United States General Accounting Office GAO Report to the Chairman, Committee on Banking and Financial Services, House of Representatives July 1999 ELECTRONIC BANKING Enhancing Federal Oversight of Internet Banking Activities GAO/GGD-99-91 GAO United States General Accounting Office Washington, D.C. 20548 General Government Division B-280366 July 6, 1999 The Honorable James A. Leach Chairman, Committee on Banking and Financial Services House of Representatives Dear Mr. Chairman: As you requested, this report discusses federal oversight of depository institutions’ Internet banking activities. Internet banking involves individuals’ use of personal computers connected to their depository institutions over the Internet to transfer funds between accounts, make payments, or obtain information, such as account balances. The recent rapid growth of Internet banking services has led to congressional concern about the safety and security of such banking activities and the preparedness of banking regulators to help ensure safe and sound Internet banking operations. The objectives of this report are to (1) describe the risks posed by Internet banking and the extent of any industrywide Internet banking-related problems, (2) assess the methods used by regulators to track depository institutions’ plans to provide Internet banking services, (3) determine how regulators examined Internet banking activities, and (4) determine the extent to which regulators examined firms providing Internet banking support services to depository institutions. Internet banking heightens various types of traditional banking risks of Results In Brief concern to regulators, including strategic, compliance, security, 1 reputation, and transactional risks. As provided in regulatory guidance to banks, savings and loan associations (thrifts), and credit unions, these risks should be managed through implementation of risk management systems that emphasize, among other things, active board and senior management oversight, effective internal controls, and comprehensive and ongoing internal audit programs. Examinations of Internet banking that we reviewed found that some depository institutions were not taking all the necessary precautions to mitigate Internet banking risks. While deficiencies were found, none of these examinations reported any financial losses or security breaches. However, during the time of our review, too few examinations had been completed to identify the extent of any industrywide Internet banking-related problems. 1 For a definition of these risks see pages 8 and 9. Page 1 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 In general, the regulators said that few examinations had been completed because Internet banking is a relatively new activity and implementation of examination programs has required examiner training and testing of new examination procedures. In addition, they said that the number of examiners with expertise in information systems was limited and that some examiners who might otherwise have been deployed by some regulators to monitor Internet banking in the past 2 years were diverted by 2 higher-priority efforts to address the Year 2000 computer problem. While the regulators have shared information on issues of common concern to them in the past, they have not routinely shared information on identified Internet banking risks and examination results. As more examinations are completed, sharing of information among the regulators could help them better understand the extent of the risks posed by Internet banking, develop risk characteristics allowing them to target institutions requiring further attention, and help them allocate limited resources among competing priorities. Regulators use a variety of methods to identify depository institutions that are already offering Internet banking services; however, only two regulators had systematically obtained centralized information on depository institutions’ plans to provide such services and had a database of this information at the time of our review. The Office of Thrift Supervision (OTS), which regulates thrifts, recently established a requirement that depository institutions (1) notify it in advance of plans to establish a transactional Web site and (2) report their Web site address in quarterly Thrift Financial Report filings. Such information is maintained in a centralized electronic database. In addition, the Federal Deposit Insurance Corporation (FDIC) developed a centralized database that contains, among other things, information on a depository institution’s plans to provide Internet banking services. Information in this centralized database is collected as part of the examination process. When FDIC examiners encounter an institution that is not currently conducting Internet banking activities, they are still required to gather minimal information about whether the institution plans to establish Internet banking. These or other methods could be used by other regulators to inform them about Internet banking plans and activities and better enable them to provide specific risk management guidance to individual 2 The Year 2000 computer problem exists because the data that computers store and process often use only the last two digits to designate the year. On January 1, 2000, such systems may mistake data referring to 2000 as meaning 1900, possibly leading to numerous errors and disruptions in processing of financial data. Page 2 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 depository institutions when needed. The information could also be used to help ensure regulatory awareness of the growth of Internet banking, plan the scope and timing of future examinations, and determine the need for additional examiners with information technology expertise. During our review, most regulators were developing, testing, or implementing new on-line banking examination procedures, which included procedures for examinations of Internet banking, and most had conducted at least some examinations of depository institutions’ Internet banking operations. Because Internet banking is a relatively new and evolving banking activity, FDIC and OTS expect their examiners to thoroughly examine an institution’s Internet banking activities during their first examination after those activities are implemented. While the Federal Reserve System (FRS) and the Office of the Comptroller of the Currency (OCC) also consider Internet banking to be an evolving activity, they do not require that an institution’s new Internet banking activity be thoroughly examined. The National Credit Union Administration (NCUA), which reported a significant diversion of resources due to work related to the Year 2000 computer problem, was the only regulator that had not developed requirements and procedures for Internet banking examinations. Because NCUA lacked an effective Internet banking examination program, it could not provide assurances that credit unions with Internet banking were appropriately managing risks that could affect their safety and soundness. Many depository institutions contract with third-party firms for Internet banking support services they choose not to provide themselves. Each regulator has the authority to examine depository institutions’ banking services provided by a third party and to avoid duplication of effort, regulators often cooperate in examining third-party firms. Joint examination of firms providing Internet banking services could better enable regulators to share technical resources and fill expertise gaps in this emerging activity. In late 1998, the five regulators, working under Federal Financial Institutions Examination Council (FFIEC) auspices, cooperatively initiated a joint study of Internet banking services provided by third-party firms. The study is to provide the regulators with a greater understanding of the services and security features provided to depository institutions by third-party firms. While each regulator has the authority to examine third-party firms providing services to depository institutions, NCUA’s authority to examine such firms is temporary. Its authority, which was granted so that NCUA could conduct examinations related to the Year 2000 computer problem, Page 3 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 expires on December 31, 2001. The expiration of this authority would limit NCUA’s future ability to effectively oversee third-party firms that provide Internet banking services to credit unions. We are making recommendations to federal banking regulators and raising a matter for congressional consideration to address these issues. Internet banking is one form of on-line banking; PC direct dial banking is Background another. Before Internet banking, customers using direct-dial PC banking needed to use specialized computer software provided and supported by their depository institution. More recently, these direct-dial connections are being replaced by Internet connections over which customers can use their computers and browser software to connect to their depository institution’s Web site. In general, regulators distinguish three types of Internet banking Web sites: • Purely informational sites, which have information about the depository institution and its products and services but no interactive capability; • Information-exchange sites, which provide information and allow customers to send information to the depository institution or make inquiries about their accounts; and • Fully transactional sites, which offer the previously described capabilities as well as some additional services, such as real-time account queries, transfers of funds among accounts, bill payments, or other banking services. Internet banking services are offered by a rapidly growing number of depository institutions. According to recent data, at least 3,610 federally insured depository institutions—about 17 percent of all U.S. banks, savings associations, and credit unions—offered some form of Internet banking 3 service as of February 1999. About 20 percent of these depository 4 institutions offered fully transactional Web sites. Information available from the banking regulators and industry studies suggest that Internet banking is accelerating. According to FDIC and NCUA statistics, in the 11 3 In February 1999, approximately 2,500 banks and thrifts—about 23 percent of all banks and thrifts— had Web sites, according to FDIC. As of June 30, 1998, 1,110 credit unions had Web sites, according to NCUA. 4 According to FDIC, 436 banks and thrifts offered fully transactional Web sites as of February 4, 1999. According to NCUA, 256 credit unions offered such sites as of June 30, 1998. Page 4 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 months ending February 1999, the number of banks, thrifts, and credit unions with transactional sites almost tripled. According to projections reported by the Department of Commerce, the number of customers who went on-line to perform banking transactions increased by 22 percent, 5 from 4.6 million to 5.6 million, in the 6 months ending April 1998. Five federal regulators—FDIC, FRS, NCUA, OCC, and OTS—supervise and examine all federally insured depository institutions. FDIC, a government corporation, is the primary federal regulator of state-chartered banks that are not members of FRS. FRS, another independent body, shares responsibility with state banking regulators for supervising and examining state-chartered banks that are members of FRS. In addition, FRS supervises bank holding companies and their nonbank subsidiaries. Banks under FRS’ supervision are supervised by 12 regional Reserve Banks that conduct examinations under delegated authority from the Board of Governors in Washington. NCUA is an independent body responsible for examining and supervising federally insured credit unions and works with state regulators to monitor the safety and soundness of state-chartered