Risk management in electronic banking concepts and best practices

Document information

Risk Management in Electronic Banking: Concepts and Best Practices
Jayaram Kondabagil
John Wiley & Sons (Asia) Pte Ltd

Copyright © 2007 by John Wiley & Sons (Asia) Pte Ltd. Published in 2007 by John Wiley & Sons (Asia) Pte Ltd, Clementi Loop, #02-01, Singapore 129809.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons (Asia) Pte Ltd, Clementi Loop, #02-01, Singapore 129809, tel: 65-64632400, fax: 65-64646912, e-mail: enquiry@wiley.com.sg

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional person should be sought.

Other Wiley Editorial Offices
  John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
  John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester PO19 8SQ, England
  John Wiley & Sons (Canada) Ltd, 5353 Dundas Street West, Suite 400, Toronto, Ontario, M9B 6HB, Canada
  John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia
  Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany

Library of Congress Cataloging-in-Publication Data
ISBN: 978-0-470-82243-2
Wiley Bicentennial Logo: Richard J Pacifico
Typeset in 10.5 on 13 points, Palatino by SNP Best-set Typesetter Ltd., Hong Kong
Printed in Singapore by Mainland Press Pte Ltd

To the memory of my father, Kondabagil Sheshappa

Contents

List of Figures xiii
List of Tables xv
Preface xvii
Acknowledgments xxiii
Foreword xxv

PART I: INTRODUCTION TO E-BANKING

Chapter 1 E-Banking Basics
  Evolution of e-banking
  Impact on traditional banking
  E-banking components
  Regulatory approval

Chapter 2 E-Banking Risks 10
  Strategic risk 11
  Operational risk 12
  Compliance risk 13
  Reputational risk 13
  Other risks 14
  Risk management challenges 15
  The five-pillar approach 17

Chapter 3 Product and Service-specific Risks 19
  Internet banking 19
  Aggregation services 21
  Bill presentment and payment 23
  Mobile banking 24
  Weblinking 25
  Electronic money 27
  Cross-border transactions 27
  New products and services 29

PART II: RISK MANAGEMENT

Chapter 4 Risk Management Framework 33
  Policies and procedures 34
  Risk management process 35
  Operational risk management 39
  Governance and internal controls 40

Chapter 5 Risk Management Organization 43
  Organization structure 43
  Board and senior management 44
  Executive risk committee 49
  IT management 51
  Internal and external audit 53

Chapter 6 International Standards 56
  Basel Committee on banking supervision 56
  COBIT 4.0 57
  ISO 17799 58
  OCTAVE 59
  COSO – enterprise risk management 60
  PCI data security standard 61
  Financial Action Task Force 62
  Corporate governance codes 63
  Regulatory guidelines 64

PART III: INFORMATION SECURITY

Chapter 7 Information Security Management 69
  Security objectives 70
  Security controls 73
  Security risk assessment 76
  Classification of controls 78
  Monitoring and testing 79
  Incident response plan 80

Chapter 8 Operational Controls 82
  Personnel issues 82
  Segregation of duties 84
  Technical issues 86
  Database management 88
  Change management 89
  Backups and off-site storage 90
  Insurance 92
  Fraud management 93

Chapter 9 Technical Controls 97
  Logical access controls 98
  Identification and authentication 99
  Authentication methods 101
  Audit trails 104
  Network security 105
  Firewalls 108
  Malicious code 110
  Information security incidents 111

PART IV: OUTSOURCING

Chapter 10 Outsourcing in E-Banking 117
  Types of outsourcing 118
  Material outsourcing 119
  Supervisory approach 120
  Key risks of outsourcing 121
  Board and senior management responsibility 123
  Outsourcing policy 124

Chapter 11 Managing Outsourced Services 126
  Outsourcing decisions 126
  Risk assessment and control 127
  Service provider due diligence 130
  Offshoring 131
  Contingency plans 132
  Customer service 132
  Monitoring and audit 134

Chapter 12 Outsourcing Contracts 137
  Contractual provisions 138
  Right of access clauses 140
  Termination clause 141
  Offshoring contracts 141
  Confidentiality and security clauses 142
  Business continuity clauses 144

PART V: BUSINESS CONTINUITY

Chapter 13 Business Continuity Management 147
  The main drivers 147
  Board and senior management responsibility 149
  Components of BCM 151
  Business impact analysis 152
  BIA methodologies 153
  Recovery strategy 156

