|
In Focus This Quarter
Banking on the Internet
New Technologies, New Opportunities, New Risks
- Despite the potential for lower transaction costs, increased efficiency, and greater
asset diversification, few banks do business through the Internet.
- Although competitive risks are pushing banks to create an Internet presence, operational
risks remain an obstacle to actually using those sites for moving information or
money.
- The FDIC's Division of Supervision recently released examiner guidance on Internet
banking and is developing training programs for its examiners.
The Allure of Cyberbanking
On-line Banking is a comprehensive term for transactions conducted over wires or
from remote locations. It includes banking by telephone, banking by personal
computer through a dial-up connection and, more recently, banking over the Internet.
Internet banking, frequently referred to as cyberbanking, is of particular interest
to banks because it exploits an existing and geographically extensive public network
infrastructure and promises a range of new operating and marketing benefits. One
such benefit is the ability for an institution to expand its trade area to include other
cities, states, regions -- or even countries -- without a commensurate expansion of its
branch structure. This greater geographic reach can do more than simply increase
volume. It also can offer institutions -- particularly smaller ones -- the potential
to diversify their asset portfolios across multiple regions, leaving them less exposed to
the economic volatility of any single one. Another benefit is the lower cost of
Internet delivery. A March 1996, study by Booz, Allen & Hamilton Inc.
estimated an average Internet transaction cost of $0.01 compared to $0.27 for an ATM,
$0.54 for a telephone, and $1.07 for a full-service branch.
Slow Migration to the Future
Another 1996 study, this one by Grant Thornton in July (see Chart 1), found that despite these potential benefits, most banks
established an Internet presence for appearance's sake -- being perceived as a leader,
advertising bank services or staying abreast of competitors -- rather than with an
intent to grow deposits or capture the transaction economies that cyberbanking could
provide. Of the 44 Internet institutions surveyed, only one in three expressed
intentions to begin offering bill payment or funds transfer over the Internet by the end
of the second quarter of this year. Even this subdued enthusiasm now appears
optimistic. Despite the perceived benefits and the scarcity of competition, few banks have
to date ventured into this area in a meaningful way. According to the Bankweb
world-wide web site, only 800 or so banks -- less than 1 percent of the industry -- have
an Internet site and only 18 of those permit transactions. In the San
Francisco Region, 120 institutions have an Internet presence but only three allow
customers to pay bills or transfer funds. A major question, then, is why so few
institutions have chosen to exploit this medium?
Chart 1
Source: Grant Thornton ''Banking on Cybercommerce: A Survey of
Internet Bank Product Plans'' |
Risk
The reason is risk. Banks are familiar with the control of exposures found in
proprietary or private payment channels, but they are less comfortable with the new risks
attendant to a public network. On one hand, there are operational exposures that
convincingly argue against rushing headlong into cyberspace. On the other hand, there are competitive
risks. Nonbank competitors with strong foundations in cybertechnology pose a budding
threat to the banks' historical payment-services monopoly and argue with equal authority
for an immediate Internet presence to gain or preserve market share. These opposing
forces help explain the large numbers of banks establishing web sites that stop short of
actually moving information or money.
Of these two types, operational risks are the most immediate and command the most
attention. They derive from the formative state of both the technology supporting
on-line commerce, and the legal and regulatory structure governing its use. These
risks include theft or misappropriation of internal data or external transmissions,
transaction fraud, errors in underwriting virtual transactions, liquidity shortfalls,
changing technical standards, inadequate or geographically inconsistent regulatory and
legal infrastructure, noncompliance with existing laws or regulations that were not
designed for an on-line world, and damage to an institution's reputation from the
realization of any or all of these risks (see Some Concerns for
the CyberBanker).
Systemic Threats and a New Payments Model
In addition to bank-specific risks there are the systemic threats that a public
domain payments model could bring. One of the key features of the Internet is
redundancy. Any one of a large number of possible paths can be used for a given
transaction and therefore the failure of any one path or node will not affect the
functionality of the network as a whole. This feature presents a multitude of new
and -- from a banker's perspective -- previously unconsidered points of vulnerability to
technologically-sophisticated miscreants. In a cyberworld of small value transactions, the
effects of an attack may not be much more severe than those which accompany credit card
crime. However, there is good reason to expect that Internet transaction sizes will
continue to grow. According to one software vendor, interbranch
payments on the Internet are likely to begin in 1997 with interbank activity to
follow a year or so later. This development would be a significant evolution because
wholesale transactions are generally large relative to bank liquidity. An attack or
disruption of the Internet payments mechanism for a single large transaction could
conceivably pass liquidity shocks to other banks in the same way that bad weather at a
major airport can disrupt air traffic throughout the country.
Some Concerns for the
CyberBanker
Internal Data Security. The
Internet cannot distinguish between customers and criminals. Invasive attacks can
range from simple vandalism to theft or destruction of proprietary operating or customer
data. Firewall software, data encryption, specialized hardware configurations and
commercial insurance can limit such exposures.
External Transmission Security. Because the Internet is an open network,
transaction messages are completely exposed, rendering them vulnerable to theft or
tampering. Message encryption is a common response, but hardware or implementation
flaws can circumvent it. This threat will increase greatly if large value or interbank
transactions migrate to the Internet.
