Pursuant to a congressional request GAO reviewed: (1) the channels used
to deliver online banking services; (2) the reasons for implementing
online banking; (3) whether online banking met or exceeded expectations;
and(4) the electronic links that banks had with other payment systems.
GAO noted that: (1) as of June 1997, an estimated 7 percent of U.S.
banks offered online banking services, which most typically allow
customers to access account information and transfer funds between their
accounts; (2) on the basis of plans reported to GAO by surveyed banks,
GAO projected rapid growth in online banking over the next year and a
half as the number of U.S. banks implementing online systems is expected
to increase about fivefold nationwide; (3) bank officials identified
three primary reasons for their banks' offering online banking: keeping
existing customers, remaining competitive, and attracting new customers;
(4) officials of 170 of the 185 surveyed banks offering online services
said their online banking systems had met or exceeded their
expectations; (5) although an estimated 47 percent of U.S. banks
reported that they expect to offer online banking services by the end of
1998, introduction of this technology brings with it some attendant
risks; (6) responses from 93 of the banks GAO surveyed indicated that
some had not performed risk assessments, which can serve as a tool to
protect the integrity, confidentiality, and availability of their online
operations; (7) although 65 of the banks responded that their banks had
assessed the potential risk exposure of their systems, 12 banks reported
that they had not assessed these types of security risks, and another 16
banks said that they did not know if they had assessed such risks; (8)
risk assessments are an important step in protecting an online system so
that appropriate controls can be implemented to mitigate risks; (9)
although many of the 93 banks that responded to this question reported
they had implemented controls to prevent unauthorized access to their
online systems, 9 banks said they lacked firewalls for restricting
access between computer networks; (10) 10 banks reported that they did
not have such basic security features as detection software for computer
viruses and worms; (11) many of the 93 banks that responded indicated
they had experienced lapses in service, security problems, or system
operation difficulties; and (12) with the projected rapid growth in
online banking, it is important that banks take those steps necessary to
ensure they protect their online banking operations.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: GGD-98-34
TITLE: Electronic Banking: Experiences Reported by Banks in
Implementing On-line Banking
DATE: 01/15/98
SUBJECT: Electronic funds transfer
Financial institutions
Clearinghouses (banking)
Computer security
Bank management
Internal controls
Computer software
IDENTIFIER: Fedwire
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved. Major **
** divisions and subdivisions of the text, such as Chapters, **
** Sections, and Appendixes, are identified by double and **
** single lines. The numbers on the right end of these lines **
** indicate the position of each of the subsections in the **
** document outline. These numbers do NOT correspond with the **
** page numbers of the printed product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** <info@www.gao.gov> **
** **
** with the message 'info' in the body. **
******************************************************************
Cover
================================================================ COVER
Report to the Chairman, Committee on Banking and Financial Services,
House of Representatives
January 1998
ELECTRONIC BANKING - EXPERIENCES
REPORTED BY BANKS IN IMPLEMENTING
ON-LINE BANKING
GAO/GGD-98-34
Electronic Banking
(233501)
Abbreviations
=============================================================== ABBREV
CHIPS - Clearing House Interbank Payment System
FBI - Federal Bureau of Investigation
FDIC - Federal Deposit Insurance Corporation
FRS - Federal Reserve System
OCC - Office of the Comptroller of the Currency
OTS - Office of Thrift Supervision
S.W.I.F.T. - Society for Worldwide Interbank Financial
Telecommunications
Letter
=============================================================== LETTER
B-275222
January 15, 1998
The Honorable James A. Leach
Chairman, Banking and Financial Services
Committee
House of Representatives
Dear Mr. Chairman:
Information technology has increased the ability of bank customers to
review their account balances, pay bills, or transfer funds between
accounts while at home or work. This growing accessibility of
on-line banking services through computers with direct dial-up or
Internet connections, however, has led to heightened concerns about
the vulnerability of bank and electronic payment systems.
Accordingly, you requested that we examine the extent of on-line
banking, federal regulatory efforts pertaining to on-line banking,
and any problems posed by on-line banking for the security of
Fedwire.\1
As agreed with your office, we are studying these issues under
separate reviews. This report summarizes the results of the first of
these reviews, which addressed our objectives of identifying (1) the
number of banks and thrifts (referred to as banks in this report)
that reported they offer or plan to offer on-line banking and the
types of services they reported\2
and (2) experiences reported by banks in implementing their on-line
banking systems as well as efforts to mitigate associated risks. Our
subsequent review will examine federal regulatory efforts pertaining
to on-line banking and the security of Fedwire.
To gather this information, we surveyed 349 banks from May 1997 to
June 1997, which included 219 banks that available information
suggested were offering on-line banking services and 130 banks
selected at random from the remaining banks in the United States.
(See app. I for our telephone survey instrument.) We used this
information to project to the total population of U.S. banks in two
instances: (1) the number of banks offering and planning to offer
on-line banking and (2) the number of banks offering specific types
of on-line banking services.
In conducting our survey, we found that 185 of the banks were
providing on-line banking services. We also found that many of the
banks providing on-line banking were affiliated and that a single
official was able to provide on-line banking information on more than
one bank in our survey. Hence, 93 bank officials provided certain
information on 185 banks offering on-line banking. Information
provided on the 185 banks allowed us to determine (1) the channels
used to deliver on-line banking services, (2) the reasons for
implementing on-line banking, (3) whether on-line banking met or
exceeded expectations, and (4) the electronic links that banks had
with other payment systems. Certain information obtained from these
93 officials was limited to the banks that they directly represented.
Specifically, we collected information for 93 banks on (1) problems
experienced, (2) risk identification, and (3) risk mitigation
efforts.
We also interviewed information security experts and federal agency
and banking regulatory officials to identify potential risks and
problems associated with on-line banking as well as basic security
features that could help prevent such problems. In addition, we
reviewed relevant technical literature and documents pertaining to
these issues. We did not attempt to determine the effectiveness of
security measures adopted by banks to prevent on-line banking-
related problems, nor did we verify the information they provided.
(See app. II for our detailed objectives, scope, and methodology.)