credit unions. OCC, an agency, that is a bureau of the Department of the Treasury, supervises all national banks. OTS, which is also a bureau of the Department of the Treasury, serves as the primary regulator for thrifts and thrift holding companies. The regulators oversee a mix of large, medium, and small depository institutions, as shown in table 1. Table 1: The Number and Asset Size of Dollars in billions Depository Institutions Overseen by Banking Regulators, as of June 30, 1998 Small and medium a b Large institutions institutions Total institutions Regulator supervised Number Assets Number Assets FDIC 5,449 5 $87 5,444 $822 FRS 989 19 1,013 970 282 OCC 2,546 40 2,160 2,506 819 OTS 1,181 16 374 1,165 412 NCUA 11,130 1 10 11,129 375 Total 21,295 81 $3,644 21,214 $2,710 a $10 billion or more in assets. b Less than $10 billion in assets. Source: GAO analysis of FDIC and NCUA data. Banking regulators also work together through FFIEC, an interagency forum Congress created in 1979 to promote consistency in the examination 5 The Emerging Digital Economy (U.S. Department of Commerce, April 1998). Page 5 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 6 and supervision of depository institutions. In 1996, FFIEC updated its “Information Systems Handbook,” which provides regulators with general guidance on information systems and technology examinations. To help ensure the safety and soundness of federally insured banks, thrifts, and credit unions, banking regulators conduct various types of monitoring activities. They include the following: • Off-site monitoring, which generally consists of reviews and analyses of depository institution-submitted data, including call reports, and 7 discussions with bank management, is carried out to monitor compliance with requirements or enforcement actions; formulate supervisory strategies, especially plans for on-site examinations; and identify trends, areas of concern, and accounting questions. • On-site safety-and-soundness examinations are conducted to assess the safety and soundness of a depository institution’s practices and operations. Specific objectives of these on-site examinations that are common to all the banking regulators include (1) determining the institution’s condition and the risks associated with its current and planned activities; (2) evaluating the institution’s overall integrity and the effectiveness of its risk management by testing the institution’s practices; and (3) determining the institution’s compliance with laws, regulations, and rulings. • Information systems examinations are conducted to identify and correct information and technology-related risk exposures of significance that threaten the depository institution. These examinations focus on various components of an institution’s information system, such as the capabilities of its information technology management; the adequacy of its systems development and programming; and the quality, reliability, availability, and integrity of its information technology operations. 6 FFIEC is composed of the Comptroller of the Currency, one FRS Governor, the OTS Director, the FDIC Chairman, and the Chairman of the NCUA Board. 7 Call reports for banks are also called the Consolidated Reports of Condition and Income. The reports for bank holding companies are called the Consolidated Financial Statements for Bank Holding Companies. Similar quarterly reports on thrifts and thrift holding companies are submitted to OTS. The reports are prepared by institution management and submitted to the primary regulator on a quarterly basis. The reports include a balance sheet, income statement, and various supporting detailed analyses of balances and related activities. The reports for credit unions are called Financial and Statistical Reports. Page 6 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 • Finally, special technical examinations of banking services by third parties are conducted to ensure that banking operations performed by third-party firms are consistent with the safety and soundness of the depository institutions using the services. These examinations, which often include a review of the management systems, operations, and financial condition of the service providers, can provide regulators with greater assurances of the reliability of services than can be obtained during normal safety and soundness examinations of a depository institution. The banking regulators also conduct reviews of on-line banking systems for compliance with consumer protection laws and regulations. These include examinations of an institution’s obligation to provide required notices and disclosures on Internet banking products and services. To address our four objectives, we interviewed officials and reviewed Scope and available documents from the five banking regulators. This included Methodology obtaining information on Internet banking risks and each regulator’s strategy for overseeing Internet banking activities, the methods used to identify depository institutions that offer Internet banking, the existence of safety and soundness and information systems examination procedures for reviewing Internet banking, and the extent of examinations of third- party firms. We did not independently verify the accuracy of data that banking regulators provided. We also interviewed representatives from selected depository institutions and third-party firms to obtain their views on the scope and frequency of examinations by bank regulators and their assessment of risks posed by Internet banking systems. In addition, we developed a data collection instrument to document our review of 81 safety and soundness and information systems examinations that included on-line banking and we also used a structured questionnaire to interview 43 selected examiners who had conducted these on-line banking examinations. (See app. I for a more detailed description of our scope and methodology.) We did our work from April 1998 to May 1999 in Washington, D.C.; Los Angeles, CA; San Francisco, CA; Atlanta, GA; Kansas City, KS; and New York, NY, in accordance with generally accepted government auditing standards. We requested comments on a draft of this report from the five banking regulators and FFIEC, and these comments are discussed near the end of this letter and are reprinted in appendixes III through VIII. Page 7 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 Internet banking services heighten various types of risks that are of Regulators Agree concern to banking regulators, and the regulators have advised institutions Internet Banking to mitigate these risks through the implementation of risk management Presents Risks and systems that emphasize, among other things, (1) active board of directors’ oversight, (2) effective internal controls, and (3) comprehensive internal Oversight Challenges, audits. Too few examinations that included a review of Internet banking While Extent of Any had been conducted at the time of our review for the extent of Internet Industrywide Problems banking-related problems industrywide to have been identified. However, Is Unknown our review of 81 such examinations revealed that some depository institutions had not always adhered to risk mitigation guidance provided by the regulators. Few examinations had been conducted because, according to the regulators, Internet banking was a relatively new activity, and examination procedures were still being developed. Other reasons reported by regulators were that the number of examiners with expertise in information systems was limited and that some examiners who might otherwise have examined on-line banking during our study period were diverted by higher priority efforts to address the Year 2000 computer problem. As more examinations are completed, sharing of information among the regulators could help them better understand the extent of risks posed by Internet banking, develop risk characteristics allowing them to target institutions requiring further attention, and help make decisions on how best to allocate information technology expertise among competing priorities. Internet Banking Risks Internet banking heightens various types of traditional banking risks that are of concern to banking regulators. These risks, which are discussed in regulatory guidance provided to depository institutions, include the following: • Security risk is the risk of potential unauthorized access to a depository institution’s networks, systems, and databases that could compromise internal systems and customer data and result in financial losses. The use of an electronic channel, such as the Internet, to deliver products and services introduces unique risks for a depository institution due to the speed at which systems operate and the broad access in terms of geography, users, applications, databases, and peripheral systems. • Transactional risk is the risk of financial losses arising from problems with service or product delivery. Transactional risk often results from deficiencies in computer system design, implementation, or ongoing maintenance. Page 8 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 • Strategic risk is the risk to earnings or capital arising from adverse business decisions or adverse implementation of those decisions. Depository institutions face strategic risk whenever they introduce a new product or service, such as Internet banking. • Reputation risk is the risk of significant negative public opinion that results in a critical loss of funding or customers. This risk can also expose the depository institution to costly litigation. Failure of Internet banking products to perform as promised, such as a communication failure that prevents customers from accessing their accounts, could expose a depository institution to reputation risk. • Lastly, compliance risk is the risk arising from violations of, or nonconformance with, laws, rules, regulations, required practices, or ethical standards. This risk may arise if a depository institution fails to comply with regulatory guidance or an enforcement action. Regulators Have Provided Banking regulators have provided depository institutions with advisory guidance on how to mitigate risks posed by Internet banking, including Guidance on Risk Mitigation risks related to services provided by third-party firms. In their guidance, regulators describe how depository institutions in general should plan for, manage, and monitor risks associated with the use of technology. Most regulators provided such guidance in advisory letters to all covered depository institutions. FRS provided its guidance in a “sound practices paper” released at a FRS information security conference in September 1997. The guidance was not tailored to fit individual institutions. (See app. II for descriptions of guidance provided by each regulator.) As discussed in these advisory guidance, risk management systems include the following critical components. • Active board and senior management oversight: Boards of directors have ultimate responsibility for on-line banking systems, including Internet banking systems, offered by their depository institutions. The guidance points out that the Internet facilitates broad access to confidential or proprietary information, and deficiencies in planning and deployment can significantly increase the risk posed to a depository institution and decrease its ability to respond satisfactorily to problems that arise. For this reason, directors, senior managers, and line officers are to be fully informed of the significant investments, opportunities, and risks involved in deploying such technology. Boards of directors should approve the overall business and technology strategies, and senior management should ensure that adequate risk management systems are in place. Page 9 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 • Effective internal controls: Internal controls