WASHINGTON - The Basel Committee on Banking Supervision has issued guidelines for electronic banking that emphasize how traditional risks translate into the cyber world.
"Electronic banking did not create risks but increased and modified some of the traditional risks associated with banking activities, in particular strategic, operational, legal, and reputational risks, thereby influencing the overall risk profile of banking," the committee's electronic banking group wrote in a report that spells out 14 risk management principles to guide such activities.
The group, led by Comptroller of the Currency John D. Hawke Jr., issued the guidelines Thursday after working on them since November 1999, and it will now begin developing principles for cross-border cooperation among banking supervisors.
"Our goal is to alert financial institutions and their supervisors to the nature of risks in electronic banking," Mr. Hawke said. "We expect bankers will put these principles to use as they develop their own customized approaches to risk mitigation."
The guidelines are divided into three categories: board and management oversight, security controls, and legal and reputation risk management.
"After all is said and done, management recognition of the risks inherent in e-banking and the need for an integrated risk management system are fundamental if the specific risks that are addressed in the other 13 principles are to be properly controlled," Mr. Hawke said.
He acknowledged that the guidelines are nonbinding but said the committee's intent was to amass the collective wisdom and experiences of bankers everywhere.
The 33-page report makes common-sense recommendations such as: Security profiles should be created and maintained and specific authorization privileges assigned to all users of e-banking systems and applications, including customers and internal bank users.
The report also advises: Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution.
Finally, the report reminds bankers to ensure that third-party service providers have confidentiality and privacy policies that are consistent with their own.