oversight

Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities

Published by the Government Accountability Office on 1999-08-03.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Domestic and International
                          Monetary Policy, Committee on Banking and Financial
                          Services, House of Representatives


For Release on Delivery
Expected at
10:00 a.m. EDT
                          ELECTRONIC BANKING
on Tuesday
August 3, 1999

                          Enhancing Federal
                          Oversight of Internet
                          Banking Activities
                          Statement of Richard J. Hillman, Associate Director
                          Financial Institutions and Markets Issues
                          General Government Division




GAO/T-GGD-99-152
Statement

Electronic Banking: Enhancing Federal
Oversight of Internet Banking Activities

                Mr. Chairman and Members of the Subcommittee:

                We are pleased to be here today to discuss regulatory efforts to identify
                and mitigate risks to U.S. depository institutions’ operations introduced by
                the growth in the use of Internet banking systems. This testimony
                                                             1
                summarizes the findings in our July 6, 1999, report, which responded to
                the Committee on Banking and Financial Services’ request asking us to

              • describe risks posed by Internet banking and the extent of any
                industrywide Internet banking problems,
              • assess how the five U.S. financial regulators track institutions’ plans to
                provide Internet banking services,
              • determine how regulators have begun to examine Internet banking
                activities, and
              • determine the extent to which regulators have examined firms providing
                Internet banking support services to institutions.

                To summarize our findings, I will highlight four main points that emerged
                from our work.

                First, we found that Internet banking heightens various types of traditional
                banking risks and our review of 81 examinations showed that roughly 44
                percent of the depository institutions examined had not completely
                implemented risk-management steps that regulators said are needed to
                limit on-line banking risks. Shortcomings included some institutions’ lack
                of approval of strategic plans by their board of directors and a lack of
                policies and procedures at some institutions for Internet banking
                operations. However, I need to point out that too few examinations had
                been conducted at the time of our review to identify the extent of any
                industrywide Internet banking-related problems. Regulators attributed
                their limited number of examinations to a diversion of examiners to
                higher-priority efforts to address the Year 2000 computer problems and to
                                                                                          2
                their limited number of examiners with expertise in information systems.

                Second, our work found that some regulators could use more systematic
                methods for identifying institutions’ plans for new Internet banking

                1
                 See Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities (GAO/GGD-99-91,
                July 6, 1999).
                2
                  The Year 2000 computer problem exists because the data that computers store and process often use
                only the last two digits to designate the year. On January 1, 2000, such systems may mistake data
                referring to 2000 as meaning 1900, possibly leading to errors and disruptions in the processing of
                financial data.




                Page 1                                                                         GAO/T-GGD-99-152
Statement
Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




systems and maintaining this information centrally. We found that
regulators use a variety of methods to identify depository institutions that
already offer Internet banking services, but that only two of the regulators
centrally collected information on plans for new services. The Office of
Thrift Supervision (OTS) requires institutions to notify it in advance of
their plans to establish a transactional Web site. Also, the Federal Deposit
Insurance Corporation (FDIC) requires its examiners to keep abreast of
institutions’ plans to start offering Internet banking service, and it
maintains records of these plans in a central database. We found that the
other regulators could benefit from adopting systems to keep abreast of
institutions’ plans for new Internet banking services and to allow them to
proactively oversee this new and evolving banking activity.

Third, we found variations in the supervisory approaches the regulators
followed to help ensure that institutions mitigate the risks posed by
Internet banking. As I will discuss in greater detail later, some regulators
have been more proactive than others. We found that FDIC has completed
the most examinations of on-line banking operations, and that OTS and
FDIC have been actively issuing policies and procedures for Internet
banking examinations. In contrast, the National Credit Union
Administration (NCUA) had not conducted any Internet banking
examinations at the time of our fieldwork and was the only regulator that
had not developed procedures for Internet banking examinations.

