OUTSOURCING RISK IN E-BANKING
Public confidence in e-banking is a cornerstone in the stability and reputation of a financial institution. Systems reliability and assurance of security requirements (availability, confidentiality and integrity) are therefore the responsibility of the bank even though the e-banking system is operated elsewhere, either domestically or abroad. The main drivers to outsource for banks have been the potential for cost savings and the need to focus on core competencies.
Table 1. E-banking risks categorization
| Risk | Category |
| --- | --- |
| Strategic Risk: Associated risk with Board and management decision-making. | Non financial risks |
| Operational Risk: Associated risk with implementation of e-banking functions. | Non financial risks |
| Legal Risk: Associated risk with non adherence to law enforcement. | Non financial risks |
| Reputational Risk: Associated risk with damage to e-trust and image of e-banking services. | Non financial risks |
| Credit Risk: Associated risk with the bank’s inability to meet its obligations in accordance with agreed terms. | Financial risks |
| Market Risk: Associated risk resulting from changes in market prices, interest rates, foreign exchange rates, equity and commodity prices. | Financial risks |
| Interest Rate Risk: Associated risk resulting from falling bond prices due to variability of interest rates. | Financial risks |
| Liquidity Risk: Associated risk with a bank’s inability of funding. | Financial risks |
| Outsourcing Risk: Associated risk resulting from third parties dependence. | |
Other benefits involve lower personnel costs, instant access to talent and no need for extensive training (Angelakopoulos and Mihiotis, 2011). For these reasons, e-banking systems are based not solely on operational efficiencies but also on third party service providers. Therefore, as the range and relative complexity of such outsourced activities increase, so do the risks.
Outsourcing can be defined as any activity that is not performed by the bank itself, but is supported by a contracted third party (Rao et al., 2007). The most common way for a bank to mitigate outsourcing risks is via an ITSG process in due diligence. This means that a bank needs to ensure that the supported vendors are trusted third parties and, through an ITSG process, to assess the quality and reputation of their products and services. In particular, the Federal Financial Institutions Examination Council (FFIEC, 2004) specifies recommendations about selecting a third party service provider when performing due diligence. The most important include:
1. Qualifications and background of the vendor,
2. Financial status and reputation,
3. Adherence to legal and regulatory compliance and
4. Insurance coverage.
According to Arshad et al. (2007), Information Computer Technology (ICT) outsourcing is an act of delegating or transferring a proportion of IT-related decision making rights, business processes and material to external providers, who will be responsible for developing, managing and administering these activities in accordance with agreed-upon deliverables as explicitly set in a contractual agreement. The most commonly outsourced activities are ISP services, web hosting, ICT application maintenance and support, ICT infrastructure, programming, e-business solutions, application analysis, end-user application support, staff/user training, ICT security audit and security policy or standards development.
Outsourcing requires a contract or a solid deal with the third party to ensure smooth cooperation. In particular, the contract should indicate the type and range of the arrangement between the bank and the third party, namely the terms and conditions of the agreement, ownership of information, limitations, dispute resolution, cost of transition and periodic reviews of the agreement. Normally, outsourcing arrangements are classified into either IT outsourcing or business process outsourcing (BPO). The first arrangement is more common, since banks prefer to move the technological equipment outside the bank (material outsourcing) and keep the business processes performed and managed internally. Another subset of outsourcing is “offshore outsourcing”, where the third party service provider is based outside the bank’s territory, mostly to take advantage of labor costs. Another type of outsourcing contract is a service level agreement (SLA). This type of contract emphasizes the requirements a bank anticipates from the vendor as far as bandwidth, response time and business expectations are concerned (Shah and Siddiqui, 2006).
Outsourcing and its perceived risks significantly affect the financial and non-financial risks described in the previous section. For example, strategic risks may emerge from the inability of a financial institution to control the activities of the service provider. Moreover, reputation risk may arise when the service provider fails to deliver the promised results and the quality of the service is poor. This has a direct impact on the operability of the e-banking system and, of course, on the reputation of the bank. In addition, legal risk (compliance risk) may also manifest if the service provider fails to abide by and conform to legal and regulatory provisions. In this respect, operational risk also arises because the bank’s internal processes are downgraded due to the lack of support from the third party service provider.
Furthermore, outsourcing risk may give rise to other risks such as the “Exit strategy risk”, which occurs when a bank has high reliance on a vendor and lacks exit strategies.
In addition, other risks include the “Country risk”, which may occur due to offshore outsourcing when the economic, political, social and legal climate of the host country, where the service provider is located, prevents fulfillment of the contract agreement. Outsourcing risk may also cause “Concentration and Systemic risk”, which refers to risk incidents that happen within the overall banking industry or sector. For example, if e-banking functional areas are dependent upon a certain number of external service providers, this causes a number of banks to be indirectly dependent on the same service provider. Other types of risks include “Counterparty risk”, which arises due to bad quality of services, “Contractual risk”, when the agreement between the parties is not fulfilled as it should be, and “Access risk”, when the outsourcing arrangement hampers the ability of the regulated entity to provide timely data and other information to regulators (Basel Committee on Banking Supervision, 2005).
Managing outsourced services in e-banking implies the need for a sound Risk Management approach, which will entail a comprehensive ITSG process for managing the whole range of e-banking risks, including outsourcing and other third party dependencies. The role of ITSG will be:
1. To enforce compliance functions,
2. Combat anti-money laundering,
3. Improve the reputation between the trusted parties and
4. Ensure the privacy of customer information.
Figure 7 shows that outsourcing risk affects traditional (financial) and nontraditional (non-financial) risks such as strategic risks, but can also cause other risks such as “country risk” or “counterparty risk.” Therefore, evaluation of outsourcing decisions should begin with a proper Risk Assessment, namely:
1. Identification of the role of outsourcing in the overall business strategy and objectives of the financial institution,
2. Due diligence analysis of the complexity and nature of the vendor,
3. Analysis of risk-return benefits of outsourcing against the vulnerabilities and threats that may emerge upon the possibility of a security incident (Arshad et al., 2007).
Figure 7. Outsourcing risk relationships
Financial institutions relying on e-banking systems should mitigate the overall risk by developing appropriate contingency plans and thereby planning for processing alternatives. The contingency planning for outsourced activities could be part of a Business Continuity Plan (BCP). The BCP needs to ensure the sustainability of the e-banking system itself and of the activities outsourced. The BCP is a comprehensive written plan of action that provides specific requirements for the staff and infrastructure and establishes the procedures necessary to deal with a disruption and the recovery of business functions within the estimated timeframes. At the same time, Business Continuity Management (BCM) is a trade-off process between costs and benefits and can be included in a wider Risk Management approach (Kondabagil, 2007).