Project on Project on Internet Banking - Report of RBI Working Group
Internet Banking - International Experience - Other Countries

Australia

Internet Banking in Australia is offered in two forms: web-based and through the provision of proprietary software. Initial web-based products have focused on personal banking whereas the provision of proprietary software has been targeted at the business/corporate sector. Most Australian-owned banks and some foreign subsidiaries of banks have transactional or interactive web-sites. Online banking services range from FIs’ websites providing information on financial products to enabling account management and financial transactions. Customer services offered online include account monitoring (electronic statements, real-time account balances), account management (bill payments, funds transfers, applying for products on-line) and financial transactions (securities trading, foreign currency transactions). Electronic Bill Presentment and Payment (EBPP) is at an early stage. Features offered in proprietary software products (enabling business and corporation customers to connect to the financial institutions (via dial-up/leased line/extranet) include account reporting, improved reconciliation, direct payments, payroll functionality and funds transfer between accounts held at their own or other banks. Apart from closed payment systems (involving a single payment-provider), Internet banking and e-commerce transactions in Australia are conducted using long-standing payment instruments and are cleared and settled through existing clearing and settlement system. Banks rely on third party vendors or are involved with outside providers for a range of products and services including e-banking. Generally, there are no ‘virtual’ banks licensed to operate in Australia.

The Electronic Transactions Act, 1999 provides certainty about the legal status of electronic transactions and allows for Australians to use the Internet to provide Commonwealth Departments and agencies with documents which have the same legal status as traditional paperwork. The Australian Securities and Investments Commission (ASIC) is the Australian regulator with responsibility for consumer aspects of banking, insurance and superannuation and as such, it is responsible for developing policy on consumer protection issues relating to the Internet and e-commerce. ASIC currently has a draft proposal to expand the existing Electronic Funds Transfer Code of Conduct (a voluntary code that deals with transactions initiated using a card and a PIN) to cover all forms of consumer technologies, including stored value cards and other new electronic payment products. Australia’s anti-money laundering regulator is the Australian Transaction Reports and Analysis Centre (AUSTRAC).

Responsibility for prudential supervisory matters lies with the Australian Prudential Regulation Authority (APRA). APRA does not have any Internet specific legislation, regulations or policy, and banks are expected to comply with the established legislation and prudential standards. APRA’s approach to the supervision of e-commerce activities, like the products and services themselves, is at an early stage and is still evolving. APRA’s approach is to visit institutions to discuss their Internet banking initiatives. However, APRA is undertaking a survey of e-commerce activities of all regulated financial institutions. The growing reliance on third party or outside providers of e-banking is an area on which APRA is increasingly focusing.

Major banks offer Internet banking service to customers, operate as a division of the bank rather than as a separate legal entity.

Reserve Bank of New Zealand applies the same approach to the regulation of both Internet banking activities and traditional banking activities. There are however, banking supervision regulations that apply only to Internet banking. Supervision is based on public disclosure of information rather than application of detailed prudential rules. These disclosure rules apply to Internet banking activity also.

The Monetary Authority of Singapore (MAS) has reviewed its current framework for licensing, and for prudential regulation and supervision of banks, to ensure its relevance in the light of developments in Internet banking, either as an additional channel or in the form of a specialized division, or as stand-alone entities (Internet Only Banks), owned either by existing banks or by new players entering the banking industry. The existing policy of MAS already allows all banks licensed in Singapore to use the Internet to provide banking services. MAS is subjecting Internet banking, including IOBs, to the same prudential standards as traditional banking. It will be granting new licences to banking groups incorporated in Singapore to set up bank subsidiaries if they wish to pursue new business models and give them flexibility to decide whether to engage in Internet banking through a subsidiary or within the bank (where no additional licence is required). MAS also will be admitting branches of foreign incorporated IOBs within the existing framework of admission of foreign banks.

As certain types of risk are accentuated in Internet banking, a risk – based supervisory approach, tailored to individual banks’ circumstances and strategies, is considered more appropriate by MAS than "one-size-fits-all" regulation. MAS requires public disclosures of such undertakings, as part of its requirement for all banks and enhance disclosure of their risk management systems. It is issuing a consultative document on Internet banking security and technology risk management. In their risk management initiatives for Internet banking relating to security and technology related risks, banks should (a) implement appropriate workflow, authenticated process and control procedures surrounding physical and system access (b) develop, test, implement and maintain disaster recovery and business contingency plans (c) appoint an independent third party specialist to assess its security and operations (d) clearly communicate to customers their policies with reference to rights and responsibilities of the bank and customer, particularly issues arising from errors in security systems and related procedures. For liquidity risk, banks, especially IOBs, should establish robust liquidity contingency plans and appropriate Asset-Liability Management systems. As regards operational risk, banks should carefully manage outsourcing of operations, and maintain comprehensive audit trails of all such operations. As far as business risk is concerned, IOBs should maintain and continually update a detailed system of performance measurement.

MAS encourages financial institutions and industry associations such as the Associations of Banks in Singapore (ABS) to play a proactive role in educating consumers on benefits and risks on new financial products and services offered by banks, including Internet banking services.

