For this booklet, e-banking is defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels. E-banking includes the systems that enable Financial institution customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet. Customers access e-banking services using an intelligent electronic device, such as a personal computer (PC), personal digital assistant (PDA), automated teller machine (ATM), kiosk, or Touch Tone telephone. While the risks and controls are similar for the various e-banking access channels, this booklet focuses specifically on Internet-based services due to the Internet’s widely accessible public network. Accordingly, this booklet begins with a discussion of the two primary types of Internet websites: informational and transactional.
INFORMATIONAL WEBSITES
Informational websites provide customers access to general information about the financial institution and its products or services.
TRANSACTIONAL WEBSITES
Transactional websites provide customers with the ability to conduct transactions through the financial institution’s website by initiating banking transactions or
buying products and services. Banking transactions can range from something as basic as a retail account balance inquiry to a large business-to-business funds
transfer. E-banking services, like those delivered through other delivery channels, are typically classified based on the type of customer they support.
buying products and services. Banking transactions can range from something as basic as a retail account balance inquiry to a large business-to-business funds
transfer. E-banking services, like those delivered through other delivery channels, are typically classified based on the type of customer they support.
E-BANKING SUPPORT SERVICES
In addition to traditional banking products and services, Financial Institutions can provide a variety of services that have been designed or adapted to support e-commerce. Management should understand these services and the risks they pose to the institution. This section discusses some of the most common support services: weblinking, account aggregation, electronic authentication, website hosting, payments for e-commerce, and wireless banking activities.
WEBLINKING
A large number of financial Institutions maintain sites on the World Wide Web. Some websites are strictly informational, while others also offer customers the ability to perform financial transactions, such as paying bills or transferring funds between accounts. Virtually every website contains “weblinks.” A weblink is a word, phrase, or image on a webpage that contains coding that will transport the viewer to a different part of the website or a completely different website by just clicking the mouse. While weblinks are a convenient and accepted tool in website design, their use can present certain risks. Generally, the primary risk posed by
weblinking is that viewers can become confused about whose website they are
viewing and who is responsible for the information, products, and services vailable through that website. There are a variety of risk management techniques institutions should consider using to mitigate these risks. These risk management techniques are for those institutions that develop and maintain their own websites, as well as institutions that use third-party service providers for this function. The agencies have issued guidance on weblinking that provides details on risks and risk management techniques financial institutions should consider.
weblinking is that viewers can become confused about whose website they are
viewing and who is responsible for the information, products, and services vailable through that website. There are a variety of risk management techniques institutions should consider using to mitigate these risks. These risk management techniques are for those institutions that develop and maintain their own websites, as well as institutions that use third-party service providers for this function. The agencies have issued guidance on weblinking that provides details on risks and risk management techniques financial institutions should consider.
ACCOUNT AGGREGATION
Account aggregation is a service that gathers information from many websites, presents that information to the customer in a consolidated format, and, in some cases, may allow the customer to initiate activity on the aggregated accounts. The information gathered or aggregated can range from publicly available
information to personal account information (e.g., credit card, brokerage, and banking data). Aggregation services can improve customer convenience by avoiding multiple log-ins and providing access to tools that help customers analyze and manage their various account portfolios.
information to personal account information (e.g., credit card, brokerage, and banking data). Aggregation services can improve customer convenience by avoiding multiple log-ins and providing access to tools that help customers analyze and manage their various account portfolios.
ELECTRONIC AUTHENTICATION
Verifying the identities of customers and authorizing e-banking activities are integral parts of e-banking financial services. Since traditional paper-based and in-person identity authentication methods reduce the speed and efficiency of electronic transactions, financial institutions have adopted alternative
authentication methods, including: Passwords and personal identification
numbers (PINs), Digital certificates using a public key infrastructure (PKI), Microchip-based devices such as smart cards or other types of tokens, Database comparisons (e.g., fraud-screening applications), and Biometric identifiers. The authentication methods listed above vary in the level of security and reliability they provide and in the cost and complexity of their underlying infrastructures. As such, the choice of which technique(s) to use should be commensurate with the risks in the products and services for which they control access.
authentication methods, including: Passwords and personal identification
numbers (PINs), Digital certificates using a public key infrastructure (PKI), Microchip-based devices such as smart cards or other types of tokens, Database comparisons (e.g., fraud-screening applications), and Biometric identifiers. The authentication methods listed above vary in the level of security and reliability they provide and in the cost and complexity of their underlying infrastructures. As such, the choice of which technique(s) to use should be commensurate with the risks in the products and services for which they control access.
