
Manifesto: Time to Revolutionize our E-banking Policies

By Dan Hadaway | Tuesday, May 3, 2011 - Leave a Comment

I’m in the midst of writing an article about Wireless Banking. I’m actually working two articles: one about the Top Five Risks of Wireless Banking, the other a drill-down on the Compliance Risks of Wireless Banking. In the process, I’m reviewing a few E-banking policies for Clients nice enough to allow my participation in their efforts to mitigate this particular Wireless Banking Compliance Risk.

As I review the policies before me, having reviewed a few already in my auditing experiences, I recognize a common problem in their structure. You see, we auditors see the same policy almost everywhere we go, and whenever we see proposed updates, they still follow the same old structure. E-banking policies, like many other IT-related policies, were all born in the late 1990s, layering iteration after iteration of modification after modification into a document that already has to be banged into shape by the constraints of many different laws and regulations.

Thus, I declare this manifesto:

Re-create a more organic structure.  Instead of merging yet another new delivery system into an already hodge-podge policy/procedure document, it’s time to back up and create a policy that more closely conforms to the way technology has evolved, while supporting existing compliance frameworks.

Policy modifications result from the adoption of new technologies.  We are going to continue experiencing new electronic banking delivery channels, and we are not going to be able to predict how they materialize.

Our existing E-banking policies are iterations of E-banking policies that originated in the 1990s, prior to on-line banking, to address ATMs and telephone banking as well as new payment processing technologies such as electronic wire transfers and electronic funds transfers. As new delivery systems, payment processes, and authentication solutions became available, the E-banking policy evolved into a collection of afterthoughts, each trying to address a new technology as it emerged.

We should consider rewriting the policy with a new structure, centered around the concept of “Branchless Banking” rather than “E-banking.” The policy would address the three primary asset categories: Payment Processes, Delivery Systems, and Authentication Solutions.

Branchless Banking Policy

  • Introductory Stuff (Scope, Author, Date, Approval, etc. depending upon institution)
  • Payment Processes
    • Electronic Funds Transfer
    • Electronic Wire Transfer
    • ACH Transactions
    • Billpay
    • Remote Deposit Capture
  • Mobile Payment Processes
    • P2P
    • Scan and Pay
    • Square
    • PayPal
    • Consumer Capture
  • Delivery Systems
    • ATMs, Kiosks
    • Telephone Banking
    • On-line Banking
    • Wireless Banking
  • Authentication Solutions
    • ATM cards
    • Credit cards
    • Debit cards
    • Login Credentials
    • Tokens (Hard and Soft)
    • Cell or Smart Phone
    • GPS Position
  • Concluding Stuff (update schedule, related policies and procedures, distribution list, etc. depending on institution)

Within each asset, be it a payment process, delivery system, or authentication solution, the following would be addressed as appropriate:

  • Strategy
    • Alignment with Business Strategy
    • Return on Investment Considerations
    • Training Objectives
    • Adoption Strategy (Diffusion Theory)
    • Deployment Objectives
    • Strategic Risk
  • Risk Management
    • Initial Risk Assessment
    • Vendor Due Diligence Requirements
    • Ongoing Risk Management
    • Data Security Objectives
    • Record Retention
    • Legal Risk Mitigation
    • Compliance Risk
  • Applicable Laws
    • BSA / AML
    • CTF
    • ADA
    • EFT Act (see Reg E below)
    • E-Sign Act
    • FACTA (and the Red Flags Rule)
    • GLBA
    • OFAC
    • UCC Article 4A
    • USA PATRIOT Act (CIP and KYC)
    • ______________________ Next Law Here
  • Applicable Regulations
    • Regulation B, Equal Credit Opportunity
    • Regulation CC, Availability of Funds and Collection of Checks
    • Regulation DD, Truth in Savings
    • Regulation E, Electronic Fund Transfers
    • Regulation M, Consumer Leasing
    • Regulation Z, Truth in Lending
    • ______________________ Next Regulation Here

With this new approach to structuring the policy, as new technologies emerge, new policy sections can be added without disrupting the existing ones. Meanwhile, these must be high-level policies that establish guidance for the creation of procedures and the creation/acquisition of tools. The Branchless Banking Policy must document POLICY statements rather than procedures or inventories. It must establish goals, objectives, and strategy directives. The actual procedures, tools, and tactics will be documented in separate documents.

This would be a bit of a revolution, but it has happened before.  I see the Branchless Banking Policy Revolution as being similar to the day when we finally put our foot down and insisted on one stand-alone Acceptable Use Policy!

Look for a new “Branchless Banking Policy” template to roll out sometime in the near future.  I have no clue when, but it’ll probably be a deliverable from one of my articles.

————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