Chapter 14 Business Continuity Plan 158
  Major components of BCP 158
  Continuity management team 160
  Recovery procedures 162
  Resource requirements 163
  External communications 165
  Plan maintenance 167
  Awareness and training 169
  Testing of BCP 171
  Testing methods 172

Chapter 15 Data Centers and Alternate Sites 175
  Evolution of data centers 175
  Location of the sites 176
  Mitigating concentration risk 177
  Data center design 178
  Logistics management 180
  Maintenance procedures 182
  Alternate site models 183
  External support 185
  Business continuity in real life 186

PART VI: LEGAL AND REGULATORY COMPLIANCE

Chapter 16 Compliance Function 193
  Organization of the compliance function 194
  Board and senior management responsibility 195
  Role of regulators 196

Chapter 17 Major Compliance Issues 198
  Anti-money laundering 198
  Know your customer (KYC) 199
  Suspicious activities 201
  Privacy of customer information 202
  Information disclosures 204
  Customer education 206

High-level review checklist 209
Acronyms 225
Glossary 227
References 245
Index 251

List of Figures

2.1 The five-pillar approach 18
4.1 Risk management framework 34
4.2 Risk management process 36
4.3 Risk management triad 40
5.1 Risk management organization structure 44
7.1 Information security objectives 71
13.1 BCM process 151

Glossary (excerpt, page 243)

Weblink: A word, phrase, or image on a web page that contains coding that will transport the viewer to a different part of the website or a completely different website by just clicking the mouse.

Website: A set of web pages that includes a homepage and that is designed, presented, and linked together to form a logical information resource and/or a transaction-initiation interface.

Worm: An independent program, unlike a virus, that replicates from one computer system to another through network connections, resulting in clogged networks as it spreads.

References

Basel Committee on Banking Supervision, www.bis.org
  Sound Practices for the Management and Supervision of Operational Risk, February 2003
  Risk Management Principles for Electronic Banking, July 2003
  Management and Supervision of Cross Border Electronic Banking Activities, July 2003
  Consolidated KYC Risk Management, October 2004
  Compliance and the Compliance Function in Banks, April 2005
  Enhancing Corporate Governance for Banking Organisations, February 2006
  Core Principles for Effective Banking Supervision, October 2006

The Joint Forum, www.bis.org
  Outsourcing in Financial Services, February 2005
  High-level Principles for Business Continuity, August 2006

World Bank Publications, www.worldbank.org
  Analyzing and Managing Banking Risk, Hennie Van Greuning, Sonja Brajovic Bratanovic, 2nd Edition, May 2003
  Electronic Safety and Soundness – Securing Finance in a New Age, Thomas C Glaessner, Tom Kellermann, Valerie McNevin, February 2004
  Technology Risk Checklist Version 7.3, May 2004

European Committee for Banking Standards, www.ecbs.org
  Security Guidelines for E-Banking, August 2004
  The Use of Audit Trails in Security Systems: Guidelines for European Banks, November 2001

IT Governance Institute, United States, www.itgi.org
  Board Briefing on IT Governance, 2nd edition
  Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd edition

Australian Prudential Regulation Authority, www.apra.gov.au
  Prudential Standard APS 232 Business Continuity Management, April 2005
  Prudential Standard APS 231 Outsourcing, October 2006

Bank of Albania, www.bankofalbania.org
  Regulation on Money Laundering Prevention, February 2004
  Regulation on Supervision of Electronic Banking Transactions, March 2005

Banque De France, www.banque-france.fr
  INTERNET – The Prudential Consequences, December 2000
  Risk Management in Financial Conglomerates and Prudential Supervision, Commission Bancaire France, Annual Report 2002
  Operational Risk: Current Practices and Regulatory Perspectives, Commission Bancaire France, Annual Report 2003
  The Compliance Function in Banks and Investment Companies, Commission Bancaire France, Annual Report 2003

Bank of Japan, www.boj.or.jp/en
  Business Continuity Planning at Financial Institutions, July 2003
  Business Continuity Planning at the Bank of Japan, September 2003

Central Bank of the Bahamas, www.centralbankbahamas.com
  Minimum Standards for the Outsourcing of Material Functions, May 2004
  Guidelines for Licensees' Electronic Banking Activities, April 2005

Central Bank of Barbados, www.centralbank.org.bb
  Guidelines for Electronic Banking, November 2002

