Carol Sergeant
Director, Banks & Buildings Societies
Financial Services Authority
29 March 2000

Introduction

Financial Regulators are generally viewed as the professional party poopers at any upbeat conference like this, warning of dire consequences ahead for any who stray from the virtuous path of prudence and regulatory compliance. I will do my best to meet your possibly reasonable but miserable expectations later on. But before I do please allow me to dwell briefly on what we in the FSA consider to be the potentially very positive aspects of E Commerce for firms, consumers – and even for regulators!

A few examples:

For Firms E Commerce brings:

- different and arguably lower barriers to entry;

- opportunities for significant cost reduction;

- the capacity to rapidly re-engineer business processes;

- greater opportunities to sell cross border.

Each and all of these potential benefits provides for increased competition and the ability to wrest market leadership from established players.

For consumers the potential benefits are:

- more choice;

- greater competition and better value for money;

- more information;

- better tools to manage and compare information;

- faster service.

And there are potential benefits even for regulators:

- better, more flexible, user friendly information for consumers and others on our own web-site;

- better, almost indestructible audit trails;

- potential to monitor advertising and advice activity more easily;

- more cost effective and efficient use of regulatory tools (for example the use of our extra net over the Y2K period).

But of course there are also risks. The risks to firms – specifically banks I will cover later.

For consumers the biggest risks are probably information overload and not understanding whom they are dealing with and on what terms. This can range from dealing with a perfectly respectable company from another jurisdiction, but not understanding for example the different legal environment, compensation schemes and ombudsman arrangements, through to being vulnerable to scams and frauds.

For regulators one key danger is a failure to understand changing risk profiles and vulnerabilities of individual firms and also changes to market structures and interactions. Another very important risk is that our own regulatory framework could somehow inhibit desirable innovations by not adapting quickly enough.

We are very conscious of this in the FSA and are trying very hard to be E-neutral (a recent example of this is the proposed Conduct of Business Sourcebook). We have also selected E-commerce as one of our regulatory themes for this year and are very active in international fora – but more of that later.

Impact of e-banking on traditional services

Before talking about the issues of risks and responses to E banking, I would like to spend a little time considering the wider question of what the e-banking revolution might mean for the future. I take "E" to mean anything electronic whether it be Internet, television, telephone or all three.

One of the issues currently being addressed is the impact of e-banking on traditional banking players. After all, if there are risks inherent in going into e-banking there are other risks in not doing so. It is too early to have a firm view on this yet. Even to practitioners the future of e-banking and its implications are unclear. It might be convenient nevertheless to outline briefly two views that are prevalent in the market.

The view that the Internet is a revolution that will sweep away the old order holds much sway. Arguments in favour are as follows:

E-banking transactions are much cheaper than branch or even phone transactions. This could turn yesterday’s competitive advantage - a large branch network - into a comparative disadvantage, allowing e-banks to undercut bricks-and-mortar banks. This is commonly known as the "beached dinosaur" theory.

E-banks are easy to set up so lots of new entrants will arrive. ‘Old-world’ systems, cultures and structures will not encumber these new entrants. Instead, they will be adaptable and responsive. E-banking gives consumers much more choice. Consumers will be less inclined to remain loyal.

E-banking will lead to an erosion of the ‘endowment effect’ currently enjoyed by the major UK banks. Deposits will go elsewhere with the consequence that these banks will have to fight to regain and retain their customer base. This will increase their cost of funds, possibly making their business less viable. Lost revenue may even result in these banks taking more risks to breach the gap.

Portal providers are likely to attract the most significant share of banking profits. Indeed banks could become glorified marriage brokers. They would simply bring two parties together – eg buyer and seller, payer and payee.

The products will be provided by monolines, experts in their field. Traditional banks may simply be left with payment and settlement business – even this could be cast into doubt.

Traditional banks will find it difficult to evolve. Not only will they be unable to make acquisitions for cash as opposed to being able to offer shares, they will be unable to obtain additional capital from the stock market. This is in contrast to the situation for Internet firms for whom it seems relatively easy to attract investment.

There is of course another view which sees e-banking more as an evolution than a revolution.

E-banking is just banking offered via a new delivery channel. It simply gives consumers another service (just as ATMs did).

Like ATMs, e-banking will impact on the nature of branches but will not remove their value.

Experience in Scandinavia (arguably the most advanced e-banking area in the world) appears to confirm that the future is ‘clicks and mortar’ banking. Customers want full service banking via a number of delivery channels. The future is therefore ‘Martini Banking’ (any time, any place, anywhere, anyhow).

Traditional banks are starting to fight back.

