The Bank of International Settlements (BIS) has released a report that urges banks to review their risk management strategies in light of the way technology advances have magnified and changed traditional risk exposures.
The Basel Committee on Banking Supervision, which authored the report, points to several key areas that are having an impact. These include the unprecedented speed of change related to technological and customer service innovation, the ubiquitous and global nature of open electronic networks, the integration of e-banking applications with legacy computer systems, and the increasing dependence of banks on third parties that provide the necessary information technology.
The committee has identified 14 risk management principles that cover strategic, operational, legal and reputational risks. It shies away from defining these as 'minimum requirements' or 'best practice' because banks each have their own unique business strategy and environment, and these are constantly changing. However, a key theme of the report is that senior management should take responsibility for extending their existing risk management policies and processes to cover e-banking activities. As legacy systems and traditional business practice is increasingly integrated with new technology, risk management practice should also reflect this integration.
These are the general principles that the committee has identified:
Board and Management Oversight:
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for outsourcing relationships and other third-party dependencies.
Security Controls:
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems, databases and applications.
8. Data integrity of e-banking transactions, records, and information.
9. Establishment of clear audit trails for e-banking transactions.
10. Confidentiality of key bank information.
Legal and Reputational Risk Management:
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to ensure availability of e-banking systems and services.
14. Incident response planning.
The committee says that these principles aren’t fundamentally different to those applied to banking activities delivered through other distribution channels and are therefore derived from principles expressed by BIS committees and supervisors over the years. However, in some areas - such as the management of outsourcing relationships, security controls and legal and reputational risk management - the characteristics and implications of the internet distribution channel has necessitated a more detailed examination.