In a fourth area, involving another critical oversight responsibility, we
found that the five regulators are beginning to work cooperatively to carry
out a study of third-party firms providing Internet banking support
services. Such a joint study can enable regulators to share scarce technical
resources on issues of mutual interest. The study is expected to provide
the regulators with a greater understanding of the kinds of services and
security features provided to institutions by third-party firms. In addition,
the study should allow regulators to determine what form of additional
oversight is necessary. Although NCUA is part of the joint study, we are
concerned that third-party firms providing services solely to credit unions
are not being reviewed. In addition, we are concerned that NCUA’s
                                                                 3
authority to oversee these firms will sunset in December 2001.

Information discussed in our report was gathered from reviews of
examinations and interviews we had with officials from the five financial
regulators on Internet banking risks and their strategies for overseeing

3
 The Examination Parity and Year 2000 Readiness for Financial Institutions Act, P.L. 105-162, 112 Stat.
32 (1998).




Page 2                                                                           GAO/T-GGD-99-152
                          Statement
                          Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




                          Internet banking activities. We also determined how these regulators
                          identify institutions offering Internet banking, how they conduct safety and
                          soundness and information systems examinations for Internet banking,
                          and what approaches they used to examine third-party firms that provide
                          Internet banking services. We also talked to a number of representatives
                          from selected depository institutions and third-party firms about their
                          views on the scope and frequency of regulators’ examinations and their
                          views of risks posed by Internet banking. As a key part of our work, we
                          also reviewed 81 safety and soundness and information systems
                          examinations that looked at on-line banking operations, and we
                          interviewed 43 examiners who had conducted the examinations. We did
                          this work between April 1998 and May 1999 in accordance with generally
                          accepted government auditing standards.

                          To elaborate on the findings in our report, I want to start by discussing
Internet Banking          growth in Internet banking and the kind of risks it presents. For the most
Heightens Risks that      part, regulators have taken steps to provide guidance to depository
Challenge Regulators      institutions on the need to mitigate risks. However, in some areas, more
                          remains to be done.

Internet Banking Growth   Internet banking services are offered by a fast growing number of
                          depository institutions. When we concluded our fieldwork several months
Continues                 ago, about 3,600 federally insured depository institutions—or about 17
                          percent of all U.S. banks, thrifts, and credit unions—offered some form of
                                                      4
                          Internet banking service. More recent data showed that over 5,100
                          federally insured depository institutions, or about 24 percent, offered some
                                                       5
                          form of Internet banking. About a fourth of these institutions offered fully
                                                    6
                          transactional Web sites. It’s important to differentiate these transactional
                          sites - - which offer a range of interactive banking services, such as
                          transferring of funds among customer accounts - - from Web sites that only
                          give information about the bank and its services. As shown in figure 1, the
                          most recent statistics showed that the number of banks, thrifts, and credit
                          unions with Web sites has increased dramatically from 245 in December
                          1995 to over 5,100. Also, the number of banking Web sites that were
                          transactional were growing as well from 1 in 1995 to over 1,200.
                          4
                           In February 1999, approximately 2,500 banks and thrifts—about 23 percent of all banks and thrifts—
                          had Web sites, according to FDIC. As of June 30, 1998, 1,110 credit unions had Web sites, according to
                          NCUA.
                          5
                           As of June 1999, approximately 3,000 banks and thrifts—about 30 percent of all banks and thrifts—
                          had Web sites, according to FDIC. As of March 1999, 2,174 credit unions had Web sites, according to
                          Callahan and Associates.
                          6
                           According to FDIC, 635 banks and thrifts offered fully transactional Web sites as of June 30, 1999.
                          According to Callahan and Associates, 578 credit unions offered such sites as of March 1999.




                          Page 3                                                                            GAO/T-GGD-99-152
                                       Statement
                                       Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




Figure 1: Growth in Internet Banking




                                       Note: Credit union data was only available for June 1997 to March 1999.
                                       Source: Bank and thrift data are from FDIC, and credit union data are from Callahan and Associates.


