Internal Controls

Segregation of duties. E-banking support relies on staff in the service provider's operations or staff in the institution's bookkeeping, customer service, network administration, or information security areas. However, no one employee should be able to process a transaction from start to finish. Institution management must identify and mitigate areas where conflicting duties create the opportunity for insiders to commit fraud. For example, network administrators responsible for configuring servers and firewalls should not be the only ones responsible for checking compliance with security policies related to network access. Customer service employees with access to confidential customer account information should not be responsible for daily reconcilements of e-banking transactions.

Dual controls. Some sensitive transactions should require approval by more than one employee before they are authorized. Large electronic funds transfers and access to encryption keys are two examples of e-banking activities that would typically warrant dual controls.
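The two controls above (no single employee processing a transaction end to end, and two approvers for large transfers) are commonly enforced in software as a maker-checker rule. The following is an added illustration written for this page, not code from the handbook or from any institution's system; the dollar threshold, the request fields, and the in-memory approval record are assumptions.

```python
"""Maker-checker enforcement for funds transfers.

Added example, not code from the handbook. The threshold, the request
fields and the in-memory approval record are assumptions for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal

DUAL_CONTROL_THRESHOLD = Decimal("10000.00")  # assumed policy threshold


class ControlViolation(Exception):
    """Raised when an action would defeat segregation of duties or dual control."""


@dataclass
class TransferRequest:
    transfer_id: str
    initiator: str           # employee who keyed the transfer
    amount: Decimal
    approvals: set = field(default_factory=set)  # distinct approver ids
    released: bool = False


def approvals_required(req: TransferRequest) -> int:
    """Routine transfers need one checker; large ones need two (dual control)."""
    return 2 if req.amount >= DUAL_CONTROL_THRESHOLD else 1


def approve(req: TransferRequest, approver: str) -> None:
    """Record an approval, rejecting self-approval and repeated approvals."""
    if req.released:
        raise ControlViolation("transfer already released")
    if approver == req.initiator:
        # Segregation of duties: the maker can never be a checker.
        raise ControlViolation("initiator may not approve their own transfer")
    if approver in req.approvals:
        # Dual control means two different people, not one person twice.
        raise ControlViolation("duplicate approval by the same employee")
    req.approvals.add(approver)


def release(req: TransferRequest) -> bool:
    """Release for processing only once enough distinct approvals exist."""
    if req.released:
        return False
    needed = approvals_required(req)
    if len(req.approvals) < needed:
        raise ControlViolation(f"{needed} approval(s) required, {len(req.approvals)} recorded")
    req.released = True
    return True


def attempt(action, *args) -> str:
    """Run a control action and report 'ok' or the violation text."""
    try:
        result = action(*args)
    except ControlViolation as exc:
        return f"rejected: {exc}"
    return "ok" if result in (None, True) else "no-op"
```

The check that matters most is the one on the initiator: a dual-control rule that counts approvals without checking who gave them is satisfied by one insider approving twice.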

Reconcilements. E-banking systems should provide sufficient accounting reports to allow employees to reconcile individual transactions to daily transaction totals.

Suspicious activity. Financial institutions should establish fraud detection controls that prompt additional review and reporting of suspicious activity. Some potential concerns to consider include false or erroneous application information, large check deposits on new e-banking accounts, unusual volume or size of funds transfers, multiple new accounts with similar account information or originating from the same Internet address, and unusual account activity initiated from a foreign Internet address. Security- and fraud-related events may require the filing of a Suspicious Activity Report (SAR) with the Financial Crimes Enforcement Network (FinCEN).

Similar website names. Financial institutions should exercise care in selecting their website name(s) in order to reduce possible confusion with those of other Internet sites. Institutions should periodically scan the Internet to identify sites with similar names and investigate any that appear to be posing as the institution. Suspicious sites should be reported to appropriate criminal and regulatory authorities.
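The periodic scan for similar names is usually seeded by generating the look-alike names an impostor would register and matching them against what the scan observes. The following is an added example, not code from the handbook: it generates typosquatting variants of an assumed bank domain and also catches near-misses the generators do not enumerate by edit distance. The domain, the homoglyph table, the affix list and the observed-domain list are all constructed for illustration.

```python
"""Look-alike domain generation and matching for a bank's web site name.

Added example, not code from the handbook. The bank domain, the homoglyph
table, the affix list and the observed-domain list are constructed.
"""
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "m": "rn", "rn": "m"}
AFFIXES = ("secure", "login", "online")
TLDS = ("com", "net", "org", "co", "biz")


def lookalikes(domain):
    """Generate typosquatting candidates for a second-level name."""
    name, tld = domain.rsplit(".", 1)
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                  # omission
        names.add(name[:i] + name[i] * 2 + name[i + 1:])    # repetition
    for i in range(len(name) - 1):
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # adjacent swap
    for i in range(1, len(name)):
        names.add(name[:i] + "-" + name[i:])                # hyphenation
    for src, dst in HOMOGLYPHS.items():
        if src in name:
            names.add(name.replace(src, dst))               # visually similar characters
    for affix in AFFIXES:
        names.add(f"{name}-{affix}")
        names.add(f"{affix}-{name}")
    names.discard(name)
    candidates = {f"{n}.{tld}" for n in names}
    candidates |= {f"{name}.{t}" for t in TLDS if t != tld}  # same name, other TLD
    return candidates


def edit_distance(a, b):
    """Levenshtein distance, for near-misses the generators above do not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(domain, observed, max_distance=2):
    """Return (observed_domain, reason) pairs that warrant investigation."""
    candidates = lookalikes(domain)
    own_name = domain.rsplit(".", 1)[0]
    hits = []
    for seen in observed:
        if seen == domain:
            continue
        if seen in candidates:
            hits.append((seen, "generated look-alike"))
            continue
        d = edit_distance(seen.rsplit(".", 1)[0], own_name)
        if d <= max_distance:
            hits.append((seen, f"edit distance {d}"))
    return hits


# Constructed list standing in for the results of a periodic scan.
OBSERVED = [
    "examplebank.com", "exmaplebank.com", "examp1ebank.com", "examplebank-login.com",
    "examplebank.net", "exampelbank.co", "totallyunrelated.org",
]
```

In practice the observed list comes from newly registered domain feeds, certificate transparency logs or a zone-file subscription, and every hit is a lead to investigate, not proof of impersonation.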

Error checks. E-banking activities provide limited opportunities for customers to ask questions or clarify their intentions regarding a specific transaction. Institutions can reduce customer confusion and the potential for unintended transactions by requiring written contracts explaining rights and responsibilities, by providing clear disclosures and on-line instructions or help functions, and by incorporating proactive confirmations into the transaction initiation process.

On-line instructions, help features, and proactive confirmations are typically part of the basic design of an e-banking system and should be evaluated as part of the initial due diligence process. On-line forms can include error checks to identify common mistakes in various fields. Proactive confirmations can require customers to confirm their actions before the transaction is accepted for processing. For example, a bill payment customer would enter the amount and date of payment and specify the intended recipient. But, before accepting the customer's instructions for processing, the system might require the customer to review the instructions entered and then confirm the instruction's accuracy by clicking on a specific box or link.
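The bill-payment flow described above (field error checks, then a review-and-confirm step) can be implemented so that the confirmation is bound to exactly the instruction the customer reviewed, which also stops a modified or replayed instruction from being accepted. The following is an added example, not code from the handbook or any vendor's system; the payee table, the field rules, the fixed DEMO_TODAY date and the in-memory pending store are assumptions.

```python
"""Field error checks plus a proactive confirmation step for bill payment.

Added example, not code from the handbook. The payee table, the field rules,
the fixed DEMO_TODAY date and the in-memory pending store are assumptions.
"""
import hashlib
import json
import secrets
from datetime import date
from decimal import Decimal, InvalidOperation

PAYEES = {"P-100": "City Water Utility", "P-200": "Metro Electric"}  # constructed
DEMO_TODAY = date(2024, 1, 15)  # fixed "today" so the example is reproducible
_pending = {}  # nonce -> digest of the instruction the customer reviewed


def validate(instr, today):
    """Error checks on the submitted fields; returns a list of messages (empty if clean)."""
    errors = []
    if instr.get("payee") not in PAYEES:
        errors.append("payee is not on file")
    try:
        amount = Decimal(instr.get("amount", ""))
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount must be positive with at most two decimals")
    except InvalidOperation:
        errors.append("amount is not a number")
    try:
        if date.fromisoformat(instr.get("date", "")) < today:
            errors.append("payment date is in the past")
    except ValueError:
        errors.append("date must be YYYY-MM-DD")
    return errors


def _digest(nonce, instr):
    """Bind the nonce to a canonical form of exactly what the customer saw."""
    canonical = json.dumps(instr, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{nonce}|{canonical}".encode()).hexdigest()


def prepare(instr, today=DEMO_TODAY):
    """Step 1: check the fields and hand back a summary to review plus a nonce."""
    errors = validate(instr, today)
    if errors:
        return {"ok": False, "errors": errors}
    nonce = secrets.token_hex(8)
    _pending[nonce] = _digest(nonce, instr)
    summary = f"Pay {PAYEES[instr['payee']]} {instr['amount']} on {instr['date']}"
    return {"ok": True, "nonce": nonce, "summary": summary}


def confirm(nonce, instr):
    """Step 2: accept only the unmodified instruction, and only once."""
    expected = _pending.pop(nonce, None)  # one-shot: a replayed nonce finds nothing
    if expected is None:
        return (False, "nothing awaiting confirmation for this nonce")
    if expected != _digest(nonce, instr):
        # The instruction changed between review and confirmation: back to step 1.
        return (False, "instruction changed since review; please re-enter")
    return (True, "accepted for processing")
```

The summary shown at the review step is rendered from the server-side copy of the instruction, so what the customer confirms is what the system will process; a confirm button that merely re-posts the form fields gives no such guarantee.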

Alternate channel confirmations. Financial institutions should consider the need to have customers confirm sensitive transactions like enrollment in a new on-line service, large funds transfers, account maintenance changes, or suspicious account activity. Positive confirmations for sensitive on-line transactions provide the customer with the opportunity to help catch fraudulent activity. Financial institutions can encourage customer participation in fraud detection and increase customer confidence by sending confirmations of certain high-risk activities through additional communication channels such as the telephone, e-mail, or traditional mail.
