Managing Risks of Internet Banking


  • 7/28/2019 Managing Risks of Internet Banking


    Managing Risks of Internet Banking

    Priam Kasturiratna

    MBA (Sri J), AIB (Sri Lanka), PG DIP in Business & Financial Administration (ICASL)

    Email: [email protected]

    Abstract

    Internet Banking is one of the fastest growing delivery channels in the Banking Industry. While providing customers with a long list of benefits, Internet Banks work hard to manage Risk. Today's banks adopt various techniques to identify and manage Internet Banking Risks. This paper discusses the range of Risks applicable to Internet Banking services, and illustrates and guides how Risk Mitigation is achieved in Internet Banking environments.

    I. Introduction

    Internet Banking has expanded rapidly among banking customers in recent years.

    Penetration of Information Communication Technology into financial and commercial fields, and then into daily lifestyles, has created a need and liking for Internet Banking in both Retail and Commercial customer segments.

    Today, in 2006 AD, Internet Banking is only a ten-year-old product that has attracted a vast number of Banking Customers, and has become a vital topic in industry forums. Looking back at the history of the centuries-old traditional Banking industry, Internet Banking is perhaps the most sought-after offering.

    While the benefits of Internet Banking are many, Bankers make substantial efforts behind the scenes to manage the Risks of Internet Banking.

    II. What is Internet Banking, and the Risks in it

    Internet Banking is defined as the use of the Internet as a remote delivery channel for Banking Services. Services could be limited to Inquiries on Banking accounts, or extend to traditional Banking services like Transfer of Funds, Ordering Cheque Books, Stop Payments and Account Opening, with or without new types of services like Electronic Bill Payment and Presentment.

    Three broad categories of Internet Banking services are,

    A. Inquiry Only Services

    B. Transactional Services with Inquiries

    C. Fully Fledged Internet Only Banking with Online Account Opening, Transactions and Inquiries

    Risk in Internet Banking is defined as an act or an event that would have an adverse impact on the Internet Banking Customer, Bank or any Banking System.

    2nd National ISACA Sri Lanka Chapter Conference, Colombo,

    Sri Lanka - 2006


    III. Different Categories of Internet Banking Risks

    Risk Categories of Internet Banking are almost the same as the Risks faced by traditional, automated Financial Institutions.

    A. Strategic Risk

    B. Legal and Regulatory Compliance Risk

    C. Transactional Risk

    D. Marketing and Reputational Risk

    E. Credit Risk

    F. Exchange Risk

    G. Interest Rate Risk

    H. Liquidity Risk

    I. Information Security Risk

    Although the Risk categories are the same, the applicability and the magnitude of Risk could vary depending on the degree of Automation and Services offered by a specific Bank.

    A. STRATEGIC RISK

    Strategic Risk is the current and prospective effect on earnings or capital arising from:

    1. Adverse business decisions

    2. Improper implementation of decisions

    3. Lack of responsiveness to Industry/environmental changes

    The majority, if not all, of the strategic business decisions linked to Internet Banking will create at least a minimal Strategic Risk. Typical business decisions could be:

    1. Whether to offer Internet Banking or not

    2. Which Category of Internet Banking to offer (Inquiry, Transactional or Full-fledged)

    3. What Risk Limiting Controls to implement

    4. Product Positioning

    5. Fee Structures

    6. Emphasis and Investment on Business Continuity

    7. Reaction to Competition

    8. Reaction to changes affecting the Industry or environment

    B. LEGAL AND REGULATORY COMPLIANCE RISK

    Risk to earnings or capital arising from violations of, or non-conformity to:

    1. Laws

    2. Regulations

    3. Rules

    4. Prescribed Practices

    5. Ethical Standards

    6. Contractual Terms

    Assets can become worth less, liabilities could increase, or existing laws may fail to address issues faced by the Bank.


    Legal and Compliance Risks can arise from inadequate or incorrect legal advice or documentation, and from amendments to existing Laws or Rules/Regulations. Legal Risk is sometimes difficult to assess and therefore to mitigate successfully. This happens especially in jurisdictions with underdeveloped legal structures governing electronic transactions and commerce.

    Sri Lanka, for example, has an underdeveloped legal structure applicable to Internet Banking. Manual Signatures are still mandatory for Contracts, and both Internet Banking and Traditional Banking activities are governed under the same sections of Law. Therefore, Banks use a combination of Banking Law, Contract Law and Banking Practices to cover Legal Risks.

    Dependable Legal Advice on Internet Banking could be a scarce resource in situations where the country's Electronic Transactions Law and related Legal Expertise develop at a slower pace than Internet Banking. Banks must keep an open eye and appropriately manage Legal Risks under changing Legal frameworks.

    Introducing new types of services or transactions on the Internet is quite a challenging task. Establishing the legal/regulatory rights of parties is very important in designing documentation such as agreements or contracts. Proper completion of documentation is equally important in every contract, including Service Level Agreements and Internet Banking Service related applications completed at operational level.

    Documentation procedures should be comprehensive, covering signature verifications, establishing a customer's rights to access or transact on accounts, multi-currency transaction capabilities, and safe custody and preservation of documents throughout the period of services and up to the prescribed number of years for preserving documents.

    Regulations and Rules imposed by Regulatory Bodies should be taken into account when the services are designed, and should be adequately covered in contractual documents. If an amendment to existing Rules/Regulations requires an amendment to the existing contracts, such changes should be duly incorporated immediately.

    C. TRANSACTIONAL RISK

    Transactional Risk is the current or future effect on earnings or capital due to errors, frauds or failure to maintain service levels of transactions. Transactions are defined as Business events or information grouped together because they have a similar or single business purpose. Transactional Risk can arise from a financial transaction or a non-financial transaction like a Stop Payment or a Change of Customer Address.

    In hypothetical situations, a Cheque Stopped via Internet Banking gets paid later due to a delay in updating the Banking System. Confirmation of a Bill Payment during the night may fail to reach the Billing Company due to a faulty communication link, and as a result, the Utility Service (could be Electricity, Telephone etc.) gets disconnected.

    Both are Transactional Risk conditions created via Internet Banking. Transactional Risk can vary with the obvious Business value of the particular transaction to the customer. If the customer proves that the Bank has not taken "Reasonable Efforts" in performing its duties, or has been negligent, the resulting loss (Risk) to the Bank could be even more than the monetary value of the transaction.

    Mitigating Transactional Risk can become a strenuous task due to dependencies on third-party service providers, 24X7 services and the complexity of system structures. Preventive measures in a couple of areas would not be effective, because a Transactional Risk could originate from many possible avenues. An effective way to mitigate Transactional Risk is to develop an Information Security Governance Framework so that the entire range of possibilities is covered.

    D. MARKETING AND REPUTATIONAL RISK

    Marketing/Reputational Risk can be defined as the current or prospective effect on earnings or capital arising out of Negative Public Opinion.

    Marketing/Reputational Risk affects the organisation's ability to establish new business/services, could hamper continuity of present business/services, and could even result in litigation.

    Poor Service Quality can make an Internet Bank especially vulnerable to Marketing/Reputational Risk.

    Internet Banking customers get less opportunity to personally discuss their problems compared to traditional Banking, making them more likely to get frustrated and go to a competitor.

    When a Bank shifts its emphasis more towards Internet Banking, it could result in gradual alienation from longstanding customers and the general public, and the Bank tends to lose their hearts over time. A far more dangerous possibility is that the Bank itself fails to recognise the pulse of the customer due to loss of personal contact. A Bank that has lost touch will find its Marketing activities increasingly ineffective over time, resulting in deterioration of image and eventually earnings.

    E. CREDIT RISK

    Credit Risk is defined as Risk to earnings or capital due to an obligor's failure to honour the terms or repayments of a credit facility.

    Credit Risk in Internet Banking Lending is higher than in traditional Bank lending due to limitless geographical coverage and the absence of personal contact, which makes it impractical to establish the borrower's identity and physical existence. The usual good faith of a borrower cannot be established as in traditional Banking. Hence, Internet Banks could either perform a serious evaluation, or decide not to lend solely on the Internet.

    Credit Risk Mitigation in Internet Banking can be handled more successfully with Hybrid Model Internet Banking. Hybrid Internet Banking is where the Internet Banking Services are offered by a Traditional Brick and Mortar Bank, thereby facilitating physical contact with the customer. Many Banks in the region that offer Hybrid Internet Banking, including Sri Lankan Banks, are capable of lending to Internet Banking Customers after an assessment of Credit Risk.

    F. EXCHANGE RISK

    Exchange Risk arises when assets in one currency are backed by liabilities in another currency, and the value of the assets/liabilities changes due to Exchange Rate fluctuations. Availability of non-domestic currency deposits and unrestricted transfers among those deposits could land the Bank in high Exchange Risk.

    Inter-currency transactions by Internet Banking customers can create an Exchange Risk when the exchange rates are volatile. For example, if a customer exchanges deposits from one currency to another during the night (when the bank is closed for business), and if the currency of the new deposit has appreciated by the next day, the bank faces a loss due to the increased value of the new Deposit Liability.

    Exchange Risks could be mitigated by keeping exchange rates up to date, and/or by imposing inter-currency transaction restrictions, the more practical method being restrictions. Value-based daily transaction limits, effecting transactions subject to the Bank's screening, exception reporting and restricting credits to third parties are some of the common measures.

    G. INTEREST RATE RISK

    Interest Rate Risk is defined as the Risk to earnings or capital due to moving Interest Rates.

    Banks look at the sensitivity of assets, liabilities and revenue value to changes in Interest Rates. Internet Banks attract deposits and loans from a wider number of "BEST deal"-seeking customers than a traditional Bank.

    Deposit owners have a high level of freedom with their funds. Hence the number of controls and the manpower needed to maintain appropriate asset/liability management and fast reaction to changing market conditions is higher in Internet Banking.

    H. LIQUIDITY RISK

    Liquidity Risk is defined as Risk to earnings or capital due to the Bank's inability to meet its obligations as and when they fall due, without incurring unacceptable losses.

    Firstly, Interest Rates/Terms are key reasons for customers to maintain Internet Banking accounts; secondly, they get access to deposits and retain their ability to transact at any time of the day and from anywhere. Therefore, Internet Banking increases the likelihood of deposit mobility, increasing the Liquidity Risk to the Bank.

    Unlike Exchange Risk, Liquidity Risk is applicable even to domestic currency. Value-based daily transaction limits, subjecting transactions to an approval process, exception reporting, restricting third-party credits and limiting fund movement to within the bank are some of the commonly used controls.
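
    The controls named here and under Exchange Risk (value-based daily limits, screening/approval, third-party credit restrictions, limiting fund movement to within the bank, exception reporting) can be combined in a single gate applied before a transaction is posted. The sketch below is an added example, not code from the paper; the limit values, field names and the choice to let held items reserve the daily limit are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Assumed policy values for illustration; the paper gives no figures.
DAILY_LIMIT = Decimal("500000")         # per customer per day, base currency
APPROVAL_THRESHOLD = Decimal("100000")  # at or above this, the bank screens first

@dataclass(frozen=True)
class Transfer:
    customer: str
    day: date
    amount: Decimal      # value converted to base currency
    from_ccy: str
    to_ccy: str
    own_account: bool    # False means a credit to a third party
    within_bank: bool    # False means the funds leave the bank

class ControlGate:
    def __init__(self):
        self.used = defaultdict(Decimal)  # (customer, day) -> value accepted so far
        self.exceptions = []              # rows for the exception report

    def screen(self, t):
        """Return 'POST', 'HOLD' (awaiting bank approval) or 'REJECT'."""
        key, reasons = (t.customer, t.day), []
        if self.used[key] + t.amount > DAILY_LIMIT:
            reasons.append("daily value limit exceeded")
        if not t.own_account and t.from_ccy != t.to_ccy:
            reasons.append("inter-currency credit to a third party")
        if not t.within_bank:
            reasons.append("fund movement outside the bank")
        if reasons:
            decision = "REJECT"
        elif t.amount >= APPROVAL_THRESHOLD or t.from_ccy != t.to_ccy:
            decision, reasons = "HOLD", ["subject to bank screening"]
        else:
            decision = "POST"
        if decision != "REJECT":
            self.used[key] += t.amount    # held items reserve limit (design choice)
        if decision != "POST":
            self.exceptions.append((t.customer, t.day, t.amount, decision, reasons))
        return decision

def demo():  # constructed sample: own-account currency switch, held for screening
    gate = ControlGate()
    t = Transfer("C1", date(2006, 1, 2), Decimal("50000"), "LKR", "USD", True, True)
    return gate.screen(t), gate.exceptions[0][4]
```

    Every decision other than POST lands in `exceptions`, which is the data an exception report for follow-up would be built from.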

    I. INFORMATION SECURITY RISK

    Information Security Risk could be defined as the Risk arising due to improper or inadequate Information Security Processes.

    Information Security Risk makes the organisation vulnerable to hacker attacks, viruses, data theft, social engineering attacks, data destruction and fraud. Lack of awareness and commitment of Senior Level Management is a common cause for the non-existence or slackness of an Information Security Governance framework in Internet Banks.

    Weak Information Security can open up loopholes in multiple areas. For example, unmanaged Firewall Policies could create easy targets for hacker attacks, data theft and data destruction. Similarly, front office employees unaware of Social Engineering could divulge sensitive information to 3rd parties, making the Bank liable for breach of Secrecy between the Bank and Customer, in extreme cases even leading to hacker attacks and Reputational Risk.


    IV. Practical Risk Mitigation in Internet Banking

    Successful Risk Mitigation in an Internet Banking environment is the net result of many task areas covered in an Information Security Governance Framework, each task individually and jointly supporting and supplementing the others.

    A. Strategies

    B. Security Implementations

    C. Contractual Relationships

    D. Internal Policies, Standards, Processes and Procedures

    E. Restrictions and Controls

    F. Training and User Education

    G. Transferring Risk

    H. Business Continuity Planning

    A. STRATEGIES

    The Business Strategies of an Internet Bank can be fine-tuned or adjusted to minimise the Risks of Internet Banking. For example, if the Bank considers it safe only to provide Internet Banking services within the country, it can focus only on the local market.

    B. SECURITY IMPLEMENTATIONS

    Covers Systems Security Implementations like Firewalls, Secure ID, Secure Socket Layer (SSL) Encryption, Intruder Detection, Virus Guards etc., and keeping each of them up to date with periodic updates and patches.

    Security implementations act as deterrents to prospective security violators, improve Customer Confidence and reduce or prevent Security Incidents, thereby minimising System Downtime and related costs.

    C. CONTRACTUAL RELATIONSHIPS

    Includes Service Level Agreements and Customer Applications for Internet Banking. Well-defined Contractual Relationships safeguard the Bank from Legal, Regulatory and Transactional Risks.

    Employee Contract Management is equally vital to ensure protection against employee theft and malpractices.

    D. INTERNAL POLICIES, STANDARDS, PROCESSES AND PROCEDURES

    Internal Policies, Standards and Procedures ensure a specific way of action in conducting business. Some of those actions include:

    1. Responding to New Internet Banking Customer enrolment requests

    2. Adhering to Know Your Customer (KYC) Rules

    3. Maintaining existing customer activities

    4. Customer requests and issues Management

    5. Periodic Activity, Trends and Exception Monitoring/follow-up

    6. Auditing Processes

    7. Legal Issues and disputes Management

    8. Regulatory Reporting

