Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities (Letter Report, 07/06/1999, GAO/GGD-99-91).

Internet banking heightens traditional banking risks. GAO's review of 81 examinations found that 44 percent of the depository institutions examined had not completely implemented risk-management steps that regulators said are needed to limit on-line banking risks. Shortcomings included some institutions' lack of approval of strategic plans by their board of directors and a lack of policies and procedures at some institutions for Internet banking operations. However, too few examinations had been done at the time of GAO's review to identify the extent of any industrywide Internet banking-related problems. Regulators attributed the limited number of examinations to a diversion of examiners to deal with the Year 2000 computer problems and to the limited number of examiners with expertise in information systems. GAO found that some regulators could use more systematic methods for identifying institutions' plans for new Internet banking systems and maintaining this information centrally. GAO also found variations in the supervisory approaches the regulators followed to help ensure that institutions mitigate the risks posed by Internet banking. Finally, GAO found that the five regulators are beginning to work together to study third-party firms providing Internet banking support services.

GAO summarized this report in testimony before Congress; see: Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities, by Richard J. Hillman, Associate Director for Financial Institutions and Markets Issues, before the Subcommittee on Domestic and International Monetary Policy, House Committee on Banking and Financial Services. GAO/T-GGD-99-152, Aug. 3 (25 pages).
--------------------------- Indexing Terms -----------------------------
REPORTNUM:  GGD-99-91
TITLE:      Electronic Banking: Enhancing Federal Oversight of Internet Banking Activities
DATE:       07/06/1999
SUBJECT:    Computer security
            Banking regulation
            Lending institutions
            Bank management
            Bank examination
            Risk management
            Computer networks
            Electronic funds transfer
            Confidential communication
            Credit unions
IDENTIFIER: Internet
United States General Accounting Office
GAO Report to the Chairman, Committee on Banking and Financial Services, House of Representatives
July 1999
ELECTRONIC BANKING: Enhancing Federal Oversight of Internet Banking Activities
GAO/GGD-99-91

United States General Accounting Office
Washington, D.C. 20548
General Government Division

B-280366

July 6, 1999

The Honorable James A. Leach
Chairman, Committee on Banking and Financial Services
House of Representatives

Dear Mr. Chairman:

As you requested, this report discusses federal oversight of depository institutions' Internet banking activities. Internet banking involves individuals' use of personal computers connected to their depository institutions over the Internet to transfer funds between accounts, make payments, or obtain information, such as account balances. The recent rapid growth of Internet banking services has led to congressional concern about the safety and security of such banking activities and the preparedness of banking regulators to help ensure safe and sound Internet banking operations. The objectives of this report are to (1) describe the risks posed by Internet banking and the extent of any industrywide Internet banking-related problems, (2) assess the methods used by regulators to track depository institutions' plans to provide Internet banking services, (3) determine how regulators examined Internet banking activities, and (4) determine the extent to which regulators examined firms providing Internet banking support services to depository institutions.

Results In Brief

Internet banking heightens various types of traditional banking risks of concern to regulators, including strategic, compliance, security, reputation, and transactional risks.1 As provided in regulatory guidance to banks, savings and loan associations (thrifts), and credit unions, these risks should be managed through implementation of risk management systems that emphasize, among other things, active board and senior management oversight, effective internal controls, and comprehensive and ongoing internal audit programs. Examinations of Internet banking that we reviewed found that some depository institutions were not taking all the necessary precautions to mitigate Internet banking risks. While deficiencies were found, none of these examinations reported any financial losses or security breaches. However, during the time of our review, too few examinations had been completed to identify the extent of any industrywide Internet banking-related problems.

1 For a definition of these risks see pages 8 and 9.

Page 1
In general, the regulators said that few examinations had been completed because Internet banking is a relatively new activity and implementation of examination programs has required examiner training and testing of new examination procedures. In addition, they said that the number of examiners with expertise in information systems was limited and that some examiners who might otherwise have been deployed by some regulators to monitor Internet banking in the past 2 years were diverted by higher-priority efforts to address the Year 2000 computer problem.2 While the regulators have shared information on issues of common concern to them in the past, they have not routinely shared information on identified Internet banking risks and examination results. As more examinations are completed, sharing of information among the regulators could help them better understand the extent of the risks posed by Internet banking, develop risk characteristics allowing them to target institutions requiring further attention, and help them allocate limited resources among competing priorities.

2 The Year 2000 computer problem exists because the data that computers store and process often use only the last two digits to designate the year. On January 1, 2000, such systems may mistake data referring to 2000 as meaning 1900, possibly leading to numerous errors and disruptions in processing of financial data.

Regulators use a variety of methods to identify depository institutions that are already offering Internet banking services; however, only two regulators had systematically obtained centralized information on depository institutions' plans to provide such services and had a database of this information at the time of our review. The Office of Thrift Supervision (OTS), which regulates thrifts, recently established a requirement that depository institutions (1) notify it in advance of plans to establish a transactional Web site and (2) report their Web site address in quarterly Thrift Financial Report filings. Such information is maintained in a centralized electronic database. In addition, the Federal Deposit Insurance Corporation (FDIC) developed a centralized database that contains, among other things, information on a depository institution's plans to provide Internet banking services. Information in this centralized database is collected as part of the examination process. When FDIC examiners encounter an institution that is not currently conducting Internet banking activities, they are still required to gather minimal information about whether the institution plans to establish Internet banking. These or other methods could be used by other regulators to inform them about Internet banking plans and activities and better enable them to provide specific risk management guidance to individual depository institutions when needed. The information could also be
used to help ensure regulatory awareness of the growth of Internet banking, plan the scope and timing of future examinations, and determine the need for additional examiners with information technology expertise.

During our review, most regulators were developing, testing, or implementing new on-line banking examination procedures, which included procedures for examinations of Internet banking, and most had conducted at least some examinations of depository institutions' Internet banking operations. Because Internet banking is a relatively new and evolving banking activity, FDIC and OTS expect their examiners to thoroughly examine an institution's Internet banking activities during their first examination after those activities are implemented. While the Federal Reserve System (FRS) and the Office of the Comptroller of the Currency (OCC) also consider Internet banking to be an evolving activity, they do not require that an institution's new Internet banking activity be thoroughly examined. The National Credit Union Administration (NCUA), which reported a significant diversion of resources due to work related to the Year 2000 computer problem, was the only regulator that had not developed requirements and procedures for Internet banking examinations. Because NCUA lacked an effective Internet banking examination program, it could not provide assurances that credit unions with Internet banking were appropriately managing risks that could affect their safety and soundness.

Many depository institutions contract with third-party firms for Internet banking support services they choose not to provide themselves. Each regulator has the authority to examine depository institutions' banking services provided by a third party, and to avoid duplication of effort, regulators often cooperate in examining third-party firms. Joint examination of firms providing Internet banking services could better enable regulators to share technical resources and fill expertise gaps in this emerging activity. In late 1998, the five regulators, working under Federal Financial Institutions Examination Council (FFIEC) auspices, cooperatively initiated a joint study of Internet banking services provided by third-party firms. The study is to provide the regulators with a greater understanding of the services and security features provided to depository institutions by third-party firms. While each regulator has the authority to examine third-party firms providing services to depository institutions, NCUA's authority to examine such firms is temporary. Its authority, which was granted so that NCUA could conduct examinations related to the Year 2000 computer problem, expires on December 31, 2001. The expiration of this authority would limit NCUA's future ability to effectively oversee third-party firms that provide Internet banking services to credit unions. We are making recommendations to federal banking regulators and raising a matter for congressional consideration to address these issues.
Background

Internet banking is one form of on-line banking; PC direct dial banking is another. Before Internet banking, customers using direct-dial PC banking needed to use specialized computer software provided and supported by their depository institution. More recently, these direct-dial connections are being replaced by Internet connections over which customers can use their computers and browser software to connect to their depository institution's Web site. In general, regulators distinguish three types of Internet banking Web sites:

* Purely informational sites, which have information about the depository institution and its products and services but no interactive capability;
* Information-exchange sites, which provide information and allow customers to send information to the depository institution or make inquiries about their accounts; and
* Fully transactional sites, which offer the previously described capabilities as well as some additional services, such as real-time account queries, transfers of funds among accounts, bill payments, or other banking services.

Internet banking services are offered by a rapidly growing number of depository institutions. According to recent data, at least 3,610 federally insured depository institutions - about 17 percent of all U.S. banks, savings associations, and credit unions - offered some form of Internet banking service as of February 1999.3 About 20 percent of these depository institutions offered fully transactional Web sites.4 Information available from the banking regulators and industry studies suggests that Internet banking is accelerating. According to FDIC and NCUA statistics, in the 11 months ending February 1999, the number of banks, thrifts, and credit unions with transactional sites almost tripled. According to projections reported by the Department of Commerce, the number of customers who went on-line to perform banking transactions increased by 22 percent, from 4.6 million to 5.6 million, in the 6 months ending April 1998.5

3 In February 1999, approximately 2,500 banks and thrifts - about 23 percent of all banks and thrifts - had Web sites, according to FDIC. As of June 30, 1998, 1,110 credit unions had Web sites, according to NCUA.

