SPEAKERS CONTENTS INSERTS
Page 1 TOP OF DOC
FEDERAL OVERSIGHT OF
INTERNET BANKING
TUESDAY, AUGUST 3, 1999
U.S. House of Representatives,
Subcommittee on Domestic and
International Monetary Policy,
Committee on Banking and Financial Services,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:02 a.m., in room 2200, Rayburn House Office Building, Hon. Spencer Bachus, [chairman of the subcommittee], presiding.
Present: Chairman Bachus; Representatives Roukema, Green, Waters, Watt, Carson, Lee, Sherman, Inslee, and Moore.
Chairman BACHUS. I want to welcome you to the hearing of the Monetary Policy Subcommittee of the Banking Committee. We are here to consider a very exciting development. If we had tried to have this hearing in 1994, we would not have had anything to talk about, because this activity would not be a factor. We are talking about basically a brand new activity within the financial industry. The Internet and Internet banking has had an explosive growth in the last two years. It is today used by millions of consumers worldwide. It is not entirely new in that we have some experience with these electronic channels in that we have 18 ATM machines, we have credit card transactions, and they are a channel for transacting e-commerce or financial transactions. So this is really an additional channel that we have.
Page 2 PREV PAGE TOP OF DOC
Now, it is new in several regards. The most important consideration and concern is that as a channel for conducting financial transactions, this channel extends into the home. It actually extends onto the desk top. That brings on new safety and security consideration. It also means that there is an additional party which is responsible for security and for soundness and for confidentiality and that is the customer.
The customer has a shared responsibility in assuring that their transactions are safe and secure and confidential. There are several things that consumers, or customers, can do to assure that their transactions are secure. I am excited about really the partnership that is being formed between your banking institutions or your financial institutions, and when we talk about financial institutions, we are not only talking about banks, we are talking about thrifts, we are talking about credit unions, and other financial institutions, and there are some differences there that we need to look at. But I am excited that the network providers, the customers, the banking institutions, all of them are working together, and really, the financial institutions have been doing a lot of planning, they have been doing a lot of—I guess we call it in Alabama—leg work, but they have done some exciting things to ensure that this additional channel for the delivery of financial services is safe and secure.
So I think out of this hearing, there may be some concerns. There surely will be as with any new technology. There was with the horseless carriage and there will be Internet banking and commerce. But at the same time, there is a lot of good news. And, as I say, one thing that I think maybe is missed—I have read several accounts of Internet banking and a lot of time the focus is on the financial institutions and their responsibilities—I would like to stress today—and we will have additional hearings, and we may have a hearing which will focus on the customers and their responsibilities; I think that will be an important hearing. When H.R. 10 moved through the Congress, there were no provisions dealing with Internet banking. And I attached an amendment onto the legislation which asked the regulators to look at our existing laws and to see if those laws were consistent with concerns and the considerations now that we do have these new technologies. And they will be doing that and they will be reporting back to Congress.
Page 3 PREV PAGE TOP OF DOC
I think this hearing today will help and aid with that look in that the GAO and the IGs of the various regulators have been communicating, they have been discussing the matter. So I think it has been a positive having both this hearing and having that amendment.
A lot of people do not realize that a lot of our financial laws, even when we have H.R. 10, a lot of it will still be based on the 1930 laws, some of which we did not throw out, we simply amended, and there may be need for further work. At the same time, the last thing we do not want to do is we do not want for Government to get in the way of a new technology and retard it unduly. That is a final concern.
I want to introduce both the panels. We are going to hear first from the first panel, but then from the second panel. The first panel will be two representatives from the General Accounting Office. They will present the results of an extensive GAO review of how the five banking regulators examine the online services provided by various financial institutions. The main presenter will be Rick Hillman, who is Associate Director for Financial Institutions and Market Issues. He will be presenting information about the response of regulators to the growth of Internet-based banking services. He will be accompanied by Kane Wong, who is Assistant Director in GAO's San Francisco Regional Office.
