Electronic Banking:

Enhancing Federal Oversight of Internet Banking Activities

GGD-99-91: Published: Jul 6, 1999. Publicly Released: Aug 3, 1999.


Contact:

Thomas J. McCool
(202) 512-8678
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed federal oversight of depository institutions' Internet banking activities, focusing on: (1) the risks posed by Internet banking and the extent of any industrywide Internet banking-related problems; (2) the methods used by regulators to track depository institutions' plans to provide Internet banking services; (3) how regulators examined Internet banking activities; and (4) the extent to which regulators examined firms providing Internet banking support services to depository institutions.

GAO noted that: (1) Internet banking heightens various types of traditional banking risks of concern to regulators, including strategic, compliance, security, reputation, and transactional risks; (2) as provided in regulatory guidance to banks, savings and loan associations, and credit unions, these risks should be managed through implementation of risk management systems that emphasize active board and senior management oversight, effective internal controls, and comprehensive and ongoing internal audit programs; (3) examinations of Internet banking that GAO reviewed found that some depository institutions were not taking all the necessary precautions to mitigate Internet banking risks; (4) while deficiencies were found, none of these examinations reported any financial losses or security breaches; (5) during GAO's review, too few examinations had been completed to identify the extent of any industrywide Internet banking-related problems; (6) regulators use a variety of methods to identify depository institutions that are already offering Internet banking services, but only two regulators had systematically obtained centralized information on depository institutions' plans to provide such services and had a database of this information at the time of GAO's review; (7) the Office of Thrift Supervision recently established a requirement that depository institutions: (a) notify it in advance of plans to establish a transactional Web site; and (b) report their Web site address in quarterly Thrift Financial Report filings; (8) the Federal Deposit Insurance Corporation developed a centralized database that contains information on a depository institution's plans to provide Internet banking services; (9) most regulators were developing, testing, or implementing new on-line banking examination procedures, which included procedures for examinations of Internet banking, and most had conducted at least some examinations of depository institutions' Internet banking operations; (10) the Federal Reserve System (FRS) and the Office of the Comptroller of the Currency do not require that an institution's new Internet banking activity be thoroughly examined; (11) the National Credit Union Administration (NCUA) was the only regulator that had not developed requirements and procedures for Internet banking examinations; and (12) each regulator has the authority to examine depository institutions' banking services provided by a third party and, to avoid duplication of effort, regulators often cooperate in examining third-party firms.

Matter for Congressional Consideration

  1. Status: Closed - Not Implemented

    Comments: No action has been initiated.

    Matter: Congress may wish to consider whether NCUA's authority to examine the performance of services provided to credit unions by third-party firms is needed to ensure the safety and soundness of credit unions and, thus, should be extended beyond December 31, 2001.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help regulators better understand the extent of risks posed by Internet banking and to more effectively evaluate examination methods and procedures, as more experience is gained in conducting examinations of Internet banking services, the heads of the banking regulatory agencies should share information on the problems depository institutions have had in operating Internet banking activities as well as which Internet banking examinations methods and procedures they find to be most efficient and effective.

    Agency Affected: Federal Deposit Insurance Corporation

  2. Status: Closed - Implemented

    Comments: In commenting on a draft of this report, the Director of the Office of Thrift Supervision agreed with the recommendation. OTS has shared its Internet banking examination procedures with FFIEC's Information Systems Subcommittee. OTS is having ongoing discussions with the other FFIEC agencies, and is sharing its Internet banking examination findings with the other FFIEC agencies on an informal basis.

    Recommendation: To help regulators better understand the extent of risks posed by Internet banking and to more effectively evaluate examination methods and procedures, as more experience is gained in conducting examinations of Internet banking services, the heads of the banking regulatory agencies should share information on the problems depository institutions have had in operating Internet banking activities as well as which Internet banking examinations methods and procedures they find to be most efficient and effective.

    Agency Affected: Federal Deposit Insurance Corporation

  3. Status: Closed - Implemented

    Comments: In commenting on a draft of this report, the NCUA stated that the report effectively described the risks imposed by Internet Financial Services. NCUA participates in the FFIEC Information System Subcommittee that is updating the FFIEC Information System Examination Handbook to include procedures on examining Internet banking activities. NCUA also participates in an FFIEC ad hoc committee that conducts joint examinations of Internet banking vendors.

    Recommendation: To help regulators better understand the extent of risks posed by Internet banking and to more effectively evaluate examination methods and procedures, as more experience is gained in conducting examinations of Internet banking services, the heads of the banking regulatory agencies should share information on the problems depository institutions have had in operating Internet banking activities as well as which Internet banking examinations methods and procedures they find to be most efficient and effective.

    Agency Affected: Department of the Treasury: Office of the Comptroller of the Currency

  4. Status: Closed - Implemented

    Comments: In commenting on a draft of this report, the FDIC agreed with the recommendation. FDIC has shared its Internet banking examination procedures with FFIEC's Information Systems Subcommittee. FDIC has also shared its Internet banking examination findings with the other FFIEC agencies on an informal basis.

