The steps you will need to take and what you need to monitor will depend, in part, upon the nature of your bank's Web site as well as whether you are hosting the site in-house or have outsourced the work.
Start with the guidance from the regulatory agencies. The FFIEC Information Systems Examination Handbook, in Chapter 8, describes an Internal/External Audit Workprogram. While its scope is broader than just an online banking Web site, it is certainly helpful for reviewing risks associated with online banking. The section on Security - Physical and Data Workprogram should also be beneficial.
If you are using an outsourced provider, be sure to review the recently issued FFIEC guidance on Risk Management of Outsourced Technology Services. Among the areas it directs an institution's attention to are:
- Due Diligence in Selecting a Service Provider;
- Contract Issues; and
- Service Provider Oversight.
Proactively protect your institution's domain name, as suggested in regulatory issuances such as FDIC's November 8, 2000 Bank Technology Bulletin. Your institution must guard against cyberpirates and cybersquatters.
If you give required disclosures electronically, you need to be in compliance with the E-Sign Act. For more information on that Act, see Richard Insley's Sixty Second Solution on the subject or review the Act itself.
An FDIC paper issued in July on Information System Security Issues will help you focus on three important basics of IS security: prevention, detection, and response. When the interagency guidelines on information security are finalized, they will give even more clarity to this crucial area.
On page 10 of FDIC's Electronic Banking Safety and Soundness Examination Procedures, you'll find a useful chart that delineates the specific areas of concern and risks.
National banks will find the OCC guidance on Internet banking issues conveniently gathered in one spot.
Elsewhere on this site, you'll find articles about logging email and meeting compliance deadlines associated with certain types of email requests and a variety of other related topics. You'll also want to watch Andy Zavoina's Sixty Second Solution on the ADA and Your Web Site and Richard Insley's Sixty Second Solution on the Children's Online Privacy Protection Act.
There are many steps you can take. They range from simply viewing the main pages of your bank's Web site each day to ensure they have not been altered by hackers, to saving an electronic copy of your site to an archive, both on a regular periodic basis and routinely whenever the site is modified, so that you satisfy record retention requirements.
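The daily page check and the periodic archive described above can be scripted so they happen whether or not someone remembers to look. The following Python program is an added example; it is not part of the original article or of any regulator's guidance. It assumes pages are retrieved through a caller-supplied fetch function (the `bank.example` URLs, the sample page bodies and the volatile-fragment patterns are constructed for the demonstration) and that a baseline of known-good hashes is recorded after each approved change to the site.

```python
"""Daily integrity check and retention archive for a bank's public Web pages.

Added example, not from the original article. Pages are fetched through a
caller-supplied function so the script can be exercised offline; the URLs
and page bodies used in ``demo`` are constructed for demonstration only.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Tuple

Fetcher = Callable[[str], bytes]

# Fragments that legitimately change on every visit (a "last updated" stamp,
# a session token) are removed before hashing; otherwise every daily run would
# report a change. These patterns are assumptions matching the sample pages
# below; adjust them to the site actually being monitored.
VOLATILE = [
    re.compile(rb"Last updated:[^<]*"),
    re.compile(rb'name="session" value="[^"]*"'),
]


def fingerprint(body: bytes) -> str:
    """SHA-256 of the page body with volatile fragments stripped."""
    for pattern in VOLATILE:
        body = pattern.sub(b"", body)
    return hashlib.sha256(body).hexdigest()


def build_baseline(urls: Iterable[str], fetch: Fetcher) -> Dict[str, str]:
    """Record the known-good fingerprint of each page.

    Run this right after an approved change has been published, never after an
    unexplained mismatch, or a tampered page becomes the new "good" state.
    """
    return {url: fingerprint(fetch(url)) for url in urls}


def check_pages(baseline: Dict[str, str], fetch: Fetcher) -> List[Tuple[str, str]]:
    """Return (url, reason) for every page that differs from the baseline or
    could not be fetched. An empty list means no change was detected."""
    findings: List[Tuple[str, str]] = []
    for url, expected in baseline.items():
        try:
            body = fetch(url)
        except Exception as exc:  # network failure, HTTP error, host down
            findings.append((url, f"fetch failed: {exc!r}"))
            continue
        if fingerprint(body) != expected:
            findings.append((url, "content changed"))
    return findings


def archive_snapshot(urls: Iterable[str], fetch: Fetcher, dest: Path, label: str = "") -> Path:
    """Save a dated copy of every page plus a manifest of SHA-256 hashes.

    The manifest lets a later reviewer show that an archived copy is intact,
    which a record-retention archive needs in addition to the files themselves.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    folder = dest / (f"{stamp}-{label}" if label else stamp)
    folder.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for index, url in enumerate(urls):
        body = fetch(url)
        name = f"page{index:03d}.html"
        (folder / name).write_bytes(body)
        manifest[url] = {"file": name, "sha256": hashlib.sha256(body).hexdigest()}
    (folder / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return folder


def demo() -> List[Tuple[str, str]]:
    """Walk through a baseline, a harmless daily change and an unauthorized
    alteration using constructed in-memory pages; returns the last findings."""
    site = {  # constructed sample content, not a real site
        "https://bank.example/": b"<html><body>Welcome<p>Last updated: 2001-01-02</p></body></html>",
        "https://bank.example/login": b'<html><form><input name="session" value="abc123"></form></html>',
    }
    fetch = site.__getitem__
    baseline = build_baseline(site, fetch)

    # Day 2: only the timestamp and the session token moved -> no finding.
    site["https://bank.example/"] = site["https://bank.example/"].replace(b"01-02", b"01-03")
    site["https://bank.example/login"] = site["https://bank.example/login"].replace(b"abc123", b"zzz999")
    assert check_pages(baseline, fetch) == []

    # Day 3: the login page body itself was altered -> reported for follow-up.
    site["https://bank.example/login"] = b"<html><body>Unexpected replacement content</body></html>"
    findings = check_pages(baseline, fetch)
    for url, reason in findings:
        print(f"ALERT {url}: {reason}")
    return findings


if __name__ == "__main__":
    demo()
```

A mismatch is a signal to look, not proof of tampering: a publisher may have pushed a change without rebuilding the baseline. Run the check from outside the bank's own network so it sees what customers see, rebuild the baseline only after a change has been confirmed as authorized, and keep the archive folders (with their manifests) on storage the Web server cannot write to.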
Keep checking BankersOnline.com as we will continue to bring you additional information and suggestions about coping with the challenges posed by new technologies.
First published on BankersOnline.com 1/02/01