|Title:||Basel Committee on Banking Supervision – Risk Management Principles for Electronic Banking
Note: an earlier version of this document was released in May 2001, but has since been superseded.
(For the superseded version of May 2001 see:
|Topic:||Risk Management principles issued by the Basel Committee, specifically with regard to e-banking applications being offered.|
|Direct / indirect relevance||Direct. The text focuses on financial RM/RA practices, with a specific emphasis on the resulting obligations with regard to information/network security.|
|Scope:||The document is a statement of principles from the Basel Committee, whose members hail from Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, Spain, Sweden, Switzerland, the United Kingdom and the United States. However, the Committee has no formal authority (not even to banking institutions within these countries), and its decisions are not legally binding.|
|Legal force:||Not legally binding, but considered highly authoritative|
|Affected sectors:||e-Banking sector|
|Relevant provision(s):||The document is relevant in its entirety, and states a number of guiding principles on how general rules of RM/RA (as already formulated and applied by banks) apply to e-banking. It calls upon the banks’ management to ensure that the principles are observed in practice.
The document states fourteen high level RM/RA principles, but does not define specific rules, technologies or standards, to ensure that the principles can be applied throughout the sector, regardless of an institute’s risk profile.
The principles are divided into three broad categories: Board and Management Oversight; Security Controls; and Legal and Reputational Risk Management:
“Board and Management Oversight
Because the Board of Directors and senior management are responsible for developing the institution's business strategy and establishing an effective management oversight over risks, they are expected to take an explicit, informed and documented strategic decision as to whether and how the bank is to provide e-banking services. The initial decision should include the specific accountabilities, policies and controls to address risks, including those arising in a cross-border context. Effective management oversight is expected to encompass the review and approval of the key aspects of the bank's security control process, such as the development and maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. It also should include a comprehensive process for managing risks associated with increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform critical e-banking functions.
While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking. This should include establishing appropriate authorisation privileges and authentication measures, logical and physical access controls, adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities and data integrity of transactions, records and information. In addition, the existence of clear audit trails for all e-banking transactions should be ensured and measures to preserve confidentiality of key e-banking information should be appropriate with the sensitivity of such information.
Although customer protection and privacy regulations vary from jurisdiction to jurisdiction, banks generally have a clear responsibility to provide their customers with a level of comfort regarding information disclosures, protection of customer data and business availability that approaches the level they can expect when using traditional banking distribution channels. To minimise legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should make adequate disclosure of information on their web sites and take appropriate measures to ensure adherence to customer privacy requirements applicable in the jurisdictions to which the bank is providing e-banking services.
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimise operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers' expectations, banks should therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.”
(Source: see http://www.bis.org/publ/bcbs98.htm)
|Relevance to RM/RA:||The document is not legally binding as such. However, due to its authoritative source, public renown and general applicability, failure to pay sufficient attention to any of the fourteen principles or to any of the three categories should be considered indicative of serious negligence in RM/RA practices.|