I’m in the midst of writing an article about Wireless Banking. I’m actually working two articles: one about the Top Five Risks of Wireless Banking, the other a drill-down on the Compliance Risks of Wireless Banking. In the process, I’m reviewing a few E-banking policies for Clients nice enough to allow my participation in their efforts to mitigate this particular Wireless Banking Compliance Risk.
As I review the policies before me, having reviewed a few already in my auditing experiences, I recognize a common problem in their structure. You see, we auditors see the same policy almost everywhere we go, and whenever we see proposed updates, they still follow the same old structure. E-banking policies, like many other IT related policies, were all born in the late 1990’s, layering iteration after iteration of modification after modification into a document that already has to be banged into shape by the constraints of many different laws and regulations.
Thus, I declare this manifesto:
Re-create a more organic structure. Instead of merging yet another new delivery system into an already hodge-podge policy/procedure document, it’s time to back up and create a policy that more closely conforms to the way technology has evolved, while supporting existing compliance frameworks.
Policy modifications result from the adoption of new technologies. We are going to continue experiencing new electronic banking delivery channels, and we are not going to be able to predict how they materialize.
Our existing E-banking policies are iterations of E-banking policies that originated in the 1990’s, prior to on-line banking, to address ATM’s and telephone banking as well as new payment processing technologies such as electronic wire transfers and electronic funds transfers. As new delivery systems, payment processes, and authentication solutions became available, the E-banking policy evolved into a collection of after-thoughts trying to address new technologies as they emerge.
We should consider rewriting the policy with a new structure, centered around the concept of “Branchless Banking” rather than “E-banking.” The policy would address the three primary asset categories: Payment Processes, Delivery Systems, and Authentication Solutions.
Branchless Banking Policy
- Introductory Stuff (Scope, Author, Date, Approval, etc. depending upon institution)
- Payment Processes
- Electronic Funds Transfer
- Electronic Wire Transfer
- ACH Transactions
- Billpay
- Remote Capture Deposit
- Mobile Payment Processes
- P2P
- Scan and Pay
- Square
- Paypal
- Consumer Capture
- Delivery Systems
- ATMs, Kiosks
- Telephone Banking
- On-line Banking
- Wireless Banking
- Authentication Solutions
- ATM cards.
- Credit cards.
- Debit cards.
- Login Credentials
- Tokens (Hard and Soft)
- Cell or Smart Phone
- GPS Position
- Concluding Stuff (update schedule, related policies and procedures, distribution list, etc. depending on institution)
Within each asset, be it a payment process, delivery system, or authentication solution, the following would be addressed as appropriate:
- Strategy
- Alignment with Business Strategy
- Return on Investment Considerations
- Training Objectives
- Adoption Strategy (Diffusion Theory)
- Deployment Objectives
- Strategic Risk
- Risk Management
- Initial Risk Assessment
- Vendor Due Diligence Requirements
- Ongoing Risk Management
- Data Security Objectives
- Record Retention
- Legal Risk Mitigation
- Compliance Risk
- Applicable Laws
- BSA / AML
- CTF
- ADA
- EFT Act (see Reg E below)
- E-Sign Act
- FACTA (and the Red Flags Rule)
- GLBA
- OFAC
- UCC Article 4A
- US Patriot Act (CIP and KYC)
- ______________________ Next Law Here
- Applicable Regulations
- Regulation B, Equal Credit Opportunity
- Regulation CC, Availability of Funds and Collection of Checks
- Regulation DD, Truth in Savings
- Regulation E, Electronic Fund Transfers
- Regulation M, Consumer Leasing
- Regulation Z, Truth in Lending
- ______________________Next Regulation Here
With this new approach in structuring the policy, as new technologies emerge, new policies can be added without organically ruining existing policies. Meanwhile, these must be high-level policies that establish guidance for the creation of procedures and the creation/acquisition of tools. The Branchless Banking Policy must document POLICY statements rather than procedures or inventories. It must establish goals, objectives, and strategy directives. The actual procedures, tools, and tactics will be documented in separate documents.
This would be a bit of a revolution, but it has happened before. I see the Branchless Banking Policy Revolution as being similar to the day when we finally put our foot down and insisted on one stand-alone Acceptable Use Policy!
Look for a new “Branchless Banking Policy” template to roll out sometime in the near future. I have no clue when, but it’ll probably be a deliverable from one of my articles.
————————-
Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex
————————-
“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”