The start-up costs of an e-bank are high. Establishing a trusted brand is very costly as it requires significant advertising expenditure in addition to the purchase of expensive technology (as security and privacy are key to gaining customer approval).

E-banks have already found that retail banking only becomes profitable once a large critical mass is achieved. Consequently many e-banks are limiting themselves to providing a tailored service to the better off.

Nobody really knows which of these versions will triumph. This is something that the market will determine. However, supervisors will need to pay close attention to the impact of e-banks on the traditional banks, for example by surveillance of:

  • strategy
  • customer levels
  • earnings and costs
  • advertising spending
  • margins
  • funding costs
  • merger opportunities and threats, both in the UK and abroad.

FSA Regulation of "E-banks"

The FSA intends to be E-neutral. Our current legislation, The Banking Act and the Building Societies Act, provides us with the powers we need and our current range of supervisory tools is perfectly adequate although we may need to deploy some with different degrees of intensity.

Our new legislation, The Financial Services and Markets Bill, offers a significant addition in the form of the objective which requires us to promote public understanding of the financial system. This, along with our consumer protection objective, provides the basis for our consumer education work which will be a key tool in dealing with many of the consumer risks I mentioned earlier.

So – we have no special regime for e-banks and we see no reason why we should not be able to authorise any new e-banks provided they meet our minimum prudential standards. After all we have authorised insurance banks and supermarket banks, which are heavily outsourced and often telephone based.

We like to see innovation in banking services because, quite simply, we think that this is good for retail consumers, industry and the economy as a whole.

Risks and Responses

So, back to the future – nobody knows what it will look like.

My job is to think about the risks banks, and building societies, whether new or old, are running. And about how they should respond to these risks.

Allow me to consider them under the following headings:

  • strategy
  • business
  • security
  • reputation
  • operations.

You will notice that none of these are in themselves new and anyone who is familiar with the risk based approach to banking supervision (RATE) will know that they are already routinely covered by supervisors, albeit that we may need to give different weight and emphasis to these factors for E-banking.

Strategic Risk

On strategic risk E-banking is relatively new and, as a result, there can be a lack of understanding among senior management about its potential and implications. People with technological, but not banking, skills can end up driving the initiatives. E-initiatives can spring up in an incoherent and piecemeal manner in firms. They can be expensive and can fail to recoup their cost. Furthermore, they are often positioned as loss leaders (to capture market share), but may not attract the types of customers that banks want or expect and may have unexpected implications on existing business lines.

Banks should respond to these risks by having a clear strategy driven from the top and should ensure that this strategy takes account of the effects of e-banking, wherever relevant. Such a strategy should be clearly disseminated across the business, and supported by a clear business plan with an effective means of monitoring performance against it.

Business risks

Business risks are also significant. Given the newness of e-banking, nobody knows much about whether e-banking customers will have different characteristics from the traditional banking customers. They may well have different characteristics – eg I want it all and I want it now. This could render existing score card models inappropriate, thus resulting in either higher rejection rates or inappropriate pricing to cover the risk. Banks may not be able to assess credit quality at a distance as effectively as they do in face to face circumstances. It could be more difficult to assess the nature and quality of collateral offered at a distance, especially if it is located in an area the bank is unfamiliar with (particularly if this is overseas). Furthermore as it is difficult to predict customer volumes and the stickiness of e-deposits (things which could lead either to rapid flows in or out of the bank) it could be very difficult to manage liquidity.

Of course, these are old risks with which banks and supervisors have considerable experience but they need to be watchful of old risks in new guises. In particular risk models and even processes designed for traditional banking may not be appropriate.

Operations risk

Banks face three main types of operations risk:

  • volume forecasts
  • management information systems and
  • outsourcing.

Accurate volume forecasts have proved difficult. One of the key challenges encountered by banks in the Internet environment is how to predict and manage the volume of customers that they will obtain. Many banks going on-line have significantly misjudged volumes. When a bank has inadequate systems to cope with demand it may suffer reputational and financial damage, and even compromises in security if extra systems that are inadequately configured or tested are brought on-line to deal with the capacity problems.

As a way of addressing this risk, banks should:

  • undertake market research,
  • adopt systems with adequate capacity and scalability,
  • undertake proportionate advertising campaigns, and
  • ensure that they have adequate staff coverage and develop a suitable business continuity plan.

In brief, this is a new area, nobody knows all the answers, and banks need to exercise particular caution.