4 According to FDIC, 436 banks and thrifts offered fully transactional Web sites as of February 4, 1999. According to NCUA, 256 credit unions offered such sites as of June 30, 1998.

Five federal regulators - FDIC, FRS,
NCUA, OCC, and OTS - supervise and examine all federally insured depository institutions. FDIC, a government corporation, is the primary federal regulator of state-chartered banks that are not members of FRS. FRS, another independent body, shares responsibility with state banking regulators for supervising and examining state-chartered banks that are members of FRS. In addition, FRS supervises bank holding companies and their nonbank subsidiaries. Banks under FRS' supervision are supervised by 12 regional Reserve Banks that conduct examinations under delegated authority from the Board of Governors in Washington. NCUA is an independent body responsible for examining and supervising federally insured credit unions and works with state regulators to monitor the safety and soundness of state-chartered credit unions. OCC, an agency that is a bureau of the Department of the Treasury, supervises all national banks. OTS, which is also a bureau of the Department of the Treasury, serves as the primary regulator for thrifts and thrift holding companies. The regulators oversee a mix of large, medium, and small depository institutions, as shown in table 1.

5 The Emerging Digital Economy (U.S. Department of Commerce, April 1998).

Table 1: The Number and Asset Size of Depository Institutions Overseen by Banking Regulators, as of June 30, 1998
(Dollars in billions)

             Total            Large                Small and medium
             institutions     institutions(a)      institutions(b)
Regulator    supervised       Number    Assets     Number    Assets
FDIC            5,449             5       $87       5,444      $822
FRS               989            19     1,013         970       282
OCC             2,546            40     2,160       2,506       819
OTS             1,181            16       374       1,165       412
NCUA           11,130             1        10      11,129       375
Total          21,295            81    $3,644      21,214    $2,710

a $10 billion or more in assets.
b Less than $10 billion in assets.
Source: GAO analysis of FDIC and NCUA data.

Banking regulators also work together through FFIEC, an interagency forum Congress created in 1979 to promote consistency in the examination
and supervision of depository institutions.6 In 1996, FFIEC updated its "Information Systems Handbook," which provides regulators with general guidance on information systems and technology examinations.

6 FFIEC is composed of the Comptroller of the Currency, one FRS Governor, the OTS Director, the FDIC Chairman, and the Chairman of the NCUA Board.

To help ensure the safety and soundness of federally insured banks, thrifts, and credit unions, banking regulators conduct various types of monitoring activities. They include the following:

* Off-site monitoring, which generally consists of reviews and analyses of depository institution-submitted data, including call reports, and discussions with bank management,7 is carried out to monitor compliance with requirements or enforcement actions; formulate supervisory strategies, especially plans for on-site examinations; and identify trends, areas of concern, and accounting questions.
* On-site safety-and-soundness examinations are conducted to assess the safety and soundness of a depository institution's practices and operations. Specific objectives of these on-site examinations that are common to all the banking regulators include (1) determining the institution's condition and the risks associated with its current and planned activities; (2) evaluating the institution's overall integrity and the effectiveness of its risk management by testing the institution's practices; and (3) determining the institution's compliance with laws, regulations, and rulings.
* Information systems examinations are conducted to identify and correct information and technology-related risk exposures of significance that threaten the depository institution. These examinations focus on various components of an institution's information system, such as the capabilities of its information technology management; the adequacy of its systems development and programming; and the quality, reliability, availability, and integrity of its information technology operations.
* Finally, special technical examinations of banking services by third parties are conducted to ensure that banking operations performed by third-party firms are consistent with the safety and soundness of the depository institutions using the services. These examinations, which often include a review of the management systems, operations, and financial condition of the service providers, can provide regulators with greater assurances of the reliability of services than can be obtained during normal safety and soundness examinations of a depository institution.

7 Call reports for banks are also called the Consolidated Reports of Condition and Income. The reports for bank holding companies are called the Consolidated Financial Statements for Bank Holding Companies. Similar quarterly reports on thrifts and thrift holding companies are submitted to OTS. The reports are prepared by institution management and submitted to the primary regulator on a quarterly basis. The reports include a balance sheet, income statement, and various supporting detailed analyses of balances and related activities. The reports for credit unions are called Financial and Statistical Reports.

The banking regulators also conduct reviews of on-line banking systems for compliance with consumer protection laws and regulations. These include examinations of an institution's obligation to provide required notices and disclosures on Internet banking products and services.

Scope and Methodology

To address our four objectives, we interviewed officials and reviewed available documents from the five banking regulators. This included obtaining information on Internet banking risks and each regulator's strategy for overseeing Internet banking activities, the methods used to identify depository institutions that offer Internet banking, the existence of safety and soundness and information systems examination procedures for reviewing Internet banking, and the extent of examinations of third-party firms. We did not independently verify the accuracy of data that banking regulators provided. We also interviewed representatives from selected depository institutions and third-party firms to obtain their views on the scope and frequency of examinations by bank regulators and their assessment of risks posed by Internet banking systems. In addition, we developed a data collection instrument to document our review of 81 safety and soundness and information systems examinations that included on-line banking, and we also used a structured questionnaire to interview 43 selected examiners who had conducted these on-line banking examinations. (See app. I for a more detailed description of our scope and methodology.) We did our work from April 1998 to May 1999 in Washington, D.C.; Los Angeles, CA; San Francisco, CA; Atlanta, GA; Kansas City, KS; and New York, NY, in accordance with generally accepted government auditing standards. We requested comments on a draft of this report from the five banking regulators and FFIEC, and these comments are discussed near the end of this letter and are reprinted in appendixes III through VIII.
Regulators Agree Internet Banking Presents Risks and Oversight Challenges, While Extent of Any Industrywide Problems Is Unknown

Internet banking services heighten various types of risks that are of concern to banking regulators, and the regulators have advised institutions to mitigate these risks through the implementation of risk management systems that emphasize, among other things, (1) active board of directors' oversight, (2) effective internal controls, and (3) comprehensive internal audits. Too few examinations that included a review of Internet banking had been conducted at the time of our review for the extent of Internet banking-related problems industrywide to have been identified. However, our review of 81 such examinations revealed that some depository institutions had not always adhered to risk mitigation guidance provided by the regulators. Few examinations had been conducted because, according to the regulators, Internet banking was a relatively new activity, and examination procedures were still being developed. Other reasons reported by regulators were that the number of examiners with expertise in information systems was limited and that some examiners who might otherwise have examined on-line banking during our study period were diverted by higher priority efforts to address the Year 2000 computer problem. As more examinations are completed, sharing of information among the regulators could help them better understand the extent of risks posed by Internet banking, develop risk characteristics allowing them to target institutions requiring further attention, and help make decisions on how best to allocate information technology expertise among competing priorities.

Internet Banking Risks

Internet banking heightens various types of traditional banking risks that are of concern to banking regulators. These risks, which are discussed in regulatory guidance provided to depository institutions, include the following:

* Security risk is the risk of potential unauthorized access to a depository institution's networks, systems, and databases that could compromise internal systems and customer data and result in financial losses. The use of an electronic channel, such as the Internet, to deliver products and services introduces unique risks for a depository institution due to the speed at which systems operate and the broad access in terms of geography, users, applications, databases, and peripheral systems.
* Transactional risk is the risk of financial losses arising from problems with service or product delivery. Transactional risk often results from deficiencies in computer system design, implementation, or ongoing maintenance.
* Strategic risk is the risk to earnings or capital arising from adverse business decisions or adverse implementation of those decisions. Depository institutions face strategic risk whenever they introduce a new product or service, such as Internet banking.
* Reputation risk is the risk of significant negative public opinion that results in a critical loss of funding or customers. This risk can also expose the depository institution to costly litigation. Failure of Internet banking products to perform as promised, such as a communication failure that prevents customers from accessing their accounts, could expose a depository institution to reputation risk.
* Lastly, compliance risk is the risk arising from violations of, or nonconformance with, laws, rules, regulations, required practices, or ethical standards. This risk may arise if a depository institution fails to comply with regulatory guidance or an enforcement action.

Regulators Have Provided Guidance on Risk Mitigation

Banking regulators have provided depository institutions with advisory guidance on how to mitigate risks posed by Internet banking, including risks related to services provided by third-party firms. In their guidance, regulators describe how depository institutions in general should plan for, manage, and monitor risks associated with the use of technology. Most regulators provided such guidance in advisory letters to all covered depository institutions. FRS provided its guidance in a "sound practices paper" released at a FRS information security conference in September 1997. The guidance was not tailored to fit individual institutions. (See app. II for descriptions of guidance provided by each regulator.) As discussed in this advisory guidance, risk management systems include the following critical components.