I have already shared this with them, but I will share this with the audience. They have done a very fine job and I think their contribution will be significant if nothing else in identifying where the concerns ought to be focused and on what regulators, where there might be deficiencies, and I think they have identified at least one deficiency in our preparation and our regulation.
Page 4 PREV PAGE TOP OF DOC
The second panel is composed of experts from the private sectors who are knowledgeable about different aspects of online banking. First, we will hear from Mike Vaughn, who is Executive Vice President and co-founder of SBS Corporation. SBS is based in Birmingham, Alabama. SBS provides online banking and other Internet services to over a thousand community banks. Mr. Vaughn is responsible for managing software development and oversees technology related issues for both SBS and its affiliate company, SBS Data Services. That company is one of a handful of companies that supply services to some of the institutions who do not feel they can do this work in-house and that raises additional issues.
Second, we will hear from Catherine A. Allen. I included the A. Allen; is that all right? Catherine Allen. Ms. Allen serves as CEO of the Banking Industry Technology Secretariat, known to those familiar in the industry as BITS. It is a division of the Financial Services Roundtable. The BITS board is made up of the chairmen and CEOs of the largest, 14 largest, U.S. bank holding companies as well as representatives of the American Banking Association and the Independent Community Banks of America. Ms. Allen will speak about the different ways that BITS has helped shape the banking industry's response to the growth in demand for online banking services.
Their work is what I referred to earlier, or their work and others, as really being out there preparing for this, looking at these concerns before the regulators even posed questions, and so the industry—this is not something industry is not aware of. In fact, it is something that I think industry has done an exemplary job of preparing for. And I say preparing for. We are here. But they have been doing a good job.
Page 5 PREV PAGE TOP OF DOC
Next, we will hear from Stephen Katz. Mr. Katz is Chief Information Security Officer at Citigroup where he is head of the Corporate Information Security Office and is responsible or the Worldwide Information Security Program. He has been associated with information security for 24 years. Previously Steve had been with J.P. Morgan for ten years where he was responsible for their global information security. Mr. Katz will speak about how the financial services industry has developed a partnership with the public sector to help devise industry standards for security and customer protection using online banking. And I suppose that would mean your network people, your software people, and everyone along the system.
Last, we will hear from Peter Browne. Mr. Browne is division head of Information Security Services for First Union Corporation. He is responsible for providing information security policy disaster recovery—and I hope we will not have any disasters here so he will not have any role to play there—and security administration. He is also a key member of the Technology Architect Steering Committee for First Union and is currently reengineering a number of internal system and security management processes.
Mr. Browne will focus on the BITS Security Lab and the way it will help protect the security of online banking services, and I think that is a very good story to tell. So with no further delay, we will—oh, we will have a delay—oh, I am sorry, Marge.
Mrs. ROUKEMA. No, that is fine. I am here to listen and listen intently.
Chairman BACHUS. We want to welcome the Chairman of the Financial Institutions Subcommittee. That is the premier subcommittee of Banking and I think that shows the importance of the hearing.
Page 6 PREV PAGE TOP OF DOC
Mrs. ROUKEMA. Only if we work together is it the premier subcommittee.
Chairman BACHUS. We also have Representative Dennis Moore from Kansas and I want to welcome you to the hearing.
Mr. MOORE. Thank you.
Chairman BACHUS. And is that Kansas III or Kansas IV?
Mr. MOORE. Kansas III.
Chairman BACHUS. OK. From Kansas——
Mr. MOORE. Do you mind if I sit on this side with you?
[Laughter.]
Chairman BACHUS. Yes. In fact, would you? We need to replace a Member from Long Island. All right. OK. Mr. Hillman, and you can violate the five-minute rule if you need to. We look forward to hearing your testimony.
STATEMENT OF RICHARD J. HILLMAN, ASSOCIATE DIRECTOR, FINANCIAL INSTITUTIONS AND MARKETS ISSUES, GENERAL GOVERNMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE, ACCOMPANIED BY KANE WONG, ASSISTANT DIRECTOR, SAN FRANCISCO REGIONAL OFFICE
Page 7 PREV PAGE TOP OF DOC
Mr. HILLMAN. Thank you, Mr. Chairman. I am accompanied this morning by Kane Wong, Assistant Director from our San Francisco Office, who has led our Internet banking work. We are pleased to be here this morning to discuss Federal oversight of the depository institutions' Internet banking activities. Internet banking involves individuals using their personal computers over the Internet for conducting banking transactions.