are the means by which the board of directors, management, and other personnel obtain reasonable assurance that an institution’s assets are safeguarded and that its systems and operations are reliable and efficient. Regulators’ guidance describes a variety of internal controls to help mitigate risks involving such areas as systems security, management of third-party firms, and various operating policies and procedures that should be considered to keep pace with new technological developments. • Adequate internal audits: Regulators’ guidance points out that an objective review of on-line banking should identify and quantify risk, and detect possible weaknesses in a depository institution’s risk management system as it pertains to on-line banking. When coupled with a strong risk management program, a comprehensive, ongoing audit program allows the institution to protect its interests as well as those of its customers and other participants. Too Few Examinations Had While examiners found that some depository institutions were not taking all of the prescribed precautions to mitigate risks, too few examinations Been Conducted to Identify with documented on-line banking assessments were available at the time the Extent of Any of our review to identify the extent of any industrywide Internet banking- Industrywide Internet related problems. According to the regulators, few examinations had been Banking-Related Problems conducted because Internet banking is a relatively new activity and regulators have had to develop and implement new policies and procedures and related training programs to assess this activity. In addition, regulatory examinations required to address the higher priority Year 2000 computer problem were contemporaneous with our review, and some regulators reported that limited information systems resources prevented them from conducting both Year 2000 and on-line banking examinations. Between March 1998 and August 1998, we asked each regulator to provide us with information on safety and soundness and information systems examinations in which (1) examiners applied their agency’s on-line banking examination procedures written for both direct-dial and Internet banking systems or (2) where the examination’s scope included on-line banking. It was difficult for most regulators to provide such information because, with the exception of FDIC, information was not maintained centrally to identify examinations that included on-line banking assessments. We reviewed 81 examinations that regulators were able to provide. The 81 examinations included 58 small-, 18 medium-, and 5 large- Page 10 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 8 sized depository institutions. The Internet banking activities examined by the regulators included informational sites, information-exchange sites, and transactional sites. In the examinations we reviewed, examiners noted that the on-line banking risk mitigation systems had various types of weaknesses. None of the examined depository institutions, including those whose risk management systems evidenced weaknesses, were reported to have experienced financial losses or security breaches due to Internet banking activities. However, in the 81 depository institutions examinations we reviewed, regulators found that 36 (44 percent) had not completely implemented the on-line banking risk mitigation steps outlined by the regulator. As summarized in table 2, in 20 of the 81 examinations (25 percent), strategic planning deficiencies were discovered. For example, the regulators found that some institutions had not prepared strategic plans or had not obtained board of directors’ approval before initiating on- line banking. In 26 of the examinations (32 percent), the regulators found that the institution did not have policies and procedures in place to guide its on-line banking operations. In 29 of the examinations (36 percent), the regulators found that the institution lacked adequate audit coverage of its on-line operations. Fifteen examinations (18 percent) disclosed that the institution had not taken steps to evaluate its third-party firm or lacked a written contract with the firm. Examiners whom we interviewed expressed concerns about deficiencies similar to those revealed in the examinations we reviewed. For example, examiners were concerned that some smaller institutions were implementing Internet banking systems before they had established operating policies and procedures and that bank management had to be reminded that operating policies and procedures were not optional. 8 The examinations we reviewed included 62 that were conducted by FDIC, 6 by FRS, 8 by OCC, and 5 by OTS. FDIC also provided some examinations that were conducted between June 1997 and February 1998. Page 11 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 Table 2: On-line Banking-Related Weaknesses in Risk Mitigation Systems, as Reported in 81 Examinations Completed From June 1997 to August 1998 Size of banks and thrifts offering on-line banking services with reported weaknesses a a a Small Medium Large Total b b b b Type of weakness Number Percent Number Percent Number Percent Number Percent Deficiencies in strategic planning 18 31 2 11 0 0 20 25 No policies and procedures to address security concerns and standard operating practices 21 36 4 22 1 20 26 32 Insufficient audit coverage of on-line banking activities 25 43 4 22 0 0 29 36 Management had not properly initiated or documented agreements with third-party firms 12 21 2 11 1 20 15 18 Note: The number of weaknesses reported exceeds the number of institutions examined (81) because some depository institutions were reported to have more than one type of weakness. a Small depository institutions are defined as institutions with less than $1 billion in assets. Medium- sized institutions have $1 billion to $10 billion in assets, and large institutions have more than $10 billion in assets. b Percent of institutions examined in the size group with identified weaknesses. Source: GAO analysis of FDIC, FRS, OCC, and OTS data. Because the examinations we reviewed did not represent a statistically valid sample, we are unable to project the number of weaknesses beyond the institutions reviewed. However, the extent of problems identified at smaller institutions is consistent with views expressed by some banking industry officials that smaller institutions have the potential to encounter Internet banking-related problems. These officials generally believed that smaller institutions may have insufficient in-house expertise to operate an Internet banking system or lack the ability to adequately evaluate the Internet banking services offered by third-party firms to ensure that such systems operate as intended. In particular, NCUA officials observed that smaller institutions might move too quickly into Internet banking because of the relatively low costs of providing such services through third-party firms and the desire to remain competitive. Regulators Face Human Banking regulators have told us that depository institutions’ increasing use of information technology—such as that employed in Internet banking— Capital Challenges Because and the growth forecast for Internet banking, present them with human of Internet Banking Growth capital management challenges. The adequacy of regulatory efforts to ensure safe and sound operations of complex transactional Internet Page 12 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 banking systems will depend increasingly upon the availability of examiners with appropriate expertise or training in information technology management. During our review, banking regulators expressed concern about their ability to address technological changes in the banking industry with their existing resources. Information about depository institutions’ plans to provide Internet Awareness of Internet banking services could help ensure that regulators are aware of growth Banking Plans Could and technological trends in Internet banking. This information could be Help Regulators instrumental in enabling regulators to provide individual depository institutions with more timely and specific risk-management guidance and Provide Timely advice before such institutions enter into contracts with third-party firms Guidance and Manage or independently develop their own Internet banking services. Awareness Existing Resources of an institution’s Internet banking plans could also provide regulators with useful information to plan the scope and timing of future examinations as well as to identify the need for examiners with the appropriate information technology expertise. OTS recently established a requirement that it receive advance notice of an institution’s plans to establish a transactional Web site. OTS and FDIC were the only regulators that captured Internet banking information gathered during examinations, including information about institutions’ plans to offer Internet banking, in a centralized database that could be used in planning examinations and monitoring Internet banking activities. Other methods used by regulators to identify depository institutions that are already offering Internet banking do not allow the regulators the opportunity to evaluate the effectiveness of an institution’s Internet risk mitigation plans or to provide institutions with more timely and specific risk management guidance and advice prior to implementation. OTS Requires Advance OTS regulations, effective January 1999, require thrifts to provide a written notice to OTS before establishing a transactional Web site. The regulations Notification of Institutions’ state that the notice must describe the transactional Web site; indicate the Plans to Offer Internet date the site will become operational; and list a contact familiar with the Banking 9 deployment, operation, and security of the site. According to OTS officials, the one-time notification requirement will enable the agency to better monitor technological innovations and thus assess emerging security and compliance risks. OTS officials said they believed that this monitoring would also enable the agency to more proactively provide guidance to thrifts as they plan for or begin to conduct Internet operations. 