
Index

No.  Chapter
1    Introduction to internet banking
2    Entry of Indian banks into net banking
3    Impact of Internet banking on banking performance and risk
4    Types of internet banking
5    Risk management principles
6    Internet banking in India: guidelines
     Conclusion
     Bibliography / webliography

Chapter 1
Introduction to internet banking

1.1 Introduction
1.2 Definition
1.3 History
1.4 Features
1.5 Advantages
1.6 Disadvantages

1.1 Introduction
Online banking is an electronic payment system that enables customers of a
financial institution to conduct financial transactions on a website operated by the
institution, such as a retail bank, virtual bank, credit union or building society.
Online banking is also referred to as Internet banking, e-banking, virtual banking
and by other terms.
To access a financial institution's online banking facility, a customer with Internet
access needs to register with the institution for the service and set up a
password (under various names) for customer verification. The password for online
banking is normally not the same as the one for telephone banking. Financial
institutions now routinely allocate customer numbers (also under various names),
whether or not customers have indicated an intention to use their online banking
facility. Customer numbers are normally not the same as account numbers, because a
number of customer accounts can be linked to one customer number. The customer can
link to the customer number any account which the customer controls, which may be
cheque, savings, loan, credit card and other accounts.

Customer numbers are also not the same as the number on any debit or credit card
issued by the financial institution to the customer.
To access online banking, a customer goes to the financial institution's secured
website and enters the online banking facility using the customer number and
password previously set up. Some financial institutions have set up additional
security steps for access to online banking, but there is no consistency in the
approach adopted.

1.2 Definition

Online banking refers to banking services where depositors can manage more
aspects of their accounts over the Internet, rather than visiting a branch or using the
telephone. Online banking typically comprises a secure connection to banking
information through the depositor's home computer or another device.
As Techopedia explains:
Online banking offers several main benefits to depositors. It provides a real-time
view of finances and eliminates the need for numerous visits to a bank teller. It can
also take the place of balancing a checkbook and other tedious tasks common to
paper-based banking. Depositors can monitor each transaction in an accessible user
interface to understand how credits, deposits, deductions and payments affect their
account's balance.
Banks that offer online banking are sometimes called "brick-to-click." Many of
these banks still provide branch services but support online options. This
distinguishes them from brick-and-mortar banks, which offer no online services.
Brick-and-mortar banks are becoming extremely rare in the age of digital
transactions, and most banks have begun moving a number of customer
interactions

1.3 History
The precursor of modern home online banking services was the distance
banking services offered over electronic media from the early 1980s. The term
"online" became popular in the late 1980s and referred to the use of a terminal,
keyboard and TV (or monitor) to access the banking system over a phone line.
"Home banking" can also refer to the use of a numeric keypad to send tones down
a phone line with instructions to the bank. Online services started in New York in
1981, when four of the city's major banks offered home banking services using the
videotex system. Because of the commercial failure of videotex, these banking
services never became popular except in France, where the use of videotex was
subsidised by the telecom provider, and in the UK, where the Prestel system was
used.
When the clicks-and-bricks euphoria hit in the late 1990s, many banks began to
view Web-based banking as a strategic imperative. The attractions of online
banking for banks are fairly obvious: diminished transaction costs, easier integration
of services, interactive marketing capabilities, and other benefits that boost
customer lists and profit margins. Additionally, Web banking services allow
institutions to bundle more services into single packages, thereby luring customers
and minimizing overhead.
A mergers-and-acquisitions wave swept the financial industries in the mid- and late
1990s, greatly expanding banks' customer bases. Following this, banks looked to
the Web as a way of retaining their customers and building loyalty. A number of
different factors are causing bankers to shift more of their business to the virtual
realm.
While financial institutions took steps to implement e-banking services in the
mid-1990s, many consumers were hesitant to conduct monetary transactions over the
web. It took widespread adoption of electronic commerce, based on trailblazing
companies such as America Online, Amazon.com and eBay, to make the idea of
paying for items online widespread. By 2000, 80 percent of U.S. banks offered
e-banking. Customer use grew slowly. At Bank of America, for example, it took 10
years to acquire 2 million e-banking customers. However, a significant cultural
change took place after the Y2K scare ended. In 2001, Bank of America became
the first bank to top 3 million online banking customers, more than 20 percent of
its customer base. In comparison, larger national institutions, such as Citigroup
claimed 2.2 million online relationships globally, while J.P. Morgan Chase
estimated it had more than 750,000 online banking customers. Wells Fargo had 2.5
million online banking customers, including small businesses. Online customers
proved more loyal and profitable than regular customers. In October 2001, Bank of
America customers executed a record 3.1 million electronic bill payments, totaling
more than $1 billion. In 2009, a report by Gartner Group estimated that 47 percent
of U.S. adults and 30 percent in the United Kingdom bank online.

The UK's first home online banking service, known as Homelink, was set up by
Bank of Scotland for customers of the Nottingham Building Society (NBS) in
1983. The system used was based on the UK's Prestel viewlink system and used a
computer, such as the BBC Micro, or keyboard (Tandata Td1400) connected to the
telephone system and television set. The system allowed on-line viewing of
statements, bank transfers and bill payments. In order to make bank transfers and
bill payments, a written instruction giving details of the intended recipient had to
be sent to the NBS, who set the details up on the Homelink system. Typical
recipients were gas, electricity and telephone companies and accounts with other
banks. Details of payments to be made were input into the NBS system by the
account holder via Prestel. A cheque was then sent by NBS to the payee and an
advice giving details of the payment was sent to the account holder. BACS was
later used to transfer the payment directly.
Stanford Federal Credit Union was the first financial institution to offer online
internet banking services to all of its members in October 1994.
Today, many banks are internet only banks. Unlike their predecessors, these
internet only banks do not maintain brick and mortar bank branches. Instead, they
typically differentiate themselves by offering better interest rates and more
extensive online banking features.

1.4 Features
We are always looking at ways of providing you with the best service
possible. With Internet Banking you have access to all the online banking features
you expect plus more, including SMS banking services and increased online
security with the BOQ Security Token.

Key features
All the key features of Internet Banking are explained for you:
balance and transaction history search
transaction history export
order new statements
Mobile banking


transfers
pay bills with BPAY
receive bills online with BPAY View
Pay Anyone payments
Multi Payments
Foreign currency calculator
International and RTGS payments
Open or apply for selected accounts
Daily Limits Packages for BPAY, Pay Anyone and Multi Payments
SMS banking services
extra online security with the BOQ Security Token

Business features
If you have a business, find out how Internet Banking can assist you:
payments file upload
direct debit payments and payment templates
related account access
multi user transaction authorization and privilege delegation

1.5 Advantages of Internet banking


Convenience: banks that offer internet banking are open for business
transactions anywhere a client might be, as long as there is an internet
connection. Apart from periods of website maintenance, services are
available 24 hours a day, 365 days a year. Where an internet connection is
unavailable, customer services are provided round the clock via telephone.
At the touch of a button, real-time account balances and information are
available. This speeds up banking processes, increasing their efficiency
and effectiveness.
Online banking allows easier updating and maintenance of direct
accounts. The time taken to change a mailing address is greatly reduced,
additional cheques can be ordered, and real-time interest rates are provided.
Friendlier rates: the lack of substantial support and overhead costs results in
direct banks offering higher interest rates on savings and charging lower rates
on mortgages and loans.
Some banks offer high-yield certificates of deposit and do not penalise
withdrawals on certificates of deposit, and allow opening of accounts without
minimum deposits and with no minimum balance.
Transfer services: online banking allows automatic funding of accounts
from long-established bank accounts via electronic funds transfers.
Ease of monitoring: a client can monitor his or her spending via a virtual
wallet through certain banks and applications and enable payments.
Ease of transaction: the speed of transaction is faster relative to the use of
ATMs or customary banking.


1.6 Disadvantages of Internet banking


Banking relationship: customary banking allows the creation of a personal
touch between a bank and its clients. A personal touch with a bank manager,
for example, can enable the manager to change the terms of your account, since
he or she has some discretion in case of a change in personal circumstances. It
can include reversal of an undeserved service charge.
Security matters: direct banks are governed by laws and regulations similar
to those of customary banks; in the United States, accounts are protected by the
Federal Deposit Insurance Corporation (FDIC). Encryption is used to protect
account information in transit. However, there are no perfect systems, and
encryption does nothing for a customer who is tricked into entering credentials
on a phishing site or whose computer is infected with malware, so accounts remain
prone to hacking attacks, phishing, malware and other illegal activity.
Learning: banks with complicated sites can be cumbersome to navigate and
may require one to read through tutorials to navigate them.
Transaction problems: a face-to-face meeting is better for handling complex
transactions and problems. Customary banks may call for meetings and seek
expert advice to solve issues.

Chapter 2

The entry of Indian banks into Net Banking

2.1 Introduction
2.2 Products and services offered
2.3 Future scenario

Internet banking system in India

2.1 Introduction

Internet banking, both as a medium of delivery of banking services and as
a strategic tool for business development, has gained wide acceptance
internationally and is fast catching up in India, with more and more banks
entering the fray. India can be said to be on the threshold of a major
banking revolution, with net banking having already been unveiled. A
recent questionnaire to which 46 banks responded has revealed that at
present 11 banks in India are providing Internet banking services at
different levels, 22 banks propose to offer Internet banking in the near future,
while the remaining 13 banks have no immediate plans to offer such a
facility.
At present, the total number of Internet users in the country is estimated at 9 lakh.
However, this is expected to grow exponentially to 90 lakh by 2003. Only
about 1% of Internet users did banking online in 1998. This increased to
16.7% in March 2000.* The growth potential is, therefore, immense. Further
incentives provided by banks would dissuade customers from visiting
physical branches and thus get them hooked on the convenience of arm-chair
banking. The facility of accessing their accounts from anywhere in the world
by using a home computer with an Internet connection is particularly
attractive to Non-Resident Indians and High Net Worth Individuals having
multiple bank accounts.


Costs of banking service through the Internet form a fraction of costs
through conventional methods. Rough estimates put teller cost at Re.1
per transaction, ATM transaction cost at 45 paise, phone banking at 35 paise,
debit cards at 20 paise and Internet banking at 10 paise per transaction. The
cost-conscious banks in the country have therefore actively considered use
of the Internet as a channel for providing services. Fully computerized
banks, with better management of their customer base, are in a stronger
position to cross-sell their products through this channel.

2.2 Products and services offered

Banks in India are at different stages of the web-enabled banking cycle.
Initially, a bank that does not have a website allows its customers to
communicate with it through an e-mail address; communication is limited to
a small number of branches and offices which have access to this e-mail
account. As yet, many scheduled commercial banks in India are still in this
first stage of Internet banking operations.
With gradual adoption of Information Technology, the bank puts up a website
that provides general information on the bank, its locations, services
available (e.g. loan and deposit products), application forms for downloading
and an e-mail option for enquiries and feedback. It is largely a marketing or
advertising tool. For example, Vijaya Bank provides information on its website
about its NRI and other services. Customers are required to fill in
applications on the Net and can later receive loans or other products
requested for at their local branch. A few banks allow the customer to
enquire into his demat account (securities/shares) holding details, transaction
details and status of instructions given by him. These websites still do not
allow online transactions for their customers.
Some of the banks permit customers to interact with them and transact
electronically with them. Such services include requests for opening of
accounts, requisitions for cheque books, stop payment of cheques, viewing
and printing statements of accounts, movement of funds between accounts
within the same bank, querying on status of requests, instructions for
opening of Letters of Credit and Bank Guarantees etc. These services are
being initiated by banks like ICICI Bank Ltd., HDFC Bank Ltd., Citibank,
Global Trust Bank Ltd., UTI Bank Ltd., Bank of Madura Ltd., Federal Bank
Ltd. etc. Recent entrants in Internet banking are Allahabad Bank (for its
corporate customers through its Allnet service) and Bank of Punjab Ltd.
State Bank of India has announced that it will be providing such services
soon. Certain banks like ICICI Bank Ltd. have gone a step further within
the transactional stage of Internet banking by allowing transfer of funds by
an account holder to any other account holder of the bank.
Some of the more aggressive players in this area such as ICICI Bank Ltd.,
HDFC Bank Ltd., UTI Bank Ltd., Citibank, Global Trust Bank Ltd. and
Bank of Punjab Ltd. offer the facility of receipt, review and payment of bills
on-line. These banks have tied up with a number of utility companies. The
Infinity service of ICICI Bank Ltd. also allows online real time shopping
mall payments to be made by customers. HDFC Bank Ltd. has made e-shopping
online and real time with the launch of its payment gateway. It has
tied up with a number of portals to offer business-to-consumer (B2C)
e-commerce transactions. The first online real time e-commerce credit card
transaction in the country was carried out on the Easy3shoppe.com shopping
mall, enabled by HDFC Bank Ltd. on a VISA card.
Banks like ICICI Bank Ltd., HDFC Bank Ltd. etc. are thus looking to
position themselves as one stop financial shops. These banks have tied up
with computer training companies, computer manufacturers, Internet
Services Providers and portals for expanding their Net banking services, and
widening their customer base. ICICI Bank Ltd. has set up a web based joint
venture for on-line distribution of its retail banking products and services on
the Internet, in collaboration with Satyam Infoway, a private ISP through a
portal named as icicisify.com. The customer base of www.satyamonline.com
portal is also available to the bank. Setting up of Internet kiosks and
permeation through the cable television route to widen customer base are
other priority areas in the agendas of the more aggressive players. Centurion
Bank Ltd. has taken up equity stake in the teauction.com portal, which aims
to bring together buyers, sellers, registered brokers, suppliers and
associations in the tea market and substitute their physical presence at the
auctions announced.
Banks providing Internet banking services have been entering into
agreements with their customers setting out the terms and conditions of the
services. The terms and conditions include information on the access
through user-id and secret password, minimum balance and charges,
authority to the bank for carrying out transactions performed through the
service, liability of the user and the bank, disclosure of personal information
for statistical analysis and credit scoring also, non-transferability of the
facility, notices and termination, etc.
The race for market supremacy is compelling banks in India to adopt the
latest technology on the Internet in a bid to capture new markets and
customers. HDFC Bank Ltd. with its Freedom- the e-Age Saving Account
Service, Citibank with Suvidha and ICICI Bank Ltd. with its Mobile
Commerce service have tied up with cell phone operators to offer Mobile
Banking to their customers. Global Trust Bank Ltd. has also announced that
it has tied up with cellular operators to launch mobile banking services.
Under Mobile Banking services, customers can scan their accounts to seek
balance and payments status or instruct banks to issue cheques, pay bills or
deliver statements of accounts. It is estimated that by 2003, cellular phones
will have become the premier Internet access device, outselling personal
computers. Mobile banking will further minimize the need to visit a bank
branch.

2.3 The Future Scenario

Compared to banks abroad, Indian banks offering online services still have
a long way to go. For online banking to reach a critical mass, there has to be
a sufficient number of users and sufficient infrastructure in place. The
Infinity product of ICICI Bank Ltd. gets only about 30,000 hits per month,
with around 3,000 transactions taking place on the Net per month through
this service. Though various security options like line encryption, branch
connection encryption, firewalls, digital certificates, automatic sign-offs,
random pop-ups and disaster recovery sites are in place or are being looked
at, there is as yet no Certification Authority in India offering a Public Key
Infrastructure, which is absolutely necessary for online banking. Encryption
on its own only hides the traffic; the customer can be assured of a secured
conduit for online activities only if an authority certifying digital signatures
is in place to vouch that the public key at the other end of the connection
belongs to the bank rather than to an impostor. The communication
bandwidth available today in India is also not enough to meet the needs of
high priority services like online banking and trading. Banks offering online
facilities need to have an effective disaster recovery plan along with
comprehensive risk management measures. Banks offering online facilities
also need to calculate their downtime losses, because even a few minutes of
downtime in a week could mean substantial losses. Some banks even today
do not have uninterruptible power supply units or systems to take care of
prolonged power breakdowns. Proper encryption of data and effective use of
passwords are also matters that leave a lot to be desired. Systems and
processes have to be put in place to ensure that errors do not take place.
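The point about a Certification Authority deserves a concrete illustration, because it is easy to read "encryption" as the whole of the security story. The block below is an added example written for this page, not code from the report, from any bank named in it or from the RBI. It stands in for the X.509 certificate check a customer's browser performs under TLS, using a textbook RSA signature over freshly generated primes (no padding and a key far too small for real use) so that it runs stand-alone; the names "Example CA", "Attacker CA" and "netbanking.example" are invented for the example. A client holding one trusted root accepts the bank's certificate, rejects a certificate for the bank's host name issued by a CA it does not trust, rejects the genuine certificate when it is presented for a different host, and rejects the genuine certificate once the public key inside it has been swapped, which is what an attacker on the line cannot get past without a trusted CA's cooperation.

```python
"""Toy certificate check: a CA, not encryption alone, gives a secured conduit.
Added illustration only, not code from the report, any bank or the RBI. Textbook
RSA signatures (no padding, short keys) stand in for real X.509/TLS machinery."""
import hashlib
import random

_rng = random.SystemRandom()  # OS entropy; the default PRNG is not for keys


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test for an odd integer n >= 3."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); 512 bits keeps the demo fast, it is not secure."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(private, message):
    """Sign SHA-256(message) with the private exponent (no padding: toy only)."""
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def _to_be_signed(subject, public):
    """What a CA vouches for: this host name is bound to this public key."""
    n, e = public
    return f"{subject}|{n}|{e}".encode()  # real certificates use DER, not '|'


def issue_certificate(issuer, issuer_private, subject, subject_public):
    tbs = _to_be_signed(subject, subject_public)
    return {"subject": subject, "public": subject_public, "issuer": issuer,
            "signature": sign(issuer_private, tbs)}


def verify_certificate(cert, expected_host, trust_store):
    """Accept only a certificate for the host we meant to reach, signed by a trusted CA."""
    if cert["subject"] != expected_host:
        return False  # valid for some other site, e.g. a look-alike domain
    root_public = trust_store.get(cert["issuer"])
    if root_public is None:
        return False  # unknown issuer: no reason to believe this key is the bank's
    tbs = _to_be_signed(cert["subject"], cert["public"])
    return verify(root_public, tbs, cert["signature"])


def demo(host="netbanking.example"):
    """Four connection attempts as seen by a client that trusts exactly one root."""
    ca_public, ca_private = generate_keypair()
    bank_public, _bank_private = generate_keypair()
    attacker_public, attacker_private = generate_keypair()
    trust_store = {"Example CA": ca_public}  # shipped with the customer's software
    genuine = issue_certificate("Example CA", ca_private, host, bank_public)
    # An attacker on the line can present a certificate for the bank's host name but
    # can only get it signed by a CA the customer does not trust ...
    forged = issue_certificate("Attacker CA", attacker_private, host, attacker_public)
    # ... or splice their own key into the genuine certificate, breaking its signature.
    swapped = dict(genuine, public=attacker_public)
    return {
        "genuine_accepted": verify_certificate(genuine, host, trust_store),
        "untrusted_issuer_rejected": not verify_certificate(forged, host, trust_store),
        "wrong_host_rejected": not verify_certificate(genuine, "other.example", trust_store),
        "swapped_key_rejected": not verify_certificate(swapped, host, trust_store),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Running the file prints the four checks. The design point is that the trust store, not the cipher, is what tells the customer whose key terminates the encrypted connection: a man-in-the-middle can always offer an encrypted channel to a key of his own, and only the signature of a CA the customer already trusts distinguishes the bank's key from his.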
Users of Internet Banking Services are required to fill up the application
forms online and send a copy of the same by mail or fax to the bank. A
contractual agreement is entered into by the customer with the bank for
using the Internet banking services. In this way, personal data in the
application forms is held by the bank providing the service. The
contract terms are often one-sided, with the bank having absolute
discretion to amend or supplement any of the terms at any time. For these
reasons domestic customers, for whom other access points such as ATMs,
telebanking, personal contact, etc. are available, are often hesitant to use the
Internet banking services offered by Indian banks. Internet Banking, as an
additional delivery channel, may therefore be attractive as a
value added service to domestic customers. Non-resident Indians, for whom
it is expensive and time consuming to access their bank accounts maintained
in India, find net banking very convenient and useful.
The Internet is in the public domain, whereby geographical boundaries are
eliminated. Cyber crimes are therefore difficult to identify and
control. In order to promote Internet banking services, it is necessary that
the proper legal infrastructure is in place. Government has introduced the
Information Technology Bill, which has already been notified in October
2000. Section 72 of the Information Technology Act, 2000 casts an
obligation of confidentiality against disclosure of any electronic record,
register, correspondence and information, except for certain purposes, and
violation of this provision is a criminal offence. Notification for appointment
of Authorities to certify digital signatures, ensuring confidentiality of data, is
likely to be issued in the coming months. Comprehensive enactments like
the Electronic Fund Transfer Act in the U.S. and data protection rules and
regulations in the developed countries are in place abroad to prevent
unauthorized access to data, mala fide or otherwise, and to protect the
individual's right to privacy. The legal issues are, however, being debated
in our country and it is expected that some headway will be made in this
respect in the near future.
Notwithstanding the above drawbacks, certain developments taking place at
present, and expected to take place in the near future, would create a
conducive environment for online banking to flourish. For example, Internet
usage is expected to grow with cheaper bandwidth cost. The Department of
Telecommunications (DOT) is moving fast to make available additional
bandwidth, with the result that Internet access will become much faster in
the future. This is expected to give a fillip to Internet banking in India.
The proposed setting up of a Credit Information Bureau for collecting and
sharing credit information on borrowers of lending institutions online would
give a fillip to electronic banking. The deadline set by the Chief Vigilance
Commissioner for computerization of not less than 70 percent of banks'
business by the end of January 2001 has also given a greater thrust to the
development of banking technology. The recommendations of the
Vasudevan Committee on Technological Upgradation of Banks in India
have also been circulated to banks for implementation. Against this background,
banks are moving in for technological upgradation on a large scale.
Internet banking is expected to get a boost from such developments.
Reserve Bank of India has taken the initiative for facilitating real time funds
transfer through the Real Time Gross Settlement (RTGS) System. Under the
RTGS system, transmission, processing and settlement of the instructions
will be done on a continuous basis. Gross settlement in real time mode
eliminates settlement (credit) risk between participants, since each transfer is
final once settled, although it requires participants to hold more intraday
liquidity than netting would. Any member of the system will be able to
access it through only one specified gateway in order to ensure rigorous
access control measures at the user level. The system will have various
levels of security, viz., access security, 128-bit cryptography, firewall,
certification etc. Further, a Generic Architecture, both domestic and cross
border, aimed at providing inter-connectivity across banks has been accepted
for implementation by RBI. Following a reference made this year in the
Monetary and Credit Policy statement of the Governor, banks have been
advised to develop a domestic generic model in their computerization plans to
ensure seamless integration. The abovementioned efforts would enable
online banking to become more secure and efficient.
With the process of dematerialization of shares having gained considerable
ground in recent years, banks have assumed the role of depository
participants. In addition to customers' deposit accounts, they also maintain
demat accounts of their clients. Online trading in equities is being allowed
by SEBI. This is another area which banks are keen to get into. HDFC Bank
Ltd. has tied up with about 25 equity brokerages for enabling third party
transfer of funds and securities through its business-to-business (B2B)
portal, e-Net. Demat account holders with the bank can receive securities
directly from the brokers' accounts. The bank has extended its web interface
to the software vendors of the National Stock Exchange through a tie-up with
NSE.IT, the infotech arm of the exchange. The bank functions as the
payment bank for enabling funds transfer from its customers' accounts to
brokers' accounts. The bank is also setting up a net broking arm, HDFC
Securities, for enabling trading in stocks through the web. The focus on
capital market operations through the web is based on the bank's strategy of
tapping customers interested in trading in equities through the Internet.
Internet banking thus promises to become a popular delivery channel not
only for retail banking products but also for online securities trading.
An upcoming payment gateway is being developed by ICICI and Global
Tele System, which will enable customers to transfer funds to banks which
are part of the project. Transfer of funds can be made through credit/debit/
smart cards and cheques, with the central payment switch enabling the
transactions. Banks are showing interest in this new concept, which will
facilitate inter-bank funds transfers and other e-commerce transactions, thus
highlighting the role of banks in e-commerce as intermediaries between
buyers and sellers in the whole payment process.
WAP (Wireless Application Protocol) telephony is the merger of mobile
telephony with the Internet. It offers two-way connectivity, unlike Mobile
Banking where the customer communicates to a mailbox answering
machine. Users may surf their accounts, download items and transact a
wider range of options through the cellphone screen. WAP may provide the
infrastructure for P2P (person to person) or P2M (person to merchant)
payments. It would be ideal for transactions that do not need any cash backup,
such as online investments. Use of this cutting edge technology could well
determine which bank obtains the largest market share in electronic banking.
IDBI Bank Ltd. has recently launched its WAP- based mobile phone banking
services (offering facilities such as banking enquiry, cheque book request,
statements request, details of the banks products etc).
At present, there are only 2.6 phone connections per 100 Indians, against the
world average of 15 connections per 100. The bandwidth capacity available
in the country is only 3.2 gigabits per second, which is around 60% of
current demand. Demand for bandwidth is growing by 350% a year in India.
With the help of the latest technology, Indian networks will be able to handle
40 gigabits of Net traffic per second (as compared to 10 gigabits per second
in Malaysia). Companies like Reliance, Bharti Telecom and the Tata Group
are investing billions of rupees to build fiber optic lines and telecom
infrastructure for data, voice and Internet telephony. The online population
has increased from just 500,000 in 1998 to 5 million in 2000. By 2015, the
online population is expected to reach 70 million. IT services is a $1.5
billion industry in India growing at a rate of 55% per annum. Keeping in
view all the above developments, Internet banking is likely to grow at a
rapid pace and most banks will enter into this area soon. Rapid strides are
already being made in banking technology in India and Internet banking is a
manifestation of this. Every day sees new tie-ups, innovations and strategies
being announced by banks. State Bank of India has recently announced its
intention to form an IT subsidiary. A sea change in banking services is on the
cards. It would, however, be essential to have in place a proper regulatory,
supervisory and legal framework, particularly as regards security of
transactions over the Net, for regulators and customers alike to be
comfortable with this form of banking.

Chapter 3

Impact of Internet Banking on Bank Performance and Risk: The Indian
Experience

3.1 Introduction
3.2 Trends in Internet banking
3.3 Macroeconomic challenges
3.4 New challenges for regulators
3.4.1 Regulatory risk
3.4.2 Legal risk
3.5 Regulatory tools
3.5.1 Adaptation
3.5.2 Operational risk
3.5.3 Reputational risk
3.5.4 Legalization
3.5.5 Harmonization
3.5.6 Integration

3.1 Introduction

Electronic banking has been around for some time in the form of automatic teller
machines and telephone transactions. More recently, it has been transformed by the
Internet, a new delivery channel for banking services that benefits both customers
and banks. Access is fast, convenient, and available around the clock, whatever the
customer's location (see illustration above). Plus, banks can provide services more
efficiently and at substantially lower costs. For example, a typical customer
transaction costing about $1 in a traditional "brick and mortar" bank branch or
$0.60 through a phone call costs only about $0.02 online.
Electronic banking also makes it easier for customers to compare banks' services
and products, can increase competition among banks, and allows banks to
penetrate new markets and thus expand their geographical reach. Some even see
electronic banking as an opportunity for countries with underdeveloped financial
systems to leapfrog developmental stages. Customers in such countries can access
services more easily from banks abroad and through wireless communication
systems, which are developing more rapidly than traditional "wired"
communication networks.
The flip side of this technological boom is that electronic banking is not only
susceptible to, but may exacerbate, some of the same risks (particularly
governance, legal, operational, and reputational) inherent in traditional banking.
In addition, it poses new challenges. In response, many national regulators have
already modified their regulations to achieve their main objectives: ensuring the
safety and soundness of the domestic banking system, promoting market
discipline, and protecting customer rights and the public trust in the banking
system. Policymakers are also becoming increasingly aware of the greater potential
impact of macroeconomic policy on capital movements.

3.2 Trends in electronic banking

Internet banking is gaining ground. Banks increasingly operate websites through
which customers are able not only to inquire about account balances and interest
and exchange rates but also to conduct a range of transactions. Unfortunately, data
on Internet banking are scarce, and differences in definitions make cross-country
comparisons difficult. Even so, one finds that Internet banking is particularly
widespread in Austria, Korea, the Scandinavian countries, Singapore, Spain, and
Switzerland, where more than 75 percent of all banks offer such services (see
chart). The Scandinavian countries have the largest number of Internet users, with
up to one-third of bank customers in Finland and Sweden taking advantage of
e-banking.

In the United States, Internet banking is still concentrated in the largest banks. In
mid-2001, 44 percent of national banks maintained transactional websites, almost
double the number in the third quarter of 1999. These banks account for over 90
percent of national banking system assets. The larger banks tend to offer a wider
array of electronic banking services, including loan applications and brokerage
services. While most U.S. consumers have accounts with banks that offer Internet
services, only about 6 percent of them use these services.
To date, most banks have combined the new electronic delivery channels with
traditional brick and mortar branches ("brick and click" banks), but a small number
have emerged that offer their products and services predominantly, or only, through
electronic distribution channels. These "virtual" or Internet-only banks do not have
a branch network but might have a physical presence, for example, an
administrative office or non branch facilities like kiosks or automatic teller
machines. The United States has about 30 virtual banks; Asia has 2, launched in
2000 and 2001; and the European Union has several, either as separately licensed
entities or as subsidiaries or branches of brick and mortar banks.

3.3 The macroeconomic challenges

But the challenges are not limited to regulators. As the advent of e-banking quickly
changes the financial landscape and increases the potential for quick cross-border
capital movements, macroeconomic policymakers face several difficult questions.
- If electronic banking does make national boundaries irrelevant by facilitating
capital movements, what does this imply for macroeconomic management?
- How is monetary policy affected when, for example, the use of electronic means
makes it easier for banks to avoid reserve requirements, or when business can be
conducted in foreign currencies as easily as in domestic currency?
- When offshore banking and capital flight are potentially only a few mouse clicks
away, does a government have any leeway for independent monetary or fiscal
policy?
- How will the choice of the exchange rate regime be affected, and how will
e-banking influence the targeted level of international reserves of a central bank?
- Can a government afford to make any mistakes? Will the spread of electronic
banking impose harsh market discipline on governments as well as on businesses?
The answers to these questions fall into two emerging strands of thought. First, the
technological revolution (particularly the expansion of electronic money but also,
more broadly, electronic advances in banking practices) could result in a
decoupling of households' and firms' decisions from the purely financial operations
of the central bank. Thus, the ability of monetary policy to influence inflation and
economic activity would be threatened.
Second, as electronic banking expands, financial transaction costs can decline
significantly. The result would be tantamount to a reduction in the "sand in the
wheels" of the financial sector machinery, making capital flows even easier to
effect, with a potential erosion of the effectiveness of domestic monetary policy. In
this regard, proponents of the Tobin tax (which would tax short-term capital flows
to increase their cost and, thereby, the sand in the wheels) would feel that
electronic banking makes an even more compelling case for introducing such a tax.
one, the markets will provide the answer, possibly at a high economic cost. Further
research on policy-related issues in the period ahead is therefore critical.

3.4 New challenges for regulators


This changing financial landscape brings with it new challenges for bank
management and regulatory and supervisory authorities. The major ones stem from
increased cross-border transactions resulting from drastically lower transaction
costs and the greater ease of banking activities, and from the reliance on
technology to provide banking services with the necessary security.

3.4.1 Regulatory risk. Because the Internet allows services to be provided
from anywhere in the world, there is a danger that banks will try to avoid
regulation and supervision. What can regulators do? They can require even banks
that provide their services from a remote location through the Internet to be
licensed. Licensing would be particularly appropriate where supervision is weak
and cooperation between a virtual bank and the home supervisor is not adequate.
Licensing is the norm, for example, in the United States and most of the countries
of the European Union. A virtual bank licensed outside these jurisdictions that
wishes to offer electronic banking services and take deposits in these countries
must first establish a licensed branch.
Determining when a bank's electronic services trigger the need for a license can be
difficult, but indicators showing where banking services originate and where they
are provided can help. For example, a virtual bank licensed in country X is not
seen as taking deposits in country Y if customers make their deposits by posting
checks to an address in country X. If a customer makes a deposit at an automatic
teller machine in country Y, however, that transaction would most likely be
considered deposit taking in country Y. Regulators need to establish guidelines to
clarify the gray areas between these two cases.

3.4.2 Legal risk. Electronic banking carries heightened legal risks for banks.
Banks can potentially expand the geographical scope of their services faster
through electronic banking than through traditional branches. In some cases, however,
they might not be fully versed in a jurisdiction's local laws and regulations before
they begin to offer services there, either with a license or without a license if one is
not required. When a license is not required, a virtual bank, lacking contact with
its host country supervisor, may find it even more difficult to stay abreast of
regulatory changes. As a consequence, virtual banks could unknowingly violate
customer protection laws, including those on data collection and privacy, and
regulations on soliciting. In doing so, they expose themselves to losses through
lawsuits or crimes that are not prosecuted because of jurisdictional disputes.
Money laundering is an age-old criminal activity that has been greatly facilitated
by electronic banking because of the anonymity it affords. Once a customer opens
an account, banks cannot readily verify whether the nominal account holder is
conducting a transaction or even where the transaction is taking place. To combat
money laundering, many countries have issued specific guidelines on identifying
customers. They typically comprise recommendations for verifying an individual's
identity and address before a customer account is opened and for monitoring online
transactions, which requires great vigilance.
In a report issued in 2000, the Financial Action Task Force (FATF, whose
secretariat is housed at the Organization for Economic Cooperation and
Development) raised another concern. With electronic banking crossing national
boundaries, whose regulatory authorities will investigate and pursue money
laundering violations? The answer, according to the task force, lies in
coordinating legislation and regulation internationally to avoid the creation of
safe havens for criminal activities.

3.4.3 Operational risk. The reliance on new technology to provide services
makes security and system availability the central operational risk of electronic
banking. Security threats can come from inside or outside the system, so banking
regulators and supervisors must ensure that banks have appropriate practices in
place to protect the confidentiality of data, as well as the integrity of the system
and the data. Banks' security practices should be regularly tested and reviewed by
outside experts to analyze network vulnerabilities and recovery preparedness.
Capacity planning to address increasing transaction volumes and new
technological developments should take account of the budgetary impact of new
investments, the ability to attract staff with the necessary expertise, and potential
dependence on external service providers. Managing heightened operational risks
needs to become an integral part of banks' overall management of risk, and
supervisors need to include operational risks in their safety and soundness
evaluations.

3.4.4 Reputational risk. Breaches of security and disruptions to the system's
availability can damage a bank's reputation. The more a bank relies on electronic
delivery channels, the greater the potential for reputational risks. If one electronic
bank encounters problems that cause customers to lose confidence in electronic
delivery channels as a whole or to view bank failures as systemwide supervisory
deficiencies, these problems can potentially affect other providers of electronic
banking services. In many countries where electronic banking is becoming the
trend, bank supervisors have put in place internal guidance notes for examiners,
and many have released risk-management guidelines for banks.
Reputational risks also stem from customer misuse of security precautions or
ignorance about the need for such precautions. Security risks can be amplified and
may result in a loss of confidence in electronic delivery channels. The solution is
consumer education, a process in which regulators and supervisors can assist. For
example, some bank supervisors provide links on their websites allowing
customers to identify online banks with legitimate charters and deposit insurance.
They also issue tips on Internet banking, offer consumer help lines, and issue
warnings about specific entities that may be conducting unauthorized banking
operations in the country.

3.5 Regulatory tools

There are four key tools that regulators need to focus on to address the new
challenges posed by the arrival of e-banking: adaptation, legalization,
harmonization and integration.

3.5.1 Adaptation. In light of how rapidly technology is changing and what the
changes mean for banking activities, keeping regulations up to date has been, and
continues to be, a far-reaching, time-consuming, and complex task. In May 2001,
the Basel Committee on Banking Supervision, which meets at the Bank for
International Settlements, issued its "Risk Management Principles for Electronic
Banking," which discusses how to extend, adapt, and tailor the existing
risk-management framework to the electronic banking setting. For example, it
recommends that a bank's board of directors and senior management review and
approve the key aspects of the security control process, which should include
measures to authenticate the identity and authorization of customers, promote
non-repudiation of transactions, protect data integrity, and ensure segregation of
duties within e-banking systems, databases, and applications. Regulators and
supervisors must also ensure that their staffs have the relevant technological
expertise to assess potential changes in risks, which may require significant
investment in training and in hardware and software.

3.5.2 Legalization. New methods for conducting transactions, new instruments,
and new service providers will require legal definition, recognition, and
permission. For example, it will be essential to define an electronic signature and
give it the same legal status as the handwritten signature. Existing legal definitions
and permissions (such as the legal definition of a bank and the concept of a
national border) will also need to be rethought.

3.5.3 Harmonization. International harmonization of electronic banking
regulation must be a top priority. This means intensifying cross-border cooperation
between supervisors and coordinating laws and regulatory practices internationally
and domestically across different regulatory agencies. The problem of jurisdiction
that arises from "borderless" transactions is, as of this writing, in limbo. For now,
each country must decide who has jurisdiction over electronic banking involving
its citizens. The task of international harmonization and cooperation can be viewed
as the most daunting in addressing the challenges of electronic banking.

3.5.4 Integration. This is the process of including information technology
issues and their accompanying operational risks in bank supervisors' safety and
soundness evaluations. In addition to the issues of privacy and security, for
example, bank examiners will want to know how well the bank's management has
elaborated its business plan for electronic banking. A special challenge for
regulators will be supervising the functions that are outsourced to third-party
vendors.

Chapter 4
Types of internet banking

4.1 Informational I.B
4.2 Communicative I.B
4.3 Transactional I.B
4.4 Types of risks in Internet banking
4.4.1 Operational risk
4.4.2 Security risk
4.4.3 System architecture and design
4.4.4 Reputational risk
4.4.5 Legal risk
4.4.6 Money laundering risk
4.4.7 Cross border risk
4.4.8 Strategic risk
4.4.9 Other risks
    a. Credit risk
    b. Liquidity risk
    c. Risk of unfair competition

4.1 Informational Internet Banking

This fundamental level of banking does not allow patrons to view or maintain
accounts, nor does it allow for communication between the financial institution and
customers. Informational Internet banking simply means the bank provides basic
information about its products and services, much like a brochure. This is meant
for marketing purposes only, and there is no connection to the bank's main
computer systems. Even so, such a site can be defaced or impersonated by
phishers, so it still carries reputational risk for the bank.

4.2 Communicative Online Banking

Communicative online banking allows for some communication between the
patron and bank. However, this is typically limited to fundamental interactions
such as account inquiries, new account updates, loan or mortgage applications,
contact information updates and balances. Communicative online banking may
connect with the bank's main computer systems.

4.3 Transactional Internet Banking

The most popular online banking type, transactional Internet banking offers all of
the benefits of a traditional brick-and-mortar institution. This includes full control
over your accounts: deposits, withdrawals, transfers, updates and online
payments. Stronger authentication and transport security measures have made
transactional Internet banking reasonably safe and convenient, including on mobile
devices, but because it is connected to the bank's core systems it carries the full
set of risks discussed in section 4.4.

4.4 Risk in internet banking


A major driving force behind the rapid spread of I-banking all over the world is
its acceptance as an extremely cost effective delivery channel of banking services
as compared to other existing channels. However, Internet is not an unmixed
blessing to the banking sector. Along with reduction in cost of transactions, it has
also brought about a new orientation to risks and even new forms of risks to which
banks conducting i-banking expose themselves. Regulators and supervisors all
over the world are concerned that while banks should remain efficient and cost
effective, they must be conscious of the different types of risk this form of banking
entails and have systems in place to manage them. An important and distinctive
feature is that technology plays a significant part both as a source of risk and as a
tool for controlling it. Because of rapid changes in information technology, there is
no finality either in the types of risks or their control measures. Both evolve
continuously. The thrust of regulatory action in risk control has been to identify
risks in broad terms and to ensure that banks have minimum systems in place to
address them and that such systems are reviewed on a continuous basis in
keeping with changes in technology. In the following paragraphs a generic set of
risks is discussed as the basis for formulating the general risk control guidelines
taken up in Chapter 6.

4.4.1 Operational risks:


Operational risk, also referred to as transactional risk, is the most common form of
risk associated with i-banking. It takes the form of inaccurate processing of
transactions, non-enforceability of contracts, compromises in data integrity, data
privacy and confidentiality, unauthorized access / intrusion into banks' systems and
transactions, etc. Such risks can arise out of weaknesses in the design, implementation
and monitoring of banks' information systems. Besides inadequacies in technology,
human factors like negligence by customers and employees, fraudulent activity of
employees and crackers / hackers etc. can become potential sources of operational
risk. Often there is a thin line of difference between operational risk and security
risk, and the two terms are used interchangeably.

4.4.2 Security risks:

The Internet is a public network of computers which facilitates the flow of data and
information and to which there is unrestricted access. Banks using this medium for
financial transactions must, therefore, have proper technology and systems in place
to build a secure environment for such transactions.
Security risk arises on account of unauthorized access to a bank's critical
information stores like the accounting system, risk management system, portfolio
management system, etc. A breach of security could result in direct financial loss to
the bank. For example, hackers operating via the Internet could access, retrieve
and use confidential customer information and could also implant viruses or other
malware. This may result in loss of data, theft of or tampering with customer
information, disabling of a significant portion of the bank's internal computer
systems (thus denying service), the cost of repairing these, etc.
In addition to external attacks, banks are exposed to security risk from internal
sources, e.g. employee fraud. Employees, being familiar with different systems and
their weaknesses, become potential security threats in a loosely controlled
environment. They can manage to acquire authentication data in order to access
customer accounts, causing losses to the bank.
Unless specifically protected, all data / information transferred over the Internet can
be monitored or read by unauthorized persons. There are programs such as
sniffers which can be set up on a network segment, at web servers or at other
critical locations to collect data like account numbers, passwords and credit card
numbers; transport encryption (TLS) is the standard countermeasure. Data
privacy and confidentiality issues are relevant even when data is not being
transferred over the net. Data residing in web servers or even banks' internal
systems are susceptible to compromise if not properly isolated from the Internet
through firewalls.
The risk of unauthorized data alteration, intentional or unintentional, is real
in a networked environment, both when data is being transmitted and when it is
stored. Proper access control and technological tools to ensure data integrity are of
utmost importance to banks. Another important aspect is whether systems are in
place to quickly detect any such alteration and raise an alert.
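One way to detect unauthorized alteration of stored records quickly, added here as an illustration and not taken from the report or from any bank's system, is to chain each record to its predecessor with a cryptographic hash and re-verify the chain on a schedule. The record fields, the constructed sample transactions and the idea of storing the "head" hash out of band are assumptions made for the example.

```python
"""Tamper-evident storage for transaction records: each record carries a
SHA-256 digest that chains to the previous record, so any later alteration,
reordering or deletion is caught by the next verification pass and can
raise an alert.  Added example, not from the original text; the record
fields and the separately stored head hash are illustrative assumptions."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64     # chain anchor for the first record


def record_digest(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same logical record always hashes identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode()).hexdigest()


@dataclass
class Record:
    seq: int
    payload: dict
    prev_hash: str
    digest: str


class ChainedLedger:
    def __init__(self) -> None:
        self.records: List[Record] = []

    def append(self, payload: dict) -> Record:
        prev = self.records[-1].digest if self.records else GENESIS
        rec = Record(len(self.records), dict(payload), prev,
                     record_digest(prev, payload))
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Digest of the last record.  Store it out of band (write-once log,
        signed daily snapshot) so that truncation of the tail is caught too."""
        return self.records[-1].digest if self.records else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the index of the first bad record, len(records) if the tail
        was truncated relative to expected_head, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev:
                return i                      # record removed, inserted or reordered
            if record_digest(prev, rec.payload) != rec.digest:
                return i                      # payload altered after it was written
            prev = rec.digest
        if expected_head is not None and prev != expected_head:
            return len(self.records)          # records dropped from the end
        return None


def build_sample_ledger() -> ChainedLedger:
    """Constructed sample data, not real transactions."""
    led = ChainedLedger()
    led.append({"txn": "T1", "acct": "A-100", "amount": "500.00", "type": "credit"})
    led.append({"txn": "T2", "acct": "A-100", "amount": "120.00", "type": "debit"})
    led.append({"txn": "T3", "acct": "A-200", "amount": "75.00", "type": "debit"})
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    anchor = led.head()
    print(led.verify(anchor))                        # None: intact
    led.records[1].payload["amount"] = "12000.00"    # unauthorized edit in storage
    print(led.verify(anchor))                        # 1: alert on record T2
```

The chain only proves that nothing changed since the head hash was captured; an insider with write access to the whole store could rewrite every digest consistently. That is why the head must be anchored somewhere the writer cannot reach (a separate append-only log or a signed snapshot), which is the segregation-of-duties point made elsewhere in this report.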
Identity of the person making a request for a service or a transaction as a customer
is crucial to legal validity of a transaction and is a source of risk to a bank. A
computer connected to Internet is identified by its IP (Internet Protocol) address.
There are methods available to masquerade one computer as another, commonly
known as IP Spoofing. Likewise user identity can be misrepresented. Hence,
authentication control is an essential security step in any e-banking system.
Non-repudiation involves creating proof of a communication between two parties,
say the bank and its customer, which neither can deny later. Banks' systems must be
technologically equipped to handle these aspects, which are potential sources of
risk.

4.4.3 System architecture and design


Appropriate system architecture and control is an important factor in managing
various kinds of operational and security risks. Banks face the risk of wrong choice
of technology, improper system design and inadequate control processes. For
example, if access to a system is based on only an IP address, any user can gain
access by masquerading as a legitimate user by spoofing IP address of a genuine
user. Numerous protocols are used for communication across the Internet. Each
protocol is designed for specific types of data transfer. A system allowing
communication with all protocols, say HTTP, FTP, telnet etc., is more prone to
attack than one designed to permit, say, only HTTP (for a banking site, only HTTPS).
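The two preceding sections make the same point from different angles: a source IP address can be spoofed, so access must be tied to something the customer proves, and the request itself must be protected against alteration in transit. The following added example, which is not code from the report or from any bank, shows the weak IP-only check next to a request authenticated with a per-customer secret (an HMAC over the whole request, with a timestamp and nonce to stop replays). The key store, the request fields, the five-minute freshness window and the in-memory replay cache are assumptions made for the example.

```python
"""Authenticating an online-banking transaction request by a per-customer
secret rather than by source IP address.  Added example, not from the
original text: the key store, request fields, the 5-minute freshness
window and the in-memory replay cache are illustrative assumptions."""
import hashlib
import hmac
import json
from typing import Dict, Set, Tuple

# Hypothetical per-customer secrets established at enrolment; a real bank
# would keep these in an HSM or vault, never in source code.
CUSTOMER_KEYS: Dict[str, bytes] = {
    "cust-1001": b"example-secret-for-cust-1001",
    "cust-1002": b"example-secret-for-cust-1002",
}
FRESHNESS_SECONDS = 300                 # reject requests whose timestamp is too old or new
_seen_nonces: Set[Tuple[str, str]] = set()   # (customer, nonce) replay cache


def canonical(msg: dict) -> bytes:
    """Serialise the request deterministically so signer and verifier MAC
    exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_request(msg: dict) -> str:
    """Client side: MAC over every field, including customer, ts and nonce,
    so none of them can be altered without invalidating the tag."""
    key = CUSTOMER_KEYS[msg["customer"]]
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


def ip_only_check(source_ip: str, allowlist) -> bool:
    """The weak control described in the text: trusts a source address that
    an attacker can forge (IP spoofing) or share through a proxy or NAT."""
    return source_ip in allowlist


def verify_request(msg: dict, tag: str, now: float) -> Tuple[bool, str]:
    """Server side.  Order matters: check the MAC before anything else so
    unauthenticated input cannot poison the replay cache."""
    key = CUSTOMER_KEYS.get(msg.get("customer"))
    if key is None:
        return False, "unknown customer"
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time compare
        return False, "bad MAC: forged or tampered request"
    if abs(now - msg["ts"]) > FRESHNESS_SECONDS:
        return False, "stale request"
    replay_key = (msg["customer"], msg["nonce"])
    if replay_key in _seen_nonces:
        return False, "replay"
    _seen_nonces.add(replay_key)
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    req = {"customer": "cust-1001", "to": "acct-77", "amount": "250.00",
           "ts": now, "nonce": "n1"}
    tag = sign_request(req)
    print(verify_request(req, tag, now + 10))               # (True, 'ok')
    altered = dict(req, amount="25000.00")                  # edited in transit
    print(verify_request(altered, tag, now + 10))           # bad MAC
    print(verify_request(req, tag, now + 20))               # replay
    print(ip_only_check("203.0.113.9", {"203.0.113.9"}))    # True, yet spoofable
```

Because the MAC key is shared between bank and customer, this gives the bank integrity and origin authentication but not non-repudiation: either party could have produced the tag, so a customer can still deny a transaction. Non-repudiation in the sense of section 4.4.2 needs a digital signature under a key only the customer holds (the "public key encryption, digital signature" techniques the report points to in Chapter 6), and the tag should also travel over TLS so it cannot be captured and studied.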
Choice of appropriate technology is a potential risk banks face. Technology which
is outdated, not scalable or not proven could land the bank in investment loss, a
vulnerable system and inefficient service with attendant operational and security
risks and also risk of loss of business.
Many banks rely on outside service providers to implement, operate and maintain
their e-banking systems. Although this may be necessary when banks do not have
the requisite expertise, it adds to the operational risk. The service provider gains
access to all critical business information and technical systems of the bank, thus
making the system vulnerable. In such a scenario, the choice of vendor, the
contractual arrangement for providing the service, etc., become critical components
of the bank's security. Banks should educate their own staff, and over-dependence
on these vendors should be avoided as far as possible.
Not updating a bank's systems in keeping with rapidly changing technology
increases operational risk because it leaves holes in the bank's security.
Also, staff may fail to understand fully the nature of the new technology
employed. Further, if updating is left entirely to the customer's end, it may not be
updated as required by the bank. Thus education of staff as well as users plays
an important role in avoiding operational risk.
Approaches to reduce security related operational risk are discussed in detail in
Chapter 6. These include access control, use of firewalls, cryptographic techniques,
public key encryption, digital signatures etc.

4.4.4 Reputational risks

Reputational risk is the risk of significant negative public opinion, which
may result in a critical loss of funding or customers. Such risks arise from actions
which cause major loss of public confidence in the bank's ability to perform
critical functions or impair the bank-customer relationship. It may be due to the
bank's own action or due to third party action.
The main reasons for this risk may be system or product not working to the
expectations of the customers, significant system deficiencies, significant security
breach (both due to internal and external attack), inadequate information to
customers about product use and problem resolution procedures, significant
problems with communication networks that impair customers access to their
funds or account information especially if there are no alternative means of
account access. Such situation may cause customer-discontinuing use of product or
the service. Directly affected customers may leave the bank and others may follow
if the problem is publicized.
Other reasons include losses to similar institution offering same type of services
causing customer to view other banks also with suspicion, targeted attacks on a
bank like hacker spreading inaccurate information about bank products, a virus
disturbing banks system causing system and data integrity problems etc.
Possible measures to avoid this risk are to test the system before implementation,
back-up facilities, contingency plans including plans to address customer problems
during system disruptions, deploying virus checking, deployment of ethical
hackers for plugging the loopholes and other security measures.
It is significant not only for a single bank but also for the system as a whole.
Under extreme circumstances, such a situation might lead to systemic disruptions
in the banking system as a whole. Thus the role of the regulator becomes even
more important, since the failure of even a single bank cannot be viewed in isolation.

4.4.5 Legal risks
Legal risk arises from violation of, or non-conformance with laws, rules,
regulations, or prescribed practices, or when the legal rights and obligations of
parties to a transaction are not well established.
Given the relatively new nature of Internet banking, rights and obligations in some
cases are uncertain and applicability of laws and rules is uncertain or ambiguous,
thus causing legal risk.
Other reasons for legal risks are uncertainty about the validity of some agreements
formed via electronic media and law regarding customer disclosures and privacy
protection. A customer inadequately informed about his rights and obligations, may
not take proper precautions in using Internet banking products or services, leading
to disputed transactions, unwanted suits against the bank or other regulatory
sanctions.
In their enthusiasm to enhance customer service, banks may link their Internet sites
to other sites. This may cause legal risk. Further, an attacker may use the linked
site to defraud a bank customer.
If banks are allowed to play a role in authentication of systems such as acting as a
Certification Authority, it will bring additional risks. A digital certificate is
intended to ensure that a given signature is, in fact, generated by a given signer.
Because of this, the certifying bank may become liable for the financial losses
incurred by the party relying on the digital certificate.

4.4.6 Money laundering risk

As Internet banking transactions are conducted remotely, banks may find it
difficult to apply traditional methods for detecting and preventing undesirable
criminal activities. Application of money laundering rules may also be
inappropriate for some forms of electronic payments. Thus banks expose
themselves to money laundering risk. This may result in legal sanctions for
non-compliance with 'know your customer' laws.
To avoid this, banks need to design proper customer identification and screening
techniques, develop audit trails, conduct periodic compliance reviews, frame
policies and procedures to spot and report suspicious activities in Internet
transactions.
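The paragraph above asks banks to "spot and report suspicious activities in Internet transactions". As an added illustration, not part of the report and not any bank's or regulator's rule set, the following screens a batch of transactions for two classic laundering patterns: structuring (several deposits kept just under a reporting threshold within a few days) and rapid pass-through (a large credit moved out again almost immediately). The threshold, windows, ratios and the sample transactions are constructed assumptions; real programmes tune these from case history and add customer-profile context.

```python
"""Rule-based screening of online transactions for two classic laundering
patterns: structuring (several deposits kept just under a reporting
threshold within a few days) and rapid pass-through (funds received and
sent on again almost immediately).  Added example, not from the original
text; the threshold, windows and ratios are illustrative assumptions, not
any regulator's figures, and the transactions are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

REPORT_THRESHOLD = 10_000.0      # amount at/above which a report would be required
STRUCTURING_BAND = 0.85          # deposits in [85%, 100%) of the threshold
STRUCTURING_WINDOW = 3 * 86_400  # seconds
STRUCTURING_MIN_COUNT = 3
PASSTHROUGH_WINDOW = 3_600       # seconds between a credit and matching debits
PASSTHROUGH_RATIO = 0.9          # fraction of the credit moved out again
PASSTHROUGH_MIN_AMOUNT = 5_000.0
DAY = 86_400


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    kind: str        # "in" (credit) or "out" (debit)
    amount: float
    ts: int          # seconds since epoch


def _by_account(txns: List[Txn]) -> Dict[str, List[Txn]]:
    grouped: Dict[str, List[Txn]] = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        grouped[t.account].append(t)
    return grouped


def detect_structuring(txns: List[Txn]) -> List[Tuple[str, str, List[str]]]:
    """Sliding window over just-under-threshold credits, per account."""
    alerts = []
    low = REPORT_THRESHOLD * STRUCTURING_BAND
    for acct, seq in _by_account(txns).items():
        deps = [t for t in seq if t.kind == "in" and low <= t.amount < REPORT_THRESHOLD]
        start = 0
        for end in range(len(deps)):
            while deps[end].ts - deps[start].ts > STRUCTURING_WINDOW:
                start += 1
            if end - start + 1 >= STRUCTURING_MIN_COUNT:
                alerts.append(("structuring", acct, [d.txn_id for d in deps[start:end + 1]]))
                break                          # one alert per account is enough
    return alerts


def detect_passthrough(txns: List[Txn]) -> List[Tuple[str, str, str]]:
    """A sizeable credit followed within the window by debits that move most
    of it straight out again."""
    alerts = []
    for acct, seq in _by_account(txns).items():
        for i, t in enumerate(seq):
            if t.kind != "in" or t.amount < PASSTHROUGH_MIN_AMOUNT:
                continue
            moved_out = sum(u.amount for u in seq[i + 1:]
                            if u.kind == "out" and u.ts - t.ts <= PASSTHROUGH_WINDOW)
            if moved_out >= PASSTHROUGH_RATIO * t.amount:
                alerts.append(("pass-through", acct, t.txn_id))
    return alerts


def screen(txns: List[Txn]) -> List[tuple]:
    """Everything an analyst would be asked to review, in one list."""
    return detect_structuring(txns) + detect_passthrough(txns)


# Constructed sample data (not real customer activity).
SAMPLE: List[Txn] = [
    Txn("T1", "A-100", "in", 9_500.0, 0 * DAY),
    Txn("T2", "A-100", "in", 9_800.0, 1 * DAY),
    Txn("T3", "A-100", "in", 9_200.0, 2 * DAY),
    Txn("T4", "B-200", "in", 20_000.0, 1_000),
    Txn("T5", "B-200", "out", 19_500.0, 2_500),
    Txn("T6", "C-300", "in", 9_900.0, 5 * DAY),
    Txn("T7", "C-300", "out", 100.0, 5 * DAY + 60),
]

if __name__ == "__main__":
    for alert in screen(SAMPLE):
        print(alert)
```

Account A-100 trips the structuring rule, B-200 the pass-through rule, and C-300 neither (a single just-under-threshold deposit is not a pattern). Such rules are deliberately simple and will produce false positives; they are a filter that feeds human review and the audit trail, not a substitute for the customer identification the paragraph calls for.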

4.4.7 Cross border risks


Internet banking is based on technology that, by its very nature, is designed to
extend the geographic reach of banks and customers. Such market expansion can
extend beyond national borders. This causes various risks.
It includes legal and regulatory risks, as there may be uncertainty about legal
requirements in some countries and jurisdiction ambiguities with respect to the
responsibilities of different national authorities. Such considerations may expose
banks to legal risks associated with non-compliance of different national laws and
regulations, including consumer protection laws, record-keeping and reporting
requirements, privacy rules and money laundering laws.

If a bank uses a service provider located in another country, it will be more
difficult to monitor it, thus causing operational risk. Also, the foreign-based service
provider or foreign participants in Internet banking are sources of country risk to
the extent that foreign parties become unable to fulfill their obligations due to
economic, social or political factors.
Cross border transaction accentuates credit risk, since it is difficult to appraise an
application for a loan from a customer in another country compared to a customer
from a familiar customer base. Banks accepting foreign currencies in payment for
electronic money may be subjected to market risk because of movements in
foreign exchange rates.

4.4.8 Strategic risk


This risk is associated with the introduction of a new product or service. Degree of
this risk depends upon how well the institution has addressed the various issues
related to development of a business plan, availability of sufficient resources to
support this plan, credibility of the vendor (if outsourced) and level of the
technology used in comparison to the available technology etc.
For reducing such risk, banks need to conduct proper survey, consult experts
from various fields, establish achievable goals and monitor performance. Also they
need to analyze the availability and cost of additional resources, provision of
adequate supporting staff, proper training of staff and adequate insurance coverage.
Due diligence needs to be observed in selection of vendors, audit of their
performance and establishing alternative arrangements for possible inability of a
vendor to fulfill its obligations. Besides this, periodic evaluations of new
technologies and appropriate consideration of the costs of technological
upgradation are required.

4.4.9 Other risks


Traditional banking risks such as credit risk, liquidity risk, interest rate risk and
market risk are also present in Internet banking. These risks get intensified due to
the very nature of Internet banking on account of use of electronic channels as well
as absence of geographical limits. However, their practical consequences may be of
a different magnitude for banks and supervisors than operational, reputational and
legal risks. This may be particularly true for banks that engage in a variety of
banking activities, as compared to banks or bank subsidiaries that specialize in
Internet banking.

(a) Credit risk is the risk that a counterparty will not settle an obligation for full
value, either when due or at any time thereafter. Banks may not be able to properly
evaluate the creditworthiness of a customer while extending credit through
remote banking procedures, which could increase credit risk. Presently, banks
generally deal with a more familiar customer base. The facility of electronic bill
payment in Internet banking may cause credit risk if a third party intermediary fails
to carry out its obligations with respect to payment. Proper evaluation of the
creditworthiness of a customer and audit of the lending process are a must to avoid
such risk.
Another facility of Internet banking is electronic money. It brings various types
of risk with it. If a bank purchases e-money from an issuer in order to
resell it to a customer, it exposes itself to credit risk in the event of the issuer
defaulting on its obligation to redeem the electronic money.

(b) Liquidity risk arises out of a bank's inability to meet its obligations when
they become due without incurring unacceptable losses, even though the bank may
ultimately be able to meet its obligations. It is important for a bank engaged in
electronic money transfer activities to ensure that funds are adequate to cover
redemption and settlement demands at any particular time. Failure to do so, besides
exposing the bank to liquidity risk, may even give rise to legal action and
reputational risk.
Similarly banks dealing in electronic money face interest rate risk because of
adverse movements in interest rates causing decrease in the value of assets relative
to outstanding electronic money liabilities. Banks also face market risk because of
losses in on-and-off balance sheet positions arising out of movements in market
prices including foreign exchange rates. Banks accepting foreign currency in
payment for electronic money are subject to this type of risk.
(c) Risk of unfair competition: Internet banking is going to intensify competition
among banks. The open nature of the Internet may induce a few banks to use
unfair practices to gain advantage over rivals. Any weakness in a rival's network
connections or operating systems may allow them to interfere with that bank's systems.
Thus one can find that along with the benefits, Internet banking carries various
risks for the bank itself as well as for the banking system as a whole. The rapid pace of
technological innovation is likely to keep changing the nature and scope of the risks
banks face. These risks must be balanced against the benefits. Supervisory and
regulatory authorities are required to develop methods for identifying new risks,
assessing risks, managing risks and controlling risk exposure. But authorities need
to keep in consideration that the development and use of Internet banking are still
in their early stages, and policies that hamper useful innovation and
experimentation should be avoided. Thus authorities need to encourage banks to
develop a risk management process rigorous and comprehensive enough to deal
with known risks and flexible enough to accommodate changes in the type and
intensity of the risks.


Chapter 5
RISK MANAGEMENT PRINCIPLES


5.1 Meaning
5.1 The risk management principles set out five broad and overlapping categories of
issues: Board and Management Oversight; Security Controls; Outsourcing
Management; Legal and Reputational Risk Management; and Management of Cross-
Border Activities. They are summarized below and discussed in more detail in the
sections that follow.
5.2 The board of directors and senior management are responsible for developing
the authorized institution's business strategy and establishing effective
management oversight over risks. Therefore they are expected to take an
explicit, informed and documented strategic decision as to whether and how
the authorized institution is to provide electronic banking services. They
should also decide on the specific accountabilities, policies and controls to
address risks, as well as the review and approval of the key aspects of the
authorized institution's security control process and of a process for managing
risks associated with outsourcing relationships and third-party dependencies.
5.3 The substance of the security control processes of authorized institutions
should include the establishment of appropriate authorization privileges and
authentication measures, logical and physical access controls, adequate
infrastructure security to maintain appropriate boundaries and restrictions on
both internal and external user activities, and data integrity of transactions,
records and information. The existence of clear audit trails for all electronic
banking transactions should be ensured, and measures to preserve confidentiality of
data and records should be commensurate with the sensitivity of such information.
Authorized institutions should maintain an ongoing awareness of attack threats and
train their staff in the technology controls they use and the relevant rules. Security
awareness training is also important for all users, including customers of
authorized institutions.

5.4 Some authorized institutions may rely on another unit of the same group (e.g.
head office) and outside service providers to operate and maintain systems or
business processes that support their electronic banking services. Increased
reliance upon partners and third party service providers lessens authorized
institutions' direct control over electronic banking functions. Moreover, as electronic
banking applications and services have become more technologically advanced and
have grown in strategic importance, risk may become concentrated
upon a small number of specialized third party vendors and service providers.
These factors underscore the need for a comprehensive and ongoing evaluation of
outsourcing relationships and other external dependencies. Therefore steps should
be taken to ensure that authorized institutions' existing risk management processes,
security control processes, due diligence and oversight processes for outsourcing
relationships are appropriately evaluated and modified to accommodate electronic
banking services.
5.5 Authorized institutions generally have a clear responsibility to provide their
customers with a level of comfort regarding information disclosures, protection of
customer data and business availability. To minimize and protect themselves
against legal and reputation risks associated with electronic banking activities,
authorized institutions should make adequate disclosure of information on their
web sites, take appropriate measures to ensure adherence to customer privacy
requirements and deliver electronic banking services on a consistent and timely
basis in accordance with high customer expectations for constant and rapid
availability and potentially high transaction demand. Authorized institutions should
have the ability to deliver electronic banking services to all end-users and be able
to maintain such availability in all circumstances. Effective incident response
mechanisms are also critical to minimize operational, legal and reputation risks
arising from unexpected events, including internal and external attacks, that may
affect the provision of electronic banking systems and services. To meet customers'
expectations, authorized institutions should therefore have effective capacity,
business continuity and contingency planning. Authorized institutions should also
develop appropriate incident response plans, including communication strategies,
that ensure business continuity, control reputation risk and limit liability associated
with disruptions in their electronic banking services.
5.6 The Internet greatly facilitates an authorized institution's ability to distribute
products and services over virtually unlimited geographic territories. If an
authorized institution in one jurisdiction provides such cross-border transactional
on-line banking products and services to residents of another jurisdiction without
any licensed physical presence in the host jurisdiction, it is subject to
increased legal, regulatory and country risk due to the substantial differences that
may exist between jurisdictions with respect to licensing, supervision and customer
protection requirements. To avoid inadvertent non-compliance with a foreign
country's laws or regulations, as well as to manage relevant country risk factors,
authorized institutions contemplating cross-border electronic banking operations
need to fully explore these risks before undertaking such operations and effectively
manage them.

5.2 BOARD AND MANAGEMENT OVERSIGHT


5.2.1 The board of directors and senior management have the responsibility and
accountability to manage and control the risks associated with electronic banking.
Sound and robust risk management for electronic banking calls for them to fully
recognize the challenges posed by the fundamental characteristics of electronic
banking and to possess the knowledge and skill to manage the authorized
institution's use of electronic banking technologies and products, and thereby to
modify the existing control system appropriately to ensure that it is robust enough
to identify, assess, monitor and control the risks associated with electronic banking.
For this reason, amongst others, the board and senior management should:
(a) conduct an adequate up-front strategic review and thorough analysis of the costs,
benefits and risks before:
reaching the decision to integrate electronic banking activities into the
corporate strategic goals;
establishing the authorized institution's risk appetite; and
choosing the level of such services (see note 3 below);
(b) assess the feasibility of the business plans and ascertain that the authorized
institution has sufficient financial, human and technical resources and expertise
(which may include in-house or outsourced expertise) as well as adequate risk
management and internal control procedures to provide electronic banking
services;
(c) establish policies and procedures that are fit for purpose to assess, monitor
and control the risks associated with electronic banking in a timely manner. These
include the establishment of:
key delegations and reporting mechanisms, including the necessary escalation
procedures for incidents that impact the authorized institution's safety, soundness
or reputation;
where applicable, control measures to ensure compliance with the due diligence
requirements for non-face-to-face customers stipulated in relevant supervisory
guidelines (e.g. the AMCM's Anti-Money Laundering and Combating the
Financing of Terrorism Guideline for Financial Institutions); and
other necessary steps to address the unique risk factors associated with ensuring
the integrity and availability of electronic banking products and services;


(d) maintain a strong security control system for electronic banking activities in
order to manage and minimize security risks caused by potential internal and
external security threats;
(e) establish a comprehensive and ongoing due diligence and oversight process for
managing the authorized institution's outsourcing relationships and other third
party dependencies supporting electronic banking;
(f) put in place effective legal and reputational risk management controls, including
customer protection and education, information disclosures and a viable business
recovery and continuity plan throughout the authorized institution to ensure
continued availability of electronic banking services and to manage unexpected
events, including internal and external attacks that may hamper the provision of
electronic banking services; and
(g) put in place effective management controls for its cross-border electronic
banking activities, if any.
Note 3: Typically, electronic banking services can be broadly categorized into three
levels: (i) informational, which provides marketing information about an authorized
institution's products and services; (ii) simple transactional, which allows some
interaction between the authorized institution's system and the customer and which
may be limited to account inquiry, loan applications, static file updates and
submission of information by customers, but does not permit any account transfers;
and (iii) advanced transactional, which allows customers to electronically transfer
funds to/from their accounts, pay bills, and conduct other transactions online etc.
5.2.2 In view of the constant changes occurring in the electronic banking
environment, the board and senior management should on a regular basis review
the relevant policies and procedures to ascertain that they are both appropriate and
timely to the nature and scope of electronic banking activities.
The board and senior management should assess the financial impact of the
implementation and ongoing maintenance of electronic banking services and
consider the potential impact on the authorized institution's customer base, loan
quality and composition, deposit volume, volatility, liquidity sources, and
transaction volume, as well as the impact on other relevant factors that may be
affected by the adoption of new delivery channels. These areas should be
monitored and analyzed on an ongoing basis to ensure that any impact on the
authorized institution's financial condition resulting from electronic banking
services is appropriately managed and controlled.
5.2.3 The board and senior management's monitoring of the electronic banking
activities may also be exercised through the review of periodic reports tracking
customer usage, complaints, downtime, unreconciled transactions, and system
usage relative to capacity. An appropriate independent audit function is also an
important component of monitoring. The audit coverage should be expanded
commensurate with the increased complexity and risks inherent in electronic
banking activities and should include the entire electronic banking process as
applicable (i.e. network configuration and security, interfaces to legacy systems,
regulatory compliance, internal controls, support activities performed by third-party
providers etc.).
5.3 SECURITY CONTROLS
5.3.1 Authorized institutions should recognize that electronic banking must be
secure to achieve a high level of confidence among both customers and businesses.
It is the responsibility of bank management to provide adequate assurance that
transactions performed and information flowing through the electronic delivery
channels are properly protected. For this reason, a strong and comprehensive
electronic banking security control system should be maintained.


5.3.2 To address and control the relevant risks and security threats in electronic
banking, the security control system of authorized institutions should meet the
following objectives:
(a) Authentication. Authorized institutions should use reliable and appropriate
authentication methods to validate and verify the identity and authorization of their
electronic banking customers. The authentication method an authorized institution
chooses to use in a specific electronic banking application should be appropriate
and reasonable in light of the management's assessment of the risks in that
application. An authorized institution should weigh the cost of the authentication
method, including technology and procedures, against the level of protection it
affords and the value or sensitivity of the transaction or data to both itself and the
customers. Authorized institutions should also note that the constituents of a
reasonable system might change over time as technology and standards evolve. In
basic terms, the process of authentication is to validate the claimed identity of the
customer by verifying one or more of the three factors: what the customer
knows (usually a password or personal identification number), what the
customer has (such as a smart card, a security token or digital certificate) and
what the customer is (such as a biometric characteristic like a fingerprint or iris
pattern). Authentication methods that depend on more than one factor are typically
more difficult to compromise than single-factor systems (see note 4 below) and
thereby provide more reliable authentication. The use of single-factor authentication
alone is generally considered not adequate for sensitive communications, high
value transactions, third party transfers or privileged user access (e.g. network
administrators). Multi-factor techniques are necessary in those cases unless there
are adequate security measures, risk mitigating controls (e.g. in some authorized
institutions, third-party transfers are restricted to accounts that have been pre-
registered) and effective monitoring mechanisms to detect suspicious transactions
and unusual activities.
Note 4: For example, the use of a customer identification and password is
considered single-factor authentication since both items are something the
customer knows.

(b) Non-repudiation. Non-repudiation involves creating proof of the origin or
delivery of electronic information to protect the sender against false denial by the
recipient that the data have been received, or to protect the recipient against false
denial by the sender that the data have been sent. Authorized institutions should,
commensurate with the materiality and type of the electronic banking transaction,
implement adequate measures to safeguard the accuracy and completeness of
electronic information transmitted over external and internal networks to help
establish non-repudiation and ensure confidentiality and integrity of electronic
banking transactions. For example, the use of public key cryptography, digital
signature and digital certificate arrangements can uniquely identify the person who
initiates a transaction, append a digital signature to the transaction, detect
unauthorized modifications and prevent subsequent disavowal.

(c) Data and transaction integrity. Data integrity refers to the assurance that
information transmitted, processed or stored is not altered without authorization.
Failure to maintain the data integrity of transactions, records and information can
expose authorized institutions to financial losses as well as to substantial legal and
reputation risks. Authorized institutions should therefore ensure that appropriate
measures are in place to ascertain the accuracy, completeness and reliability of
information processed, transmitted, or stored. The common practices used to
maintain data integrity within an electronic banking environment include:
electronic banking transactions should be conducted in a manner that makes
them highly resistant to tampering throughout the entire process;
electronic banking records should be stored, accessed and modified in a manner
that makes them highly resistant to tampering;
electronic banking transaction and record-keeping processes should be designed
in a manner as to make it virtually impossible to circumvent detection of
unauthorized changes;
adequate change control policies, including monitoring and testing procedures,
should be in place to protect against any electronic banking system changes that
may erroneously or unintentionally compromise controls or data reliability; and
any tampering with electronic banking transactions or records should be
detected by transaction processing, monitoring and record keeping functions.

(d) Segregation of duties. Segregation of duties is an essential element of
internal controls designed to reduce the risk of fraud in operational processes and
systems and ensure that transactions and assets are properly authorized.
Responsibilities and duties that should be separated and performed by different
groups of personnel are operating systems function, system design and
development, application maintenance programming, computer operations,
database administration, security administration, data security, librarian and backup
data file custody. It is also desirable that job rotation and cross training for security
administration functions be instituted. Transaction processes should be designed so
that no single person could initiate, approve, execute and enter transactions into a
system in a manner that would enable fraudulent actions to be perpetrated and
concealed.

(e) Authorization controls. Authorized institutions need to strictly control
authorization and access privileges, as failure to provide adequate authorization
control could allow individuals to alter their authority, circumvent segregation and
gain access to electronic banking systems, networks, databases or applications to
which they are not privileged. Authorization and access rights should be based on job
responsibility and the necessity to have them to fulfill one's duties. In principle:
no person by virtue of rank or position should have any intrinsic right to access
confidential data, applications, system resources or facilities. Only employees with
proper authorization should be allowed to access confidential information and use
system resources solely for legitimate purposes;
no one should have concurrent access to both production systems and backup
systems, particularly data files and computer facilities; and
any person who needs to access backup files or system recovery resources
should be duly authorized for a specific reason and a specified time only.

(f) Maintenance of audit trails. An authorized institution's internal control
may be weakened if it is unable to maintain clear audit trails for its electronic
banking activities. Authorized institutions should therefore ensure that clear audit
trails exist for all electronic banking transactions so that all critical electronic
banking events and applications can be independently audited. In particular, clear
audit trails should exist for the following types of electronic banking
transactions:
the opening (see note 5 below), modification or closing of a customer's account;
any transaction with financial consequences;
any authorization granted to a customer to exceed a limit; and
any granting, modification or revocation of system access rights or privileges.
Note 5: The authorized institution should have applied its customer identification
process at the outset of its relationship with the customer, in accordance with the
AMCM's AML/CFT Guideline for Financial Institutions.

(g) Confidentiality of sensitive information. Confidentiality is the
assurance that sensitive information is only accessible by authorized parties.
Misuse or unauthorized disclosure of sensitive data and records exposes an
authorized institution to both reputation and legal risks. Therefore, authorized
institutions should implement appropriate technologies to maintain the confidentiality
and integrity of sensitive information, in particular customer information, while it is
being transmitted over internal and external networks and also when it is stored inside
the authorized institution's internal systems. Cryptographic technologies can be used
to protect the confidentiality and integrity of sensitive information. Authorized
institutions should choose cryptographic technologies that are appropriate to the
sensitivity and importance of the information and the extent of protection needed, and
only those making use of internationally recognized cryptographic algorithms whose
strength has been subjected to extensive testing.
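The integrity requirement in (c) (any tampering with records must be detected by the record-keeping functions) and the audit-trail events listed in (f) can be met together with a hash-chained log, in which every entry commits to the hash of its predecessor. The following Python example is added here and is not part of the guideline or of any institution's system; the event names, actors, account identifiers and amounts are constructed for the demonstration.

```python
"""Tamper-evident audit trail: each entry is hash-chained to its predecessor."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry

# Event types that 5.3.2(f) says must leave a clear audit trail.
AUDITABLE_EVENTS = {
    "ACCOUNT_OPEN", "ACCOUNT_MODIFY", "ACCOUNT_CLOSE",  # customer account lifecycle
    "FINANCIAL_TXN",                                    # anything with financial consequences
    "LIMIT_OVERRIDE",                                   # authorization to exceed a limit
    "ACCESS_GRANT", "ACCESS_MODIFY", "ACCESS_REVOKE",   # system access rights / privileges
}


def _digest(record):
    """SHA-256 over a canonical JSON form, so key order cannot change the hash."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def head(self):
        """Hash of the latest entry; record this out-of-band (e.g. with the auditor)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, event_type, actor, subject, details):
        if event_type not in AUDITABLE_EVENTS:
            raise ValueError("not an auditable event type: %s" % event_type)
        entry = {
            "seq": len(self.entries),
            "event": event_type,
            "actor": actor,        # who performed the action
            "subject": subject,    # account or user the action applies to
            "details": details,
            "prev_hash": self.head(),
        }
        entry["hash"] = _digest(entry)   # covers every field above, including prev_hash
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Return (ok, index): index is the first bad entry, or -1 when intact.

        Detects edited, deleted, inserted or reordered entries. Removal of the
        *last* entries is only visible when expected_head, the head hash that was
        recorded out-of-band, is supplied.
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            unsigned = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or _digest(unsigned) != entry["hash"]):
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1


def build_sample_trail():
    """Constructed sample events (all identifiers and amounts are invented)."""
    trail = AuditTrail()
    trail.append("ACCOUNT_OPEN", "teller-07", "acct-1001", {"kyc_ref": "KYC-DEMO-0001"})
    trail.append("FINANCIAL_TXN", "cust-1001", "acct-1001",
                 {"type": "transfer", "to": "acct-2002", "amount": "250.00"})
    trail.append("LIMIT_OVERRIDE", "supervisor-02", "acct-1001", {"daily_limit": "10000.00"})
    trail.append("ACCESS_GRANT", "secadmin-01", "user:ops-15", {"role": "read-only"})
    return trail


def tampered_copy(trail, seq, field_name, new_value):
    """Simulate an after-the-fact edit of one stored record."""
    clone = copy.deepcopy(trail)
    clone.entries[seq]["details"][field_name] = new_value
    return clone


def deleted_copy(trail, seq):
    """Simulate removal of one stored record."""
    clone = copy.deepcopy(trail)
    del clone.entries[seq]
    return clone


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    print("amount edited:", tampered_copy(trail, 1, "amount", "25000.00").verify())
    print("tail removed, chain only:", deleted_copy(trail, 3).verify())
    print("tail removed, with stored head:", deleted_copy(trail, 3).verify(trail.head()))
```

The last two lines of the demo show the edge case that matters in practice: a chain alone cannot see that its newest entries were dropped, so the head hash has to be kept somewhere the record-keeping system cannot rewrite.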
5.3.3 The security controls of authorized institutions may involve the use of
hardware and software tools and other security measures to deter unauthorized
access to all critical electronic banking systems, servers, networks, databases and
applications. In addition to fulfilling the objectives to safeguard the
authenticity and confidentiality of data and operating processes, authorized
institutions should ensure an appropriate level of application security, put in place
infrastructure that conforms to industry sound practices and implement other
controls sufficient to manage the unique security risks confronting them. The
relevant control considerations include but are not limited to:
(a) ongoing awareness of attack sources, scenarios, and techniques;
(b) up-to-date equipment inventories and network maps;
(c) rapid identification and mitigation of vulnerabilities;
(d) network access controls over external connections;
(e) use of intrusion detection tools and intrusion response procedures; and
(f) physical security of all electronic banking computer equipment and media.


5.3.4 Authorized institutions should evaluate their security control system
periodically to ensure continued effectiveness. Ongoing training at different levels
of staff should also be provided in order to help them acquire the necessary skills to
comply with the security control system and to keep abreast of technological
and industry advancements. For those who oversee the key technology controls
such as firewalls, intrusion prevention/detection, and device configuration,
technical training is particularly important.
5.3.5 Authorized institutions' security risks may be heightened if their customers
do not know or understand the necessary security precautions relating to the use of
electronic banking services. To complement the above-mentioned security controls,
authorized institutions should provide easy-to-understand advice to their customers on
electronic banking security precautions through effective channels (e.g. their
websites, messages on customer statements, promotional leaflets, and circumstances
when frontline staff communicate with customers etc.) and make them aware of their
responsibility to take reasonable measures (see note 6 below).
5.3.6 The advice to customers on the need to take precautionary measures against
fraudulent websites and e-mails is particularly important. It has been noted that one
tactic frequently used by fraudsters is to send out emails purporting to be
sent by an authorized institution. The email normally requests the recipients to
connect to a fake website via an embedded hyperlink, in order to trick the
recipients into revealing sensitive information such as electronic banking account
login names and passwords. The advice to be given by authorized institutions
should therefore include a reminder that customers should not access electronic
banking accounts through hyperlinks embedded in emails or Internet search
engines. Authorized institutions should remain alert to the existence of
any fraudulent websites and should make clear to their customers that they
would not ask for sensitive account and personal information via emails. In case
authorized institutions find any fraudulent website that looks similar to their own,
they are expected to:
(a) report the case to the Judiciary Police with advice to the AMCM;
(b) issue a press release to clarify that they have no connection with the fraudulent
website and, in case there were emails containing hyperlinks to the fraudulent
website, that they have not sent such emails; and
(c) ask the customers who have conducted financial transactions through the
website to contact them for remedial actions.
5.4 OUTSOURCING MANAGEMENT
5.4.1 It has become quite common for authorized institutions to outsource certain
parts or all of their electronic banking operations to an affiliate or to third party
service providers (see note 7 below). Whatever the reasons for outsourcing, authorized
institutions should note that their responsibilities and accountabilities would not be
diminished or relieved by the outsourcing of their operations. Specifically, their duty
to maintain secrecy under the Financial System Act, the Personal Data Protection Law
and other statutory provisions will continue to apply to them after outsourcing.
Authorized institutions should therefore provide effective oversight of the service
providers' activities to identify and control the resulting risks and to ensure that their
outsourcing arrangements are in compliance with relevant statutory requirements.
Authorized institutions are expected to adopt the sound practices on outsourcing
given under paragraphs 6.2 to 6.6 below. Additional sound practices for managing
outsourced electronic banking systems can also be found in Appendix II of the
Basel Committee's paper Risk Management Principles for Electronic Banking.
Note 6 (to 5.3.5): For example, to install anti-virus and firewall software on their
personal computers, and to update the anti-virus and firewall products with security
patches or newer versions on a regular basis etc.
Note 7: The operations to be outsourced may include the operating of software
applications, web site hosting and development, Internet access, and customer service
or call-centre maintenance etc. In the case of stored value card schemes, the specific
operations to be outsourced may include, for example, balance enquiry functions, the
uploading of value to the cards and the transfer of value that has been
5.4.2 Authorized institutions should understand fully the risks associated with
entering into an outsourcing arrangement. Before a service provider is appointed,
due diligence should be carried out to consider the service provider's financial
condition, experience, expertise, technological compatibility, and customer
satisfaction.
5.4.3 There should be a formal contract between the authorized institution and the
service provider. The terms and conditions governing the roles, relationships,
obligations and responsibilities of the concerned parties should be carefully and
properly defined in writing. Examples of the contract issues include:
(a) restrictions on use of non-public customer information collected or stored by
the service provider;
(b) requirements for appropriate controls to protect the security of customer
information held by the service provider and, ownership of the information after
expiration or termination of the contract;
(c) service-level standards such as website up-time, hyperlink performance,
customer service response times, etc;
(d) incident response plans, including notification responsibilities, to respond to
website outage, defacement, unauthorized access, or malicious code;
(e) business continuity plans for electronic banking services including alternate
processing lines, backup servers, emergency operating procedures, etc;
(f) provisions for the conduct of independent reviews and/or audits of security,
internal controls and business continuity and contingency plans;
(g) limitations on subcontracting of services, either domestically or
internationally; and
(h) choice of law and jurisdiction for dispute resolution and access to information
by the authorized institution and relevant regulators.
5.4.4 Authorized institutions should require service providers to implement
security policies, procedures and controls that are at least as stringent as the
authorized institutions would expect for their own operations. They should also
require service providers to develop and implement viable contingency and
business continuity plans to ensure the continuity of their service and performance.
Such plans should be reviewed, updated and tested regularly by the service
providers in accordance with changing technological conditions and operational
requirements.
5.4.5 On a regular basis authorized institutions should conduct due diligence
reviews to evaluate whether service providers are capable of delivering the required
level of performance, able to maintain an adequate level of security, and keeping
abreast of the rapidly changing technology. Appropriate processes should also be
established to monitor the service provider's financial condition and contract
compliance. Authorized institutions should track the performance of the services
provided and/or any security problems or the service provider's financial condition
through online or periodic written reports from service providers. The information to
be required includes, but is not limited to, the following:
(a) availability of service, e.g. statistics regarding the frequency and duration
of service disruption (including the reasons for disruptions), up-time and down-
time percentages, and volume and type of access problems reported by customers;
(b) level and volume of activities, e.g. number of accounts serviced, web
pages viewed, number and percentage of new, active or inactive accounts, and
type, number and value of transactions;
(c) efficiency of performance, e.g. average response times by time of day,
server capacity utilization, type of customer service enquiry and average time to
resolution;
(d) incidents on security, e.g. volume of rejected log-on attempts, password
resets, attempted and successful penetration attempts, number and type of trapped
viruses or other malicious code, and any physical security breaches;
(e) stability of service provider, e.g. quarterly or annual financial reports,
number of new or departing customers, changes in systems, employee turnover and
changes in management positions; and
(f) assurance on quality, e.g. reports on performance, audit results, penetration
tests, and vulnerability assessments.
5.4.6 Throughout the course of outsourcing, authorized institutions should have in
place contingency plans to prepare for the possibility that the current service
providers might not be able to continue operations or render the services required.
Such plans should also cater for the need to change the service providers or the
service relationship due to substandard performance of the service providers or any
other problems identified in the above due diligence process.
5.4.7 Regular audits of the outsourced operations will help ensure that relevant
controls are appropriate and functioning properly. In addition to the
abovementioned oversight processes, authorized institutions should ensure that
periodic independent internal and/or external audits are conducted on the
outsourced operations to at least the same scope required if such operations were
conducted in-house.
5.7 LEGAL AND REPUTATIONAL RISK MANAGEMENT
5.7.1 In electronic banking, the face-to-face interaction and the paper-based
exchange of information with customers are limited. Therefore it is particularly
important for authorized institutions to provide their electronic banking customers
with appropriate disclosure, to protect customer data, and to maintain business
availability that approaches the level at which traditional banking distribution
channels are used. Failure to comply with these responsibilities could result in
significant legal and reputation risks for the authorized institutions.
5.7.2 Before offering a new electronic banking service to customers, authorized
institutions should evaluate carefully the legal and reputation risks associated with
such service. Authorized institutions should also perform regular assessments to
ensure that their controls for managing legal and reputation risks remain proper
and adequate. When it is possible and appropriate, authorized institutions may take
out insurance for their electronic banking activities.
5.7.3 Examples of the controls for legal and reputation risks include:

(a) Information disclosures. Authorized institutions should ensure that
adequate information is disclosed to avoid customer confusion and to allow
potential customers to make a determination of their identity and regulatory status
prior to entering into electronic banking transactions. For example, the information
that an authorized institution may provide to its customers / potential customers on
its website includes but is not limited to:
the name of the authorized institution and the location of its head office;
the identity of the primary supervisory authority responsible for the supervision
of the authorized institution's head office;
instructions on how customers can contact the authorized institution's customer
service center regarding service problems, complaints, suspected misuse of
accounts, etc.;
the terms and conditions applying to electronic banking products and services,
which should set out clearly the respective rights, obligations and responsibilities
between the authorized institution and its customers;
the authorized institution's customer privacy and security policy and security
measures and reasonable precautions customers should take when accessing their
online accounts;
the jurisdictions to which the authorized institution intends to provide electronic
banking services or, conversely, the jurisdictions to which it does not intend to
provide its products and services; and
other information that may be appropriate or required by specific jurisdictions.

(b) Customer privacy and confidentiality. Maintaining the privacy of a
customer's information is a key responsibility for an authorized institution.
Authorized institutions should ensure that their privacy policies and standards
comply with applicable privacy laws and regulations. For example, reasonable
endeavors should be made to ensure that:
the authorized institution's customer privacy policies and standards take account
of and comply with all privacy regulations and laws applicable to the jurisdictions
to which it is providing electronic banking products and services;
customers are informed of the authorized institution's privacy policies and
relevant privacy issues concerning use of electronic banking products and services;
customers may disallow the authorized institution from sharing with a third party for
cross-marketing purposes any information about the customer's personal needs,
interests, financial position or banking activity;
customer data are not used for purposes beyond those for which they are specifically
allowed or which customers have authorized; and
the authorized institution's standards for customer data use are met when
third parties have access to customer data through outsourcing relationships.
Additional sound practices for maintaining the privacy of customer electronic
banking information can also be found in Appendix V of the Basel Committee's
paper Risk Management Principles for Electronic Banking.

(c) Effective capacity, business continuity and contingency planning.
Interruption in services may significantly affect electronic banking customers, who
often expect 24-hour availability. Due to the potential impact (e.g. bill payment
transactions cannot be paid on time) on customers and customer service,
authorized institutions should analyze the impact of service outages and take steps
to decrease the probability of outages and minimize the recovery time. For
example, authorized institutions need to ensure that:
the current and future capacity of critical electronic banking systems and the
relevant supports to the network infrastructure are assessed on an ongoing basis;
electronic banking systems can handle high and low transaction volume, and
systems performance and capacity are consistent with the projected
transaction volume and future growth; and
appropriate business continuity and contingency plans [8] for critical electronic
banking processing and delivery systems are in place and regularly tested.
Other sound capacity, business continuity and contingency planning practices can
be found in Appendix VI of the Basel Committee's paper Risk Management
Principles for Electronic Banking.
[8] In light of the activity volumes, number of customers affected, and the availability
of alternate service channels, some institutions may not consider electronic
banking services as mission critical warranting a high priority in their business
continuity plan. Management should periodically reassess this decision to ensure
the supporting rationale continues to reflect actual growth and expansion in
electronic banking services.

(d) Incident response and management. Authorized institutions should
develop appropriate incident response plans and procedures to manage,
contain and minimize problems arising from unexpected events, including
internal and external attacks that may hamper the provision of electronic
banking systems and services. An effective incident response should include:
plans to address recovery of electronic banking systems and services;
mechanisms to identify an incident or crisis as soon as it occurs and to assess its
materiality and impact;
an incident response team with the authority to act in an emergency and
sufficiently trained in analyzing incident detection/response systems, interpreting
the significance of related output and determining the appropriate action to be
taken;
a clear chain of command, encompassing both internal as well as outsourced
operations;
a communication strategy to adequately address the concerns of external parties
(e.g. customers, media and business partners);
a process for alerting the AMCM in the event of material security breaches or
disruptive incidents; and
a process for collecting and preserving forensic evidence to facilitate the
subsequent reviews and prosecution of attackers.

5.8 MANAGEMENT OF CROSS-BORDER ACTIVITIES


5.8.1 Taking advantage of the open, ubiquitous and automated nature of the
Internet, many international institutions are providing electronic banking products
and services to their customers in different countries/jurisdictions through the web
sites of their branches or subsidiaries in those countries. Some other institutions
have also begun to conduct electronic banking activities remotely from one
jurisdiction to residents in another jurisdiction where they do not already have a
licensed establishment.

5.8.2 The Basel Committee has defined the provision of transactional online
products or services by an institution in one jurisdiction to residents of another
jurisdiction as cross-border electronic banking. Given the developments affecting
issues of legal jurisdiction and choice of laws considerations with respect to
cross-border commerce, institutions that engage in cross-border electronic banking
may face increased legal risk. Specifically, unless institutions conduct adequate due
diligence they run the risk of potential non-compliance with different laws and
regulations, including applicable consumer protection laws, advertising and
disclosure laws, record-keeping and reporting requirements, privacy rules and
anti-money laundering laws in foreign jurisdictions.
... for the different levels of electronic banking services.
5.8.3 Accordingly, prior to engaging in cross-border electronic banking activities,
all authorized institutions operating in Macao should first consult the
AMCM, which needs to be satisfied that authorized institutions have:
(a) Conducted adequate and appropriate risk assessment and due diligence to
ensure that they can adequately manage the attendant risks and that they comply
with the laws and regulations of the foreign jurisdictions to which the electronic
banking services are directed; and
(b) Established an effective and ongoing risk management program for assessing,
controlling and monitoring risks arising from cross-border electronic banking
activities.
5.8.4 These authorized institutions are also expected to define and generally
mitigate their due diligence obligations by posting on their websites a disclaimer
that limits their on-line products and services to only the residents of specified
jurisdictions [10], although the legal effect of such a disclaimer might be somewhat
uncertain. In addition, they should provide sufficient disclosure on their websites to
allow potential customers to determine their identity, place of incorporation and
regulatory status.
[10] Or, conversely, authorized institutions may disclose the jurisdictions to which they
do not intend to provide their products and services.

5.9 INDEPENDENT ASSESSMENTS


5.9.1 Given the importance of managing the risks associated with electronic
banking, authorized institutions should make arrangements for independent
assessments to be conducted on their electronic banking systems before the launch
of the relevant services or major enhancements to existing services.
The independent assessments should, at a minimum, cover the following areas,
taking into account the guidance in paragraphs 4 to 8 of this Guideline:
(a) board and management oversight;
(b) security controls;
(c) outsourcing management;
(d) legal and reputational risk management; and
(e) management of cross-border activities.
5.9.2 The person(s) appointed by an authorized institution to perform independent
assessment should have, and be able to demonstrate, the necessary expertise in
the relevant fields. He/she should be independent from the parties that develop or
administer the electronic banking system and should not be involved in the
operations to be reviewed or in selecting or implementing the relevant control
measures to be reviewed. He/she should be able to report findings freely and
directly to the authorized institution's senior management. As long as the assessor
meets the above criteria, he/she can be the authorized institution's internal staff or
an external party (e.g. an external auditor or other third-party service providers).

5.9.3 Subsequent to an initial independent assessment, an authorized institution
should conduct risk assessment at least every two years or when there are
substantial changes to determine if further independent assessment should be
required and the frequency and scope of such independent assessment. Any
substantial changes to the risk profile of the services being provided, significant
modifications of the network infrastructure and applications, material system
vulnerabilities or major security breaches are to be taken into consideration in the
risk assessment.
5.9.4 Reports of independent assessments should be submitted to the AMCM,
which will use the reports as a reference during on-site examinations and off-site
reviews. In case authorized institutions have engaged different parties to conduct
separate independent assessments on different aspects of their electronic banking
services, they may submit either combined reports or all relevant reports separately
to the AMCM. Such independent assessment reports should cover at least the
following items:
(a) time of assessment and stage of development of the relevant system;
(b) scope and approach adopted, including descriptions of the system components,
internal networks and network equipment that are covered;
(c) the assessor's findings and recommendations; and
(d) management responses.

5.10 SUPERVISORY APPROACH


5.10.1 In light of the possible implications regarding operational, reputation and
other relevant risks, authorized institutions should notify and discuss their plans
with the AMCM prior to the launch of new electronic banking services or
significant changes to existing services. In particular, prior consultation with the
AMCM should take place before an authorized institution engages in cross-border
electronic banking activities.
5.10.2 The AMCM will generally require an authorized institution to present and
discuss its strategic outlook for launching electronic banking services,
demonstrating compatibility with the overall strategy of the authorized institution's
operations, and the risk analysis for the planned project together with details of the
risk/reward study. The management of the authorized institution is expected to
demonstrate that it has reviewed the current risk profile of its operations,
considered the impact of implementing an electronic service and that the board (or
head office in the case of a branch of an overseas authorized institution) has
concluded that there are no undue adverse implications for the safety and
soundness of the operations given its resources, risk management systems and
technical expertise.
5.10.3 Specifically, an authorized institution should satisfy the AMCM that the
following issues are properly addressed:
(a) there is proper board and/or senior management oversight;
(b) major technology-related controls relevant to electronic banking have been
addressed;
(c) there are appropriate security measures in place, both physical and logical
together with other requisite risk management controls;
(d) relevant issues related to activities such as outsourcing and cross border
electronic banking activities have been addressed;
(e) a cost-benefit analysis has been conducted of the provision of the new
electronic banking service;
(f) an electronic banking strategy, which clearly outlines the policies, practices and
procedures that address and control all of the risks associated with electronic
banking, has been developed and documented;
(g) the effectiveness of the implementation plan will be monitored on an ongoing
basis and updated periodically to take account of changes in technology, legal
developments and the business environment including external and internal threats
to information security; and
(h) relevant risks are monitored on an ongoing basis.

5.10.4 The AMCM will, in the course of its onsite examinations and offsite
reviews, determine as appropriate the adequacy of authorized institutions' risk
management of electronic banking services based on the requirements set out in
this Guideline. Meanwhile, authorized institutions that are already offering
electronic banking services are expected to ensure that their existing systems,
including the arrangement for independent assessments, are in compliance with
this Guideline as soon as practicable and within 12 months of the date of this
Guideline.


Chapter 6
Internet Banking in India Guidelines
6.1 Introduction
6.2 Technology and security standards
6.3 Legal issues
6.4 Regulatory and supervisory issues

6.1 Introduction

Reserve Bank of India had set up a Working Group on Internet Banking to
examine different aspects of Internet Banking (I-banking).
The Group had focused on three major areas of I-banking, i.e., (i) technology and
security issues, (ii) legal issues and (iii) regulatory and supervisory issues. A copy
of the Group's report is enclosed. RBI has accepted the recommendations of the
Group to be implemented in a phased manner. Accordingly, the following
guidelines are issued for implementation by banks. Banks are also advised that
they may be guided by the original report, for a detailed guidance on different
issues.

6.2 Technology and Security Standards:


a. Banks should designate a network and database administrator with clearly
defined roles as indicated in the Group's report.
b. Banks should have a security policy duly approved by the Board of Directors.
There should be a segregation of duty between the Security Officer / Group dealing
exclusively with information systems security and the Information Technology
Division which actually implements the computer systems. Further, the Information
Systems Auditor will audit the information system.
c. Banks should introduce logical access controls to data, systems, application
software, utilities, telecommunication lines, libraries, system software, etc.
Logical access control techniques may include user-ids, passwords, smart cards or
other biometric technologies.
d. At the minimum, banks should use the proxy server type of firewall so that there
is no direct connection between the Internet and the bank's system. It facilitates a
high level of control and in-depth monitoring using logging and auditing tools. For
sensitive systems, a stateful inspection firewall is recommended which
thoroughly inspects all packets of information, and past and present transactions
are compared. These generally include a real-time security alert.
e. All the systems supporting dial up services through modem on the same LAN as
the application server should be isolated to prevent intrusions into the network as
this may bypass the proxy server.
f. PKI (Public Key Infrastructure) is the most favored technology for secure
Internet banking services. However, as it is not yet commonly available, banks
should use the following alternative system during the transition, until the PKI is
put in place:
1. Usage of SSL (Secure Sockets Layer), which ensures server authentication, and
use of client-side certificates issued by the banks themselves using a Certificate
Server.
2. The use of at least 128-bit SSL for securing browser to web server
communications and, in addition, encryption of sensitive data like passwords in
transit within the enterprise itself.
g. It is also recommended that all unnecessary services on the application server
such as FTP (File Transfer Protocol), telnet should be disabled. The application
server should be isolated from the e-mail server.
h. All computer accesses, including messages received, should be logged.
Suspected security violations should be reported, and the follow-up action taken
should be kept in mind while framing future policy. Banks should acquire tools for
monitoring systems and the networks against intrusions and attacks. These tools
should be used regularly to avoid security breaches. The banks should review their
security infrastructure and security policies regularly and optimize them in the light
of their own experiences and changing technologies. They should educate
their security personnel and also the end-users on a continuous basis.
The information security officer and the information system auditor should
undertake periodic penetration tests of the system, which should include:
1. Attempting to guess passwords using password-cracking tools.
2. Searching for back doors in the programs.
3. Attempting to overload the system using DDOS (Distributed Denial of Service) and
DOS (Denial of Service) attacks.
4. Checking whether commonly known holes exist in the software, especially the
browser and the e-mail software.
5. The penetration testing may also be carried out by engaging outside experts
(often called Ethical Hackers).
j. Physical access controls should be strictly enforced. Physical security should
cover all the information systems and sites where they are housed, both against
internal and external threats.
k. Banks should have proper infrastructure and schedules for backing up data. The
backed-up data should be periodically tested to ensure recovery without loss of
transactions in a time frame as given out in the bank's security policy. Business
continuity should be ensured by setting up disaster recovery sites. These facilities
should also be tested periodically.
l. All applications of banks should have proper record keeping facilities for legal
purposes. It may be necessary to keep all received and sent messages both in
encrypted and decrypted form.
m. Security infrastructure should be properly tested before using the systems and
applications for normal operations. Banks should upgrade the systems by installing
patches released by developers to remove bugs and loopholes, and upgrade to
newer versions which give better security and control.
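Item h above requires every access to be logged and monitored, and the service-provider oversight list earlier in this chapter (item (d): volume of rejected log-on attempts, password resets, penetration attempts) names the figures a bank should be able to report. The following Python is an added example of deriving those figures from an access log; it is not code from the RBI circular or the AMCM guideline, and the log line format, event names and sample lines are constructed for illustration.

```python
"""Added example: derive security-incident metrics (rejected log-ons,
password resets, lockouts, failed-log-on bursts per source) from access log
lines of the kind item h of the RBI standards says must be kept.
The log format, event names and sample lines are constructed for this
example and are not from any real banking system."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: <ISO timestamp> <EVENT> user=<customer id> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON_OK|LOGON_FAIL|PWD_RESET|LOCKOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGON_OK user=c1001 src=203.0.113.5
2024-03-01T09:00:07 LOGON_FAIL user=c1002 src=198.51.100.9
2024-03-01T09:00:09 LOGON_FAIL user=c1003 src=198.51.100.9
2024-03-01T09:00:12 LOGON_FAIL user=c1004 src=198.51.100.9
2024-03-01T09:00:15 LOGON_FAIL user=c1005 src=198.51.100.9
2024-03-01T09:00:19 LOGON_FAIL user=c1006 src=198.51.100.9
2024-03-01T09:00:40 LOGON_FAIL user=c1007 src=198.51.100.9
2024-03-01T09:01:02 PWD_RESET user=c1002 src=203.0.113.77
2024-03-01T09:02:30 LOGON_FAIL user=c1001 src=203.0.113.5
2024-03-01T09:02:41 LOGON_OK user=c1001 src=203.0.113.5
2024-03-01T09:40:00 LOGON_FAIL user=c1009 src=192.0.2.20
2024-03-01T09:55:00 LOGON_FAIL user=c1009 src=192.0.2.20
2024-03-01T10:10:00 LOCKOUT user=c1009 src=192.0.2.20
this line is not in the expected format and is counted as unparsable
"""


def parse_log(text):
    """Parse log lines; return (events, unparsable_count). Lines that do not
    match the expected format are counted rather than silently dropped: a gap
    in the log is itself something the security officer needs to see."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, bad


def incident_metrics(events):
    """The counts the oversight list asks for, plus how many distinct users
    and source addresses were behind the rejected log-ons."""
    by_event = Counter(e["event"] for e in events)
    failed = [e for e in events if e["event"] == "LOGON_FAIL"]
    return {
        "rejected_logons": by_event["LOGON_FAIL"],
        "password_resets": by_event["PWD_RESET"],
        "lockouts": by_event["LOCKOUT"],
        "users_with_failures": len({e["user"] for e in failed}),
        "sources_with_failures": len({e["src"] for e in failed}),
    }


def failed_logon_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Sliding window per source address: return {src: peak count} for sources
    with at least `threshold` failed log-ons inside `window`. One failure
    followed by a success (c1001) is normal; many failures against different
    users from one source within minutes is the pattern to escalate."""
    per_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            per_src[e["src"]].append(e["ts"])
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


def main():
    events, bad = parse_log(SAMPLE_LOG)
    print("metrics:", incident_metrics(events))
    print("bursts:", failed_logon_bursts(events))
    print("unparsable lines:", bad)


if __name__ == "__main__":
    main()
```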


6.3 Legal Issues


a. Considering the legal position prevalent, there is an obligation on the part of
banks not only to establish the identity but also to make enquiries about integrity
and reputation of the prospective customer. Therefore, even though request for
opening account can be accepted over Internet, accounts should be opened only
after proper introduction and physical verification of the identity of the customer.
b. From a legal perspective, security procedure adopted by banks for authenticating
users needs to be recognized by law as a substitute for signature. In India, the
Information Technology Act, 2000, in Section 3(2) provides for a particular
technology as a means of authenticating electronic record. Any other method used
by banks for authentication should be recognized as a source of legal risk.
c. Under the present regime there is an obligation on banks to maintain secrecy and
confidentiality of customers' accounts. In the Internet banking scenario, the risk of
banks not meeting the above obligation is high on account of several factors.
Despite all reasonable precautions, banks may be exposed to enhanced risk of
liability to customers on account of breach of secrecy, denial of service etc.,
because of hacking/ other technological failures. The banks should, therefore,
institute adequate risk control measures to manage such risks.
d. In the Internet banking scenario there is very little scope for the banks to act on
stop-payment instructions from the customers. Hence, banks should clearly notify
to the customers the timeframe and the circumstances in which any stop-payment
instructions could be accepted.
e. The Consumer Protection Act, 1986 defines the rights of consumers in India and
is applicable to banking services as well. Currently, the rights and liabilities of
customers availing of Internet banking services are being determined by bilateral
agreements between the banks and customers. Considering the banking practice
and rights enjoyed by customers in traditional banking, banks' liability to the
customers on account of unauthorized transfer through hacking, denial of service
on account of technological failure etc. needs to be assessed, and banks providing
Internet banking should insure themselves against such risks.

6.4 Regulatory and Supervisory Issues

As recommended by the Group, the existing regulatory framework over banks will
be extended to Internet banking also. In this regard, it is advised that:
1. Only such banks which are licensed and supervised in India and have a physical
presence in India will be permitted to offer Internet banking products to residents
of India. Thus, both banks and virtual banks incorporated outside the country and
having no physical presence in India will not, for the present, be permitted to offer
Internet banking services to Indian residents.
2. The products should be restricted to account holders only and should not be
offered in other jurisdictions.
3. The services should only include local currency products.
4. The in-out scenario where customers in cross border jurisdictions are offered
banking services by Indian banks and the out-in scenario where Indian residents
are offered banking services by banks operating in cross-border jurisdictions are
generally not permitted and this approach will apply to Internet banking also. The
existing exceptions for limited purposes under FEMA i.e. where resident Indians
have been permitted to continue to maintain their accounts with overseas banks
etc., will, however, be permitted.
5. Overseas branches of Indian banks will be permitted to offer Internet banking
services to their overseas customers subject to their satisfying, in addition to the
host supervisor, the home supervisor. Given the regulatory approach as above,
banks are advised to follow the following instructions:
a. All banks that propose to offer transactional services on the Internet
should obtain prior approval from RBI. A bank's application for such permission
should indicate its business plan, analysis of cost and benefit, operational
arrangements like technology adopted, business partners, third party service
providers and systems and control procedures the bank proposes to adopt for
managing risks.
The bank should also submit a security policy covering recommendations made in
this circular and a certificate from an independent auditor that the minimum
requirements prescribed have been met. After the initial approval the banks will be
obliged to inform RBI of any material changes in the services / products offered by
them.
b. Banks will report to RBI every breach or failure of security systems and
procedure and the latter, at its discretion, may decide to commission special audit /
inspection of such banks.
c. The guidelines issued by RBI on Risks and Controls in Computers and
Telecommunications vide circular dated 4th February 1998 will equally apply to
Internet banking. The RBI as supervisor will cover the entire risks associated with
electronic banking as a part of its regular inspections of banks.
d. Banks should develop outsourcing guidelines to manage effectively the risks
arising out of third party service providers, such as disruption in service, defective
services and personnel of service providers gaining intimate knowledge of banks'
systems and misutilizing the same, etc.
e. With the increasing popularity of e-commerce, it has become necessary to set up
Inter-bank Payment Gateways for settlement of such transactions. The protocol
for transactions between the customer, the bank and the portal and the framework
for setting up of payment gateways as recommended by the Group should be
adopted for internet banking.
f. Only institutions which are members of the cheque clearing system in the country
will be permitted to participate in Inter-bank payment gateways for Internet
payment. Each gateway must nominate a bank as the clearing bank to settle all
transactions. Payments effected using credit cards, payments arising out of cross
border e-commerce transactions and all intra-bank payments (i.e., transactions
involving only one bank) should be excluded for settlement through an inter-bank
payment gateway.
g. Inter-bank payment gateways must have capabilities for both net and gross
settlement. All settlement should be intra-day and as far as possible, in real time.
h. Connectivity between the gateway and the computer system of the member bank
should be achieved using a leased line network (not through Internet) with
appropriate data encryption standard. All transactions must be authenticated.
Once the regulatory framework is in place, the transactions should be digitally
certified by any licensed certifying agency. SSL / 128 bit encryption must be used
as the minimum level of security. Reserve Bank may get the security of the entire
infrastructure, both at the payment gateway's end and the participating institutions'
end, certified prior to making the facility available for customers' use.
i. Bilateral contracts between the payee and payee's bank, the participating banks
and service provider and the banks themselves will form the legal basis for such
transactions. The rights and obligations of each party must be clearly defined and
should be valid in a court of law.
j. Banks must make mandatory disclosures of risks, responsibilities and liabilities
of the customers in doing business through Internet through a disclosure template.
The banks should also provide their latest published financial results over the net.
k. Hyperlinks from banks' websites often raise the issue of reputational risk. Such
links should not mislead the customers into believing that banks sponsor any
particular product or any business unrelated to banking. Hyperlinks from a bank's
websites should be confined to only those portals with which they have a payment
arrangement or sites of their subsidiaries or principals. Hyperlinks to

CONCLUSION
Thus reaching the conclusion of my project, I observe that traditional banks
offer many services to their customers, including accepting customer money
deposits, providing various banking services to customers, and making loans to
individuals and companies. Compared with traditional channels of offering
banking services through physical branches, e-banking uses the Internet to deliver
traditional banking services to their customers, such as opening accounts,
transferring funds, and electronic bill payment. E-banking can be offered in two
main ways. First, an existing bank with physical offices can also establish
an online site and offer e-banking services to its customers in addition to the
regular channel. For example, Citibank is a leader in e-banking, offering walk-in,
face-to-face banking at its branches throughout many parts of the world as
well as e-banking services through the World Wide Web. Generally, e-banking
is provided without extra cost to customers. Customers are attracted by the
convenience of e-banking through the Internet, and in turn, banks can operate more
efficiently when customers perform transactions by themselves rather than going to
a branch and dealing with a branch representative. E-banking services are
delivered to customers through the Internet and the web using Hypertext
Markup Language (HTML). In order to use e-banking services, customers need
Internet access and web browser software. Multimedia information in HTML format
from online banks can be displayed in web browsers. The heart of the e-banking
application is the computer system, which includes web servers, database management
systems, and web application programs that can generate dynamic
HTML pages. One of the main concerns of e-banking is security. Without great
confidence in security, customers are unwilling to use a public network, such as
the Internet, to view their financial information online and conduct
financial transactions. Some of the security threats include invasion of
individuals' privacy and theft of confidential information.
On October 1, 2000, the electronic signatures bill took effect,
recognizing documents signed online as legal. Some banks plan to begin
using electronic checks as soon as they can work out various security
measures. The range of e-banking services is likely to increase in the future.
Some banks plan to introduce electronic money and electronic checks. Electronic
money can be stored in computers or smart cards and consumers can use the
electronic money to purchase small value items over the Internet.


BIBLIOGRAPHY
enm.wikipedia.org (wiki) online bank.
www.bis.org/pab/bcbs98.htm
http/banking service .com94
www.infotechlead.com
www.siliconindia.com:81
http:/.ehow.com/list6949866 types-internet banking
iamshahman.wordpress.com/../type of e-banking
