
Committee on Financial Services

United States House of Representatives


Testimony

Before the Subcommittee on Domestic and International Monetary Policy, Committee on Banking and Financial Services, House of Representatives


An assessment of the challenges of Internet
banking and the necessary steps to protect the
safety and privacy of the public


Statement of Michael Haskel Vaughn
Executive Vice President
SBS Corporation

S|B|S

The Leader in Banking Technologies

1500 Resource Drive, Birmingham, AL 35242, (205) 408-4600, fax: (205) 408-4606


Mr. Chairman and Members of the Subcommittee:

Thank you for inviting me here today. I welcome the opportunity to share my assessment of the challenges of Internet banking and the necessary steps to protect the safety and privacy of the public in using this technology.

Statement Context

SBS Corporation is a "third-party firm" providing "Internet banking support services" as referenced in the General Accounting Office testimony given today. Most of our clients are community banks having assets of less than one billion dollars. In the context of this testimony, I am referring to these community banks when I use the term "bank".

Overt, Common and Strategic Risks

When assessing the challenges of Internet banking, I break the risks down by three categories – Overt, Common, and Strategic. All of these risks can be mitigated through the implementation of proper technology, coupled with diligent and professional operation following safe and sound practices.

Internet banking combines private financial data, including monetary transactions, with complex technology and communication through a public medium - the Internet. There are many overt risks in doing this, often sensationalized yet legitimate. Overt risks tend to involve security issues. Some of these risks include:

  • Theft of private information in transit on the Internet.
  • Unauthorized access of the bank’s database.
  • Criminal creation of fraudulent monetary transactions.
  • Vandalism of the bank web site with electronic graffiti.
  • Disruption of the accurate functioning of the web site.
  • A complete shutdown of the web site and a denial of service to customers.
  • The creation of a totally fraudulent bank or the usurpation of a legitimate bank site by criminals.

Sources of these risks range from the casual voyeur or thrill seeker with no intent of harm to entities intending a truly malicious attack. They include for example:

  • Determined hackers[1] bent on cracking a site just as a "trophy".
  • Children with freely available and automated "hacking" tools.
  • People who would deface or disrupt a site, for reasons we may never understand.
  • Traditional yet technologically savvy criminals.
  • Terrorists seeking new forms of attack and seeing American financial institutions as highly visible targets.

The implementation and proper use of today’s encryption, firewall, and intrusion detection technologies mitigate these overt risks.

Common risks are those associated with any computer operation such as:

  • Year 2000 issues.
  • Mechanical failure.
  • Software bugs.
  • Human operator error.
  • Loss of trained personnel through employee turnover.
  • Computer viruses.
  • Lack of system capacity to handle the workload.
  • Power failure.
  • Disruption of communication lines.
  • Lack of disaster recovery capability in the case of a catastrophic event such as a fire, tornado, hurricane or earthquake.

These common risks can be mitigated with proper management and by following professional information systems guidelines for operating mission critical systems.

Strategic risks are usually ongoing or indirect, and are harder to define and measure. These risks include:

  • Software for the customer that lacks intuitiveness and is frustrating to use.
  • Rapid obsolescence of hardware and software requiring unplanned upgrades.
  • Keeping up with the emergence of new security risks and their countermeasures.
  • The ongoing rapid pace of development in hardware and software, creating significant education and training challenges.
  • Lack of knowledge to manage this complex environment.
  • Law enforcement preparedness.

In addition to the obvious potential for direct financial loss from any of these types of risk, the bank also risks damage to its reputation and the erosion of its customer base.

Privacy Protection Issues

Privacy loss is the single greatest risk facing the public on the Internet. A cornerstone of ensuring privacy is the use of data encryption. Employing encryption is straightforward and to the best of my knowledge, used in all Internet banking applications.

Beyond addressing privacy issues by ensuring a secure Internet banking environment for the public:

  • The bank should assess third parties involved in Internet banking for trustworthiness. All third parties with access to confidential customer information should be under contractual obligation to keep such information confidential, and to restrict its use to the fulfillment of the contract.
  • Key pieces of identifying information, such as a customer’s PIN[2], password, or account number, should not be displayed on the customer’s screen and should be masked from casual "over the shoulder" observation.
  • Internet banking sessions should automatically terminate if idle too long, in order to protect customers who leave their PCs unattended once they have entered their passwords.
  • The bank should caution customers that email, in general, is not secure and should not be used for confidential matters. The Internet banking software should have its own internal secure method for sending and receiving confidential information.
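One way to implement two of the controls listed above, masking identifiers on the customer's screen and terminating idle sessions, as an added example that is not SBS's code or part of this testimony; the 10-minute timeout value and the class and field names are assumptions chosen for illustration:

```python
"""Idle-session timeout and on-screen masking for an Internet banking session.

Constructed example, not SBS code: the timeout value and names are assumptions.
"""
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 600  # assumed policy: end the session after 10 idle minutes


def mask_identifier(value: str, visible: int = 4) -> str:
    """Replace all but the last `visible` characters with asterisks.

    Values no longer than `visible` are masked completely, so a short PIN is
    never echoed back to the screen at all.
    """
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


@dataclass
class BankingSession:
    customer_id: str
    account_number: str
    last_activity: float      # seconds, from the caller's clock
    authenticated: bool = True

    def is_active(self, now: float) -> bool:
        """True while authenticated and within the idle window; expiry is sticky."""
        if not self.authenticated:
            return False
        if now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.authenticated = False   # an expired session cannot be revived by activity
            return False
        return True

    def touch(self, now: float) -> bool:
        """Record customer activity; returns False if the session has already expired."""
        if not self.is_active(now):
            return False
        self.last_activity = now
        return True

    def render_summary(self, now: float) -> dict:
        """Data sent to the customer's screen: never the full account number."""
        if not self.is_active(now):
            return {"status": "expired",
                    "message": "Session ended after inactivity; please log in again."}
        return {"status": "active", "account": mask_identifier(self.account_number)}
```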

Independent Validation and Verification

To ensure the proper implementation of Internet banking, there must be independent validation and ongoing verification. Let me describe some of the steps SBS has taken along these lines.

SBS has received an ICSA[3] TruSecure Web Host Compliance certification. The ICSA is a worldwide provider of Internet security assurance services. To receive this certification, SBS had to meet stringent guidelines verified by external electronic analysis that tested our security vulnerabilities as well as undergo an on site physical audit. The ICSA continues this electronic analysis on an ongoing basis.

To verify that we follow adequate and sound practices in our operations, we contract with an external auditor to perform a SAS 70 audit. To verify that our systems are available to customers, we contract with an external web site monitoring service, which accesses our systems through the Internet 24 hours a day. We are notified immediately if it is detected that our service becomes unavailable or even has a slow response.

As a third party provider of services to banks, SBS is subject to regulatory examination under the Bank Service Company Act. In April of this year, during a joint regulatory Year 2000 readiness examination led by the OCC, a brief overview of our Internet banking system was conducted.

Regulatory Related Challenges

As a third party firm, SBS welcomes the regulatory oversight of our operations. We view examinations by regulators almost as a service provided to us, and as assurance to my clients that SBS is following safe and sound policies and procedures.

In June of this year, we participated in an FFIEC[4] study of third party providers of Internet banking services. We appreciated the opportunity to present a detailed overview of SBS’ Internet banking and receive feedback from a room full of examiners representing all five regulatory agencies. This study was primarily concerned with identifying risks to the supervised institutions and developing "best practices" for risk management, examination and supervisory oversight. One of the challenges to Internet banking is the readiness of regulators to meet the goals of this study. Given the accelerating pace of growth in Internet banking and the rightful allocation of limited regulator resources to the higher priority Year 2000 computer problem, I hope there is continued cooperation between the regulators under the auspices of the FFIEC. I would recommend the joint development of "best practices" to help ensure the timely implementation of consistent practices in all financial institutions regardless of the supervising regulatory agency.

Another challenge to Internet banking will be finding examiners with the appropriate expertise and training in information systems to perform detailed examinations. This issue can only be addressed with the proper allocation of personnel and time. My understanding is that the OCC uses information system specialists in this role. I applaud this approach, but I think it would be wise for all examiners to be familiar in general with the appropriate "best practices" being developed.

Summary

The acceptance of Internet banking by both banks and the public has already reached statistically significant levels. The technology and expertise exist to mitigate the risks involved and assure the public’s safety and privacy, if properly implemented. Due to the significant resources required to achieve this assurance, I predict that most community banks will outsource Internet banking to a trusted third party. There will be additional benefits from this practice such as allowing for concentrated and coordinated examinations by regulatory agencies. Another benefit will be that when a given bank rolls out its Internet banking offering to the public for the first time, it will actually be rolling out a system well tested and in general use by other banks.

Even when using a third party service, a bank has responsibilities that it cannot outsource. The four types of weakness in risk mitigation, discussed in the GAO testimony, involve responsibilities that the bank must retain.

Mr. Chairman, this concludes my prepared statement. I will be pleased to answer any questions you or other members of the committee may have.

For questions regarding this testimony you may contact:
Mike Vaughn, EVP
SBS Corporation
1500 Resource Drive
Birmingham, AL 35242
205-408-4600

__________________________
1. The label 'hacker' has come to connote a person who deliberately accesses and exploits computer and information systems to which he / she has no authorized access. The Convoluted Terminology of Information Warfare by Randall Whitaker, Ph.D.

2. Personal Identification Number

3. ICSA – www.icsa.net

4. Federal Financial Institutions Examination Council


Committee on Financial Services  •  2129 Rayburn House Office Building  •  Washington, DC 20515  •  (202) 225-7502
For Press Inquiries: (202) 226-0471