This testimony summarizes our July 6 report being released today which responds to the subcommittee's request asking us to first describe risks posed by Internet banking and the extent of any industry wide Internet banking problems. Second, assess the methods used by regulators to track depository institutions' Internet banking plans. Third, assess the regulators' initial efforts to examine Internet banking activities of depository institutions. And finally, determine the extent to which regulators have examined or plan to examine firms providing Internet banking support services to institutions.
Before I summarize our findings in these four areas, I would like to briefly highlight for you some of the services available through Internet banking and chart the growth in Internet banking. As shown in the graphic of an actual transactional page from a bank's Web site, customers can carry out many kinds of transactions on a bank's Web site. By clicking on the icons along the top of the screen, they can do such things as check their account balances, pay bills or move funds between accounts. By clicking on the funds transfer icon, customers call up the computer screen allowing them to actually move funds.
Recent data——
Page 8 PREV PAGE TOP OF DOC
Chairman BACHUS. We may want to kind of move that more flat so the audience can also see it. I do not know if there is going to be a way to do that, but we can—even if you turn it that way, we can still see it. And we have copies of those here on the desk so we can view those and just go ahead and turn it that way. And we will just view our information out of the packets.
Mr. HILLMAN. In the second graphic prepared for you this morning, it shows that recent data that shows that after a steady rise, more than 5,000 U.S. banks, thrifts and credit unions now have banking Websites and that many of these Websites are fully transactional, which means they offer a full range of Internet banking services. As shown in the chart, between the end of 1995 and mid-1999, the proportion of banking Websites providing transactional capabilities has gone from virtually none to roughly a quarter of all banking Websites.
This dramatic growth in Internet banking makes it crucial that institutions and regulators understand Internet banking risks and they ensure institutions have needed safeguards in place, which brings me to the risk posed by Internet banking which is the focus of our report.
Internet banking heightens various types of traditional banking risks of concern to regulators including strategic risks which is the risk to earnings or capital arising from adverse business decisions by depository institutions; reputation risk, which is another risk that involves potential for significant negative public opinion resulting in customers taking their deposits out of an institution; another more serious risk, a security risk, which involves potential unauthorized access to a depository institution's systems and databases that could compromise customer data and result in financial losses.
Page 9 PREV PAGE TOP OF DOC
I am pleased to report this morning that regulators have found that depository institutions have not experienced financial losses or security breaches due to Internet banking activities. However, in 81 examinations we reviewed, regulators found that 44 percent of the institutions reviewed had not completely implemented the online banking risk mitigation steps the regulators had outlined. Specifically, as shown in the table being displayed, examiners identified strategic planning deficiencies for roughly a quarter of the 81 institutions reviewed.
For example, some institutions had not prepared strategic plans or had not gotten their directors to approve their plans before starting to offer online banking. 32 percent of the examinations found that depository institutions had no policies and procedures in place to address security concerns. 36 of the examinations found that banks lacked sufficient audit coverage of online banking activities, and finally 18 percent of examinations showed that institutions had not evaluated third party firms providing them with Internet banking services or lacked a written contact with it.
I need to note that too few examinations have been completed by the regulators to identify the extent of any industry-wide problems. According to the regulators, too few examinations were completed, because the regulators needed to conduct Year 2000 mitigation efforts and they had a shortage of trained staff with information systems expertise.
In assessing methods used to identify depository institutions with new Internet banking services, we found that only two regulators were systematically learning about institution's plans to provide Internet banking services and capturing this information in a central database. We are recommending that all the regulators develop methods for monitoring institutions' Internet banking plans and activities. In our judgment, they need this kind of information to stay abreast of their rapid growth and technological trends in Internet banking. It would also allow them to better plan the scope, timing and staffing of future examinations and enable regulators to provide individual depository institutions with more timely and specific risk management guidance and advice before such institutions begin providing these services.
