| Booklet:
E-Banking Section: Appendix A: Examination Procedures Subsection: Introduction |
|||||||||||||||||||||||||||
The examiner’s primary goal in reviewing e-banking activities is to determine whether the institution is providing e-banking products and services in a safe and sound manner that supports compliance with consumer-protection regulations. This determination is based on whether the institution’s risk management practices are commensurate with the level of risk in its e-banking activities.
The e-banking examination procedures are a tool to help examiners reach conclusions regarding the effectiveness of an institution’s risk management of e-banking activities. Examiners should use their judgment, consistent with the institution’s supervisory strategy, in selecting applicable examination objectives and determining the need for specific testing of controls. Examiners may rely on the work of auditors and consultants deemed independent and competent in establishing their examination scope.
The examination procedures that follow focus on the risks inherent in the processes and technologies supporting e-banking products and services. They supplement, but do not replace, procedures from other IT Handbook booklets that apply to general IT activities (e.g., program development and maintenance, networking, information security, etc.). Depending on the scope of coverage targeted, examiners should consider using these procedures in combination with others from the IT Handbook and related issuances.
The structure of the e-banking examination procedures parallels the structure of the narrative portion of this booklet. The procedures cover:
|
|
Setting the examination scope, |
|
|
Evaluating board and management oversight, |
|
|
Assessing the information security program, |
|
|
Reviewing legal and compliance issues, and |
|
|
Deriving exam conclusions. |
Depending on the complexity of the institution’s activities and the scope of prior reviews, it is generally not necessary to complete all of the examination objectives or procedures in order to reach conclusions on the effectiveness of the financial institution’s risk management processes. The procedures are designed for conducting targeted, integrated reviews of new or significantly expanded e-banking services. However, for follow-up activities or e-banking reviews conducted as part of a comprehensive review of an institution’s IT activities, examiners should customize their e-banking coverage to avoid duplication of topics covered in other examination programs.
This
section of the booklet also includes discussion points examiners can use
as a reference when talking to management as they are considering or implementing
e-banking products and services and a sample list of items to include
in the request letter for each of the objectives stated in the examination
procedures.