* Active board and senior management oversight: Boards of directors have ultimate responsibility for on-line banking systems, including Internet banking systems, offered by their depository institutions. The guidance points out that the Internet facilitates broad access to confidential or proprietary information, and deficiencies in planning and deployment can significantly increase the risk posed to a depository institution and decrease its ability to respond satisfactorily to problems that arise. For this reason, directors, senior managers, and line officers are to be fully informed of the significant investments, opportunities, and risks involved in deploying such technology. Boards of directors should approve the overall business and technology strategies, and senior management should ensure that adequate risk management systems are in place.
* Effective internal controls: Internal controls are the means by which the board of directors, management, and other personnel obtain reasonable assurance that an institution's assets are safeguarded and that its systems and operations are reliable and efficient. Regulators' guidance describes a variety of internal controls to help mitigate risks involving such areas as systems security, management of third-party firms, and various operating policies and procedures that should be considered to keep pace with new technological developments.
* Adequate internal audits: Regulators' guidance points out that an objective review of on-line banking should identify and quantify risk, and detect possible weaknesses in a depository institution's risk management system as it pertains to on-line banking. When coupled with a strong risk management program, a comprehensive, ongoing audit program allows the institution to protect its interests as well as those of its customers and other participants.

Too Few Examinations Had Been Conducted to Identify the Extent of Any Industrywide Internet Banking-Related Problems

While examiners found that some depository institutions were not taking all of the prescribed precautions to mitigate risks, too few examinations with documented on-line banking assessments were available at the time of our review to identify the extent of any industrywide Internet banking-related problems. According to the regulators, few examinations had been conducted because Internet banking is a relatively new activity and regulators have had to develop and implement new policies and procedures and related training programs to assess this activity. In addition, regulatory examinations required to address the higher priority Year 2000 computer problem were contemporaneous with our review, and some regulators reported that limited information systems resources prevented them from conducting both Year 2000 and on-line banking examinations.

Between March 1998 and August 1998, we asked each regulator to provide us with information on safety and soundness and information systems examinations in which (1) examiners applied their agency's on-line banking examination procedures written for both direct-dial and Internet banking systems or (2) where the examination's scope included on-line banking. It was difficult for most regulators to provide such information because, with the exception of FDIC, information was not maintained centrally to identify examinations that included on-line banking assessments. We reviewed 81 examinations that regulators were able to provide. The 81 examinations included 58 small-, 18 medium-, and 5 large-sized depository institutions.8 The Internet banking activities examined by the
regulators included informational sites, information-exchange sites, and transactional sites. In the examinations we reviewed, examiners noted that the on-line banking risk mitigation systems had various types of weaknesses. None of the examined depository institutions, including those whose risk management systems evidenced weaknesses, were reported to have experienced financial losses or security breaches due to Internet banking activities. However, in the 81 depository institution examinations we reviewed, regulators found that 36 (44 percent) had not completely implemented the on-line banking risk mitigation steps outlined by the regulator. As summarized in table 2, in 20 of the 81 examinations (25 percent), strategic planning deficiencies were discovered. For example, the regulators found that some institutions had not prepared strategic plans or had not obtained board of directors' approval before initiating on-line banking. In 26 of the examinations (32 percent), the regulators found that the institution did not have policies and procedures in place to guide its on-line banking operations. In 29 of the examinations (36 percent), the regulators found that the institution lacked adequate audit coverage of its on-line operations. Fifteen examinations (18 percent) disclosed that the institution had not taken steps to evaluate its third-party firm or lacked a written contract with the firm.

Examiners whom we interviewed expressed concerns about deficiencies similar to those revealed in the examinations we reviewed. For example, examiners were concerned that some smaller institutions were implementing Internet banking systems before they had established operating policies and procedures and that bank management had to be reminded that operating policies and procedures were not optional.

8 The examinations we reviewed included 62 that were conducted by FDIC, 6 by FRS, 8 by OCC, and 5 by OTS. FDIC also provided some examinations that were conducted between June 1997 and February 1998.
Table 2: On-line Banking-Related Weaknesses in Risk Mitigation
Systems, as Reported in 81 Examinations Completed From June 1997 to
August 1998

                                        Size of banks and thrifts offering on-line banking
                                        services with reported weaknesses
                                        Small(a)          Medium(a)         Large(a)          Total
Type of weakness                        Number Percent(b) Number Percent(b) Number Percent(b) Number Percent(b)
Deficiencies in strategic planning          18     31         2     11         0      0        20     25
No policies and procedures to address
  security concerns and standard
  operating practices                       21     36         4     22         1     20        26     32
Insufficient audit coverage of on-line
  banking activities                        25     43         4     22         0      0        29     36
Management had not properly initiated
  or documented agreements with
  third-party firms                         12     21         2     11         1     20        15     18

Note: The number of weaknesses reported exceeds the number of
institutions examined (81) because some depository institutions were
reported to have more than one type of weakness.

(a) Small depository institutions are defined as institutions with
less than $1 billion in assets. Medium-sized institutions have $1
billion to $10 billion in assets, and large institutions have more
than $10 billion in assets.

(b) Percent of institutions examined in the size group with
identified weaknesses.

Source: GAO analysis of FDIC, FRS, OCC, and OTS data.

Because the examinations we reviewed did not represent a
statistically valid sample, we are unable to project the number of
weaknesses beyond the institutions reviewed. However, the extent of
problems identified at smaller institutions is consistent with views
expressed by some banking industry officials that smaller institutions
have the potential to encounter Internet banking-related problems.
These officials generally believed that smaller institutions may have
insufficient in-house expertise to operate an Internet banking system
or lack the ability to adequately evaluate the Internet banking
services offered by third-party firms to ensure that such systems
operate as intended. In particular, NCUA officials observed that
smaller institutions might move too quickly into Internet banking
because of the relatively low costs of providing such services through
third-party firms and the desire to remain competitive.

Regulators Face Human Capital Challenges Because of Internet Banking
Growth

Banking regulators have told us that depository institutions'
increasing use of information technology, such as that employed in
Internet banking, and the growth forecast for Internet banking present
them with human capital management challenges. The adequacy of
regulatory efforts to ensure safe and sound operations of complex
transactional Internet banking systems will depend increasingly upon
the availability of examiners with appropriate expertise or training
in information technology management. During our review, banking
regulators expressed concern about their ability to address
technological changes in the banking industry with their existing
resources.

Awareness of Internet Banking Plans Could Help Regulators Provide
Timely Guidance and Manage Existing Resources

Information about depository institutions' plans to provide Internet
banking services could help ensure that regulators are aware of growth
and technological trends in Internet banking. This information could
be instrumental in enabling regulators to provide individual
depository institutions with more timely and specific risk-management
guidance and advice before such institutions enter into contracts with
third-party firms or independently develop their own Internet banking
services. Awareness of an institution's Internet banking plans could
also provide regulators with useful information to plan the scope and
timing of future examinations as well as to identify the need for
examiners with the appropriate information technology expertise. OTS
recently established a requirement that it receive advance notice of
an institution's plans to establish a transactional Web site.
OTS and FDIC were the only regulators that captured Internet banking
information gathered during examinations, including information about
institutions' plans to offer Internet banking, in a centralized
database that could be used in planning examinations and monitoring
Internet banking activities. Other methods used by regulators to
identify depository institutions that are already offering Internet
banking do not allow the regulators the opportunity to evaluate the
effectiveness of an institution's Internet risk mitigation plans or to
provide institutions with more timely and specific risk management
guidance and advice prior to implementation.

OTS Requires Advance Notification of Institutions' Plans to Offer
Internet Banking

OTS regulations, effective January 1999, require thrifts to provide a
written notice to OTS before establishing a transactional Web site.
The regulations state that the notice must describe the transactional
Web site; indicate the date the site will become operational; and list
a contact familiar with the deployment, operation, and security of the
site.9 According to OTS officials, the one-time notification
requirement will enable the agency to better monitor technological
innovations and thus assess emerging security and compliance risks.
OTS officials said they believed that this monitoring would also
enable the agency to more proactively provide guidance to thrifts as
they plan for or begin to conduct Internet operations.

9 12 C.F.R. 555.310(a).

At the time of our review, OTS was beginning to develop procedures for
providing such guidance. If, after receiving the notice, OTS informs
the thrift of any concerns, the thrift must follow any procedures that
OTS imposes. If the thrift does not receive any comments from OTS, it
is free to go on-line 30 days from the filing date of its notice with
OTS. Before adoption of the final proposal, OTS recognized that this
notice requirement would impose some burden on thrifts. However, it
determined that the one-time expenditure by a thrift of an estimated 2
hours to report its plans represented a minimal burden.

Before January 1999, the effective date of the reporting requirement,
OTS officials told us that OTS identified thrifts' Internet banking
activities primarily during examinations, although some of its
regional offices used other means to identify Web sites. For example,
the western region periodically had surveyed thrifts, and the Atlanta
region used the Internet to identify thrifts' Web sites.