Page 10 PREV PAGE TOP OF DOC
In our third area of attention, we found that most regulators were developing, testing or implementing new online banking procedures, but that their approaches varied. For example, because Internet banking is a relatively new and evolving banking activity, FDIC and the Office of Thrift Supervision require their examiners to thoroughly examine an institution's Internet banking activities during their first examination after those activities were implemented.
The Federal Reserve and the OCC did not. We also found that the National Credit Union Administration, which reported a significant diversion of resources due to work-related to the Year 2000 computer problem, was the only regulator that had not developed an Internet banking examination program. While some differences in how the regulators oversee Internet banking are to be expected at this early stage, we are recommending that they share information about their experiences supervising Internet banking so as to implement examination methods that work best. We are also recommending that the National Credit Union Administration develop an effective examination program.
The final area of our report looked at the regulatory oversight of third-party firms providing Internet banking support services. Over time, the regulator's authority to review these firms has become more important as institutions have contracted out an increasing proportion of their operations. Our work indicated that the regulators are in the early stages of determining what they need to do to oversee these firms. In doing so, the five regulators initiated a joint study of Internet banking services provided by third-party firms. The regulators have met with five of the largest firms to date to obtain a greater understanding of the services and security features provided to depository institutions and the regulators plan to summarize their findings in their report to the FFIEC later this year.
Page 11 PREV PAGE TOP OF DOC
We are encouraged by these efforts and have recommended that the regulators go on to develop plans and a timetable for oversight of these important support services. Before leaving the oversight area, I would like to mention that the National Credit Union Administration's authority to examine firms providing Internet banking services expires in seventeen months on December 31, 2001. If this authority is not extended, NCUA will not have the authority provided to other Federal banking regulators. This is of particular concern, because credit unions offering Internet banking services rely heavily on these firms for services they do not provide for themselves either because they do not want to or because they lack the capability.
NCUA agrees with the need to retain this authority and will be asking Congress to extend its oversight responsibilities in this important area. Mr. Chairman, this concludes my formal statement. If you or other Members of the subcommittee have any questions, we will be pleased to answer them.
[The prepared statement of Richard J. Hillman can be found on page 36 in the appendix.]
Chairman BACHUS. Thank you, Mr. Hillman. You have identified a number of things that you think regulators can do better including share more information, require advanced notice of banks or other financial institutions when they plan to introduce online services, and that they pay more attention to the activities of third-party service providers. Which issues are most important and what can or should Congress do to see that these concerns are addressed?
Page 12 PREV PAGE TOP OF DOC
Mr. HILLMAN. Probably the number one concern that we have based on the study that we have conducted is that the National Credit Union Administration has been unable to effectively develop an Internet banking examination program and has virtually conducted no examinations to date. This is a particular concern to us since the credit unions are typically ones most in need of advice and guidance in this important new and evolving area.
Chairman BACHUS. Do you think that it is a matter of not having the resources or the financing to do that? I am not aware of any additional appropriation they have asked the Congress, but——
Mr. HILLMAN. The National Credit Union Administration is aware of its need to beef up its resources in the information systems area and is beginning to do that. However, at this time, they are still woefully short in the expertise that they need to cover this area. The Year 2000 computer problem has proven to be a particularly sticky problem for all of the regulators and it has challenged their abilities to cover not only the Year 2000, but other important applications like Internet banking. From the National Credit Union Administration's standpoint, they have really spent all of their effort in the Year 2000 area and have been unable to focus needed attention in the Internet banking area.
Chairman BACHUS. I see. Thank you. At this time, I will yield to Ms.——
Mr. WONG. Excuse me, Mr. Chairman. I would like to add one point to Mr. Hillman's comment. I think another thing that is important in addition to the NCUA is banking regulators getting a better sense of really what are the issues facing the banks as they deal with Internet banking. As we mentioned in our report, too few examinations have been conducted for the regulators to determine the extent, if any, of the problems that the Internet might be posing to the financial institutions. As such, I think it is important for the regulators to get a better understanding system-wide, if you will, throughout the industry so that they can better provide the necessary guidance to the industry as a whole and as we found more specifically to individual institutions. We think that these regulators can provide what we call advisory assistance to some of the institutions that are not totally familiar with the need for adequate security.