                                       Projections suggest that households using Internet banking systems will
                                                                                                          7
                                       increase from 6.6 million at the end of 1998 to 32 million by 2003. This
                                       anticipated fast-paced growth makes it crucial that depository institutions
                                       and regulators understand various types of Internet banking risks and that
                                       institutions with these systems have procedures in place to mitigate these
                                       risks.

Regulators Need to Ensure              An underlying cause for the regulators’ concerns in this area has been that
                                       many traditional banking risks are heightened by the access the Internet
Institutions Mitigate Risks            provides to anyone with a compatible computer and the resulting potential
                                       vulnerability to security breaches. We reviewed the guidance that

                                       7
                                           Household projections developed by International Data Corporation.




                                       Page 4                                                                         GAO/T-GGD-99-152
                             Statement
                             Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




                             regulators have provided to depository institutions, concerning various
                             types of Internet banking risks, including security risk, transactional risk,
                             and various types of strategic risk. Regulators are also concerned about
                             risks associated with an institution’s reputation, such as a possible loss of
                             public confidence in an institution or the banking system caused by, for
                             example, an Internet banking systems failure that prevents customers from
                             accessing their accounts.

                             Our work assessing what regulators are doing to help ensure that
                                                                                                        8
                             institutions with on-line systems mitigate risks follows our earlier report
                             issued in 1998. In that report, we discussed information obtained from 93
                             banks about what they were doing to mitigate risks arising from their on-
                             line and Internet banking services. An important step in ensuring the
                             integrity of an on-line banking system is identifying vulnerabilities and
                             threats potentially affecting individual on-line banking systems and
                             establishing internal controls to mitigate these risks. Survey results
                             discussed in our 1998 report indicated that 42 percent of the surveyed
                             banks had not conducted formal risk assessments or did not know if they
                             had performed one.

                             Since our 1998 report, we have found that the regulators issued varying
                             amounts of guidance on how institutions can prepare for and mitigate
                             risks, and we found that the limited number of examinations done so far
                             have shown that many, but not all, institutions followed this guidance.

Limited Examinations Do      Before I go into what we found in looking at examinations, I need to point
                             out that, we found too few examinations had been completed to identify
Not Indicate the Extent of   the extent of any industrywide Internet banking-related problems.
                                                                                                9

Any Industrywide Problems    Reasons the regulators gave for the small number of examinations done to
                             date included examiners being diverted to mitigation efforts concerning
                             the Year 2000 computer problem and a shortage of trained examiners to
                             carry out Internet banking examinations. I also want to point out that
                             while examiners found deficiencies, none of the examinations we
                             reviewed reported any financial losses or security breaches.

                             In the 81 depository institution examinations we reviewed, regulators
                             found that 36, or about 44 percent, of those institutions had not completely

                             8
                              Electronic Banking: Experiences Reported by Banks in Implementing On-line Banking (GAO/GGD-98-
                             34, Jan. 15, 1998).
                             9
                              The examinations we reviewed included 62 that were conducted by FDIC, 6 by the Federal Reserve
                             System(FRS), 8 by the Office of the Comptroller of the Currency (OCC), and 5 by the Office of Thrift
                             Supervision (OTS).




                             Page 5                                                                           GAO/T-GGD-99-152
                                        Statement
                                        Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




                                        implemented the on-line banking risk mitigation steps outlined by the
                                        regulator. These instances involved institutions’ failure to implement,
                                        among other things, (1) active board and senior management oversight, (2)
                                        effective internal controls, and (3) comprehensive and ongoing internal
                                        audit programs.

                                        As summarized in table 1, in 20 of the 81 examinations, or 25 percent of
                                        them, examiners discovered strategic planning deficiencies. For example,
                                        regulators found that some institutions had not prepared strategic plans or
                                        had not obtained board of directors’ approval before initiating on-line
                                        banking. In 26 of the examinations, or 32 percent, regulators found that the
                                        institution did not have policies and procedures in place to guide its on-
                                        line banking operations.

