BIS issues e-banking risk guidance

The Bank for International Settlements is calling on financial services organisations to review and modify their risk management policies to deal with the challenges presented by e-banking.

In a report which lays out fourteen risk management principles for electronic banking, the Basel Committee on Banking Supervision says the rapid development of e-banking capabilities carries risks as well as benefits. The Committee cites the unprecedented speed of change related to technological and customer service innovation, the ubiquitous and global nature of open electronic networks, the integration of e-banking applications with legacy computer systems and the increasing dependence of banks on third party IT suppliers.

The Committee notes that these characteristics increase and modify some of the traditional risks associated with banking activities, in particular strategic, operational, legal and reputational risks.

The Basel Committee says it is "incumbent" upon the boards of directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified their existing risk management policies and processes to cover their current or planned e-banking activities. The Committee also believes that the integration of e-banking applications with legacy systems implies an integrated risk management approach for all banking activities of a banking institution.

In some areas, the guidelines reflect established practice; in others, such as the management of outsourcing relationships, security controls and legal and reputational risk management, fresh attempts have been made to address the implications of the Internet distribution channel.

Effective management oversight is expected to include the development and maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. It also should include a comprehensive process for managing risks associated with increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform critical e-banking functions, says the BIS.

Security measures should include establishing appropriate authorisation privileges and authentication measures, logical and physical access controls, adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities and data integrity of transactions, records and information. In addition, the existence of clear audit trails for all e-banking transactions should be ensured and measures implemented to preserve confidentiality of customer data.

To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand, states the BIS.

"The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances," states the report. "To meet customers' expectations, banks should therefore have effective capacity, business continuity and contingency planning."

Effective incident response mechanisms are "critical" to minimise operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services, states the BIS.

Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services, the report concludes.
