Objective 1 – Determine the scope for the examination of the institution’s e-banking activities consistent with the nature and complexity of the institution’s operations.

- An organization chart of e-banking personnel including the name, title, and phone number of the e-banking examination contact.
- A list of URLs for all financial institution-affiliated websites.
- A list of all e-banking platforms utilized and network diagrams including servers, routers, firewalls, and supporting system components.
- A list of all e-banking related products and services including transaction volume data on each if it is available.
- A description of any changes in e-banking activities or future e-banking plans since the last exam.
- Diagrams illustrating the e-banking transaction workflow.
- Copies of recent monitoring reports that illustrate trends and experiences with intrusion attempts, successful intrusions, fraud losses, service disruptions, customer complaint volumes, and complaint resolution statistics.
- Copies of findings from, and management/board responses to, the following:
  - Internal and external audit reports (including SAS 70s on service providers and testing of the information security program),
  - Annual tests of the written information security program as required by GLBA,
  - Vulnerability assessments,
  - Penetration tests, and
  - Other independent security tests or e-banking risk reviews.

Objective 2 – Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit.

- Internal or external audit schedules, audit scope, and background/training information on individuals conducting e-banking audits.
- Descriptions of e-banking-related training provided to employees including date, attendees, and topics.
- Strategic plans or feasibility studies related to e-banking.
- Insurance policies covering e-banking activities such as blanket bond, errors and omissions, and any riders relating to e-banking.
- Copies of recent management and board reports that measure or analyze e-banking performance both strategically and technically, such as percentage of customers using e-banking channels or system capacity to maintain current and planned level of transactional activity.

Objective 3 – Determine the quality of the institution’s risk management over outsourced technology services.

- Policies and procedures related to vendor management.
- A list of all third-party providers, contractors, or support vendors, including the name, services provided, address, and phone number for each.
- Documentation supporting initial or ongoing due diligence of the above vendors including financial condition, service level performance, security reporting, audit reports, security assessments, and disaster recovery tests as appropriate.
- Vendor contracts (make available upon request).

Objective 4 – Determine if the institution has appropriately modified its information security program to incorporate e-banking risks.

- Findings from security risk assessments pertaining to e-banking activities.
- Information security policies and procedures associated with e-banking systems, products, or services, including policies associated with customer authentication, employee e-mail usage, and Internet usage.
- A list or report of authorized users and access levels for e-banking platforms, including officers, employees, system vendors, customers, and other users.
- Samples of e-banking-related security reports reviewed by IT management, senior management, or the board including suspicious activity, unauthorized access attempts, outstanding vulnerabilities, fraud or security event reports, etc.
- Documentation related to any successful e-banking intrusion or fraud attempt.

If e-banking is hosted internally, provide the following additional information:

- A list of security software tools employed by the institution including product name, vendor name, and version number for filtering routers, firewalls, network-based intrusion detection software (IDS), host-based IDS, and event correlation analysis software (illustrate placement on network diagram);
- Policies related to identification and patching of new vulnerabilities; and
- Descriptions of router access control rules, firewall rules, and IDS event detection and response rules including the corresponding logs.

Objective 5 – Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services.

- E-banking policies and procedures related to account opening, customer authentication, maintenance, bill payment or e-banking transaction processing, settlement, and reconcilement.
- Business resumption plans for e-banking services.

Objective 6 – Assess the institution’s understanding and management of legal and compliance issues associated with e-banking activities.

- Policies and procedures related to e-banking consumer compliance issues including website content, disclosures, BSA, financial record keeping, and the institution’s trade area.
- A list of any pending lawsuits or contingent liabilities with potential losses relating to e-banking activities.
- Documentation of customer complaints related to e-banking products and services.
- Copies of, or publicly available weblinks to, privacy statements, consumer compliance disclosures, security disclosures, and e-banking agreements.

If the financial institution provides cross-border e-banking products and services, provide the following additional information:

- Policies for, or a description of, permissible cross-border e-banking including types of products and services such as account opening, account access, or funds transfer, and restrictions such as geographic location, citizenship, etc.
- Policies for, or a description of, the institution’s due diligence process for accepting cross-border business.