Personal Website of R.Kannan
Project on Internet Banking - Report of RBI Working Group
Internet banking has presented regulators and supervisors worldwide with new challenges. The Internet, by its very nature, reaches across borders and is, for this reason, engaging the attention of regulatory and supervisory authorities all over the world. The experience of various countries, as far as Internet banking is concerned, is outlined in this and the next articles.

USA

In the USA, the number of thrift institutions and commercial banks with transactional web-sites is 1275 or 12% of all banks and thrifts. Approximately 78% of all commercial banks with more than $5 billion in assets, 43% of banks with $500 million to $5 billion in assets, and 10% of banks under $500 million in assets have transactional web-sites. Of the 1275 thrifts/commercial banks offering transactional Internet banking, 7 could be considered ‘virtual banks’. 10 traditional banks have established Internet branches or divisions that operate under a unique brand name.

Several new business processes and technological advances such as Electronic Bill Presentment and Payment (EBPP), handheld access devices such as Personal Digital Assistants (PDAs), Internet Telephone and Wireless Communication channels and phones are emerging in the US market. A few banks have become Internet Service Providers (ISPs), and banks may become Internet portal sites and online service providers in the near future. Reliance on third party vendors is a common feature of electronic banking ventures of all sizes and degrees of sophistication in the US.

Currently, payments made over the Internet are almost exclusively conducted through existing payment instruments and networks. For retail e-commerce in the US, most payments made over the Internet are currently completed with credit cards and are cleared and settled through existing credit card clearing and settlement systems. Efforts are under way to make it easier to use debit cards, cheques and the Automated Clearing House (ACH) to make payments over the Internet.
Versions of e-money, smart cards, e-cheques and other innovations are being experimented with to support retail payments over the Internet.

There is a matrix of legislation and regulations within the US that specifically codifies the use of and rights associated with the Internet and e-commerce in general, and electronic banking and Internet banking activities in particular. Federal and state laws, regulations, and court decisions, and self-regulation among industry groups provide the legal and operational framework for Internet commerce and banking in the USA. The international model laws promulgated by the United Nations Commission on International Trade Law (UNCITRAL) provide guidance to the member nations on the necessity for revising existing legal structures to accommodate electronic transactions.

Some important laws of general application to commercial activity over the Internet within the US are the Uniform Commercial Code (UCC), the Uniform Electronic Transactions Act (UETA) (which provides that electronic documents and contracts should not be disqualified as legal documents particularly because of their electronic form), various state laws and regulations on digital signatures and national encryption standards and export regulations. Many states already have digital signature and other legislation to enable e-commerce. State laws in this area differ, but the trend is towards creating legislation which is technology neutral.

The E-sign Act, a new US law that took effect on October 1, 2000, validates contracts concluded by electronic signatures and equates them to those signed with ink on paper. Under the Act, electronic signatures using touch-tones (on a telephone), retinal scans and voice recognition are also acceptable ways of entering into agreements. The E-sign Act takes a technology-neutral approach and does not favor the use of any particular technology to validate an electronic document.
The Act, however, does not address issues relating to which US state’s laws would govern an online transaction and which state’s code would have jurisdiction over a dispute.

The Gramm-Leach-Bliley (GLB) Act has substantially eased restrictions on the ability of banks to provide other financial services. It has established new rules for the protection of consumer financial information. The Inter-agency Statement on Electronic Financial Services and Consumer Compliance (July 1998) addresses consumer protection laws and describes how they can be met in the context of electronic delivery. In addition, the Federal Reserve Board has issued a request for comment on revised proposals that would permit electronic delivery of federally mandated disclosures under the five consumer protection regulations of the FRB (Regulations B, DD, E, M & Z).

The Interpretive Ruling of the Office of the Comptroller of Currency (OCC) authorizes a national bank to ‘perform, provide or deliver through electronic means and facilities any activity, functions, product or service that it is otherwise authorized to perform, provide or deliver’. The concerns of the Federal Reserve are limited to ensuring that Internet banking and other electronic banking services are implemented with proper attention to security, the safety and soundness of the bank, and the protection of the banks’ customers.

Currently, all banks, whether they are ‘Internet only’ or traditional banks, must apply for a charter according to existing guidelines. The five federal agencies - Federal Deposit Insurance Corporation (FDIC), Federal Reserve System (FRS), Office of the Comptroller of Currency (OCC), Office of Thrift Supervision (OTS) and the National Credit Union Association (NCUA) - supervise more than 20,000 institutions. In addition, each state has a supervisory agency for the banks that it charters.
Most existing banking institutions in the US face no prerequisite conditions or notification requirements before beginning electronic banking activities. For these banks, supervisors gather information on electronic banking during routine annual examination. Newly chartered Internet banks are subject to the standard chartering procedures. For thrift institutions, however, OTS has instituted a 30-day advance notification requirement for those that plan to establish a transactional web site. A few State banking departments have instituted a similar notification requirement for transactional Internet banking web sites.

Supervisory policy, licensing, legal requirements and consumer protection are generally similar for electronic banking and traditional banking activities. Internet banks are also subject to the same rules, regulations and policy statements as traditional banks. However, in response to the risks posed by electronic banking, federal banking agencies have begun to issue supervisory guidelines and examination procedures for examiners who review and inspect electronic banking applications. Although specialized banking procedures are used in some areas of Internet banking activities, the existing information technology examination framework that addresses access controls, information security, business recovery and other risk areas generally continues to be applicable.

To assist supervisors in monitoring the expansion of Internet banking, state chartered and national banks have been required since June 1999 to report their websites’ ‘Uniform Resource Locators’ (URL) in the Quarterly Reports of Financial Condition that are submitted to supervisors. In addition, examiners review the potential for reputational risk associated with web-site information or activities, the potential impact of various Internet strategies on an institution’s financial condition, and the need to monitor and manage outsourcing relationships.
To address these risks, the OCC is developing specific guidance for establishing ‘Internet only’ banks within the US. The Banking Industry Technology Secretariat recently announced the formation of a security lab to test and validate the security of software and hardware used by banking organizations.

If a bank is relying on a third party provider, it is accepted that it should be able to understand the provider's information security programme in order to evaluate effectively the security system’s ability to protect bank and customer data. Examination of service providers’ operations, where necessary, is conducted by one or more Federal banking agencies pursuant to the Bank Services Company Act, solely to support supervision of banking organizations.

The Federal Financial Institutions Examination Council (FFIEC) introduced the Information Systems (IS) rating system to be used by federal and state regulators to assess uniformly financial and service provider risks introduced by information technology and to identify those institutions and service providers requiring special supervisory attention. The FFIEC has recently renamed the system as Uniform Rating System for IT (URSIT), which has enhanced the audit function. The importance of risk management procedure has been reinforced under the revised system.

Some characteristics of e-money products, such as their relative lack of physical bulk, their potential anonymity and the possibility of effecting fast and remote transfers, make them more susceptible than traditional systems to money laundering activities. The OCC guidelines lay down an effective ‘know your customer’ policy. Federal financial institutions, regulators, Society for Worldwide Interbank Financial Telecommunications (SWIFT) and Clearing House Interbank Payment System (CHIPS) have issued statements encouraging participants to include information on originators and beneficiaries.

UK

Most banks in the U.K. are offering transactional services through a wider range of channels including Wireless Application Protocol (WAP), mobile phone and T.V. A number of non-banks have approached the Financial Services Authority (FSA) about charters for virtual banks or ‘clicks and mortar’ operations. There is a move towards banks establishing portals.

The Financial Services Authority (FSA) is neutral on regulations of electronic banks. The current legislation, viz. the Banking Act 1987 and the Building Societies Act, provides it with the necessary powers and the current range of supervisory tools. A new piece of legislation, the Financial Services and Markets Bill, offers a significant addition in the form of an objective requiring the FSA to promote public understanding of the financial system. There is, therefore, no special regime for electronic banks. A draft Electronic Banking Guidance for supervisors has, however, been developed. A guide to Bank Policy has also been published by the FSA which is technology neutral, but specifically covers outsourcing and fraud.

The FSA also maintains bilateral discussions with other national supervisors and monitors developments in the European Union (EU), including discussions by the Banking Advisory Committee and Groupe de Contact. New legislation on money laundering has been proposed, and both the British Bankers Association and the FSA have issued guidance papers in this regard. The FSA is actively involved in the Basle Committee e-banking group, which has identified authorization, prudential standards, transparency, privacy, money laundering and cross border provision as issues where there is need for further work.
The FSA has also been supporting the efforts of the G7 Financial Stability Forum, which is exploring common standards for financial markets, a matter particularly relevant to the Internet, which reaches across all borders.

The Financial Services and Markets Bill will replace current powers under the 1987 Banking Act, giving the FSA statutory authority for consumer protection and promotion of consumer awareness. Consumer compliance is required to be ensured via desk based and on site supervision. The FSA has an Authorization and Enforcement Division, which checks whether web sites referred to it are in violation of U.K. laws.

The FSA has issued guidelines on advertising in the U.K. by banks for deposits, investments and other securities, which apply to Internet banking also. The guidelines include an Appendix on Internet banking. The FSA’s supervisory policy and powers in relation to breaches in the advertising code (viz. invitation by any authorized person to take a deposit within the U.K., fraudulent inducements to make a deposit, illegal use of banking names and descriptions, etc.) are the same for Internet banking as they are for conventional banking. The FSA does not regard a bank authorized overseas, which is targeting potential depositors in its home market or in third countries, as falling within U.K. regulatory requirements solely by reason of its web site being accessible to Internet users within the U.K., as the advertisements are not aimed at potential U.K. depositors.

Scandinavia

Swedish and Finnish markets lead the world in terms of Internet penetration and the range and quality of their online services. Merita Nordbanken (MNB) (now Nordic Bank Holding, a merger between Finland’s Merita and Nordbanken of Sweden) leads in "log-ins per month" with 1.2 million Internet customers, and its penetration rate in Finland (around 45%) is among the highest in the world for a bank of ‘brick and mortar’ origin.
Skandinaviska Enskilda Banken (SEB) was Sweden’s first Internet bank, having gone on-line in December 1996. It has 1,000 corporate clients for its Trading Station, an Internet based trading mechanism for forex dealing, stock-index futures and Swedish treasury bills and government bonds. Swedbank is another large-sized Internet bank. Almost all of the approximately 150 banks operating in Norway had established "net banks". In Denmark, the Internet banking service of Den Danske offers funds transfers, bill payments, etc.

The basic on-line activity is paying bills. Swedbank was the first bank in the world to introduce Electronic Bill Presentment and Payment (EBPP) and now handles 2 million bill payments a month. E-shopping is another major Internet banking service. MNB has an on-line "mall" of more than 900 shops, which accepts its "Solo" payment system. Swedbank has a similar system called "Direct".

Besides using advanced encryption technology, the Scandinavian banks have adopted a basic but effective system known as "challenge response logic", which involves a list of code numbers sent to every online client and used in sequence, in combination with their password or PIN. This gives each transaction a unique code, and has so far proved safe. Some banks use even more sophisticated versions of the same technique. It is not a common practice to use third party vendors for services.

In Sweden, no formal guidance has been given to examiners by the Sverigesbank on e-banking. General guidelines apply equally to Internet banking activities. Contractual regularization between customers and the bank is a concern for regulators and is being looked into by the authorities.

The role of the Bank of Finland (Suomen Pankki) has been, as part of general oversight of financial markets in Finland, mainly to monitor the ongoing development of Internet banking without active participation.
Numerous issues concerning Internet banking have, however, been examined by the Bank of Finland.

All Internet banks operating from a Norwegian platform are subject to all regular banking regulations, just like any other bank. As part of the standard regulation, there is also a specific regulation on the banks’ use of IT. This regulation dates from 1992, when Internet banking was not the main issue, but it covers all IT systems, including Internet banking. The regulation ensures that banks’ purchase, development, use and phase-out of IT systems is conducted in a safe and controlled manner.

An Act relating to Payment systems defines payment systems as those which are based on standardized terms for transfer of funds from or between customer accounts in banks/financial undertakings when the transfer is based on use of payment cards, numeric codes or any other form of independent user identification. Internet banking is covered by this regulation. The Banking, Insurance and Securities Commission may order the implementation of measures to remedy the situation if there is a violation of provisions.

In addition to their national laws, countries in Europe are also expected to implement European Union (EU) directives. In 1995, the EU passed a Europe-wide Data Protection Directive aimed at granting individuals greater protection from abuses of their personal information. It also passed the Telecommunications Directive that prescribes special protection in relation to telephones, digital TVs, mobile communications, etc. Every EU country is to have a privacy commissioner to enforce the regulations as they apply within the EU. The EU directive on electronic signature is also required to be implemented in national laws.
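
The "challenge response logic" described in the Scandinavia section (a list of code numbers used in sequence together with a PIN) can be sketched as a server-side check. This is an added example, not code from the report or from any bank; the class name, the hashing scheme, the lockout threshold and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _digest(salt: bytes, value: str) -> bytes:
    # Salted, iterated hash so the server never stores the PIN or codes in clear.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 10_000)

class CodeListAccount:
    """Hypothetical server-side record: one PIN plus an ordered code list."""

    def __init__(self, pin: str, codes: list[str], max_failures: int = 3):
        self.salt = os.urandom(16)
        self.pin_hash = _digest(self.salt, pin)
        # Bind each code to its position so it is only valid at that step.
        self.code_hashes = [_digest(self.salt, f"{i}:{c}") for i, c in enumerate(codes)]
        self.next_index = 0               # position of the next unused code
        self.failures = 0                 # consecutive failed attempts
        self.max_failures = max_failures  # assumed lockout threshold

    def authorize(self, pin: str, code: str) -> str:
        if self.failures >= self.max_failures:
            return "locked"
        if self.next_index >= len(self.code_hashes):
            return "list exhausted"       # customer needs a new code list
        i = self.next_index
        # Evaluate both checks with constant-time comparison before deciding.
        pin_ok = hmac.compare_digest(_digest(self.salt, pin), self.pin_hash)
        code_ok = hmac.compare_digest(_digest(self.salt, f"{i}:{code}"), self.code_hashes[i])
        if pin_ok and code_ok:
            self.next_index += 1          # the code is consumed and never valid again
            self.failures = 0
            return "accepted"
        self.failures += 1
        return "rejected"

def demo() -> list[str]:
    # Constructed sample PIN and codes, not real credentials.
    acct = CodeListAccount("4821", ["193847", "550172", "804416"])
    return [
        acct.authorize("4821", "193847"),  # first code, in sequence
        acct.authorize("4821", "193847"),  # replay of a used code
        acct.authorize("4821", "804416"),  # code taken out of sequence
        acct.authorize("4821", "550172"),  # correct next code
    ]

if __name__ == "__main__":
    print(demo())
```

Because every code is tied to one position in the list and consumed on success, a captured PIN and code pair cannot be replayed for a later transaction.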