On-Line Guidelines from OTS Urge Internal Control by S&Ls

The Office of Thrift Supervision issued exam guidelines this week for Internet banking and other electronic services that focus heavily on an institution's internal policies and controls.

The guidelines, released late Wednesday, emphasize that thrifts should adopt risk management programs to monitor threats posed by faster transactions, the anonymity of on-line customers, and other unique characteristics of electronic banking.

"Without properly focused control procedures, questionable activities conducted over an electronic channel might not be discovered by traditional review and audit procedures," according to the guidelines, which replace narrower 1994 guidance from the agency on use of outside data processors.

Inadequate risk management policies expose a thrift to "significant losses" from fraud or interruptions in service, the guidelines say.

They also warn examiners that disgruntled employees and inadvertent errors pose as much threat as hackers.

Electronic mail containing confidential information could be sent accidentally to the wrong parties, or employees using networked computer systems might be able to peek inside sensitive data bases.

As a result, the guidelines direct examiners to scrutinize staff training, security of internal computer systems, and relationships with data processing firms in addition to on-line services for customers.

OTS examiners, some of whom could start applying the guidelines by late November, will conduct an abbreviated initial test that primarily determines whether a thrift has proper auditing procedures to monitor its technologies.

"If you are in good shape, then this should be a very quick assessment," said Paul R. Reymann, an OTS supervision policy analyst.

But if their initial review raises concerns, examiners will use more detailed checks in up to seven areas including strategic planning, operating controls, business insurance coverage, and information security.

For example, questions about the adequacy of security will prompt a review of a thrift's monitoring of attempted break-ins, firewalls between its Web site and internal computers, and other protective efforts.

The Federal Deposit Insurance Corp. in January became the first regulator to issue exam guidelines for electronic banking. The Federal Reserve Board began testing new exam procedures for technology this year, and the Office of the Comptroller of the Currency plans to unveil risk management guidelines for Internet and phone banking by the end of 1997.
