RBAP G-Cash Services Training e-Banking Risk Management Rural Bankers Association of the Philippines...

RBAP G-Cash Services Training

e-Banking Risk Management

Rural Bankers Association of the Philippines & Micro enterprise Access to Banking Services

PURPOSE & ORGANIZATION

This risk management manual mitigates the potential and significant risks to the financial institution related to the bank employing technology and electronic banking facilities for its products and services. This manual focuses on:

• definitions of electronic banking

• risk identification and analysis of the complexity and sophistication of the activities in which electronic banking is present

• outlining the major steps in a risk management process for the electronic banking activities of the bank, namely, assessing risks, implementing measures to control risk exposures, and monitoring risks.

Regardless of the level of sophistication, risks are inherent in all electronic capabilities. The objective of this manual is to help mitigate those risks.

ELECTRONIC BANKING

Electronic banking is a broad term applied to activities involving updating banking and on-line accounts over a computer network or automated system. This area is highly dynamic as emerging technologies yield a variety of delivery alternatives that are becoming increasingly important due to:

• the increasing competition from non-bank financial services companies, the telecommunications industry, and systems or software developers;

• the demand for more efficient and convenient capabilities; and

• the widening cost and delivery differentials between electronic capabilities and traditional delivery channels.

ELECTRONIC BANKING

Electronic delivery and payment systems involve a wide range of potential risk exposures. The use of an electronic channel to deliver products and services introduces unique risks due to the increased speed at which systems operate and the broad access in terms of geography, user group, applications, databases, and peripheral systems. In addition to the unique risks, traditional risks which are similar to those in customary banking activities are also present.

RISK IDENTIFICATION AND ANALYSIS

Because of rapid changes in information technology, no list of risks can be exhaustive. However, the most important risk categories for electronic banking activities are operational risk, reputational risk and legal risk.

Since banking is inherently a business of risk taking, it follows that a bank’s involvement in electronic banking and other forms of electronic transmission places the bank at risk. In addition to functional risks, a bank’s assets are also exposed to risks of loss or destruction from intentional or unforeseen events.

RISK IDENTIFICATION AND ANALYSIS

The following risks are identified as the most common in the electronic banking environment:

• Operational Risk

• Reputational Risk

• Legal Risk

• Other Risk

OPERATIONAL RISK

Operational risk arises from the potential for loss due to significant deficiencies in system reliability or integrity.

Security considerations are paramount, as banks may be subject to external or internal attacks on their systems or products.

Operational risk can also arise from customer misuse, and from inadequately designed or implemented electronic banking and electronic payment systems.

OPERATIONAL RISK

Operational risk can be further attributed to the following:

• Security Concerns

• Systems Design, Implementation, and Maintenance

• Customer Misuse of Products and Services

OPERATIONAL RISK

Security Concerns

• Controls over access to bank’s manual & computerized system within the bank

• External attacks by hackers through electronic banking systems

Systems Design, Implementation & Maintenance Concerns

• Poor design of the banking system and problems of compatibility with electronic banking “middle-ware” software

• Reliance on outsourcing development & maintenance poses risks as it exposes the bank to potential infiltration and unauthorized access.

OPERATIONAL RISK

Customer Misuse of Products & Services

As with traditional banking services, customer misuse, intentional or otherwise, is another source of operational risk. Risk may be heightened when the bank does not adequately educate its customers about security precautions. In the absence of adequate measures to verify transactions, customers may repudiate transactions they previously authorized thus imposing financial losses for the bank. Customers using personal information, user-ID and access codes in a non-secure electronic transmission could allow unlawful access to customer accounts. Subsequently, the bank may incur financial losses because of transactions that customers did not authorize. Money laundering may be another source of concern.

REPUTATIONAL RISK

Reputational risk means the risk for the bank to experience significant negative public opinion that may result in “losing popularity” with existing and potential customers.

Reputational risk may result in creating a negative image of overall bank operations and may impair the bank’s ability to establish and maintain customer relationships.

REPUTATIONAL RISK

Reputational risk arises when:

• There is a loss of public confidence

• Bank products do not work as expected and cause widespread negative public reaction

• Customers who experienced problems with a product or service were not given adequate attention

• A breakdown in communications prevents the bank from responding timely to a customer’s concern

• News spreads that hackers have penetrated the bank’s network even though no damage has been done

REPUTATIONAL RISK

Reputational risk is not limited to a particular bank but extends to the whole electronic banking industry. Attacks on the banking system that use electronic banking technology are far more damaging, as they may heavily disrupt the banking system as a whole.

