TABLE OF CONTENTS
Foreword
Section 1: Introduction and Background
Section 2: Electronic Banking Risks and Controls
Section 3: Electronic Payment Systems
Section 4: E-banking and Examination Procedures
Tables
Appendix I: Risk Management of Outsourced Technology Services
Appendix II: Brief Overview of Digital Signatures and Certificate Authorities
Appendix III: Online Privacy of Consumer Personal Information
Appendix IV: Overview of Widely-Used Basic Security Safeguards
Appendix V: Some E-Banking Terms
GUIDELINES FOR ELECTRONIC BANKING
This document is intended to provide guidance on the promotion of safe and sound e-banking [1] activities, while preserving the flexibility necessary to accommodate future technological and other changes. The guidelines are general since the Central Bank of Barbados is of the view that setting too detailed requirements in the area of e-banking could lead to their becoming rapidly outdated. The document is not intended to create new examination standards, impose regulatory requirements or represent an exclusive description of the various ways that banks can implement effective information security programs. Whether financial institutions contract with third-party providers [2] for e-banking services (such as Internet banking) or maintain computer services in-house, bank management is responsible for ensuring that systems and data are protected against risks associated with emerging technologies and computer networks.
We advocate that if a bank is relying on third-party providers in this regard, management must generally understand the provider's information security program to effectively evaluate the security system's ability to protect bank and customer data. Furthermore, while these guidelines are representative of current sound industry practice, they should not be considered unchangeable, since many security controls and other risk management techniques will continue to evolve rapidly in order to keep pace with new technologies and business applications.
[1] Refers to banking activity being facilitated electronically, i.e. through a computer or some other intelligent device.
[2] For the purposes of this guidance, "third-party provider" is broadly defined as suppliers that may provide the following services or products to institutions: system design, development, administration and maintenance services; data processing services; and system solutions.
1. INTRODUCTION AND BACKGROUND
In many ways, e-banking is not unlike traditional payment, inquiry and information processing systems, differing only in that it uses a different delivery channel. Any decision to adopt e-banking is normally influenced by a number of factors, including customer service enhancement and competitive costs, all of which motivate banks to assess their electronic commerce strategies. The benefits of e-banking are widely known and are only summarised briefly in this document.
E-banking can improve a bank's efficiency and competitiveness, so that existing and potential customers can benefit from a greater degree of convenience in effecting transactions. This increased level of convenience offered by the bank, when combined with new services, can expand the bank's target customers beyond those in traditional markets. Consequently, financial institutions are becoming more aggressive in adopting electronic banking capabilities that include sophisticated marketing systems, remote-banking capabilities and stored value programs. Internationally, familiar examples include telephone banking, automated teller networks and automated clearinghouse systems. Such technological advances have brought greater sophistication to all users, both commercial customers and "the man in the street".
A bank may be faced with different levels of risks and expectations arising from electronic...