E-BANKING RISKS
The vast majority of best known Risk Management methods, frameworks and best practices in e-banking suggest security policies, procedures, standards, and guidelines as the key components in order to provide management, support compliance and direct employees with what is expected as security behavior (Kouns and Minoli, 2010).
Up to this point, there is no distinct Risk Management approach for this domain but only generic models modified to suit the e-banking environment (Tanampasidis, 2008). However, the e-banking environment is characterized as highly dynamic and involves perceptible changes such as product and service innovation, the unprecedented speed of technological change, the increasing dependence of banks on third-party service providers and the ubiquitous nature of open electronic networks. For these reasons the Basel Committee has acknowledged e-banking risks under two main categories with four subcategories each namely traditional risks or financial risks under credit, market, interest rate, and liquidity risk, and as inherently new risks or non financial risks namely operational, reputation, legal and strategic (Kondabagil, 2007). Figure 6 and following paragraphs provide an overview of the e-banking risks.Strategic risks can derive when management does not efficiently plan, manage and monitor the performance of the e-banking services and products. In this regard, the need for an effective ITSG process will enable value delivery, performance measurement and management of IT-related risks. This will in turn create competitive advantage, increase customer satisfaction, and improve cost efficiency and innovation (Kondabagil, 2007). Factors influencing strategic risk include, but not
Figure 6. E-banking risks
restricted, to the adequacy of information systems, the increased dependence on outsourcing and third parties and the adequacy oftechnical, operational, compliance and marketing support.
Particularly, outsourcing risk and third parties dependencies have become integral part of e-banking therefore, will be analyzed separately.Operational risk can be defined under the B asel Committee principles as the risk of loss resulting from inadequate processes, people and systems or from external events. This broad definition is also found on literature as transaction risk, security risk or IT risk (Kouns and Minoli, 2010). Examples of operational risk involve but not limited to internal and external fraud, human factors, and erroneous transaction processing and product and service liability. Operational risk affects the financial institution in the ability to deliver e-banking services and has a direct impact on customer service and satisfaction. Major factors affecting the nature of operational risk are the structure and complexity of the bank’s processing environment, complexity of supportive technology and failed outsourced processes. In this regard, a sound ITSG process can mitigate operational risks by acting as an internal control process thereby increasing business value.
Legal risk arises mainly from violations or non-conformance with laws, rules, regulations and ethical standards. Legal risk is also found in the literature as compliance risk (Shah and Clarke, 2009) where non compliance may indicate serious consequences including rating downgrades, monetary fines, enforced penalties, reputational damage and in extreme cases withdrawal of authorization to operate. E-banking is a highly dynamic channel that necessitates a strong governance program where the laws, rules, policies and procedures are clear and implemented in a daily basis. However, since e-banking is still evolving the risk associated with legal issues is considered highly complex because the changing technological environment and the cross-border transactions are deliberate causes for concern.
Reputational risk is described as the risk of significant negative public opinion where the image and the reputation of the bank are badly damaged.
Factors affecting the reputation of ebanking system are, but not limited, the loss of trust due to an unauthorized activity on customer accounts, failure to deliver marketing objectives, confusion between services, lack on online communication and the modification of the bank’s website (Kondabagil, 2007). For this reason, an ITSG program can help improve reputational risk by establishing monitoring procedures capable not only to prevent failures but educate the customer along with formal incident responses.Financial risks such as credit, market, liquidity and interest rate risks are considered as traditional e-banking risks. However, their practical implications may be of a different magnitude for banks than non financial risks (Rao et al., 2007). This is true in the case where banks cover a variety of banking activities as compared to banks or solely Internet banks that focus exclusively on e-banking services. For example a liquidity risk may emerge if a bank lacks in resources and has inability to meet its obligations whereas credit risk emerges from a bank’s inability to make payments as promised. It should be pointed out here that specific problems may occur at different risk categories. For example an internal fraud can be classified as operational risk but such an event also exposes a bank to reputational and legal risk. Table 1 summarizes the categorization of e-banking risks with the addition of outsourcing risk that will be explained in detail in the next section since it has the ability to affect traditional risks and also cause other risks in the e-banking environment.