Appendix A: Examination Procedures
The examiner's primary goal in reviewing e-banking activities is to determine whether the institution is providing e-banking products and services in a safe and sound manner that supports compliance with consumer-protection regulations. This determination is based on whether the institution's risk management practices are commensurate with the level of risk in its e-banking activities.
The e-banking examination procedures are a tool to help examiners reach conclusions regarding the effectiveness of an institution's risk management of e-banking activities. Examiners should use their judgment, consistent with the institution's supervisory strategy, in selecting applicable examination objectives and determining the need for specific testing of controls. Examiners may rely on the work of auditors and consultants deemed independent and competent in establishing their examination scope.
The examination procedures that follow focus on the risks inherent in the processes and technologies supporting e-banking products and services. They supplement, but do not replace, procedures from other IT Handbook booklets that apply to general IT activities (e.g., program development and maintenance, networking, information security, etc.). Depending on the scope of coverage targeted, examiners should consider using these procedures in combination with others from the IT Handbook and related issuances.
The structure of the e-banking examination procedures parallels the structure of the narrative portion of this booklet. The procedures cover:
Depending on the complexity of the institution's activities and the scope of prior reviews, it is generally not necessary to complete all of the examination objectives or procedures in order to reach conclusions on the effectiveness of the financial institution's risk management processes. The procedures are designed for conducting targeted, integrated reviews of new or significantly expanded e-banking services. However, for follow-up activities or e-banking reviews conducted as part of a comprehensive review of an institution's IT activities, examiners should customize their e-banking coverage to avoid duplication of topics covered in other examination programs.
This section of the booklet also includes discussion points examiners can use as a reference when talking to management that is considering or implementing e-banking products and services, and a sample list of items to include in the request letter for each of the objectives stated in the examination procedures.
Financial institutions frequently contact examiners seeking guidance on things to consider when they plan to offer or expand e-banking services. The following discussion points are offered as a guide to assist examiners when discussing e-banking plans and strategies with institution management.
Strategic Plans - Decisions on e-banking should be consistent with the financial institution's strategic and operating business plans. Any decision to offer or expand e-banking services should consider customer demand for the services, competitive issues, and the risks in the technology. The institution should periodically evaluate the success of its e-banking strategy and make changes as appropriate.
Impact on Earnings and Capital - Financial institution management should have realistic projections of the expected impact of e-banking on earnings and capital. If management projects a significant impact then profitability plans should address pricing and marketing expenses. If management projects rapid growth in loans or deposits, then plans should address the impact on liquidity, asset quality, and capital adequacy.
E-Banking Software and Service Provider Selection - Financial institutions should provide an appropriate level of due diligence in selecting third-party providers or developing systems in-house. User departments should be involved in the selection process since they will work with the system on a daily basis once it is operational.
Security - Financial institution management should understand security issues associated with e-banking. Security issues include customer verification and authentication, data confidentiality and integrity, and intrusion prevention and detection. Management should measure the effectiveness of security controls.
Internal Controls and Audit - The institution's board and management should ensure that internal control and audit processes are adequate to enable the identification, measurement, and monitoring of the risks associated with e-banking. Management should attempt to quantify increased expenses and losses due to internal control-related weaknesses and fraud.
Legal Requirements - Management should research and understand various legal requirements, including compliance issues, as part of the e-banking decision process. Many legal issues are evolving and will require management to monitor developments.
Vendor Management - Research of outsourcing arrangements should include consideration of potential vendors' financial condition, reputation and expertise, years in business, history of service interruptions and recoveries, and future business plans. Selection should also consider the ability to agree on a contract that clearly defines responsibility for maintaining and sharing information and any resulting liability for its unauthorized use or disclosure.
Business Continuity Planning - Whether provided by the financial institution or a third party, management should plan for recovery of critical e-banking technology and business functions and develop alternate operating processes for use during service disruptions.