There has been a spate of activity in Internet banking in Hong Kong. Two virtual banks are being planned. It is estimated that almost 15% of transactions are processed on the Internet. During the first quarter of 2000, seven banks have begun Internet services. Banks are participating in strategic alliances for e-commerce ventures and are forming alliances for Internet banking services delivered through Jetco (a bank consortium operating an ATM network in Hong Kong). A few banks have launched transactional mobile phone banking earlier for retail customers.

The Hong Kong Monetary Authority (HKMA) requires that banks must discuss their business plans and risk management measures before launching a transactional website. HKMA has the right to carry out inspections of security controls and obtain reports from the home supervisor, external auditors or experts commissioned to produce reports. HKMA is developing specific guidance on information security with the guiding principle that security should be "fit for purpose". HKMA requires that risks in Internet banking system should be properly controlled. The onus of maintaining adequate systems of control including those in respect of Internet banking ultimately lies with the institution itself. Under the Seventh Schedule to the Banking ordinance, one of the authorization criteria is the requirement to maintain adequate accounting system and adequate systems control. Banks should continue to acquire state-of-the art technologies and to keep pace with developments in security measures. The HKMA’s supervisory approach is to hold discussions with individual institutions who wish to embark on Internet banking to allow them to demonstrate how they have properly addressed the security systems before starting to provide such services, particularly in respect of the following – (i) encryption by industry proven techniques of data accessible by outsiders, (ii) preventive measures for unauthorized access to the bank’s internal computer systems, (iii) set of comprehensive security policies and procedures, (iv) reporting to HKMA all security incidents and adequacy of security measures on a timely basis. At present, it has not been considered necessary to codify security objectives and requirements into a guideline. The general security objectives for institutions intending to offer Internet banking services should have been considered and addressed by such institutions.

HKMA has issued guidelines on ‘Authorization of Virtual Banks’ under Section 16(10) of the Banking Ordinance under which-

1. the HKMA will not object to the establishment of virtual banks in Hong Kong provided they can satisfy the same prudential criteria that apply to conventional banks,

2. a virtual bank which wishes to carry on banking business in Hong Kong must maintain a physical presence in Hong Kong;

3. a virtual bank must maintain a level of security which is appropriate to the type of business which it intends to carry out. A copy of report on security of computer hardware, systems, procedures, controls etc. from a qualified independent expert should be provided to the HKMA at the time of application,

4. a virtual bank must put in place appropriate policies, procedures and controls to meet the risks involved in the business;

5. the virtual bank must set out clearly in the terms and conditions for its service what are the rights and obligations of its customers

6. Outsourcing by virtual banks to a third party service provider is allowed, provided HKMA’s guidelines on outsourcing are complied with. There are principles applicable to locally incorporated virtual banks and those applicable to overseas-incorporated virtual banks.

Consumer protection laws in Hong Kong do not apply specifically to e-banking but banks are expected to ensure that their e-services comply with the relevant laws. The Code of Banking Practice is being reviewed to incorporate safeguards for customers of e-banking.

Advertising for taking deposits to a location outside Hong Kong is a violation unless disclosure requirements are met. Consideration is being given as to whether this is not too onerous in the context of the global nature of the Internet.

Recognising the relevance of Public Key Infrastructure (PKI) in Hong Kong to the development of Internet banking and other forms of e-commerce, the government of Hong Kong has invited the Hong Kong Postal Authority to serve as public Certificate Authority (CA) and to establish the necessary PKI infrastructure. There is no bar, however, on the private sector setting up CAs to serve the specific needs of individual networks. There should be cross-references and mutual recognition of digital signatures among CAs. The Government is also considering whether and, if so, how the legal framework should be strengthened to provide firm legal basis for electronic transactions (particularly for digital signatures to ensure non-repudiation of electronic messages and transactions).

Banks in Japan are increasingly focusing on e-banking transactions with customers. Internet banking is an important part of their strategy. While some banks provide services such as inquiry, settlement, purchase of financial products and loan application, others are looking at setting up finance portals with non-finance business corporations. Most banks use outside vendors in addition to in-house services.

The current regulations of the Bank of Japan on physical presence of bank branches are undergoing modifications to take care of licensing of banks and their branches with no physical presence. The Report of the Electronic Financial Services Study Group (EFSSG) has made recommendations regarding the supervision and regulation of electronic financial services. Financial institutions are required to take sufficient measures for risk management of service providers and the authorities are required to verify that such measures have been taken. Providing information about non-financial businesses on a bank web site is not a violation as long as it does not constitute a business itself.

With respect to consumer protection it is felt that guidance and not regulations should encourage voluntary efforts of individual institutions in this area. Protection of private information, however, is becoming a burning issue in Japan both within and outside the field of e-banking. Japanese banks are currently requested to place disclosure publications in their offices (branches) by the law. However, ‘Internet Only banks’ are finding it difficult to satisfy this requirement. The Report of the EFSSG recommends that financial service providers that operate transactional website should practice online disclosure through electronic means at the same timing and of equivalent contents as paper based disclosure. They should also explain the risks and give customers a fair chance to ask queries. The Government of Japan intends to introduce comprehensive Data Protection Legislation in the near future.

There are no restrictions or requirements on the use of cryptography. The Ministry of International Trade and Industry (MITI)’s approval is required to report encryption technolog