Our review was conducted between October 1996 and October 1997 in
accordance with generally accepted government auditing standards. We
provided a draft of this report to the Federal Reserve System (FRS),
Office of Comptroller of the Currency (OCC), Federal Deposit
Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and
the Department of Justice for comment. The four regulatory agencies'
written comments are discussed at the end of this letter and are
reprinted in appendixes III through VI. The Department of Justice's
Federal Bureau of Investigation (FBI) provided technical comments,
which we incorporated, where appropriate.
--------------------
\1 Fedwire is one of the nation's primary electronic funds transfer
systems. Its network is used by participating banks to transfer the
payments banks make to each other and their customers within the
United States.
\2 For this study, a bank was considered to offer on-line banking if
its customers, either retail or corporate, had access to bank
services through computers equipped with dial-up or Internet access.
Banks were not considered to offer on-line banking if they
established Web pages on the World Wide Web solely to provide
information on bank services and products.
RESULTS IN BRIEF
------------------------------------------------------------ Letter :1
As of June 1997, we projected that an estimated 7 percent of U.S.
banks
( 3 percent sampling error\3 ) offered on-line banking services,
which most typically allow customers to access account information
and transfer funds between their accounts. On the basis of plans
reported to us by surveyed banks, we projected rapid growth in
on-line banking over the next year and a half as the number of U.S.
banks implementing on-line systems is expected to increase about
fivefold nationwide. Bank officials identified three primary reasons
for their banks' offering on-line banking: keeping existing
customers, remaining competitive, and attracting new customers.
Officials of 170 of the 185 surveyed banks (92 percent) currently
offering on-line services said their on-line banking systems had met
or exceeded their expectations.
Although an estimated 47 percent of U.S. banks ( 15 percent)
reported that they expect to offer on-line banking services by the
end of 1998, introduction of this technology brings with it some
attendant risks. Responses from 93 of the banks we surveyed
indicated that some had not performed risk assessments, which can
serve as a tool to protect the integrity, confidentiality, and
availability of their on-line operations. Although 65 of the banks
(70 percent) responded that their banks had assessed the potential
risk exposure of their systems, 12 banks (13 percent) reported that
they had not assessed these types of security risks, and another 16
banks (17 percent) said they did not know if they had assessed such
risks. Risk assessments are an important step in protecting an
on-line system so that appropriate controls can be implemented to
mitigate risks.
Although many of the 93 banks that responded to this question
reported they had implemented controls to prevent unauthorized access
to their on-line systems, 9 banks (10 percent) said they lacked
firewalls for restricting access between computer networks. Ten
banks (11 percent) reported that they did not have such basic
security features as detection software for computer viruses and
worms. Many of the 93 banks that responded indicated they had
experienced lapses in service (38 percent), security problems (30
percent), or system operation difficulties (36 percent). With the
projected rapid growth in on-line banking, it is important that banks
take those steps necessary to ensure they protect their on-line
banking operations.
--------------------
\3 All of the projected estimates made in this report have sampling
errors which are calculated at the 95 percent confidence level.
BACKGROUND
------------------------------------------------------------ Letter :2
Banks have provided electronic banking services to customers for a
number of years using such familiar access devices as telephones and
automated teller machines. Corporate customers also have had access
to on-line banking features by dialing into a bank's system using
proprietary software. More recently, retail customers have been able
to access their bank accounts from computers in their homes or
workplaces by connecting to on-line banking systems. Such systems
offer services that enable individuals or businesses to verify their
account balances, apply for loans, authorize bill payments, or
transfer funds between their accounts and from other banks. Some
on-line banking systems also let customers reorder checks, review
their account histories, stop check payments, or facilitate wire
transfers.
Customers with computer modems can access their banks' on-line
banking computer systems in one of several ways. Some of them can
use banking software installed on their personal computers, local
area networks, or mainframe computers to connect to the banks'
on-line banking systems. Other customers may be able to access their
banks' on-line banking systems by dialing into an Internet service
provider and accessing the banks' World Wide Web\4 sites. Banks may
operate their on-line banking systems in-house or contract out the
operation of these systems to third-party vendors.
After connecting to an on-line banking system, a customer generally
enters a personal identification number and a password. Typically,
customers must go through this step to identify themselves every time
they sign on to the on-line banking system. According to bank
officials, once customers have confirmed that they are legitimate
account holders, they can proceed to use their computers to initiate
the desired transactions, and the on-line banking system processes
and routes the transaction data as needed to carry it out.
--------------------
\4 The World Wide Web is a portion of the Internet through which
information is exchanged via text, graphics, audio, and video that
can be accessed with the use of a browser or search engine software.
NUMBER OF BANKS IMPLEMENTING
ON-LINE BANKING SYSTEMS GROWING
RAPIDLY
------------------------------------------------------------ Letter :3
Our survey results indicated that the number of banks implementing
on-line banking systems is planned to grow about fivefold by December
1998. We estimate that about 770 banks, or 7 percent ( 3 percent)
of the approximately 10,520 banks active in the United States at the
time of our survey, had implemented on-line banking as of June 1997.
According to the responses to our survey results, an estimated 4,990
banks, or about 47 percent ( 15 percent) of the banks in the United
States, plan to offer some type of on-line banking service to their
customers by the end of 1998. This estimate of 4,990 banks includes
the 770 banks offering on-line services in June 1997 as well as 4,220
banks projected to begin offering such services by December 1998 (see
fig. 1).
Figure 1: Projected Rapid
Growth of On-line Banking
Between June 1997 and December
1998
(See figure in printed
edition.)
Note 1: The above numbers do not include banks establishing Web
pages on the World Wide Web solely to provide information on bank
services and products, rather than to allow customers to access
banking services.
Note 2: The sampling error for the estimate of banks currently
offering on-line banking is 3 percent. Sampling errors for the other
two estimates (4,220 and 4,990) are both 15 percent.
Source: GAO analysis of survey results.
