27 February 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

Electronic Banking: Experiences Reported by Banks in Implementing On-line Banking (Letter Report, 01/15/98, GAO/GGD-98-34).

Pursuant to a congressional request GAO reviewed: (1) the channels used to deliver online banking services; (2) the reasons for implementing online banking; (3) whether online banking met or exceeded expectations; and (4) the electronic links that banks had with other payment systems.

GAO noted that:
(1) as of June 1997, an estimated 7 percent of U.S. banks offered online banking services, which most typically allow customers to access account information and transfer funds between their accounts;
(2) on the basis of plans reported to GAO by surveyed banks, GAO projected rapid growth in online banking over the next year and a half as the number of U.S. banks implementing online systems is expected to increase about fivefold nationwide;
(3) bank officials identified three primary reasons for their banks' offering online banking: keeping existing customers, remaining competitive, and attracting new customers;
(4) officials of 170 of the 185 surveyed banks offering online services said their online banking systems had met or exceeded their expectations;
(5) although an estimated 47 percent of U.S.
banks reported that they expect to offer online banking services by the end of 1998, introduction of this technology brings with it some attendant risks;
(6) responses from 93 of the banks GAO surveyed indicated that some had not performed risk assessments, which can serve as a tool to protect the integrity, confidentiality, and availability of their online operations;
(7) although 65 of the banks responded that their banks had assessed the potential risk exposure of their systems, 12 banks reported that they had not assessed these types of security risks, and another 16 banks said that they did not know if they had assessed such risks;
(8) risk assessments are an important step in protecting an online system so that appropriate controls can be implemented to mitigate risks;
(9) although many of the 93 banks that responded to this question reported they had implemented controls to prevent unauthorized access to their online systems, 9 banks said they lacked firewalls for restricting access between computer networks;
(10) 10 banks reported that they did not have such basic security features as detection software for computer viruses and worms;
(11) many of the 93 banks that responded indicated they had experienced lapses in service, security problems, or system operation difficulties; and
(12) with the projected rapid growth in online banking, it is important that banks take those steps necessary to ensure they protect their online banking operations.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  GGD-98-34
     TITLE:  Electronic Banking: Experiences Reported by Banks in Implementing On-line Banking
      DATE:  01/15/98
   SUBJECT:  Electronic funds transfer
             Financial institutions
             Clearinghouses (banking)
             Computer security
             Bank management
             Internal controls
             Computer software
IDENTIFIER:  Fedwire
Cover
================================================================ COVER

Report to the Chairman, Committee on Banking and Financial Services, House of Representatives

January 1998

ELECTRONIC BANKING - EXPERIENCES REPORTED BY BANKS IN IMPLEMENTING ON-LINE BANKING

GAO/GGD-98-34

Electronic Banking

(233501)

Abbreviations
=============================================================== ABBREV

CHIPS - Clearing House Interbank Payment System
FBI - Federal Bureau of Investigation
FDIC - Federal Deposit Insurance Corporation
FRS - Federal Reserve System
OCC - Office of the Comptroller of the Currency
OTS - Office of Thrift Supervision
S.W.I.F.T. - Society for Worldwide Interbank Financial Telecommunications

Letter
=============================================================== LETTER

B-275222

January 15, 1998

The Honorable James A.
Leach
Chairman, Banking and Financial Services Committee
House of Representatives

Dear Mr. Chairman:

Information technology has increased the ability of bank customers to review their account balances, pay bills, or transfer funds between accounts while at home or work. This growing accessibility of on-line banking services through computers with direct dial-up or Internet connections, however, has led to heightened concerns about the vulnerability of bank and electronic payment systems. Accordingly, you requested that we examine the extent of on-line banking, federal regulatory efforts pertaining to on-line banking, and any problems posed by on-line banking for the security of Fedwire.\1 As agreed with your office, we are studying these issues under separate reviews. This report summarizes the results of the first of these reviews, which addressed our objectives of identifying (1) the number of banks and thrifts (referred to as banks in this report) that reported they offer or plan to offer on-line banking and the types of services they reported\2 and (2) experiences reported by banks in implementing their on-line banking systems as well as efforts to mitigate associated risks. Our subsequent review will examine federal regulatory efforts pertaining to on-line banking and the security of Fedwire.

To gather this information, we surveyed 349 banks from May 1997 to June 1997, which included 219 banks that available information suggested were offering on-line banking services and 130 banks selected at random from the remaining banks in the United States. (See app. I for our telephone survey instrument.) We used this information to project to the total population of U.S. banks in two instances: (1) the number of banks offering and planning to offer on-line banking and (2) the number of banks offering specific types of on-line banking services. In conducting our survey, we found that 185 of the banks were providing on-line banking services.
We also found that many of the banks providing on-line banking were affiliated and that a single official was able to provide on-line banking information on more than one bank in our survey. Hence, 93 bank officials provided certain information on 185 banks offering on-line banking. Information provided on the 185 banks allowed us to determine (1) the channels used to deliver on-line banking services, (2) the reasons for implementing on-line banking, (3) whether on-line banking met or exceeded expectations, and (4) the electronic links that banks had with other payment systems. Certain information obtained from these 93 officials was limited to the banks that they directly represented. Specifically, we collected information for 93 banks on (1) problems experienced, (2) risk identification, and (3) risk mitigation efforts.

We also interviewed information security experts and federal agency and banking regulatory officials to identify potential risks and problems associated with on-line banking as well as basic security features that could help prevent such problems. In addition, we reviewed relevant technical literature and documents pertaining to these issues. We did not attempt to determine the effectiveness of security measures adopted by banks to prevent on-line banking-related problems, nor did we verify the information they provided. (See app. II for our detailed objectives, scope, and methodology.)

Our review was conducted between October 1996 and October 1997 in accordance with generally accepted government auditing standards.

We provided a draft of this report to the Federal Reserve System (FRS), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and the Department of Justice for comment. The four regulatory agencies' written comments are discussed at the end of this letter and are reprinted in appendixes III through VI.
The Department of Justice's Federal Bureau of Investigation (FBI) provided technical comments, which we incorporated, where appropriate.

--------------------
\1 Fedwire is one of the nation's primary electronic funds transfer systems. Its network is used by participating banks to transfer the payments banks make to each other and their customers within the United States.

\2 For this study, a bank was considered to offer on-line banking if its customers, either retail or corporate, had access to bank services through computers equipped with dial-up or Internet access. Banks were not considered to offer on-line banking if they established Web pages on the World Wide Web solely to provide information on bank services and products.

RESULTS IN BRIEF
------------------------------------------------------------ Letter :1

As of June 1997, we projected that an estimated 7 percent of U.S. banks (±3 percent sampling error\3) offered on-line banking services, which most typically allow customers to access account information and transfer funds between their accounts. On the basis of plans reported to us by surveyed banks, we projected rapid growth in on-line banking over the next year and a half as the number of U.S. banks implementing on-line systems is expected to increase about fivefold nationwide. Bank officials identified three primary reasons for their banks' offering on-line banking: keeping existing customers, remaining competitive, and attracting new customers. Officials of 170 of the 185 surveyed banks (92 percent) currently offering on-line services said their on-line banking systems had met or exceeded their expectations. Although an estimated 47 percent of U.S. banks (±15 percent) reported that they expect to offer on-line banking services by the end of 1998, introduction of this technology brings with it some attendant risks.
Responses from 93 of the banks we surveyed indicated that some had not performed risk assessments, which can serve as a tool to protect the integrity, confidentiality, and availability of their on-line operations. Although 65 of the banks (70 percent) responded that their banks had assessed the potential risk exposure of their systems, 12 banks (13 percent) reported that they had not assessed these types of security risks, and another 16 banks (17 percent) said they did not know if they had assessed such risks. Risk assessments are an important step in protecting an on-line system so that appropriate controls can be implemented to mitigate risks.

Although many of the 93 banks that responded to this question reported they had implemented controls to prevent unauthorized access to their on-line systems, 9 banks (10 percent) said they lacked firewalls for restricting access between computer networks. Ten banks (11 percent) reported that they did not have such basic security features as detection software for computer viruses and worms. Many of the 93 banks that responded indicated they had experienced lapses in service (38 percent), security problems (30 percent), or system operation difficulties (36 percent). With the projected rapid growth in on-line banking, it is important that banks take those steps necessary to ensure they protect their on-line banking operations.

--------------------
\3 All of the projected estimates made in this report have sampling errors which are calculated at the 95 percent confidence level.

BACKGROUND
------------------------------------------------------------ Letter :2

Banks have provided electronic banking services to customers for a number of years using such familiar access devices as telephones and automated teller machines. Corporate customers also have had access to on-line banking features by dialing into a bank's system using proprietary software.
More recently, retail customers have been able to access their bank accounts from computers in their homes or workplaces by connecting to on-line banking systems. Such systems offer services that enable individuals or businesses to verify their account balances, apply for loans, authorize bill payments, or transfer funds between their accounts and from other banks. Some on-line banking systems also let customers reorder checks, review their account histories, stop check payments, or facilitate wire transfers.

Customers with computer modems can access their banks' on-line banking computer systems in one of several ways. Some of them can use banking software installed on their personal computers, local area networks, or mainframe computers to connect to the banks' on-line banking systems. Other customers may be able to access their banks' on-line banking systems by dialing into an Internet service provider and accessing the banks' World Wide Web\4 sites. Banks may operate their on-line banking systems in-house or contract out the operation of these systems to third-party vendors.

After connecting to an on-line banking system, a customer generally enters a personal identification number and a password. Typically, customers must go through this step to identify themselves every time they sign on to the on-line banking system. According to bank officials, once customers have confirmed that they are legitimate account holders, they can proceed to use their computers to initiate the desired transactions, and the on-line banking system processes and routes the transaction data as needed to carry it out.

--------------------
\4 The World Wide Web is a portion of the Internet through which information is exchanged via text, graphics, audio, and video that can be accessed with the use of a browser or search engine software.
NUMBER OF BANKS IMPLEMENTING ON-LINE BANKING SYSTEMS GROWING RAPIDLY
------------------------------------------------------------ Letter :3

Our survey results indicated that the number of banks implementing on-line banking systems is planned to grow about fivefold by December 1998. We estimate that about 770 banks, or 7 percent (±3 percent) of the approximately 10,520 banks active in the United States at the time of our survey, had implemented on-line banking as of June 1997. According to the responses to our survey results, an estimated 4,990 banks, or about 47 percent (±15 percent) of the banks in the United States, plan to offer some type of on-line banking service to their customers by the end of 1998. This estimate of 4,990 banks includes the 770 banks offering on-line services in June 1997 as well as 4,220 banks projected to begin offering such services by December 1998 (see fig. 1).

Figure 1: Projected Rapid Growth of On-line Banking Between June 1997 and December 1998

(See figure in printed edition.)

Note 1: The above numbers do not include banks establishing Web pages on the World Wide Web solely to provide information on bank services and products, rather than to allow customers to access banking services.

Note 2: The sampling error for the estimate of banks currently offering on-line banking is ±3 percent. Sampling errors for the other two estimates (4,220 and 4,990) are both ±15 percent.

Source: GAO analysis of survey results.

Although U.S. banks offer a wide range of services on-line, reviews of account information and funds transfers between a customer's accounts were the most common services reported to be available to bank customers at the time we conducted our survey in June 1997. Our analysis indicated that over 99 percent (±1 percent) of the estimated 770 banks offering on-line banking allowed their customers to check their balances, and the same percentage allowed customers to transfer funds between their own accounts.
In comparison, 54 percent (±24 percent) of these banks reported allowing their customers to transfer funds to other banks (see table 1).

Table 1: Projected On-line Banking Services Offered by Banks as of June 1997

                                             Weighted estimate of
                                             banks saying "yes"
                                             ---------------------
Services                                       Percent     Number
-------------------------------------------- ----------- ---------
Review account balance                            99%        768
Transfer funds between customer's accounts        99         762
Bill payment                                      37         281
Transfer funds to other banks                     54         413
Accept loan applications                          14         106
Other\a                                           64         496
----------------------------------------------------------------------

Note 1: Based on GAO's estimate that 770 banks offered on-line banking as of June 1997.

Note 2: Sampling errors by offered services are: review account balance (<1 percent), transfer funds between customer's accounts (<1 percent), bill payment (±19 percent), funds transfers to other banks (±24 percent), accept loan applications (±7 percent), and other (±22 percent).

\a Other on-line services included check reordering and stop check payment orders.

Source: GAO analysis of survey results.

As part of our survey, we asked officials from all 185 banks we surveyed that reported offering on-line banking for more detailed information on the channels they used to deliver on-line services. Their survey responses indicated that most banks used software that enables customers to directly connect to the banks' own on-line systems or a vendor's system. Of the 185 banks, 116 (63 percent) reported using software that provides for a direct connection to a vendor's system, and 79 (43 percent) reported using software that allowed customers to directly connect to their banks' on-line computer systems. More than half of the banks reported they offered on-line banking by allowing customers to connect with their on-line systems through the Internet (see table 2).
Table 2: Surveyed Banks Reporting Use of Various Delivery Channels for Their On-line Banking Operations

Delivery channel                                      Percent    Number
----------------------------------------------------- ---------- ----------
Direct connection                                        91%       168
  Personal computer banking software allowing for        63        116
  direct dial-in to on-line banking system operated
  by third-party vendor
  Personal computer banking software allowing for        43         79
  direct dial-in to bank's on-line banking system
Internet                                                 54        100
  Internet Web site maintained by bank, third-party      49         91
  vendor, or affiliated bank
  Internet service provider (e.g., Prodigy,              31         57
  America OnLine)
----------------------------------------------------------------------

Note 1: Banks may use more than one delivery channel in offering on-line services.

Note 2: Based on information for 185 banks.

Source: GAO analysis of survey results.

We also asked officials who represented the 185 banks that reported offering on-line banking for their reasons for implementing their on-line banking systems. Key reasons bank officials cited for their banks' decisions to offer on-line banking involved the intention to remain competitive with other banks, retain customers, attract new customers, reduce operating expenses, or generate fee income. Although 133 banks (72 percent) indicated they implemented on-line banking to retain customers, two other motivating factors--remaining competitive and attracting new customers--were cited almost as often. Other motivating factors, such as keeping up with banking technologies and the desire to offer customers alternative delivery channels, were cited by some banks (see fig. 2).

Banks planning to offer on-line banking responded similarly to questions about motivating factors. Among the 36 banks planning to implement on-line banking by December 1998, the desires to remain competitive and to retain their customers were the most frequently cited motivating factors.
Figure 2: Reasons Cited by Surveyed Banks for Implementing On-line Banking

(See figure in printed edition.)

Note: Based on information for 185 banks.

Source: GAO analysis of survey results.

Survey responses for 185 banks indicated that their on-line banking systems generally met or exceeded their expectations (see table 3). Half of the banks reported that their expectations were met, and another 77 banks (42 percent) said that their expectations were exceeded. Bank officials commonly reported that customer usage of on-line banking systems met or surpassed initial targets. One bank official told us that about 400 new employees were hired to meet the customer demand for on-line banking. In a few instances, banks' experiences fell short of expectations. In one case, a bank official told us that customer use was much lower than expected. The official said that the rural location of the bank may have been a contributing factor.

Table 3: Extent to Which Surveyed Banks That Reported On-line Banking Said Their Expectations Were Met

Expectations                 Percent    Number
---------------------------- ---------- ----------
Exceeded                        42%        77
Met                             50         93
Fell short                       3          6
Too early to tell                4          7
Don't know                       1          2
----------------------------------------------------------------------

Note: Based on information for 185 banks.

Source: GAO analysis of survey results.

SOME BANKS THAT REPORTED OFFERING ON-LINE BANKING SAID THEY DID NOT CONDUCT RISK ASSESSMENTS
------------------------------------------------------------ Letter :4

On-line banking presents a wide range of potential risks, according to information security experts and banking regulators. On-line banking can expose bank and customer information and transactions to risks from electronic interception, data corruption, or fraud because of the widespread access characterizing these systems.
An important step in ensuring the integrity of an on-line system is ascertaining the vulnerabilities and threats potentially affecting individual on-line systems and establishing compensating internal controls to mitigate risks. Accordingly, information security experts and federal banking regulators suggest that banks analyze risks associated with their on-line banking systems and evaluate whether their security policies protect the integrity, confidentiality, and availability of their on-line operations and are capable of limiting or mitigating identified risks.\5

Information security experts and federal regulators stated that although risk assessments specific to on-line banking are not a federal banking requirement, such assessments are a useful tool for identifying, measuring, monitoring, and managing potential risks. Assessments can help banks evaluate the seriousness of such potential problems as viruses, unauthorized access into banking systems, and lost transactions.

Our survey results indicated that 54 of the 93 banks (58 percent) that reported having on-line systems had conducted formal risk assessments of their on-line banking systems. However, 12 banks (13 percent) said they had not performed such assessments. Another 16 banks (17 percent) did not know if they had performed risk assessments of their on-line banking systems. The remaining 11 banks (12 percent) reported holding limited or informal discussions about potential risks of on-line banking. Two bank officials we interviewed explained that their banks did not perform a risk assessment because the latest industry information their banks had obtained on the security of on-line banking systems suggested that such systems were secure.
To help prevent unauthorized access to on-line banking systems, information security experts and regulatory officials emphasize the importance of banks' implementing mitigating controls, such as restrictions on access, secure firewalls that restrict access between computer networks, intrusion detection software, and tests of on-line banking system vulnerability. The risk mitigation process can be used to not only identify controls necessary to protect an on-line system, but also to weigh the cost of implementing controls against their benefits. The Federal Reserve Bank of New York notes that the level of protection of an Internet site should be commensurate with the degree of risk associated with the level of services offered and the value of assets at risk. For example, the cost of implementing strong authentication controls, through techniques such as digital signatures, would tend to be more appropriate for a bank that offers extensive on-line banking services, such as bill payment and funds transfers to other banks, than for a bank that limits its on-line banking services to the review of account balances.

--------------------
\5 The Federal Reserve System and the Office of Thrift Supervision have indicated that they expect financial institutions that provide services over the Internet to analyze risks related to the security of customer information and other data and to use the results of their risk analyses to make appropriate modifications to their on-line systems and implement necessary controls and monitoring tools to mitigate risks.

SOME BANKS REPORTED PROBLEMS WITH THEIR ON-LINE BANKING SYSTEMS
------------------------------------------------------------ Letter :5

For the 93 banks that they directly represented, we asked bank officials for information on the types of problems they had experienced with their systems, whether other banking systems were connected to their systems, and the types of controls they had in place to mitigate risks.
Many of the 93 reported that they had experienced service availability lapses (38 percent), security problems (30 percent), or operational problems (36 percent) with their systems (see table 4). We could not assess the significance or underlying causes of these apparent problems because we did not examine individual banks' systems and processes. Moreover, we did not determine the appropriateness of a bank's mitigating features, which could vary depending on the complexity of the on-line banking system as well as the types of services offered.

Table 4: Extent to Which Banks Reported Various On-line Banking Problems

Problems                                                  Percent   Number
--------------------------------------------------------- --------- --------
======================================================================
Service availability difficulties                            38%      35
  Denial/disruption of system                                35       33
  Difficulties in tracking on-line banking transactions       4        4
  as transmission volume increases
======================================================================
Security difficulties                                        30       28
  Unauthorized access attempts\a                             19       18
  Transactions lost during transmission                      15       14
  Proving valid customers are using on-line banking           4        4
  system
  Employee sabotage of on-line banking system\b               1        1
  Theft of PINs or passwords                                  1        1
  Viruses and worms\c                                         1        1
======================================================================
Operational difficulties                                     36       33
  Upgrade or replacement of software                         22       20
  Staffing & training                                        29       27
======================================================================
Other difficulties\d                                         22       20
----------------------------------------------------------------------

Note 1: The list of problems is not comprehensive, and some reported problems could be classified under more than one category.

Note 2: Based on information from 93 banks.

\a Only 1 of the 93 banks reported an instance of successful unauthorized entry into its on-line banking system.
\b According to the National Institute of Standards and Technology, examples of computer-related employee sabotage include theft of customer data, destruction of hardware, incorrect data entry, and deletion or alteration of data.

\c A virus is a computer program that replicates itself by attaching copies of itself to existing computer programs. The new copy of the virus is executed when a user loads a program or opens an electronic mail message attachment. A worm, which does not require a host program, is a self-replicating computer program that commonly uses network systems to propagate to other host systems.

\d Other problems reported by bank officials include software or hardware not working as designed and customers attempting to fraudulently transfer funds between their accounts.

Source: GAO analysis of survey results.

SERVICE AVAILABILITY PROBLEMS
---------------------------------------------------------- Letter :5.1

One category of on-line banking problems reported by banks involved lapses in the availability of services. Thirty-three of the 93 banks (35 percent) reported that their on-line banking systems had experienced service availability problems involving the denial or disruption of service (see table 4). Such problems frequently can be caused by a breakdown in the hardware or software supporting the system, which in turn may be the result of a design defect, insufficient system capacity, or a mechanical breakdown. Almost half of the 33 banks that reported experiencing denial or disruption of service indicated that some type of damage resulted, such as loss of customer confidence or customers closing their accounts.

Banks should be able to prevent or at least partly mitigate service availability problems by monitoring vendor systems and by adopting emergency or contingency plans, which are designed to allow banks to continue their on-line banking operations after a system failure.
Forty-one of the 58 surveyed banks (71 percent) that relied on vendors to operate their on-line systems said that they monitored vendor systems as a mitigation measure. Two of the 58 banks (3 percent) said that they request certifications or guarantees from vendors that proper controls are in place to mitigate potential risks. A few other banks that reported they did not monitor their vendors' systems said that they relied on the vendors to ensure that emergency or contingency plans were in place to guard against, among other things, lapses in the availability of services. Seventy-nine of the 93 banks (85 percent) we surveyed said they had emergency or contingency plans in place (see table 5).

Table 5: Percent of 93 Banks That Reported Having Implemented Various Features Designed to Mitigate Problems

                                                                   Don't   Not
Problem                  Mitigating feature in place     Yes   No  know    applicable
------------------------ ------------------------------- ----- --- ------- ----------
Unauthorized access      Access restricted after at      89%   7%  4%
attempts                 least 3 failed entry attempts
                         Firewalls in place\a            79    10  12
                         Intrusion detection software    45    23  32
                         Penetration testing             51    27  23
Staffing and training    On-line banking guidelines      88    9   3
                         established
                         On-line banking training        96    1   3
                         provided
Denial/disruption of     Emergency or contingency        85    11  4
service                  plans\b
                         Bank oversight of vendor\c      44    10  9       38%
Employee sabotage        Separation of system control    86    5   8       1
                         duties
Viruses and worms        Detection software              70    11  18      1
Transactions lost during Audit logs and/or reports       90    4   5
transmission             generated
Difficulty in tracking   Audit logs routinely reviewed   85    5   0       10
on-line banking
transactions as volumes
increase
Outdated software        Software update control         66    15  7       13
                         program
Theft of PINs or         Codes or encryption used        83    9   9
passwords
Proving authorized       Digital signature\d             8     81  12
customers are using
on-line banking systems
--------------------------------------------------------------------------------

Note 1: Based on information from
93 banks. Note 2: Row percentages do not always sum to 100 due to rounding. Note 3: This table contains examples of features that banks can use to mitigate potential problems and is not meant to be an all-inclusive list. \a Fifty-five of the 73 survey banks (75 percent) that had firewalls reported that their firewalls distinguished among customers, vendors, and/or internal systems. \b Emergency or contingency plans can be used to respond to natural disasters, acts of terrorism, sabotage, or power disruptions of an electronic banking system. \c The percentages for this mitigation feature were calculated on the basis of the responses of the 58 surveyed banks that provided their on-line banking services through third-party vendors. \d Digital signatures are generally recognized as being a more secure and sophisticated authentication method than personal identification numbers and passwords. Source: GAO analysis of survey results. SECURITY PROBLEMS ---------------------------------------------------------- Letter :5.2 Of the 28 surveyed banks that reported experiencing security problems, almost two-thirds involved attempts at unauthorized access (see table 4). Experts described a number of methods that can be used to try to gain unauthorized entry for illicit purposes. For instance, personal computer banking software may be taken apart to find its vulnerabilities or may be used to access the bank system to decipher the bank's payment protocol. Another method involves the use of devices to capture bank information as it travels across telecommunication lines. Two of the 18 banks that reported there had been attempts at unauthorized access could not tell us how many attempts had been made on their systems, because they did not have systems in place for monitoring such attempts. However, 1 bank reported that up to 50 attempts at unauthorized access had been made on its system. One bank we surveyed reported a successful unauthorized access into its internal systems. 
The number of successful unauthorized access attempts involving the banking industry has been difficult to determine. According to the FBI, cross-industry sector surveys indicate that the number of computer intrusions and the amount of financial losses resulting from those intrusions are rapidly increasing. Although segments of the financial services industry are included in many of these studies, none focus solely on financial institutions or the banking industry. Nonetheless, an FBI official told us that he knew of many alleged attempts at unauthorized entry into on-line banking systems. However, the FBI has not been able to substantiate through the banking industry or other intelligence sources whether successful unauthorized entries are actually occurring. He attributed the difficulty his agency and others have had confirming whether unauthorized entries are occurring to various factors, including banks' reluctance to disclose unauthorized entry incidents, the inability of banks to detect or recognize such incidents, and the lack of a separate category for banks to report successful or attempted unauthorized entries on the forms required to be filed on known or suspected violations of federal criminal law.

To improve the reporting of computer-related crimes, the FBI, working with the federal banking agencies and other federal law enforcement agencies, recently issued guidance providing further definitions and specific examples for financial institutions to assist them in reporting unauthorized computer entries.

Eighty-three of the banks (89 percent) we contacted reported that they restricted access after three unsuccessful entry attempts into their systems (see table 5). Although 73 of the 93 banks (79 percent) indicated that either their systems or the vendors' systems had firewalls in place, 12 of the 73 (16 percent) reported that their firewalls did not distinguish among customers, vendors, and/or internal systems.
Fewer of the banks reported that they had conducted vulnerability tests or had installed intrusion detection software. Twenty-five of the 93 banks (27 percent) reported that tests were not performed to see whether their on-line systems were subject to penetration. Fewer than half said that intrusion detection software was in place.

Problems involving transactions that were lost by the bank or by the vendor operating the bank's on-line banking system reportedly occurred less frequently than unauthorized access attempts. Fourteen of the 93 banks (15 percent) indicated that on-line banking transactions have been lost (see table 4). Officials reported a variety of reasons for these losses, such as customers not knowing how to use their on-line banking software and system failures. One bank official told us that lost transactions had led to a financial loss, and two others reported reduced customer confidence in the banks' on-line systems as a consequence.

To help prevent losses of on-line banking transactions, Federal Deposit Insurance Corporation guidelines and security experts recommend that audit logs and reports be generated and subsequently routinely reviewed. Monitoring these reports can provide bank officials with an indication of problems requiring their attention, according to security experts. As shown in table 5, 79 of the 93 banks (85 percent) reported that audit reports were both generated and routinely monitored.

Some federal agencies and information security experts have pointed out that unauthorized entries into a bank's on-line banking system can also entail risks for other financial institutions with which the bank has electronic links. They point out that an individual gaining access into one bank's system could potentially also gain access to other systems for illicit purposes if the bank's on-line banking system is electronically linked to other financial institutions and computer systems.
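Two of the mitigating features discussed above, restricting access after three failed entry attempts and generating audit logs that are then routinely reviewed, are easier to reason about when seen working together. The following is an added illustration written for this page; it is not software from any surveyed bank or vendor. The threshold of three attempts comes from table 5; the 30-minute lockout period, the log line format, the customer identifiers and the sequence of attempts are all constructed assumptions.

```python
"""Lockout after three failed entry attempts, plus the audit log review the
report recommends.  Illustrative code added for this page; it is not software
from any surveyed bank or vendor.  The threshold comes from table 5; the
lockout period, log format and sample customers are constructed assumptions."""
import hmac
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                   # "access restricted after at least 3 failed entry attempts"
LOCKOUT_PERIOD = timedelta(minutes=30)    # assumed duration; the report names none


class FakeClock:
    """Deterministic clock for the example: advances one second per login."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        self.now += timedelta(seconds=1)
        return self.now


class OnlineBankingAuth:
    """Counts failed entries per customer, locks the customer out once the
    threshold is reached, and writes one audit log line per decision."""

    def __init__(self, credentials, clock):
        self._credentials = credentials    # {customer_id: secret}; constructed sample
        self._failed = defaultdict(int)
        self._locked_until = {}
        self._clock = clock
        self.audit_log = []                # "timestamp customer=... event=..." lines

    def _record(self, now, customer_id, event):
        self.audit_log.append(f"{now.isoformat()} customer={customer_id} event={event}")

    def login(self, customer_id, secret):
        now = self._clock()
        locked_until = self._locked_until.get(customer_id)
        if locked_until is not None and now < locked_until:
            # Even a correct secret is refused while the lockout is in force.
            self._record(now, customer_id, "REJECTED_LOCKED")
            return False
        stored = self._credentials.get(customer_id, "")
        if stored and hmac.compare_digest(stored, secret):   # constant-time comparison
            self._failed[customer_id] = 0                     # success resets the counter
            self._record(now, customer_id, "LOGIN_OK")
            return True
        self._failed[customer_id] += 1
        self._record(now, customer_id, "LOGIN_FAILED")
        if self._failed[customer_id] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[customer_id] = now + LOCKOUT_PERIOD
            self._failed[customer_id] = 0
            self._record(now, customer_id, "LOCKED_OUT")
        return False


def review_audit_log(lines):
    """Routine review of the audit log: tally events per customer and return
    the customers who were locked out or kept trying while locked out."""
    per_customer = defaultdict(Counter)
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        per_customer[fields["customer"]][fields["event"]] += 1
    return {cust: dict(counts) for cust, counts in per_customer.items()
            if counts["LOCKED_OUT"] or counts["REJECTED_LOCKED"]}


SAMPLE_CREDENTIALS = {"c1001": "correct-horse", "c1002": "battery-staple"}  # constructed


def run_scenario():
    """Replay a constructed sequence of entry attempts and review the log."""
    auth = OnlineBankingAuth(SAMPLE_CREDENTIALS, FakeClock(datetime(1997, 6, 1, 9, 0, 0)))
    attempts = [
        ("c1001", "correct-horse"),      # legitimate login
        ("c1002", "guess-1"),            # three wrong secrets in a row ...
        ("c1002", "guess-2"),
        ("c1002", "guess-3"),            # ... the third one locks c1002 out
        ("c1002", "battery-staple"),     # right secret, but refused while locked
        ("c1001", "typo"),               # one failure for c1001 ...
        ("c1001", "correct-horse"),      # ... then success, which resets the count
    ]
    results = [auth.login(cust, secret) for cust, secret in attempts]
    return results, review_audit_log(auth.audit_log)


if __name__ == "__main__":
    outcome, flagged = run_scenario()
    print(outcome)    # [True, False, False, False, False, False, True]
    print(flagged)    # {'c1002': {'LOGIN_FAILED': 3, 'LOCKED_OUT': 1, 'REJECTED_LOCKED': 1}}
```

The point of pairing the two controls is visible in the output: the lockout stops the guessing, but only the log review shows that a customer's correct secret was presented immediately after the lockout, which is the kind of indication the report says bank officials should be looking at. Two of the surveyed banks could not count unauthorized attempts because they had no such monitoring in place.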
Recently issued guidance by the Federal Reserve Bank of New York\6 warns that the Internet potentially exposes a bank's on-line system, and in turn its internal computer network, to worldwide attack and compromise. Many of the 185 banks in our survey with on-line systems reported having electronic links with various other computer systems (see table 6). Most said their on-line systems were linked to a vendor's system or to the banks' business partners. To a lesser extent, they reported their on-line systems were electronically linked to the Fedwire or other computer systems. At one bank we contacted, an individual was able to break into the bank's on-line system and use its electronic connection to transfer funds fraudulently to other financial institutions.

Table 6
Surveyed On-line Banks Reporting Electronic Links Between Their On-line
Banking System and Other Computer Systems\a

Links to other computer systems                     Percent    Number
--------------------------------------------------  ---------  ---------
Fedwire\b                                           15%        28
Clearing House Interbank Payment System (CHIPS)\c   16         29
Society for Worldwide Interbank Financial
  Telecommunications (S.W.I.F.T.)\d                 17         31
Vendor systems\e                                    65         120
Other financial institutions                        17         31
Bank's business partners                            32         59
----------------------------------------------------------------------
Note: Based on information for 185 banks.

\a For more information about computer systems mentioned in this table, see Payments, Clearance, and Settlement: A Guide to the Systems, Risks, and Issues (GAO/GGD-97-73, June 20, 1997).

\b Fedwire serves approximately 9,500 depository institutions.

\c CHIPS is the main U.S. wire transfer system for processing international U.S. dollar transfers. CHIPS is operated by the New York Clearing House Association and serves 95 foreign and domestic banks representing 28 countries.

\d S.W.I.F.T. is an international financial payment cooperative organization that operates a network that facilitates the exchange of payment and other financial messages between financial institutions throughout the world.

\e Vendor systems are on-line banking systems operated by a third party under contract to a bank.

Source: GAO analysis of survey results.

--------------------
\6 Sound Practices Guidance on Information Security, Federal Reserve Bank of New York, September 1997.

OPERATIONAL PROBLEMS
---------------------------------------------------------- Letter :5.3

The third category of problems reported by the 93 banks involved operational problems, most of which involved staffing or training problems or difficulties in upgrading or replacing outdated software. Twenty-seven of the 93 banks (29 percent) reported that they had experienced staffing and training problems (see table 4). Some banks reported that their employees lacked the computer-related technical backgrounds needed to handle on-line banking problems. One bank official said that the volume of customer inquiries far exceeded the ability of his bank's current staff to handle them promptly. Another bank said that staffing and training problems led to a loss of customer confidence.

To reduce difficulties stemming from inadequate or limited staffing or training, information security experts and federal regulators have suggested that banks should equip their staffs to respond to problems affecting on-line systems by establishing guidelines or providing associated training. Nearly all of the 93 banks reported providing training to staff (see table 5). One bank that attributed its staffing problems to the newness of its on-line banking system believed that such problems would decrease over time.

Twenty of the 93 banks (22 percent) reported operational difficulties relating to the need to upgrade and replace outdated software (see table 4).
One bank explained that it must at least partly rely on its customers to buy banking software upgrades on their own. According to information security experts, problems stemming from a failure to upgrade and replace software can pose a risk to banks. For instance, as software becomes dated, it becomes easier for someone to exploit the vulnerabilities of software programs. Information security experts stated that software update control programs can identify which customers have not updated their software and automatically upgrade the access software installed on a customer's personal computer. Sixty-one of the 93 banks (66 percent) reported that they had installed some type of a software update control program (see table 5). A few banks told us that they had not yet implemented this type of measure because of the newness of their banks' systems.

CONCLUSIONS
------------------------------------------------------------ Letter :6

Our analysis indicated that the number of banks implementing on-line banking systems is planned to increase about fivefold by December 1998. Although responses of most of the banks we contacted indicated that their on-line banking systems had met or exceeded their expectations, the introduction of on-line banking technology exposes banks and their customers to risks from electronic interception, data corruption, and fraud. Accordingly, information security experts and federal banking regulators suggest that banks assess risks associated with their on-line banking systems and take measures to protect against them. Although many of the banks we surveyed had conducted such assessments, others had not and, thus, lacked assurance that they were taking appropriate mitigating measures to protect their on-line banking systems. Moreover, over two-thirds of the banks reported some combination of service availability, security, or operational problems with their on-line banking systems.
Although difficulties such as these can be expected with the introduction of new banking technology, our work suggests that banks will face considerable challenges implementing and maintaining secure and dependable banking services as on-line banking in the United States continues to grow.

AGENCY COMMENTS AND OUR EVALUATION
------------------------------------------------------------ Letter :7

The Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Office of Thrift Supervision provided written comments on a draft of this report, and their comments and our additional responses are reprinted in appendixes III through VI. In addition, these four agencies and the FBI provided technical comments, which we have incorporated where appropriate.

The four regulatory agencies generally found that the report provided useful information and insights on the challenges faced by banks and thrifts when implementing and maintaining on-line banking services. FRS and OCC expressed concerns about the presentation of certain data in the report. Specifically, FRS believed it would be useful to differentiate between problems caused by hardware, software, or operational failures and those caused by attacks on systems and felt that presentation problems prohibited it from being able to interpret the data sufficiently to determine the underlying causes of the issues identified in the report. OCC was concerned that the report did not sufficiently distinguish between significant and relatively minor problems. We amended the report to reflect the actual percentage of problems experienced for each category discussed, rather than aggregating the problems into a single category.
However, the purpose of our survey was to obtain information on the problems experienced by banks and thrifts that offered on-line banking, and the scope of this work did not include an assessment of the significance or underlying causes of the problems each institution experienced. Moreover, information security experts we spoke with emphasized that each of the problems identified was considered to be a serious issue warranting attention.

OTS and FDIC stated that our projection that 47 percent of all U.S. banks will be offering on-line banking by the end of 1998 appeared high. This projection is based on the responses of randomly selected banks that we surveyed and represents what they reported to us about their future plans. Due to the size and characteristics of our sample, our projection of the percentage of banks offering on-line banking by the end of 1998 is subject to a sampling error of 15 percent, resulting in a confidence interval that ranges between 32 percent and 62 percent. We incorporated additional material in appendix II to provide greater detail on our sampling and projection methodology. In addition, we now show the sampling error for each projection presented in the report.

---------------------------------------------------------- Letter :7.1

As agreed with your office, unless you announce the contents of this report earlier, we plan no further distribution until 30 days after the date of this letter. At that time, we will send copies of the report to the Ranking Minority Member of your Committee, the Chairmen and Ranking Minority Members of other interested congressional committees, and individual Members. Copies will also be made available to others on request.

This report was prepared under the direction of Kane Wong, Assistant Director, Financial Institutions and Markets Issues. Other major contributors are listed in appendix VII. Please contact either Mr. Wong on (415) 904-2000 or me on (202) 512-8678 if you have any questions about this report.

Sincerely yours,

Thomas J. McCool
Director, Financial Institutions and Markets Issues

TELEPHONE SURVEY INSTRUMENT
============================================================== Appendix I

(See figure in printed edition.)

OBJECTIVES, SCOPE, AND METHODOLOGY
========================================================== Appendix II

Our objectives for this assignment were to determine (1) the number of banks and thrifts (referred to as banks in this report) that reported they offer, or plan to offer, on-line banking and the types of services they reported; and (2) the experiences reported by banks in implementing their on-line banking systems as well as their efforts to mitigate associated risks. We focused our work on those U.S. banks and thrifts that accepted retail deposits or provided retail services.

To accomplish our objectives, we conducted a telephone survey between May 1997 and mid-June 1997 of 349 banks, which included 219 banks that available information suggested were offering on-line banking services\7 and 130 randomly selected banks that were representative of the remaining banks and thrifts in the United States.
The random sample of 130, stratified across 7 size categories, was drawn from a population of 11,288 banks and thrifts that remained in a database of the September 1996 Federal Financial Institutions Examination Council's Call Reports and the Office of Thrift Supervision's Thrift Financial Reports after the banks and thrifts previously identified as on-line banking providers were removed, as shown in table II.1. Although neither GAO nor the agencies that produced the source data have fully assessed the reliability of this database, Call Report data are widely used by researchers in academia, government, and private industry.

Table II.1
Disposition of Bank and Thrift Survey Sample

                                                  Sample disposition
                                      ------------------------------------------------------
                    Original                     Ineligible  Refusals/    Usable     Response
Sample source       population   Sample          \a          no response  response   rate\b
------------------  -----------  --------------  ----------  -----------  ---------  --------
Previously known    219          219             42          16           161        91%
on-line banking
offerors
Stratified random   11,288       130             12          2            116        98%
sample of
remaining banks
and thrifts
============================================================================================
Totals              11,507       349             54          18           277        94%
--------------------------------------------------------------------------------------------
\a No longer in business, acquired or merged with another institution, or duplicate listings.

\b Response rate was calculated as the number of banks and thrifts completing usable questionnaires divided by the number of eligible banks and thrifts in the sample (original sample minus ineligibles).

Source: GAO survey.

We contacted officials representing the 349 institutions in our sample by telephone to determine whether the institution was currently an active bank eligible for our survey and found that 295 banks were eligible. For those eligible banks, we asked the bank to identify the most appropriate respondent, and we then mailed that person a letter requesting his or her participation in our telephone survey.
We also faxed the telephone questionnaire to 10 banks that could not respond to our questionnaire by telephone and asked them to return the questionnaire by fax. When we completed our fieldwork in mid-June 1997, 277 of the 295 eligible banks (94 percent) from our original sample of 349 had provided complete responses. We did not verify the information provided by survey respondents.

To accomplish our first objective, we asked each respondent whether the bank offered or planned to offer on-line banking to retail or corporate customers and the reasons for offering or not offering on-line banking. In addition, we asked these officials about the types of on-line banking services their banks offered. We found that 185 of the 277 banks we contacted reported they offered on-line banking services. We found that many of those banks were affiliated and a single official was able to provide on-line banking information on several banks in our survey. Thus, we interviewed only 93 bank officials who were able to provide information for the 185 banks that reported offering on-line banking in our survey.

Our estimates of the (1) overall numbers of U.S. banks offering or intending to offer on-line banking and (2) specific services offered are projected to the entire population of approximately 10,520 U.S. banks we estimate to have been active at the time of our survey. To arrive at 10,520 banks from the original population of 11,507, we adjusted the original number on the basis of the number of ineligible banks we found during our review. To make such estimates, we assigned each completed survey questionnaire a mathematical weight proportional to the number of other unsampled banks in the stratum that the sampled bank was to represent. We assigned a weight of 1 to banks previously identified with on-line banking systems, as they were not drawn at random to represent a larger stratum of nonsampled banks.
For example, to arrive at our population estimate of 4,220 banks that do not currently offer any on-line banking services but plan to offer at least 1 such service by December 1998 (see app. I, ques. 3), we multiplied each of the 36 sampled banks that gave us this answer by a weight, ranging from 1 to 336, depending on which size stratum each was drawn from. Because we surveyed only a sample of banks, these estimates have a sampling error, which is a measure of the precision with which the estimated value approximates the actual value. Sampling errors are calculated at the 95 percent confidence level for each weighted estimate made and are reported in the text.

To accomplish our second objective, to determine the experiences reported by banks in implementing their on-line banking systems as well as efforts to mitigate associated risks, we based our results on the responses of the officials we interviewed and did not project the results to all active banks in the United States. We obtained information for 185 banks on (1) the channels used to deliver on-line banking services, (2) the reasons for implementing on-line banking, (3) whether on-line banking met or exceeded expectations, and (4) the electronic links that banks had with other payment systems. We limited certain information obtained from these officials to the banks they directly represented. Specifically, these officials provided information for 93 banks on (1) problems experienced, (2) risk identification, and (3) risk mitigation efforts.

The difficulties of conducting any survey may introduce other types of "nonsampling" errors that affect both the weighted and unweighted estimates. For example, differences in how a particular question is interpreted, or in the sources of information that are available to respondents, can introduce unwanted variability into the survey results. Although we did not verify the survey results, we took various steps to reduce nonsampling errors.
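The weighting and sampling-error method described in the two paragraphs above, carried through on constructed numbers as an added worked example; it is not GAO's code or survey data. Each sampled bank is weighted by the stratum's population size divided by its sample size (so a census stratum such as the previously known offerors gets weight 1), the weighted "yes" answers are summed to estimate the population count, and the sampling error is the half-width of a 95 percent confidence interval. The strata, their sizes and their answer counts below are constructed, and the variance formula used (the standard stratified estimator for a proportion with a finite population correction) is an assumption about the exact method, which the appendix does not spell out.

```python
"""Stratified weighting and sampling error for a survey estimate, added as a
worked example for this appendix; it is not GAO's code or data.  The strata,
population sizes, sample sizes and "yes" counts are constructed, and the
variance formula (stratified estimator of a proportion with a finite
population correction) is an assumption about the method GAO describes."""
import math

Z_95 = 1.96   # normal critical value for the 95 percent confidence level

# Constructed strata: N = banks in the stratum, n = banks sampled from it,
# yes = sampled banks answering "offers or plans to offer on-line banking".
# The first stratum is a census of previously known offerors (weight 1).
SAMPLE_STRATA = {
    "known offerors": {"N": 200,  "n": 200, "yes": 200},
    "small":          {"N": 6000, "n": 40,  "yes": 12},
    "medium":         {"N": 3000, "n": 30,  "yes": 12},
    "large":          {"N": 800,  "n": 20,  "yes": 14},
}


def stratified_estimate(strata, z=Z_95):
    """Weight each sampled bank by N_h / n_h, sum the weighted "yes" answers to
    estimate how many banks in the population answer yes, and attach the
    sampling error (half-width of the 95 percent confidence interval)."""
    population = sum(s["N"] for s in strata.values())
    weights, weighted_yes, variance = {}, 0.0, 0.0
    for name, s in strata.items():
        w = s["N"] / s["n"]                       # each sampled bank stands for w banks
        weights[name] = w
        weighted_yes += w * s["yes"]
        p_h = s["yes"] / s["n"]                   # proportion answering yes in the stratum
        if 1 < s["n"] < s["N"]:                   # a census stratum adds no sampling variance
            fpc = 1 - s["n"] / s["N"]             # finite population correction
            variance += (s["N"] / population) ** 2 * fpc * p_h * (1 - p_h) / (s["n"] - 1)
    proportion = weighted_yes / population
    error = z * math.sqrt(variance)
    return {
        "population": population,
        "weights": weights,
        "estimated_count": round(weighted_yes),
        "proportion": proportion,
        "sampling_error": error,
        "interval": (max(0.0, proportion - error), min(1.0, proportion + error)),
    }


if __name__ == "__main__":
    est = stratified_estimate(SAMPLE_STRATA)
    print(f"weights: {est['weights']}")
    print(f"estimated banks: {est['estimated_count']} of {est['population']}")
    print(f"proportion: {est['proportion']:.1%} +/- {est['sampling_error']:.1%}")
```

With these constructed strata the estimate is 3,760 of 10,000 banks (37.6 percent) with a sampling error of about 10 percentage points; the report's own figure of 47 percent plus or minus 15 (an interval of 32 to 62 percent) is the same kind of result computed from its seven size strata. Most of the uncertainty comes from the large, lightly sampled "small" stratum, which is why the weights there are so much bigger than 1.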
Prior to designing our telephone questionnaire, we interviewed information security experts and federal agency officials to identify the types of potential risks and problems that could be associated with on-line banking as well as basic security features that could help prevent the occurrence of such problems. We also reviewed relevant documents and technical literature on these issues. We then solicited expert opinions on the wording and structure of our questions, and we pretested the survey instrument with several banks. All data collected during our survey were keypunched and verified during data entry, and computer analyses were performed to identify additional inconsistencies or other indications of errors. All computer analyses were checked by an independent analyst.

In this study, we did not attempt to determine the effectiveness of security measures that banks implemented to prevent the occurrence of on-line banking problems. To do so would have required us to look at numerous factors, such as particular computer system architectures and banks' policies and guidance.

In addition, we interviewed information security experts from Lawrence Livermore Laboratory; Science Applications International Corporation; Advanced Programming and Development, Inc; the Department of Defense; and the National Institute of Standards and Technology to identify potential risks and problems associated with on-line banking as well as basic security features that could help prevent such problems. We also discussed these issues with officials from the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, and the Department of the Treasury. We further contacted officials from the Federal Bureau of Investigation, the President's Commission on Critical Infrastructure Protection, the American Bankers Association, the Bankers Roundtable, and the California Bankers Association.
We conducted our review between October 1996 and October 1997 in accordance with generally accepted government auditing standards. We provided a draft of this report to the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, and the Department of Justice for comment. The four regulatory agencies provided written comments, which are reprinted in appendixes III through VII. In addition, these four regulatory agencies and the Department of Justice's Federal Bureau of Investigation provided technical comments, which we have incorporated where appropriate in the report.

--------------------
\7 We consulted an Internet-based directory of North American banks that offered on-line banking, maintained by the Online Resources & Communications Corporation. We did not validate the coverage or content of the directory.

COMMENTS FROM THE FEDERAL RESERVE SYSTEM
========================================================== Appendix III

(See figure in printed edition.)

The following are GAO's comments on the Federal Reserve System's letter dated November 14, 1997.

GAO COMMENTS

1. FRS commented that the draft report overstates the extent to which real security problems may exist due to the inclusion of unsuccessful unauthorized attempts to access a system or inadvertent errors by authorized users. In order to eliminate any confusion, our discussion was changed to comment only on the number of banks reporting unauthorized access attempts and, thus, excludes the one bank that classified a customer error as an unauthorized access attempt. The purpose of our survey was to obtain information on the problems reported by banks and thrifts that offered on-line banking, and the scope of the work did not include an assessment of the significance or underlying causes of the problems each institution experienced.

2. FRS suggested that we clarify our use of the terms "denial of service" and "disruptions in service." We did not differentiate these terms in the question we posed to the banks. Our question was directed to whether the bank was unable to provide service regardless of whether it was due to a malicious intent or breakdown in the hardware or software supporting the system and thus cannot be used to determine underlying causes.

COMMENTS FROM THE COMPTROLLER OF THE CURRENCY
========================================================== Appendix IV

(See figure in printed edition.)

COMMENTS FROM THE FEDERAL DEPOSIT INSURANCE CORPORATION
========================================================== Appendix V

(See figure in printed edition.)

The following are GAO's comments on the Federal Deposit Insurance Corporation's letter dated November 17, 1997.

GAO COMMENTS

1. FDIC stated that the survey results in our draft report did not include telephone banking or the experiences or efforts of the credit union industry. Although we agree that these are important subjects to cover, they were beyond the scope of our work.

2. FDIC commented that it would be useful to provide an analysis of the survey results by bank asset size. An analysis of survey results organized by asset size of the banks would be helpful. However, we were not able to project distinctions between asset size categories because of the size of our sample.

3. FDIC commented that it had rarely encountered an electronic link between banks under its review and other systems, including Fedwire. It commented that it may be possible that the survey question may have been ambiguous. In addition, FDIC said it has seen very few banks offer their customers the ability to directly transfer funds to other banks.
We specifically asked the banks whether their on-line banking services were electronically linked to Fedwire and other systems. In addition, we recontacted one bank that examiners told us they believed was not linked to Fedwire, and bank officials told us that in fact the bank did have an electronic link to the Fedwire system. In regard to transferring funds between banks, we specifically asked the banks whether their on-line systems allowed customers to authorize or perform interbank funds transfers. We did not validate whether customers could actually perform these transfers, and we presented the information as it was reported to us.

4. FDIC stated that the number of reported experiences of employee sabotage and internal attacks was low and contrary to other recent reports. We recognize that internal attack is one of the biggest threats to on-line banking. However, we were limited to presenting the number of experiences that the banks reported to us. Although the FBI had information that insider attacks constitute a large number of computer crimes, FBI officials told us the information is not specific to the banking industry. See page 14.

COMMENTS FROM THE OFFICE OF THRIFT SUPERVISION
========================================================== Appendix VI

(See figure in printed edition.)

The following is GAO's comment on the Office of Thrift Supervision's letter dated November 17, 1997.

GAO COMMENT

1. The Office of Thrift Supervision described its agency's efforts in providing guidance to thrift institutions on retail on-line personal computer banking. We have added to the report OTS' expectations that thrifts providing services over the Internet evaluate and mitigate risks to their on-line systems. See page 9.

MAJOR CONTRIBUTORS TO THIS REPORT
========================================================= Appendix VII

GENERAL GOVERNMENT DIVISION, WASHINGTON, D.C.
Carl Ramirez, Senior Social Science Analyst
Delois Richardson, Computer Specialist

SAN FRANCISCO OFFICE
Denise Callahan, Evaluator-in-Charge
Grace Sakoda, Evaluator
May Lee, Evaluator
Gerhard C. Brostrom, Communications Analyst

OFFICE OF THE GENERAL COUNSEL, WASHINGTON, D.C.
Paul G. Thompson, Attorney

*** End of document. ***