Insurance - A review of insurance coverage may be in order to determine if existing policies specifically cover or exclude activities conducted over open networks like the Internet.
Expertise - The financial institution should ensure it has the proper level of expertise to make business decisions regarding e-banking and network security. The board of directors and senior management may need to enhance their understanding of technology issues. If such expertise is not available in-house, the institution should consider engaging outside expertise.
Objective 1: Determine the scope for the examination of the institution's e-banking activities consistent with the nature and complexity of the institution's operations.
1. Review the following documents to identify previously noted issues related to the e-banking area that require follow-up:
2. Identify the e-banking products and services the institution offers, supports, or provides automatic links to (i.e., retail, wholesale, investment, fiduciary, e-commerce support, etc.).
3. Assess the complexity of these products and services considering volumes (transaction and dollar), customer base, significance of fee income, and technical sophistication.
4. Identify third-party providers and the extent and nature of their processing or support services.
5. Discuss with management or review MIS or other monitoring reports to determine the institution's recent experience and trends for the following:
6. Review audit and consultant reports, management's responses, and problem tracking systems to identify potential issues for examination follow-up. Possible sources include:
7. Review the network schematic to identify the location of major e-banking components. Document the location and the entity responsible for development, operation, and support of each of the major system components.
8. Review the institution's e-banking site(s) to gain a general understanding of the scope of e-banking activities and the website's organization, structure, and operability.
9. Discuss with management recent and planned changes in:
10. Based on the findings from the previous steps, determine the scope of the e-banking review. Discuss, as appropriate, with the examiner or office responsible for supervisory oversight of the institution. Select from among the following examination objectives and procedures those that are appropriate to the examination's scope. When more in-depth coverage of an area is warranted, examiners should select procedures from other booklets of the IT Handbook as necessary (e.g., "Information Security Booklet," "Retail Payments Systems Booklet," etc.). For more complex e-banking environments, examiners may need to integrate IT coverage with business line-specific coverage. In those cases, examiners should consult other subject matter experts and consider inclusion of the member agency's expanded procedures (e.g., compliance, retail lending, fiduciary/asset management, etc.).
BOARD AND MANAGEMENT OVERSIGHT
Objective 2: Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.
1. Evaluate the institution's short- and long-term strategies for e-banking products and services. In assessing the institution's planning processes, consider whether:
2. Determine whether e-banking guidance and risk considerations have been incorporated into the institution's operating policies to an extent appropriate for the size of the financial institution and the nature and scope of its e-banking activities. Consider whether the institution's policies and practices:
3. Assess the level of oversight by the board and management in ensuring that planning and monitoring are sufficiently robust to address heightened risks inherent in e-banking products and services. Consider whether:
4. Evaluate the adequacy of key MIS reports used to monitor risks in e-banking activities. Consider monitoring of the following areas:
5. Determine whether audit coverage of e-banking activities is appropriate for the type of services offered and the level of risk assumed. Consider the frequency of e-banking reviews, the adequacy of audit expertise relative to the complexity of e-banking activities, and the extent of functions outsourced to third-party providers. The audit scope should include:
Objective 3: Determine the quality of the institution's risk management over outsourced technology services.
1. Assess the adequacy of management's due diligence activities prior to vendor selection. Consider whether:
2. Determine whether the institution has reviewed vendor contracts to ensure that the responsibilities of each party are appropriately identified. Consider the following provisions if applicable:
3. Assess the adequacy of ongoing vendor oversight. Consider whether the institution's oversight efforts include:
INFORMATION SECURITY PROCESS
Objective 4: Determine if the institution's information security program sufficiently addresses e-banking risks.
1. Determine whether the institution's written security program for customer information required by GLBA guidelines includes e-banking products and services.
