risk management fore-banking

23
Risk Management Principles for Electronic Banking

description

 

Transcript of risk management fore-banking

Page 1: risk management fore-banking

Risk ManagementPrinciples for Electronic

Banking

Todayrsquos presentation will cover

Risk Management Principles for Electronic Banking (BIS Jul 2003)

1048714 Board and Management Oversight

1048714 Security Controls1048714 Legal and Reputational Risk Management

Risk management challenges

middot the unprecedented speed of change related to technological and customer service innovation

middot the ubiquitous and global nature of open electronic network

middot the integration of e-banking applications with legacy computer systems and

middot the increasing dependence of banks on third parties that provide the necessary information technology

Risk Management Principles for Electronic Banking

3 Broad Principle categories

Board and Management Oversight (Principles 1 to 3)

Security Controls (Principles 4 to 10)

Legal and Reputational Risk Management (Principles 11 to 14)

Board and Management Oversight (Principles 1 to 3)

Board and Management Oversight ldquoBoard of Directors and senior management hellip are

expected to take an explicit informed and documented strategic decision as to whether and how the bank is to provide e-banking servicesrdquo

[1] Effective Management oversight of e-banking activities

[2] Establishment of a comprehensive security control process

[3] Comprehensive due(مطلوب) diligence(اجتهاد) and management oversight process for outsourcing relationships and other 3rd party dependencies

Security Controls (Principles 4 to 10)

The areas that require ldquospecial management attentionrdquo

4 Authentication of e-banking customers5 Non-repudiation and accountability for e-banking

transactions6 Appropriate measures to ensure segregation of duties7 Proper authorisation controls within e-banking

systems databases and applications8 Data integrity of e-banking transactions records and

information9 Establishment of clear audit trails for e-banking

transactions10 Confidentiality of key bank information

ldquoBanks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts over the Internetrdquo ldquoBanks should

use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactionsldquoBanks should

ensure that clear audit trails exist for all e-banking transactions

ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted andor stored in databases

Basel Principles of Risk Management for Electronic Banking

Authentication

Privacy

Integrity

Non-Repudiation

Legal and Reputational Risk Management (Principles 11 to 14) The indirect risk areas that must be

addressed11 Appropriate disclosures for e-banking

services12 Privacy of customer information13 Capacity business continuity and

contingency planning to ensure availability of e-banking systems and services

14 Incident response planning

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 2: risk management fore-banking

Todayrsquos presentation will cover

Risk Management Principles for Electronic Banking (BIS Jul 2003)

1048714 Board and Management Oversight

1048714 Security Controls1048714 Legal and Reputational Risk Management

Risk management challenges

middot the unprecedented speed of change related to technological and customer service innovation

middot the ubiquitous and global nature of open electronic network

middot the integration of e-banking applications with legacy computer systems and

middot the increasing dependence of banks on third parties that provide the necessary information technology

Risk Management Principles for Electronic Banking

3 Broad Principle categories

Board and Management Oversight (Principles 1 to 3)

Security Controls (Principles 4 to 10)

Legal and Reputational Risk Management (Principles 11 to 14)

Board and Management Oversight (Principles 1 to 3)

Board and Management Oversight ldquoBoard of Directors and senior management hellip are

expected to take an explicit informed and documented strategic decision as to whether and how the bank is to provide e-banking servicesrdquo

[1] Effective Management oversight of e-banking activities

[2] Establishment of a comprehensive security control process

[3] Comprehensive due(مطلوب) diligence(اجتهاد) and management oversight process for outsourcing relationships and other 3rd party dependencies

Security Controls (Principles 4 to 10)

The areas that require ldquospecial management attentionrdquo

4 Authentication of e-banking customers5 Non-repudiation and accountability for e-banking

transactions6 Appropriate measures to ensure segregation of duties7 Proper authorisation controls within e-banking

systems databases and applications8 Data integrity of e-banking transactions records and

information9 Establishment of clear audit trails for e-banking

transactions10 Confidentiality of key bank information

ldquoBanks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts over the Internetrdquo ldquoBanks should

use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactionsldquoBanks should

ensure that clear audit trails exist for all e-banking transactions

ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted andor stored in databases