In August 1998, OTS asked for public comment on its advance notice
proposal. The agency received nine comments in response: six from
thrifts, two from trade associations, and one from a public interest
organization. Seven commenters supported the proposal's overall
flexible regulatory approach. Two commenters argued for even greater
flexibility and opposed the proposed notification requirement.
Four commenters also argued that the notice requirement would place
thrifts at a competitive disadvantage, because other banking
regulators did not impose a similar requirement. OTS' response was
that it did not anticipate that the notification requirement would
place thrifts at a significant competitive disadvantage because, once
a thrift has addressed any follow-up questions from OTS' regional
office or the 30-day period has expired, the thrift would be free to
operate the transactional Web site. Finally, one commenter questioned
whether requiring regulatory notice 30 days prior to installing a
transactional site would mitigate the risks mentioned by OTS. The
commenter noted that developing a system requires substantial advance
planning, possibly across multiple departments, and perhaps a contract
with an outside third-party firm. Thus, at the time of notice,
according to the commenter, the work essentially would be completed,
and the financial costs of development already would have been
absorbed by the institution. The commenter pointed out that, for this
reason, an advance notice after the financial risk had been assumed
would not substantially protect the institution. OTS' response was
that it encourages thrifts concerned with such expenditures of
resources to consult their regional office in the early stages of
development, even before filing a notice.

FDIC and OTS Maintain Centralized Databases on Internet Banking
Information

Currently, FDIC and OTS are the only regulators that maintain a
centralized database on Internet banking information gathered during
banking examinations. With regard to FDIC, if an examiner identifies
an institution that plans to offer Internet banking, this information
is to be entered into the centralized system along with other on-line
banking data collected. In addition to data on institutions offering
or planning to offer Internet banking, this database includes
information on third-party firms supplying Internet banking services.
According to FDIC officials, information captured in the centralized
system facilitates the creation of uniform records of all examined
institutions with on-line banking and avoids capturing redundant
information across FDIC's eight regions. They said that the system
also provides an improved means across separate regional systems for
headquarters' staff and examiners to understand how electronic banking
is changing and to more effectively plan the scope, timing, and
staffing of future examinations. As of April 1, 1999, the FDIC
centralized system included information from 391 on-line banking
examinations.10

OTS began collecting information centrally in November 1998. OTS
officials told us that their centralized database includes on-line
banking information from all examined thrifts. In addition, the
database includes the Web site address of over 400 thrifts that
reported this information on their quarterly filings as well as
information gathered as part of OTS' advance notification requirement.

10 This figure includes examinations of transactional sites, both
direct-dial and Internet.

Other Monitoring Methods to Identify Depository Institutions Offering
Internet Banking

Regulators use a variety of other methods to identify depository
institutions that are already offering Internet banking services. All
of the regulators said that they gathered information on institutions'
Internet banking services during pre-examination planning activities.
The regulators also said that they periodically searched the Internet
for Internet banking Web sites. In March 1998, NCUA began requiring
credit unions to report their electronic mail addresses and the type
of Web site offered on their periodic financial and statistical
reports. In addition, at the close of our review, FRS said it was
beginning to centrally collect examination and survey information on
the types of Internet banking services being offered by its regulated
entities (e.g., account balance inquiries, bill payment, and loan
application) as well as the names of third-party firms and software
vendors. OCC plans to centrally collect similar information on
institutions that are already providing Internet banking services.
However, such "after-the-fact" methods do not give the regulators the
opportunity to provide individual institutions with more timely and
specific risk mitigation guidance and advice before they go on-line,
and these methods do not give regulators the opportunity to evaluate
an institution's risk mitigation plans before an institution's
Internet banking services are operational.

Most Regulators Were Developing or Implementing Internet Banking
Examination Procedures

With the
exception of NCUA, the regulators were developing, testing, or
implementing on-line banking examination procedures, which included
those for examinations of Internet banking. NCUA said that it had not
established procedures for Internet banking examinations or conducted
Internet banking examinations because of the need to conduct Year 2000
reviews. In addition, we found that regulators' examination programs
used differing methods in conducting and staffing Internet banking
examinations. For example, because Internet banking is a new and
evolving activity, FDIC and OTS required their examiners to thoroughly
examine an institution's Internet banking activities during the first
examination after those activities were implemented, while FRS and OCC
did not. We also found variations in the level of expertise and
training required of examiners who reviewed Internet banking systems.
The regulators have shared information on issues of common concern to
them in the past but have not routinely shared information on Internet
banking risks and examination results. As each regulator gains
experience in applying its examination methods and procedures, it
would be useful for the regulators to share their expertise to help
determine which methods and procedures are the most efficient and
effective.

Examination Procedures Were in Differing Stages of Development

Each of the regulators had implemented similar examination policies
that reflected the regulators' overall risk-based approach to
supervision. These policies required examiners to determine how
various existing or emerging issues facing an institution or the
banking industry affected the nature and extent of risks at particular
institutions. Based on a risk evaluation, examiners are expected to
develop supervisory plans and actions that would direct their
resources to the issues presenting the greatest risks, especially
those risks that present material, actual, or potential risks to the
banking system. While the banking regulators' examination policies
were established, their procedures for examining on-line banking
activities were in differing stages of development. Generally, FDIC,
FRS, OCC, and OTS had already implemented or were testing examination
procedures for conducting on-line banking examinations. FDIC and OTS
had both issued final examination procedures and were using the
procedures to conduct examinations that included Internet banking
activities. FDIC was the first to implement an on-line banking
examination program in 1997 and had identified more examinations for
our review than any other banking regulator. In commenting on a draft
of this report, FDIC said that it had also developed three technical
work programs that it is field-testing and has shared with the other
regulators. In addition, FDIC said that it had increased the number of
information systems examiners. OTS was the next regulator to issue
final examination procedures. FRS and OCC were still developing their
on-line banking examination programs and were field testing their
examination procedures at the close of our review.11

NCUA Had Not Developed or Implemented an Internet Banking Examination
Program

At the time of our review, NCUA had not established procedures for
Internet banking examinations or conducted such examinations. The
primary reasons for this, according to NCUA officials, were that the
agency did not have the necessary expertise to develop Internet
banking procedures and that its examination resources were dedicated
to examinations geared to averting the Year 2000 computer problems.
According to NCUA, as work related to the Year 2000 computer problem
diminishes, the agency is beginning to focus attention on Internet
banking activities. NCUA first began to consider the need for Internet
banking examinations in 1997, when it informally distributed a white
paper on "cyber credit union services." This paper was distributed to
NCUA examiners who had attended a specific training course and was
also provided to each regional director, who had the option of making
the paper more widely available to regional staff. NCUA officials told
us the agency now expects to develop new Internet examination
procedures that will be closely aligned to FFIEC's guidance on
supervisory oversight of information systems, but no time frames have
been established for developing or implementing these procedures. In
1998, NCUA filled three new information systems officer positions.
While these individuals have been primarily devoted to the Year 2000
project, agency officials told us that these individuals will begin to
develop Internet banking examination procedures and train agency
examiners.

11 While still developing their program, FRS officials told us that
the agency had begun to use the FDIC-developed computerized
examination procedures and standard forms.

Regulators' Approaches to Examining an Institution's On-line Banking
Activity Varied

While FDIC, FRS, OCC, and OTS on-line banking examination policies
were similar, their approaches to examining an institution's on-line
banking activity varied. For example, because Internet banking is a
new banking activity that can potentially introduce new risks to an
institution, FDIC and OTS expect their examiners to thoroughly examine
an institution's Internet banking activities during the first
examination after those activities are implemented. In contrast, FRS
and OCC do not require that an institution's new Internet banking
activity be thoroughly examined. Instead, these regulators permit
safety and soundness or information systems examiners to exercise
discretion in determining the relative risk and the need for and scope
of their examinations of new banking activities, including the
establishment of Internet banking services. In this regard, examiners
may decide not to devote further resources to examining Internet
banking if they determine after an initial assessment that Internet
banking is a small segment of an institution's overall business,
posing little risk to the safety and soundness of the institution.

We also found differences in the type of examiners used to perform
on-line banking examinations. Two regulators, FDIC and FRS, designed
their examination procedures to mainly assess the safety and soundness
aspects of Internet banking, such as the appropriateness of an
institution's strategic planning, internal controls, and operating
policies and procedures. These regulators said that, due to the
orientation of the examination procedures, safety and soundness
examiners generally conducted examinations that included a review of
Internet banking. If, in the judgment of the safety and soundness
examiner, a more sophisticated assessment of an institution's Internet
banking activities were needed, more technically proficient
information system specialists were to be called in to perform a
separate assessment. In contrast, OCC said that information system
specialists conducted most of its Internet banking examinations,
utilizing procedures that included more technical aspects of an
institution's Internet banking activities, such as policies addressing
passwords, firewalls, encryption, and physical security. OCC requires
that most Internet banking examinations be conducted by information
system specialists because it believes that the technology-related
aspects of Internet banking require examiners with expertise in
information systems. OTS also requires the use of information systems
examiners for examinations of complex or large institutions. Small or
less complex institutions are to be examined by safety and soundness
examiners.