Although U.S. banks offer a wide range of services on-line, reviews
of account information and funds transfers between a customer's
accounts were the most common services reported to be available to
bank customers at the time we conducted our survey in June 1997. Our
analysis indicated that over 99 percent ( 1 percent) of the
estimated 770 banks offering on-line banking allowed their customers
to check their balances, and the same percentage allowed customers to
transfer funds between their own accounts. In comparison, 54 percent
( 24 percent) of these banks reported allowing their customers to
transfer funds to other banks (see table 1).
Table 1
Projected On-line Banking Services
Offered by Banks as of June 1997
Weighted
estimate of
banks saying
"yes"
--------------
Percen
Services t Number
------------------------------------------------------ ------ ------
Review account balance 99% 768
Transfer funds between customer's accounts 99 762
Bill payment 37 281
Transfer funds to other banks 54 413
Accept loan applications 14 106
Other\a 64 496
----------------------------------------------------------------------
Note 1: Based on GAO's estimate that 770 banks offered on-line
banking as of June 1997.
Note 2: Sampling errors by offered services are: review account
balance (<1 percent), transfer funds between customer's accounts (<1
percent), bill payment ( 19 percent), funds transfers to other banks
( 24 percent), accept loan applications ( 7 percent), and other (
22 percent).
\a Other on-line services included check reordering and stop check
payment orders.
Source: GAO analysis of survey results.
As part of our survey, we asked officials from all 185 banks we
surveyed that reported offering on-line banking for more detailed
information on the channels they used to deliver on-line services.
Their survey responses indicated that most banks used software that
enables customers to directly connect to the banks' own on-line
systems or a vendor's system. Of the 185 banks, 116 (63 percent)
reported using software that provides for a direct connection to a
vendor's system, and 79 (43 percent) reported using software that
allowed customers to directly connect to their banks' on-line
computer systems. More than half of the banks reported they offered
on-line banking by allowing customers to connect with their on-line
systems through the Internet (see table 2).
Table 2
Surveyed Banks Reporting Use of Various
Delivery Channels for Their On-line
Banking Operations
Delivery channel Percent Number
---------------------------------------------- ---------- ----------
Direct connection 91% 168
Personal computer banking software allowing 63 116
for direct dial-in to on-line banking system
operated by third-party vendor
Personal computer banking software allowing 43 79
for direct dial-in to bank's on-line banking
system
Internet 54 100
Internet Web site maintained by bank, third- 49 91
party vendor, or affiliated bank
Internet service provider (e.g., Prodigy, 31 57
America OnLine)
----------------------------------------------------------------------
Note 1: Banks may use more than one delivery channel in offering
on-line services.
Note 2: Based on information for 185 banks.
Source: GAO analysis of survey results.
We also asked officials who represented the 185 banks that reported
offering on-line banking for their reasons for implementing their
on-line banking systems. Key reasons bank officials cited for their
banks' decisions to offer on-line banking involved the intention to
remain competitive with other banks, retain customers, attract new
customers, reduce operating expenses, or generate fee income.
Although 133 banks (72 percent) indicated they implemented on-line
banking to retain customers, two other motivating factors--remaining
competitive and attracting new customers--were cited almost as often.
Other motivating factors, such as keeping up with banking
technologies and the desire to offer customers alternative delivery
channels, were cited by some banks (see fig. 2). Banks planning to
offer on-line banking responded similarly to questions about
motivating factors. Among the 36 banks planning to implement on-line
banking by December 1998, the desires to remain competitive and to
retain their customers were the most frequently cited motivating
factors.
Figure 2: Reasons Cited by
Surveyed Banks for Implementing
On-line Banking
(See figure in printed
edition.)
Note: Based on information for 185 banks.
Source: GAO analysis of survey results.
Survey responses for 185 banks indicated that their on-line banking
systems generally met or exceeded their expectations (see table 3).
Half of the banks reported that their expectations were met, and
another 77 banks (42 percent) said that their expectations were
exceeded. Bank officials commonly reported that customer usage of
on-line banking systems met or surpassed initial targets. One bank
official told us that about 400 new employees were hired to meet the
customer demand for on-line banking.
In a few instances, banks' experiences fell short of expectations.
In one case, a bank official told us that customer use was much lower
than expected. The official said that the rural location of the bank
may have been a contributing factor.
Table 3
Extent to Which Surveyed Banks That
Reported On-line Banking Said Their
Expectations Were Met
Expectations Percent Number
---------------------------------------------- ---------- ----------
Exceeded 42% 77
Met 50 93
Fell short 3 6
Too early to tell 4 7
Don't know 1 2
----------------------------------------------------------------------
Note: Based on information for 185 banks.
Source: GAO analysis of survey results.
SOME BANKS THAT REPORTED
OFFERING ON-LINE BANKING SAID
THEY DID NOT CONDUCT RISK
ASSESSMENTS
------------------------------------------------------------ Letter :4
On-line banking presents a wide range of potential risks, according
to information security experts and banking regulators. On-line
banking can expose bank and customer information and transactions to
risks from electronic interception, data corruption, or fraud because
of the widespread access characterizing these systems. An important
step in ensuring the integrity of an on-line system is ascertaining
the vulnerabilities and threats potentially affecting individual
on-line systems and establishing compensating internal controls to
mitigate risks. Accordingly, information security experts and
federal banking regulators suggest that banks analyze risks
associated with their on-line banking systems and evaluate whether
their security policies protect the integrity, confidentiality, and
availability of their on-line operations and are capable of limiting
or mitigating identified risks.\5
Information security experts and federal regulators stated that
although risk assessments specific to on-line banking are not a
federal banking requirement, such assessments are a useful tool for
identifying, measuring, monitoring, and managing potential risks.
Assessments can help banks evaluate the seriousness of such potential
problems as viruses, unauthorized access into banking systems, and
lost transactions.
Our survey results indicated that 54 of the 93 banks (58 percent)
that reported having on-line systems had conducted formal risk
assessments of their on-line banking systems. However, 12 banks (13
percent) said they had not performed such assessments. Another 16
banks (17 percent) did not know if they had performed risk
assessments of their on-line banking systems. The remaining 11 banks
(12 percent) reported holding limited or informal discussions about
potential risks of on-line banking. Two bank officials we
interviewed explained that their banks did not perform a risk
assessment because the latest industry information their banks had
obtained on the security of on-line banking systems suggested that
such systems were secure.
