Booklet: E-Banking
Section: E-Banking Risks
TRANSACTION/OPERATIONS RISK
Transaction/Operations risk arises from fraud, processing errors, system
disruptions, or other unanticipated events resulting in the institution’s
inability to deliver products or services. This risk exists in each product
and service offered. The level of transaction risk is affected by the
structure of the institution’s processing environment, including
the types of services offered and the complexity of the processes and
supporting technology.
In most instances, e-banking activities will increase the complexity of the
institution’s activities and the quantity of its transaction/operations
risk, especially if the institution is offering innovative services that
have not been standardized. Since customers expect e-banking services
to be available 24 hours a day, 7 days a week, financial institutions
should ensure their e-banking infrastructures contain sufficient capacity
and redundancy to ensure reliable service availability. Even institutions
that do not consider e-banking a critical financial service due to the
availability of alternate processing channels should carefully consider
customer expectations and the potential impact of service disruptions
on customer satisfaction and loyalty.
The key to controlling transaction risk lies in adapting effective policies,
procedures, and controls to meet the new risk exposures introduced by
e-banking. Basic internal controls including segregation of duties, dual
controls, and reconcilements remain important. Information security controls,
in particular, become more significant requiring additional processes,
tools, expertise, and testing. Institutions should determine the appropriate
level of security controls based on their assessment of the sensitivity
of the information to the customer and to the institution and on the institution’s
established risk tolerance level. Security controls are discussed in this
booklet’s “Risk Management of E-Banking Activities”
section under the heading “Information Security Program.”
CREDIT RISK
Generally, a financial institution’s credit risk is not increased
by the mere fact that a loan is originated through an e-banking channel.
However, management should consider additional precautions when originating
and approving loans electronically, including assuring management information
systems effectively track the performance of portfolios originated through
e-banking channels. The following aspects of on-line loan origination
and approval tend to make risk management of the lending process more
challenging. If not properly managed, these aspects can significantly
increase credit risk.
- Verifying the customer’s identity for on-line credit applications and executing an enforceable contract;
- Monitoring and controlling the growth, pricing, underwriting standards, and ongoing credit quality of loans originated through e-banking channels;
- Monitoring and oversight of third-parties doing business as agents or on behalf of the financial institution (for example, an Internet loan origination site or electronic payments processor);
- Valuing collateral and perfecting liens over a potentially wider geographic area;
- Collecting loans from individuals over a potentially wider geographic area; and
- Monitoring any increased volume of, and possible concentration in, out-of-area lending.
LIQUIDITY, INTEREST RATE, PRICE/MARKET RISKS
Funding and investment-related risks could increase with an institution’s
e-banking initiatives depending on the volatility and pricing of the acquired
deposits. The Internet provides institutions with the ability to market
their products and services globally. Internet-based advertising programs
can effectively match yield-focused investors with potentially high-yielding
deposits. But Internet-originated deposits have the potential to attract
customers who focus exclusively on rates and may provide a funding source
with risk characteristics similar to brokered deposits. An institution
can control this potential volatility and expanded geographic reach through
its deposit contract and account opening practices, which might involve
face-to-face meetings or the exchange of paper correspondence. The institution
should modify its policies as necessary to address the following e-banking
funding issues:
- Potential increase in dependence on brokered funds or other highly rate-sensitive deposits;
- Potential acquisition of funds from markets where the institution is not licensed to engage in banking, particularly if the institution does not establish, disclose, and enforce geographic restrictions;
- Potential impact of loan or deposit growth from an expanded Internet market, including the impact of such growth on capital ratios; and
- Potential increase in volatility of funds should e-banking security problems negatively impact customer confidence or the market’s perception of the institution.
COMPLIANCE/LEGAL RISK
Compliance and legal issues arise out of the rapid growth in usage of
e-banking and the differences between electronic and paper-based processes.
E-banking is a new delivery channel where the laws and rules governing
the electronic delivery of certain financial institution products or services
may be ambiguous or still evolving. Specific regulatory and legal challenges
include:
- Uncertainty over legal jurisdictions and which state’s or country’s laws govern a specific e-banking transaction,
- Delivery of credit and deposit-related disclosures/notices as required by law or regulation,
- Retention of required compliance documentation for on-line advertising, applications, statements, disclosures and notices; and
- Establishment of legally binding electronic agreements.