Basel Principles of Risk Management for Electronic Banking

Authentication

Privacy

Integrity

Non-Repudiation

Legal and Reputational Risk Management (Principles 11 to 14) The indirect risk areas that must be

addressed11 Appropriate disclosures for e-banking

services12 Privacy of customer information13 Capacity business continuity and

contingency planning to ensure availability of e-banking systems and services

14 Incident response planning

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 3: risk management fore-banking

Risk management challenges

middot the unprecedented speed of change related to technological and customer service innovation

middot the ubiquitous and global nature of open electronic network

middot the integration of e-banking applications with legacy computer systems and

middot the increasing dependence of banks on third parties that provide the necessary information technology

Risk Management Principles for Electronic Banking

3 Broad Principle categories

Board and Management Oversight (Principles 1 to 3)

Security Controls (Principles 4 to 10)

Legal and Reputational Risk Management (Principles 11 to 14)

Board and Management Oversight (Principles 1 to 3)

Board and Management Oversight ldquoBoard of Directors and senior management hellip are

expected to take an explicit informed and documented strategic decision as to whether and how the bank is to provide e-banking servicesrdquo

[1] Effective Management oversight of e-banking activities

[2] Establishment of a comprehensive security control process

[3] Comprehensive due(مطلوب) diligence(اجتهاد) and management oversight process for outsourcing relationships and other 3rd party dependencies

Security Controls (Principles 4 to 10)

The areas that require ldquospecial management attentionrdquo

4 Authentication of e-banking customers5 Non-repudiation and accountability for e-banking

transactions6 Appropriate measures to ensure segregation of duties7 Proper authorisation controls within e-banking

systems databases and applications8 Data integrity of e-banking transactions records and

information9 Establishment of clear audit trails for e-banking

transactions10 Confidentiality of key bank information

ldquoBanks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts over the Internetrdquo ldquoBanks should

use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactionsldquoBanks should

ensure that clear audit trails exist for all e-banking transactions

ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted andor stored in databases

Basel Principles of Risk Management for Electronic Banking

Authentication

Privacy

Integrity

Non-Repudiation

Legal and Reputational Risk Management (Principles 11 to 14) The indirect risk areas that must be

addressed11 Appropriate disclosures for e-banking

services12 Privacy of customer information13 Capacity business continuity and

contingency planning to ensure availability of e-banking systems and services

14 Incident response planning

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 4: risk management fore-banking

Risk Management Principles for Electronic Banking

3 Broad Principle categories

Board and Management Oversight (Principles 1 to 3)

Security Controls (Principles 4 to 10)

Legal and Reputational Risk Management (Principles 11 to 14)

Board and Management Oversight (Principles 1 to 3)

Board and Management Oversight ldquoBoard of Directors and senior management hellip are

expected to take an explicit informed and documented strategic decision as to whether and how the bank is to provide e-banking servicesrdquo

[1] Effective Management oversight of e-banking activities

[2] Establishment of a comprehensive security control process

[3] Comprehensive due(مطلوب) diligence(اجتهاد) and management oversight process for outsourcing relationships and other 3rd party dependencies

Security Controls (Principles 4 to 10)

The areas that require ldquospecial management attentionrdquo

4 Authentication of e-banking customers5 Non-repudiation and accountability for e-banking

transactions6 Appropriate measures to ensure segregation of duties7 Proper authorisation controls within e-banking

systems databases and applications8 Data integrity of e-banking transactions records and

information9 Establishment of clear audit trails for e-banking

transactions10 Confidentiality of key bank information

ldquoBanks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts over the Internetrdquo ldquoBanks should

use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactionsldquoBanks should

ensure that clear audit trails exist for all e-banking transactions

ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted andor stored in databases