The second type of operations risk concerns management information systems. Again this is not unique to E-banking. I have seen many banks venture into new areas without having addressed management information issues. Banks may have difficulties in obtaining adequate management information to monitor their e-service, as it can be difficult to establish/configure new systems to ensure that sufficient, meaningful and clear information is generated. Such information is particularly important in a new field like e-banking. Banks are being encouraged by the FSA to ensure that management have all the information that they require in a format that they understand and that does not cloud the key information with superfluous details.

Finally, a significant number of banks offering e-banking services outsource related business functions, e.g. security, either for reasons of cost reduction or, as is often the case in this field, because they do not have the relevant expertise in-house. Outsourcing a significant function can create material risks by potentially reducing a bank’s control over that function. Outsourcing is of course neither new nor unmanageable but banks should be mindful of the FSA’s guidance on outsourcing, which addresses these risks.

Security

Security issues are a major source of concern for everyone both inside and outside the banking industry. E-banking increases security risks, potentially exposing hitherto isolated systems to open and risky environments. Both the FSA and banks need to be proactive in monitoring and managing the security threat.

Security breaches essentially fall into three categories: breaches with serious criminal intent (e.g. fraud, theft of commercially sensitive or financial information), breaches by ‘casual hackers’ (e.g. defacement of web sites or ‘denial of service’ - causing web sites to crash), and flaws in systems design and/or set up leading to security breaches (e.g. genuine users seeing / being able to transact on other users’ accounts). All of these threats have potentially serious financial, legal and reputational implications.

Many banks are finding that their systems are being probed for weaknesses hundreds of times a day but damage/losses arising from security breaches have so far tended to be minor. However some banks could develop more sensitive "burglar alarms", so that they are better aware of the nature and frequency of unsuccessful attempts to break into their system.

The most sensitive computer systems, such as those used for high value payments or those storing highly confidential information, tend to be the most comprehensively secured. One could therefore imply that the greater the potential loss to a bank the less likely it is to occur, and in general this is the case. However, while banks tend to have reasonable perimeter security, there is sometimes insufficient segregation between internal systems and poor internal security. It may be that someone could breach the lighter security around a low value system, e.g. a bank’s retail web site, and gain entry to a high value system via the bank’s internal network. We are encouraging banks to look at the firewalls between their different systems to ensure adequate damage limitation should an external breach occur. As ever though, the greatest threat so far has been from the enemy within – ie your own employees, contractors and so on.

It is easy to overemphasise the security risks in e-banking. It must be remembered that the Internet could remove some errors introduced by manual processing (by increasing the degree of straight through processing from the customer through banks’ systems). This reduces risks to the integrity of transaction data (although the risk of customers incorrectly inputting data remains). As e-banking advances, focusing general attention on security risks, there could be large security gains.

So what should banks be doing? Our view is that to deal with these emerging threats effectively, financial institutions need as a minimum to have:

  • a strategic approach to information security, building best practice security controls into systems and networks as they are developed
  • a proactive approach to information security, involving active testing of system security controls (e.g. penetration testing), rapid response to new threats and vulnerabilities and regular review of market place developments
  • sufficient staff with information security expertise
  • active use of system based security management and monitoring tools
  • strong business information security controls

These are the issues line supervisors will be raising with their banks as part of their on-going supervision; or, for new applicants, will need to be given adequate assurances about.

Reputational risks

Finally, with regard to risks, I would mention reputational risk. This is considerably heightened for banks using the Internet. For example the Internet allows for the rapid dissemination of information which means that any incident, either good or bad, is common knowledge within a short space of time. Internet rumours can easily become self-fulfilling prophecies. The speed of the Internet considerably cuts the optimal response times for both banks and regulators to any incident. Banks must ensure their crisis management, particularly PR, processes are able to cope with Internet related incidents (whether they be real or hoaxes).

Any problems encountered by one firm in this new environment may affect the business of another, as it may affect confidence in the Internet as a whole. There is therefore a risk that one rogue e-bank could cause significant problems for all banks providing services via the Internet. This is a new type of systemic risk and is causing concern to e-banking providers. Overall, the Internet puts an emphasis on reputational risks. Never before has the bank’s shop window (ie its site) been so important.

One last reputational risk will be familiar to us all. That is whether the products being sold over the net are being marketed in such a way that the bank will be protected against future charges of mis-selling. As in the physical, so in the virtual world. Banks need to be sure that customers’ rights and information needs are adequately safeguarded and provided for.

International developments

So, these are some of the particular risks arising in E-banking that we have hitherto identified in the UK domestic environment – though I suspect that many of my regulator colleagues outside the UK would share many of these views. I would like to move on to the international side.

