Adequacy of Internal Controls:
1. Are updates and changes to the bank’s public website(s) are made only by authorised staff and subject to dual verification?
2. Are website information and links to other websites regularly verified and reviewed by the bank for:
a. Accuracy and functionality?
b. Potential reputational, compliance, and legal risk?
c. Appropriate disclaimers?
3. Do operating policies and procedures include:
a. Procedures for, and controls, over opening new customer accounts submitted via electronic channels to verify potential customer identity
and financial condition?
b. Procedures for administering access to the electronic banking system (e.g., customer passwords, PINs, account numbers)?
c. Requirements for review of or controls over wire transfers or other large transfers initiated through the electronic banking system for
potentially suspicious activity?
d. Appropriate authorizations for electronic debits initiated against accounts at other institutions, if such transfers are allowed?
e. Depending on the type of account, dollar limits on transactions over a given time period initiated through the electronic banking service?
f. Reconcilement and accounting controls over transactions initiated through the electronic banking system, including electronic bill
payment processing?
4. Do written information security policies and procedures address electronic banking products and services?
5. Are business recovery procedures adequate? Consider whether the procedures address:
a. Events that could affect the availability of the electronic banking system, such as system outages, natural disasters, or other disruptions?
b. Planned recovery times that are consistent with the degree of importance of the electronic banking activities to the institution?
c. Has management established an incident response plan to handle potential system security breaches, website disruptions, malicious tampering with the Web site or other problem situations?
6. Has the bank or service provider implemented a firewall to protect the bank’s web site?
7. Are ongoing monitoring and maintenance arrangements for the firewall in place to ensure the firewall is properly maintained and configured?
8. If the bank uses a turnkey e-Banking software package or outsources to a service provider:
a. Is bank staff familiar with key controls detailed by the vendor’s security and operating manuals and training materials?
b. Are workstations that interface with the service provider’s system for administrative procedures or transfer of files and data are kept in a
secure location with appropriate password or other access control, dual verification procedures, and other controls?
9. Does the bank’s administration of access to the e-Banking system by bank staff and customers include:
a. Procedures to ensure that only appropriate staff is authorised to access e-Banking systems and data, including access to any
workstations connected to a remote system located at a service provider?
b. The length and composition of passwords and PINs?
c. Encryption of passwords and PINs in transit and storage?
d. The number of unsuccessful logon attempts before the password is suspended?
e. Procedures for resetting customer passwords and PINs?
f. Automatic logoff controls for user inactivity?
10. Have security vulnerability assessments and penetration tests of e-Banking systems been conducted and the results reviewed by the bank?
11. Has the bank or its service provider established:
a. An intrusion detection system for e-Banking applications?
b. Procedures to detect changes in e-Banking files and software?
c. Measures to protect the e-Banking system from computer viruses?
d. Procedures for ensuring on an ongoing basis that e-Banking applications, operating systems, and related security infrastructure
incorporate “patches” and upgrades that are issued to address known security vulnerabilities in these systems?
12. If e-mail is used to communicate with customers, are communications encrypted or does the bank advise customers to not send confidential information via e-mail?
13. Are adequate summary-level reports made available to management to allow monitoring of:
a. Web-site usage?
b. Transaction volume?
c. System problem logs?
d. Exceptions?
e. Unreconciled transactions?
f. Other customer or operational issues?
14. Has management established adequate procedures for monitoring and addressing customer problems regarding e-Banking products and services?
15. Does management accurately reports its primary public web-site address on the Report of Condition?
16. Have required Suspicious Activity Reports involving e-Banking, including any computer intrusions, been filed?
17. Is each significant vendor, service provider, consultant, or contractor relationship involved in development and maintenance of the e-Banking
services covered by a written, signed contract? Depending on the nature and criticality of the services, do contracts specify:
a. Minimum service levels and remedies or penalties for nonperformance?
b. Liability for failed, delayed, or erroneous transactions processed by the service provider and other transactions where losses may be incurred (e.g. insufficient funds).
c. Contingency plans, recovery times in the event of a disruption, and responsibility for back-up of programs and data.
d. Data ownership, data usage, and compliance with the bank’s information security policies.
e. Access by the bank to the service provider’s financial information and results of audits and security reviews.
f. Insurance to be maintained by the service provider.
18. Has legal counsel reviewed the contracts to ensure they are legally enforceable and that they reasonably protect the bank from risk?
19. Has the bank ensured that any service provider responsible for hosting or maintaining the bank’s web-site has implemented:
a. Controls to protect the bank’s Web site from unauthorized alteration and malicious attacks?
b. Procedures to notify the bank in the event of such incidents?
c. Regular back-up of the bank’s Web-site information?
20. Depending on the nature and criticality of the services, does the bank conduct initial and periodic due diligence reviews of service providers,
including:
a. Reviewing the service provider’s standards, policies and procedures relating to internal controls, security, and business contingency to
ensure they meet the bank’s minimum standards?
b. Monitoring performance relative to service level agreements and communicating any deficiencies to the service provider and to bank
management?
c. Reviewing reports provided by the service provider relating to response times, availability/ downtime, exception reports, and
capacity reports and communicating any concerns to bank management and the vendor?
d. Periodically reviewing the financial condition of the service provider and determining whether back-up arrangements are warranted as a
result?
e. Conducting on-site audits of the service provider if appropriate based on the level of risk?
f. Ensure that the bank staff receives adequate training and documentation from the vendor or service provider?
21. If the bank operates a turnkey e-banking software package:
a. Is software held under an escrow agreement?
b. Has the bank established procedures to ensure that relevant program files and documentation held under the software escrow
agreements are kept current and complete?
22. If a vendor maintains the bank’s electronic banking system, does the bank monitor on-site or remote access of the bank’s systems by the vendor,
through activity logs or other measures?