Transaction Fraud. Fraud takes two forms: misrepresentation during a
transaction or repudiation following it. This problem takes new dimensions in
cyberspace because no physical relationship with a customer exists. Encryption
protocols which include digital signatures are one response. Biometric
authentication schemes, the most commonly proposed being fingerprint or retinal
verification, are another.
Difficulties with Virtual Underwriting. Even if your cyberborrowers are who
they claim to be, there remain difficulties in establishing their creditworthiness.
The lack of a personal relationship is one factor. The limited knowledge of local
employers and credit grantors that appear on applications is another. Such
difficulties could hasten and heighten dependency upon credit scoring models.
Liquidity Risks. Internet transaction volume and velocity are expected to
increase rapidly, potentially creating transactions which occur so rapidly as to exceed
immediate bank liquidity. Denial of service attacks, where a site is intentionally
deluged with transactions in order to shut it down, also can affect liquidity if affected
customers decide to close their accounts.
Lack of Technical Standards. An institution building an early presence on the
Internet is making a financial bet as to which standards will endure.
Lack of Regulatory and Legal Infrastructure. Regulators are waiting and
observing. Future promulgated "best practices" may not be those which an
institution has already adopted. Similarly, a lack of legal precedent hinders
criminal and civil prosecution of cybercriminals. Even where precedent exists, it is
frequently inconsistent across jurisdictions.
Reputation Risk. An image of solidity is a cornerstone of banking. Internet
banking confronts banks with more exposure and potentially greater publicity about losses.
Competitive Risks. Unlike the operational risks discussed above, competitive
risks accrue to institutions not securing an Internet foothold. They involve the
threat of lost market share or payment system position to more aggressive peers and
nonbank competitors. |
New Technologies, Old Reporting
The advent of fully transactional web sites also could heat up bank competition for low
cost deposits and frustrate regulatory oversight in the process. One possibility is
a "deposit arbitrageur," a hybrid of brokered deposits and program trading in
which a computer program could search the Internet for the highest deposit rates and
immediately reallocate deposits accordingly. In the long run, such activities could
harmonize local interest rates. In the short run, however, this rapid turnover could
mean substantial liquidity drains on institutions accustomed to local deposit
monopolies. From the regulatory perspective, this transaction velocity -- and its
potential to rapidly alter bank balance sheets -- could present new challenges in a world
of quarterly Call Reports and examination intervals that can exceed one year.
FDIC -- the CyberRegulator
New risks demand new supervision techniques and the FDIC's Division of Supervision
(DOS) has responded with their recently-released electronic banking safety and soundness
examination guidance. Under that guidance, institutions having Internet sites are
placed into one of three tiers based upon the "maturity" of their site.
Safety and soundness examination procedures focus on bank policies, procedures and
planning. The examination procedures are cumulative -- meaning that each successive
tier adds an additional level of scrutiny to the tiers below -- and do not require a
technical knowledge of Internet systems. "Information Specialist"
involvement also varies by tier (see Table 1). A DOS training
program for all safety and soundness examiners already has begun, and technical training
for information systems specialists is being developed. A new specialty, the
electronic banking Subject Matter Expert, also is being established.
Table 1
Measured Steps in a New Environment
Banks increasingly are becoming distributors of commodity-like products. As
such, profitability may become dependent upon both cost efficiencies and high volume -- a
combination sometimes argued as inconsistent with high-cost branch structures.
Internet banking offers institutions a means to compete in this new environment. It
also offers new risks. Recognizing this tradeoff, many banks have entered this realm
with measured steps. Those who have not face risk of a different sort. They
face instead the risk that their competitive position will pass to more innovative
competitors -- competitors with new technologies and the drive to accomplish old business
in thoroughly new ways.
Gary Ternullo, Senior Financial Analyst
gternullo@fdic.gov
For More Information:
|
| Division of
Supervision |
DOS currently is
implementing examination guidance for safety and soundness examiners and developing
training for technical specialists.
Cynthia Bonnette, Examiner
Chairman, New Banking Technologies Task Force
(202) 898-6583
Stephen White, Information Systems Review Examiner
Chairman, Information Systems Subcommittee
Federal Financial Institutions Examination Council Task Force on Supervision
(202) 898-6923
|
| Division of
Compliance and Consumer Affairs |
DCA is reviewing new
banking technologies from a consumer protection, fair lending and CRA perspective to
provide guidance on compliance matters. DCA also is coordinating outreach efforts with
consumer community groups.
John Jackwood, Special Assistant to the Director
(202) 942-3854
|
| Regional Office
Contacts |
J. Richard Mayher,
Assistant Regional Director
Division of Supervision
San Francisco Regional Office
(415) 546-0160
Charles Hasman, Review Examiner
Division of Compliance and Consumer Affairs
San Francisco Regional Office
(415) 947-4476
|
| Office of Policy
Development |
OPD provides leadership
in developing FDIC policies, including those addressing new banking technologies. The
office coordinates several interdivisional electronic banking efforts and represents the
FDIC on the interagency U. S. Treasury Consumer Electronic Payments Task Force.
Sharon Powers Sivertsen, Director
(202) 898-8710
|
| Related Web Sites
|
|
Regional Outlook main page
|
