Security challenges in e-banking - Part II

Risk management principles
We discuss each of the risk management principles for e-banking mentioned earlier in detail here, and also suggest specific technical solutions and sound practices that may be considered effective ways to address the issues.

Establishment of specific accountability, policies and controls to manage e-banking risks

The Board of Directors and senior management of the bank should review all new e-banking projects that have a significant impact on the bank’s risk profile and strategy, performing an appropriate strategic and cost/reward analysis. Gaps in the traditional risk management policies and processes that the Board and senior management might have to address include:

  • Establishing key delegations and reporting mechanisms for incident handling including reporting procedures for external supervisory authorities
  • Addressing key factors associated with confidentiality, integrity and availability of e-banking products and services
  • Ensuring that third parties to whom the bank has outsourced key systems or applications take appropriate security measures
  • Ensuring that appropriate due diligence is performed before the bank conducts cross-border e-banking activities

Establishment of a comprehensive security control process

A comprehensive set of security policies and procedures should be developed based on a threat and vulnerability analysis of e-banking assets.

The following are key elements of an effective e-banking security process:

  • Explicit responsibility should be assigned for establishing and maintaining corporate security policies
  • Sufficient physical controls should be established to provide a secure area to house the e-banking systems including armed guards, CCTV with motion sensors, smoke and fire alarm systems, and biometric authentication like fingerprint or retina scan
  • Security profiles should be created and specific authorization privileges assigned to all users of e-banking systems including customers, internal users, and system administrators and outsourced service providers. LDAP-based directory solutions or Identity management solutions can be used for an effective implementation of this requirement.
  • Storage of sensitive data on organization’s desktop and laptop systems should be minimized and properly protected by encryption, access control and data recovery plans
  • Appropriate techniques should be employed to mitigate external threats, including the use of:
    • Firewalls to separate all DMZs, internal networks and external untrusted networks
    • Virus-scanning software at all critical entry points (like firewalls, remote access servers, e-mail servers) and on each desktop system
  • Host- and network-based intrusion detection systems to detect violations of security policies and controls
    • Periodic penetration testing of internal and external networks
  • Regular monitoring and correlation of access and activity logs should be performed for all perimeter devices, intrusion detection systems, applications and databases
  • Current industry security developments should be continuously tracked and appropriate software upgrades and service packs should be installed
  • A rigorous background check should be performed for all employees, service providers and contractors

Authentication of e-banking customers
To ensure legitimate access and reduce the risk of identity theft, banks should use reliable methods for verifying the identity and authorization of new and existing customers.

Banks can use a variety of authentication mechanisms, including PINs, passwords, smart cards, biometrics and digital certificates. Multi-factor authentication systems generally provide greater assurance, although they may pose greater implementation complexities. The selection of an authentication method should be based on careful risk analysis of the e-banking system’s transactional capabilities, the sensitivity and value of the stored e-banking data and customer’s ease of usage.

Measures to ensure segregation of duties
By their very nature, e-banking systems and applications require that traditional controls should be reviewed and adapted to ensure effectiveness. To establish and maintain segregation of duties in an e-banking environment, banks should take into consideration the following issues:

  • Transaction processes and systems should be designed to ensure that no single employee can enter, authorize and complete a transaction
  • Segregation should be maintained between those initiating static data (including web page content) and those responsible for verifying its integrity
  • Segregation should be maintained between those developing and those administrating e-banking systems
  • Internal authorization controls should be maintained within e-banking systems, applications and databases

In order to maintain segregation of duties, banks need to strictly control authorization controls and access privileges. The following are sound practices relating to authorization controls:

  • Specific authorization and access privileges should be assigned to all individuals
  • No individual, agent or system should have the authority to change his own authority or access privileges in an authorization database
  • Any modification to an authorization database should be duly authorized by an authenticated source
  • Authorization databases should be resistant to tampering and corruption and sufficient audit trails should exist to document any modification or tampering
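As an added illustration of the authorization practices just listed (this is example code, not part of the original article), the following Python sketch enforces them in a small in-memory authorization database: every change is attributed to an acting principal, a principal can never change its own privileges, only holders of an admin privilege may change anyone else's, and every attempt, allowed or denied, is written to an audit trail. The principal names (alice, bob) and privilege names are constructed for the example, and authentication of the acting user is assumed to have been completed before the call.

```python
import json
from datetime import datetime, timezone


class AuthorizationError(Exception):
    """Raised when a privilege change violates one of the controls."""


class AuthorizationDB:
    """In-memory authorization database with the controls described above.

    The caller is assumed to have already authenticated 'actor' (for example
    through the bank's normal login); this class only enforces authorization.
    """

    def __init__(self):
        self._privs = {}        # principal -> set of privilege names
        self.audit_trail = []   # append-only list of audit records

    def bootstrap(self, principal, privileges):
        """Seed privileges at provisioning time, attributed to 'system'."""
        self._privs[principal] = set(privileges)
        self._record("bootstrap", "system", principal, privileges, "ok")

    def privileges(self, principal):
        return set(self._privs.get(principal, ()))

    def set_privileges(self, actor, target, privileges):
        """Replace target's privileges on behalf of actor, or refuse and log why."""
        reason = None
        if actor == target:
            reason = "self-modification is not permitted"
        elif "admin" not in self._privs.get(actor, ()):
            reason = f"{actor} lacks the admin privilege"
        if reason is not None:
            self._record("set_privileges", actor, target, privileges, "denied: " + reason)
            raise AuthorizationError(reason)
        self._privs[target] = set(privileges)
        self._record("set_privileges", actor, target, privileges, "ok")

    def _record(self, action, actor, target, privileges, outcome):
        # Every attempt is recorded, including the ones that were refused.
        self.audit_trail.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "target": target,
            "privileges": sorted(privileges),
            "outcome": outcome,
        })


def demo():
    """Constructed scenario: one administrator, one teller, three refused changes."""
    db = AuthorizationDB()
    db.bootstrap("alice", {"admin"})
    db.bootstrap("bob", {"view_accounts"})
    # Allowed: an admin extends another user's privileges.
    db.set_privileges("alice", "bob", {"view_accounts", "enter_transaction"})
    denied = []
    for actor, target, privs in [
        ("bob", "bob", {"admin"}),                  # self-escalation
        ("bob", "alice", {"view_accounts"}),        # non-admin changing another user
        ("alice", "alice", {"admin", "approve"}),   # even an admin cannot change itself
    ]:
        try:
            db.set_privileges(actor, target, privs)
        except AuthorizationError as exc:
            denied.append(str(exc))
    return db, denied


if __name__ == "__main__":
    db, denied = demo()
    print("bob now holds:", sorted(db.privileges("bob")))
    print("refused:", denied)
    print(json.dumps(db.audit_trail, indent=2))
```

Because refusals are logged alongside successful changes, the audit trail also doubles as a detection signal: repeated denied attempts by the same actor are worth alerting on. In a real deployment the audit records would be written to the tamper-resistant log store discussed under audit trails rather than kept in memory.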

Data integrity of e-banking transactions and information
Data integrity refers to the assurance that information that is in-transit or in storage is not altered without authorization. Banks should ensure that appropriate measures are in place to ascertain the accuracy, completeness and reliability of e-banking transactions, records and information that is either transmitted over public networks or stored in internal bank databases.

Banks can use one-way hash functions to compute and verify checksums for in-transit or stored data. File integrity checkers are also useful tools to detect modified files and restore last known good copies, if required.

Establishment of clear audit trails for e-banking transactions
Banks are not only challenged to ensure that effective internal controls can be provided in highly automated environments, but also that controls can be independently audited, particularly for all e-banking events and applications. The following should be considered to determine if clear audit trails are maintained:

  • Opening, modification or closing of a customer account
  • Any transaction with financial consequences
  • Any authorization granted to a customer to exceed a limit
  • Any modification in access rights and privileges of e-banking systems

Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution. Also, it should be ensured that audit trails are not tampered with and can be used as evidence in a court of law.
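One way to make an audit trail resistant to after-the-fact tampering, shown here as an added example rather than as anything from the original article, is to chain the log entries: each entry carries an HMAC computed over its own content and the previous entry's HMAC, so editing or deleting any earlier record breaks every link after it. The key and the event records below are constructed for the demo; the key is assumed to be held by a separate log-collection system (or hardware security module), not by the application being logged.

```python
import hashlib
import hmac
import json


def _canonical(record):
    """Deterministic serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log in which every entry is bound to its predecessor by an HMAC."""

    GENESIS = "0" * 64   # 'previous MAC' used for the first entry

    def __init__(self, key):
        self._key = key      # assumed to live with the log collector, not the app
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        mac = hmac.new(self._key, prev.encode() + _canonical(event), hashlib.sha256).hexdigest()
        self.entries.append({"event": event, "prev": prev, "mac": mac})

    def verify(self):
        """Return the index of the first entry whose chain link is broken, or None if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = hmac.new(self._key, prev.encode() + _canonical(entry["event"]),
                                hashlib.sha256).hexdigest()
            if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
                return i
            prev = entry["mac"]
        return None


def demo():
    """Constructed scenario: three logged events, then an edit to the transfer amount."""
    key = b"constructed-demo-key-not-for-real-use"
    log = AuditLog(key)
    for event in [
        {"seq": 1, "type": "account_open", "customer": "C1001", "by": "teller7"},
        {"seq": 2, "type": "transfer", "from": "A1", "to": "A2", "amount": "250.00"},
        {"seq": 3, "type": "limit_override", "customer": "C1001", "approved_by": "mgr2"},
    ]:
        log.append(event)
    intact = log.verify()                       # None: chain is consistent
    log.entries[1]["event"]["amount"] = "2500.00"   # someone edits the stored record
    broken_at = log.verify()                    # 1: the edited entry no longer matches
    return intact, broken_at


if __name__ == "__main__":
    print(demo())
```

The chain detects edits and deletions in the middle of the log, but not truncation of the most recent entries; a separate record of the latest MAC (for example, written periodically to a system the log writer cannot reach) closes that gap. Keeping the key away from the application is what gives the evidence its weight: a log the application could silently rewrite and re-MAC would not hold up as evidence.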

Confidentiality of bank information
To preserve confidentiality of key e-banking information, banks should ensure that:

  • Data is classified into different groups and is only accessed by duly authorized and authenticated individuals, agents or systems
  • During transmission over public or private networks, all confidential bank data are protected from unauthorized viewing or modification using industry standard encryption algorithms and technologies
  • All access to restricted data is logged and efforts are made to ensure that access logs are resistant to tampering

Privacy of customer information
To meet the risk challenges concerning the preservation of privacy of customer information, banks should ensure that:

  • The bank's customer privacy policies and standards comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-banking services
  • Customers are made aware of the bank's privacy policies concerning use of e-banking services
  • Customers may decline ("opt out") from permitting the bank to share with a third party for cross-marketing purposes any information about the customer’s personal needs, interests, financial position or banking activity
  • Customer data are not used for purposes beyond those specifically allowed or beyond those that customers have authorized
  • The bank’s standards for customer data use must be met when third parties have access to customer data through outsourcing relationships

Availability of e-banking systems
Banks have to maintain high availability and continuity of e-banking systems, considering the potential for high transaction demand (especially during peak time periods) and high customer expectations regarding short transaction processing cycle times and constant 24x7 availability. To provide customers with the continuity of e-banking services they expect, banks should ensure that:

  • Current and future capacity of critical e-banking delivery systems is assessed on an ongoing basis
  • E-banking transaction processing capacity estimates are established, stress tested and periodically reviewed
  • E-banking systems, applications and infrastructure are designed and implemented keeping in mind the need for high availability, e.g., multiple redundant Internet links, routers, switches, web servers behind an external hardware load balancing device, high-availability databases with fail-over, etc.
  • Appropriate processing alternatives for managing demand should be developed when e-banking systems appear to be reaching defined capacity checkpoints
  • Appropriate business continuity and disaster recovery plans for critical e-banking processing and delivery systems are in place
  • Regular disaster recovery drills are performed to check effectiveness of disaster

Conclusion
E-banking introduces new risks for banks and thus there is a need for having a rigorous risk management process to address them. The above risk management principles and practices should be considered as a baseline for assessing and addressing e-banking risks. Banks should ensure that appropriate controls have been deployed to address attack prevention, detection, monitoring and response.

Copyright 2003-2004 Net ProActive Services. All Rights Reserved