Electronic Banking

Enhancing Federal Oversight of Internet Banking Activities. GAO ID: GGD-99-91. July 6, 1999

Internet banking heightens traditional banking risks. GAO's review of 81 examinations found that 44 percent of the depository institutions examined had not completely implemented risk-management steps that regulators said are needed to limit on-line banking risks. Shortcomings included some institutions' lack of approval of strategic plans by their board of directors and a lack of policies and procedures at some institutions for Internet banking operations. However, too few examinations had been done at the time of GAO's review to identify the extent of any industrywide Internet banking-related problems. Regulators attributed the limited number of examinations to a diversion of examiners to deal with the Year 2000 computer problems and to the limited number of examiners with expertise in information systems. GAO found that some regulators could use more systematic methods for identifying institutions' plans for new Internet banking systems and maintaining this information centrally. GAO also found variations in the supervisory approaches the regulators followed to help ensure that institutions mitigate the risks posed by Internet banking. Finally, GAO found that the five regulators are beginning to work together to study third-party firms providing Internet banking support services. GAO summarized this report in testimony before Congress; see: Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities, by Richard J. Hillman, Associate Director for Financial Institutions and Markets Issues, before the Subcommittee on Domestic and International Monetary Policy, House Committee on Banking and Financial Services. GAO/T-GGD-99-152, Aug. 3 (25 pages).

GAO noted that: (1) Internet banking heightens various types of traditional banking risks of concern to regulators, including strategic, compliance, security, reputation, and transactional risks; (2) as provided in regulatory guidance to banks, savings and loan associations, and credit unions, these risks should be managed through implementation of risk management systems that emphasize active board and senior management oversight, effective internal controls, and comprehensive and ongoing internal audit programs; (3) examinations of Internet banking that GAO reviewed found that some depository institutions were not taking all the necessary precautions to mitigate Internet banking risks; (4) while deficiencies were found, none of these examinations reported any financial losses or security breaches; (5) during GAO's review, too few examinations had been completed to identify the extent of any industrywide Internet banking-related problems; (6) regulators use a variety of methods to identify depository institutions that are already offering Internet banking services; however, only two regulators had systematically obtained centralized information on depository institutions' plans to provide such services and had a database of this information at the time of GAO's review; (7) the Office of Thrift Supervision recently established a requirement that depository institutions: (a) notify it in advance of plans to establish a transactional Web site; and (b) report their Web site address in quarterly Thrift Financial Report filings; (8) the Federal Deposit Insurance Corporation developed a centralized database that contains information on a depository institution's plans to provide Internet banking services; (9) most regulators were developing, testing, or implementing new on-line banking examination procedures, which included procedures for examinations of Internet banking, and most had conducted at least some examinations of depository institutions' Internet banking operations; (10) the Federal Reserve System (FRS) and the Office of the Comptroller of the Currency do not require that an institution's new Internet banking activity be thoroughly examined; (11) the National Credit Union Administration (NCUA) was the only regulator that had not developed requirements and procedures for Internet banking examinations; and (12) each regulator has the authority to examine depository institutions' banking services provided by a third party and, to avoid duplication of effort, regulators often cooperate in examining third-party firms.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.