9 12 C.F.R. 555.310(a). Page 13 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 At the time of our review, OTS was beginning to develop procedures for providing such guidance. If, after receiving the notice OTS informs the thrift of any concerns, the thrift must follow any procedures that OTS imposes. If the thrift does not receive any comments from OTS, it is free to go on-line 30 days from the filing date of its notice with OTS. Before adoption of the final proposal, OTS recognized that this notice requirement would impose some burden on thrifts. However, it determined that the one-time expenditure by a thrift of an estimated 2 hours to report its plans represented a minimal burden. Before January 1999, the effective date of the reporting requirement, OTS officials told us that OTS identified thrifts’ Internet banking activities primarily during examinations, although some of its regional offices used other means to identify Web sites. For example, the western region periodically had surveyed thrifts, and the Atlanta region used the Internet to identify thrifts’ Web sites. In August 1998, OTS asked for public comment on its advance notice proposal. The agency received nine comments in response—six from thrifts, two from trade associations, and one from a public interest organization. Seven commenters supported the proposal’s overall flexible regulatory approach. Two commenters argued for even greater flexibility and opposed the proposed notification requirement. Four commenters also argued that the notice requirement would place thrifts at a competitive disadvantage, because other banking regulators did not impose a similar requirement. OTS’ response was that it did not anticipate that the notification requirement would place thrifts at a significant competitive disadvantage because, once a thrift has addressed any follow-up questions from OTS’ regional office or the 30-day period has expired, the thrift would be free to operate the transactional Web site. Finally, one commenter questioned whether requiring regulatory notice 30 days prior to installing a transactional site would mitigate the risks mentioned by OTS. The commenter noted that developing a system requires substantial advance planning, possibly across multiple departments, and perhaps a contract with an outside third-party firm. Thus, at the time of notice, according to the commenter, the work essentially would be completed, and the financial costs of development already would have been absorbed by the institution. The commenter pointed out that, for this reason, an advance notice after the financial risk had been assumed would not substantially protect the institution. OTS’ response was that it encourages thrifts concerned with such expenditures of resources to consult their regional office in the early stages of development, even before filing a notice. Page 14 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 FDIC and OTS Maintain Currently FDIC and OTS are the only regulators that maintain a centralized database on Internet banking information gathered during banking Centralized Databases on examinations. In regards to FDIC, if an examiner identifies an institution Internet Banking that plans to offer Internet banking, this information is to be entered into Information the centralized system along with other on-line banking data collected. In addition to data on institutions offering or planning to offer Internet banking, this database includes information on third-party firms supplying Internet banking services. According to FDIC officials, information captured in the centralized system facilitates the creation of uniform records of all examined institutions with on-line banking and avoids capturing redundant information across FDIC’s eight regions. They said that the system also provides an improved means across separate regional systems for headquarters’ staff and examiners to understand how electronic banking is changing and to more effectively plan the scope, timing, and staffing of future examinations. As of April 1, 1999, the FDIC centralized system included information from 391 on-line banking 10 examinations. OTS began collecting information centrally in November 1998. OTS officials told us that their centralized database includes on-line banking information from all examined thrifts. In addition, the database includes the Web site address of over 400 thrifts that reported this information on their quarterly filings as well as information gathered as part of OTS’ advanced notification requirement. Other Monitoring Methods Regulators use a variety of other methods to identify depository institutions that are already offering Internet banking services. All of the to Identify Depository regulators said that they gathered information on institutions’ Internet Institutions Offering banking services during pre-examination planning activities. The Internet Banking regulators also said that they periodically searched the Internet for Internet banking Web sites. In March 1998, NCUA began requiring credit unions to report their electronic mail addresses and the type of Web site offered on their periodic financial and statistical reports. In addition, at the close of our review, FRS said it was beginning to centrally collect examination and survey information on the types of Internet banking services being offered by its regulated entities (e.g., account balance inquiries, bill payment, and loan application) as well as the names of third- party firms and software vendors. OCC plans to centrally collect similar information on institutions that are already providing Internet banking services. However, such “after-the-fact” methods do not give the regulators the opportunity to provide individual institutions with more timely and 10 This figure includes examinations of transactional sites, both direct-dial and Internet. Page 15 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 specific risk mitigation guidance and advice before they go on-line, and these methods do not give regulators the opportunity to evaluate an institution’s risk mitigation plans before an institution’s Internet banking services are operational. With the exception of NCUA, the regulators were developing, testing, or Most Regulators Were implementing on-line banking examination procedures, which included Developing or those for examinations of Internet banking. NCUA said that it had not Implementing established procedures for Internet banking examinations or conducted Internet banking examinations because of the need to conduct Year 2000 Examination reviews. In addition, we found that regulators’ examination programs used Procedures differing methods in conducting and staffing Internet banking examinations. For example, because Internet banking is a new and evolving activity, FDIC and OTS required their examiners to thoroughly examine an institution’s Internet banking activities during the first examination after those activities were implemented, while FRS and OCC did not. We also found variations in the level of expertise and training required of examiners who reviewed Internet banking systems. The regulators have shared information on issues of common concern to them in the past but have not routinely shared information on Internet banking risks and examination results. As each regulator gains experience in applying their examination methods and procedures, it would be useful for the regulators to share their expertise to help determine which methods and procedures are the most efficient and effective. Examination Procedures Each of the regulators had implemented similar examination policies that reflected the regulators’ overall risk-based approach to supervision. These Were in Differing Stages of policies required examiners to determine how various existing or emerging Development issues facing an institution or the banking industry affected the nature and extent of risks at particular institutions. Based on a risk evaluation, examiners are expected to develop supervisory plans and actions that would direct their resources to the issues presenting the greatest risks, especially those risks that present material, actual, or potential risks to the banking system. While the banking regulators’ examination policies were established, their procedures for examining on-line banking activities were in differing stages of development. Generally, FDIC, FRS, OCC, and OTS had already implemented or were testing examination procedures for conducting on- line banking examinations. FDIC and OTS had both issued final examination procedures and were using the procedures to conduct examinations that included Internet banking activities. FDIC was the first to implement an on-line banking examination program in 1997 and had Page 16 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 identified more examinations for our review than any other banking regulator. In commenting on a draft of this report, FDIC said that it had also developed three technical work programs that it is field-testing and has shared with the other regulators. In addition, FDIC said that it had increased the number of information systems examiners. OTS was the next regulator to issue final examination procedures. FRS and OCC were still developing their on-line banking examination programs and were field 11 testing their examination procedures at the close of our review. NCUA Had Not Developed At the time of our review, NCUA had not established procedures for Internet banking examinations or conducted such examinations. The or Implemented an Internet primary reasons for this, according to NCUA officials, were that the agency Banking Examination did not have the necessary expertise to develop Internet banking Program procedures and that its examination resources were dedicated to examinations geared to averting the Year 2000 computer problems. According to NCUA, as work related to the Year 2000 computer problem diminishes, the agency is beginning to focus attention on Internet banking activities. NCUA first began to consider the need for Internet banking examinations in 1997, when it informally distributed a white paper on “cyber credit union services.” This paper was distributed to NCUA examiners who had attended a specific training course and was also provided to each regional director, who had the option of making the paper more widely available to regional staff. NCUA officials told us the agency now expects to develop new Internet examination procedures that will be closely aligned to FFIEC’s guidance on supervisory oversight of information systems, but no time frames have been established for developing or implementing these procedures. In 1998, NCUA filled three new information systems officer positions. While these individuals have been primarily devoted to the Year 2000 project, agency officials told us that these individuals will begin to develop Internet banking examination procedures and train agency examiners. Regulators’ Approaches to While FDIC, FRS, OCC, and OTS on-line banking examination policies were similar, their approaches to examining an institution’s on-line Examining an Institution’s banking activity varied. For example, because Internet banking is a new On-line Banking Activity banking activity that can potentially introduce new risks to an institution, Varied FDIC and OTS expect their examiners to thoroughly examine an institution’s Internet banking activities during the first examination after 11 While still developing their program, FRS officials told us that the agency had begun to use the FDIC developed computerized examination procedures and standard forms. Page 17 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 those activities are implemented. In contrast, FRS and OCC do not require that an institution’s new Internet banking activity be thoroughly examined. Instead, these regulators permit safety and soundness or information systems examiners to exercise discretion in determining the relative risk and the need for and scope of their examinations of new banking activities, including the establishment of Internet banking services. In this regard, examiners may decide not to devote further resources to examining Internet banking if they determine after an initial assessment that Internet banking is a small segment of an institution’s overall business, posing little risk to the safety and soundness of the institution. We also found differences in the type of examiners used to perform on-line banking examinations. Two regulators, FDIC and FRS, designed their examination procedures to mainly assess the safety and soundness aspects of Internet banking, such as the appropriateness of an institution’s strategic planning, internal controls, and operating policies and procedures. These regulators said that, due to the orientation of the examination procedures, safety and soundness examiners generally conducted examinations that included a review of Internet banking. If, in the judgment of the safety and soundness examiner, a more sophisticated assessment of an institution’s Internet banking activities were needed, more technically proficient information system specialists were to be called in to perform a separate assessment. In contrast, OCC said that information system specialists conducted most of its Internet banking examinations, utilizing procedures that included more technical aspects of an institution’s Internet banking activities, such as policies addressing passwords, firewalls, encryption, and physical security. OCC requires that most Internet banking examinations