Final versions of two electronic banking publications
17 July 2003
The Basel Committee on Banking Supervision has issued a final version of its paper Management and supervision of cross-border electronic banking activities. This paper was developed by the Committee's Electronic Banking Group and was initially released for consultation in October 2002. It complements the Committee's Risk management principles for electronic banking initially released for consultation in May 2001, which has also been issued in its final version. The final papers do not show significant changes compared to the consultative versions.
The Committee's Electronic Banking Group, formed in November 1999, is chaired by U.S. Comptroller of the Currency John D. Hawke, Jr., and is comprised of bank supervisors from Australia, Belgium, Canada, France, Germany, Hong Kong, Italy, Japan, Luxembourg, The Netherlands, Singapore, Spain, Sweden, Switzerland, the United States, the United Kingdom, and the European Central Bank.
The purpose of the papers is to express supervisory expectations and guidance to promote safety and soundness for electronic banking activities. The first paper identifies 14 risk management principles for electronic banking to help banking institutions expand their existing risk oversight policies and processes to cover their electronic banking activities. These principles focus on the oversight responsibilities of the board of directors and management, the need for appropriate security controls, and the management of legal and reputational risk associated with electronic banking activities.
The second paper identifies additional risk management principles specific to cross-border electronic banking activities. It also stresses the need for effective home country supervision as well as ongoing international cooperation between banking supervisors regarding such activities.
The final Electronic Banking Principles identified in both papers underscore the Committee's view that supervisory expectations should be tailored and adapted to online banking but not fundamentally different to those applied to banking activities delivered through traditional channels. Consequently, the principles are largely derived and adapted from supervisory expectations that have already been expressed by the Committee or national supervisors over a number of years. However, in certain areas, such as the management of outsourcing relationships, security controls and the management of legal and reputational risk, the characteristics of the internet distribution channel call for more detailed principles than those expressed to date.
"Our goal with these electronic banking principles is to promote safe and sound banking industry and supervisory practices without creating undue regulatory burden or impediments to a bank's use of the Internet delivery channel to meet customer needs," said Comptroller Hawke. "At the same time, we expect bankers to be mindful of the need to have in place adequate risk management processes, provide adequate disclosures to customers, and, in the case of cross-border activities, conduct appropriate risk assessment and due diligence."
The Committee stresses through these principles that banks need to develop risk management processes appropriate for their individual risk profile, operational structure and corporate governance culture, as well as in conformance with the specific risk management requirements and policies set forth by the bank supervisors in their particular jurisdiction(s). The Committee recognises the evolutionary nature of technological and customer service innovation in electronic banking. Accordingly, these final principles, while representative of current industry sound practice, do not attempt to dictate specific technical solutions to address particular risks or set technical standards relating to electronic banking. Many electronic security controls and risk management techniques are evolving rapidly to keep pace with new risks, technologies and business applications. Technical issues, including security challenges, will need to be addressed on an ongoing basis by both banking institutions and various standard-setting bodies as the risk environment and technology evolve. However, these papers contain appendices that list some examples of current and widely used risk mitigation practices in the e-banking area that are supportive of the Electronic Banking Principles.
The Committee has particularly taken note that, in Management and supervision of cross-border electronic banking activities, the hybrid nature of electronic banking services covered by the report (ie both retail and wholesale) may necessitate different degrees of bank due diligence and public disclosure depending on the type of customer being served. Nonetheless, the Committee believes that banks' due diligence and disclosure should be performed in a more rigorous way with regard to retail customers.
Both papers should be read in relation to the section on operational risk in the Third consultative document on the New Basel Capital Accord (April 2003), as well as to Sound practices for the management and supervision of operational risk (February 2003), both of which address risks relating, inter alia, to electronic banking activities.