Regulators also differed in the degree to which their examiners were
trained in on-line banking systems. FDIC, FRS, and OTS initiated
training programs for their safety and soundness examiners on
electronic-banking issues. Topics in the training programs included
electronic banking trends and developments, risks and vulnerabilities,
and regulatory concerns.
At the close of our review, FDIC said that it had trained nearly all
of its safety and soundness examiners, and OTS said that it expected
to complete its training for safety and soundness examiners by the end
of 1999. FRS officials also said that they expected to complete an
initial training program for safety and soundness examiners by the end
of 1999. These officials added that additional training would likely
be required as Internet banking activities evolve and a greater
understanding of the risks is developed. FDIC also had developed a
training program that provided more in-depth information systems
training to a group of information systems examiners and certain
safety and soundness examiners. After the training, these examiners
were expected to provide services that ranged from providing verbal
consultation to other safety and soundness examiners who were
conducting an examination of an institution's Internet banking
activities, to independently performing information system reviews of
complex on-line banking systems. OCC planned no on-line banking
training of its safety and soundness examiners because on-line banking
examinations were performed by information system specialists. Rather
than establishing an in-house training program for these specialists,
OCC said that it relied solely on external training opportunities,
such as seminars and conferences hosted by FFIEC and the Bank
Administration Institute.

The differing methods and approaches utilized by the regulators were
too new for their overall effectiveness to be evaluated. Over time,
sharing of information among the regulators on the success of these
varying methods and approaches could help them assess the strengths
and weaknesses of their individual programs.

Joint Regulatory Examinations of Third-Party Firms Could Enhance
Internet Banking Oversight

Joint regulatory examinations of the operations of third-party firms
providing depository institutions' Internet banking support services
might increase the economy and efficiency of federal oversight of
Internet banking activities. This would be particularly true if
regulators could share technical expertise in developing and
conducting examinations. In late 1998, the five regulators initiated a
joint research project to study Internet banking support services
provided by third-party firms. However, the extent to which this
interagency group will be able to commit the necessary resources to
this effort is unclear. Also, NCUA's authority to conduct examinations
of third-party firms is set to expire on December 31, 2001, and the
lack of such authority in the future could limit the effectiveness of
the oversight provided to firms providing services to credit unions.
According to NCUA, third-party firms providing credit union services
are not likely to be included in any joint regulatory examinations
because these firms typically only provide services to credit unions,
and other regulators thus have little incentive to select these firms
for a joint review.
Regulators Studying Third-Party Firm Support Services

Joint interagency examinations of traditional third-party
data-processing firms, such as check-processing centers, have tended
to focus on large multiregional data-processing providers serving
banks and thrifts and supervised by more than one supervisory
agency.12 Regulators determined that it was more effective and
efficient to conduct one interagency information systems examination
instead of several separate examinations by each regulator. The
regulators said that these examinations, for the most part, are
conducted by examiners with expertise in information systems. In
conducting these examinations, examiners and specialists from the
participating regulators are to examine the policies, procedures, and
practices of the third-party firm and make suggestions to the firm for
improvements, if necessary.
According to one regulator, two of these examinations have also
included a partial review of two firms' Internet banking operations.
In late 1998, the banking regulatory agencies that comprise FFIEC
initiated a special research project to study third-party firms that
provide Internet banking software or services to banks and thrifts.
The objectives of the project are to develop an understanding of the
products and services offered by such third-party firms, identify
risks and supervisory issues, and develop recommendations regarding
supervisory oversight. The regulators said that the outputs from the
project have not been determined but that they could include
background materials to aid bank examiners, internal policy papers,
supervisory guidance for institutions, or recommendations for
development of examination programs or procedures. They added that the
scope of the project and timetable for its completion are contingent
upon available resources, which have been significantly curtailed due
to the agencies' Year 2000 supervision program. As of March 1999,
agency staff were gathering information on third-party firms that
provided Internet banking services and preparing invitations to
selected firms to discuss their services. At this initial stage of the
project, regulators said they were not examining the firms but instead
obtaining background information.

12 Regulators also have conducted similar interagency examinations of
third-party firms on a regional basis.

Credit Union Third-Party Firms Might Not Be Subjects of Joint
Examinations

While NCUA has recently begun to participate in the joint agency study
of third-party firms, it had not participated in any joint reviews of
third-party Internet banking firms or independently conducted any
reviews of third-party firms serving credit unions. About 13 firms
provide the bulk of these services to credit unions. One of these
firms provides services to about 51 percent of the credit unions
offering Internet banking.13 NCUA officials cited the lack of
technical expertise as a key reason for their inactivity. Further,
NCUA officials said that, on the basis of discussions at a January
1999 FFIEC planning meeting, it appeared unlikely that other
regulators would participate with NCUA in joint reviews of third-party
firms servicing credit unions. The NCUA officials explained that
regulators typically provide staff and resources to a particular joint
review when there is a regulatory overlap involving firms that
provided services to both banks and thrifts. In the case of
third-party firms servicing credit unions, other types of depository
institutions have received few if any services from these firms.

Regulators' Authority to Examine Third-Party Firms Providing Banking
Services

Since 1962, FDIC, FRS, and OCC have had the authority through the Bank
Service Company Act14 to examine the performance of certain services
provided by third-party firms that affect the safety and soundness of
bank operations. In deliberations prior to enacting the Bank Service
Company Act, Congress made it clear that banks could not avoid
examinations of banking functions by outsourcing the functions to
third-party firms. The legislative history shows that Congress
intended that banking regulators be able to examine all bank records
and that they must be able to exercise proper supervision over all
banking activities, whether performed by bank employees on the bank's
premises or by anyone else on or off their premises. Regulators
generally believe that this authority is important because it allows
them to take a broader approach to examining the services of banks or
thrifts and their providers. These examinations are not intended to
replace a depository institution's oversight and monitoring of its
third-party firms, which remains the responsibility of the depository
institution. Instead of examining particular services that a
third-party firm provides to a single bank or thrift, regulators can
assess the entire broad range of services a third-party firm provides
to the banking industry. In addition to being a more direct approach,
most regulators believe such examinations also
may be more efficient and effective. Over time, the authority to
examine third-party firms has become even more important, as
depository institutions have contracted out an increasing proportion
of their operations. FRS officials noted, however, that such
examinations (1) extend bank supervision outside the banking industry,
(2) may unnecessarily consume scarce government resources unless
effectively risk focused, and (3) may create a moral hazard by
undermining the incentive for banks and thrifts to manage their
service provider relationships effectively.

13 In February 1999, this firm announced marketing agreements with
traditional processing firms to offer Internet banking. These
processing firms provide core services to about 1,500 depository
institutions.

14 The Bank Service Company Act, 12 U.S.C. 1861-1867.

In March 1998, NCUA and OTS were given authority to examine certain
third-party firms through the Examination Parity and Year 2000
Readiness for Financial Institutions Act (the Parity Act).15
Specifically, the Parity Act gave NCUA and OTS independent authority
to examine services provided by service providers to credit unions and
thrifts by amending the Federal Credit Union Act and the Homeowners'
Loan Act, respectively.16 The acts primarily focus on ongoing computer
services and turnkey operations in which transactions are transmitted
at the end of the day to a central location. Specifically, NCUA and
OTS are authorized to examine data processing, information system
management, and the maintenance of computer systems that are used to
track everything from day-to-day deposit and loan activity to
portfolio management at a depository institution.

Expiration of NCUA's Authority to Examine Third-Party Firms Could
Limit NCUA's Ability to Effectively Oversee Internet Banking

While NCUA and OTS have the same authority under the Parity Act, the
act specifically sunsets NCUA's authority on December 31, 2001.
According to NCUA officials, and a review of the legislative history
surrounding this action, NCUA's authority was sunset because the
Parity Act focused primarily on Year 2000 computer problems that for
the most part were expected to be resolved by the Year 2000. In
addition, at the time the Parity Act legislation was being considered,
one credit union trade association strenuously objected to
strengthening NCUA's examination authority. As a result, a compromise
was reached that NCUA's authority would be sunsetted. Unless Congress
amends the sunset provision, NCUA will not have the third-party
oversight authority already provided to all other banking regulators.
This is of particular concern because NCUA officials said that most
credit unions offering Internet banking services lack in-house
expertise and rely in part or totally on third-party firms to provide
such services. In its comments on a draft of this report, NCUA
officials stated that the agency plans to request Congress to amend
the Parity Act to provide permanent supervisory authority over service
providers.