be conducted by information system specialists because it believes that the technology-related aspects of Internet banking require examiners with expertise in information systems. OTS also requires the use of information systems examiners for examinations of complex or large institutions. Small or less complex institutions are to be examined by safety and soundness examiners. Regulators also differed in the degree to which their examiners were trained in on-line banking systems. FDIC, FRS, and OTS initiated training programs for their safety and soundness examiners on electronic-banking issues. Topics in the training programs included electronic banking trends and developments, risks and vulnerabilities, and regulatory concerns. At the close of our review, FDIC said that it had trained nearly all of its safety and soundness examiners, and OTS said that it expected to complete their training for safety and soundness examiners by the end of 1999. FRS officials also said that they expected to complete an initial training Page 18 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 program for safety and soundness examiners by the end of 1999. These officials added that additional training would likely be required as Internet banking activities evolve and a greater understanding of the risks is developed. FDIC also had developed a training program that provided more in-depth information systems training to a group of information systems examiners and certain safety and soundness examiners. After the training, these examiners were expected to provide services that ranged from providing verbal consultation to other safety and soundness examiners who were conducting an examination of an institution’s Internet banking activities, to independently performing information system reviews of complex on-line banking systems. OCC planned no on- line banking training of its safety and soundness examiners because on- line banking examinations were performed by information system specialists. Rather than establishing an in-house training program for these specialists, OCC said that it relied solely on external training opportunities, such as seminars and conferences hosted by FFIEC and the Bank Administration Institute. The differing methods and approaches utilized by the regulators were too new for their overall effectiveness to be evaluated. Over time, sharing of information among the regulators on the success of these varying methods and approaches could help them assess the strengths and weaknesses of their individual programs. Joint regulatory examinations of the operations of third-party firms Joint Regulatory providing depository institutions’ Internet banking support services might Examinations of Third- increase the economy and efficiency of federal oversight of Internet Party Firms Could banking activities. This would be particularly true if regulators could share technical expertise in developing and conducting examinations. In late Enhance Internet 1998, the five regulators initiated a joint research project to study Internet Banking Oversight banking support services provided by third-party firms. However, the extent to which this interagency group will be able to commit the necessary resources to this effort is unclear. Also, NCUA’s authority to conduct examinations of third-party firms is set to expire on December 31, 2001, and the lack of such authority in the future could limit the effectiveness of the oversight provided to firms providing services to credit unions. According to NCUA, third-party firms providing credit union services are not likely to be included in any joint regulatory examinations because these firms typically only provide services to credit unions, and other regulators thus have little incentive to select these firms for a joint review. Page 19 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 Regulators Studying Third- Joint interagency examinations of traditional third-party data-processing firms, such as check-processing centers, have tended to focus on large Party Firm Support Services multiregional data-processing providers serving banks and thrifts and 12 supervised by more than one supervisory agency. Regulators determined that it was more effective and efficient to conduct one interagency information systems examination instead of several separate examinations by each regulator. The regulators said that these examinations, for the most part, are conducted by examiners with expertise in information systems. In conducting these examinations, examiners and specialists from the participating regulators are to examine the policies, procedures, and practices of the third-party firm and make suggestions to the firm for improvements, if necessary. According to one regulator, two of these examinations have also included a partial review of two firms’ Internet banking operations. In late 1998, the banking regulatory agencies that comprise FFIEC initiated a special research project to study third-party firms that provide Internet banking software or services to banks and thrifts. The objectives of the project are to develop an understanding of the products and services offered by such third-party firms, identify risks and supervisory issues, and develop recommendations regarding supervisory oversight. The regulators said that the outputs from the project have not been determined but that they could include background materials to aid bank examiners, internal policy papers, supervisory guidance for institutions, or recommendations for development of examination programs or procedures. They added that the scope of the project and timetable for its completion are contingent upon available resources, which have been significantly curtailed due to the agencies’ Year 2000 supervision program. As of March 1999, agency staff were gathering information on third-party firms that provided Internet banking services and preparing invitations to selected firms to discuss their services. At this initial stage of the project, regulators said they were not examining the firms but instead obtaining background information. 12 Regulators also have conducted similar interagency examinations of third-party firms on a regional basis. Page 20 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 Credit Union Third-Party While NCUA has recently begun to participate in the joint agency study of third-party firms, it had not participated in any joint reviews of third-party Firms Might Not Be Internet banking firms or independently conducted any reviews of third- Subjects of Joint party firms serving credit unions. About 13 firms provide the bulk of these Examinations services to credit unions. One of these firms provides services to about 51 13 percent of the credit unions offering Internet banking. NCUA officials cited the lack of technical expertise as a key reason for their inactivity. Further, NCUA officials said that, on the basis of discussions at a January 1999 FFIEC planning meeting, it appeared unlikely that other regulators would participate with NCUA in joint reviews of third-party firms servicing credit unions. The NCUA officials explained that regulators typically provide staff and resources to a particular joint review when there is a regulatory overlap involving firms that provided services to both banks and thrifts. In the case of third-party firms servicing credit unions, other types of depository institutions have received few if any services from these firms. Regulators’ Authority to Since 1962, FDIC, FRS, and OCC have had the authority through the Bank 14 Service Company Act to examine the performance of certain services Examine Third-Party Firms provided by third-party firms that affect the safety and soundness of bank Providing Banking Services operations. In deliberations prior to enacting the Bank Service Company Act, Congress made it clear that banks could not avoid examinations of banking functions by outsourcing the functions to third-party firms. The legislative history shows that Congress intended that banking regulators be able to examine all bank records and that they must be able to exercise proper supervision over all banking activities, whether performed by bank employees on the bank’s premises or by anyone else on or off their premises. Regulators generally believe that this authority is important because it allows them to take a broader approach to examining the services of banks or thrifts and their providers. These examinations are not intended to replace a depository institution’s oversight and monitoring of its third-party firms, which remains the responsibility of the depository institution. Instead of examining particular services that a third-party firm provides to a single bank or thrift, regulators can assess the entire broad range of services a third-party firm provides to the banking industry. In addition to being a more direct approach, most regulators believe such examinations also may be more efficient and effective. Over time, the 13 In February 1999, this firm announced marketing agreements with traditional processing firms to offer Internet banking. These processing firms provide core services to about 1,500 depository institutions. 14 The Bank Service Company Act, 12 U.S.C. 1861-1867. Page 21 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 authority to examine third-party firms has become even more important, as depository institutions have contracted out an increasing proportion of their operations. FRS officials noted, however, that such examinations (1) extend bank supervision outside the banking industry, (2) may unnecessarily consume scarce government resources unless effectively risk focused, and (3) may create a moral hazard by undermining the incentive for banks and thrifts to manage their service provider relationships effectively. In March 1998, NCUA and OTS were given authority to examine certain third-party firms through the Examination Parity and Year 2000 Readiness 15 for Financial Institutions Act (the Parity Act). Specifically, the Parity Act gave NCUA and OTS independent authority to examine services provided by service providers to credit unions and thrifts by amending the Federal 16 Credit Union Act and the Homeowners’ Loan Act, respectively. The acts primarily focus on ongoing computer services and turnkey operations in which transactions are transmitted at the end of the day to a central location. Specifically, NCUA and OTS are authorized to examine data processing, information system management, and the maintenance of computer systems that are used to track everything from day-to-day deposit and loan activity to portfolio management at a depository institution. Expiration of NCUA’s While NCUA and OTS have the same authority under the Parity Act, the act specifically sunsets NCUA’s authority on December 31, 2001. According to Authority to Examine Third- NCUA officials, and a review of the legislative history surrounding this Party Firms Could Limit action, NCUA’ s authority was sunset because the Parity Act focused NCUA’s Ability to primarily on Year 2000 computer problems that for the most part were Effectively Oversee Internet expected to be resolved by the Year 2000. In addition, at the time the Parity Act legislation was being considered, one credit union trade association Banking strenuously objected to strengthening NCUA’s examination authority. As a result a compromise was reached that NCUA’s authority would be sunsetted. Unless Congress amends the sunset provision, NCUA will not have the third-party oversight authority already provided to all other banking regulators. This is of particular concern because NCUA officials said that most credit unions offering Internet banking services lack in- house expertise and rely in part or totally on third-party firms to provide such services. In its comments on a draft of this report, NCUA officials 15 The Parity Act, P.L. 105-162, 112 Stat. 32 (1998). 