Appendix 79

IT RISK MANAGEMENT STANDARDS AND GUIDELINES
Area: Electronic Banking, Electronic Payment, Electronic Money and Other Electronic Products and Services
(Appendix to Sec. 148 on Purpose and Scope, and IT Risk Management Systems)

1. INTRODUCTION

1.1. Continuing technological innovation and competition among existing FIs and new entrants have contributed to a wide array of electronic products and services (e-services) available to customers. These products and services have been widely adopted by BSFIs in recent years and are now a component of most institutions’ business strategy. Electronic delivery of services can have many benefits for BSFIs and their customers and can also have implications on financial condition, risk profile, and operating performance. The emergence of e-services may contribute to improving the efficiency of the banking and payment system, reducing the cost of retail transactions nationally and internationally and expanding the target customers beyond those in traditional markets. Consequently, BSFIs are becoming more aggressive in adopting electronic capabilities that include sophisticated marketing systems, remote-banking capabilities, and stored value programs.

1.2. Notwithstanding the significant benefits of technological innovation, the rapid development of electronic capabilities carries risks as well as benefits, and it is important that these risks are recognized and managed by BSFIs in a prudent manner to promote safe and secure e-services and operations. The basic types of risks generated by e-services are not new; however, the specific ways in which some of the risks arise, as well as the magnitude of their impact, may be new for BSFIs and supervisors. While existing risk management guidelines remain applicable to e-services, such guidelines must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of such activities. As the industry continues to address technical issues associated with e-services, including security challenges, a variety of innovative and cost-efficient risk management solutions are likely to emerge. These solutions are also likely to address issues related to the fact that BSFIs differ in size, complexity and risk management culture and that jurisdictions differ in their legal and regulatory frameworks.

2. ROLES AND RESPONSIBILITIES

2.1. Board of Directors (Board) and Senior Management. The Board is expected to take an explicit, informed and documented strategic decision as to whether and how the BSFI is to provide e-services to their customers. The Board and senior management should establish effective management oversight of the risks associated with these activities, including the establishment of specific accountability, policies and controls to manage these risks. Senior management oversight processes should operate on a dynamic basis in order to effectively intervene and correct any material systems problems or security breaches that may occur.

The Board should ensure that plans to offer e-services are consistent and clearly integrated within corporate strategic goals. The BSFI should also ensure that it does not offer new e-services or adopt new technologies unless it has the necessary expertise to provide competent risk management oversight. Management and staff expertise should be commensurate with the technical nature and complexity of the BSFI’s applications and underlying technologies.

The Board and senior management should ensure that the operational and security risk dimensions of the BSFI’s business strategies on e-services are appropriately considered and addressed. The provision of e-services may significantly modify and/or even increase traditional business risks. As such management should take appropriate actions to ensure that the BSFI’s existing risk management, security control, due diligence and oversight processes for outsourcing relationships are appropriately evaluated and modified to accommodate e-services.

BSFI management should assess the impact of the implementation and ongoing maintenance of e-services. These areas should be monitored and analyzed on an ongoing basis to ensure that any impact on the BSFI’s financial condition and risk profile resulting from e-services is appropriately managed and controlled. Management should evaluate e-services acceptance vis-à-vis its goals and expectations through periodic review of reports tracking customer usage, problems such as complaints and downtime, unreconciled accounts or transactions initiated through the system, and system usage relative to capacity. Insurance policies may also need to be updated or expanded to cover losses due to system security breaches, system downtime, or other risks from e-services.

2.2. Compliance Officer. The compliance officer or equivalent should be aware and informed of all relevant laws and regulatory requirements relative to the offering of e-services, including those of other countries where the BSFI also intends to deliver cross-border e-services. BSFI management should ensure that these requirements are complied with to minimize legal and compliance risks and other negative implications.

3. RISK MANAGEMENT SYSTEM

3.1. The BSFI should carefully evaluate the offering of a new e-service to customers to ensure that Management fully understands the risk characteristics and that there are adequate staffing, expertise, technology and financial resources to launch and maintain the service. A formal business strategy for introducing new service should be in place and form part of the BSFI’s overall strategy. The BSFI should also perform regular assessments to ensure that its controls for managing identified risks remain proper and adequate.

3.2. The underlying risk management processes for e-services should be integrated into the BSFI’s overall risk management framework and the existing risk management policies and processes should be evaluated to ensure that they are robust enough to cover the new risks posed by current or planned activities. Relevant internal controls and audit as required in BSFI’s risk management system should also be enforced and carried out as appropriate for its e-services. Regular review of the relevant policies and controls should be performed to ascertain that these remain appropriate to the risks associated with such activities.

3.3. The BSFI should adjust or update, as appropriate, its information security program in the light of any relevant changes in technology, the sensitivity of its customer information and internal or external threats to information. The BSFI should ensure that the related information security measures and internal control are installed, regularly updated, monitored and are appropriate with the risks associated with their products and services.

4. RISK MANAGEMENT CONTROLS

4.1. Security Controls. The BSFI should recognize that e-services should be secured to achieve a high level of confidence with both customers and business. It is the responsibility of BSFI management to provide adequate assurances that transactions performed and information flowed through the electronic delivery channels are properly protected. For this reason, the BSFI should maintain a strong and comprehensive security control system. As such, in addition to the information security standards in Appendix 75, the BSFI should also provide the following controls specific for e-services:

4.1.1. Account Origination and Customer Verification. The BSFI should use reliable methods for originating new customer accounts. Potentially significant risks may arise when it accepts new customers through the internet or other electronic channels. Thus, the BSFI should ensure that in originating new accounts using electronic channels, the KYC requirement which involves a face-to-face process is strictly adhered to.

4.1.2. Authentication. The BSFI should use reliable and appropriate authentication methods to validate and verify the identity and authorization of customers. Authentication is facilitated by the use of factors, which are generally classified into three (3) basic groups:

a. Knowledge – Something the user knows (e.g., username, password, mobile PIN, card number, account number);

b. Possession – Something the user has (e.g., payment card, token, one-time password); and

c. Inherence – Something the user is (e.g., biometrics).

As the number of factors increases, compromise becomes more difficult. The use of single-factor authentication alone is considered inadequate to address the risks inherent in sensitive communications and/or high-risk transactions. Thus, BSFIs should adopt multi-factor authentication (MFA), or use a minimum of two (2) factors, in such instances. This requirement shall apply to online transactions where the risk of compromise is heightened. Sensitive communications and/or high-risk transactions requiring MFA include, among others, the following:

a. Enrollment in transactional e-services;

b. Payments and transfers to third parties;

c. Online remittance, including those for pick-up at the BSFI branches or via door-to-door delivery;

d. Account maintenance, including change in account information and contact details; and

e. Use of payment cards (e.g., ATM, credit and debit cards) in e-commerce websites.

For transactions that do not require real-time or near real-time authentication/authorization, BSFIs may also opt to use positive confirmation in lieu of MFA. Positive confirmation refers to any form of communication that will enable the BSFI to timely and accurately verify the identity of the requesting customer. The BSFI should use a different communication channel other than the one where the request originated from when confirming sensitive communications and/or high-risk transactions.

The adoption of MFA techniques or positive confirmations for sensitive communications and/or high-risk transactions can increase customer confidence in e-services. In addition, it provides an opportunity for the customers to assist the BSFI in preventing and detecting fraudulent activity. Nevertheless, alternative and less stringent authentication procedures may be considered for the following:

a. Small-value payment or other low-risk transactions, provided the same are justified by a transaction risk analysis and bounded by prudent thresholds established by the BSFI. The BSFI’s methodology for setting the threshold should be adequately documented and independently validated at least annually;

b. Payments and transfers made to pre-enrolled merchants in the bills payment facility and those pre-registered recipients by the customer: Provided, That the BSFI employs a robust and reliable enrollment process for third party merchants and recipients; and

c. Transaction between two (2) accounts of the same customer at the same BSFI.

As authentication methods continue to evolve, the BSFI should monitor, evaluate, and adopt sound industry practices to address current and changing risk factors. The authentication process should be consistent with and support the BSFI’s overall security and risk management programs. An effective authentication process should have customer acceptance, reliable performance, scalability to accommodate growth and interoperability with existing systems and future plans, as well as appropriate policies, procedures and controls.
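The rules in 4.1.2 (which transactions need MFA, when positive confirmation may be used instead, and which exemptions apply) can be expressed as a small decision function. The following is an added illustration, not code from this Appendix or from any BSFI; the transaction kinds, the `low_value_threshold` and the channel names are assumptions standing in for a BSFI's own documented transaction risk analysis.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three factor groups listed in 4.1.2."""
    KNOWLEDGE = "knowledge"     # password, PIN, card or account number
    POSSESSION = "possession"   # payment card, token, one-time password
    INHERENCE = "inherence"     # biometrics


class Step(Enum):
    MFA = "multi-factor authentication"
    POSITIVE_CONFIRMATION = "positive confirmation over a separate channel"
    SINGLE_FACTOR = "single-factor authentication"


@dataclass
class Transaction:
    kind: str                  # assumed kinds: enrollment, transfer, remittance, account_maintenance, card_ecommerce, ...
    amount: float = 0.0
    recipient: str = ""        # beneficiary identifier, if any
    own_account: bool = False  # transfer between two accounts of the same customer at the same BSFI
    real_time: bool = True     # does the transaction need real-time / near real-time authorization?


@dataclass
class Policy:
    # Assumption: the threshold comes from the BSFI's documented, independently validated risk analysis.
    low_value_threshold: float
    pre_registered_recipients: set[str] = field(default_factory=set)


# Transaction classes the guideline names as sensitive / high-risk (4.1.2 a-e).
HIGH_RISK_KINDS = {"enrollment", "transfer", "remittance", "account_maintenance", "card_ecommerce"}
# Kinds that carry an amount and so can fall under the small-value exemption.
VALUE_BASED_KINDS = {"transfer", "remittance", "card_ecommerce"}


def required_step(tx: Transaction, policy: Policy) -> Step:
    """Decide which authentication step a transaction needs."""
    if tx.kind not in HIGH_RISK_KINDS:
        return Step.SINGLE_FACTOR
    # Exemption c: transfer between the same customer's own accounts.
    if tx.kind == "transfer" and tx.own_account:
        return Step.SINGLE_FACTOR
    # Exemption b: recipients the customer pre-registered through the enrollment process.
    if tx.kind == "transfer" and tx.recipient in policy.pre_registered_recipients:
        return Step.SINGLE_FACTOR
    # Exemption a: small-value transactions within the documented threshold.
    if tx.kind in VALUE_BASED_KINDS and 0 < tx.amount <= policy.low_value_threshold:
        return Step.SINGLE_FACTOR
    # Positive confirmation is only an option when real-time authorization is not required.
    if not tx.real_time:
        return Step.POSITIVE_CONFIRMATION
    return Step.MFA


def distinct_factors(presented: list[Factor]) -> int:
    """Two credentials from the same group (e.g. password + PIN) still count as one factor."""
    return len(set(presented))


def satisfies_mfa(presented: list[Factor]) -> bool:
    return distinct_factors(presented) >= 2


def confirmation_channel_acceptable(origin_channel: str, confirmation_channel: str) -> bool:
    """Positive confirmation must use a channel other than the one the request came from."""
    return origin_channel.lower() != confirmation_channel.lower()


if __name__ == "__main__":
    policy = Policy(low_value_threshold=1000.0, pre_registered_recipients={"merchant-utility-01"})
    tx = Transaction(kind="transfer", amount=25000.0, recipient="unknown-acct-77")
    print(required_step(tx, policy).value)  # multi-factor authentication
```

The ordering of the checks matters: the exemptions are evaluated before the real-time test, so a small-value transfer never escalates to positive confirmation, while a non-real-time transfer to an unregistered third party does.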

4.1.3. Non-Repudiation. As customers and merchants originate an increasing number of transactions, authentication and encryption become increasingly important to ensure non-repudiation of transactions. In such cases, the BSFI should consider implementing non-repudiation controls in the form of digital signatures, a collision-free hash value of the entire transaction or a unique authorization code that will provide conclusive proof of participation of both the sender and receiver in an online transaction environment. Public key infrastructure, digital signature, digital certificate and certification authority arrangements can be used to impart an enhanced level of security, authentication and authorization which can uniquely identify the person initiating a transaction, detect unauthorized modifications and prevent subsequent disavowal.

4.1.4. Authorization Controls and Access Privileges. Specific authorization and access privileges should be assigned to all individuals, agents or systems which conduct activities on e-services. No individual, agent or system should have the authority to change his or her own authority or access privileges in the e-services authorization database. Any addition of an individual, agent or system, or changes to access privileges, should be duly authorized by an authenticated source empowered with adequate authority and subject to suitable and timely oversight and audit trails.

All systems that support e-services should be designed to ensure that they interact with a valid authorization database. Appropriate measures should be in place in order to make authorization databases reasonably resistant to tampering. Authenticated e-services sessions should remain secure throughout the full duration of the session. In the event of a security lapse, the session should require re-authentication. Controls should also be in place to prevent changes to authorization levels during e-services sessions and any attempts to alter authorization should be logged and brought to the attention of management.

No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities. Only employees with proper authorization and whose official duties necessitate access to such data, applications, system resources or facilities should be allowed to access confidential information and use system resources solely for legitimate purposes.

4.1.5. Confidentiality and Integrity of Information, Transactions and Records. The BSFI should ensure that appropriate measures are in place to ascertain the accuracy, completeness and reliability of e-services transactions, records and information that are either transmitted over the internal and external networks or stored in BSFI’s internal systems. Common practices used to maintain data integrity include the following:

a. E-services transactions should be conducted in a manner that make them highly resistant to tampering throughout the entire process;

b. E-services records should be stored, accessed and modified in a manner that make them highly resistant to tampering;

c. E-services transaction and record-keeping processes should be designed in a manner as to make it virtually impossible to circumvent detection of unauthorized changes;

d. Adequate change control policies, including monitoring and testing procedures, should be in place to protect against any system changes that may erroneously or unintentionally compromise controls or data reliability; and

e. Any tampering with e-services transactions or records should be detected by transaction processing, monitoring and record keeping functions.

The BSFI should take appropriate measures to preserve the confidentiality of key e-services information commensurate with the sensitivity of the information being transmitted and/or stored in databases. It should ensure that all intelligent electronic devices that capture information do not expose/store information such as the PIN or other information classified as confidential, and must also ensure that a customer’s PIN cannot be printed for any reason whatsoever. In addition, the BSFI must provide safe-to-use intelligent electronic devices and ensure that customers are able to make safe use of these devices at all times.

The BSFI should implement appropriate technologies to maintain the confidentiality and integrity of sensitive information, in particular customer information. Cryptographic technologies can be used to protect the confidentiality and integrity of sensitive information. The BSFI should choose cryptographic technologies that are appropriate to the sensitivity and importance of the information and the extent of protection needed, and should use only internationally recognized cryptographic algorithms whose strength has been subjected to extensive testing. When information is transmitted over a public network, the BSFI should consider the need to apply strong end-to-end encryption to the transmission of sensitive information.

To ensure adequate protection and secrecy of cryptographic keys whether they are master keys, key encrypting keys or data encrypting keys, no single individual should know entirely what the keys are or have access to all the constituents making up these keys. All keys should be created, stored, distributed or changed under the most stringent conditions. Likewise, use of these keys should be logged and provided with timely oversight.
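The split-knowledge requirement above (no single individual knows the whole key, and every use is logged) is commonly met by holding a key as several components that only reconstruct it when combined. The code below is an added illustration, not part of this Appendix or any vendor's HSM interface: the XOR component scheme, the truncated SHA-256 check value (standing in for a vendor-specific key check value) and the `KeyCeremonyLog` class are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_components: int) -> list[bytes]:
    """Split a key into n random components whose XOR equals the key.

    Every component is needed; any n-1 of them are statistically independent of the key,
    so a single custodian learns nothing about it.
    """
    if n_components < 2:
        raise ValueError("need at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n_components - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    components.append(last)
    return components


def combine_components(components: list[bytes]) -> bytes:
    key = bytes(len(components[0]))
    for component in components:
        key = xor_bytes(key, component)
    return key


def check_value(key: bytes) -> str:
    """Short value used to confirm a reconstructed key without disclosing it.

    Assumption: a truncated SHA-256 stands in for the KCV an HSM would compute.
    """
    return hashlib.sha256(key).hexdigest()[:6]


@dataclass
class KeyCeremonyLog:
    """Records each reconstruction so that key use is logged and subject to oversight."""
    entries: list[dict] = field(default_factory=list)

    def _log(self, outcome: str, custodians: list[str], purpose: str, reason: str = "") -> None:
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "custodians": list(custodians),
            "purpose": purpose,
            "outcome": outcome,
            "reason": reason,
        })

    def reconstruct(self, custodians: list[str], components: list[bytes],
                    expected_kcv: str, purpose: str) -> bytes:
        """Reassemble a key only when each component is entered by a distinct custodian."""
        if len(custodians) != len(components) or len(set(custodians)) != len(custodians):
            self._log("rejected", custodians, purpose, "one distinct custodian per component required")
            raise PermissionError("one distinct custodian per component is required")
        key = combine_components(components)
        if check_value(key) != expected_kcv:
            # A mis-entered or altered component yields a different key; never load it.
            self._log("rejected", custodians, purpose, "check value mismatch")
            raise ValueError("check value mismatch: a component was mis-entered or tampered with")
        self._log("reconstructed", custodians, purpose)
        return key


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    parts = split_key(master, 3)
    ceremony = KeyCeremonyLog()
    rebuilt = ceremony.reconstruct(["custodian-a", "custodian-b", "custodian-c"], parts,
                                   check_value(master), "load master key into HSM")
    print(rebuilt == master, ceremony.entries[-1]["outcome"])
```

In practice each component would be printed in a sealed envelope or held on a smart card for its custodian and entered directly into the HSM; the check value is what lets the custodians confirm a successful reconstruction without anyone seeing the key.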

4.1.6. Application Security. The BSFI should ensure an appropriate level of application security in its electronic delivery systems. In selecting system development tools or programming languages for developing e-services application systems, it should evaluate the security features that can be provided by different tools or languages to ensure that effective application security can be implemented. In selecting an e-services system developed by a third party, the BSFI should take into account the appropriateness of the application security of the system. It should test new or enhanced applications thoroughly using a generally accepted test methodology in a test environment prior to implementation.

Comprehensive and effective validation of input parameters (including user-supplied data and database queries that may be submitted by the users’ computers) should be performed on the server side. This prevents intentionally invalid input parameters from being processed by the e-services system, which may result in unauthorized access to data, execution of commands embedded in the parameters or a buffer overflow attack. Moreover, e-services systems should operate with the least possible system privileges.

Error messages generated by the application system for e-services customers should not reveal details of the system which are sensitive. Errors should be appropriately logged. Similarly, the HTML source code on the production web server should not contain sensitive information such as any references or comments that relate to the design features of the web application code.

The mechanism for managing an active e-services session should be secure. Web pages containing sensitive information should not be cached in the temporary files of browsers. The application should ideally prohibit the customers’ browsers from memorizing or displaying the user IDs and passwords previously entered by customers and the web pages previously accessed by customers.
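The three preceding paragraphs (server-side input validation, non-revealing error messages with server-side logging, and no caching or browser memorisation of sensitive pages) fit together in one request handler. The following is an added example, not code from this Appendix or from any BSFI's system; the 10-digit account number format, the in-memory SQLite table and the handler's response shape are assumptions made for illustration.

```python
from __future__ import annotations
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("eservices")

# Assumption: a 10-digit numeric account number is this illustrative BSFI's own format.
ACCOUNT_RE = re.compile(r"[0-9]{10}")

# Headers for responses carrying sensitive information: browsers and proxies keep no copy.
NO_STORE_HEADERS = {"Cache-Control": "no-store, max-age=0", "Pragma": "no-cache", "Expires": "0"}


def validate_account_number(raw: object) -> str:
    """Allow-list validation performed on the server, whatever the client already checked."""
    if not isinstance(raw, str) or ACCOUNT_RE.fullmatch(raw) is None:
        raise ValueError(f"account number failed allow-list validation: {raw!r}")
    return raw


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT PRIMARY KEY, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("1234567890", 1500.25), ("9876543210", 80.00)])
    return conn


def balance_response(conn: sqlite3.Connection, raw_account: object) -> dict:
    """Handle a balance inquiry: validate, query with bound parameters, fail safely."""
    try:
        acct = validate_account_number(raw_account)
        # Parameter binding: the value is data and is never interpreted as part of the SQL text.
        row = conn.execute("SELECT balance FROM accounts WHERE account_no = ?", (acct,)).fetchone()
        if row is None:
            raise LookupError(f"no such account {acct}")
        return {"status": 200, "headers": NO_STORE_HEADERS, "body": {"balance": row[0]}}
    except Exception as exc:  # last-resort handler so no internal detail reaches the customer
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s balance request failed: %s", ref, exc)   # detail stays server-side
        # The customer sees one generic message plus a reference they can quote to support.
        return {"status": 400, "headers": NO_STORE_HEADERS,
                "body": {"error": "The request could not be processed.", "ref": ref}}


def login_form_html() -> str:
    """Login form that asks the browser not to remember previously entered credentials."""
    return ('<form method="post" action="/login" autocomplete="off">'
            '<input name="user_id" autocomplete="off">'
            '<input type="password" name="password" autocomplete="off">'
            '</form>')


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    db = setup_db()
    print(balance_response(db, "1234567890"))
    print(balance_response(db, "12345abc"))
```

Note that the same generic message is returned whether the input was malformed or the account simply does not exist, so the response itself does not confirm which account numbers are valid; the distinguishing detail is only in the server log, keyed by the reference.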

When a known vulnerability related to the e-services application system is identified or reported, a review of the relevant program source code should be conducted as appropriate to ensure that the vulnerability is appropriately addressed. A security standard may be defined for the purpose of system development and code review. For third-party developed systems, the patches provided by vendors from time to time should be appropriately applied to these systems.

Hidden directories that contain administrative pages or sensitive information of the web site should either be removed from the production web server or protected by effective authentication and access control mechanisms. Back-up files and common files should be removed from the production servers or the structure of file directories to prevent access by unauthorized users. A periodic security review of the structure of file directories and access controls of the files is necessary to ensure that all sensitive files are appropriately protected and not exposed through the web applications.

4.1.7. Infrastructure and Security Monitoring. The BSFI should establish an appropriate operating environment that supports and protects systems on e-services. It should proactively monitor systems and infrastructure on an ongoing basis to detect and record any security breaches, suspected intrusions, or weaknesses. The BSFI should ensure that adequate controls are in place to detect and protect against unauthorized access to all critical e-services systems, servers, databases, and applications. The attached Annex “A” provides for the minimum security measures for e-services facilities.

The BSFI should put in place effective monitoring mechanisms to detect in a timely manner suspicious online transactions and unusual activities. A sound monitoring system should include audit features that can assist in the detection of fraud, money laundering, compromised passwords or other unauthorized activities. In particular, the monitoring mechanism for personal e-services should be able to detect cases similar to the following:

a. False or erroneous application information, large check deposits on new e-services accounts, unusual volume or size of funds transfers, multiple new accounts with similar account information or originating from the same internet address, and unusual account activity initiated from a foreign internet address;

b. Multiple online transfers are made to the same unregistered third-party account within a short period of time especially if the amount transferred is close to the maximum amount allowed or the value exceeds a certain amount; and

c. Change of a customer’s correspondence address shortly followed by transactions which may indicate potential fraudulent activities such as opening of an e-service account online, a request for important documents (e.g., cheque book, new e-banking password, credit card/ATM PIN) to be mailed to that address, increase of fund transfer limits, or a sudden increase of fund transfers made to unregistered third parties.

The BSFI’s monitoring staff should be promptly alerted by its monitoring mechanism if suspicious online transfers and unusual activities are initiated. In these cases, the BSFI should, as soon as practicable, check with the account holders of these transactions or activities. Consideration should also be given to notifying personal customers immediately through an alternative automated channel (such as messages sent to mobile phones or e-mail accounts of customers) of online transfers made to unregistered third parties, online transfers exceeding certain amount limits, or detected unusual activities related to their accounts.
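The three detection cases listed above (multiple new accounts from one internet address, repeated transfers to the same unregistered third party close to the limit, and an address change followed by risky activity) can be run as rules over a transaction log. The code below is an added example, not part of this Appendix or of any BSFI's monitoring system; the event log is constructed sample data, and the time windows, the per-transaction limit and the "near limit" ratio are assumptions a BSFI would replace with its own parameters.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log for illustration (not real customer data).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "type": "account_opened", "customer": "C100", "ip": "203.0.113.5"},
    {"ts": "2024-03-01T09:05:00", "type": "account_opened", "customer": "C101", "ip": "203.0.113.5"},
    {"ts": "2024-03-01T09:07:00", "type": "account_opened", "customer": "C102", "ip": "203.0.113.5"},
    {"ts": "2024-03-02T10:00:00", "type": "address_change", "customer": "C200"},
    {"ts": "2024-03-03T11:00:00", "type": "limit_increase", "customer": "C200"},
    {"ts": "2024-03-03T11:30:00", "type": "transfer", "customer": "C200", "to": "T-555", "registered": False, "amount": 48000.0},
    {"ts": "2024-03-03T11:40:00", "type": "transfer", "customer": "C200", "to": "T-555", "registered": False, "amount": 47500.0},
    {"ts": "2024-03-03T11:55:00", "type": "transfer", "customer": "C200", "to": "T-555", "registered": False, "amount": 49000.0},
    {"ts": "2024-03-04T08:00:00", "type": "transfer", "customer": "C300", "to": "M-utility", "registered": True, "amount": 1200.0},
]

# Activity that is suspicious when it closely follows a change of correspondence address.
RISKY_FOLLOW_ON = {"limit_increase", "document_request", "eservice_enrollment"}


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def _window_hit(times: list[datetime], window: timedelta, min_count: int) -> bool:
    """True if at least min_count timestamps fall inside some span of length window."""
    times = sorted(times)
    for i in range(len(times) - min_count + 1):
        if times[i + min_count - 1] - times[i] <= window:
            return True
    return False


def rule_repeated_unregistered_transfers(events, window=timedelta(hours=1), min_count=3,
                                         per_txn_limit=50000.0, near_limit_ratio=0.9) -> list[dict]:
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in events:
        if e["type"] == "transfer" and not e.get("registered", False):
            groups[(e["customer"], e["to"])].append(e)
    alerts = []
    for (customer, recipient), txns in groups.items():
        near_limit = [e for e in txns if e["amount"] >= per_txn_limit * near_limit_ratio]
        if _window_hit([_ts(e) for e in txns], window, min_count) or near_limit:
            alerts.append({"rule": "repeated_unregistered_transfers", "customer": customer,
                           "recipient": recipient, "count": len(txns), "near_limit": len(near_limit)})
    return alerts


def rule_address_change_then_risky_activity(events, window=timedelta(days=7)) -> list[dict]:
    alerts = []
    for e in events:
        if e["type"] != "address_change":
            continue
        start = _ts(e)
        follow = [f for f in events
                  if f["customer"] == e["customer"] and start < _ts(f) <= start + window
                  and (f["type"] in RISKY_FOLLOW_ON
                       or (f["type"] == "transfer" and not f.get("registered", False)))]
        if follow:
            alerts.append({"rule": "address_change_then_risky_activity", "customer": e["customer"],
                           "follow_on": sorted({f["type"] for f in follow})})
    return alerts


def rule_new_accounts_same_ip(events, min_accounts=3) -> list[dict]:
    by_ip: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["type"] == "account_opened":
            by_ip[e["ip"]].add(e["customer"])
    return [{"rule": "new_accounts_same_ip", "ip": ip, "customers": sorted(customers)}
            for ip, customers in by_ip.items() if len(customers) >= min_accounts]


def run_monitoring(events: list[dict]) -> list[dict]:
    """Run every rule and return the alerts the monitoring staff should see."""
    return (rule_repeated_unregistered_transfers(events)
            + rule_address_change_then_risky_activity(events)
            + rule_new_accounts_same_ip(events))


if __name__ == "__main__":
    for alert in run_monitoring(EVENTS):
        print(alert)
```

Each alert carries the customer identifier so that the follow-up in the next paragraph (checking with the account holder and notifying them over an alternative channel) can be triggered directly from it.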

4.1.8. Audit Trail. The BSFI should ensure that comprehensive logs are maintained to record all critical e-services transactions to help establish a clear audit trail and promote employee and user accountability. Audit logs should be protected against unauthorized manipulation and retained for a reasonable period [e.g., three (3) months] to facilitate any fraud investigation and any dispute resolution if necessary. In instances where processing systems and related audit trails are the responsibility of a third-party service provider, the BSFI should ensure that it has access to relevant audit trails maintained by the service provider in accordance with existing standards. In particular, clear audit trails should exist under the following types of e-services transactions:

a. the opening, modification or closing of a customer’s account;

b. any transaction with financial consequences;

c. any authorization granted to a customer to exceed a limit; and

d. any granting, modification or revocation of systems access right or privileges.
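One way to make an audit log "protected against unauthorized manipulation" is to chain each entry to the previous one by hash, so that editing or deleting a record breaks the chain, and to publish the latest hash to a separate write-once location so that truncation at the tail is also detectable. The following is an added example, not part of this Appendix; the four event types mirror items (a) to (d) above, and the entries in `build_sample_log` are constructed sample data.

```python
from __future__ import annotations
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# Event classes corresponding to 4.1.8 (a) to (d).
EVENT_TYPES = {"account_lifecycle", "financial", "limit_override", "access_rights"}


class AuditLog:
    """Append-only log where every entry commits to the hash of the entry before it."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON so the hash does not depend on key order or whitespace.
        material = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                              sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(material.encode("utf-8")).hexdigest()

    def append(self, actor: str, event_type: str, details: dict, when: str | None = None) -> dict:
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type {event_type!r}")
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "event_type": event_type,
            "details": details,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; store it somewhere the log writer cannot alter (a checkpoint)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (True, None) or (False, index of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample entries, one per audit-trail category."""
    log = AuditLog()
    log.append("ops-01", "account_lifecycle", {"account": "1234567890", "action": "open"},
               when="2024-03-01T09:00:00+00:00")
    log.append("cust-77", "financial", {"amount": 2500.0, "to": "9876543210"},
               when="2024-03-01T09:10:00+00:00")
    log.append("sec-01", "access_rights", {"subject": "teller-01", "grant": "txn:post"},
               when="2024-03-01T09:20:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    checkpoint = log.head()
    print(log.verify())                                  # chain intact
    log.entries[1]["details"]["amount"] = 25.0           # simulate tampering with a record
    print(log.verify())                                  # (False, 1)
    print(log.head() == checkpoint)
```

The chain alone does not detect removal of the most recent entries, which is why the checkpoint hash must be kept outside the writer's control and compared on every review.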

4.1.9. Segregation of Duties. As in any traditional process, segregation of duties is a basic internal control measure designed to reduce the risk of fraud in operational processes and systems. The BSFI management should ensure that duties are adequately separated and transaction processes are designed in a manner that no single person could initiate, approve, execute and enter transactions into a system that would enable fraudulent actions to be perpetrated and concealed. Segregation should also be maintained between (a) those developing and those administering the systems; and (b) those initiating static data (including web page content) and those responsible for verifying its integrity. E-services systems should be tested to ensure that segregation of duties cannot be bypassed.
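The authorization-database rules in 4.1.4 (no one may change their own privileges; changes come from an empowered, authenticated source and are logged) and the maker/checker principle in 4.1.9 can be enforced together in the privilege store. The code below is an added illustration, not part of this Appendix or of any BSFI's system; the privilege names, the `privilege:approve` right and the one-time bootstrap of the first approver are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

APPROVER_RIGHT = "privilege:approve"   # assumed name of the right an empowered checker must hold


@dataclass
class AuditRecord:
    when: str
    outcome: str          # granted / revoked / rejected
    subject: str
    privilege: str
    requested_by: str
    approved_by: str
    reason: str = ""


@dataclass
class AuthorizationDB:
    """Privilege store with a self-modification prohibition and maker/checker control."""
    privileges: dict[str, set[str]] = field(default_factory=dict)
    audit: list[AuditRecord] = field(default_factory=list)

    def has(self, subject: str, privilege: str) -> bool:
        return privilege in self.privileges.get(subject, set())

    def bootstrap_approver(self, name: str) -> AuditRecord:
        """One-time seeding of the first checker; only allowed on an empty database."""
        if self.privileges:
            return self._record("rejected", name, APPROVER_RIGHT, "bootstrap", "bootstrap",
                                "database already initialised")
        self.privileges[name] = {APPROVER_RIGHT}
        return self._record("granted", name, APPROVER_RIGHT, "bootstrap", "bootstrap")

    def _rejection_reason(self, subject: str, requested_by: str, approved_by: str) -> str | None:
        if subject in (requested_by, approved_by):
            return "no one may request or approve a change to their own privileges"
        if requested_by == approved_by:
            return "maker and checker must be different individuals"
        if not self.has(approved_by, APPROVER_RIGHT):
            return f"{approved_by} is not empowered to approve privilege changes"
        return None

    def _record(self, outcome, subject, privilege, requested_by, approved_by, reason="") -> AuditRecord:
        rec = AuditRecord(datetime.now(timezone.utc).isoformat(), outcome, subject,
                          privilege, requested_by, approved_by, reason)
        self.audit.append(rec)   # every attempt, including rejected ones, is logged for oversight
        return rec

    def _change(self, action: str, subject: str, privilege: str,
                requested_by: str, approved_by: str) -> AuditRecord:
        reason = self._rejection_reason(subject, requested_by, approved_by)
        if reason:
            return self._record("rejected", subject, privilege, requested_by, approved_by, reason)
        if action == "grant":
            self.privileges.setdefault(subject, set()).add(privilege)
            return self._record("granted", subject, privilege, requested_by, approved_by)
        self.privileges.get(subject, set()).discard(privilege)
        return self._record("revoked", subject, privilege, requested_by, approved_by)

    def grant(self, subject, privilege, requested_by, approved_by) -> AuditRecord:
        return self._change("grant", subject, privilege, requested_by, approved_by)

    def revoke(self, subject, privilege, requested_by, approved_by) -> AuditRecord:
        return self._change("revoke", subject, privilege, requested_by, approved_by)


if __name__ == "__main__":
    db = AuthorizationDB()
    db.bootstrap_approver("sec-officer")
    print(db.grant("teller-01", "txn:post", requested_by="ops-lead", approved_by="sec-officer").outcome)
    print(db.grant("teller-01", "txn:approve", requested_by="teller-01", approved_by="sec-officer").reason)
```

Rejected attempts are returned as records rather than raised as exceptions so that the caller cannot skip logging them; the "rejected" entries are exactly the attempts to alter authorization that the text says should be brought to management's attention.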

4.1.10. Website Information and Maintenance. Because the BSFI’s website is available on an ongoing basis to the general public, appropriate procedures should be established to ensure accuracy and appropriateness of its information. Key information changes and updates (such as deposit, loan and foreign exchange rates), are normally subject to documented authorization and dual verification. Procedures and controls to monitor and verify website information frequently may help prevent any inadvertent or unauthorized modifications or content that could lead to reputational damage or violations of advertising, disclosure, or other compliance requirements.

In addition, some BSFIs provide various tools and other interactive programs to enable customers to submit online application or provide resources for them to research available options associated with BSFI’s products and services on-line. To protect the BSFI from potential liability or reputational harm, it should test or otherwise verify the accuracy and appropriateness of these tools and programs.

The BSFI should carefully consider how links to third-party Internet Web sites are presented. “Hyperlinks” may imply an endorsement of third-party products, services, or information that could lead to implicit liability for the BSFI. The BSFI should provide disclaimers when such links take the customer to a third-party web site to ensure that they clearly understand any potential liabilities arising out of any such cross-marketing arrangements or other agreements with third parties. Any links to sites offering non-deposit, investment or insurance products must comply with existing regulations. Links to other sites should be verified regularly for accuracy, functionality, and appropriateness.

The BSFI should manage the risk associated with fraudulent emails or websites which are designed to trick its customers into revealing private details such as account numbers or e-services passwords. To this end, the BSFI should consider educating customers on how to ensure that they are communicating with the official website, and that they will not be required to access the BSFI’s transactional e-services portal through hyperlinks embedded in e-mails unless the website is validated by a legitimate digital certificate.

Additionally, the BSFI should exercise care in selecting its website name(s) in order to reduce possible confusion with those of other Internet sites. It should periodically scan the Internet to identify sites with similar names and investigate any that appear to be posing as the institution. Suspicious sites should be reported to appropriate law enforcement agencies and regulatory authorities.

4.2. Administrative and Management Controls

4.2.1. Service Availability and Business Continuity. The BSFI should have the ability to deliver e-services to all end-users and be able to maintain such availability in all circumstances within a reasonable system response time in accordance with its terms and conditions and anticipated customer expectations. Performance criteria for each critical e-service should be established and service levels should be monitored against these criteria. Appropriate measures should be taken to ensure that e-services systems and the interfaces with the internal systems can handle the projected transaction volume and future growth in transactions.

Appropriate business continuity and contingency plans for critical e-services processing and delivery systems should be in place and regularly tested. Contingency plans should set out a process for restoring or replacing e-services processing capabilities, reconstructing supporting transaction information, and include measures to be taken to resume availability of critical e-services systems and applications in the event of a business disruption.

4.2.2. Incident Response and Management. The BSFI should put in place formal incident response and management procedures for timely reporting and handling of suspected or actual security breaches, fraud, or service interruptions of its e-services during or outside office hours. A communication strategy should be developed to adequately address the reported concerns and an incident response team should be established to manage and respond to the incident in accordance with existing standards enumerated in Appendix 75.

4.2.3. Outsourcing Management. Increased reliance upon partners and third party service providers to perform critical e-services functions lessens BSFI management’s direct control. Accordingly, a comprehensive process for managing the risks associated with outsourcing and other third-party dependencies is necessary to ensure that:

a. The BSFI fully understands the risks associated with entering into an outsourcing or partnership arrangement for its e-services systems or applications;

b. An appropriate due diligence review of the competency and financial viability of any third-party service provider or partner is conducted prior to entering into any contract for e-services;

c. The contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined. For instance, responsibilities for providing information to and receiving information from the service provider should be clearly defined;

d. All outsourced e-services systems and operations are subject to risk management, security and privacy policies that meet the BSFI’s own standards;

e. Periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house; and

f. Appropriate contingency plans for outsourced e-services activities exist.

Complete guidelines for managing outsourcing relationships and third party dependencies are enumerated in Appendix 78.

4.3. Consumer Protection.

4.3.1. Customer Privacy and Confidentiality. The BSFI should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the institution is providing electronic products and services. Misuse or unauthorized disclosure of confidential customer data exposes the entity to both legal and reputation risk. To meet these challenges concerning the preservation of privacy of customer information, the BSFI should make reasonable endeavours to ensure that:

a. The BSFI’s customer privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-services;

b. Customers are made aware of the BSFI’s privacy policies and relevant privacy issues concerning use of e-services;

c. Customers may decline (“opt out”) from permitting the BSFI to share with a third party for cross-marketing purposes any information about the customer’s personal needs, interests, financial position or banking activity; and

d. Customer data are not used for purposes beyond which they are specifically allowed or for purposes beyond which customers have authorized. The BSFI’s standards for customer data use must be met when third parties have access to customer data through outsourcing relationships.

4.3.2. Information Disclosure for E-Services. The BSFI should comply with all legal requirements relating to e-services, including the responsibility to provide its customers with appropriate disclosures and to protect customer data. Failure to comply with these responsibilities could result in significant compliance, legal, or reputation risk for the BSFI.

The BSFI should set out clearly in its terms and conditions the respective rights and obligations between the BSFI and its customers. These terms and conditions should be fair and balanced to both parties. In addition, the BSFI is required to provide its customers with a level of comfort regarding information disclosure and transparency, protection of customer data and business availability comparable to what they can expect when using traditional banking services. To minimize operational, legal and reputational risks associated with e-services activities, the BSFI should make adequate disclosures of information and take appropriate measures to ensure adherence to customer privacy and protection requirements. Annex “B” provides for the minimum disclosure requirements of BSFIs.

4.3.3. Consumer Awareness. Customer education is a key defense against fraud, identity theft and security breaches. Therefore, the BSFI should pay special attention to the provision of easy-to-understand and prominent advice to its customers on security precautions for e-services. To be effective, the BSFI should maintain and continuously evaluate its consumer awareness program. Methods to evaluate a program’s effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials, the number of clicks on information security links on websites, the number of inquiries, etc. Annex “C” provides for the minimum Consumer Awareness Program that the BSFI should convey to its customers.

4.3.4. Complaints Resolution. The BSFI may receive customer complaints, either through an electronic medium or otherwise, concerning unauthorized transactions or loss or theft affecting an e-services account. Therefore, it should ensure that controls are in place to review these notifications and that an investigation is initiated as required. The BSFI should also establish procedures to resolve disputes arising from the use of the e-services.

4.4. Cross-Border E-Banking Activities.

4.4.1. Before a BSFI initiates cross-border e-services, its management should conduct appropriate risk assessment and due diligence to ensure that it can adequately manage the attendant risks. It must also comply with any applicable laws and regulations, both those of the home country and those of any foreign country that may assert jurisdiction over e-services directed at its residents. Further, the BSFI should ensure that it has an effective and ongoing risk management program for its cross-border e-services activities.

4.4.2. Before engaging in transactions involving cross-border e-services with foreign customers, the BSFI should ensure that adequate information is disclosed on its website to allow potential customers to determine the BSFI’s identity, home country, and whether it holds the relevant regulatory license(s) before the relationship is established. This information will help improve transparency and minimize the legal and reputational risk associated with the offering of cross-border e-services.

5. INDEPENDENT ASSESSMENT

5.1. An appropriate independent audit function is also an important component of a BSFI’s monitoring mechanisms. The audit coverage should be expanded commensurate with the increased complexity and risks inherent in e-services and should include the entire process as applicable (i.e., network configuration and security, interfaces to legacy systems, regulatory compliance, internal controls, support activities performed by third-party providers, etc.).

5.2. The BSFI should also make arrangements for independent assessments to be conducted on its systems before the launch of the relevant services or major enhancements to existing services. The person(s) (i.e., the assessor) contracted by the BSFI to perform independent assessment should have, and be able to demonstrate, the necessary expertise in the relevant fields. He/she should be independent from the parties that develop or administer the system and should not be involved in the operations to be reviewed or in selecting or implementing the relevant control measures to be reviewed. He/she should be able to report findings freely and directly to the authorized BSFI senior management.

5.3. Subsequent to an initial independent assessment, the BSFI should conduct risk assessment at least every two (2) years or when there are substantial changes to determine if further independent assessment should be required and the frequency and scope of such independent assessment. Any substantial changes to the risk profile of the services being provided, significant modifications of the network infrastructure and applications, material system vulnerabilities or major security breaches are to be taken into consideration in the risk assessment.

6. APPLICABILITY

6.1. These guidelines are intended for all electronic products and services offered by BSFIs to their customers. They focus on the risks and risk management techniques associated with electronic delivery channels in order to protect customers and the general public. It should be understood, however, that not all the customer protection issues that have arisen in connection with new technologies are specifically addressed in these guidelines. Additional issuances may be released in the future to address other aspects of consumer protection as the financial service environment delivered through e-services evolves.

____________________________________________________________________________

ANNEX A

SECURITY CONTROLS ON SPECIFIC ELECTRONIC SERVICES AND CHANNELS

In providing banking/financial services via electronic channels, such as ATMs, the internet and mobile devices, the BSFI must consider customers’ convenience in using the facilities, including the effectiveness of the electronic menu display, particularly the customer’s instruction selection menu, in order to avoid errors and losses in transactions. For electronic services which involve physical equipment, such as ATMs, the BSFI must implement physical security controls over the equipment and the rooms housing it against theft, sabotage and other criminal actions by unauthorized parties. It must perform routine monitoring to ensure the security and comfort of customers using electronic services.

Automated Teller Machine (ATM)

1. To minimize/prevent ATM fraud and crimes, the BSFI must, at a minimum, implement the following security measures with respect to its ATM facilities:

a. Locate ATMs in highly visible areas;

b. Provide sufficient lighting at and around the ATMs;

c. Where ATM crimes (e.g., robbery, vandalism, skimming) are high in a specific area or location, the BSFI should install surveillance camera or cameras which shall view and record all persons entering the facility. Such recordings shall be preserved by the BSFI for at least thirty (30) days;

d. Implement ATM programming enhancements like masking/non-printing of card numbers;

e. Educate customers by advising them regularly of risks associated with using the ATM and how to avoid these risks;

f. Conduct and document periodic security inspection at the ATM location;

g. Educate BSFI personnel to be responsive and sensitive to customer concerns; and

h. Post a clearly visible sign near the ATM facility which, at a minimum, provides the telephone numbers of the BSFI as well as other BSFIs’ hotline numbers for other cardholders who are allowed to transact business in the ATM, and police hotlines for emergency cases.

2. The BSFI must study and assess ATM crimes to determine the primary problem areas. Procedures for reporting ATM crimes should also be established. Knowing what crimes have occurred will aid the BSFI in recognizing the particular problem and to what degree it exists so that it can implement the necessary preventive measures. In this connection, all BSFIs are encouraged to share information involving ATM fraud cases to deter and prevent proliferation of the crime.

Online Internet Financial Services

1. Assurance should be provided that online login access and transactions performed over the internet are adequately protected and authenticated. In addition, customers should be adequately educated on security measures that must be put in place to uphold their interests in the online environment.

2. With internet connection to internal networks, financial systems and devices may now be potentially accessed by anyone from anywhere at any time. The BSFI should implement physical and logical access security to allow only authorized personnel to access its systems. Appropriate processing and transmission controls should also be implemented to protect the integrity of systems and data.

3. There should be a mechanism to authenticate the official website to protect customers from spoofed or fake websites. The BSFI should determine what authentication technique to adopt to provide protection against these attacks. For wireless applications, it should adopt authentication protocols that are separate and distinct from those provided by the wireless network operator.

4. Monitoring or surveillance systems should be implemented to alert BSFI of any erratic system activities, transmission errors or unusual online transactions. A follow-up process should be established to verify that these issues or errors are adequately addressed subsequently. High resiliency and availability of online systems and supporting systems (such as interface systems, backend host systems and network equipment) should be maintained to meet customers’ expectations. Measures to plan and track capacity utilization as well as guard against online attacks should be established.

5. As more customers log into BSFI’s website to access their accounts and conduct a wide range of financial transactions for personal and business purposes, a suite of measures must be established to protect customers’ interests in using online systems. Furthermore, customers should be educated on the risks of using online financial services before they subscribe to such services. Ongoing education must be available to raise the security awareness of customers to protect their systems and online transactions.

Mobile and Phone Financial Services

1. For electronic services using mobile phones, the BSFI must ensure the security of transactions by implementing the following, among others:

a. Employment of a SIM Toolkit with an end-to-end encryption feature from the handset to the m-banking servers, to protect data transmission in m-banking; and

b. Adoption of a dual authentication process (i.e., possession of the registered device combined with an MPIN) to ensure that the party initiating the transaction is the owner of the device and is authorized to perform such transaction.

2. For phone banking and other financial services, the BSFI must ensure the security of transactions, by implementing the following, among others:

a. The service shall not be used for transactions of high value or risk;

b. All IVR conversations shall be recorded, including the customer’s phone number, transaction details, etc.;

c. The service shall use reliable and secure authentication methods; and

d. Customer authentication methods such as a PIN and password shall be used for financial transactions.

Other Mobile Online and Payment Services

1. Mobile online and payment services are extensions of the online financial services which are offered by the BSFI and accessible from the internet via computers, laptops and similar devices. Security measures which are similar to those of online financial and payment systems should also be implemented on the mobile online services and payment systems. A risk assessment should be conducted to identify possible fraud scenarios and appropriate measures should be established to counteract payment card fraud via mobile devices.

2. The BSFI may require customers to download its mobile online services and payment applications directly from third party repositories (e.g., Apple store, Google Play and Windows Market Place) on to mobile devices. Customers must be able to verify the integrity and authenticity of the application prior to its download. The BSFI should also be able to check the authenticity and integrity of the software being used by the customers.

3. As mobile devices are susceptible to theft and loss, there must be adequate protection of sensitive data used for mobile online services and payments. Sensitive data should be encrypted to ensure the confidentiality and integrity of these data in storage, transmission and during processing.

4. Customers should be educated on security measures to protect their own mobile devices from theft and loss as well as viruses and other errant software which cause malicious damage and harmful consequences.

Point of Sale Devices

1. Point of Sale (POS)/Electronic Data Capture (EDC) devices enable electronic fund transfer from the customer’s account to the acquirer’s or merchant’s account for payment of a transaction. The party providing the POS terminal must strengthen the physical security around the vicinity of the terminal and of the terminal itself, among others, by using POS terminals that minimize the possibility of interception at the terminal or in its communication network.

2. The BSFI deploying POS devices at merchant locations must familiarize the merchant with the safe operation of the device. The acquiring institution must ensure that the POS devices, as well as other devices that capture information, do not expose or store information such as the PIN or other information classified as confidential. It must also ensure that a customer’s PIN cannot be printed at the point of sale for any reason whatsoever.

3. Operators of point of sale devices are encouraged to work towards interoperability of cards from other schemes.

Electronic Payment Cards (ATM, Credit and Debit Cards)

1. Payment cards allow cardholders the flexibility to make purchases wherever they are. Payment cards exist in many forms; with magnetic stripe cards posing the highest security risks. Sensitive payment card data stored on magnetic stripe cards is vulnerable to card skimming attacks. Card skimming attacks can happen at various points of the payment card processing, including payment kiosks and POS terminals. In addition to counterfeit/ skimmed cards, fraudulent activities associated with payment cards include lost/ stolen cards, card-not-received and card-not-present transactions.

2. The BSFI providing payment card services should implement adequate safeguards to protect sensitive payment card data. Sensitive payment card data should be encrypted to ensure the confidentiality and integrity of these data in storage, transmission and during processing. Pending the required adoption of EMV chip-cards by 01 January 2017, all BSFIs engaged in the payment card business should consider implementing the following measures to mitigate exposure from skimming attacks:

a. Installation of anti-skimming solutions on ATM and POS machines to detect the presence of foreign devices placed over or near a card entry slot;

b. Establishment of detection and alert mechanisms to appropriate personnel for follow-up response and action;

c. Implementation of tamper-resistant keypads to ensure that no one can identify which buttons are being pressed by customers;

d. Implementation of appropriate measures to prevent shoulder surfing of customers’ PINs; and

e. Conduct video surveillance of activities at these machines and maintain the quality of CCTV footage.

3. New payment cards sent to customers via courier should only be activated upon obtaining the customer’s instruction. Online transactions should only be allowed if authorized by the customers. Authentication of customers’ sensitive static information, such as personal identification numbers (PINs) or passwords, should be performed by the card issuer and not by third-party payment processing service providers. Appropriate security mechanisms should also be implemented for card-not-present transactions via the internet to reduce the fraud risk associated with this type of transaction.

4. To enhance payment card security, cardholders should be notified promptly via transaction alerts on withdrawals/charges exceeding customer-defined thresholds made on their payment cards. The transaction alert should include information such as source and amount of the transaction to assist customers in identifying a genuine transaction.

5. Fraud detection systems with behavioral scoring and correlation capabilities should be implemented to identify and curb fraudulent activities. Risk management parameters should be calibrated according to the risks posed by cardholders, the nature of transactions or other risk factors to enhance fraud detection capabilities. Follow-up actions for transactions exhibiting behavior which deviates significantly from a cardholder’s usual card usage patterns should be instituted. These transactions should be investigated and the cardholder’s authorization obtained prior to completing the transaction.
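The two preceding items (customer-defined threshold alerts, and behavioral scoring with a hold for cardholder confirmation) are easier to reason about with a small working model. The following Python is an added example and not part of the circular: the transaction history, the weights and the hold cut-off are constructed, illustrative assumptions, and a production system would calibrate them per cardholder, product and channel as item 5 requires.

```python
"""Added example (not from the circular): threshold alerts plus a simple
behavioral score over a cardholder's approved-transaction history.
All sample data, weights and cut-offs below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Optional, Tuple


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float          # in the card's currency
    merchant: str
    country: str
    card_present: bool


@dataclass(frozen=True)
class Profile:
    alert_threshold: float     # customer-defined alert amount (Annex A item 4)
    history: Tuple[Txn, ...]   # past approved transactions


def alert_message(txn: Txn, profile: Profile) -> Optional[str]:
    """Transaction alert: fire only when the amount exceeds the customer's
    threshold, and include source and amount so the customer can tell a
    genuine transaction from a fraudulent one."""
    if txn.amount <= profile.alert_threshold:
        return None
    return (f"{txn.when:%Y-%m-%d %H:%M} {txn.merchant} ({txn.country}) "
            f"{txn.amount:,.2f}")


def behavior_score(txn: Txn, profile: Profile) -> int:
    """Score how far a transaction deviates from the cardholder's usual
    pattern; higher is more suspicious. Assumed components and weights:
      amount far above the historical mean (z-score > 3 / > 2)   40 / 25
      country never seen in the history                          30
      card-not-present while all history is card-present         15
      velocity: this would be the 3rd transaction within an hour 25
    """
    hist = profile.history
    score = 0
    amounts = [t.amount for t in hist]
    if len(amounts) >= 2:
        mu, sigma = mean(amounts), pstdev(amounts)
        sigma = sigma or 1.0          # flat history: avoid division by zero
        z = (txn.amount - mu) / sigma
        if z > 3:
            score += 40
        elif z > 2:
            score += 25
    if txn.country not in {t.country for t in hist}:
        score += 30
    if not txn.card_present and hist and all(t.card_present for t in hist):
        score += 15
    recent = [t for t in hist if timedelta(0) <= txn.when - t.when <= timedelta(hours=1)]
    if len(recent) >= 2:
        score += 25
    return score


def decide(txn: Txn, profile: Profile, hold_at: int = 50) -> str:
    """'approve', or 'hold' when the deviation is large enough that the
    cardholder's authorization should be obtained before completion."""
    return "hold" if behavior_score(txn, profile) >= hold_at else "approve"


# Constructed sample history: a cardholder who buys groceries and fuel in PH.
_T0 = datetime(2017, 5, 2, 9, 0)
SAMPLE_HISTORY = tuple(
    Txn(_T0 + timedelta(days=i), amt, merchant, "PH", True)
    for i, (amt, merchant) in enumerate(
        [(1200, "Grocer"), (950, "Fuel"), (1500, "Grocer"),
         (800, "Pharmacy"), (1300, "Grocer"), (1000, "Fuel")])
)
SAMPLE_PROFILE = Profile(alert_threshold=5000, history=SAMPLE_HISTORY)

# A routine purchase and a large card-not-present purchase from a new country.
USUAL = Txn(_T0 + timedelta(days=7), 1100, "Grocer", "PH", True)
SUSPECT = Txn(_T0 + timedelta(days=7, hours=3), 48000, "Electronics-Web", "US", False)

if __name__ == "__main__":
    for t in (USUAL, SUSPECT):
        print(decide(t, SAMPLE_PROFILE), behavior_score(t, SAMPLE_PROFILE),
              alert_message(t, SAMPLE_PROFILE))
```

The point of separating alert_message from decide is that the two controls have different owners: the alert goes to the customer regardless of the score, while the hold is an issuer-side decision that triggers the cardholder contact before the authorization is completed.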

____________________________________________________________________________

ANNEX B

DISCLOSURE REQUIREMENTS

1. General Requirement

BSFIs offering electronic products and services (e-services) should adopt responsible privacy policies and information practices. They should provide disclosures that are clear and readily understandable, in writing, or in a form the consumers may print and keep.

BSFIs should also ensure that consumers who sign up for a new e-service are provided with disclosures (e.g., a pamphlet) informing them of their rights as consumers.

At a minimum, the following disclosures should be provided to protect consumers and inform them of their rights and responsibilities:

a. Information on the duties of the BSFI and customers;

b. Information on who will be liable for unauthorized or fraudulent transactions;

c. Mode by which customers will be notified of changes in terms and conditions;

d. Information relating to how customers can lodge a complaint, and how a complaint may be investigated and resolved;

e. Disclosures that will help consumers in their decision-making (e.g., PDIC insured, etc.);

f. For the internet environment, a prompt on the BSFI’s website notifying customers that they are leaving the BSFI’s website, and hence are no longer protected by the privacy policies and security measures of the BSFI, when they follow a hyperlink to a third party’s website.

2. Disclosure Responsibility

a. Compliance officers should review the BSFI’s disclosure statements to determine whether they have been designed to meet the general and specific requirements set in the regulation;

b. For BSFIs that advertise deposit products and services on-line, they must verify that proper advertising disclosures are made (e.g., whether the product is insured or not by the PDIC; fees and charges associated with the product or services, etc.). Advertisements should be monitored to determine whether they are current, accurate, and compliant;

c. BSFIs that issue various products like stored value cards, e-wallets, debit cards and credit cards must provide information to consumers regarding the features of each of these products to enable consumers to meaningfully distinguish them. Additionally, consumers would find it beneficial to receive information about the terms and conditions associated with their usage. Examples of these disclosures include:

 – PDIC insured or non-insured status of the product;

 – Fees and charges associated with the purchase, use or redemption of the product;

 – Liability for loss;

 – Expiration dates, or limits on redemption; and

 – Toll-free telephone number for customer service, malfunction and error resolution.

d. Whenever e-services are outsourced to third parties or service providers, the BSFI should ensure that the vendors comply with the disclosure requirements of the Bangko Sentral.

____________________________________________________________________________

ANNEX C

ELECTRONIC SERVICES CONSUMER AWARENESS PROGRAM

To ensure the security of transactions and personal information in electronic delivery channels, consumers should be informed of their roles and responsibilities which, at a minimum, include the following:

1. Internet Products and Services

a) Secure Login ID and Password or PIN.

i. Do not disclose Login ID and Password or PIN.

ii. Do not store Login ID and Password or PIN on the computer.

iii. Regularly change the password or PIN and avoid using easy-to-guess passwords such as names or birthdays. A password should be a combination of letters (uppercase and lowercase) and numbers and should be at least six (6) characters in length.

b) Keep personal information private.

i. Do not disclose personal information such as address, mother’s maiden name, telephone number, social security number, bank account number or e-mail address — unless the one collecting the information is reliable and trustworthy.

c) Keep records of online transactions.

i. Regularly check transaction history details and statements to make sure that there are no unauthorized transactions.

ii. Review and reconcile monthly credit card and bank statements for any errors or unauthorized transactions promptly and thoroughly.

iii. Check e-mail for contacts by merchants with whom one is doing business. Merchants may send important information about transaction histories.

iv. Immediately notify the BSFI if there are unauthorized entries or transactions in the account.

d) Check for the right and secure website.

i. Before doing any online transactions or sending personal information, make sure that correct website has been accessed. Beware of bogus or “look alike” websites which are designed to deceive consumers.

ii. Check that the website is “secure” by checking that the Uniform Resource Locator (URL) begins with “https” and that a closed padlock icon is displayed in the browser. To confirm the authenticity of the site, click the padlock icon to display the site’s security certificate information. Note that the padlock only indicates that the connection is encrypted and that the certificate matches the domain name shown; it does not by itself prove that the domain belongs to the BSFI, so the domain name must also be checked against the one the BSFI has published.

iii. Always enter the URL of the website directly into the web browser. Avoid being re-directed to the website, or hyperlink to it from a website that may not be as secure.

iv. Where available, use encrypted connections and any encryption features provided by the BSFI when sending sensitive information or performing e-banking transactions online.
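Item d) above asks customers to recognise “look alike” websites, and Annex B item 1.f asks the BSFI to warn customers when a hyperlink leads off its own site. Both reduce to the same question: does a given URL really point at an official BSFI domain? The following Python is an added example, not part of the circular or of any BSFI’s code; the domains in OFFICIAL_DOMAINS are constructed placeholders. It shows the host-matching pitfalls that a naive string search for the bank’s name would get wrong (userinfo tricks, suffix look-alikes, punycode homoglyphs).

```python
"""Added example (not from the circular): is a URL really on an official
BSFI domain? Suitable for a "you are leaving our website" interstitial or
for phishing-site monitoring. OFFICIAL_DOMAINS are constructed placeholders.
"""
from urllib.parse import urlsplit, urljoin

# Assumption: the BSFI publishes a short allow-list of domains it controls.
OFFICIAL_DOMAINS = ("examplebank.ph", "examplebank.com")


def official_host(url: str, official_domains=OFFICIAL_DOMAINS) -> bool:
    """True only if url is an https URL whose host is an official domain or
    a subdomain of one. Covers the usual look-alike tricks:
      * scheme must be https; plain http is never "the secure site";
      * the host is taken from the parsed authority, so
        'https://examplebank.ph@evil.example/' resolves to evil.example;
      * suffix matching is on whole labels, so 'notexamplebank.ph' and
        'examplebank.ph.evil.example' are rejected;
      * IDNA/punycode labels (xn--) are rejected outright, because a
        homoglyph domain can render identically to the real one.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname         # drops userinfo and port, lowercases
    if not host:
        return False
    host = host.rstrip(".")
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    for dom in official_domains:
        dom = dom.lower()
        if host == dom or host.endswith("." + dom):
            return True
    return False


def needs_leaving_notice(href: str, page_url: str) -> bool:
    """True when a link found on an official page leads off the official
    domains, i.e. the interstitial of Annex B item 1.f should be shown.
    Relative links are resolved against the page they appear on."""
    return not official_host(urljoin(page_url, href))


if __name__ == "__main__":
    for u in ("https://online.examplebank.ph/login",
              "https://examplebank.ph@evil.example/",
              "https://examplebank.ph.evil.example/"):
        print(u, official_host(u))
```

The allow-list approach is deliberate: deciding “is this ours?” by substring search for the bank’s name is exactly what look-alike domains are built to pass, whereas matching whole labels against a published list fails closed on anything unexpected.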

e) Protect personal computer from hackers, viruses and malicious programs.

i. Install a personal firewall and a reputable anti-virus program to protect personal computer from virus attacks or malicious programs.

ii. Ensure that the anti-virus program is updated and runs at all times.

iii. Always keep the operating system and the web browser updated with the latest security patches, in order to protect against weaknesses or vulnerabilities.

iv. Always check with an updated anti- virus program when downloading a program or opening an attachment to ensure that it does not contain any virus.

v. Install updated scanning software to detect and eliminate malicious programs capable of capturing personal or financial information online.

vi. Never download any file or software from unfamiliar sites or sources, or via hyperlinks sent by strangers. Opening such files could expose the system to malicious software that captures personal information, including passwords or PINs.

f) Do not leave computer unattended when logged-in.

i. Log-off from the internet banking site when computer is unattended, even if it is for a short while.

ii. Always remember to log-off when e-banking transactions have been completed.

iii. Clear the browser cache and history after logging out from the website to remove account information. This prevents the stored information from being retrieved by unwanted parties.

g) Check the site’s privacy policy and disclosures.

i. Read and understand website disclosures specifically on refund, shipping, account debit/credit policies and other terms and conditions.

ii. Before providing any personal financial information to a website, determine how the information will be used or shared with others.

iii. Check the site’s statements about the security provided for the information divulged.

iv. Some websites’ disclosures are easier to find than others — look at the bottom of the home page, on order forms or in the “About” or “FAQs” section of a site. If the customer is not comfortable with the policy, consider doing business elsewhere.

h) Other internet security measures:

i. Do not send any personal information particularly password or PIN via ordinary e-mail.

ii. Do not open other browser windows while doing online transactions.

iii. Avoid using shared or public personal computers in conducting financial transactions.

iv. Disable the “file and printer sharing” feature on the operating system if conducting financial transactions online.

v. Contact the BSFI concerned to discuss security concerns and remedies to any online e-services account issues.

2. Other Electronic Products/Channels

a) Automated Teller Machine (ATM) and debit cards

i. Use ATMs that are familiar or that are in well-lit locations where one feels comfortable. If the machine is poorly lit or is in a hidden area, use another ATM.

ii. Have card ready before approaching the ATM. Avoid having to go through the wallet or purse to find the card.

iii. Do not use ATMs that appear to have been tampered with or otherwise altered. Report such condition to the BSFI.

iv. Memorize the ATM card PIN and never disclose it to anyone. Do not keep PINs or passwords in the wallet or purse, and never write them on the cards themselves. Avoid using easily available personal information like a birthday, nickname or mother’s maiden name, or consecutive numbers.

v. Be mindful of “shoulder surfers” when using ATMs. Stand close to the ATM and shield the keypad with hand when keying in the PIN and transaction amount.

vi. If the ATM is not working correctly, cancel the transaction and use a different ATM. If possible, report the problem to the BSFI.

vii. Carefully secure card and cash in the wallet, handbag, or pocket before leaving the ATM.

viii. Do not leave the receipt behind. Compare ATM receipts to monthly statement. It is the best way to guard against fraud and it makes record-keeping easier.

ix. Do not let other people use your card. If card is lost or stolen, report the incident immediately to the BSFI.

b) Credit cards

i. Never disclose credit card information to anyone. The fraudulent use of credit cards is not limited to the loss or theft of actual credit cards. A capable criminal only needs to know the credit card number to fraudulently make numerous charges against the account.

ii. Endorse or sign all credit cards as soon as they are received from the BSFI.

iii. Like ATM card PINs, secure credit card PINs. Do not keep those numbers or passwords in the wallet or purse and never write them on the cards themselves.

iv. Photocopy both the front and back of all credit cards and keep the copies in a safe and secure location. This will facilitate in the immediate cancellation of the card if lost or stolen.

v. Carry only the minimum number of credit cards actually needed and never leave them unattended.

vi. Never allow the credit card number to be used as a reference number, or the credit card to be used as an identification card.

vii. Never give your credit card account number over the telephone unless dealing with a reputable company or institution.

viii. When using credit cards, keep a constant eye on the card and the one handling it. Be aware of the “swipe and theft” scam using card skimmers. A skimmer is a machine that records the information from the magnetic stripe on a credit card to be downloaded onto a personal computer later. The card can be swiped on a skimmer by a dishonest person and that data can then be used to make duplicate copies of the credit card.

ix. Do not leave documents like bills, bank and credit card statements in an unsecured place, since these documents contain credit card and/or deposit account information. Consider shredding sensitive documents rather than simply throwing them away, as some people will go through the garbage to find this information.

x. Notify the BSFI in advance of a change in address.

xi. Open billing statements promptly and reconcile card amounts each month.

xii. Do not let other people use your card. If card is lost or stolen, report the incident immediately to the BSFI.

c) Mobile Phones/Devices

i. Do not disclose your Mobile Banking PIN (MPIN) to anyone.

ii. Regularly change the MPIN.

iii. Do not let other people use your mobile phone enrolled in a mobile banking service. If the phone is lost or stolen, report the incident immediately to the BSFI.

iv. Be vigilant. Refrain from doing mobile banking transactions in a place where you observe the presence of “shoulder surfers”.

v. Keep a copy of the transaction reference number provided by the BSFI whenever you perform a mobile banking transaction, as evidence that the specific transaction was actually executed.

Since customers may find it difficult to take in lengthy and complex advice, BSFIs should devise effective methods and channels for communicating with them on security precautions. They may make use of multiple channels (e.g., BSFI websites, alert messages on customers’ mobile phones, messages printed on customer statements, promotional leaflets, and occasions when the BSFI’s frontline staff communicate with customers) to reinforce these precautionary measures.

(Circular No. 958 dated 25 April 2017)

Footnotes

  1. BSFIs shall comply with the foregoing requirements on customer authentication by 30 September 2017. In this regard, a BSFI should be able to show its plan of actions with specific timelines, as well as the status of initiatives being undertaken to fully comply with the provisions of Item “4.1.2” of Appendix 78, upon request of the Bangko Sentral starting May 2017. This transitory period, however, should not excuse BSFIs from immediately complying with the MFA requirements imposed by affiliated payment networks.
  2. Transaction risk analysis refers to the evaluation of risk related to a specific transaction taking into account various criteria including, but not limited to, the customer’s behavioral transaction pattern, payee profile, nature of the product/service to be acquired and transaction value.
  3. Non-repudiation is a means of ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
  4. Public Key Infrastructure (PKI) refers to the use of public key cryptography in which each customer has a key pair (i.e., a unique electronic value called a public key and a mathematically related private key). The private key is used to sign a message, producing a signature that can be verified only with the corresponding public key, or to decrypt a message previously encrypted with the public key. The public key is used to verify a signature produced with an individual’s private key, or to encrypt a message so that it can only be decrypted (read) using the intended recipient’s private key. Signing and encryption are distinct operations, even though both rely on the same key pair.
  5. Digital signature is a digital code that can be attached to an electronically transmitted message and that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be; because it is computed with the sender’s private key, it also supports non-repudiation.
  6. Digital Certificate is the electronic equivalent of an ID card that authenticates the originator of digital signature.
  7. Certification Authority (CA) is the organization that attests using a digital certificate that a particular electronic message comes from a specific individual or system.
  8. Buffer overflow attack is a method of writing more data into a buffer than its predefined size can hold, which overwrites and corrupts adjacent memory and can allow an attacker to alter the program’s data or control flow.
  9. Hypertext Markup Language (HTML) is a set of codes that can be inserted into text files to indicate formatting, inserted images, and links to other hypertext documents.
  10. Hyperlink is an item on a webpage, that, when selected, transfers the user directly to another location in a hypertext document or to another webpage, perhaps on a different machine.