15 The Parity Act, P.L. 105-162, 112 Stat. 32 (1998).

16 The Federal Credit Union Act (12 U.S.C. 1781 et seq.); Homeowners'
Loan Act (12 U.S.C. 1464(d)).

Conclusions

Internet banking is a relatively new and rapidly growing activity that
presents various types of risks that are of concern to banking
regulators. At the time of our review, too few examinations of
Internet banking had been conducted to identify the extent of
potential Internet banking-related problems industrywide. Nonetheless,
the examinations we reviewed revealed that some depository
institutions had not taken all the necessary precautions to mitigate
on-line banking risks.
As banking regulators conduct more Internet banking examinations,
they could usefully pool and share their findings to establish the
extent of such problems industrywide. Sharing information on such
findings could provide regulators with information to better
understand the risks posed by Internet banking, allow regulators
to better monitor industry trends, make more informed decisions on
the scope and timing of examinations, and allocate limited
resources among competing priorities. At a time when Internet
banking appears to be accelerating rapidly, banking regulators
either have or plan to utilize a variety of means to identify
depository institutions that are already offering Internet banking
services. However, OTS and FDIC were the only regulators with
procedures to gather centralized information on depository
institutions' plans to offer Internet banking. OTS required that
it receive advance notification of a depository institution's
intentions, and FDIC required its examiners to collect information
on an institution's Internet banking plans for inclusion in a
centralized database. Such early identification procedures could
enable regulators to provide more timely and specific risk
management guidance and advice to depository institutions, and the
procedures could also provide the regulators useful information to
assess the scope and timing of future examinations and determine
the need for examiners with information technology expertise.
Given concerns that some institutions, particularly smaller ones,
might move too quickly into Internet banking because of a desire
to remain competitive, regulatory procedures that provide advance
notification could be an effective means for regulators to
proactively oversee this new and evolving banking activity. With
the exception of NCUA, the banking regulators were developing,
testing, or implementing new on-line banking examination
procedures and had conducted at least some examinations of
institutions' Internet banking services. However, regulators'
examination programs used differing methods in conducting and
staffing Internet banking examinations. In addition, differences
exist in the degree to which examiners
received training on how to examine such activities. As each
regulator gains experience in the application of its examination
procedures, it could be useful for the regulators to share their
findings and approaches to help determine which methods yield the
most effective and efficient results. In addition, NCUA, which has
reported resource constraints due to the Year 2000 computer
problem, has an obligation to help ensure the safety and soundness
of credit unions' Internet banking operations and needs a
reasonable strategy to do so once work on the Year 2000 computer
problem diminishes. The banking regulators' joint study of third-
party firms providing Internet banking service is a good first
step toward providing efficient and effective oversight, because
it has the potential to lead to single coordinated examinations.
However, it is too early to tell whether the study will result in
a proposal to jointly examine third-party firms. Also, NCUA's
authority to examine firms providing Internet banking services
expires on December 31, 2001. If this authority is not extended,
NCUA will not have the third-party oversight authority provided to
other federal banking regulators. Given the expected growth of
Internet banking and its attendant risks, the lack of such
authority in the future could limit NCUA's effectiveness in
ensuring the safety and soundness of the credit unions' Internet
banking activities.

Matter for Congressional Consideration

Congress may wish to consider whether NCUA's current authority to
examine the performance of services provided to credit unions by
third-party firms is needed to ensure the safety and soundness of
credit unions and, thus, should be extended beyond December 31,
2001.

Recommendations

To help regulators better understand the extent of risks posed by
Internet banking and to more effectively evaluate examination
methods and procedures, we
recommend that, as more experience is gained in conducting
examinations of Internet banking services, the heads of the
banking regulatory agencies share information on the problems
depository institutions have had in operating Internet banking
activities as well as which Internet banking examinations methods
and procedures they find to be most efficient and effective. We
also recommend that the Comptroller of the Currency and the
Chairmen of the Board of Governors of the Federal Reserve System
and the National Credit Union Administration establish procedures
to obtain centralized information on institutions' plans to offer
Internet banking. They should use
this information to (1) enhance monitoring of technological trends
and innovations and thus their ability to assess emerging security
and compliance issues; (2) provide more timely and specific risk
management guidance to individual depository institutions, as
necessary; and (3) augment the information used to plan the scope
and timing of future examinations as well as to plan for the
availability of examiners with appropriate information systems
expertise. To help ensure that reviews of the adequacy of Internet
banking services provided by third-party firms are conducted in a
cost-efficient manner, we recommend that, on the basis of the
results of its research project, the Chairman of FFIEC through the
FFIEC Task Force on Supervision develop plans and a timetable for
the regulators' oversight of third-party firms. To help ensure the
safety and soundness of Internet banking at credit unions, we
recommend that, as work related to the Year 2000 computer problem
diminishes, the Chairman of NCUA expeditiously develop Internet
banking examination procedures and begin to examine Internet
banking-related activities offered by credit unions.

Agency Comments and Our Evaluation

FDIC, FRS, NCUA, OCC, OTS, and FFIEC provided written comments on
a draft of this report, and their comments are reprinted in
appendixes III through VIII. We also received written or oral
technical comments
and suggestions from these agencies that we have incorporated
where appropriate. In general, the five regulators and FFIEC
concurred with the majority of the report's findings, conclusions,
and recommendations. Three specific comments are discussed more
fully below, and other more technical comments are discussed in
the appendixes. In response to our recommendation that it gather
more timely information on institutions' plans to implement
Internet banking, FRS commented that it has enhanced its
monitoring and information gathering efforts through routine
supervisory contacts, on-site examinations, and informal surveys.
The agency also said that it was developing more powerful
automation tools to aid more generally in examination planning,
review, and reporting. However, FRS did not believe it had seen
sufficient evidence on the need for a formal advance notification
procedure or preimplementation regulatory reviews for Internet
banking, which it said our report appeared to favor. We did not
intend to prescribe the specific method(s) for gathering
information on depository institutions' plans to offer Internet
banking and have made some changes to clarify this point in our
report. The report describes two
different methods employed by FDIC and OTS that provide them with
useful information on depository institutions' plans to offer
Internet banking. We continue to believe that implementation of
one of these methods or an alternative method for obtaining
centralized information on depository institutions' plans is
necessary for regulators to (1) enhance monitoring of Internet
banking technological trends and innovations and thus their
ability to assess emerging security and compliance issues; (2)
provide timely and specific risk management guidance to individual
depository institutions, as necessary; and (3) augment the
information used to plan the scope and timing of future
examinations as well as to plan for the availability of examiners
with appropriate information systems expertise. FDIC and OTS also
disagreed with an inference in the report that smaller
institutions were more likely to encounter Internet banking-
related problems. FDIC commented that it had observed numerous
examples of small banks successfully employing sophisticated
technology and believed that it is up to bank management,
regardless of the size of the bank, to properly manage any new
technology. OTS similarly commented that it did not believe that
it is inherently more difficult for smaller banks to properly
manage on-line and Internet banking activities and believed that
such technology should not be exclusively the province of large
institutions. We did not intend to broadly characterize small
banks as being technologically deficient and agree that a bank's
success in managing new technology depends on the strength of its
management. Our review of 81 examinations of on-line banking
assessments showed that examiners found that some small- and
medium-sized depository institutions were not taking all of the
prescribed precautions to mitigate Internet banking risks.
However, the report specifically notes that too few examinations
had been conducted to identify the extent of any industrywide
Internet banking-related problems. Finally, FRS concurred with the
need for the regulators to develop supervisory plans with respect
to outsourcing of Internet banking operations by depository
institutions. However, it commented that it was not clear whether
we were recommending a change in the current policies and
practices regarding interagency examinations of service providers
or some other form of regulatory oversight. Further, FRS stated
that the report provided no evidence of problems at Internet
vendor firms that would indicate the need to expand the
regulators' responsibility to oversee directly all providers of
Internet banking products and services, and it suggested that the
report emphasize that banks, and not bank supervisors, bear the
responsibility for monitoring and overseeing their service
providers. We are encouraged by the
banking regulatory agencies' efforts to conduct a joint research
project designed to develop a greater understanding of the
oversight issues associated with assessments of Internet banking
products and services offered to banks and thrifts by third-party
firms. We believe that joint regulatory examinations of the
operations of third-party firms providing depository institutions'
Internet banking support services could increase the economy and
efficiency of federal oversight of Internet banking activities. In
this regard, our recommendation is intended to ensure that an
interagency strategy, instead of individual agency strategies, is
developed to examine those third-party firms. We also agree with
FRS that banks, and not banking supervisors, are responsible for
overseeing their service providers and have added language to the
report to emphasize the responsibilities of the depository
institutions. However, that does not negate the need for bank
regulatory agencies to exercise proper supervision over Internet
banking activities, whether performed by bank employees on the
bank's premises or by a third-party firm off the bank's premises.
As arranged with your office, unless you announce the contents of
this report earlier, we plan no further distribution until 30 days
after the date of this letter. At that time, we will provide
copies of this report to Representative John J. LaFalce, Ranking
Minority Member of the House Committee on Banking and Financial
Services; the Honorable John D. Hawke, Jr., Comptroller of the
Currency; the Honorable Alan Greenspan, Chairman, Board of
Governors of the Federal Reserve System; the Honorable Donna A.
Tanoue, Chairman, Federal Deposit Insurance Corporation; the
Honorable Norman E. D'Amours, Chairman, National Credit Union
Administration; the Honorable Ellen S. Seidman, Director, Office
of Thrift Supervision; the Honorable Laurence H. Meyer, Chairman,
Federal Financial Institutions Examination Council; and other
interested parties. We will also make copies available to others
on request. This report was prepared
under the direction of Richard J. Hillman, Associate Director,
Financial Institutions and Markets Issues, who may be reached on
(202)-512-8678 if you or your office has any questions. Key
contributors to this assignment are listed in appendix IX.
Sincerely yours,