Table 1: On-line Banking-Related
Weaknesses in Risk Mitigation Systems                                        Number of banks and      Percent of 81 institutions
                                        Type of weaknesses                                 thrifts                    reviewed
                                        Deficiencies in strategic                              20                           25%
                                        planning
                                        No policies and procedures                               26                          32
                                        to address security concerns
                                        and standard operating
                                        practices
                                        Insufficient audit coverage of                           29                          36
                                        on-line banking activities
                                        Management had not                                       15                        18%
                                        properly initiated or
                                        documented agreements with
                                        third-party firms
                                        Source: GAO analysis of FDIC, FRS, OCC, and OTS data.


                                        Another weakness involved institutions’ audit coverage of their on-line
                                        banking operations. In 29 of the examinations, or 36 percent of them,
                                        regulators found that the institution lacked adequate audit coverage of its
                                        on-line banking operations. Fifteen examinations, or 18 percent of the ones
                                        we reviewed, disclosed that the institution had not taken steps to evaluate
                                        its third-party firm that was providing the on-line banking services or
                                        lacked a written contract with their firm. Examiners we interviewed
                                        expressed concerns about deficiencies that were similar to those we found
                                        in the examinations we reviewed. For example, examiners were concerned
                                        that some smaller institutions were implementing Internet banking
                                        systems before they had established operating policies and procedures and
                                        that bank management had to be reminded that operating policies and
                                        procedures were not optional.




                                        Page 6                                                                 GAO/T-GGD-99-152
                            Statement
                            Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




Regulators Need to Share    As I noted earlier, too few examinations had been done at the time of our
                            review to draw conclusions about patterns of problems emerging in the
Examination Results to      industry, and we are not able to generalize from the results of our review
Benefit From Each Other’s   of these examinations. At the same time, we believe that as they continue
Experiences                 to examine Internet banking, the regulators can and should learn from
                            these examinations; and we believe that they need to begin sharing the
                            results of their Internet banking examinations with each other.

                            As more examinations are completed, information sharing among the
                            regulators could help them better understand the extent of the risks posed
                            by Internet banking, develop risk profiles that would allow them to target
                            institutions requiring further attention, and help them allocate limited
                            resources among competing priorities.

                            Before discussing how regulators supervise Internet banking, I want to
Some Regulators Do          touch on a problem we found in how some regulators identify depository
Not Identify New            institutions planning new Internet banking services.
Internet Banking
                            We found that regulators used a variety of methods to identify institutions
Systems Plans               that were already offering Internet banking services, such as Internet Web
                            site searches and examiners’ preexamination planning information
                            gathering. However, we found that only two regulators were systematically
                            obtaining information on institutions’ plans to provide such services and
                            had a centralized database of this information at the time of our review.
                            One of them, OTS, recently established a requirement that institutions
                            notify it in advance of plans to establish a transactional Web site. The
                            agency estimated that it would take an institution about 2 hours to prepare
                            the notification, which in its judgment represented a minimal burden. OTS
                            maintains this information in a centralized electronic database.

                            The other institution, FDIC, similarly gathers information on institutions’
                            plans, but it relies on requirements it places on its examiners rather than
                            placing them on the institutions it supervises. For instance, we found that
                            during examinations of institutions not offering Internet banking, FDIC
                            requires its examiners to find out whether the institution plans to establish
                            Internet banking. Like OTS, FDIC collects this information in a central
                            database.

                            With the number of institutions offering Internet banking services
                            significantly increasing, it is critically important for the regulators to stay
                            abreast of which institutions are beginning to offer new Internet banking
                            services—both to head off problems and to be able to furnish guidance to
                            institutions at an early point when they are still installing and fine-tuning



                            Page 7                                                                 GAO/T-GGD-99-152
                         Statement
                         Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




                         their systems. Methods, such as those used by OTS and FDIC, could be
                         used by the other regulators to inform them about Internet banking plans
                         and activities and better enable them to provide tailored risk-management
                         guidance to individual depository institutions when needed. Regulators
                         could also use this information to plan the scope and timing of future
                         examinations and to determine the need for additional examiners who
                         have information technology expertise.