16 The Federal Credit Union Act, (12 U.S.C. 1781 et seq.); Homeowners’ Loan Act (12 U.S.C. 1464(d)). Page 22 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 stated that the agency plans to request Congress to amend the Parity Act to provide permanent supervisory authority over service providers. Internet banking is a relatively new and rapidly growing activity that Conclusions presents various types of risks that are of concern to banking regulators. At the time of our review, too few examinations of Internet banking had been conducted to identify the extent of potential Internet banking-related problems industrywide. Nonetheless, the examinations we reviewed revealed that some depository institutions had not taken all the necessary precautions to mitigate on-line banking risks. As banking regulators conduct more Internet banking examinations, they could usefully pool and share their findings to establish the extent of such problems industrywide. Sharing information on such findings could provide regulators with information to better understand the risks posed by Internet banking, allow regulators to better monitor industry trends, make more informed decisions on the scope and timing of examinations, and allocate limited resources among competing priorities. At a time when Internet banking appears to be accelerating rapidly, banking regulators either have or plan to utilize a variety of means to identify depository institutions that are already offering Internet banking services. However, OTS and FDIC were the only regulators with procedures to gather centralized information on depository institutions’ plans to offer Internet banking. OTS required that it receive advance notification of a depository institution’s intentions, and FDIC required its examiners to collect information on an institution’s Internet banking plans for inclusion in a centralized database. Such early identification procedures could enable regulators to provide more timely and specific risk management guidance and advice to depository institutions, and the procedures could also provide the regulators useful information to assess the scope and timing of future examinations and determine the need for examiners with information technology expertise. Given concerns that some institutions, particularly smaller ones, might move too quickly into Internet banking because of a desire to remain competitive, regulatory procedures that provide advance notification could be an effective means for regulators to proactively oversee this new and evolving banking activity. With the exception of NCUA, the banking regulators were developing, testing, or implementing new on-line banking examination procedures and had conducted at least some examinations of institutions’ Internet banking services. However, regulators’ examination programs used differing methods in conducting and staffing Internet banking examinations. In Page 23 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 addition, differences exist in the degree to which examiners received training on how to examine such activities. As each regulator gains experience in the application of its examination procedures, it could be useful for the regulators to share their findings and approaches to help determine which methods yield the most effective and efficient results. In addition, NCUA, which has reported resource constraints due to the Year 2000 computer problem, has an obligation to help ensure the safety and soundness of credit unions’ Internet banking operations and needs a reasonable strategy to do so once work on the Year 2000 computer problem diminishes. The banking regulators’ joint study of third-party firms providing Internet banking service is a good first step toward providing efficient and effective oversight, because it has the potential to lead to single coordinated examinations. However, it is too early to tell whether the study will result in a proposal to jointly examine third-party firms. Also, NCUA’s authority to examine firms providing Internet banking services expires on December 31, 2001. If this authority is not extended, NCUA will not have the third-party oversight authority provided to other federal banking regulators. Given the expected growth of Internet banking and its attended risks, the lack of such authority in the future could limit NCUA’s effectiveness in ensuring the safety and soundness of the credit unions’ Internet banking activities. Congress may wish to consider whether NCUA’s current authority to Matter for examine the performance of services provided to credit unions by third- Congressional party firms is needed to ensure the safety and soundness of credit unions Consideration and, thus, should be extended beyond December 31, 2001. To help regulators better understand the extent of risks posed by Internet Recommendations banking and to more effectively evaluate examination methods and procedures, we recommend that, as more experience is gained in conducting examinations of Internet banking services, the heads of the banking regulatory agencies share information on the problems depository institutions have had in operating Internet banking activities as well as which Internet banking examinations methods and procedures they find to be most efficient and effective. We also recommend that the Comptroller of the Currency and the Chairmen of the Board of Governors of the Federal Reserve System and the National Credit Union Administration establish procedures to obtain centralized information on institutions’ plans to offer Internet banking. Page 24 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 They should use this information to (1) enhance monitoring of technological trends and innovations and thus their ability to assess emerging security and compliance issues; (2) provide more timely and specific risk management guidance to individual depository institutions, as necessary; and (3) augment the information used to plan the scope and timing of future examinations as well as to plan for the availability of examiners with appropriate information systems expertise. To help ensure that reviews of the adequacy of Internet banking services provided by third-party firms are conducted in a cost-efficient manner, we recommend that, on the basis of the results of its research project, the Chairman of FFIEC through the FFIEC Task Force on Supervision develop plans and a timetable for the regulators’ oversight of third-party firms. To help ensure the safety and soundness of Internet banking at credit unions, we recommend that, as work related to the Year 2000 computer problem diminishes, the Chairman of NCUA expeditiously develop Internet banking examination procedures and begin to examine Internet banking- related activities offered by credit unions. FDIC, FRS, NCUA, OCC, OTS, and FFIEC provided written comments on a Agency Comments and draft of this report, and their comments are reprinted in appendixes III Our Evaluation through VIII. We also received written or oral technical comments and suggestions from these agencies that we have incorporated where appropriate. In general, the five regulators and FFIEC concurred with the majority of the report’s findings, conclusions, and recommendations. Three specific comments are discussed more fully below, and other more technical comments are discussed in the appendixes. In response to our recommendation that it gather more timely information on institutions’ plans to implement Internet banking, FRS commented that it has enhanced its monitoring and information gathering efforts through routine supervisory contacts, on-site examinations, and informal surveys. The agency also said that it was developing more powerful automation tools to aid more generally in examination planning, review, and reporting. However, FRS did not believe it had seen sufficient evidence on the need for a formal advance notification procedure or preimplementation regulatory reviews for Internet banking, which it said our report appeared to favor. We did not intend to prescribe the specific method(s) for gathering information on depository institutions’ plans to offer Internet banking and have made some changes to clarify this point in our report. Page 25 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 The report describes two different methods employed by FDIC and OTS that provide them with useful information on depository institutions’ plans to offer Internet banking. We continue to believe that implementation of one of these methods or an alternative method for obtaining centralized information on depository institutions’ plans is necessary for regulators to (1) enhance monitoring of Internet banking technological trends and innovations and thus their ability to assess emerging security and compliance issues; (2) provide timely and specific risk management guidance to individual depository institutions, as necessary; and (3) augment the information used to plan the scope and timing of future examinations as well as to plan for the availability of examiners with appropriate information systems expertise. FDIC and OTS also disagreed with an inference in the report that smaller institutions were more likely to encounter Internet banking-related problems. FDIC commented that it had observed numerous examples of small banks successfully employing sophisticated technology and believed that it is up to bank management, regardless of the size of the bank, to properly manage any new technology. OTS similarly commented that it did not believe that it is inherently more difficult for smaller banks to properly manage on-line and Internet banking activities and believed that such technology should not be exclusively the province of large institutions. We did not intend to broadly characterize small banks as being technologically deficient and agree that a bank’s success in managing new technology depends on the strength of its management. Our review of 81 examinations of on-line banking assessments showed that examiners found that some small- and medium-sized depository institutions were not taking all of the prescribed precautions to mitigate Internet banking risks. However, the report specifically notes that too few examinations had been conducted to identify the extent of any industrywide Internet banking-related problems. Finally, FRS concurred with the need for the regulators to develop supervisory plans with respect to outsourcing of Internet banking operations by depository institutions. However, it commented that it was not clear whether we were recommending a change in the current policies and practices regarding interagency examinations of service providers or some other form of regulatory oversight. Further, FRS stated that the report provided no evidence of problems at Internet vendor firms that would indicate the need to expand the regulators’ responsibility to oversee directly all providers of Internet banking products and services, and it suggested that the report emphasize that banks, and not bank supervisors, bear the responsibility for monitoring and overseeing their service providers. Page 26 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 We are encouraged by the banking regulatory agencies’ efforts to conduct a joint research project designed to develop a greater understanding of the oversight issues associated with assessments of Internet banking products and services offered to banks and thrifts by third-party firms. We believe that joint regulatory examinations of the operations of third-party firms providing depository institutions’ Internet banking support services could increase the economy and efficiency of federal oversight of Internet banking activities. In this regard, our recommendation is intended to ensure that an interagency strategy, instead of individual agency strategies, is developed to examine those third-party firms. We