruptions, customer complaint volumes, and complaint resolution statistics.
  • Copies of findings from, and management/board responses to, the following:
    - Internal and external audit reports (including third-party reviews on service providers and testing of the information security program),
    - Annual tests of the written information security program as required by GLBA,
    - Vulnerability assessments,
    - Penetration tests, and
    - Other independent security tests or e-banking risk reviews

Objective 2 - Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.

  • Internal or external audit schedules, audit scope, and background/training information on individuals conducting e-banking audits.
  • Descriptions of e-banking-related training provided to employees including date, attendees, and topics.
  • Strategic plans or feasibility studies related to e-banking.
  • Insurance policies covering e-banking activities such as blanket bond, errors and omissions, and any riders relating to e-banking.
  • Copies of recent management and board reports that measure or analyze e-banking performance both strategically and technically, such as percentage of customers using e-banking channels or system capacity to maintain current and planned level of transactional activity.

Objective 3 - Determine the quality of the institution's risk management over outsourced technology services.

  • Policies and procedures related to vendor management.
  • A list of all third-party providers, contractors, or support vendors, including the name, services provided, address, and phone number for each.
  • Documentation supporting initial or ongoing due diligence of the above vendors including financial condition, service level performance, security reporting, audit reports, security assessments, and disaster recovery tests as appropriate.
  • Vendor contracts (make available upon request).

Objective 4 - Determine if the institution has appropriately modified its information security program to incorporate e-banking risks.

  • Findings from security risk assessments pertaining to e-banking activities.
  • Information security policies and procedures associated with e-banking systems, products, or services, including policies associated with customer authentication, employee e-mail usage, and Internet usage.
  • A list or report of authorized users and access levels for e-banking platforms, including officers, employees, system vendors, customers, and other users.
  • Samples of e-banking-related security reports reviewed by IT management, senior management, or the board including suspicious activity, unauthorized access attempts, outstanding vulnerabilities, fraud or security event reports, etc.
  • Documentation related to any successful e-banking intrusion or fraud attempt.

If e-banking is hosted internally, provide the following additional information:

  • A list of security software tools employed by the institution including product name, vendor name, and version number for filtering routers, firewalls, network-based intrusion detection software (IDS), host-based IDS, and event correlation analysis software (illustrate placement on network diagram);
  • Policies related to identification and patching of new vulnerabilities; and
  • Descriptions of router access control rules, firewall rules, and IDS event detection and response rules including the corresponding logs.

Objective 5 - Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services.

  • E-banking policies and procedures related to account opening, customer authentication, maintenance, bill payment or e-banking transaction processing, settlement, and reconcilement.
  • Business resumption plans for e-banking services.

Objective 6 - Assess the institution's understanding and management of legal and compliance issues associated with e-banking activities.

  • Policies and procedures related to e-banking consumer compliance issues including website content, disclosures, BSA, financial record keeping, and the institution's trade area.
  • A list of any pending lawsuits or contingent liabilities with potential losses relating to e-banking activities.
  • Documentation of customer complaints related to e-banking products and services.
  • Copies of, or publicly available weblinks to, privacy statements, consumer compliance disclosures, security disclosures, and e-banking agreements.

If the financial institution provides cross-border e-banking products and services, provide the following additional information:

  • Policies for, or a description of, permissible cross-border e-banking including types of products and services such as account opening, account access, or funds transfer, and restrictions such as geographic location, citizenship, etc.
  • Policies for, or a description of, the institution's due diligence process for accepting cross-border business.