To help prevent unauthorized access to on-line banking systems,
information security experts and regulatory officials emphasize the
importance of banks' implementing mitigating controls, such as
restrictions on access, secure firewalls that restrict access between
computer networks, intrusion detection software, and tests of on-line
banking system vulnerability. The risk mitigation process can be
used to not only identify controls necessary to protect an on-line
system, but also to weigh the cost of implementing controls against
their benefits. The Federal Reserve Bank of New York notes that the
level of protection of an Internet site should be commensurate with
the degree of risk associated with the level of services offered and
the value of assets at risk. For example, the cost of implementing
strong authentication controls, through techniques such as digital
signatures, would tend to be more appropriate for a bank that offers
extensive on-line banking services, such as bill payment and funds
transfers to other banks, than for a bank that limits its on-line
banking services to the review of account balances.
--------------------
\5 The Federal Reserve System and the Office of Thrift Supervision
have indicated that they expect financial institutions that provide
services over the Internet to analyze risks related to the security
of customer information and other data and to use the results of
their risk analyses to make appropriate modifications to their
on-line systems and implement necessary controls and monitoring tools
to mitigate risks.
SOME BANKS REPORTED PROBLEMS
WITH THEIR ON-LINE BANKING
SYSTEMS
------------------------------------------------------------ Letter :5
For the 93 banks that they directly represented, we asked bank
officials for information on the types of problems they had
experienced with their systems, whether other banking systems were
connected to their systems, and the types of controls they had in
place to mitigate risks. Many of the 93 reported that they had
experienced service availability lapses (38 percent), security
problems (30 percent), or operational problems (36 percent) with
their systems (see table 4). We could not assess the significance or
underlying causes of these apparent problems because we did not
examine individual banks' systems and processes. Moreover, we did
not determine the appropriateness of a bank's mitigating features,
which could vary depending on the complexity of the on-line banking
system as well as the types of services offered.
Table 4
Extent to Which Banks Reported Various
On-line Banking Problems
Problems Percent Number
---------------------------------------------- ---------- ----------
======================================================================
Service availability difficulties 38% 35
Denial/disruption of system 35 33
Difficulties in tracking on-line banking
transactions as 4 4
transmission volume increases
======================================================================
Security difficulties 30 28
Unauthorized access attempts\a 19 18
Transactions lost during transmission 15 14
Proving valid customers are using on-line 4 4
banking system
Employee sabotage of on-line banking system\b 1 1
Theft of PINs or passwords 1 1
Viruses and worms\c 1 1
======================================================================
Operational difficulties 36 33
Upgrade or replacement of software 22 20
Staffing & training 29 27
======================================================================
Other difficulties\d 22 20
----------------------------------------------------------------------
Note 1: The list of problems is not comprehensive, and some reported
problems could be classified under more than one category.
Note 2: Based on information from 93 banks.
\a Only 1 of the 93 banks reported an instance of successful
unauthorized entry into its on-line banking system.
\b According to the National Institute of Standards and Technology,
examples of computer-related employee sabotage include theft of
customer data, destruction of hardware, incorrect data entry, and
deletion or alteration of data.
\c A virus is a computer program that replicates itself by attaching
copies of itself to existing computer programs. The new copy of the
virus is executed when a user loads a program or opens an electronic
mail message attachment. A worm, which does not require a host
program, is a self-replicating computer program that commonly uses
network systems to propagate to other host systems.
\d Other problems reported by bank officials include software or
hardware not working as designed and customers attempting to
fraudulently transfer funds between their accounts.
Source: GAO analysis of survey results.
SERVICE AVAILABILITY
PROBLEMS
---------------------------------------------------------- Letter :5.1
One category of on-line banking problems reported by banks involved
lapses in the availability of services. Thirty-three of the 93 banks
(35 percent) reported that their on-line banking systems had
experienced service availability problems involving the denial or
disruption of service (see table 4). Such problems frequently can be
caused by a breakdown in the hardware or software supporting the
system, which in turn may be the result of a design defect,
insufficient system capacity, or a mechanical breakdown. Almost half
of the 33 banks that reported experiencing denial or disruption of
service indicated that some type of damage resulted, such as loss of
customer confidence or customers closing their accounts.
Banks should be able to prevent or at least partly mitigate service
availability problems by monitoring vendor systems and by adopting
emergency or contingency plans, which are designed to allow banks to
continue their on-line banking operations after a system failure.
Forty-one of the 58 surveyed banks (71 percent) that relied on
vendors to operate their on-line systems said that they monitored
vendor systems as a mitigation measure. Two of the 58 banks (3
percent) said that they request certifications or guarantees from
vendors that proper controls are in place to mitigate potential
risks. A few other banks that reported they did not monitor their
vendors' systems said that they relied on the vendors to ensure that
emergency or contingency plans were in place to guard against, among
other things, lapses in the availability of services. Seventy-nine
of the 93 banks (85 percent) we surveyed said they had emergency or
contingency plans in place (see table 5).
Table 5
Percent of 93 Banks That Reported Having
Implemented Various Features Designed to
Mitigate Problems
Not
Mitigating feature Don't applicab
Problem in place Yes No know le
------------------- ------------------- -------- -------- -------- --------
Unauthorized access Access restricted 89% 7% 4%
attempts after at least 3
failed entry
attempts 79 10 12
Firewalls in 45 23 32
place\a
51 27 23
Intrusion
detection
software
Penetration
testing
Staffing and On-line banking 88 9 3
training guidelines
established
96 1 3
On-line banking
training provided
Denial/disruption Emergency or 85 11 4
of service contingency
plans\b 44 10 9 38%
Bank oversight of
vendor\c
Employee sabotage Separation of 86 5 8 1
system control
duties
Viruses and worms Detection software 70 11 18 1
Transactions lost Audit logs and/or 90 4 5
during reports generated
transmission
Difficulty in Audit logs 85 5 0 10
tracking on-line routinely reviewed
banking
transactions as
volumes increase
Outdated software Software update 66 15 7 13
control program
Theft of PINs or Codes or encryption 83 9 9
passwords used
Proving authorized Digital signature\d 8 81 12
customers are
using on-line
banking systems
--------------------------------------------------------------------------------
Note 1: Based on information from 93 banks.
