Clifford wilke
  • This presentation focuses on Internet Banking as an extension of a bank’s delivery network for traditional consumer, retail and wholesale/commercial services. This is a baseline presentation designed for banker outreach activities to overview Internet banking trends, highlight key Risk Management practices banks should consider and raise awareness on OCC Internet banking supervisory activities. Due to the rapid evolution of Internet and Electronic banking, the audience may ask specific technical questions that are beyond the scope of this presentation and may require a greater degree of technical expertise to answer. Note: This presentation was last updated May 15, 2000.
  • This slide should be your Presentation Title Slide, the first slide of your presentation. It should also be the last slide of your presentation. To insert a Title, double click on the “Insert Title” box in the template. Highlight the words “Insert Title” by clicking at the beginning of the box and dragging your mouse across the words. With the words highlighted, type in your title. The format allows two lines for a primary title and one for a subtitle. If you only need one title line, delete the top “Insert Title (If Applicable)” box. Also, if you do not use the subtitle box, delete it. Communication Tips: Giving text the right look can have an impact on the appearance of the presentation. Using too many fonts on the same slide looks unprofessional. Choose a font that is easy to read and projects well. Use bold type for titles and medium for subtitles. Design Notes: The “Full OCC Presentation Signature” (Broken Doughnut, Comptroller…, Administrator…, and Column) appears only on the first, last and contact slides. The Column is used on all slides that contain only text. All the slides except for the first and last have the “Faded Broken Doughnut Signature” in the bottom right corner. Slides with graphs, photos and text should not have the Column, only the “Faded Broken Doughnut Signature”.
  • Management’s service provider or software vendor selection process should include: Risk Assessment; Due Diligence; Contract Requirements; Oversight Program. FFIEC is developing guidance to outline this process. The driving force behind the development of the Interagency guidance is the set of concerns highlighted by banks implementing Internet Banking strategies. These strategies involve traditional service providers/software vendors used to working with a regulated institution, but also companies that are new to dealing with a regulated entity or are simply new companies. The newer companies may not have much of a financial history. Also, we are seeing an increasing reliance on strategic alliances. IMPORTANT TO EMPHASIZE PROCESS NATURE.

    2. Wireless Banking
       April 1, 2003
       Clifford A. Wilke, Director of Bank Technology, Office of the Comptroller of the Currency, Washington, DC

    3.
       • The views and opinions expressed in this presentation do not necessarily represent the views and directives of the Office of the Comptroller of the Currency or the Office of the Director of the Bank Technology Division.

    4. Wireless Banking Motivations
       • Banks and financial service companies are offering wireless account access
         • Extension of internet applications
         • Delivery to highly portable cell phones & personal digital assistants
           • More people getting devices
           • Features improving as technologies advance
         • Improve customer retention rates, especially among technology-oriented customers

    5. Wireless Banking Methods
       • Retail Delivery
         • PCs relying on non-bank-owned wireless LANs or cell phone dial-in to access internet banking products
         • Mobile devices (e.g., cell phones, PDAs) accessing banking products customized to smaller form factors
           • Application support outsourced
         • Services range from full internet banking services to limited balance inquiry, funds transfer, bill pay & brokerage

    6. Wireless Link
       • Retail Delivery
         • Wireless LANs rely on unlicensed radio frequencies and IEEE 802.11 standards
         • Cell phone delivery relies on licensed radio frequencies and evolving voice-to-data focused delivery standards

    7. Challenges
       • Security
       • Systems Development and Life Cycle Management
       • Performance
       • Return on investment

    8. Reported Data Security Incidents
       Source: CERT/CC; statistics are not limited to the banking industry and include all reported incidents

    9. Identity Theft
       • 86,200 identity theft incidents last year, up from 31,000 the prior year
       • The cost to consumers averaged $1,200 per crime
       • Some incidences required victims to spend up to three years communicating with lenders and credit bureaus to straighten out records.
       • Source: Issue 771, Sept. 2002, of The Nilson Report, p. 9 (FTC data)

    10. Banking Risks
       • Same inherent risks and issues as Internet Banking; primary risks affected:
         • Strategic
         • Transaction
         • Reputation
         • Compliance

    11. Strategic Risk
       • Determining wireless banking’s role in delivering products and services
       • Defining risk versus reward goals and objectives
         • Is the reward added revenue, saving lost revenues, and/or increased efficiency?
         • Are capital expenditures (at purchase and retirement), maintenance and operating costs less than the reward (i.e., income)?

    12. Strategic Risk
       • Implementing emerging e-banking strategies
         • First mover (“bleeding edge”) vs. wait and see (permanently lose market share)
         • Ease of implementing an outsourced solution to keep up with the competition
           • Financial stability of vendors
         • Uncertain customer acceptance
       • Using standards not designed for secure banking environment needs
       • Rapidly changing technology standards
       • Expertise

    13. Transaction Risk
       • Security Issues
       • Wireless transmission encryption
         • Standards retrofitted once security became an issue
         • Designed to protect transmitted data from unauthorized access/use
         • Early standards 802.11 and Wireless Access Protocols (i.e., WAP) have known vulnerabilities
         • Potential need to upgrade equipment as standards change

    14. Transaction Risk
       • Security Issues
       • Access codes stored on the device may allow account access if the device is lost or accessed
       • User names and passwords may be entered in clear view on the screen
       • Customer acceptance of alphanumeric PINs
         • Mobile phones require pressing a number key multiple times for certain letters, which may be challenging even if the display is not asterisked out (i.e., ****)

    15. Transaction Risk
       • Security: Lessons Reinforced
       • Unproven standards can have security weaknesses
         • Risk of external attacks increases as services expand to allow greater access to systems
         • Companies need to maintain knowledge of attack techniques, known and newly identified
       • End-to-end security is key
         • Do not rely on wireless transport layer security for banking application security
       • Need effective change management processes
       • Encourage customers to use good PIN/password management practices
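Slides 13 through 15 make the point that wireless transport encryption (802.11, WAP) should not be the only protection on a banking transaction and that security has to be end-to-end. The following Python is an added example, not code from the presentation or from the OCC, showing one way a bank application can authenticate each request independently of the radio link: an HMAC-SHA256 tag over a nonce and the canonical request body, keyed with a per-session key established at login (the key value here is a constructed placeholder, and the session setup itself is out of scope). A hop that can read the message after transport decryption, modelled by the hypothetical `gateway_tampers` function, cannot change the amount without invalidating the tag, and a repeated nonce is rejected as a replay. The message format and function names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed session key: in practice it is derived during customer login and
# is never stored in clear on the handset (see slide 14). Placeholder value only.
SESSION_KEY = bytes.fromhex("0f" * 32)


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so client and bank MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(session_key: bytes, payload: dict, nonce: Optional[bytes] = None) -> dict:
    """Client side: attach a fresh nonce and an HMAC-SHA256 tag over nonce || body.

    The tag does not depend on any transport-layer encryption, so it survives a
    gateway that decrypts and re-encrypts (or forwards in clear) between the
    radio segment and the bank.
    """
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    tag = hmac.new(session_key, nonce + canonical(payload), hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "payload": payload, "tag": tag}


def verify_request(session_key: bytes, msg: dict, seen_nonces: set) -> bool:
    """Bank side: recompute the tag, reject on mismatch, malformed input or nonce reuse."""
    try:
        nonce = bytes.fromhex(msg["nonce"])
        expected = hmac.new(session_key, nonce + canonical(msg["payload"]), hashlib.sha256).hexdigest()
        tag = msg["tag"]
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
        return False          # body or tag altered in transit
    if msg["nonce"] in seen_nonces:
        return False          # replay of a message already accepted
    seen_nonces.add(msg["nonce"])
    return True


def gateway_tampers(msg: dict) -> dict:
    """Hypothetical untrusted hop (constructed for the example) that can read the
    message after transport decryption and rewrites the transfer amount. It cannot
    recompute the tag because it does not hold the session key."""
    altered = json.loads(json.dumps(msg))   # deep copy
    altered["payload"]["amount"] = "9999.00"
    return altered


def demo() -> dict:
    """Run the three cases: genuine request, tampered request, replayed request."""
    seen = set()
    payload = {"op": "transfer", "from": "1001", "to": "2002", "amount": "25.00"}
    msg = sign_request(SESSION_KEY, payload, nonce=b"\x01" * 16)   # fixed nonce for determinism
    genuine = verify_request(SESSION_KEY, msg, seen)
    tampered = verify_request(SESSION_KEY, gateway_tampers(msg), seen)
    replayed = verify_request(SESSION_KEY, msg, seen)
    return {"genuine": genuine, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'replayed': False}
```

The design point is that the check is performed by the bank application against a key only the customer session and the bank share, so the protection does not end where the wireless transport's encryption ends; transport security is still worthwhile for confidentiality, but it is not what the application trusts for integrity or authenticity.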
    16. Transaction and Reputation Risk
       • Outsourcing
       • Access to expertise
         • Knowledge of wireless communication standards and encryption methods
         • Developing and converting existing products and services for wireless transmission and use
         • Effect of device characteristics
           • Smaller screens
           • Button or stylus commands

    17. Reputation Risk
       • Reliability of delivery network
         • Customer acceptance of no service due to telecommunications issues when they are in areas where they expect service (consumer expectations)
         • Processing and handling of interrupted transactions
       • Integration of wireless applications with existing products and services

    18. Compliance Issues
       • Disclosures
       • Wireless banking devices are easier to lose and may increase the potential for unauthorized usage
         • Types of services offered affect the level of risk (e.g., P2P payments increase risk)
       • Privacy concerns from location-based services

    19. GLBA Compliance
       • Primary Elements of Information Security Program
         • Involve Board of Directors
         • Assess Risk
         • Manage and Control Risk (including testing)
         • Oversee Service Providers
         • Adjust Program

    20. Characteristics of Good Risk Management
       • Sound definitions of acceptable risk
       • Ownership of the risk assessment
       • Explicitly accept risks
       • Identify key controls
       • Create a test plan and follow up on results
       • Ongoing Board involvement
       • Active vendor management
       • Sufficient technical expertise
       • Appropriate business continuity planning

    21. Industry Initiatives
       • Many companies have strong policies in place to maintain their position of trust
       • The reputational risk of the company and loss of market share are at stake
       • Financial exposure is real

    22. Best Practices
       • Secure architecture
       • Vulnerability management
       • Intrusion detection
       • Information sharing
       • Training and awareness
       • Regular testing, reporting, improving

    23. What’s Next: We Need to Focus On
       • Security
       • Authentication and Verification
       • Proper Due Diligence and Complete Understanding of the Issues
       • Prepare now for what is ahead
       • New Entrants into the Marketplace
       • International Perspective in the New World

    24. OCC Technology Issuances
       • FFIEC Information Security Booklet (February 2003)
       • Electronic Banking Final Rule (May 2002)
       • Bank Use of Foreign-Based Service Providers (May 2002)
       • ACH Transactions Involving the Internet (January 2002)
       • Authentication in an E-Banking Environment (July 2001)
       • Weblinking (July 2001)
       • Alert: Network Security (April 2001)
       • GLBA Guidelines to Safeguard Customer Information (Feb 2001)
       • Risk Management of Outsourced Technology Services (Nov 2000)
       • Infrastructure Threats: Intrusion Detection (May 2000)
       • Alert: Distributed Denial of Service (February 2000)
       • Alert: Internet Domain Names (July 2000)
       • Infrastructure Threats from Cyber-Terrorists (99-9)
       • Technology Risk Management: PC Banking (98-38)
       • Technology Risk Management (98-3)

    26. Summary
       • Safety, Soundness and Responsibility will remain the primary driver