Risk Management

Risk Management. Risk Categories Strategic Credit Market Liquidity Operational Compliance/legal/regulatory Reputation.

Dec 22, 2015

Page 1

Risk Management

Page 2

Risk Categories

Strategic

Credit

Market

Liquidity

Operational

Compliance/legal/regulatory

Reputation

Page 3

Operational Risk

Inadequate Information Systems

Breaches in internal controls

Fraud

Unforeseen catastrophes

The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.

Page 4

Inadequate Information Systems

General Risks

Physical access to the hardware

Logical access to the IT systems

Capacity management - prevents bottlenecks in all relevant system components

Emergency management

Insufficient backup recovery measures - mitigate the consequences of system failures

Page 5

Inadequate Information Systems

Application-oriented risks

1. Data not correctly recorded due to system errors

2. Data not correctly stored during period of validity

3. Relevant data are not correctly included

4. Calculations which are basis for information are not correct

5. Due to systems failures the information processed by the application is not available in time.

Page 6

Fraud Management

Categories

1. Check Fraud

2. Debit card Fraud

3. Electronic Payment Fraud

4. ATM Deposit Fraud

5. Account Take-over/Identity Theft

Page 7

From: http://www.newarchitectmag.com

Page 8

Fraud Management Systems

JAM (Java Agents for Meta Learning)

Page 9

Obstacles in detecting Fraud

Financial or Human resource shortage

High volumes of claims, transactions or other information to be analyzed

Cookie-cutter detection methods that miss new or unusual instances

Lack of in-house expertise or training

Page 10

Risk Management in E-Banking

Page 11

Technology Developments

Advances in communications provide networked global access to information and delivery of products/services

Internet has reached critical mass (60% of U.S. households)

Some banks have 25 percent of customers banking online

Increased competition from other industries and abroad

Greater reliance on third party providers

Advances in technology make the component functions of banking more easily divisible

www.occ.treas.gov

Page 12

[Figure: Growth in Number of National Banks that Have Transactional Websites. Chart with percentage axis from 10% to 50%; time axis labels: Sep-99, Jul-00, Dec-00, YTD Mar-01, 1-Jun; data labels as extracted: 41%, 44%, 37%, 21%, 32%.]

Source: Office of the Comptroller of the Currency. “Transactional web sites” are defined as bank web sites that allow customers to transact business. This may include accessing accounts, transferring funds, applying for a loan, establishing an account, or performing more advanced activities.

Page 13

Technology-based Banking Products & Services

Balance inquiry

Transaction information

Funds transfer

Cash Management

Bill payment

Bill presentment

Loan applications

Stored Value - application: Stored-value cards are a substitute for cash, gift certificates and check payments. Monetary value is added to the stored-value account before the card is used, with the value either being funded by the cardholder directly, or by the card program operator in commercial applications.

www.occ.treas.gov

Page 14

Technology-based Banking Products & Services

Aggregation

Electronic Finder

Automated clearinghouse (ACH) Transactions

Internet Payments

Wireless Banking

Certification Authority

Data Storage - Digital Data Storage (DDS) is a format for storing and backing up computer data on tape that evolved from the Digital Audio Tape (DAT) technology.

Page 15

Key Technology Risks

Vendor Risk Issues

Security, Data Integrity, and Confidentiality

Authentication, Identity Verification, and Authorization

Strategic and Business Risks

Business Continuity Planning

Permissibility, Compliance, Legal Issues, and Computer Crimes

Cross Border and International Banking

www.occ.treas.gov

Page 16

Security and Privacy

Increases in security events and vulnerabilities

According to the 2001 FBI/CSI survey, 70% reported that the Internet is the point of cyber attacks, up from 59% in 2000

Gramm-Leach-Bliley Act of 1999 requires banks to establish administrative, technical & physical safeguards to protect the privacy of customers’ nonpublic customer records and information

www.occ.treas.gov

Page 17

Key Elements of Security Program

Reviewing physical and logical security:

Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlled

Seek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized access

Maintain knowledge of current threats facing the bank and the vulnerabilities to systems

Assess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best practice levels

www.occ.treas.gov

Page 18

Key Elements of Security Program

Reviewing physical and logical security (cont’d):

Verify the identity of new employees, contractors, or third parties accessing your systems or facilities. If warranted, perform background checks.

Evaluate whether physical access to all facilities is adequate.

Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.

www.occ.treas.gov

Page 19

Authentication

Reliable customer authentication is imperative for E-banking

Effective authentication can help banks reduce fraud, reputation risk, disclosure of customer information, and promote the legal enforceability of their electronic agreements

Methods to authenticate customers:

Passwords & PINs

Digital certificates & PKI (Public Key Infrastructure)

Physical devices such as tokens

Biometric identifiers

www.occ.treas.gov

Page 20

OCC Technology Risks Supervision Program

The Office of the Comptroller of the Currency charters, regulates, and supervises national banks to ensure a safe, sound, and competitive banking system that supports the citizens, communities, and economy of the United States.

Guidance -- Focus on risk analysis, measurement, controls, and monitoring

Risk-based examinations of banks and third party service providers (as authorized by the Bank Service Company Act of 1962)

Training and Technology Integration Project

External outreach and co-ordination

Licensing process for Internet-primary banks and novel activities

www.occ.treas.gov

Page 21

References

www.occ.treas.gov

www.newarchitectmag.com

http://www.cs.columbia.edu/~sal/JAM/PROJECT/

Gerrit Jan van den Brink (2002), Operational Risk: The challenge for banks.

http://dinkla.net/fraud/products.html