Supervision in today’s global environment can only ever be effective if it has an international dimension. This is especially the case with e-banking because of its non-territorial nature, the ease with which customers outside the home country can access the site and the opportunity to buy several types of product. Of course, regulators have long had to deal with the regulatory problems of international banking. They had set up mechanisms for cross-border supervision; agreements over home/host responsibilities (especially within the Community), bilateral agreement for information sharing and general standards by which they expect all banks, including those in offshore territories, to abide. In principle, the expectation is that this general mechanism for international supervision will be robust enough to work just as well in the e-banking as the physical environment.

Nevertheless, it will not be quite as easy as that! Inevitably the nature of e-banking raises particular issues in the application of the general approach outlined here. E-banking makes it even more necessary to develop a cohesive international approach to regulation – not only in the field of prudential regulation where Basel has made much progress, but also in the areas of conduct of business for consumer protection.

The Basel Committee E-Banking Group believes that Basel "should provide the international supervisory community with a broad set of advisory guidance with respect to electronic banking," thereby providing a basis for domestic regulation and supporting consumer and industry education. Globally, such guidance would assist international co-operation and act as a foundation for a coherent approach to supervising e-banking. It could facilitate international e-banking by creating consumer confidence in sound banks based in different, possibly less satisfactory, regimes and might dissuade host supervisors from imposing additional, potentially draconian, regulation on such banks. The Group identified:

  • Authorisation,
  • prudential standards,
  • transparency,
  • privacy,
  • money laundering, and
  • cross border supervision

as issues on which they felt that there is need for further work, both at the analytical and policy level before any such guidance could be developed. The FSA is involved in the Basel Group and will be contributing to the work, participating in the drafting of papers and hosting both the group’s next meeting and a roundtable for its members and a number of European banks and service providers. We welcome any contributions from the industry to this debate; and have indeed been actively soliciting them.

Cross-border issues

There are also significant cross-border issues.

We foresee difficulties for depositors identifying the jurisdiction within which e-banks offering services in the UK are based, given the potential absence of physical presence and the ability for e-banks to move to a new jurisdiction relatively rapidly. These concerns have prompted a considerable amount of debate and analysis in the international supervisory community. Within Europe home v host state supervision is a particularly important issue. Banks may tend to seek authorisation wherever the tax, compliance and costs are lowest, as location will become less of a critical issue since services may easily be provided on a cross-border basis. E-banking is likely therefore to significantly increase the usage of the 2BCD passport (that is the Community equivalent of your passport, but for a bank), thereby making it even more crucial that all European regulators undertake supervision in a satisfactory (and harmonised) manner and that communication between regulators is adequate.

A number of initiatives with implications for home and host state supervision are being discussed, for example the draft e-commerce and distance marketing directives and the Rome and Brussels conventions. The debate is far from being resolved and a considerable degree of uncertainty remains. For example within the e-commerce Directive ‘home’ and ‘host’ have been replaced with ‘home’ and ‘country of origin’, the implications of which are as yet unclear. The current drafting (agreed at Council) is sufficiently vague to potentially allow numerous regulators to assert jurisdiction over an Internet service, thereby nullifying the main advantage of the Directive, home state regulation. However we would expect that a suitable compromise on the point will be worked out so as to avoid this outcome. Certainly this is what we at the FSA are working towards.

Conclusion

And so in conclusion e-banking creates issues for banks and regulators alike. For our part we will continue our work, both national and international, to identify and remove any unnecessary barriers to e-banking. For their part, banks should:

  • Have a clear and widely disseminated strategy that is driven from the top and takes into account the effects of e-banking, together with an effective process for measuring performance against it.
  • Take into account the effect that e-provision will have upon their business risk exposures and manage these accordingly.
  • Undertake market research, adopt systems with adequate capacity and scalability, undertake proportional advertising campaigns and ensure that they have adequate staff coverage and a suitable business continuity plan.
  • Ensure they have adequate management information in a clear and comprehensible format.
  • Take a strategic and proactive approach to information security, maintaining adequate staff expertise, building in best practice controls and testing and updating these as the market develops. Make active use of system based security management and monitoring tools.
  • Ensure that crisis management processes are able to cope with Internet related incidents.

I started my talk today by noting potential benefits as well as the risks in e-banking. I end in the same way. Certainly there are risks. But there are also opportunities, and significant potential benefits for consumers, banks and regulators.

We see no problems in principle with mitigating and managing the risks both for new entrants and existing players. As regulators we need to ensure that our approaches are adequate to deal with the risks without getting in the way of the innovations and benefits that E-banking brings to firms and consumers. We are very mindful of this as we develop our rules and guidance but will be looking also to you in the industry to help us to achieve the right balance.