Note 2: Row percentages do not always sum to 100 due to rounding.
Note 3: This table contains examples of features that banks can use
to mitigate potential problems and is not meant to be an
all-inclusive list.
\a Fifty-five of the 73 survey banks (75 percent) that had firewalls
reported that their firewalls distinguished among customers, vendors,
and/or internal systems.
\b Emergency or contingency plans can be used to respond to natural
disasters, acts of terrorism, sabotage, or power disruptions of an
electronic banking system.
\c The percentages for this mitigation feature were calculated on the
basis of the responses of the 58 surveyed banks that provided their
on-line banking services through third-party vendors.
\d Digital signatures are generally recognized as being a more secure
and sophisticated authentication method than personal identification
numbers and passwords.
Source: GAO analysis of survey results.
SECURITY PROBLEMS
---------------------------------------------------------- Letter :5.2
Of the 28 surveyed banks that reported experiencing security
problems, almost two-thirds involved attempts at unauthorized access
(see table 4). Experts described a number of methods that can be
used to try to gain unauthorized entry for illicit purposes. For
instance, personal computer banking software may be taken apart to
find its vulnerabilities or may be used to access the bank system to
decipher the bank's payment protocol. Another method involves the
use of devices to capture bank information as it travels across
telecommunication lines.
Two of the 18 banks that reported there had been attempts at
unauthorized access could not tell us how many attempts had been made
on their systems, because they did not have systems in place for
monitoring such attempts. However, 1 bank reported that up to 50
attempts at unauthorized access had been made on its system. One
bank we surveyed reported a successful unauthorized access into its
internal systems.
The number of successful unauthorized access attempts involving the
banking industry has been difficult to determine. According to the
FBI, cross-industry sector surveys indicate that the number of
computer intrusions and the amount of financial losses resulting from
those intrusions are rapidly increasing. Although segments of the
financial services industry are included in many of these studies,
none focus solely on financial institutions or the banking industry.
Nonetheless, a FBI official told us that he knew of many alleged
attempts at unauthorized entry into on-line banking systems.
However, the FBI has not been able to substantiate through the
banking industry or other intelligence sources whether successful
unauthorized entries are actually occurring either. He attributed
the difficulty his agency and others have had confirming whether
unauthorized entries are occurring to various factors, including
banks' reluctance to disclose unauthorized entry incidents, the
inability of banks to detect or recognize such incidents, and the
lack of a separate category for banks to report successful or
attempted unauthorized entries on the forms required to be filed on
known or suspected violations of federal criminal law. To improve
the reporting of computer-related crimes, the FBI, working with the
federal banking agencies and other federal law enforcement agencies,
recently issued guidance providing further definitions and specific
examples for financial institutions to assist them in reporting
unauthorized computer entries.
Eighty-three of the banks (89 percent) we contacted reported that
they restricted access after three unsuccessful entry attempts into
their systems (see table 5). Although 73 of the 93 banks (79
percent) indicated that either their systems or the vendors' systems
had firewalls in place, 12 of the 73 (16 percent) reported that their
firewalls did not distinguish among customers, vendors, and/or
internal systems.
Fewer of the banks reported that they had conducted vulnerability
tests or had installed intrusion detection software. Twenty-five of
the 93 banks (27 percent) reported that tests were not performed to
see whether their on-line systems were subject to penetration. Fewer
than half said that intrusion detection software was in place.
Problems involving transactions that were lost by the bank or by the
vendor operating the bank's on-line banking system reportedly
occurred less frequently than unauthorized access attempts. Fourteen
of the 93 banks (15 percent) indicated that on-line banking
transactions have been lost (see table 4). Officials reported a
variety of reasons for these losses, such as customers not knowing
how to use their on-line banking software and system failures. One
bank official told us that lost transactions had led to a financial
loss, and two others reported reduced customer confidence in the
banks' on-line systems as a consequence.
To help prevent losses of on-line banking transactions, Federal
Deposit Insurance Corporation guidelines and security experts
recommend that audit logs and reports be generated and subsequently
routinely reviewed. Monitoring these reports can provide bank
officials with an indication of problems requiring their attention,
according to security experts. As shown in table 5, 79 of the 93
banks (85 percent) reported that audit reports were both generated
and routinely monitored.
Some federal agencies and information security experts have pointed
out that unauthorized entries into a bank's on-line banking system
can also entail risks for other financial institutions with which the
bank has electronic links. They point out that an individual gaining
access into one bank's system could potentially also gain access to
other systems for illicit purposes if the bank's on-line banking
system is electronically linked to other financial institutions and
computer systems. Recently issued guidance by the Federal Reserve
Bank of New York\6 warns that the Internet potentially exposes a
bank's on-line system, and in turn its internal computer network, to
worldwide attack and compromise.
Many of the 185 banks in our survey with on-line systems reported
having electronic links with various other computer systems (see
table 6). Most said their on-line systems were linked to a vendor's
system or to the banks' business partners. To a lesser extent, they
reported their on-line systems were electronically linked to the
Fedwire or other computer systems. At one bank we contacted, an
individual was able to break into the bank's on-line system and use
its electronic connection to transfer funds fraudulently to other
financial institutions.
Table 6
Surveyed On-line Banks Reporting
Electronic Links Between Their On-line
Banking System and Other Computer
Systems\a
Links to other computer systems Percent Number
---------------------------------------------- ---------- ----------
Fedwire\b 15% 28
Clearing House Interbank Payment System 16 29
(CHIPS)\c
Society for Worldwide Interbank Financial 17 31
Telecommunications (S.W.I.F.T.)\d
Vendor systems\e 65 120
Other financial institutions 17 31
Bank's business partners 32 59
----------------------------------------------------------------------
Note: Based on information for 185 banks.