                         During our review, most regulators were developing, testing, or
Regulators’              implementing new on-line banking examination procedures, including
Approaches to Internet   procedures for examinations of Internet banking. However, their
Banking Supervision      approaches varied on whether (1) examinations of new Internet banking
                         activities were required or discretionary and, (2) safety and soundness
Vary                     examiners or information system examiners conducted the examinations.
                         The regulators also varied in their approaches to training.

Regulators’ Efforts to   We found that regulators’ policies differed in the discretion examiners had
                         to decide whether to examine an institution’s new Internet banking
Supervise New Internet   activity. FDIC and OTS expected their examiners to review an institution’s
Banking Systems Differ   Internet banking activities during the first examination of the institution
                         after it has gone on-line. FRS and OCC, in contrast, did not require that an
                         institution’s new Internet banking activities be examined. They permitted
                         their examiners to determine whether they should examine an institution’s
                         new Internet banking activity. They reasoned that although Internet
                         banking is an evolving activity that may warrant scrutiny, its small size,
                         relative to an institution’s overall assets in most cases does not present a
                         safety and soundness concern to the bank; and therefore, examinations of
                         new Internet banking activities are considered optional for their
                         examiners.

                         We found that NCUA was the only regulator that had not established
                         procedures for Internet banking examinations or conducted such
                         examinations. NCUA officials explained that the agency had not conducted
                         Internet banking examinations (1) because the number of NCUA
                         examiners with expertise in information systems was limited and (2)
                         because some examiners who might have been looking at credit unions’
                         Internet banking services in the past 2 years had been diverted to higher-
                         priority efforts concerning the Year 2000 computer problem. We concluded
                         from our fieldwork that NCUA’s lack of an Internet banking examination
                         program meant it could not provide adequate assurances that credit unions
                         with Internet banking were appropriately managing risks. This is
                         particularly troublesome given concerns expressed by some that smaller
                         institutions might be moving too quickly into Internet banking because of



                         Page 8                                                                 GAO/T-GGD-99-152
                         Statement
                         Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




                         the relatively low costs of providing such services through third-party
                         firms and the desire to remain competitive.

                         In other areas, we found differences in the types of examiners assigned to
                         Internet banking examinations. While FRS and FDIC predominantly relied
                         on their safety and soundness examiners for examinations of Internet
                         banking, two other regulators relied entirely or primarily on information
                         systems specialists. OCC relied entirely on specialized examiners because
                         it believed the technology-related aspects of Internet banking required
                         their expertise. OTS relied primarily on information systems specialists for
                         examinations of Internet banking services offered by complex or large
                         institutions.

                         We also found that regulators were at different stages of training their
                         examiners to carry out Internet banking examinations. At the time of our
                         fieldwork, FDIC had largely completed its basic training for its safety and
                         soundness examiners, but it planned additional training for subject matter
                         experts. OTS told us that it would be finished training its examiners by the
                         end of the year, and FRS said it also expected to complete an initial
                         training program for its safety and soundness examiners by the end of this
                         year. OCC had no plans for in-house training of its safety and soundness
                         examiners in on-line banking examinations, because its on-line banking
                         examinations are performed by information system specialists who receive
                         specialized external training. At the time of our review, NCUA had not yet
                         provided its examiners with special training on conducting examinations
                         of Internet banking.