also agree with FRS that banks, and not banking supervisors, are responsible for overseeing their service providers and have added language to the report to emphasize the responsibilities of the depository institutions. However, that does not negate the need for bank regulatory agencies to exercise proper supervision over Internet banking activities, whether performed by bank employees on the bank’s premises or by a third-party firm off the bank’s premises. As arranged with your office, unless you announce the contents of this report earlier, we plan no further distribution until 30 days after the date of this letter. At that time, we will provide copies of this report to Representative John J. LaFalce, Ranking Minority Member of the House Committee on Banking and Financial Services; the Honorable John D. Hawke, Jr., Comptroller of the Currency; the Honorable Alan Greenspan, Chairman, Board of Governors of the Federal Reserve System; the Honorable Donna A. Tanoue, Chairman, Federal Deposit Insurance Corporation; the Honorable Norman E. D’Amours, Chairman, National Credit Union Administration; the Honorable Ellen S. Seidman, Director, Office of Thrift Supervision; the Honorable Laurence H. Meyer, Chairman, Federal Financial Institutions Examination Council; and other interested parties. We will also make copies available to others on request. Page 27 GAO/GGD-99-91 Enhancing Oversight of Internet Banking B-280366 This report was prepared under the direction of Richard J. Hillman, Associate Director, Financial Institutions and Markets Issues, who may be reached on (202)-512-8678 if you or your office has any questions. Key contributors to this assignment are listed in appendix IX. Sincerely yours, Nancy R. Kingsbury Acting Assistant Comptroller General Page 28 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Page 29 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Contents Letter 1 Appendix I 32 Objectives, Scope, and Methodology Appendix II 35 Banking Regulators Guidance on On-line Banking Appendix III 37 GAO Comments 40 Comments From the Federal Deposit Insurance Corporation Appendix IV 41 GAO Comments 44 Comments From the Board of Governors of the Federal Reserve System Appendix V 45 GAO Comments 47 Comments From the National Credit Union Administration Appendix VI 48 GAO Comments 51 Comments From the Comptroller of the Currency Page 30 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Contents Appendix VII 52 GAO Comments 55 Comments From the Office of Thrift Supervision Appendix VIII 56 Comments From the Federal Financial Institutions Examination Council Appendix IX 58 GAO Contacts and Staff Acknowledgments Tables Table 1: The Number and Asset Size of Depository 5 Institutions Overseen by Banking Regulators, as of June 30, 1998 Table 2: On-line Banking-Related Weaknesses in Risk 12 Mitigation Systems, as Reported in 81 Examinations Completed From June 1997 to August 1998 Table II.1: Regulatory Guidance on On-line Banking 35 Abbreviations FDIC Federal Deposit Insurance Corporation FFIEC Federal Financial Institutions Examination Council FRS Federal Reserve System NCUA National Credit Union Administration OCC Office of the Comptroller of the Currency OTS Office of Thrift Supervision Page 31 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix I Objectives, Scope, and Methodology Our objectives were to (1) describe risks posed by Internet banking and any identified industrywide Internet banking-related problems, (2) assess the methods used by regulators to track depository institutions’ plans to provide Internet banking services, (3) determine how regulators examined Internet banking activities, and (4) determine the extent to which regulators examined firms providing Internet banking support services to depository institutions. To identify the risks posed by Internet banking, we interviewed officials from the Federal Deposit Insurance Corporation (FDIC), Federal Reserve System (FRS), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and National Credit Union Administration (NCUA). We also obtained and reviewed agency documents, including advisory guidance provided to the industry and examiners on risks posed by Internet banking. We also interviewed 8 representatives from selected small-, medium-, and large-sized depository institutions and 11 representatives from related third-party firms to obtain their views on the scope and frequency of examinations and their assessment of risks posed by Internet banking. We selected these depository institutions based on their size and also on the probability that they would offer Internet banking. We identified the third-party firms from the examinations of Internet banking that we reviewed. To determine the methods regulators used to identify depository institutions’ plans to offer Internet banking services and to track growth and technological trends in Internet banking, we reviewed the five agencies’ off-site monitoring procedures and interviewed their officials about the requirements each places on the institutions to provide Internet banking information. We also discussed with FDIC officials both their database on banks and thrifts with transactional Web sites and their Electronic Banking Data Entry System. In addition, we reviewed OTS’ recently established requirement on advance notice of a thrift’s plans to implement a transactional Web site. To understand the regulators’ safety and soundness and information systems on-line banking examination programs, which included Internet banking, we reviewed the on-line banking examination policies and procedures from each agency. In addition, we contacted the banking regulators to obtain their safety and soundness and information systems examination reports and workpapers pertaining to on-line banking. Since not all regulators track examinations of on-line banking operations, we could not ascertain how many on-line banking examinations had been conducted. FDIC was the only regulator that was able to tell us the number Page 32 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix I Objectives, Scope, and Methodology of on-line banking examinations it completed during the period of our review. FRS did not maintain centrally on-line banking examinations conducted by the various Federal Reserve districts at the time of our review. As such, FRS officials directed us to the Reserve Banks, which maintain examination workpapers and are responsible for scheduling and conducting examinations. We discussed with the San Francisco District Bank staff their on-line banking procedures and related examiner training and obtained copies of examination work papers. We then contacted the New York District Bank, which was field testing the on-line banking procedures. To review additional examinations, we contacted the Atlanta and Kansas City District Banks. OCC was not able to provide the number of on-line banking examinations conducted by its district offices. To obtain this information, we obtained OCC’s listing of national banks with electronic activities and compared the names of the banks on this listing to a list of information system examinations conducted by OCC examiners during our review period. For those banks that appeared on both lists, we then requested a Profile Extract Report for each bank to determine the scope of examination activities. This method resulted in our identifying eight examinations with a scope that included Internet banking. Initially, OTS was also not able to tell us with certainty the number of on-line banking safety and soundness and information systems examinations conducted by its regional offices. To obtain this information, OTS contacted each office for the information because each office maintains its own information and determines its own examination schedule. We were able to identify 81 on-line banking safety and soundness and information systems examinations conducted during the period June 1997 to August 1998. These examinations consisted of 62 FDIC examinations, 6 FRS examinations, 8 OCC examinations, and 5 OTS examinations. We reviewed available on-line banking examinations using a data collection instrument that allowed us to collect information on the extent and scope of Internet banking examinations and any exceptions noted in the workpapers. We then compiled this information in a database, determined the nature of the exceptions, and grouped them by type. Because the examination sample size was small, it was not possible to determine the adequacy of examination procedures, nor could we make any statistical generalizations regarding the safety and security of on-line banking operations. To determine the extent to which regulators examined third-party firms that provided Internet banking services to depository institutions, we Page 33 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix I Objectives, Scope, and Methodology interviewed regulatory officials and examiners involved with the examinations we reviewed, as well as 11 selected third-party firms. In particular, we gathered information on the authority regulators have to examine these third-party firms and the nature and extent of joint interagency examinations of traditional third-party data processing firms. With the assistance of our Office of the General Counsel, we researched the Bank Service Company Act and the Examination Parity and Year 2000 Readiness for Financial Institutions Act to determine the regulators’ authority to examine and regulate third-party firms that provide Internet banking services. Our early work on this assignment focused on PC banking, which included both direct-dial computer banking systems and Internet computer banking systems. As our work progressed, it became evident that institutions were moving from proprietary direct-dial to Internet banking and that many institutions initiating on-line banking were offering access via the Internet. We did our work from April 1998 to May 1999 in Washington, D.C.; San Francisco, CA; Los Angeles, CA; Atlanta, GA; Kansas City, KS; and New York, NY, in accordance with generally accepted government auditing standards. Page 34 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix II Banking Regulators Guidance on On-line Banking Banking regulators have issued guidance to depository institutions on on- line banking. The guidance advises depository institutions that, before implementing on-line banking, including Internet banking, management should exercise due diligence and develop comprehensive plans to identify, assess, and mitigate potential risks and establish prudent controls. Most regulators have also issued policies and procedures to examiners. Table II.1 lists the guidance and policies and procedures published by the regulators. Table II.1: Regulatory Guidance on On- line Banking Regulator Date Guidance Policies and procedures FDIC February 1997 N/A Electronic Banking Safety and Soundness Examination Procedures December 1997 Security Risks Associated with N/A the Internet August 1998 Electronic Commerce and N/A Consumer Policy FFIEC December 1997 Guidance for Financial N/A Institutions on Reporting Computer-Related Crimes July 1998 Guidance on Electronic Financial N/A Services and Consumer Compliance FRS September 1997 Sound Practices Guidance for N/A Information Security for Networks March 1998 N/A Draft examination module on Retail Banking Via Personal Computers April 1998 Assessment of Information N/A Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations NCUA April 1997 Interagency Statement on Retail N/A On-line PC Banking OCC February 1998 Technology Risk Management N/A August 1998 Technology Risk Management: N/A PC Banking August 1998 N/A Draft General PC Procedures March 1999 Infrastructure Threats From N/A Cyber-Terrorists Page 35 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix II Banking Regulators Guidance on On-line Banking Regulator Date Guidance Policies and procedures OTS June 1997 Statement on Retail On-line N/A Personal Computer Banking October 1997 N/A Updated bulletin on information technology examination guidelines that include the evaluation and control of risks associated with the Internet August 1998 N/A Notice of modified proposed rulemaking regarding electronic banking operations January 1999 Regulation Requiring A Thrift’s N/A Written Notice Before Establishing A Transactional Web Site Note: N/A equals not applicable. Source: GAO analysis of information provided by FDIC, FRS, NCUA, OCC, and OTS. Page 36 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix III Comments From the Federal Deposit Insurance Corporation Note: GAO comments supplementing those in the report text appear at the end of this appendix. Page 37 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix III Comments From the Federal Deposit Insurance Corporation Page 38 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix III Comments From the Federal Deposit Insurance Corporation See comment 1. Now on p. 12. See Comments p. 26. Now on p. 12. See comment 2. Now on p. 16. Now on p. 18. Now on p. 22. See comment 3. Page 39 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix III Comments From the Federal Deposit Insurance Corporation The following are GAO’s comments on the Federal Deposit Insurance Corporation’s letter dated June 1, 1999. 