The Banking Sector Internet Risk Management

Internet Risk Management in the Banking Sector

Executive Summary

Technological advancement in the banking industry, like in other economic sectors, has continued to increase. Banking organizations have allowed a wide array of products and services to become accessible and offered to customers via an electronic channel commonly known as e-banking or internet banking. According to Uppal, internet banking can be defined as a system that allows bank customers to access their accounts and available bank products and services information through a personal computer or other intelligent devices (39). E-banking offers numerous benefits to banks, businesses, and customers.

For instance, customers can access any service they want without visiting a bank’s branch office. The technology is also convenient, easy-to-operate, time-efficient, and always available (it is not time restrictive). For banks, it has contributed to increased efficiency and competitiveness and reduced customer service time. The creation of new services for customers and small businesses, such as operational accounting, taxation, online accounting, and profit forecasting, are among the reasons for banks’ involvement in internet banking. Even so, while it offers great benefits, internet banking carries with it technology risks.

Nzevela describes risks as events, expected or unexpected, which adversely affect a bank’s capital or income (24). Most banks are not new to internet risk management. One analysis found that 22% of banks worldwide have invested over 25% of their yearly budget in digital risk management. They are aware of the different types of risks in e-banking. Therefore, they must employ a regulatory framework that will allow them to manage the internet banking risk. They should have internet banking technology risk management guidelines and know the strategies to follow in managing the risks.

Types of Internet Banking

Three basic kinds of internet banking exist: communicative, transactional, and informational internet banking (Muneesh et al. 84). Informational is the lowest level or most basic form and involves the bank having marketing data about its services on a stand-alone server. Banks providing only this service may experience relatively low risk but may suffer reputational harm if the information on the website is mutilated. Communicative or interactive internet banking allows some degree of interaction between a bank’s system and the customers.

The interaction of communicative internet financial services can be limited to account opening or inquiry, electronic mail, loan applications, or updates (Nasim n.p). The risk level ranges from low to moderate based on whether the website links directly to the bank’s internal network. Finally, transactional internet banking is the top-most level of e-banking, and it allows customers to execute transactions such as accounts access, bills payment, and funds transfer. It poses the highest risk; thus, banks must impose the most stringent measures to curb them.

Categories of Internet Banking Risks

Digitization of banking has several risks. Internet banking risks can be categorized into; - operational/transactional, credit, interest rate, liquidity, foreign exchange, compliance, strategic, reputation, and security risk (Solanki 166). All these risks can occur because of some flaws in the design, unauthorized system access, and insufficient technology.

Figure 1: How Digital Transformation Exposes Any Organization to Risks

Operational risk

Transactional or Operational risk is the most common and involves incorrect transaction processing, unauthorized access to the bank’s system, and compromises in data privacy and integrity. Also, human causes such as negligence, frauds, hackers, and the inability to deliver products or services and retain a competitive position can be a source of this risk (Virlanuta et al. 3). It is clear from each product and service and may exist with internet banking products, especially if they are not efficiently planned, implemented, and monitored.

Reputation risk

It is another risk impacting a bank’s capital and earnings and arises from negative public opinion (Carol n.p). It affects a bank’s ability to form new relationships or continue servicing existing ones. The risk may expose the financial institution to litigation, reduction in customer base, and financial loss. The institution needs to exercise an abundance of caution in handling the customers and community. The reputation can suffer if it does not deliver on marketing claims or offer accurate, timely services. It can also happen if it fails to adequately meet customer credit requirements, provide unreliable delivery systems, or violate customer privacy.

Strategic risk

This risk results from inefficient business decisions, inappropriate implementation of the decisions, or lack of strategic goals and business strategies and resources to achieve them (Dmitri 101). The resources required to carry out the goals can be tangible and intangible, and they include; - operating systems, communication channels, delivery networks, and managerial capabilities.

Security risk

The security and confidentiality of customer transactions are very critical. But, since all information is online, there is always a probability that someone might access the information and misuse it. The security risk also arises from hacking threats.

Compliance/legal risk

This is the risk that arises from violations of or non-compliance with laws, regulations, and stipulated practices or ethical standards (Ganesh 48). It can also result from situations where laws or regulations governing some banks’ products or services may be vague. Internet banking customers will keep using other service delivery channels; so, banks will have to disclose on the internet banking channels like websites and synchronize them with such channels.

Foreign exchange risk

It occurs when a foreign currency dominates a loan or portfolio of loans. Sometimes, banks will enter into multi-currency credit commitments that allow borrowers to choose the currency they prefer to use. They may be exposed to foreign exchange risk if they allow deposits or account creation in foreign currencies on internet banking.

Liquidity risk

Internet banking can accelerate deposit liquidity for customers who maintain accounts fully on a rate or terms basis. Liquidity risk arises when banks cannot meet their due obligations without incurring undesirable losses and managing unplanned funding sources changes. Enhanced liquidity and changes in deposits monitoring may be guaranteed depending on the nature and volume of internet account activities.