2. Discuss the institution's e-banking environment with management as applicable. Based on this discussion, evaluate whether the examination scope should be expanded to include selected Tier II procedures from the IT Handbook's "Information Security Booklet." Consider discussing the following topics:
3. Determine whether the security program includes monitoring of systems and transactions and whether exceptions are analyzed to identify and correct noncompliance with security policies as appropriate. Consider whether the institution adequately monitors the following:
4. Determine the adequacy of the institution's authentication methods and need for multi-factor authentication relative to the sensitivity of systems or transactions. Consider the following processes:
5. If the institution uses passwords for customer authentication, determine whether password administration guidelines adequately address the following:
6. Evaluate the access controls over employees' administrative access to ensure:
7. Evaluate the appropriateness of incident response plans. Consider whether the plans include:
8. Assess whether the information security program includes independent security testing as appropriate for the type and complexity of e-banking activity. Tests should include, as warranted:
Objective 5: Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services.
1. Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties.
2. Determine whether controls for e-banking applications include:
3. Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions. Consider whether audit trails can identify the source of the following:
4. Evaluate the physical security over e-banking equipment, media, and communication lines.
5. Determine whether business continuity plans appropriately address the business impact of e-banking products and services. Consider whether the plans include the following:
LEGAL AND COMPLIANCE ISSUES
Objective 6: Assess the institution's understanding and management of legal and compliance issues associated with e-banking activities.
1. Determine how the institution stays informed on legal and regulatory developments associated with e-banking and thus ensures that e-banking activities comply with applicable consumer compliance regulations. Consider:
2. Review the website content for inclusion of federal deposit insurance logos if insured depository services are offered (12 CFR 328 or 12 CFR 740).
3. Review the website content for inclusion of the following information, which institutions should consider in order to avoid customer confusion and communicate customer responsibilities:
4. If the financial institution electronically delivers consumer disclosures that are required to be provided in writing, assess the institution's compliance with the E-Sign Act. Review to determine whether:
5. Determine whether e-banking support services are in place to facilitate compliance efforts, including:
6. As applicable, determine whether the financial institution has considered the applicability of various laws and regulations to its e-banking activities:
7. If the overview of e-banking compliance identifies weaknesses in the institution's consideration and oversight of compliance issues, consider expanding coverage to include a more detailed review using agency-specific compliance examination procedures.
EXAMINATION CONCLUSIONS
Objective 7: Develop conclusions, communicate findings, and initiate corrective action on violations and other examination findings.
1. Assess the potential impact of the examination conclusions on the institution's CAMELS and Uniform Rating System for Information Technology (URSIT) ratings.
2. As applicable to your agency, identify risk areas where the institution's risk management processes are insufficient to mitigate the level of increased risk attributed to e-banking activities. Consider:
3. Prepare a summary memorandum detailing the results of the e-banking examination. Consider:
4. Discuss examination findings and conclusions with the examiner-in-charge. As appropriate, prepare draft report comments that address examination findings indicative of:
5. In coordination with the examiner-in-charge, discuss findings with institution management including, as applicable, conclusions regarding applicable ratings and risks. If necessary, obtain commitments for corrective action.
6. Revise draft e-banking comments to reflect discussions with management and finalize comments for inclusion in the report of examination.
7. As applicable, according to your agency's requirements/instructions, include written comments specifically stating what the regulator should do in the future to effectively supervise e-banking in this institution. Include supervisory objectives, time frames, staffing, and workdays required.
8. Update the agency's information systems and applicable report of examination schedules or tables as applicable.
Objective 1 - Determine the scope for the examination of the institution's e-banking activities consistent with the nature and complexity of the institution's operations.
Objective 2 - Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.
Objective 3 - Determine the quality of the institution's risk management over outsourced technology services.
Objective 4 - Determine if the institution has appropriately modified its information security program to incorporate e-banking risks.
If e-banking is hosted internally, provide the following additional information:
Objective 5 - Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services.
Objective 6 - Assess the institution's understanding and management of legal and compliance issues associated with e-banking activities.
If the financial institution provides cross-border e-banking products and services, provide the following additional information: