"Internet banking" refers to systems that enable bank customers to access accounts and general information on bank products and services through a personal computer (PC) or other intelligent device. Internet banking products and services can include wholesale products for corporate customers as well as retail and fiduciary products for consumers. Ultimately, the products and services obtained through Internet banking are mirror products and services offered through other bank delivery channels.

Types of Internet Banking

- Informational
- Communicative
- Transactional

Internet Banking Risks

Credit Risk

Credit risk is the risk to earnings or capital arising from an obligor's failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer, or borrower performance. It arises any time bank funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether on or off the bank's balance sheet.

Internet banking provides the opportunity for banks to expand their geographic range. Customers can reach a given institution from literally anywhere in the world. In dealing with customers over the Internet, absent any personal contact, it is challenging for institutions to verify the bona fides of their customers, which is an important element in making sound credit decisions. Verifying collateral and perfecting security agreements also can be challenging with out-of-area borrowers. Unless properly managed, Internet banking could lead to a concentration in out-of-area credits or credits within a single industry. Moreover, the question of which state's or country's laws control an Internet relationship is still developing.

Effective management of a portfolio of loans obtained through the Internet requires that the board and management understand and control the bank's lending risk profile and credit culture. They must assure that effective policies, processes, and practices are in place to control the risk associated with such loans.

Interest Rate Risk

Interest rate risk is the risk to earnings or capital arising from movements in interest rates. From an economic perspective, a bank focuses on the sensitivity of the value of its assets, liabilities and revenues to changes in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (repricing risk); from changing rate relationships among different yield curves affecting bank activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from interest-related options embedded in bank products (options risk). Evaluation of interest rate risk must consider the impact of complex, illiquid hedging strategies or products, and also the potential impact that changes in interest rates will have on fee income. In those situations where trading is separately managed, this refers to structural positions and not trading portfolios. Internet banking can attract deposits, loans, and other relationships from a larger pool of possible customers than other forms of marketing. Greater access to customers who primarily seek the best rate or term reinforces the need for managers to maintain appropriate asset/liability management systems, including the ability to react quickly to changing market conditions.

Liquidity Risk

Liquidity risk is the risk to earnings or capital arising from a bank's inability to meet its obligations when they come due, without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned changes in funding sources. Liquidity risk also arises from the failure to recognize or address changes in market conditions affecting the ability of the bank to liquidate assets quickly and with minimal loss in value. Internet banking can increase deposit volatility from customers who maintain accounts solely on the basis of rate or terms. Asset/liability and loan portfolio management systems should be appropriate for products offered through Internet banking. Increased monitoring of liquidity and changes in deposits and loans may be warranted depending on the volume and nature of Internet account activities.

Price Risk

Price risk is the risk to earnings or capital arising from changes in the value of traded portfolios of financial instruments. This risk arises from market making, dealing, and position taking in interest rate, foreign exchange, equity, and commodities markets. Banks may be exposed to price risk if they create or expand deposit brokering, loan sales, or securitization programs as a result of Internet banking activities. Appropriate management systems should be maintained to monitor, measure, and manage price risk if assets are actively traded.

Foreign Exchange Risk

Foreign exchange risk is present when a loan or portfolio of loans is denominated in a foreign currency or is funded by borrowings in another currency. In some cases, banks will enter into multi-currency credit commitments that permit borrowers to select the currency they prefer to use in each rollover period. Foreign exchange risk can be intensified by political, social, or economic developments. The consequences can be unfavorable if one of the currencies involved becomes subject to stringent exchange controls or is subject to wide exchange-rate fluctuations. Foreign exchange risk is discussed in more detail in the "Foreign Exchange" booklet of the Comptroller's Handbook. Banks may be exposed to foreign exchange risk if they accept deposits from non-U.S. residents or create accounts denominated in currencies other than U.S. dollars. Appropriate systems should be developed if banks engage in these activities.

Transaction Risk

Transaction risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Transaction risk is evident in each product and service offered and encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment. A high level of transaction risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented, and monitored.

Banks that offer financial products and services through the Internet must be able to meet their customers' expectations. Banks must also ensure they have the right product mix and capacity to deliver accurate, timely, and reliable services to develop a high level of confidence in their brand name. Customers who do business over the Internet are likely to have little tolerance for errors or omissions from financial institutions that do not have sophisticated internal controls to manage their Internet banking business. Likewise, customers will expect continuous availability of the product and Web pages that are easy to navigate.

Software to support various Internet banking functions is provided to the customer from a variety of sources. Banks may support customers using customer-acquired or bank-supplied browsers or personal financial manager (PFM) software. Good communications between banks and their customers will help manage expectations on the compatibility of various PFM software products.

Attacks or intrusion attempts on banks' computer and network systems are a major concern. Studies show that systems are more vulnerable to internal attacks than external, because internal system users have knowledge of the system and access. Banks should have sound preventive and detective controls to protect their Internet banking systems from exploitation both internally and externally. See OCC Bulletin 99-9, "Infrastructure Threats from Cyber-Terrorists" for additional information.

Contingency and business resumption planning is necessary for banks to be sure that they can deliver products and services in the event of adverse circumstances. Internet banking products connected to a robust network may actually make this easier because back-up capabilities can be spread over a wide geographic area. For example, if the main server is inoperable, the network could automatically reroute traffic to a back-up server in a different geographical location. Security issues should be considered when the institution develops its contingency and business resumption plans. In such situations, security and internal controls at the back-up location should be as sophisticated as those at the primary processing site. High levels of system availability will be a key expectation of customers and will likely differentiate success levels among financial institutions on the Internet.

National banks that offer bill presentment and payment will need a process to settle transactions between the bank, its customers, and external parties. In addition to transaction risk, settlement failures could adversely affect reputation, liquidity, and credit risk.

Risk Management

Financial institutions should have a technology risk management process to enable them to identify, measure, monitor, and control their technology risk exposure. Examiners should refer to OCC Bulletin 98-3, "Technology Risk Management" for additional guidance on this topic. Risk management of new technologies has three essential elements:

- The planning process for the use of the technology.
- Implementation of the technology.
- The means to measure and monitor risk.

The OCC's objective is to determine whether a bank is operating its Internet banking business in a safe and sound manner. The OCC expects banks to use a rigorous analytic process to identify, measure, monitor, and control risk. Examiners will determine whether the level of risk is consistent with the bank's overall risk tolerance and is within the bank's ability to manage and control.

The risk planning process is the responsibility of the board and senior management. They need to possess the knowledge and skills to manage the bank's use of Internet banking technology and technology-related risks. The board should review, approve, and monitor Internet banking technology-related projects that may have a significant impact on the bank's risk profile. They should determine whether the technology and products are in line with the bank's strategic goals and meet a need in their market. Senior management should have the skills to evaluate the technology employed and risks assumed. Periodic independent evaluations of the Internet banking technology and products by auditors or consultants can help the board and senior management fulfill their responsibilities.

Implementing the technology is the responsibility of management. Management should have the skills to effectively evaluate Internet banking technologies and products, select the right mix for the bank, and see that they are installed appropriately. If the bank does not have the expertise to fulfill this responsibility internally, it should consider contracting with a vendor who specializes in this type of business or engaging in an alliance with another provider with complementary technologies or expertise.

Measuring and monitoring risk is the responsibility of management. Management should have the skills to effectively identify, measure, monitor, and control risks associated with Internet banking. The board should receive regular reports on the technologies employed, the risks assumed, and how those risks are managed. Monitoring system performance is a key success factor. As part of the design process, a national bank should include effective quality assurance and audit processes in its Internet banking system. The bank should periodically review the systems to determine whether they are meeting the performance standards.

Internal Controls

Internal controls over Internet banking systems should be commensurate with an institution's level of risk. As in any other banking area, management has the ultimate responsibility for developing and implementing a sound system of internal controls over the bank's Internet banking technology and products. Regular audits of the control systems will help ensure that the controls are appropriate and functioning properly. For example, the control objectives for an individual bank's Internet banking technology and products might focus on:

- Consistency of technology planning and strategic goals, including efficiency and economy of operations and compliance with corporate policies and legal requirements.
- Data availability, including business recovery planning.
- Data integrity, including providing for the safeguarding of assets, proper authorization of transactions, and reliability of the process and output.
- Data confidentiality and privacy safeguards.
- Reliability of MIS.

Once control objectives are established, management has the responsibility to install the necessary internal controls to see that the objectives are met. Management also has the responsibility to evaluate the appropriateness of the controls on a cost-benefit basis. That analysis may take into account the effectiveness of each control in a process, the dollar volume flowing through the process, and the cost of the controls. Examiners will need to understand the bank's operational environment to evaluate the proper mix of internal controls and their adequacy.

According to the Information Systems Audit and Control Association (ISACA) the basic internal control components include:

- Internal accounting controls: used to safeguard the assets and reliability of financial records. These would include transaction records and trial balances.
- Operational controls: used to ensure that business objectives are being met. These would include operating plans and budgets to compare actual against planned performance.
- Administrative controls: used to ensure operational efficiency and adherence to policies and procedures. These would include periodic internal and external audits.


This paper has thus covered the various aspects of internet banking risks. Also, the suggestions given in the form of control measures may be followed to achieve the desired results and overcome the demerits.