1. FDIC said that it understood the scope of our review to include both PC GAO Comments direct-dial and Internet banking. It suggested that the evolution of the report’s scope be explained in more detail in the background section. We further discuss in appendix I why this report focused on Internet banking instead of reporting on PC banking which also includes direct dial-up computer banking systems. 2. FDIC stated that it has taken several additional steps to address the challenges facing Internet banking supervision, including developing new procedures, increasing the number of information systems examiners, and expanding agency training. A reference to these efforts, which occurred after the completion of our fieldwork, has been added to this report. 3. FDIC requested that the report attribute to the specific regulator the statement that examinations of third-party service providers may be unnecessary and may create “moral hazard.” FDIC said that it did not agree with the statement because it raised questions about the need for examinations of third-party providers. While we believe that regulatory oversight of banking activities outsourced to third-party firms is essential, we also believe the referred-to statement reflects a useful observation— that depository institutions still have the basic responsibility to oversee their third-party firms. In the report, we have attributed the statement to FRS officials. Page 40 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix IV Comments From the Board of Governors of the Federal Reserve System Note: GAO comments supplementing those in the report text appear at the end of this appendix. See comment 1. Page 41 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix IV Comments From the Board of Governors of the Federal Reserve System See Comments pp. 25-26. See Comments pp. 26-27. Page 42 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix IV Comments From the Board of Governors of the Federal Reserve System Page 43 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix IV Comments From the Board of Governors of the Federal Reserve System The following are GAO’s comments on the Board of Governors of the Federal Reserve System’s letter dated June 11, 1999. 1. FRS agreed with our recommendation on sharing of experience and GAO Comments expertise and added that FFIEC member agencies have traditionally developed coordinated procedures and guidance in the information technology area. While our recommendation did not specifically address the mechanism to be used to share experience and expertise, we agree with FRS’ suggestion that having FFIEC member agencies develop coordinated examination procedures and guidance would be one way to do this. Such interagency coordination could not only develop a more effective and efficient oversight program but also provide common guidance to the industry. Page 44 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix V Comments From the National Credit Union Administration Note: GAO comments supplementing those in the report text appear at the end of this appendix. See comment 1. See comment 2. See comment 3. nd Now on p. 3, 2 paragraph. See comment 4. Page 45 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix V Comments From the National Credit Union Administration nd Now on p. 5, 2 paragraph. See comment 5. th Now on p. 9, 4 paragraph. See comment 6. Page 46 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix V Comments From the National Credit Union Administration The following are GAO’s comments on NCUA’s letter dated June 3, 1999. 1. NCUA commented that the draft of this report did not recognize the GAO Comments agency’s on-line banking training in 1997 and 1999. The draft report did mention NCUA’s 1997 training. We have added language to this report to recognize NCUA’s planned training in 1999. 2. NCUA commented that the draft of this report did not recognize its development of a draft Electronic Financial Services Questionnaire. We did not specifically mention the questionnaire because it was included in the white paper on “cyber credit union services” that was mentioned in the draft report. 3. NCUA commented that the draft of this report did not recognize its creation of three information systems officer positions. We have added a discussion of these positions to this report. 4. While stating that the agency did not have formalized examination procedures specifically tailored to Internet banking, NCUA commented that the report should recognize that examiners did review Internet banking processes when they became aware of a credit union’s Internet banking program. In the report we state that each of the regulators had policies requiring examiners to determine how various existing or emerging issues facing an institution or the banking industry affected the nature and extent of risks at particular institutions. Since NCUA lacked Internet examination policies and procedures and its examiners lacked training in Internet risks and mitigation controls, we do not believe that NCUA’s approach adequately addresses the Internet banking risks facing credit unions. 5. NCUA commented that the draft of this report should be expanded to recognize its work with state regulators. We have made this change. 6. NCUA commented that the report seems to imply that guidance initiated to date by regulators is missing the mark. We did not intend to imply this. To the contrary, as NCUA said, regulatory guidance to the entire industry on risks posed by Internet banking is a necessary first step. However, as noted in a later section of the report, we encourage regulators to take the next step, which is to work with individual institutions that examiners find are not sufficiently prepared to mitigate risks posed by Internet banking. Page 47 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VI Comments From the Comptroller of the Currency Note: GAO comments supplementing those in the report text appear at the end of this appendix. Page 48 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VI Comments From the Comptroller of the Currency See Comment 1. Page 49 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VI Comments From the Comptroller of the Currency Page 50 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VI Comments From the Comptroller of the Currency The following are GAO’s comments on the Office of the Comptroller of the Currency’s letter dated June 3, 1999. 1. While stating that the agency did not collect information centrally for GAO Comments banks planning to offer Internet banking or require advance notification, OCC commented that it does conduct a quarterly review of a bank’s risk profile, which would include significant changes in bank products or services. According to OCC’s guidance to examiners, examiners are to assess the overall condition and risk profile of the bank, but they need not answer or complete optional steps. Assessing changes in technology, such as Internet banking, is an optional step in the guidance. OCC’s efforts to use other methods to collect information on a bank’s Internet banking plans will enhance information gathered during its quarterly reviews and achieve the intent of our recommendation. Page 51 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VII Comments From the Office of Thrift Supervision Note: GAO comments supplementing those in the report text appear at the end of this appendix. Page 52 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VII Comments From the Office of Thrift Supervision Now on pp. 2 and 15. See comment 1. Now on pp. 6 and 7. See comment 2. Now on pp. 11 and 12. See Comments p. 26. Now on pp. 15 and 16. See comment 3. Page 53 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VII Comments From the Office of Thrift Supervision Now on p. 18. See comment 4. Page 54 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VII Comments From the Office of Thrift Supervision The following are GAO’s comments on OTS’ letter dated June 3, 1999. 1. OTS commented that the draft of this report did not include information GAO Comments on its Web site reporting requirement and the agency’s national database. We added language to this report discussing both points. 2. OTS commented that the draft of this report did not discuss compliance examinations that are conducted to assess an institution’s compliance with consumer protection laws and regulations. We have added to this report a discussion of compliance examinations. 3. OTS referred to a section of the report that discusses after-the-fact methods used by other regulators to obtain information that OTS gathers through its advance notice requirement. OTS commented that it was proactively supervising thrifts as evidenced by its thrift notice requirement. We agree and believe that the report clearly reflects that. 4. OTS commented that the draft of this report suggested that the agency only examined Internet banking activities through its safety and soundness examination program. We added language to this report discussing compliance examinations. We also have added language to clarify that we are referring to safety and soundness and information systems examinations. Page 55 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VIII Comments From the Federal Financial Institutions Examination Council Page 56 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VIII Comments From the Federal Financial Institutions Examination Council Page 57 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix IX GAO Contacts and Staff Acknowledgments Richard J. Hillman, (202) 512-8678 GAO Contacts Kane Wong, (415) 904-2123 In addition to those named above, Abiud Amaro, Bruce Engle, Robert Acknowledgments Pollard, Nolani Traylor, and Karen Tremba made key contributions to this report. Page 58 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Page 59 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Page 60 GAO/GGD-99-91 Enhancing Oversight of Internet Banking Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Order by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 th th 700 4 St. NW (corner of 4 and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touch-tone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send e-mail message with “info” in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested (233562)
Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities
Published by the Government Accountability Office on 1999-07-06.
Below is a raw (and likely hideous) rendition of the original report. (PDF)