Nancy R. Kingsbury
Acting Assistant Comptroller General

Contents

Letter 1
Appendix I: Objectives, Scope, and Methodology 32
Appendix II: Banking Regulators Guidance on On-line Banking 35
Appendix III: Comments From the Federal Deposit Insurance
Corporation 37
  GAO Comments 40
Appendix IV: Comments From the Board of Governors of the Federal
Reserve System 41
  GAO Comments 44
Appendix V: Comments From the National Credit Union
Administration 45
  GAO Comments 47
Appendix VI: Comments From the Comptroller of the Currency 48
  GAO Comments 51
Appendix VII: Comments From the Office of Thrift Supervision 52
  GAO Comments 55
Appendix VIII: Comments From the Federal Financial Institutions
Examination Council 56
Appendix IX: GAO Contacts and Staff Acknowledgments 58

Tables

Table 1: The Number and Asset Size of Depository Institutions
Overseen by Banking Regulators, as of June 30, 1998 5
Table 2: On-line Banking-Related Weaknesses in Risk Mitigation
Systems, as Reported in 81 Examinations Completed From June 1997
to August 1998 12
Table II.1: Regulatory Guidance on On-line Banking 35

Abbreviations

FDIC  Federal Deposit Insurance Corporation
FFIEC Federal Financial Institutions Examination Council
FRS   Federal Reserve System
NCUA  National Credit Union Administration
OCC   Office of the Comptroller of the Currency
OTS   Office of Thrift Supervision

Appendix I
Objectives, Scope, and Methodology

Our objectives were to (1) describe risks posed by
Internet banking and any identified industrywide Internet banking-
related problems, (2) assess the methods used by regulators to
track depository institutions' plans to provide Internet banking
services, (3) determine how regulators examined Internet banking
activities, and (4) determine the extent to which regulators
examined firms providing Internet banking support services to
depository institutions. To identify the risks posed by Internet
banking, we interviewed officials from the Federal Deposit
Insurance Corporation (FDIC), Federal Reserve System (FRS), Office
of the Comptroller of the Currency (OCC), Office of Thrift
Supervision (OTS), and National Credit Union Administration
(NCUA). We also obtained and reviewed agency documents, including
advisory guidance provided to the industry and examiners on risks
posed by Internet banking. We also interviewed 8 representatives
from selected small-, medium-, and large-sized depository
institutions and 11 representatives from related third-party firms
to obtain their views on the scope and frequency of examinations
and their assessment of risks posed by Internet banking. We
selected these depository institutions based on their size and
also on the probability that they would offer Internet banking. We
identified the third-party firms from the examinations of Internet
banking that we reviewed. To determine the methods regulators used
to identify depository institutions' plans to offer Internet
banking services and to track growth and technological trends in
Internet banking, we reviewed the five agencies' off-site
monitoring procedures and interviewed their officials about the
requirements each places on the institutions to provide Internet
banking information. We also discussed with FDIC officials both
their database on banks and thrifts with transactional Web sites
and their Electronic Banking Data Entry System. In addition, we
reviewed OTS' recently established requirement on advance notice
of a thrift's plans to implement a transactional Web site. To
understand the regulators' safety and soundness and information
systems on-line banking examination programs, which included
Internet banking, we reviewed the on-line banking examination
policies and procedures from each agency. In addition, we
contacted the banking regulators to obtain their safety and
soundness and information systems examination reports and
workpapers pertaining to on-line banking. Since not all regulators
track examinations of on-line banking operations, we could not
ascertain how many on-line banking examinations had been
conducted. FDIC was the only regulator that was able to tell us
the number of on-line banking examinations it completed during
the period of our review. FRS did not maintain centrally on-line
banking examinations conducted by the various Federal Reserve
districts at the time of our review. As such, FRS officials
directed us to the Reserve Banks, which maintain examination
workpapers and are responsible for scheduling and conducting
examinations. We discussed with the San Francisco District Bank
staff their on-line banking procedures and related examiner
training and obtained copies of examination work papers. We then
contacted the New York District Bank, which was field testing the
on-line banking procedures. To review additional examinations, we
contacted the Atlanta and Kansas City District Banks. OCC was not
able to provide the number of on-line banking examinations
conducted by its district offices. To obtain this information, we
obtained OCC's listing of national banks with electronic
activities and compared the names of the banks on this listing to
a list of information system examinations conducted by OCC
examiners during our review period. For those banks that appeared
on both lists, we then requested a Profile Extract Report for each
bank to determine the scope of examination activities. This method
resulted in our identifying eight examinations with a scope that
included Internet banking. Initially, OTS was also not able to
tell us with certainty the number of on-line banking safety and
soundness and information systems examinations conducted by its
regional offices. To obtain this information, OTS contacted each
office for the information because each office maintains its own
information and determines its own examination schedule. We were
able to identify 81 on-line banking safety and soundness and
information systems examinations conducted during the period June
1997 to August 1998. These examinations consisted of 62 FDIC
examinations, 6 FRS examinations, 8 OCC examinations, and 5 OTS
examinations. We reviewed available on-line banking examinations
using a data collection instrument that allowed us to collect
information on the extent and scope of Internet banking
examinations and any exceptions noted in the workpapers. We then
compiled this information in a database, determined the nature of
the exceptions, and grouped them by type. Because the examination
sample size was small, it was not possible to determine the
adequacy of examination procedures, nor could we make any
statistical generalizations regarding the safety and security of
on-line banking operations. To determine the extent to which
regulators examined third-party firms that provided Internet
banking services to depository institutions, we interviewed
regulatory
officials and examiners involved with the examinations we
reviewed, as well as 11 selected third-party firms. In particular,
we gathered information on the authority regulators have to
examine these third-party firms and the nature and extent of joint
interagency examinations of traditional third-party data
processing firms. With the assistance of our Office of the General
Counsel, we researched the Bank Service Company Act and the
Examination Parity and Year 2000 Readiness for Financial
Institutions Act to determine the regulators' authority to examine
and regulate third-party firms that provide Internet banking
services. Our early work on this assignment focused on PC banking,
which included both direct-dial computer banking systems and
Internet computer banking systems. As our work progressed, it
became evident that institutions were moving from proprietary
direct-dial to Internet banking and that many institutions
initiating on-line banking were offering access via the Internet.
We did our work from April 1998 to May 1999 in Washington, D.C.;
San Francisco, CA; Los Angeles, CA; Atlanta, GA; Kansas City, KS;
and New York, NY, in accordance with generally accepted government
auditing standards.

Appendix II
Banking Regulators Guidance on On-line Banking

Banking regulators have issued guidance to depository institutions
on on-line banking.
The guidance advises depository institutions that, before
implementing on-line banking, including Internet banking,
management should exercise due diligence and develop comprehensive
plans to identify, assess, and mitigate potential risks and
establish prudent controls. Most regulators have also issued
policies and procedures to examiners. Table II.1 lists the
guidance and policies and procedures published by the regulators.
Table II.1: Regulatory Guidance on On-line Banking

FDIC
  February 1997 - Policies and procedures: Electronic Banking
  Safety and Soundness Examination Procedures
  December 1997 - Guidance: Security Risks Associated with the
  Internet
  August 1998 - Guidance: Electronic Commerce and Consumer Policy

FFIEC
  December 1997 - Guidance: Guidance for Financial Institutions on
  Reporting Computer-Related Crimes
  July 1998 - Guidance: Guidance on Electronic Financial Services
  and Consumer Compliance

FRS
  September 1997 - Guidance: Sound Practices Guidance for
  Information Security for Networks
  March 1998 - Policies and procedures: Draft examination module
  on Retail Banking Via Personal Computers
  April 1998 - Guidance: Assessment of Information Technology in
  the Risk-Focused Frameworks for the Supervision of Community
  Banks and Large Complex Banking Organizations

NCUA
  April 1997 - Guidance: Interagency Statement on Retail On-line
  PC Banking

OCC
  February 1998 - Guidance: Technology Risk Management
  August 1998 - Guidance: Technology Risk Management: PC Banking
  August 1998 - Policies and procedures: Draft General PC
  Procedures
  March 1999 - Guidance: Infrastructure Threats From
  Cyber-Terrorists

OTS
  June 1997 - Guidance: Statement on Retail On-line Personal
  Computer Banking
  October 1997 - Policies and procedures: Updated bulletin on
  information technology examination guidelines that include the
  evaluation and control of risks associated with the Internet
  August 1998 - Policies and procedures: Notice of modified
  proposed rulemaking regarding electronic banking operations
  January 1999 - Guidance: Regulation Requiring a Thrift's Written
  Notice Before Establishing a Transactional Web Site

Note: Each entry appeared in either the Guidance or the Policies
and procedures column of the original table, with the other column
marked N/A (not applicable).
Source: GAO analysis of information provided by FDIC, FRS, NCUA,
OCC, and OTS.

Appendix III
Comments From the Federal Deposit Insurance Corporation

Note: GAO comments supplementing those in the report text appear
at the end of this appendix.

