Federal regulators on Wednesday laid out the steps national banks should take to protect their businesses when offering services via personal computers.
"The on-line environment gives rise to a new set of risks which banks must learn to manage effectively if they are to maintain customer confidence and assure the development of safe and sound electronic banking systems," said acting Comptroller of the Currency Julie L. Williams.
The safeguards are aimed at protecting banks from a variety of risks, including software that fails to implement transactions correctly, security breaches that allow unauthorized individuals to tap into data centers, and snafus that may damage an institution's reputation.
The guidelines, under development by the Office of the Comptroller of the Currency since early this year, apply to services offered on the Internet or through telephone links. The Federal Reserve Board and the Federal Deposit Insurance Corp. issued similar advice late last year.
Ralph E. Sharpe, the OCC's senior adviser for bank supervision policy, estimated that as many as 650 banks now offer on-line services or provide information to customers over the Internet with little problem. But the agency wants to head off trouble before the bulk of the industry gets into the business.
"This is a developing area that we expect to grow substantially, and we want to get the guidance out there before most banks are really involved," Mr. Sharpe said.
William M. Randall, executive vice president at Huntington Bancshares in Columbus, Ohio, agreed. "At the end of the day the industry must protect customers' trust. A lot of banks today may not be that familiar with issues surrounding this new type of business."
Mr. Sharpe said the biggest risk to banks is that on-line transactions could be plagued by unreliable performance, inaccurate data, or accidental disclosure of confidential information. The likelihood of problems may be increased because most bank management, lacking the necessary expertise to design secure systems, will rely on outside vendors to provide technology.
Consequently, examiners will determine whether banks have taken steps to ensure that third parties are capable of providing reliable and secure systems and are performing these services properly.
"The OCC is saying, and rightly so, that banks are responsible for the integrity of their on-line services and can't hand off that obligation to vendors," said John Burke, counsel to the Bankers Roundtable's Banking Information Technology Secretariat.
To prevent security breaches, banks must clearly define individual responsibilities and identify who has access to sensitive data. Bank managers also should establish specific reporting requirements for security breaches.
Passwords assigned to customers should be sufficiently long to prevent on-line "hackers" from guessing correctly. Passwords should also be combinations of numerals and letters rather than specific words. Banks should also require passwords to be changed periodically and establish fixed procedures for resetting the codes. Software programs should not store passwords automatically, the OCC said.
Also, sensitive data should be stored in an encrypted form, and computer links to customers should be automatically disconnected after long periods of inactivity.
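As an added illustration, not from the article or the OCC guidance itself, the customer-password and session rules described above can be enforced directly in a bank's own application code. The length, age and idle thresholds and the small word list are assumptions for the example; storing only a salted hash (rather than the password itself) goes slightly beyond the article's "do not store passwords" advice.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy thresholds are assumptions; the OCC guidance as reported gives no numbers.
MIN_LENGTH = 8
MAX_PASSWORD_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(minutes=15)
PBKDF2_ROUNDS = 200_000

# Constructed stand-in for a dictionary word list; a deployment would load a real one.
DICTIONARY_WORDS = {"password", "banking", "welcome", "account"}


def check_password(password: str, last_changed: datetime, now: datetime) -> list:
    """Return the guideline violations for a customer password (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must mix letters and numerals")
    # A plain word with digits tacked on the end still counts as a "specific word".
    stem = re.sub(r"\d+$", "", password.lower())
    if stem in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if now - last_changed > MAX_PASSWORD_AGE:
        problems.append("expired; periodic change required")
    return problems


def store_credential(password: str, now: datetime) -> dict:
    """Keep a salted PBKDF2 hash and the change date, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "changed": now}


def verify_credential(record: dict, password: str) -> bool:
    """Constant-time comparison of the presented password against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def session_expired(last_activity: datetime, now: datetime) -> bool:
    """True when the customer link should be dropped for inactivity."""
    return now - last_activity >= IDLE_TIMEOUT
```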
The OCC said examiners will also evaluate a bank's ability to manage other risks created by on-line banking. For instance, banks may face strategic risk, Mr. Sharpe said, by failing to plan for the impact on their overall operations. Possible oversights include neglecting to plan for ongoing maintenance and continued growth.
Management must also be prepared to stem reputation damage that occurs if technology breaks down or private customer information is compromised. Bank officials should be ready to respond to operational failures and have in place a customer service operation to minimize the impact of occasional system breakdowns.
To reduce the risk of compliance violations, banks should consult with their lawyers to ensure that valid and enforceable contracts exist with customers and vendors.