An influential international banking committee issued a report Tuesday calling for better security and management of electronic banking (e-banking) by the world's financial institutions.
The report, "Risk Management Principles for Electronic Banking," was released by the Basel Committee on Banking Supervision and published on the Web at http://www.bis.org/publ/bcbs98.pdf.
The rapid growth of e-banking in recent years has created a wealth of new banking products and services, but has also increased banks' exposure to financial and legal risks, the committee said.
Banks need to re-evaluate their risk management strategies and policies to account for e-banking activity, the committee said.
The committee refrained from issuing technological requirements or "best practices" in the report, saying that the pace of technological change would quickly make any such recommendations outdated and that banks have different risk profiles and needs. However, the report did list 14 risk management principles that banks' boards of directors should consider when planning and deploying e-banking services, or evaluating existing services.
Among those recommendations are calls for boards of directors to secure logical and physical access to sensitive systems and to build an adequate infrastructure to ensure the integrity of data transactions, records and information.
Third-party contractors used to support e-banking services should be closely monitored and audited, and administrative access to sensitive e-banking databases and applications should be segregated, the committee said.
On the hot issue of information privacy, the committee said that banks have a "clear responsibility" to provide e-banking services comparable to traditional banking, both in reliability and in the protection of customer data.
At the same time, steps should be taken to authenticate users in e-banking transactions and to protect both the bank and its customer against repudiation, in which one party to a transaction later denies having sent, authorized or received it.
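The distinction between merely authenticating a transaction and preventing repudiation is easier to see in code. The following Go example is added here; it is not from the Basel report or from any bank's system, and the Transfer record, the shared secret and the key handling are constructed assumptions for illustration. It contrasts a shared-secret HMAC, which proves a message is authentic but which the bank itself could have produced, with an ed25519 signature that only the customer's private key can create, so the bank can later show a third party that the customer authorized exactly that transfer and nothing else.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transfer is a constructed e-banking transaction used only for this example.
type Transfer struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int64  `json:"amount_cents"`
	Nonce  string `json:"nonce"` // unique per transaction so a signed message cannot be replayed
}

// canonical returns the bytes that get authenticated. JSON field order follows
// the struct, so bank and customer derive the same encoding from the same transfer.
func (t Transfer) canonical() []byte {
	b, _ := json.Marshal(t)
	return b
}

// MACTag authenticates a transfer with a key shared by customer and bank.
func MACTag(sharedKey []byte, t Transfer) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(t.canonical())
	return m.Sum(nil)
}

// MACValid checks a tag. The bank holds the same key, so it could have produced
// a valid tag itself: a valid tag does not prove the customer sent the transfer.
func MACValid(sharedKey []byte, t Transfer, tag []byte) bool {
	return hmac.Equal(tag, MACTag(sharedKey, t))
}

// NewCustomerKeys generates the customer's signing key pair. In a real deployment
// the private key would live in the customer's token or device, never at the bank.
func NewCustomerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces a signature that only the private-key holder can create.
func Sign(priv ed25519.PrivateKey, t Transfer) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// Verify lets the bank, or later an auditor or court, check the customer's
// signature with only the public key; this is what defeats repudiation.
func Verify(pub ed25519.PublicKey, t Transfer, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

func main() {
	sharedKey := []byte("constructed-shared-secret-for-demo") // assumption: provisioned out of band
	t := Transfer{From: "ACC-1001", To: "ACC-2002", Amount: 125000, Nonce: "n-000001"}

	// Shared-secret MAC: the bank can mint a valid tag for a transfer the customer never sent.
	forged := MACTag(sharedKey, t)
	fmt.Println("bank-forged MAC accepted:", MACValid(sharedKey, t, forged)) // true

	pub, priv := NewCustomerKeys()
	sig := Sign(priv, t)
	fmt.Println("customer signature verifies:", Verify(pub, t, sig)) // true

	// Neither side can alter the amount after the fact: the signature no longer checks.
	tampered := t
	tampered.Amount = 9125000
	fmt.Println("tampered transfer verifies:", Verify(pub, tampered, sig)) // false
}
```

Cryptographic non-repudiation is only as strong as the custody of the customer's private key and the evidence kept around each transaction (nonce uniqueness, timestamps, logs), which is one reason the report treats the issue as risk management rather than as a purely technical control.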
To protect their customers and their own reputations, banks should also develop robust business continuity plans and the capacity to handle high-traffic volumes that may coincide with unexpected events. Banks should ensure that their customers can access e-banking services in all circumstances, the committee said.
Founded in 1974, the Basel Committee is made up of central banking officials from leading industrial nations including the U.S., Canada, France, Germany, Italy, Japan and the U.K.
The committee does not have any enforcement powers. Instead, it recommends broad standards, guidelines and best practices that central banks in member nations can use as the foundation for their own policies or statutes.
The policy recommendations from Basel will probably not prompt radical changes in the way U.S. banks do business, according to Gary Lynch, vice president of commercial enterprise resilience at Booz Allen Hamilton Inc. That said, the new report will add to Basel's ongoing effort to get banks to address the issue of operational risk management, he said.
Squeezed by finite financial reserves and insurance companies that are offering less coverage at higher premiums, banks are being forced to take on more risk and are looking for creative ways to mitigate that risk.
While perimeter and database security are common, banks will have to follow the model created in the credit card industry of using behavior pattern recognition, behavior analysis and threat simulation to reduce their exposure to fraud and financial loss, Lynch said.
"Banks don't have unlimited money to deal with risks, so they're going to be forced to step up and enhance their controls," he said.
The report might also prompt the boards of directors to demand more accountability for security from banks, according to Eitan Bauch, chief executive officer of application firewall company MagniFire Websystems Inc.
"Most of the time when you come to an establishment and ask 'Who owns (the security) problem,' you won't get one answer," he said.
"This report may force boards to ask 'Who owns this? Is it the security folks? The network guys? Who?' The impact will be that there will be a designated entity who has full responsibility to deal with the security issue," Bauch said.