[FDIC's letter is reproduced as an image in the original report.
Its margin annotations read: See comment 1. Now on p. 12. See
Comments p. 26. Now on p. 12. See comment 2. Now on p. 16. Now on
p. 18. Now on p. 22. See comment 3.]

GAO Comments

The following are GAO's comments on the Federal Deposit Insurance
Corporation's letter dated June 1, 1999.

1. FDIC said that it understood the scope of our review to include
both PC direct-dial and Internet banking. It suggested that the
evolution
of the report's scope be explained in more detail in the
background section. We further discuss in appendix I why this
report focused on Internet banking instead of reporting on PC
banking which also includes direct dial-up computer banking
systems. 2. FDIC stated that it has taken several additional steps
to address the challenges facing Internet banking supervision,
including developing new procedures, increasing the number of
information systems examiners, and expanding agency training. A
reference to these efforts, which occurred after the completion of
our fieldwork, has been added to this report. 3. FDIC requested
that the report attribute to the specific regulator the statement
that examinations of third-party service providers may be
unnecessary and may create "moral hazard." FDIC said that it did
not agree with the statement because it raised questions about the
need for examinations of third-party providers. While we believe
that regulatory oversight of banking activities outsourced to
third-party firms is essential, we also believe the referred-to
statement reflects a useful observation- that depository
institutions still have the basic responsibility to oversee their
third-party firms. In the report, we have attributed the statement
to FRS officials.

Appendix IV
Comments From the Board of Governors of the Federal Reserve System

Note: GAO comments supplementing those in the report text appear
at the end of this appendix.

[FRS's letter is reproduced as an image in the original report.
Its margin annotations read: See comment 1. See Comments pp.
25-26. See Comments pp. 26-27.]

GAO Comments

The following are GAO's comments on the Board of Governors of the
Federal Reserve System's letter dated June 11, 1999.

1. FRS agreed with our recommendation on sharing of experience and
expertise and added
that FFIEC member agencies have traditionally developed
coordinated procedures and guidance in the information technology
area. While our recommendation did not specifically address the
mechanism to be used to share experience and expertise, we agree
with FRS' suggestion that having FFIEC member agencies develop
coordinated examination procedures and guidance would be one way
to do this. Such interagency coordination could not only develop a
more effective and efficient oversight program but also provide
common guidance to the industry.

Appendix V
Comments From the National Credit Union Administration

Note: GAO comments supplementing those in the report text appear
at the end of this appendix.

[NCUA's letter is reproduced as an image in the original report.
Its margin annotations read: See comment 1. See comment 2. See
comment 3. Now on p. 3, 2nd paragraph. See comment 4. Now on p. 5,
2nd paragraph. See comment 5. Now on p. 9, 4th paragraph. See
comment 6.]

GAO Comments

The following are GAO's comments on NCUA's letter dated June 3,
1999.

1. NCUA commented that the draft of this report did not recognize
the agency's on-line banking training in 1997 and 1999. The draft
report did mention NCUA's 1997 training. We have added language to
this report to recognize NCUA's planned training in 1999. 2. NCUA
commented that the draft of this report did not recognize its
development of a draft Electronic Financial Services
Questionnaire. We did not specifically mention the questionnaire
because it was included in the white paper on "cyber credit union
services" that was mentioned in the draft report. 3. NCUA
commented that the draft of this report did not recognize its
creation of three information systems officer positions. We have
added a discussion of these positions to this report. 4. While
stating that the agency did not have formalized examination
procedures specifically tailored to Internet banking, NCUA
commented that the report should recognize that examiners did
review Internet banking processes when they became aware of a
credit union's Internet banking program. In the report we state
that each of the regulators had policies requiring examiners to
determine how various existing or emerging issues facing an
institution or the banking industry affected the nature and extent
of risks at particular institutions. Since NCUA lacked Internet
examination policies and procedures and its examiners lacked
training in Internet risks and mitigation controls, we do not
believe that NCUA's approach adequately addresses the Internet
banking risks facing credit unions. 5. NCUA commented that the
draft of this report should be expanded to recognize its work with
state regulators. We have made this change. 6. NCUA commented that
the report seems to imply that guidance initiated to date by
regulators is missing the mark. We did not intend to imply this.
To the contrary, as NCUA said, regulatory guidance to the entire
industry on risks posed by Internet banking is a necessary first
step. However, as noted in a later section of the report, we
encourage regulators to take the next step, which is to work with
individual institutions that examiners find are not sufficiently
prepared to mitigate risks posed by Internet banking.

Appendix VI
Comments From the Comptroller of the Currency

Note: GAO comments supplementing those in the report text appear
at the end of this appendix.

[OCC's letter is reproduced as an image in the original report.
Its margin annotation reads: See Comment 1.]

GAO Comments

The following are GAO's comments on the Office of the Comptroller
of the Currency's letter dated June 3, 1999.

1. While stating that the agency did not collect information
centrally for banks
planning to offer Internet banking or require advance
notification, OCC commented that it does conduct a quarterly
review of a bank's risk profile, which would include significant
changes in bank products or services. According to OCC's guidance
to examiners, examiners are to assess the overall condition and
risk profile of the bank, but they need not answer or complete
optional steps. Assessing changes in technology, such as Internet
banking, is an optional step in the guidance. OCC's efforts to use
other methods to collect information on a bank's Internet banking
plans will enhance information gathered during its quarterly
reviews and achieve the intent of our recommendation. Page 51
GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VII
Comments From the Office of Thrift Supervision Note: GAO comments
supplementing those in the report text appear at the end of this
appendix. Page 52 GAO/GGD-99-91 Enhancing Oversight of Internet
Banking Appendix VII Comments From the Office of Thrift
Supervision Now on pp. 2 and 15. See comment 1. Now on pp. 6 and
7. See comment 2. Now on pp. 11 and 12. See Comments p. 26. Now on
pp. 15 and 16. See comment 3. Page 53
GAO/GGD-99-91 Enhancing Oversight of Internet Banking Appendix VII
Comments From the Office of Thrift Supervision Now on p. 18. See
comment 4. Page 54 GAO/GGD-99-91
Enhancing Oversight of Internet Banking Appendix VII Comments From
the Office of Thrift Supervision The following are GAO's comments
on OTS' letter dated June 3, 1999. 1. OTS commented that the draft
of this report did not include information GAO Comments on its
Web site reporting requirement and the agency's national database.
We added language to this report discussing both points. 2. OTS
commented that the draft of this report did not discuss compliance
examinations that are conducted to assess an institution's
compliance with consumer protection laws and regulations. We have
added to this report a discussion of compliance examinations. 3.
OTS referred to a section of the report that discusses after-the-
fact methods used by other regulators to obtain information that
OTS gathers through its advance notice requirement. OTS commented
that it was proactively supervising thrifts as evidenced by its
thrift notice requirement. We agree and believe that the report
clearly reflects that. 4. OTS commented that the draft of this
report suggested that the agency only examined Internet banking
activities through its safety and soundness examination program.
We added language to this report discussing compliance
examinations. We also have added language to clarify that we are
referring to safety and soundness and information systems
examinations. Page 55 GAO/GGD-99-91
Enhancing Oversight of Internet Banking Appendix VIII Comments
From the Federal Financial Institutions Examination Council Page
56 GAO/GGD-99-91 Enhancing Oversight of Internet Banking
Appendix VIII Comments From the Federal Financial Institutions
Examination Council Page 57 GAO/GGD-99-91
Enhancing Oversight of Internet Banking Appendix IX GAO Contacts
and Staff Acknowledgments Richard J. Hillman, (202) 512-8678 GAO
Contacts Kane Wong, (415) 904-2123 In addition to those
named above, Abiud Amaro, Bruce Engle, Robert Acknowledgments
Pollard, Nolani Traylor, and Karen Tremba made key contributions
to this report. Page 58 GAO/GGD-99-91
Enhancing Oversight of Internet Banking Page 59 GAO/GGD-99-91
Enhancing Oversight of Internet Banking Page 60 GAO/GGD-99-91
Enhancing Oversight of Internet Banking Ordering Information The
first copy of each GAO report and testimony is free. Additional
copies are $2 each. Orders should be sent to the following
address, accompanied by a check or money order made out to the
Superintendent of Documents, when necessary. VISA and MasterCard
credit cards are accepted, also. Orders for 100 or more copies to
be mailed to a single address are discounted 25 percent. Order by
mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC
20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts.
NW) U.S. General Accounting Office Washington, DC Orders may also
be placed by calling (202) 512-6000 or by using fax number (202)
512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of
newly available reports and testimony. To receive facsimile copies
of the daily list or any list from the past 30 days, please call
(202) 512-6000 using a touch-tone phone. A recorded menu will
provide information on how to obtain these lists. For information
on how to access GAO reports on the INTERNET, send e-mail message
with "info" in the body to: [email protected] or visit GAO's World
Wide Web Home Page at: http://www.gao.gov United States General
Accounting Office Bulk Rate Washington, D.C. 20548-0001
Postage & Fees Paid GAO Permit No. G100 Official Business Penalty
for Private Use $300 Address Correction Requested (233562)
*** End of document. ***