Wow! I would have liked the answer to this question in 1997 as I began rewriting the electronic operations rules for the thrift industry. However, at that time, the buzz around phrases like electronic banking and specifically Internet banking was just getting started. Since that time, the federal regulatory banking agencies have issued volumes of useful information on these topics that you should begin to review and understand. Typically, you can find the materials on each of the regulatory websites by searching for key phrases such as electronic banking, Internet banking, information technology, security, outsourcing, aggregation, payment systems, privacy, etc. BankersOnline also has a quick link list to some of these inside its Technology area.
As a "novice," you have a lot of homework to catch up on to ensure that you do a thorough audit. I recommend that you begin with a high-level review of your electronic banking operations. I have outlined 13 steps below to help ensure that you cover the key aspects. You can dig deeper as your knowledge and expertise increase. But these 13 steps are consistent with the initial e-banking review performed by most examiners. As the examiners dig deeper, they typically begin to map your compliance to the FFIEC IS Handbook and more recent guidelines related to security, vendor management, IT internal audit, payment systems, business continuity, and service providers.
- Have you clearly defined the purpose and objectives of your web site? Are they consistent with your overall strategic plan for the institution?
- What type of cost benefit analysis was performed as part of your decision to develop a transactional web site?
- What is the budget for this operation and expected annual operating and maintenance costs (including telecommunications, hardware, software, and personnel)?
- Is this service covered under your fidelity insurance policy?
- What steps have you taken to identify, review, and make changes in policies and procedures for each of the program areas that are affected by the deployment and operation of the web site?
- Do you support the web site with internal staff or rely on outside assistance? How do you maintain effective controls?
- Do you have formal written contracts with any vendors that help you deploy and maintain your site?
- What type of recurring tests do you conduct to ensure that your system controls are effective?
- How do you protect the confidentiality of customer data? Have you implemented and tested your customer information security program in compliance with GLBA Section 501(b)?
- Have your disaster recovery and contingency plans been updated to include the web site activities and services?
- What procedures have you established to confirm the identity of new customers who open accounts online?
- How do you monitor your site to ensure that it complies with all applicable regulations?
In addition to this list, you might want to obtain a copy of an article I published, "Are You E-Ready?" It was first printed in the November 2000 issue of the Independent Banker. You can also find a copy at www.moneinc.com/resources/publications.htm. This article will provide you with some additional background on the bigger-picture planning issues that your institution should consider.
Best of luck! You are going to have a lot of fun with this project!
First published on BankersOnline.com 4/1/02