Credit risk

With internet banking, banks can have the chance to expand their geographical range, and that means that customers can reach any particular institution from any part of the world (Mircea n.p). Dealing with such customers online without any personal contact can be challenging regarding credentials verification – which is a significant element for banks to make sound credit decisions. Hence, unless properly managed, internet banking could lead to an increase in out-of-area credits.

Risk Management Framework

Managing internet banking risk requires a robust risk management framework that requires the Board and senior management to be accountable and responsible for controlling technology risks. This means they should oversee all risk management functions, and to do that, they need to follow a risk management framework. The framework calls for banks to perform a risk analysis – the process of scrutinizing the technology infrastructures and systems to identify possible exposures to risks and weighing the pros and cons of varying risk mitigation actions (Samer et al. 52). The risk management framework can include the steps below:

· Recognizing, characterizing, and evaluating risks that are pertinent to the bank’s operations

· Determining how to treat each type of risk in terms of the risk mitigations and control measures that should be used

· Creating a documented plan having policies, practices, and procedures that address and regulate the risks

· Executing and regularly testing the plan

· Monitoring risks and the plan’s effectiveness on an ongoing basis so that performance and efficiency of the risk management process can be constantly ascertained and updated when risk parameters change, and

· Periodically updating the plan to consider technological changes, legal developments, and business environment transformation, including external and internal threats to information safety.

The risk analysis of the framework identifies information systems assets, security threats, and vulnerabilities and estimates the likelihood of exploitation or attacks (Bolda & Verma 49). It requires a valuation of what damage might occur to assets and from what sources or causes. Appropriate information system security controls are essential for guaranteeing the integrity, privacy, and availability of information technology resources and associated data. The information systems assets should be properly protected from unauthorized access, deliberate misuse, or fraudulent modification, deletion, substitution, insertion, or disclosure.

Figure 2: Risk Management Cycle

Internet Banking Risk Management Guidelines and Principles

After risks have been identified and evaluated, all techniques to manage them are now put in place. These can fall into four major groups: risk allocation, risk avoidance, risk abatement, and retention (Dorfman n.p). Risk management guidelines apply to all financial institutions that offer online financial services and products on the internet. They set out the principles and risk management process for such institutions to identify, access, measure, and respond to technology risks.

The technology risks of internet banking will certainly increase as banks continue to rely more on information technology and the internet to carry out their business and interact with the market (Shapoor 134). Identifying the serious risks that internet banking poses, the objectives of the management guidelines is to require the banks to 1) develop a sound and robust technology risk management process, 2) enhance system availability, security, and recovery ability, and 3) set up strong cryptography to protect customer data and transactions. The guidelines are meant to address various technology risks which arise from the use or dependence on computer software or hardware, online networks, or telecommunication systems.

Existing risk management principles applicable to e-banking activities must be tailored, adapted, and, if possible, expanded to address the particular risk management challenges. To some extent, the Board of Directors and banks’ senior management should take the needed steps to ensure their institutions have revised and modified their existing risk management policies and processes to cater to their current or planned internet banking activities. Each bank’s risk profile is varied and needs a tailored risk management approach fit for the e-banking operations scale, the materiality of the risks present, and the readiness and capability of the bank to mitigate these risks (Tarantino 53). The risk management principles can be broadly grouped into three classes to provide clarity: Management and Board oversight, Security Controls, and reputational and legal risk management.

Management and Board Oversight

The Senior Management and Board of Directors should have the skills to evaluate the technology employed, and risks assumed. They are expected to take a clear and informed decision about whether and how the bank offers e-banking services. Such a decision should entail the specific accountabilities, policies, and controls to address risks, including those resulting from a cross-border context. They should be diligent in handling the effective management of e-banking activities.

Security Controls

Internet banking poses enhanced security challenges, hence ensuring appropriate security control processes are put in place. This should encompass creating sufficient authorization privileges and authentication measures, sufficient infrastructure security to maintain proper boundaries and restrictions on internal and external user activities, and data integrity of records, transactions, and information. There should also be explicit audit trails for all e-banking transactions and measures to preserve the confidentiality of key e-banking information.

Legal and Reputational Risk Management

Internet banking services must be provided regularly and timely according to high customer expectations to protect banks against legal and reputation risk (Derek et al. n.p). An institution must deploy e-banking services to all end-users and maintain such availability in all circumstances. Banks must have effective capacity, business continuity, and contingency planning and develop appropriate incident response plans that control reputation risk and limit liability associated with disruptions in their internet banking services.

Figure 3: How Bank Reputations Fell in 2019

Customer Education

Banks need to also educate their customers on the security and dependability of e-banking and online transactions (Hema & Rahmath 1). Even if the management applies all the risk management principles, they might not eliminate all the risks. When banks introduce new operating features, especially those concerned with security, they should give enough instructions and information so that customers can properly use them. For instance, regarding PINs, banks can provide customers with advice on the minimum number of digits that a PIN should have, the common combinations to be avoided when setting up a PIN, and not using the same one for various applications or websites. Further, banks can encourage customers to adopt the following: