Strategic
Credit
Market
Liquidity
Operational
Compliance/legal/regulatory
Reputation
The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.
Inadequate Information Systems
Breaches in internal controls
Fraud
Unforeseen catastrophes
General Risks
Physical access to the hardware
Logical access to the IT systems
Capacity management - prevents bottlenecks in all relevant system components
Emergency management
Insufficient backup and recovery measures - these measures mitigate the consequences of system failures
Application-oriented risks
1. Data not correctly recorded due to system errors
2. Data not correctly stored during period of validity
3. Relevant data are not correctly included
4. Calculations which are the basis for information are not correct
5. Due to system failures the information processed by the application is not available in time.
Categories
1. Check Fraud
2. Debit card Fraud
3. Electronic Payment Fraud
4. ATM Deposit Fraud
5. Account Take-over/Identity Theft
From: http://www.newarchitectmag.com
JAM (Java Agents for Meta Learning)
Financial or Human resource shortage
High volumes of claims, transactions or other information to be analyzed
Cookie-cutter detection methods that miss new or unusual instances
Lack of in-house expertise or training
Advances in communications provide networked global access to information and delivery of products/services
Internet has reached critical mass (60% of U.S. households)
Some banks have 25 percent of customers banking online
Increased competition from other industries and abroad
Greater reliance on third party providers
Advances in technology make the component functions of banking more easily divisible www.occ.treas.gov
[Chart: Growth in Number of National Banks that Have Transactional Websites; percentage of national banks (y-axis 10% to 50%) from Sep-99 through Jul-00, Dec-00, YTD Mar-01 and 1-Jun]
Source: Office of the Comptroller of the Currency. “Transactional web sites” are defined as bank web sites that allow customers to transact business. This may include accessing accounts, transferring funds, applying for a loan, establishing an account, or performing more advanced activities.
Balance inquiry
Transaction information
Funds transfer
Cash Management
Bill payment
Bill presentment
Loan applications
Stored Value-application: Stored-value cards are a substitute for cash, gift certificates and check payments.
Monetary value is added to the stored-value account before the card is used, with the value either being funded by the cardholder directly, or by the card program operator in commercial applications www.occ.treas.gov
Aggregation
Electronic Finder
Automated clearinghouse (ACH)
Transactions
Internet Payments
Wireless Banking
Certification Authority
Data Storage - Digital Data Storage (DDS) is a format for storing and backing up computer data on tape that evolved from the Digital Audio Tape (DAT) technology.
Vendor Risk Issues
Security, Data Integrity, and Confidentiality
Authentication, Identity Verification, and Authorization
Strategic and Business Risks
Business Continuity Planning
Permissibility, Compliance, Legal Issues, and Computer Crimes
Cross Border and International Banking www.occ.treas.gov
Increases in security events and vulnerabilities
According to the 2001 FBI/CSI survey, 70% of respondents reported the Internet as a point of cyber attack, up from 59% in 2000
Gramm-Leach-Bliley Act of 1999 requires banks to establish administrative, technical & physical safeguards to protect the privacy of nonpublic customer records and information www.occ.treas.gov
Reviewing physical and logical security:
Review intrusion detection and response capabilities to ensure that intrusions will be detected and controlled
Seek necessary expertise and training, as needed, to protect physical locations and networks from unauthorized access
Maintain knowledge of current threats facing the bank and the vulnerabilities to systems
Assess firewalls and intrusion detection programs at both primary and back-up sites to make sure they are maintained at current industry best practice levels www.occ.treas.gov
Reviewing physical and logical security (cont’d):
Verify the identity of new employees, contractors, or third parties accessing your systems or facilities. If warranted, perform background checks.
Evaluate whether physical access to all facilities is adequate.
Work with service provider(s) and other relevant customers to ensure effective logical and physical security controls.
www.occ.treas.gov
Reliable customer authentication is imperative for e-banking
Effective authentication can help banks reduce fraud, reputation risk and disclosure of customer information, and promote the legal enforceability of their electronic agreements
Methods to authenticate customers:
Passwords & PINs
Digital certificates & PKI (Public Key Infrastructure)
Physical devices such as tokens
Biometric identifiers www.occ.treas.gov
OCC Technology Risks Supervision Program
The Office of the Comptroller of the Currency charters, regulates, and supervises national banks to ensure a safe, sound, and competitive banking system that supports the citizens, communities, and economy of the United States.
Guidance -- Focus on risk analysis, measurement, controls, and monitoring
Risk-based examinations of banks and third party service providers (as authorized by the Bank Service Company Act of 1962)
Training and Technology Integration Project
External outreach and co-ordination
Licensing process for Internet-primary banks and novel activities www.occ.treas.gov
www.occ.treas.gov
www.newarchitectmag.com
http://www.cs.columbia.edu/~sal/JAM/PROJECT/
Gerrit Jan van den Brink (2002), Operational Risk: The challenge for banks.
http://dinkla.net/fraud/products.html