Page 13 PREV PAGE TOP OF DOC
Chairman BACHUS. Thank you, Mr. Wong. I do think I want to ask one other question. I mentioned in my opening statement that we have moved this system actually onto the desk top and the consumer, or the customer, now has a shared responsibility. Banks can assure that their own internal systems are safe, sound and secure, but if individual customers do not take measures to protect themselves, the security of their experience cannot be assured. Did you all, when you took a look into this area, did you look to see whether banks or other financial institutions were making these risks known to their customers or whether the customers appreciated those risks?
You know we hear in other areas do not use a PIN number that is your birthday or do not use a PIN number that is your address or your telephone number. Has there been information sharing between the institutions?
Mr. HILLMAN. There has been a fair amount of information sharing. Number one, the regulators have provided a great deal of guidance to depository institutions on the types of concerns that they need to be aware as they implement the Internet banking systems. In addition, the depository institutions' Web pages themselves provides a great deal of useful information to consumers as to what they need to be aware of as they prepare to engage in the Internet banking activity.
While we have seen a significant amount of information, as many times as you talk about the responsibilities from a consumer's standpoint, you cannot talk enough about it, and I agree with you wholeheartedly that the individual shares in responsibility with the depository institution for ensuring a safe system.
Page 14 PREV PAGE TOP OF DOC
Chairman BACHUS. OK. Thank you.
Ms. Carson, do you have questions?
Ms. CARSON. Yes. I just wanted to say that you state in your report that there is predicted to be a huge increase in the number of institutions that plan on providing online banking in the near future. Could you expound on the rate of that movement and give us your thoughts as to why it is expanding so quickly? And do you have any specific concerns about the rapid growth in that industry and—well, there were a lot of questions, but we got to go vote so I will just stop there.
Chairman BACHUS. What we could do is go ahead and field that question, and it is a fifteen minute vote, and maybe use that.
Ms. CARSON. In H.R. 10, that was a lot of concern, too, about the privacy and all that. And I was wondering how consumers would be exposed by enhancing their participation online?
Mr. HILLMAN. Well, you are absolutely right about the growth. We charted the recent growth from December 1995 to June 1999 in the growth in Websites and transactional Web pages. Statistics about the future even call for even more dramatic growth. In 1998, for example, 6.6 million households used the Internet to conduct Internet banking activities, and by 2003 the number has been projected to grow from 6.6 million to something over 32 million. The number of depository institutions using Internet banking services has grown from a projection of about 1,100 to over 15,000 by the year 2002.
Page 15 PREV PAGE TOP OF DOC
So today, what we are finding is that the regulators are just in the beginning of looking at this Internet banking activity and we feel it is vitally important that they step up their activities because of the large growth projection that we are seeing.
From a privacy standpoint, we have not found to date that there are any additional issues associated with privacy that have not already been discussed in other banking transactions and activities, but it is something that we would like to pursue further down the road.
Ms. CARSON. Do you have any Y2 concerns with the rapid growth in the industry?
Mr. HILLMAN. From a Year 2000 perspective?
Ms. CARSON. Yes.
Mr. HILLMAN. As you introduce new applications toward this latter half of this year, there are always concerns as to the extent to which those applications are adequately prepared to handle the Year 2000 computer problem. We are comforted by the work from the financial services industry as a whole from a Y2K perspective. They seem to be a leader across the sectors of the economy not only here in the United States, but across the world as well. However, the specter of the Y2K is something that we have not reached yet and are still keeping our fingers crossed.
Page 16 PREV PAGE TOP OF DOC
Ms. CARSON. We have rumors abound in my district and I guess in other parts of the country that people should go get their money out of the bank toward the end of the year.
