GAO Report Finds Security Flaws in Bank Internet Units

The General Accounting Office said financial institutions and their regulators have been insufficiently attentive to the security risks of their Internet operations.

In a yearlong study released on Tuesday to a subcommittee of the House Banking Committee, the congressional auditing body analyzed federal examination reports of 81 banks, thrifts, and credit unions.

Of the 81, 44% were found to have at least one major shortcoming in their management of on-line banking risks.

Some had no formal procedure in place to address on-line security concerns, the GAO said. Others failed to get board approval before going on-line. Still others had no written contracts with third-party firms they hired to provide on-line services for customers.

"We don't want government to get in the way of a new technology and retard it unduly," said Rep. Spencer Bachus, R-Ala., at a hearing of the subcommittee on monetary policy, which he heads. But he cautioned that "new safety and security considerations" associated with on-line banking must be addressed.

Problems were especially prevalent among smaller banks, the GAO said. It said 36% of the institutions with $1 billion or less of assets had no security policy in place, compared with about 22% of institutions above $1 billion.

The study painted a far less rosy picture than that presented by banks and their technology vendors in marketing materials and public statements.

"As a third-party (processing) firm, (we welcome) the regulatory oversight of our operations," said Michael Haskel Vaughn, executive vice president of SBS Corp. in Birmingham, Ala. "We view examinations by regulators almost as a service provided to us."

Richard J. Hillman, associate director for financial institutions and markets issues at the GAO, said government efforts to regulate on-line banking have been uneven. He said the Office of Thrift Supervision is the only regulator that requires institutions to notify it before creating a transactional Web site.

The OTS and the Federal Deposit Insurance Corp. were the only agencies that maintained central data bases of their respective constituencies' on-line efforts.

The National Credit Union Administration was portrayed especially harshly. As of May, it had not conducted a single on-line banking exam, Mr. Hillman reported. Like other agencies, it blamed the year-2000 computer problem for depleting its human resources, he added.

The report comes at a time of explosive growth in the delivery of interactive banking services.

In June 1995, 245 institutions offered on-line banking via either the World Wide Web or direct phone connections. Virtually none were fully transactional, meaning customers could not transfer funds or make payments, the GAO said.

By June 1999 more than 5,100 banks, thrifts, and credit unions were offering on-line banking, and 25% of those sites were transactional.

The GAO said an estimated 6.6 million households conducted on-line banking transactions in 1998. International Data Corp. of Framingham, Mass., projects that will rise to 32 million by 2003.

No bank has reported a serious security breach or loss of customer funds in on-line banking services, said Catherine A. Allen, chief executive officer of the Banking Industry Technology Secretariat.

Her group, known as BITS, is a division of the Financial Services Roundtable that has been encouraging banks to take proactive steps to assure security and privacy.

Ms. Allen and other industry representatives at Tuesday's hearing did not deny that there are vulnerabilities. Last week BITS formally opened its Financial Services Security Laboratory in Reston, Va., to certify, and offer seals of approval of, Web-based financial services technologies.

"It is reasonable to expect that financial institutions will give favorable consideration to (these) products" when they see a BITS seal, said Peter A. Browne, senior vice president of First Union Corp. and one of the leaders of the lab project.

The GAO study was requested by the House Banking Committee chairman, Rep. James A. Leach, R-Iowa.

Mr. Hillman cautioned that the study's results do not necessarily reflect the industry as a whole.

"Too few examinations had been conducted at the time of our review to identify the extent of any industrywide Internet banking-related problems," he said.

Mr. Browne also warned against reading too much into the statistics. He said in an interview after the hearing that almost every bank's strategic plans have holes. But viewed broadly, he said, most plans would pass muster.