Laws and regulations governing consumer transactions require specific types
of disclosures, notices, or record keeping requirements. These requirements
also apply to e-banking, and federal banking agencies continue to update
consumer laws and regulations to reflect the impact of e-banking and on-line
customer relationships. Some of the legal requirements and regulatory
guidance that frequently apply to e-banking products and services include:
- Solicitation, collection and reporting of government monitoring information on applications and loans, as required by Equal Credit Opportunity Act (Regulation B) and Home Mortgage Disclosure Act (Regulation C) regulations;
- Advertising requirements, customer disclosures, or notices required by the Real Estate Settlement Procedures Act (RESPA), Truth in Lending (Regulation Z), and Truth In Savings (Regulation DD) and Fair Housing regulations;
- Proper and conspicuous display of FDIC or NCUA insurance notices;
- Conspicuous webpage disclosures indicating that certain types of investment, brokerage, and insurance products offered have certain associated risks, including not being insured by federal deposit insurance (FDIC or NCUA);
- Customer identification programs and procedures, as well as record retention and customer notification requirements, required by the Bank Secrecy Act;
- Customer identification processes to determine whether transactions are prohibited by the Office of Foreign Assets Control (OFAC) and, when necessary, whether customers appear on any list of known or suspected terrorists or terrorist organizations provided by any government agency;
- Delivery of privacy and opt-out notices by hand, by mail, or with customer acknowledgement of electronic receipt;
- Verification of customer identification, reporting, and record keeping requirements of the Bank Secrecy Act (BSA), including requirements for filing a suspicious activity report (SAR); and
- Record retention requirements of the Equal Credit Opportunity Act (Regulation B) and Fair Credit Reporting Act regulations.
Institutions that offer e-banking services, both informational and transactional,
assume a higher level of compliance risk because of the changing nature
of the technology, the speed at which errors can be replicated, and the
frequency of regulatory changes to address e-banking issues. The potential
for violations is further heightened by the need to ensure consistency
between paper and electronic advertisements, disclosures, and notices.
Additional information on compliance requirements for e-banking can be
found on the agencies’ websites and in references contained in appendix
C.
STRATEGIC RISK
A financial institution’s board and management should understand
the risks associated with e-banking services and evaluate the resulting
risk management costs against the potential return on investment prior
to offering e-banking services. Poor e-banking planning and investment
decisions can increase a financial institution’s strategic risk.
Early adopters of new e-banking services can establish themselves as innovators
who anticipate the needs of their customers, but may do so by incurring
higher costs and increased complexity in their operations. Conversely,
late adopters may be able to avoid the higher expense and added complexity,
but do so at the risk of not meeting customer demand for additional products
and services. In managing the strategic risk associated with e-banking
services, financial institutions should develop clearly defined e-banking
objectives by which the institution can evaluate the success of its e-banking
strategy. In particular, financial institutions should pay attention to
the following:
- Adequacy of management information systems (MIS) to track e-banking usage and profitability;
- Costs involved in monitoring e-banking activities or costs involved in overseeing e-banking vendors and technology service providers;
- Design, delivery, and pricing of services adequate to generate sufficient customer demand;
- Retention of electronic loan agreements and other electronic contracts in a format that will be admissible and enforceable in litigation;
- Costs and availability of staff to provide technical support for interchanges involving multiple operating systems, web browsers, and communication devices;
- Competition from other e-banking providers; and
- Adequacy of technical, operational, compliance, or marketing support for e-banking products and services.
REPUTATION RISK
An institution’s decision to offer e-banking services, especially
the more complex transactional services, significantly increases its level
of reputation risk. Some of the ways in which e-banking can influence
an institution’s reputation include:
- Loss of trust due to unauthorized activity on customer accounts,
- Disclosure or theft of confidential customer information to unauthorized parties (e.g., hackers),
- Failure to deliver on marketing claims,
- Failure to provide reliable service due to the frequency or duration of service disruptions,
- Customer complaints about the difficulty in using e-banking services and the inability of the institution’s help desk to resolve problems, and
- Confusion between services provided by the financial institution and services provided by other businesses linked from the website.