Mr. HILLMAN. Chairman Greenspan expressed his comments last week about this subject area where he said that the banking system was probably more reliable place to keep your money than in your own possession from a Y2K perspective.
Chairman BACHUS. I think the burglars' union is spreading that.
[Laughter.]
Mrs. ROUKEMA. It would be better than under the mattresses; is that what you are saying?
Ms. CARSON. I think the banks are spreading the rumor.
Mr. WONG. That is right, Mrs. Roukema.
Mrs. ROUKEMA. I do not know whether or not we will have time to go into this. I want to present this question to you and I would like to present it even if I cannot get back for the second panel. I am hopeful that I can, but if I cannot, then I want to present it in writing to the second panel as well. I have heard what you have said about the regulators and they have not been coming up with timely and appropriate recommendations. I do not know how much of that lapse has been the result of things being too complicated, or is it indifference or lack of attention?
Page 17 PREV PAGE TOP OF DOC
Therefore, the question I want to know is aside from further recommendations, should we be setting some sort of standards, maybe even statutory requirements, on what the regulators should be doing in this area, before we have some terrible kinds of reports of abuse or breakdowns that are really serious? I have not heard anything in terms of specificity here. We know what they are not doing, but I do not know why they are not doing it, and maybe we have to make more demands on them in terms of setting the standards. I do not know whether, Mr. Chairman, you can just say one of two words on that and then submit it in writing for the subcommittee?
Mr. HILLMAN. We would be pleased to do that.
Mrs. ROUKEMA. Can you do that? I am sure based on your own examinations, you must have some strong feelings on the matter.
Mr. HILLMAN. Yes, we do. We would be happy to provide those in writing. Let me say, in short, that there are two real reasons why the regulators have not focused the attention we feel is necessary to assess their online banking activities. Number one, as we have discussed, is the Year 2000 computer problem. Number two is the issue that the regulators themselves seem to be stretched very thin from an information systems expertise standpoint and are really not able to cover the waterfront, if you will, from the Year 2000 problem as well as other major systems.
Mrs. ROUKEMA. I hope you will give us more information on that, the question of what is known and what is more likely unknown. Would you like to comment just briefly?
Page 18 PREV PAGE TOP OF DOC
Mr. WONG. No, I just wanted to reinforce Mr. Hillman's comment that a lot of the problem is the lack of expertise and what we are finding is that the regulators are competing with the industry to get what we call information specialists. These are people that really understand the ins and outs of a computer system, and as such, these are the people that are needed to really determine whether the computer systems are adequate. And so as the regulators gear up, if you will, they are going to find it increasingly difficult to get these people with expertise.
Mrs. ROUKEMA. Well, thank you again. I would like a more thorough, more comprehensive response from you and I will be submitting the same question to the second panel. Thank you, Mr. Chairman.
Chairman BACHUS. Thank you.
The gentleman from Wisconsin, Mr. Green.
Mr. GREEN. Very quickly, because we will have to go to vote, but I would hope that, not just that this panel, but the other panel would also provide some information on the users of online banking. If you can give us some information on what the average user is like, what the trends are in terms of who is utilizing these services? Are these primarily businesses that are utilizing these services? I would suspect it is, but growing in the area of individual consumer utilization of online banking, but I think that would be very useful from the panel for us to find out who the users are on this and whether or not there are deficiencies in terms of consumer protections for the users. And perhaps if you have that information, if you could provide it in writing, that would be very helpful, because I know we have to go vote.
Page 19 PREV PAGE TOP OF DOC
Mr. HILLMAN. We would be pleased to respond to that in writing, sir.
Mr. GREEN. Thank you.
Chairman BACHUS. Thank you. I want to ask one final question. Obviously this is something that consumers should ask themselves, but how many of the online banking services are not federally-insured? Did you look at that?
Mr. HILLMAN. Well, each of the depository institutions are federally-insured. Whether or not you are providing your deposits through Internet banking or through your personal teller, those funds would be secured.
