DEFINITION OF E-BANKING
For this booklet, e-banking is defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels. E-banking includes the systems that enable financial institution customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet. Customers access e-banking services using an intelligent electronic device, such as a personal computer (PC), personal digital assistant (PDA), automated teller machine (ATM), kiosk, or Touch Tone telephone. While the risks and controls are similar for the various e-banking access channels, this booklet focuses specifically on Internet-based services due to the Internet’s widely accessible public network. Accordingly, this booklet begins with a discussion of the two primary types of Internet websites: informational and transactional.
Informational websites provide customers access to general information about the financial institution and its products or services. Risk issues examiners should consider when reviewing informational websites include:
- Potential liability and consumer violations for inaccurate or incomplete information about products, services, and pricing presented on the website;
- Potential access to confidential financial institution or customer information if the website is not properly isolated from the financial institution’s internal network;
- Potential liability for spreading viruses and other malicious code to computers communicating with the institution’s website; and
- Negative public perception if the institution’s on-line services are disrupted or if its website is defaced or otherwise presents inappropriate or offensive material.
TRANSACTIONAL WEBSITES
Transactional websites provide customers with the ability to conduct transactions through the financial institution’s website by initiating banking transactions or buying products and services. Banking transactions can range from something as basic as a retail account balance inquiry to a large business-to-business funds transfer. E-banking services, like those delivered through other delivery channels, are typically classified based on the type of customer they support. The following table lists some of the common retail and wholesale e-banking services offered by financial institutions.
Table 1: Common E-Banking Services

| Retail Services | Wholesale Services |
|---|---|
| Account management | Account management |
| Bill payment and presentment | Cash management |
| New account opening | Small business loan applications, approvals, or advances |
| Consumer wire transfers | |
| Investment/Brokerage services | Commercial wire transfers |
| Loan application and approval | Business-to-business payments |
| Account aggregation | Employee benefits/pension administration |
Since transactional websites typically enable the electronic exchange of confidential customer information and the transfer of funds, services provided through these websites expose a financial institution to higher risk than basic informational websites. Wholesale e-banking systems typically expose financial institutions to the highest risk per transaction, since commercial transactions usually involve larger dollar amounts. In addition to the risk issues associated with informational websites, examiners reviewing transactional e-banking services should consider the following issues:
- Security controls for safeguarding customer information;
- Authentication processes necessary to initially verify the identity of new customers and authenticate existing customers who access e-banking services;
- Liability for unauthorized transactions;
- Losses from fraud if the institution fails to verify the identity of individuals or businesses applying for new accounts or credit on-line;
- Possible violations of laws or regulations pertaining to consumer privacy, anti-money laundering, anti-terrorism, or the content, timing, or delivery of required consumer disclosures; and
- Negative public perception, customer dissatisfaction, and potential liability resulting from failure to process third-party payments as directed or within specified time frames, lack of availability of on-line services, or unauthorized access to confidential customer information during transmission or storage.
E-BANKING COMPONENTS
E-banking systems can vary significantly in their configuration depending on a number of factors. Financial institutions should choose their e-banking system configuration, including outsourcing relationships, based on four factors:
- Strategic objectives for e-banking;
- Scope, scale, and complexity of equipment, systems, and activities;
- Technology expertise; and
- Security and internal control requirements.
Financial institutions may choose to support their e-banking services internally. Alternatively, financial institutions can outsource any aspect of their e-banking systems to third parties. The following entities could provide or host (i.e., allow applications to reside on their servers) e-banking-related services for financial institutions:
- Another financial institution,
- Internet service provider,
- Internet banking software vendor or processor,
- Core banking vendor or processor,
- Managed security service provider,
- Bill payment provider,
- Credit bureau, and
- Credit scoring company.
E-banking systems rely on a number of common components or processes. The following list includes many of the potential components and processes seen in a typical institution:
- Website design and hosting,
- Firewall configuration and management,
- Intrusion detection system or IDS (network and host-based),
- Network administration,
- Security management,
- Internet banking server,
- E-commerce applications (e.g., bill payment, lending, brokerage),
- Internal network servers,
- Core processing system,
- Programming support, and
- Automated decision support systems.
These components work together to deliver e-banking services. Each component represents a control point to consider.
Through a combination of internal and outsourced solutions, management has many alternatives when determining the overall system configuration for the various components of an e-banking system. However, for the sake of simplicity, this booklet presents only two basic variations. First, one or more technology service providers can host the e-banking application and numerous network components as illustrated in the following diagram. In this configuration, the institution’s service provider hosts the institution’s website, Internet banking server, firewall, and intrusion detection system. While the institution does not have to manage the daily administration of these component systems, its management and board remain responsible for the content, performance, and security of the e-banking system.