                         The final area of our review involved regulatory oversight of third-party
Third-Party Firms        firms. These firms supply Internet banking support services under contract
Providing Internet       to many depository institutions which cannot or choose not to provide
Banking Services Pose    these services themselves. Each regulator has the authority to examine
                         institutions’ banking services provided by third-party firms. Laws enacted
a Regulatory Challenge   in 1962 and 1998 show that Congress intended that banking services
                         outsourced to third-party firms should be subjected to the same level of
                                                                                               10
                         supervisory attention as services provided by the banks themselves. Over
                         time, this authority to examine third-party firms has grown in importance,
                         as institutions have contracted out an increasing proportion of their
                         operations. However, our work indicated that regulators are in the early
                         stages of determining their role in overseeing third-party firms that provide
                         Internet banking services.

                         10
                           The Bank Service Company Act, 12 U.S.C. 1861-1867 (1962), and the Examination Parity and Year
                         2000 Readiness for Financial Institutions Act, P.L. 105-162, 112 Stat. 32 (1998).




                         Page 9                                                                        GAO/T-GGD-99-152
                              Statement
                              Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




Joint Reviews By              We found that to avoid duplicating efforts, regulators often cooperated in
                              reviewing third-party firms. Joint reviews of firms providing Internet
Regulators Could Enhance      banking services could enable regulators to share technical resources and
Oversight Of Third-Party      fill gaps in their expertise. In late 1998, the five regulators, working under
Firms                         the auspices of the Federal Financial Institutions Examination Council
                              (FFIEC), cooperatively initiated a joint study of Internet banking services
                              provided by third-party firms. The study is expected to provide the
                              regulators with a greater understanding of the services and security
                              features provided to institutions by third-party firms. In addition, the study
                              should allow regulators to determine what form of additional oversight is
                              necessary.

                              In updating our information for this testimony, we were told that as part of
                              the joint study, regulators have met with five of the largest third-party
                              firms to discuss risks associated with Internet banking, to gain a better
                              understanding of available products and services and the associated
                              security features of those products and services, and to obtain information
                              on these firms’ contingency plans. A spokesperson for the study said that
                              the group plans to summarize its findings in a report to FFIEC, and that it
                              is considering issuing new guidance to its member regulators and to their
                              examiners.

Sunsetting of NCUA            Before leaving the oversight of third-party firms, I want to mention a
                              potential problem involving the pending expiration of NCUA’s authority to
Authority Hinders Oversight   examine third-party firms, and a matter that the Congress may wish to
of Third-Party Firms          consider so as to ensure that NCUA has the authority it needs to maintain
                              its oversight over third-party firms.

                              Although each regulator has the authority to examine third-party firms
                              providing services to depository institutions, NCUA’s authority to examine
                              such firms expires in 17 months on December 31, 2001. According to the
                              NCUA officials that we talked with, its authority originally was granted so
                              that NCUA could conduct examinations related to the Year 2000 computer
                              problem. At the time of our fieldwork NCUA had not examined any third-
                              party firm’s Internet banking services; but NCUA officials recognized the
                              need to begin to conduct such examinations. However, the expiration of
                              NCUA’s authority to carry out these examinations on December 31, 2001,
                              would seriously compromise NCUA’s future ability to effectively oversee
                              third-party firms. This is of particular concern because most credit unions
                              offering Internet banking services lack the necessary in-house expertise
                              and rely heavily on third-party firms to provide support services, according
                              to NCUA officials.




                              Page 10                                                                GAO/T-GGD-99-152
                           Statement
                           Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




                           NCUA staff have recently been discussing the agency’s sunset provision
                           contained in the Examination Parity and Year 2000 Readiness For
                           Financial Institutions Act, and plan to request that Congress amend the
                           provision to provide permanent supervisory authority over service
                           providers.

                           In response to the concerns I have touched on, we raised a matter for
Recommended                congressional consideration and made a number of recommendations to
Changes to Improve         banking regulators. In general, banking regulators concurred with the
Internet Banking           thrust of our findings, conclusions, and recommendations.
Supervision

Matter for Congressional   Specifically, as a matter for congressional consideration, our report
                           suggested that Congress may wish to consider whether NCUA’s current
Consideration              authority to examine the performance of services provided to credit
                           unions by third-party firms needs to be extended to ensure the safety and
                           soundness of credit unions. As I noted earlier, NCUA also believes it needs
                           to maintain its authority to examine third-party firms providing support
                           services to credit unions.

