Date of Examination
City
ELECTRONIC BANKING QUESTIONNAIRE (02/03)

This document is to be viewed as a learning tool. Constructive commentary is welcome. If you are already doing everything described in the questionnaire, you probably have a sound e-banking platform. If not, you should take into consideration the items not covered.

Please complete and sign the following questionnaire. These pages may be handwritten, typewritten, or completed electronically.

Which questions to complete:
   For banks with telephone banking only, complete questions 1 - 2.
   For an informational web site, complete questions 1 - 43.
   For an informational site that allows emails with sensitive information, complete questions 79 and 80 also.
   For a transactional web site, complete questions 1 - 93.
   If you have started offering electronic banking services within the last two years, also answer questions 94 - 97.

Refer to the last page for some terminology explanations.

Name of Bank under examination:
Bank's web site address:

1. Which of the following written plans and policies do you have (check the ones that you have)? If policies are available electronically, please provide them electronically (if not, please provide a paper copy).
   Strategic or business plan
   Security
   Contingency and Business Resumption
   Password (If no policy, provide actual procedures followed. If providing Internet banking, refer to question #67.)
   Email/Internet usage (If no policy, provide actual procedures followed.)
   Privacy policy
   For guidance on what should be included in some of the above plans or policies, please refer to the Division of Banking web site under the E-banking tab at www.idob.state.ia.us.
TELEPHONE BANKING

2. When did the bank begin offering telephone banking?
   a. Who is it offered through?
   b. How does the customer access it?
   c. What is the customer able to do once they have accessed their accounts?

PC BANKING

3. Do you offer PC banking? Yes No
4. How many customers utilize it?

WEB SITE

5. When did the bank's web site become active?
6. Is the web site address reported on the bank's quarterly call reports? Yes No
7. Where is the bank's web site hosted?
   In house
   Off site - Who is the host (name and location)?
8. Who is responsible for maintaining (updating and/or changing information) the bank's web site?
9. Does the bank have a contract with the web site host? Yes No
   If yes, provide a copy. If yes, does it include the following:
   Yes No  Liability for data and confidential treatment of information.
   Yes No  Reasonable assurances for continuation of service through backup arrangements in the event of a problem situation.
   Yes No  Security precautions on the part of the service provider.
   Yes No  Procedures to notify the bank of any unauthorized alteration and malicious attacks.
   Yes No  Regular backup of web site information.
10. How does the bank connect to the Internet?
   DSL   cable   T1 line   frame relay   56k dial up   28.8 dial up   ISDN   other (describe)
11. Is the bank's web site reviewed internally? Yes No
   If yes, how often is it reviewed? Who reviews it? What do they look at?
12. Does the web site undergo periodic review by any of the following?
   Yes No  Legal counsel - If yes, provide a copy.
   Yes No  CPA - If yes, provide a copy.
13. Are links and interactive programs checked for accuracy and functionality? Yes No
   If yes, who checks them and how frequently?
14. If links are included on the web page:
   Yes No  Has the bank taken steps to ensure that the customer understands they are leaving the bank's web site?
   Yes No  Does the bank provide some type of disclaimer of the bank's liability for transactions or information provided at these linked sites?
15. Are security measures in place to prevent the web site information from being altered? Yes No
   If yes, what are they?
16. a. How often is virus protection software updated on servers and workstations? How often is it run? Who is responsible for doing the updates?
   b. Are procedures in place for operating system updates? Yes No
      If yes, what are the procedures? Who is responsible for implementing the updates?
   c. Are procedures in place for receipt of software updates/patches? Yes No
      If yes, describe the procedures. Who is responsible for implementing the updates/patches? Are they tested before being put into production? Yes No
17. Is penetration testing done? Yes No
   If yes, how frequently is it done? Who does it? Are they bonded? Yes No  Who is responsible for reviewing the results?
18. Is an intrusion detection system in place? Yes No
   If yes, how frequently is it tested? Who is responsible for testing it? Who is responsible for reviewing it and monitoring the activity?
19. Are controls or procedures in place for any of the following?
   Yes No  Prevention of hackers from accessing the system
   Yes No  Prevention of line tapping
   Yes No  Discovered intrusion attacks
   Yes No  Attacks after hours
   If any are yes, please explain.
20. Does management keep up-to-date on addressing newly disclosed security threats to the computer operating system and application software? Yes No
21. Are firewalls in place? (For any that are yes, please list what type of firewall is in place at that location.)
   Yes No  At the bank -
   Yes No  At the web host -
   Yes No  At the outsource vendor -
22. Firewalls
   a. Who is responsible for installing, configuring, and updating the firewalls?
   b. Who is responsible for monitoring firewall activity?
   c. How frequently are the firewalls being monitored?
   d. What type of activity is being monitored?
   e. Are reports available on the activity?
   f. If someone other than the bank is monitoring the firewalls, are there monitoring and maintenance agreements in place? Yes No
23. Are all unused services blocked at the firewall? Yes No
   If yes, what ports are left open at the firewall?
24. Are controls in place restricting physical access to computer hardware, software, and communication equipment? Yes No
   If yes, explain.
25. Are loan and certificate of deposit rates posted to the bank's web site? Yes No
   If yes, how often are they updated and who is responsible for updating?
26. Are any application forms available on the web site? Yes No
   If yes, provide copies.
27. If applications are available on the web site, how does the customer submit them?
   Fax   Online   Mail   In-person   Other (explain)
28. Does the bank verify the legitimacy of the customer who has submitted the application? Yes No
   If yes, how is it verified?
29. If accepting customers over the Internet, are OFAC restrictions being considered? (OFAC stands for Office of Foreign Assets Control.) Yes No
30. List all personnel involved with electronic banking and their duties. (If available, provide an organizational chart.) Indicate the individual(s) responsible for the electronic banking area.
31. Does the bank have an Electronic Banking Committee (or something similar)? Yes No
   If yes, list the members and their responsibilities. How often do they meet?
32. What incentives does the bank provide for obtaining and retaining key IT personnel?
33. What is discussed with the Board of Directors regarding the bank's web site and services offered? (Provide copies if not already provided for the examination.)
34. Is the Board fully informed of the risks involved with electronic banking, and do they understand those risks (strategic, reputation, transaction, compliance)? Yes No
   Yes No  Is it noted in the minutes?
35. Is a review of electronic banking included in the annual Directors' exam (or a separate exam)? Yes No
   Yes No  Were any exceptions found?
   Yes No  Have they been addressed? Provide a copy of exceptions noted and management's response.
36. Does the bank have legal counsel review literature distributed to the public? Yes No
   If yes, provide a copy of any opinion received.
37. Please provide a copy of the bank's topology map (schematic diagram).
38. Electronic banking insurance policy - provide a copy if separate from the financial institution crime bond.
   a. What company is it with?
   b. What type of occurrence does the policy cover?
   c. How many occurrences does it stipulate must take place before coverage applies?
   d. What directors, officers, or employees are covered?
   e. What is the dollar amount of coverage?
   f. What is the deductible amount?
   g. What is the expiration date?
   h. Does it adequately cover the bank's capital?
   i. Is it approved by the board of directors? Yes No
39. Are the bank's hardware and phone lines protected from power surges, lightning strikes, etc.? Yes No
   If yes, how?
40. Are there any pending lawsuits/contingent liabilities relating to electronic banking activities? Yes No
   If yes, describe and provide an attorney's letter indicating the bank's liability and potential for loss.
41. Has the bank encountered any computer-related crime? Yes No
   If yes, what was the nature of the crime and was a suspicious activity report filed?
42. Has the bank checked into similar domain names (web addresses that are similar to or could be mistaken for the bank's)? Refer to FDIC Bank Technology Bulletin dated November 8, 2000. Yes No
43. What future plans, changes or other services are you contemplating offering on your web site within the next twelve months? (i.e. IT personnel, additional services, new or changed vendors, software, hardware, or operating procedures.)
TRANSACTIONAL WEB SITE

44. What is included on your transactional web site?
   Internet banking   Insurance services   Brokerage services   Small business services   Commercial business services   Portal services   Aggregation services   Trust services   Bill payment   Other (explain)
45. When did you start offering Internet banking?
46. What options are available to the customer once they have accessed Internet banking?
   Viewing of account balances
   Transfer of funds between accounts
   Bill payment
   Bill presentment
   24/7 customer service by phone or email
   Online application for checking and savings accounts
   Online mortgage and CD applications
   Viewing of loan status and credit card account information
   IRA and brokerage account information
   Checkbook reconciliation access
   Viewing of account history
   Viewing of digital checks online
   Ordering checks online
   Issuing stop payment orders online
   Other
47. What vendor is used for Internet banking?
48. What ongoing expenses are incurred - purpose and amount?
49. Have letters of assurance been obtained as required by Section 524.218 of the Code of Iowa? Yes No
50. Has the FDIC been notified in relation to Section 7(c)(2) of the Bank Service Company Act? (This form is not required if the bank is a Federal Reserve member.) Yes No
51. What services (if any) are customers being charged for and how much?
52. Does the bank have a written contract with the vendor? Yes No
   At a minimum, does it include the following:
   Yes No  Access, ownership and control of customer data and other confidential information.
   Yes No  Liability for data and confidential treatment of information.
   Yes No  Reasonable assurances for continuation of service through backup arrangements in the event of a problem situation.
   Yes No  Subcontractors and other supporting vendors, if applicable, including their roles and responsibilities.
   Yes No  Privacy of information with subcontractors.
   Yes No  Reasonable control and update of content and capabilities in a timely manner.
   Yes No  Opportunities to review financial information, independent annual audits and similar reports (SAS 70).
   Yes No  Security precautions on the part of the service provider.
   Yes No  Does it prohibit assignment?
   Yes No  Hardware and software upgrades.
   Yes No  Price changes.
   Yes No  Reasonable penalty and cancellation provisions.
   Yes No  Training.
   Yes No  Problem resolution.
   Yes No  The bank's ability to monitor, store and retrieve electronic transmissions (including messages and data) between the bank and its customers.
   Yes No  Initial pricing, including down payments, and continuing costs.
   Yes No  Description of the work to be performed or service to be provided.
   Yes No  Provisions for handling disputes.
   Yes No  Protection if the vendor exits the business.
   Yes No  Insurance to be maintained by the vendor is specified.
53. Did legal counsel review the vendor contract? Yes No
54. Does the expiration date of the contract coincide with that of any subcontractors? Yes No
55. Has management received assurance that the vendor has conducted due diligence reviews of any subcontractors? Yes No
56. Have you checked what insurance coverage the vendor has? Yes No
   If yes, what do they have?
57. Has the bank reviewed the vendor's contingency plan and procedures? Yes No
   If yes, are you comfortable with the plan and/or procedures? Yes No
58. Are there stress (volume) testing procedures in place to determine the capacity of the vendor's system? Yes No
   If yes, give details.
59. Have you had any problems with the vendor? Yes No
   If yes, give details.
60. Do you obtain financial information on the vendor? Yes No
   If yes, how frequently do you receive it and when did you last get it? Who reviews it?
61. Did you receive a copy of the most recent audit report on the vendor (SAS 70)? Yes No
   If yes, please provide the report.
   Yes No  Was the management letter also requested and received? If yes, please provide a copy.
62. Does the bank belong to any vendor user groups? Yes No
63. How is the bank's internal network connected to the outsourcing vendor?
   DSL   Cable   56k dial up   ISDN   T1 line   Frame relay   28.8 dial up   Other (describe)
64. What type of environment does the Internet banking site operate in?
   real time (is the mainframe updated immediately?)   batch processing   memo post
65. If using batch processing, how and when is information transferred between the vendor and the bank?
66. List personnel authorized to access the management side of the bank's Internet banking system and their levels of access. Who reviews this for appropriateness and how often is it reviewed?
67. Provide password procedures on the following:
   EXTERNAL (customers)
   a. Authentication of user
   b. Customer locked out of account
   c. Initially issuing password
   d. Frequency of password change and is it required
   e. Automatic log-off controls for user inactivity
   f. Do excessive failed access attempts disable access and how many failed attempts is excessive
   g. Requirement for make-up of password
   h. Customer loses or forgets password
   i. Any other procedure not listed above:
   INTERNAL (bank personnel)
   a. Frequency of password change and is it required?
   b. Log off procedure when leaving station
   c. Do excessive failed access attempts disable access and how many failed attempts is excessive
   d. Requirement for make-up of password
   e. Any other procedure not listed above:
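The customer-side controls that question 67 asks a bank to document (lockout after excessive failed attempts, automatic log-off on inactivity, a required password change interval, and a composition requirement) are easier to reason about when seen together in code. The following Python is an added example written for this page; it is not a procedure from the Division of Banking or from any bank or vendor. The thresholds (5 failed attempts, 10 minutes of inactivity, a 90-day maximum password age, an 8-character minimum), the salted PBKDF2 hashing, and the in-memory Account record are all assumptions chosen for the illustration, and times are plain integer seconds so the checks are easy to follow.

```python
"""Added example (not from the questionnaire): a minimal model of the
customer-side password controls named in question 67.
All policy thresholds below are assumptions for the illustration; a bank
would take them from its own written password policy."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5          # 67.f: lock the account at this many failures
INACTIVITY_TIMEOUT = 10 * 60     # 67.e: seconds of idle time before automatic log-off
PASSWORD_MAX_AGE = 90 * 86400    # 67.d: seconds before a password change is required
MIN_LENGTH = 8                   # 67.g: minimum password length


def meets_composition(pw: str) -> bool:
    """67.g: at least MIN_LENGTH characters with a letter, a digit and a symbol."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is not the password itself (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_set_at: int                        # seconds; when the current password was set
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[int] = None   # None means no active session


def create_account(pw: str, now: int) -> Account:
    """67.c: the initially issued password must itself satisfy the composition rule."""
    if not meets_composition(pw):
        raise ValueError("password does not meet the composition requirement")
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(pw, salt), pw_set_at=now)


def login(acct: Account, pw: str, now: int) -> str:
    """67.a/b/f: returns 'ok', 'locked', 'bad_password' or 'change_required'."""
    if acct.locked:
        return "locked"                      # 67.b: a locked-out customer cannot proceed
    if not hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True               # 67.f: excessive failures disable access
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0                 # a good login clears the counter
    if now - acct.pw_set_at > PASSWORD_MAX_AGE:
        return "change_required"             # 67.d: expired password, no session yet
    acct.last_activity = now
    return "ok"


def record_activity(acct: Account, now: int) -> None:
    """Call on each customer action so the idle timer restarts."""
    if acct.last_activity is not None:
        acct.last_activity = now


def is_session_active(acct: Account, now: int) -> bool:
    """67.e: a session idle longer than INACTIVITY_TIMEOUT is logged off."""
    if acct.last_activity is None:
        return False
    if now - acct.last_activity > INACTIVITY_TIMEOUT:
        acct.last_activity = None            # automatic log-off
        return False
    return True


def reset_password(acct: Account, new_pw: str, now: int) -> None:
    """67.b/h: after the bank has verified the customer's identity by its own
    procedure (outside this example), issue a new password and clear the lock."""
    if not meets_composition(new_pw):
        raise ValueError("password does not meet the composition requirement")
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_pw, acct.salt)
    acct.pw_set_at = now
    acct.failed_attempts = 0
    acct.locked = False
    acct.last_activity = None


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    a = create_account("Winter-2024", now=0)
    result = ""
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = login(a, "wrong-guess", now=1)
    print("after repeated failures:", result)            # locked
    reset_password(a, "Spring-2024", now=100)
    print("after reset:", login(a, "Spring-2024", now=101))   # ok
    print("active after 5 min idle:", is_session_active(a, 101 + 300))
    print("active after 11 min idle:", is_session_active(a, 101 + 660))
```

Each function maps to one lettered item under EXTERNAL (customers), so the example doubles as a checklist of what a written procedure for 67.a through 67.h needs to state: the lockout threshold, the idle timeout, the change interval, the composition rule, and who may unlock or reissue a password. The identity check before a reset is deliberately left to the bank's own procedure, since that is what item 67.h asks the bank to describe.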
68. Do employees have access to customer passwords? Yes No
69. Other than applications, are any types of lending or loan advances done over the Internet? Yes No
   If yes, provide procedures followed.
70. Are procedures in place to prevent transfers of uncollected funds? Yes No
   If yes, describe procedures.
71. Are safeguards in place to detect and prevent duplicate transactions? Yes No
   If yes, describe.
72. Are there procedures for verifying the legitimacy of customer requests for changes to their accounts or customer information? Yes No
   If yes, describe the procedures.
73. What vendor(s) is utilized for the bill payment function?
74. How many customers are signed up for Internet banking and/or bill payment?
75. Does the bank provide a guarantee or warranty when a payment is not properly made through the bill payment system? Yes No NA
   If yes, what is the guarantee or warranty?
   Yes No NA  Has it been reviewed by legal counsel?
76. Other than Internet banking or bill payment, has the bank contracted with any other vendors for services on the web site? (List vendor name, location, and service.)
77. What exception reports are received for any transactional functions on the bank's web site? (Provide a sample of reports received.)
   a. How often are they reviewed and by whom?
78. What activity reports are received? (Provide a sample of reports received.)
   a. How often are they reviewed and by whom?
   b. Do they track the nature, volume, speed, and trends?
   c. How do the results compare to bank projections?
79. Is the bank using digital signatures and/or digital certificates?
   Yes No  Digital signatures
   Yes No  Digital certificates (or ID)
80. At what level is sensitive data encrypted?
   40-bit   128-bit   other (describe)
81. Does the bank have procedures in place for when there is an interruption in service of Internet banking for the customer (contingency plan)?
   Yes No  Due to disaster (natural, human, technological) at the bank level.
   Yes No  Due to disaster (natural, human, technological) or lack of capacity at the vendor level.
82. Do IT personnel participate in training programs? Yes No
   If yes, what types of programs?
83. Is electronic banking training provided to other officers and employees of the bank? Yes No
84. Does the bank or outsource vendor have a software escrow agreement in place? Yes No
   If yes, how often is the escrowed software independently verified as being current and complete?
85. Does the bank have a target market or trade area for the Internet?
   Yes No  Target market - If yes, what is it?
   Yes No  Trade area - If yes, what is it?
86. Are any policies and procedures in place to address activities beyond the traditional trade area? Yes No
   If yes, what are they?
87. Did the bank do a cost analysis specifically on electronic banking? Yes No
   If yes, provide a copy.
88. Are income and expense items related to electronic banking included in the annual budget? Yes No
89. Are guidelines for retention of source documents supporting electronic banking activities in place? Yes No
90. Has management established programs and/or procedures for the following?
   Yes No  Customer service, support, and education - If yes, describe.
   Yes No  Customer demands, problems, and complaints - If yes, describe.
91. Where nondeposit investment products are offered or promoted on the bank's web site, are the following disclosures included (at a minimum)?
   Yes No  Not FDIC insured
   Yes No  Not a bank deposit, bank obligation, or guaranteed by the bank
   Yes No  Subject to investment risk, including potential loss of principal
   Yes No NA  If required, was approval received from the Superintendent of Banking?
92. Are you allowing customers to advertise on the bank's web site? Yes No
   If yes, what disclosures are included on the page?
93. Have steps been taken to safeguard information in regards to Gramm-Leach-Bliley (GLBA) 501(b)? Yes No

IF THE BANK BEGAN OFFERING ELECTRONIC BANKING SERVICES WITHIN THE LAST TWO YEARS - PLEASE ANSWER THE QUESTIONS BELOW:

94. What was your reasoning for offering Internet banking and/or any other electronic banking services?
   Profit   Convenience   Retain customers   Competition   New customers   Customers' request   Other (explain)
95. How did you choose which vendor to use?
96. What was the initial set-up cost?
97. Was testing done with employees before offering to customers? Yes No
   If yes, what date did testing with employees start? What date did you start offering to customers?

Signature of person in charge of electronic banking: ______________________________________________________
Date signed: _________________
DEFINITIONS:

Web site - The bank's home page and other proprietary pages located on the World Wide Web.

Three types of web sites:
   LEVEL 1 - Site is informational only and may allow nonsensitive emails (informational).
   LEVEL 2 - Level one with the addition of allowing sensitive information emails (interactive).
   LEVEL 3 - Fully transactional, including facilitating electronic funds transfer and other financial transactions (if you offer Internet banking, you are a transactional site) (transactional).

Electronic banking - Delivery of banking services through the use of electronic communications, primarily the Internet. Electronic banking may include: Internet banking, ATMs, wire transfer, telephone banking, EFT, and debit cards.

Internet banking - Banking services available through the bank's web site.

Security administrator - Person directly responsible for the security controls.

System administrator - Individual responsible for managing a multi-user computer system.

Software escrow agreement - Many vendors do not release the source code to the purchaser. This is intended to protect their system's integrity and copyright. The application system is installed in object code. An alternative to receiving the source programs is to establish an escrow agreement. In this agreement, which should be part of the service contract or exist as a separate document, the financial institution would be allowed to access the source programs under certain conditions, such as discontinued product support or financial insolvency of the vendor. Adequate programming and system documentation should also be required. A third party would retain these programs and documents in "escrow". Financial institutions should determine periodically that the source code maintained in escrow is up-to-date. This can be done by a third party independently verifying the version number of the software.