    Recommendation: To help regulators better understand the extent of risks posed by Internet banking and to more effectively evaluate examination methods and procedures, as more experience is gained in conducting examinations of Internet banking services, the heads of the banking regulatory agencies should share information on the problems depository institutions have had in operating Internet banking activities as well as which Internet banking examinations methods and procedures they find to be most efficient and effective.

    Agency Affected: Federal Reserve System

  5. Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help regulators better understand the extent of risks posed by Internet banking and to more effectively evaluate examination methods and procedures, as more experience is gained in conducting examinations of Internet banking services, the heads of the banking regulatory agencies should share information on the problems depository institutions have had in operating Internet banking activities as well as which Internet banking examinations methods and procedures they find to be most efficient and effective.

    Agency Affected: National Credit Union Administration

  6. Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help regulators better understand the extent of risks posed by Internet banking and to more effectively evaluate examination methods and procedures, as more experience is gained in conducting examinations of Internet banking services, the heads of the banking regulatory agencies should share information on the problems depository institutions have had in operating Internet banking activities as well as which Internet banking examinations methods and procedures they find to be most efficient and effective.

    Agency Affected: Federal Financial Institutions Examination Council

  7. Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Comptroller of the Currency and the Chairmen of the Board of Governors of the FRS and NCUA should establish procedures to obtain centralized information on institutions' plans to offer Internet banking. They should use this information to: (1) enhance monitoring of technological trends and innovations and thus their ability to assess emerging security and compliance issues; (2) provide more timely and specific risk management guidance to individual depository institutions, as necessary; and (3) augment the information used to plan for the availability of examiners with appropriate information systems expertise.

    Agency Affected: National Credit Union Administration

  8. Status: Closed - Implemented

    Comments: In commenting on a draft of this report, the NCUA stated that the report effectively described the risks imposed by Internet Financial Services. As of September 8, 2000, NCUA had made final changes to its call report for December 2000 publication to include line items for Internet banking activities. Information requested from credit unions includes e-mail address, World Wide Website address, and whether the website is interactive or not.

    Recommendation: The Comptroller of the Currency and the Chairmen of the Board of Governors of the FRS and NCUA should establish procedures to obtain centralized information on institutions' plans to offer Internet banking. They should use this information to: (1) enhance monitoring of technological trends and innovations and thus their ability to assess emerging security and compliance issues; (2) provide more timely and specific risk management guidance to individual depository institutions, as necessary; and (3) augment the information used to plan for the availability of examiners with appropriate information systems expertise.

    Agency Affected: Congress

  9. Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Comptroller of the Currency and the Chairmen of the Board of Governors of the FRS and NCUA should establish procedures to obtain centralized information on institutions' plans to offer Internet banking. They should use this information to: (1) enhance monitoring of technological trends and innovations and thus their ability to assess emerging security and compliance issues; (2) provide more timely and specific risk management guidance to individual depository institutions, as necessary; and (3) augment the information used to plan for the availability of examiners with appropriate information systems expertise.

    Agency Affected: Federal Financial Institutions Examination Council

  10. Status: Closed - Implemented

    Comments: In commenting on a draft of this report, the FFIEC agreed with the need to ensure effective oversight of third party vendors that provide Internet Banking services. The agencies have completed a preliminary review of Internet banking vendors. Selected vendors have been subject to interagency examinations with each agency alternating as the lead agency. Ongoing review of this industry by the FFIEC is continuing.

    Recommendation: To help ensure that reviews of the adequacy of Internet banking services provided by third-party firms are conducted in a cost-efficient manner, on the basis of the results of its research project, the Chairman, Federal Financial Institutions Examination Council (FFIEC), through the FFIEC Task Force on Supervision, should develop plans and a timetable for the regulators' oversight of third-party firms.

    Agency Affected: Department of the Treasury: Office of the Comptroller of the Currency

  11. Status: Closed - Implemented

    Comments: In commenting on a draft of this report, the NCUA stated that the report effectively described the risks imposed by Internet Financial Services. NCUA's Strategic Plan for 2000-2005 has a goal dedicated to e-commerce. Phase one of the strategy is to issue a bulletin to its examiners on NCUA's Information Systems and Technology Safety and Soundness Examination Program, which has been implemented. This bulletin, which deals with high level issues such as risk assessment, was issued on July 13, 2000, along with an e-commerce questionnaire for its examiners. The second phase is more technically oriented, and serves to identify important issues related to the technology. In this second phase, NCUA plans to train 60 subject matter experts in information system and technology issues (NCUA only has 3 IT examiners). Phase three of the plan is to gain deeper knowledge of the technology, and provide more specific training to examiners. This strategic plan has been presented to the NCUA Board for review and is rolled into the budget package. NCUA has provided IT training to over 60 examiners in 2001 and 2002. This group of examiners received Level 1 training on March 26, 2001, Level 2 training on May 18, 2001, and Level 3 training on March 25, 2002. NCUA also provided IT training to state examiners in February 2001.

    Recommendation: To help ensure the safety and soundness of Internet banking at credit unions, as work related to the year 2000 computer problem diminishes, the Chairman, NCUA, should expeditiously develop Internet banking examination procedures and begin to examine Internet banking-related activities offered by credit unions.

    Agency Affected: Federal Reserve System

 