Recommendations to         In our report, we recommended that as regulators gain experience in
                           examining Internet banking services, the heads of the banking regulatory
Banking Regulators         agencies should share information on the problems institutions are having
                           in their Internet banking operations. As part of this effort, we also
                           recommended that the heads of the banking regulatory agencies share
                           information on Internet banking examination methods that they find work
                           best. The regulators concurred with this recommendation.

                           We recommended that the Comptroller of the Currency, the Chairman of
                           the Board of Governors of the Federal Reserve System, and the Chairman
                           of the National Credit Union Administration establish procedures to obtain
                           more timely information on institutions’ plans to offer Internet banking.
                           We proposed that they use this information to (1) assess technological
                           trends and emerging security and compliance issues, (2) provide timely
                           and specific risk-management guidance to institutions, and (3) plan the
                           scope and timing of future examinations as well as plan for the availability
                           of examiners with appropriate information systems expertise. The three
                           regulators generally agreed with the thrust of this recommendation and
                           discussed ways to obtain more timely information.

                           To help ensure that reviews of the adequacy of Internet banking services
                           provided by third-party firms are conducted in a cost-efficient manner, we



                           Page 11                                                                GAO/T-GGD-99-152
                  Statement
                  Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities




                  recommended that the Chairman of FFIEC, through the FFIEC Task Force
                  on Supervision, develop plans and a timetable for the regulators’ joint
                  oversight of third-party firms. The regulators generally concurred with the
                  need to develop supervisory plans, with respect to the outsourcing of
                  Internet banking operations of depository institutions. However, FRS
                  commented that it was not clear whether we were recommending a change
                  in the regulators’ current regulatory approach. We believe that joint
                  regulatory examinations of the operations of third-party firms providing
                  depository institutions’ Internet banking services could lead to more
                  economical and efficient oversight. In this regard, our recommendation is
                  intended to ensure that an interagency strategy, instead of individual
                  agency strategies, is developed to examine third-party firms.

                  Finally, we recommended that, as work related to the Year 2000 computer
                  problem diminishes, the Chairman of NCUA expeditiously develop Internet
                  banking examination procedures and begin to examine credit unions’
                  Internet banking-related activities. NCUA agreed with this
                  recommendation and expressed its intention to increase its efforts on
                  Internet banking-related examinations. In this regard, we are hopeful that
                  the agency’s stated intention to examine Internet banking activities
                  represents an important step towards providing assurances that
                  institutions with Internet banking are appropriately managing risks that
                  could affect their safety and soundness.

                  This concludes my prepared statement. If you or other members of the
                  Committee have any questions, I will be pleased to answer them.

                  For future contacts regarding this testimony, please contact Richard J.
Contact and       Hillman at (202) 512-8678. Individuals making key contributions to this
Acknowledgments   testimony included Gerhard Brostrom, Robert Pollard, Karen Tremba, and
                  Kane Wong.




                  Page 12                                                                GAO/T-GGD-99-152
Ordering Information

The first copy of each GAO report and testimony is free. Additional
copies are $2 each. Orders should be sent to the following address,
accompanied by a check or money order made out to the
Superintendent of Documents, when necessary. VISA and
MasterCard credit cards are accepted, also. Orders for 100 or more
copies to be mailed to a single address are discounted 25 percent.

Order by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
     th                  th
700 4 St. NW (corner of 4 and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using fax
number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and testimony.
To receive facsimile copies of the daily list or any list from the past
30 days, please call (202) 512-6000 using a touch-tone phone. A
recorded menu will provide information on how to obtain these
lists.

For information on how to access GAO reports on the INTERNET,
send e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested




(233622)