\a For more information about computer systems mentioned in this
table, see Payments, Clearance, and Settlement: A Guide to the
Systems, Risks, and Issues (GAO/GGD-97-73, June 20, 1997).
\b Fedwire serves approximately 9,500 depository institutions.
\c CHIPS is the main U.S. wire transfer system for processing
international U.S. dollar transfers. CHIPS is operated by the New
York Clearing House Association and serves 95 foreign and domestic
banks representing 28 countries.
\d S.W.I.F.T. is an international financial payment cooperative
organization that operates a network that facilitates the exchange of
payment and other financial messages between financial institutions
throughout the world.
\e Vendor systems are on-line banking systems operated by a third
party under contract to a bank.
Source: GAO analysis of survey results.
--------------------
\6 Sound Practices Guidance on Information Security, Federal Reserve
Bank of New York, September 1997.
OPERATIONAL PROBLEMS
---------------------------------------------------------- Letter :5.3
The third category of problems reported by the 93 banks involved
operational problems, most of which involved staffing or training
problems or difficulties in upgrading or replacing outdated software.
Twenty-seven of the 93 banks (29 percent) reported that they had
experienced staffing and training problems (see table 4). Some banks
reported that their employees lacked the computer-related technical
backgrounds needed to handle on-line banking problems. One bank
official said that the volume of customer inquiries far exceeded the
ability of his bank's current staff to handle them promptly. Another
bank said that staffing and training problems led to a loss of
customer confidence.
To reduce difficulties stemming from inadequate or limited staffing
or training, information security experts and federal regulators have
suggested that banks should equip their staffs to respond to problems
affecting on-line systems by establishing guidelines or providing
associated training. Nearly all of the 93 banks reported providing
training to staff (see table 5). One bank that attributed its
staffing problems to the newness of its on-line banking system
believed that such problems would decrease over time.
Twenty of the 93 banks (22 percent) reported operational difficulties
relating to the need to upgrade and replace outdated software (see
table 4). One bank explained that it must at least partly rely on
its customers to buy banking software upgrades on their own.
According to information security experts, problems stemming from a
failure to upgrade and replace software can pose a risk to banks.
For instance, as software becomes dated, it becomes easier for
someone to exploit the vulnerabilities of software programs.
Information security experts stated that software update control
programs can identify which customers have not updated their software
and automatically upgrade the access software installed on a
customer's personal computer. Sixty-one of the 93 banks (66 percent)
reported that they had installed some type of a software update
control program (see table 5). A few banks told us that they had not
yet implemented this type of measure because of the newness of their
banks' systems.
CONCLUSIONS
------------------------------------------------------------ Letter :6
Our analysis indicated that the number of banks implementing on-line
banking systems is planned to increase about fivefold by December
1998. Although responses of most of the banks we contacted indicated
that their on-line banking systems had met or exceeded their
expectations, the introduction of on-line banking technology exposes
banks and their customers to risks from electronic interception, data
corruption, and fraud. Accordingly, information security experts and
federal banking regulators suggest that banks assess risks associated
with their on-line banking systems and take measures to protect
against them. Although many of the banks we surveyed had conducted
such assessments, others had not and, thus, lacked assurance that
they were taking appropriate mitigating measures to protect their
on-line banking systems. Moreover, over two-thirds of the banks
reported some combination of service availability, security, or
operational problems with their on-line banking systems. Although
difficulties such as these can be expected with the introduction of
new banking technology, our work suggests that banks will face
considerable challenges implementing and maintaining secure and
dependable banking services as on-line banking in the United States
continues to grow.
AGENCY COMMENTS AND OUR
EVALUATION
------------------------------------------------------------ Letter :7
The Federal Reserve System, Office of the Comptroller of the
Currency, Federal Deposit Insurance Corporation, and Office of Thrift
Supervision provided written comments on a draft of this report, and
their comments and our additional responses are reprinted in
appendixes III through VI. In addition, these four agencies and the
FBI provided technical comments, which we have incorporated where
appropriate.
The four regulatory agencies generally found that the report provided
useful information and insights on the challenges faced by banks and
thrifts when implementing and maintaining on-line banking services.
FRS and OCC expressed concerns about the presentation of certain data
in the report. Specifically, FRS believed it would be useful to
differentiate between problems caused by hardware, software, or
operational failures and those caused by attacks on systems and felt
that presentation problems prohibited it from being able to interpret
the data sufficiently to determine the underlying causes of the
issues identified in the report. OCC was concerned that the report
did not sufficiently distinguish between significant and relatively
minor problems. We amended the report to reflect the actual
percentage of problems experienced for each category discussed,
rather than aggregating the problems into a single category.
However, the purpose of our survey was to obtain information on the
problems experienced by banks and thrifts that offered on-line
banking, and the scope of this work did not include an assessment of
the significance or underlying causes of the problems each
institution experienced. Moreover, information security experts we
spoke with emphasized that each of the problems identified was
considered to be a serious issue warranting attention.
OTS and FDIC stated that our projection that 47 percent of all U.S.
banks will be offering on-line banking by the end of 1998 appeared
high. This projection is based on the responses of randomly selected
banks that we surveyed and represents what they reported to us about
their future plans. Due to the size and characteristics of our
sample, our projection of the percentage of banks offering on-line
banking by the end of 1998 is subject to a sampling error of 15
percent, resulting in a confidence interval which ranges between 32
percent and 62 percent. We incorporated additional material in
appendix II to provide greater detail on our sampling and projection
methodology. In addition, we now show the sampling error for each
projection presented in the report.
---------------------------------------------------------- Letter :7.1
As agreed with your office, unless you announce the contents of this
report earlier, we plan no further distribution until 30 days after
the date of this letter. At that time, we will send copies of the
report to the Ranking Minority Member of your Committee, the Chairmen
and Ranking Minority Members of other interested congressional
committees, and individual Members. Copies will also be made
available to others on request.
This report was prepared under the direction of Kane Wong, Assistant
Director, Financial Institutions and Markets Issues. Other major
contributors are listed in appendix VII. Please contact either Mr.
Wong on (415) 904-2000 or me on (202) 512-8678 if you have any
questions about this report.
