Sunday, May 9, 2010

Risk Management - An Imperative Objective


Managing the risks and implementing controls for Internet banking is an imperative objective for banks. The most dangerous mistake is to treat these risks as a purely technical problem and leave them to IT management alone. The board and senior management of a bank should establish effective management control over the risks associated with e-banking activities. Senior management should ensure that the bank does not engage in e-banking projects unless it has the necessary technical and risk management oversight expertise at all levels. They should set the tone for managing risk by establishing key delegations and reporting mechanisms, separation of duties and escalation procedures. Management should set up a formal risk assessment process in the organization and should ensure that ongoing due diligence and risk analyses are performed as the bank initiates or expands Internet banking activities. Security controls also need special attention from management because of the open nature of the Internet and the pace of technological change. The specific focus areas that will enhance Internet security include the following: authentication, nonrepudiation and segregation of duties.

Authentication: This means ensuring customers are verified and their identities established before conducting business over the Internet. Passwords, biometric methods, challenge-response systems and public key infrastructure are some of the ways of strengthening authentication. There is a growing trend towards single-sign-on applications, where the customer needs only a single ID to access his entire relationship with the bank.
Nonrepudiation: Banks should make certain that customers who transact on the Internet cannot later deny having originated the transactions. Strong nonrepudiation can be achieved using techniques such as PKI (digital certificates and digital signatures).
Segregation of duties: As in any traditional process, segregation of duties is vital to prevent the perpetration of fraud by any single individual.
Banks should ensure that there are appropriate measures to protect the data integrity of e-banking transactions, records and information. All e-banking transactions should generate clear audit trails, which should be archived. It is also vital to generate and protect records of customer instructions in a legally acceptable format. Management should strengthen information security controls to preserve the confidentiality and integrity of customer data by implementing methods such as firewalls, ethical hacking tests, and physical and logical access controls.
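One concrete way to meet the "clear audit trails" and data-integrity requirement above is a tamper-evident, hash-chained transaction log: each archived entry commits to the previous entry's hash, so any later modification or deletion breaks the chain at a detectable position. The Python below is an added illustration and is not code from the original post or from any bank's system; the sample transactions, field names and the helper functions (`build_audit_trail`, `verify_audit_trail`, `tamper_demo`) are constructed for this example.

```python
import copy
import hashlib
import json

# Constructed sample transactions for the example (hypothetical, not real bank data).
SAMPLE_TRANSACTIONS = [
    {"txn_id": "T-0001", "customer": "C-42", "action": "transfer",
     "amount": "250.00", "currency": "USD", "ts": "2010-05-09T10:15:00Z"},
    {"txn_id": "T-0002", "customer": "C-42", "action": "transfer",
     "amount": "75.00", "currency": "USD", "ts": "2010-05-09T10:17:30Z"},
    {"txn_id": "T-0003", "customer": "C-17", "action": "bill_pay",
     "amount": "120.50", "currency": "USD", "ts": "2010-05-09T10:20:05Z"},
]

# The first entry chains to a fixed all-zero "genesis" value.
GENESIS_HASH = "0" * 64


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so equal records always hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous entry's hash and this record; links the chain."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(b"\n")
    h.update(canonical(record))
    return h.hexdigest()


def build_audit_trail(records):
    """Append-only construction: each entry stores prev_hash, the record, and its own hash."""
    trail = []
    prev = GENESIS_HASH
    for rec in records:
        digest = entry_hash(prev, rec)
        trail.append({"prev_hash": prev, "record": rec, "hash": digest})
        prev = digest
    return trail


def verify_audit_trail(trail):
    """Recompute the chain from the genesis value.

    Returns (True, None) if every link holds, otherwise (False, index) where
    index is the first entry whose link or content hash does not match.
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(trail):
        if entry["prev_hash"] != prev:
            return False, i          # an entry was removed, inserted or reordered here
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i          # this entry's content was altered
        prev = entry["hash"]
    return True, None


def tamper_demo():
    """Show that altering an archived amount is detected at the altered entry."""
    trail = build_audit_trail(SAMPLE_TRANSACTIONS)
    ok_before, _ = verify_audit_trail(trail)
    tampered = copy.deepcopy(trail)
    tampered[1]["record"]["amount"] = "2500.00"   # constructed after-the-fact edit
    ok_after, bad_index = verify_audit_trail(tampered)
    return ok_before, ok_after, bad_index


def deletion_demo():
    """Show that silently dropping an entry breaks the link at its former position."""
    trail = build_audit_trail(SAMPLE_TRANSACTIONS)
    del trail[1]
    return verify_audit_trail(trail)


if __name__ == "__main__":
    print("intact, tampered, first bad index:", tamper_demo())
    print("after deletion:", deletion_demo())
```

The chain only proves something if the latest hash is anchored somewhere the log writer cannot rewrite, for example archived to write-once storage or countersigned periodically; otherwise an insider who can rewrite the whole archive can simply recompute every hash. It also protects integrity, not origin: for the nonrepudiation requirement above, the customer's instruction must additionally carry a signature made with a key only the customer holds.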

The senior management of banks should also establish effective Legal and Reputational Risk Management in the following ways:

Privacy: To protect the privacy of customers, banks should articulate a privacy policy and communicate it to customers. Customers must be offered opt-out options, and great care must be exercised before sharing customer information with outside entities. If customers are from a different jurisdiction, then the strongest privacy law may apply.
Availability: Banks should have business continuity and contingency planning processes to help ensure continuous availability of Internet banking services. This is challenging because of the potential for high transaction volume and the demand for 24-hour, seven-day-a-week availability.
Incident response: Banks should also formulate appropriate incident response plans to detect, manage, contain and minimize problems arising from internal and external attacks. There should be clear escalation paths, a communication strategy for customers and the press and a documented chain of command. Finally, there should be a process for collecting and preserving forensic evidence after an adverse event.

Risk management of e-banking should be incorporated within the existing risk management disciplines in the organization, and new control procedures should be implemented as technology changes rapidly.