Basel Principles of Risk Management for Electronic Banking

Authentication

Privacy

Integrity

Non-Repudiation

Legal and Reputational Risk Management (Principles 11 to 14) The indirect risk areas that must be

addressed11 Appropriate disclosures for e-banking

services12 Privacy of customer information13 Capacity business continuity and

contingency planning to ensure availability of e-banking systems and services

14 Incident response planning

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 5: risk management fore-banking

Board and Management Oversight (Principles 1 to 3)

Board and Management Oversight ldquoBoard of Directors and senior management hellip are

expected to take an explicit informed and documented strategic decision as to whether and how the bank is to provide e-banking servicesrdquo

[1] Effective Management oversight of e-banking activities

[2] Establishment of a comprehensive security control process

[3] Comprehensive due(مطلوب) diligence(اجتهاد) and management oversight process for outsourcing relationships and other 3rd party dependencies

Security Controls (Principles 4 to 10)

The areas that require ldquospecial management attentionrdquo

4 Authentication of e-banking customers5 Non-repudiation and accountability for e-banking

transactions6 Appropriate measures to ensure segregation of duties7 Proper authorisation controls within e-banking

systems databases and applications8 Data integrity of e-banking transactions records and

information9 Establishment of clear audit trails for e-banking

transactions10 Confidentiality of key bank information

ldquoBanks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts over the Internetrdquo ldquoBanks should

use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactionsldquoBanks should

ensure that clear audit trails exist for all e-banking transactions

ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted andor stored in databases

Basel Principles of Risk Management for Electronic Banking

Authentication

Privacy

Integrity

Non-Repudiation

Legal and Reputational Risk Management (Principles 11 to 14) The indirect risk areas that must be

addressed11 Appropriate disclosures for e-banking

services12 Privacy of customer information13 Capacity business continuity and

contingency planning to ensure availability of e-banking systems and services

14 Incident response planning

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 6: risk management fore-banking

Security Controls (Principles 4 to 10)

The areas that require ldquospecial management attentionrdquo

4 Authentication of e-banking customers5 Non-repudiation and accountability for e-banking

transactions6 Appropriate measures to ensure segregation of duties7 Proper authorisation controls within e-banking

systems databases and applications8 Data integrity of e-banking transactions records and

information9 Establishment of clear audit trails for e-banking

transactions10 Confidentiality of key bank information

ldquoBanks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts over the Internetrdquo ldquoBanks should

use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactionsldquoBanks should

ensure that clear audit trails exist for all e-banking transactions

ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted andor stored in databases

Basel Principles of Risk Management for Electronic Banking

Authentication

Privacy

Integrity

Non-Repudiation

Legal and Reputational Risk Management (Principles 11 to 14) The indirect risk areas that must be

addressed11 Appropriate disclosures for e-banking

services12 Privacy of customer information13 Capacity business continuity and

contingency planning to ensure availability of e-banking systems and services

14 Incident response planning

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 7: risk management fore-banking

ldquoBanks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts over the Internetrdquo ldquoBanks should

use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactionsldquoBanks should

ensure that clear audit trails exist for all e-banking transactions

ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted andor stored in databases

Basel Principles of Risk Management for Electronic Banking

Authentication

Privacy

Integrity

Non-Repudiation

Legal and Reputational Risk Management (Principles 11 to 14) The indirect risk areas that must be

addressed11 Appropriate disclosures for e-banking

services12 Privacy of customer information13 Capacity business continuity and

contingency planning to ensure availability of e-banking systems and services

14 Incident response planning

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 8: risk management fore-banking

Legal and Reputational Risk Management (Principles 11 to 14) The indirect risk areas that must be

addressed11 Appropriate disclosures for e-banking

services12 Privacy of customer information13 Capacity business continuity and

contingency planning to ensure availability of e-banking systems and services

14 Incident response planning

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 9: risk management fore-banking