Sincerely yours,
Thomas J. McCool
Director, Financial Institutions
and Markets Issues
(See figure in printed edition.)Appendix I
TELEPHONE SURVEY INSTRUMENT
============================================================== Letter
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
OBJECTIVES, SCOPE, AND METHODOLOGY
========================================================== Appendix II
Our objectives for this assignment were to determine (1) the number
of banks and thrifts (referred to as banks in this report) that
reported they offer, or plan to offer, on-line banking and the types
of services they reported; and (2) the experiences reported by banks
in implementing their on-line banking systems as well as their
efforts to mitigate associated risks. We focused our work on those
U.S. banks and thrifts that accepted retail deposits or provided
retail services.
To accomplish our objectives, we conducted a telephone survey between
May 1997 to mid-June 1997 of 349 banks, which included 219 banks that
available information suggested were offering on-line banking
services\7 and 130 randomly selected banks that were representative
of the remaining banks and thrifts in the United States. The random
sample of 130, stratified across 7 size categories, was drawn from a
population of 11,288 banks and thrifts that remained in a database of
the September 1996 Federal Financial Institutions Examination
Council's Call Reports and the Office of Thrift Supervision's Thrift
Financial Reports after the banks and thrifts previously identified
as on-line banking providers were removed, as shown in table I.1.
Although neither GAO nor the agencies that produced the source data
have fully assessed the reliability of this database, Call Report
data are widely used by researchers in academia, government, and
private industry.
Table II.1
Disposition of Bank and Thrift Survey
Sample
Sample disposition
----------------------------------
Refusals/
Sample Original Ineligible no Usable Response
source population Sample \a response response rate\b
-------- ---------- ---------- ---------- ---------- ---------- ----------
Previous 219 219 42 16 161 91%
ly
known
on-
line
banking
offeror
s
Stratifi 11,288 130 12 2 116 98%
ed
random
sample
of
remaini
ng
banks
and
thrifts
================================================================================
Totals 11,507 349 54 18 277 94%
--------------------------------------------------------------------------------
\a No longer in business, acquired or merged with another
institution, or duplicate listings.
\b Response rate was calculated as the number of banks and thrifts
completing usable questionnaires divided by the number of eligible
banks and thrifts in the sample (original sample minus ineligibles).
Source: GAO survey.
We contacted officials representing the 349 institutions in our
sample by telephone to determine whether the institution was
currently an active bank eligible for our survey and found that 295
banks were eligible. For those eligible banks, we asked the bank to
identify the most appropriate respondent, and we then mailed that
person a letter requesting his or her participation in our telephone
survey. We also faxed the telephone questionnaire to 10 banks that
could not respond to our questionnaire by telephone and asked them to
return the questionnaire by fax. When we completed our fieldwork in
mid-June 1997, 277 of the 295 eligible banks (94 percent) from our
original sample of 349 had provided complete responses. We did not
verify the information provided by survey respondents.
To accomplish our first objective, we asked each respondent whether
the bank offered or planned to offer on-line banking to retail or
corporate customers and the reasons for offering or not offering
on-line banking. In addition, we asked these officials about the
types of on-line banking services their banks offered. We found that
185 of the 277 banks we contacted reported they offered on-line
banking services. We found that many of those banks were affiliated
and a single official was able to provide on-line banking information
on several banks in our survey. Thus, we interviewed only 93 bank
officials who were able to provide information for the 185 banks that
reported offering on-line banking in our survey.
Our estimates of the (1) overall numbers of U.S. banks offering or
intending to offer on-line banking and (2) specific services offered
are projected to the entire population of approximately 10,520 U.S.
banks we estimate to have been active at the time of our survey. To
arrive at 10,520 banks from the original population of 11,507, we
adjusted the original number on the basis of the number of ineligible
banks we found during our review. To make such estimates, we
assigned each completed survey questionnaire a mathematical weight
proportional to the number of other unsampled banks in the stratum
that the sampled bank was to represent. We assigned a weight of 1 to
banks previously identified with on-line banking systems, as they
were not drawn at random to represent a larger stratum of nonsampled
banks. For example, to arrive at our population estimate of 4,220
banks that do not currently offer any on-line banking services but
plan to offer at least 1 such service by December 1998 (see app. I,
ques. 3), we multiplied each of the 36 sampled banks that gave us
this answer by a weight, ranging from 1 to 336, depending on which
size stratum each was drawn from. Because we surveyed only a sample
of banks, these estimates have a sampling error, which is a measure
of the precision with which the estimated value approximates the
actual value. Sampling errors are calculated at the 95 percent
confidence level for each weighted estimate made and are reported in
the text.
To accomplish our second objective, to determine the experiences
reported by banks in implementing their on-line banking systems as
well as efforts to mitigate associated risks, we based our results on
the responses of the officials we interviewed and did not project the
results to all active banks in the United States. We obtained
information for 185 banks on (1) the channels used to deliver on-line
banking services, (2) the reasons for implementing on-line banking,
(3) whether on-line banking met or exceeded expectations, and (4) the
electronic links that banks had with other payment systems. We
limited certain information obtained from these officials to the
banks they directly represented. Specifically, these officials
provided information for 93 banks on (1) problems experienced, (2)
risk identification, and (3) risk mitigation efforts.
The difficulties of conducting any survey may introduce other types
of "nonsampling" errors that affect both the weighted and unweighted
estimates. For example, differences in how a particular question is
interpreted, or in the sources of information that are available to
respondents, can introduce unwanted variability into the survey
results. Although we did not verify the survey results, we took
various steps to reduce nonsampling errors. Prior to designing our
telephone questionnaire, we interviewed information security experts
and federal agency officials to identify the types of potential risks
and problems that could be associated with on-line banking as well as
basic security features that could help prevent the occurrence of
such problems. We also reviewed relevant documents and technical
literature on these issues. We then solicited expert opinions on the
wording and structure of our questions, and we pretested the survey
instrument with several banks.
All data collected during our survey were keypunched and verified
during data entry, and computer analyses were performed to identify
additional inconsistencies or other indications of errors. All
computer analyses were checked by an independent analyst.