De Nederlandsche Bank, www.dnb.nl
  Electronic Banking: Current Trends and the Implications for Banks and Supervision, Quarterly Bulletin, September 2000
  Electronic Banking: From a Prudential Supervisory Perspective, Monthly Report, December 2000
  Latest Developments in Supervision, Quarterly Bulletin, June 2004

Federal Financial Institutions Examination Council, www.ffiec.gov
  IT Examination Handbook Booklets:
    Business Continuity Planning, March 2003
    E-Banking, August 2003
    Information Security, July 2006
    Management, June 2004
    Operations, July 2004
    Outsourcing Technology Services, June 2004
  Authentication in an Internet Banking Environment, November 2005

Hong Kong Monetary Authority, www.info.gov.hk/hkma
  Supervisory Policy Manuals:
    Outsourcing, December 2001
    Business Continuity Planning, December 2002
    General Principles for Technology Risk Management, June 2003
    Supervision of E-Banking, February 2004

Monetary Authority of Singapore, www.mas.gov.sg
  Internet Banking Technology Risk Management Guidelines, June 2003
  Business Continuity Management Guidelines, June 2003
  Guidelines on Outsourcing, July 2005

Reserve Bank of India, www.rbi.org.in
  Report on Internet Banking, June 2001
  Internet Banking in India Guidelines, June 2001
  Business Continuity Planning, April 2005

Reserve Bank of New Zealand, www.rbnz.govt.nz
  Outsourcing Policy, January 2006
  Money Laundering, August 2003

Other References
  A Security Management Framework for Online Services, Department of the Premier and Cabinet Australia, April 2003, www.egov.dpc.wa.gov.au
  BITS Voluntary Guidelines for Aggregation Services, January 2004, www.bitsinfo.org
  Compliance Risk Management Framework, Westpac Banking Corporation, 2006, www.westpac.com.au
  Enterprise Risk Management Integrated Framework Executive Summary, September 2004, www.coso.org
  Guiding Principles for Outsourcing of Back Office Functions for Capital Market Intermediaries, Suruhanjaya Sekuriti Securities Commission, March 2006, www.sc.com.my
  HSBCnet Getting Started Guide, HSBC Bank, www.hsbcnet.com
  Introduction to the OCTAVE Approach, Carnegie Mellon Software Engineering Institute, August 2003, www.cert.org/octave
  Nordea Electronic Banking Guide, Nordea Bank Polska, www.nordea.pl
  Risk Management Strategy, Housing Corporation London, March 2006, www.housingcorp.gov.uk
  Security Reference Handbook, Symantec Corporation, 2001, www.symantec.com
  The Orange Book: Management of Risk – Principles and Concepts, HM Treasury UK, October 2004, www.hm-treasury.gov.uk
  "Too much regulation" tops Banking Banana Skins poll for second year, news release dated June 28, 2006, PricewaterhouseCoopers, www.pwc.com

Speeches
  Electronic Safety and Soundness for Financial Services – A Pragmatic View, Mr John Palmer, Deputy Managing Director, Monetary Authority of Singapore, May 17, 2004, World Bank Asia Pacific Regional Conference, Singapore
  Corporate Governance and Risk Management at Community Banks, Susan Schmidt Bies, Governor, Federal Reserve System, August 12, 2004, Federal Reserve Bank of Chicago Community Bank Directors Conference
  Supervisory Concerns in an IT Environment, Tarisa Watanagase, Deputy Governor, Bank of Thailand, May 12, 2005, Federal Reserve System Course on Electronic Banking and Technology Risk Supervision
  The Continuous Challenges of Risk Management, Susan Schmidt Bies, Governor, Federal Reserve System, February 2, 2006, Financial Services Institute, Washington DC
  A Bank Supervisor's Perspective on Enterprise Risk Management, Susan Schmidt Bies, Governor, Federal Reserve System, April 28, 2006, Enterprise Risk Management Roundtable, North Carolina State University
  Risk Management in Banking – A Prudential Perspective, John F Laker, Chairman, Australian Prudential Regulation Authority, September 6, 2006, 59th International Banking Summer School, Melbourne
Preview excerpts

"... reference for anyone involved in electronic banking." Mark Mobius, Managing Director, Templeton Asset Management Ltd

"... of electronic banking. The book gives an excellent review of the wide scope of electronic banking on traditional banking and business methods. It then delves into the risks inherent in e-banking, ..."

"... comprising life and general insurance, mutual funds, stock-broking, depository services, housing finance, and the like. Brand Names: The importance of banking brand ..."

Posted: 03/01/2020, 10:08