WEBSITE HOSTING
Some financial institutions host websites for both themselves as well as for other
businesses. Financial institutions that host a business customer’s website usually store, or arrange for the storage of, the electronic files that make up the website. These files are stored on one or more servers that may be located on the hosting financial institution’s premises. Website hosting services require strong skills in networking, security, and programming. The technology and software
change rapidly. Institutions developing websites should monitor the need to adopt new interoperability standards and protocols such as Extensible Mark-Up
Language (XML) to facilitate data exchange among the diverse population of Internet users. Risk issues examiners should consider when reviewing website hosting services include damage to reputation, loss of customers, or potential liability resulting from: Downtime (i.e., times when website is not available) or inability to meet service levels specified in the contract, Inaccurate website content (e.g., products, pricing) resulting from actions of the institution’s staff or unauthorized changes by third parties (e.g.,hackers), Unauthorized disclosure of confidential information stemming from security breaches, and Damage to computer systems of website visitors due to malicious code (e.g., virus,
worm, active content) spread through institution-hosted sites.
businesses. Financial institutions that host a business customer’s website usually store, or arrange for the storage of, the electronic files that make up the website. These files are stored on one or more servers that may be located on the hosting financial institution’s premises. Website hosting services require strong skills in networking, security, and programming. The technology and software
change rapidly. Institutions developing websites should monitor the need to adopt new interoperability standards and protocols such as Extensible Mark-Up
Language (XML) to facilitate data exchange among the diverse population of Internet users. Risk issues examiners should consider when reviewing website hosting services include damage to reputation, loss of customers, or potential liability resulting from: Downtime (i.e., times when website is not available) or inability to meet service levels specified in the contract, Inaccurate website content (e.g., products, pricing) resulting from actions of the institution’s staff or unauthorized changes by third parties (e.g.,hackers), Unauthorized disclosure of confidential information stemming from security breaches, and Damage to computer systems of website visitors due to malicious code (e.g., virus,
worm, active content) spread through institution-hosted sites.
PAYMENTS FOR E-COMMERCE
Many businesses accept various forms of electronic payments for their products and services. Financial institutions play an important role in electronic payment systems by creating and distributing a variety of electronic payment instruments, accepting a similar variety of instruments, processing those payments, and participating in clearing and settlement systems. However, increasingly, financial institutions are competing with third parties to provide support services for e-commerce payment systems.
Person-to-Person Payments
Electronic person- to-person payments, also known as e-mail money, permit consumers to send “money” to any person or business with an e-mail address.
Under this scenario, a consumer electronically instructs the person-to-person payment service to transfer funds to another individual. The payment service then sends an e-mail notifying the individual that the funds are available and informs him or her of the methods available to access the funds including requesting a check, transferring the funds to an account at an insured financial
institution, or retransmitting the funds to someone else. Person-to-person payments are typically funded by credit card charges or by an ACH transfer from the consumer’s account at a financial institution. Since neither the payee
nor the payer in the transaction has to have an account with the payment service, such services may be offered by an insured financial institution, but are frequently offered by other businesses as well. Some of the risk issues xaminers should consider when reviewing bill payment, presentment, and e-mail money services include: Potential liability for late payments due to service disruptions, Liability for bill payment instructions originating from someone other than the
deposit account holder, Losses from person-to-person payments funded by transfers from credit cards or deposit accounts over which the payee does not have signature authority, Losses from employee misappropriation of funds held pending access instructions from the payer, and Potential liability directing payment availability Information to the wrong e-mail or for releasing funds in response to e-mail from someone other than the intended payee.
Under this scenario, a consumer electronically instructs the person-to-person payment service to transfer funds to another individual. The payment service then sends an e-mail notifying the individual that the funds are available and informs him or her of the methods available to access the funds including requesting a check, transferring the funds to an account at an insured financial
institution, or retransmitting the funds to someone else. Person-to-person payments are typically funded by credit card charges or by an ACH transfer from the consumer’s account at a financial institution. Since neither the payee
nor the payer in the transaction has to have an account with the payment service, such services may be offered by an insured financial institution, but are frequently offered by other businesses as well. Some of the risk issues xaminers should consider when reviewing bill payment, presentment, and e-mail money services include: Potential liability for late payments due to service disruptions, Liability for bill payment instructions originating from someone other than the
deposit account holder, Losses from person-to-person payments funded by transfers from credit cards or deposit accounts over which the payee does not have signature authority, Losses from employee misappropriation of funds held pending access instructions from the payer, and Potential liability directing payment availability Information to the wrong e-mail or for releasing funds in response to e-mail from someone other than the intended payee.
WIRELESS E-BANKING
Wireless banking is a delivery channel that can extend the reach and enhance the convenience of Internet banking products and services.Wireless banking occurs when customers access a financial institution's network(s) using cellular phones, pagers, and personal digital assistants (or similar devices) through
telecommunication companies’ wireless networks.
telecommunication companies’ wireless networks.