In this study, we did not attempt to determine the effectiveness of
security measures that banks implemented to prevent the occurrence of
on-line banking problems. To do so would have required us to look at
numerous factors, such as particular computer system architectures
and banks' policies and guidance.
In addition, we interviewed information security experts from
Lawrence Livermore Laboratory; Science Applications International
Corporation; Advanced Programming and Development, Inc; the
Department of Defense; and the National Institute of Standards and
Technology to identify potential risks and problems associated with
on-line banking as well as basic security features that could help
prevent such problems. We also discussed these issues with officials
from the Federal Reserve System, Federal Deposit Insurance
Corporation, Office of the Comptroller of the Currency, Office of
Thrift Supervision, and the Department of the Treasury. We further
contacted officials from the Federal Bureau of Investigation, the
President's Commission on Critical Infrastructure Protection, the
American Bankers Association, the Bankers Roundtable, and the
California Bankers Association.
We conducted our review between October 1996 and October 1997 in
accordance with generally accepted government auditing standards. We
provided a draft of this report to the Federal Reserve System, Office
of the Comptroller of the Currency, Federal Deposit Insurance
Corporation, Office of Thrift Supervision, and the Department of
Justice for comment. The four regulatory agencies provided written
comments, which are reprinted in appendixes III through VII. In
addition, these four regulatory agencies and the Department of
Justice's Federal Bureau of Investigation provided technical
comments, which we have incorporated where appropriate in the report.
(See figure in printed edition.)Appendix III
--------------------
\7 We consulted an Internet-based directory of North American banks
that offered on-line banking, maintained by the Online Resources &
Communications Corporation. We did not validate the coverage or
content of the directory.
COMMENTS FROM THE FEDERAL RESERVE
SYSTEM
========================================================== Appendix II
(See figure in printed edition.)
The following are GAO's comments on the Federal Reserve System's
letter dated November 14, 1997.
GAO COMMENTS
1. FRS commented that the draft report overstates the extent to
which real security problems may exist due to the inclusion of
unsuccessful unauthorized attempts to access a system or inadvertent
errors by authorized users. In order to eliminate any confusion, our
discussion was changed to comment only on the number of banks
reporting unauthorized access attempts and, thus, excludes the one
bank that classified a customer error as an unauthorized access
attempt. The purpose of our survey was to obtain information on the
problems reported by banks and thrifts that offered on-line banking,
and the scope of the work did not include an assessment of the
significance or underlying causes of the problems each institution
experienced.
2. FRS suggested that we clarify our use of the terms "denial of
service" and "disruptions in service." We did not differentiate these
terms in the question we posed to the banks. Our question was
directed to whether the bank was unable to provide service regardless
of whether it was due to a malicious intent or breakdown in the
hardware or software supporting the system and thus cannot be used to
determine underlying causes.
(See figure in printed edition.)Appendix IV
COMMENTS FROM THE COMPTROLLER OF
THE CURRENCY
========================================================== Appendix II
(See figure in printed edition.)
(See figure in printed edition.)Appendix V
COMMENTS FROM THE FEDERAL DEPOSIT
INSURANCE CORPORATION
========================================================== Appendix II
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
The following are GAO's comments on the Federal Deposit Insurance
Corporation's letter dated November 17, 1997.
GAO COMMENTS
1. FDIC stated that the survey results in our draft report did not
include telephone banking or the experiences or efforts of the credit
union industry. Although we agree that these are important subjects
to cover, they were beyond the scope of our work.
2. FDIC commented that it would be useful to provide an analysis of
the survey results by bank asset size. An analysis of survey results
organized by asset size of the banks would be helpful. However, we
were not able to project distinctions between asset size categories
because of the size of our sample.
3. FDIC commented that it had rarely encountered an electronic link
between banks under its review and other systems, including Fedwire.
It commented that it may be possible that the survey question may
have been ambiguous. In addition, FDIC said it has seen very few
banks offer their customers the ability to directly transfer funds to
other banks. We specifically asked the banks whether their on-line
banking services were electronically linked to Fedwire and other
systems. In addition, we recontacted one bank that examiners told us
they believed was not linked to Fedwire, and bank officials told us
that in fact the bank did have an electronic link to the Fedwire
system. In regard to transferring funds between banks, we
specifically asked the banks whether their on-line systems allowed
customers to authorize or perform interbank funds transfers. We did
not validate whether customers could actually perform these
transfers, and we presented the information as it was reported to us.
4. FDIC stated that the number of reported experiences of employee
sabotage and internal attacks was low and contrary to other recent
reports. We recognize that internal attack is one of the biggest
threats to on-line banking. However, we were limited to presenting
the number of experiences that the banks reported to us. Although
the FBI had information that insider attacks constitute a large
number of computer crimes, FBI officials told us the information is
not specific to the banking industry. See page 14.
(See figure in printed edition.)Appendix VI
COMMENTS FROM THE OFFICE OF THRIFT
SUPERVISION
========================================================== Appendix II
(See figure in printed edition.)
the attachment.
The following is GAO's comment on the Office of Thrift Supervision's
letter dated November 17, 1997.
GAO COMMENT
1. The Office of Thrift Supervision described its agency's efforts
in providing guidance to thrift institutions on retail on-line
personal computer banking. We have added to the report OTS'
expectations that thrifts providing services over the Internet
evaluate and mitigate risks to their on-line systems. See page 9.
MAJOR CONTRIBUTORS TO THIS REPORT
========================================================= Appendix VII
GENERAL GOVERNMENT DIVISION,
WASHINGTON, D.C.
Carl Ramirez, Senior Social Science Analyst
Delois Richardson, Computer Specialist
SAN FRANCISCO OFFICE
Denise Callahan, Evaluator-in-Charge
Grace Sakoda, Evaluator
May Lee, Evaluator
Gerhard C. Brostrom, Communications Analyst
OFFICE OF THE GENERAL COUNSEL,
WASHINGTON, D.C. BN PAUL G.
THOMPSON, ATTORNEY
*** End of document. ***
|