LEGAL RISK

Legal risk arises from violations of, or non-conformance with laws, rules, regulations, or prescribed practices, or when the legal rights and obligations of parties to a transaction are not well established.

Given the relatively new nature of many retail electronic banking activities, rights and obligations of parties to such transactions are, in some cases, uncertain. For example, application of some consumer protection rules to electronic banking activities may not be clear. In addition, legal risk may arise from uncertainty about the validity of some agreements formed via electronic media.

LEGAL RISK

Legal risk arises when:

• The bank is exposed to a money laundering scheme

• Customers are not adequately informed of characteristics of electronic banking that may affect their rights to privacy

• The bank participates in providing electronic authentication and digital certification services and may be liable for financial losses incurred by the parties relying heavily on the digital certification.

OTHER RISKS

Traditional banking risks such as credit risk, liquidity risk, interest rate risk, and market risk may also arise from electronic banking activities, though their practical consequences may be of different magnitude for the bank as opposed to operational, reputational, and legal risks.

RISK MANAGEMENT

• The Risk Management System

• Risk Identification

• Risk Management and Control

• Risk Assessment

RISK MANAGEMENT SYSTEM

REPORTING STRUCTURE

BOARD OF DIRECTORS

RISK MANAGEMENT COMMITTEE

RISK OFFICER

RISK MANAGEMENT SYSTEM

Board of Directors

The Board of Directors has the responsibility to adopt policies and guidelines to govern the safe and prudent operational activities of the bank. This includes operations involving electronic banking.

RISK MANAGEMENT SYSTEM

Risk Management Committee

This Committee shall have the function of overall supervision and control over the risk management system of the Bank. Its mission is to protect the bank’s scarce capital from losses arising from activities that expose the bank to all types of risk involving electronic banking activities. The committee shall be tasked with reviewing electronic banking facilities used and employed by the bank, information security policies and procedures, and other efforts necessary to ensure that the bank is protected against all kinds of penetration by other parties that would compromise the security of the bank in providing products and services electronically.

RISK MANAGEMENT SYSTEM

Tasks of the Risk Officer

• To see to it that the provisions of the Risk Management Manual are complied with by all concerned.

• To conduct familiarization seminars on the provisions of the Manual.

• To conduct a discovery process to identify risks that are not covered by the existing risk management provisions and submit appropriate recommendations for their control.

• To provide the Risk Management Committee with a monthly monitoring report on whether all policies and procedures written in the Manual have been adhered to.

• To submit to the Board of Directors, through the Risk Management Committee, monthly reports on the implementation of, and compliance by all concerned with, the Manual, including his recommendations.

RISK MANAGEMENT SYSTEM

Together with the Internal Auditor, the Risk Officer shall conduct functional review over:

• The bank system’s internal controls and procedure

• The audit and testing of risk management process

• The depth and frequency of internal audit

• The development of adequate controls during product development at the early stage

• The continuous evaluation of the independence and overall effectiveness of the bank’s risk management functions

RISK MANAGEMENT SYSTEM

One of the keys to risk management is risk identification.

The two distinct dimensions being faced by banks are the type of risk and the bank function that is at risk.

To identify bank risk is to look at the various types of risk and determine which function is potentially vulnerable to that type of risk.

RISK MANAGEMENT AND CONTROL

• The BOD shall approve all significant policies on risk management related to e-Banking

• The Chairman of the BOD shall be responsible for ensuring that there is a clear delineation of responsibilities in managing risk

• The Chairman shall ensure that all approvals are in place and are adequate

• Risk Management Committee shall constantly review and update risk management guidelines

• BOD shall review and approve recommendations

• Development of new products shall have to be approved by the BOD

RISK ASSESSMENT

• Risk management should be included in the bank’s audit program

• The auditor shall accomplish the Risk Assessment Report

• The auditor shall discuss the Risk Assessment Report with the department head or officer-in-charge

• The internal auditor and the risk management team shall recommend appropriate actions to address the risk

• Targets shall have to be set for reducing the bank’s exposure to the risk; accomplishment of these targets shall be monitored and results reported to top management

THANK YOU