
Sunday, January 23, 2011

Appendix A: Examination Procedures

Introduction:

The examiner’s primary goal in reviewing e-banking activities is to determine whether the institution is providing e-banking products and services in a safe and sound manner that supports compliance with consumer-protection regulations. This determination is based on whether the institution’s risk management practices are commensurate with the level of risk in its e-banking activities.
The e-banking examination procedures are a tool to help examiners reach conclusions regarding the effectiveness of an institution’s risk management of e-banking activities. Examiners should use their judgment, consistent with the institution’s supervisory strategy, in selecting applicable examination objectives and determining the need for specific testing of controls. Examiners may rely on the work of auditors and consultants deemed independent and competent in establishing their examination scope.
The examination procedures that follow focus on the risks inherent in the processes and technologies supporting e-banking products and services. They supplement, but do not replace, procedures from other IT Handbook booklets that apply to general IT activities (e.g., program development and maintenance, networking, information security, etc.). Depending on the scope of coverage targeted, examiners should consider using these procedures in combination with others from the IT Handbook and related issuances.
The structure of the e-banking examination procedures parallels the structure of the narrative portion of this booklet. The procedures cover:
• Setting the examination scope,
• Evaluating board and management oversight,
• Assessing the information security program,
• Reviewing legal and compliance issues, and
• Deriving exam conclusions.
Depending on the complexity of the institution’s activities and the scope of prior reviews, it is generally not necessary to complete all of the examination objectives or procedures in order to reach conclusions on the effectiveness of the financial institution’s risk management processes. The procedures are designed for conducting targeted, integrated reviews of new or significantly expanded e-banking services. However, for follow-up activities or e-banking reviews conducted as part of a comprehensive review of an institution’s IT activities, examiners should customize their e-banking coverage to avoid duplication of topics covered in other examination programs.
This section of the booklet also includes discussion points examiners can use as a reference when talking to management while it is considering or implementing e-banking products and services, and a sample list of items to include in the request letter for each of the objectives stated in the examination procedures.
Discussion Points for Examiners
Financial institutions frequently contact examiners seeking guidance on things to consider when they plan to offer or expand e-banking services. The following discussion points are offered as a guide to assist examiners when discussing e-banking plans and strategies with institution management.
Strategic Plans — Decisions on e-banking should be consistent with the financial institution’s strategic and operating business plans. Any decision to offer or expand e-banking services should consider customer demand for the services, competitive issues, and the risks in the technology. The institution should periodically evaluate the success of its e-banking strategy and make changes as appropriate.
Impact on Earnings and Capital — Financial institution management should have realistic projections of the expected impact of e-banking on earnings and capital. If management projects a significant impact, then profitability plans should address pricing and marketing expenses. If management projects rapid growth in loans or deposits, then plans should address the impact on liquidity, asset quality, and capital adequacy.
E-Banking Software and Service Provider Selection — Financial institutions should provide an appropriate level of due diligence in selecting third-party providers or developing systems in-house. User departments should be involved in the selection process since they will work with the system on a daily basis once it is operational.
Security — Financial institution management should understand security issues associated with e-banking. Security issues include customer verification and authentication, data confidentiality and integrity, and intrusion prevention and detection. Management should measure the effectiveness of security controls.
Internal Controls and Audit — The institution’s board and management should ensure that internal control and audit processes are adequate to enable the identification, measurement, and monitoring of the risks associated with e-banking. Management should attempt to quantify increased expenses and losses due to internal control-related weaknesses and fraud.
Legal Requirements — Management should research and understand various legal requirements, including compliance issues, as part of the e-banking decision process. Many legal issues are evolving and will require management to monitor developments.
Vendor Management — Research of outsourcing arrangements should include consideration of potential vendors’ financial condition, reputation and expertise, years in business, history of service interruptions and recoveries, and future business plans. Selection should also consider the ability to agree on a contract that clearly defines responsibility for maintaining and sharing information and any resulting liability for its unauthorized use or disclosure.
Business Continuity Planning — Whether provided by the financial institution or a third party, management should plan for recovery of critical e-banking technology and business functions and develop alternate operating processes for use during service disruptions.
Insurance — A review of insurance coverage may be in order to determine if existing policies specifically cover or exclude activities conducted over open networks like the Internet.
Expertise — The financial institution should ensure it has the proper level of expertise to make business decisions regarding e-banking and network security. The board of directors and senior management may need to enhance their understanding of technology issues. If such expertise is not available in-house, the institution should consider engaging outside expertise.