Board and Management OversightPrinciple 1 management oversight The Board of Directors and senior

management should establish effective management oversight over the risks associated with e-banking activities including the establishment of specific accountability policies and controls to manage these risks

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 10: risk management fore-banking

Board and Management Oversight

Principle 2 Establishment of a comprehensive security control process

The Board of Directors and senior management should review and approve the key aspects of the banks security control process

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 11: risk management fore-banking

Board and Management Oversight

Principle 3management oversight process for outsourcing relationships and other third-party dependencies

The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the banks outsourcing relationships and other third-party dependencies supporting e-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 12: risk management fore-banking

Security ControlsPrinciple 4 Authentication ldquoBanks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internetrdquo

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 13: risk management fore-banking

Security Controls

Principle 5 Non-repudiation and accountability

ldquoBanks should use transaction authentication methods that promote) encourage support actively (a cause process desired result etc)(non-repudiation and establish accountability for e-banking transactionsrdquo

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 14: risk management fore-banking

Security ControlsPrinciple 6 Segregation of duties

ldquoBanks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems databases and applicationsrdquo

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 15: risk management fore-banking

Security Controls

Principle 7 Authorisation controls

ldquoBanks should ensure that proper authorisation controls and access privileges) a monopoly or patentامتياز granted to an individual corporation etc( are in place for e-banking systems databases and applicationsrdquo

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 16: risk management fore-banking

Security ControlsPrinciple 8 Data Integrity ldquoBanks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions records and informationrdquo

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 17: risk management fore-banking

Security ControlsPrinciple 9 Audit trails ldquoBanks should ensure that clear audit trails exist for all e-banking transactionsrdquo

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 18: risk management fore-banking

Security Controls

Principle 10 Confidentiality ldquoBanks should take appropriate measures to preserve the confidentiality of key e-banking information Measures taken to preserve confidentiality should be commensurate( مع with the (متناسبsensitivity of the information being transmitted andor stored in databasesrdquo

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 19: risk management fore-banking

Legal and Reputational Risk Management

Principle 11 Appropriate disclosures for e-banking services

Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the banks identity and regulatory status of the bank prior to entering into e-banking transactions

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 20: risk management fore-banking

Legal and Reputational Risk Management

Principle 12 Privacy of customer information

Banks should take appropriate measures to ensure adherence to( اخالص customer privacy (والءrequirements applicable to the jurisdictions to which the bank is providing e-banking products and services

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 21: risk management fore-banking

Legal and Reputational Risk Management

Principle 13 Capacity business continuity and contingency planning to ensure the availability of e-banking systems and services

Banks should have effective capacity business continuity and contingency planning processes to help ensure the availability of e-banking systems and services

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 22: risk management fore-banking

Legal and Reputational Risk Management

Principle 14 Incident response planning

Banks should develop appropriate incident response plans to manage contain and minimize problems arising from unexpected events including internal and external attacks that may hamper(يعرقل) the provision of e-banking systems and services

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary
Page 23: risk management fore-banking

SummaryThe rapid development of e-banking

capabilities carries risks as well as benefitsthe Committee has identified fourteen Risk

Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities

These Risk Management Principles are not put forth as absolute requirements or even best practiceldquo

These Principles issued by the Committee do not attempt to set specific technical solutions or standards relating to e-banking

  • Risk Management Principles for Electronic Banking
  • Todayrsquos presentation will cover
  • Risk management challenges
  • Slide 4
  • Board and Management Oversight (Principles 1 to 3)
  • Security Controls (Principles 4 to 10)
  • Slide 7
  • Legal and Reputational Risk Management (Principles 11 to 14)
  • Board and Management Oversight
  • Slide 10
  • Slide 11
  • Security Controls
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Legal and Reputational Risk Management
  • Slide 20
  • Slide 21
  • Slide 22
  • Summary