Unprecedented speed of change, increased dependence on systems architecture, more complex operations, and magnified importance of security -- such are the fruits of e-banking in financial services.
While it does not bring "inherently new risks," electronic banking has changed the overall industry risk profile, according to the Basel Committee on Banking Supervision in a July 2003 report. Therefore, the Committee recommends, banks' senior management and boards of directors should review and modify existing risk policies where necessary, and take a more active role in setting the strategic direction of e-commerce initiatives.
The Basel Committee recently published its "Risk Management Principles for Electronic Banking." Much like the principles-based approach in accounting (versus the rules-based approach as exemplified by GAAP), the principles-based approach in risk management offers "supervisory expectations and guidance" rather than "absolute requirements" or "specific technical solutions or standards relating to e-banking."
The 14 principles fall into three categories: board and management oversight; security controls; and legal and reputational risk management.
Notable among them is the principle that the board of directors and senior management should have joint involvement in technology deployment decisions. The Committee writes: "An explicit strategic decision should be made as to whether the Board wishes the bank to provide e-banking transactional services before beginning to offer such services."
This places corporate leadership, rather than managers in the IT department, squarely in the middle of the decision-making process. The Committee writes: "In light of the unique characteristics of e-banking, new e-banking projects that may have a significant impact on the bank's risk profile and strategy should be reviewed by the Board of Directors and senior management and undergo appropriate strategic and cost/reward analysis."
The responsibility for ensuring a secure enterprise should also escalate into the boardroom. "The Board of Directors and senior management should oversee the development and continued maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats," the Committee writes.
The full report is available at: http://www.bis.org/publ/bcbs98.htm