Chairman BACHUS. OK. But you could have online banking services being offered by, I guess, non-federally-insured institutes, but, of course——
Mr. HILLMAN. The third-party firms that are providing Internet banking services do not carry with them a Federal guarantee. But since they are under contract for the depository institution, that institution is insured; therefore, the deposits of the customers would be covered.
Chairman BACHUS. OK. All right. And I will—OK. I think we will dismiss the first panel at this time. Well, I tell you why do we not hold you till we come back, see if any of the Members come back, and we will ask a few—I think we will ask a few additional questions. We are going to recess the hearing. We have four votes on the floor of the House. The first one is a fifteen minute vote which is probably almost over. Then we will have three five-minute votes, so why do we not simply recess until ten after. That will be our target time. Thank you. At this time we are recessed.
Page 20 PREV PAGE TOP OF DOC
[Recess.]
Chairman BACHUS. All right. We are going to reconvene the hearing and we have to be out of this room by 12:30 so we are going to go very quickly. If we can, I do want to ask you two additional questions. First of all, what level of cooperation are the Federal regulators having with State regulators in the area of online banking? And either one of you gentlemen.
Mr. HILLMAN. We have not really assessed the extent of coordination being done between the Federal regulators and the State regulators in this area, but it is something that we could provide for the record for you.
Chairman BACHUS. OK. Great. I am just going to ask you this. This is a prepared question, but we seem to be talking today about online banking as represented by transactions over the Internet, which most conceive of as transactions over some form of telephone fiber or fiber-optic cable. However, earlier versions of wireless Internet use have been with us for several years and the current crop of cellular telephones is starting to demonstrate Internet capacity. As it is difficult to imagine someone with such a device not wanting to do banking with it, it seems prudent to ask if the security challenges of wireless Internet use are not much higher than wired use and—are you following this question?
[Laughter.]
Mr. HILLMAN. Yes, I am.
Page 21 PREV PAGE TOP OF DOC
Chairman BACHUS. OK. And how well will the industry deal with that further challenge? How well are the regulators positioned to evaluate such a challenge?
Mr. HILLMAN. Right now it is our understanding that the majority of Internet banking transactions are being conducted through wire transfers, but you are right, there are discussions within the industry about moving out into a wireless environment.
Chairman BACHUS. Wireless. And I guess I will just rephrase that question. Are there challenges on wireless communication that are not present in wired use transactions?
Mr. HILLMAN. That is an additional area of security that the regulators and the depository institutions themselves need to be aware of, Mr. Chairman. The activities over a wireless activity do present them with additional challenges, additional vulnerabilities. Certain tools that are being used to engage in security features over the wire are different than those tools used by individuals on a wireless environment. So it is another area where the regulators would need to get up to snuff on the security features and to help ensure that the customers are being protected.
Chairman BACHUS. OK. That is the last question and I appreciate your work on that.
Mr. HILLMAN. It was our pleasure.
Page 22 PREV PAGE TOP OF DOC
Chairman BACHUS. Thank you. We will dismiss the first panel and ask the second panel to take their seat. I want to welcome the second panel and I think what we will do is, first, we will hear from Mike. We will start with you and then from Ms. Allen and then Steve, you will go third, and Peter, you are going to sum up; is that right?
Mr. BROWNE. No, I think we will switch. If it is all right, I will go third, and then Steve, fourth.
Chairman BACHUS. OK. Great. Yeah. And is that fine or would you rather, Catherine, should she start out?
Ms. ALLEN. I will start and then Peter and then Steve, if that is all right with you.
Chairman BACHUS. OK. On the three, but——
Ms. ALLEN. But you can start with Mike, then our three.
Chairman BACHUS. OK. Mike, why do you not go ahead? You can start.
STATEMENT OF MICHAEL H. VAUGHN, EXECUTIVE VICE PRESIDENT, SBS CORPORATION, BIRMINGHAM, AL
Mr. VAUGHN. Mr. Chairman, thank you for inviting me here today. I welcome the opportunity to share my assessment of the challenges of the Internet banking and the necessary steps to protect the safety and privacy of the public in using this technology.
Page 23 PREV PAGE TOP OF DOC
SBS Corporation is a third-party firm providing Internet banking support services as referenced in the General Accounting Office testimony given today. Most of our clients are community banks having assets of less then $1 billion. In the context of this testimony, I am referring to these community banks when I use the term ''bank.''
When assessing the challenges of Internet banking, I break the risks down by three categories: overt, common and strategic. All of these risks can be mitigated through the implementation of proper technology coupled with diligent and professional operation following safe and sound policies. Internet banking combines private financial data including monetary transactions with complex technology and communication through a public medium, the Internet. There are many overt, sensationalized, yet legitimate, risks in doing this.
Overt risks tend to involve security issues. Some of these risks include: theft of private information in transit on the Internet: unauthorized access of the bank's database; criminal creation of fraudulent monetary transactions; vandalism of the bank's Web site with electronic graffiti; disruption of the accurate functioning of the Web site; a complete shutdown of the Web site and a denial of service to customers; and the creation of a totally fraudulent bank or the usurpation of a legitimate bank site by criminals.
Sources of these risks range from the casual voyeur or thrill seeker with no intent of harm to entities intending a truly malicious attack. They include, for example, determined hackers bent on cracking a site just as a trophy; children with freely available and automated hacking tools; people who would deface or disrupt a site for reasons we may never understand; traditional yet technologically savvy criminals; or terrorists seeking new forms of attack and seeing American financial institutions as highly visible targets.
Page 24 PREV PAGE TOP OF DOC
The implementation and proper use of today's encryption, firewall and intrusion detection technologies mitigates these overt risks.
Common risks are those associated with any computer operation such as Year 2000 issues; mechanical failure; software bugs; human operator error; loss of trained personnel through employee turnover; computer viruses; lack of system capacity to handle the workload; power failure; disruption of communication lines; or a lack of disaster recovery capability in the case of a catastrophic event such as a fire, tornado, hurricane or earthquake.
These common risks can be mitigated with proper management and by following professional information system guidelines for operating mission critical systems.
Strategic risks are usually ongoing or indirect and harder to define and measure. These risks include software for the customer that lacks intuitiveness and is frustrating to use; rapid obsolescence of hardware and software requiring unplanned upgrades; keeping up with the emergence of new security risks and their counter measures; the ongoing rapid pace of development in hardware and software creating significant education and training challenges; lack of knowledge to manage this complex environment; and law enforcement preparedness.
In addition to the obvious potential for direct financial loss from any of these types of risks, the bank also risks damage to its reputation and erosion of its customer base.
Privacy loss is the single greatest risk facing the public on the Internet. A cornerstone of ensuring privacy is the use of data encryption. Employing encryption is straightforward and to the best of my knowledge used in all Internet banking applications. Beyond addressing privacy issues by ensuring a secure Internet banking environment for the public, the bank should assess third parties involved in Internet banking for trustworthiness. All third parties with access to confidential customer information should be under contractual obligation to keep such information confidential and to restrict its use to the fulfillment of the contract.
Page 25 PREV PAGE TOP OF DOC
Key pieces of identifying information such as a customer's PIN, password or account number should not be displayed on the customer screen and should be masked from casual over-the-shoulder observation. Internet banking sessions should automatically terminate if idle too long in order to protect customers who leave their PCs unattended once they have entered their password. The bank should caution customers that e-mail, in general, is not secure and should be used for confidential matters. The Internet banking software should have its own Internet secure method for sending and receiving confidential information.
To ensure the proper implementation of Internet banking, there must be independent validation and ongoing verification. Let me describe some of the steps that SBS has taken along these lines. SBS has received an ICSA TruSecure Web Host Compliance certification. The ICSA is a worldwide provider of Internet security assurance services. To receive this certification, SBS had to meet stringent guidelines verified by external electronic analysis that tested our security vulnerabilities as well as undergo an on-site physical audit. The ICSA continues this electronic analysis on an ongoing basis.
To verify that we follow adequate and sound practices in our operations, we contract with an external auditor to perform a SAS 70 audit. To verify that our systems are available to customers, we contract with an external Web site monitoring service which accesses our systems through the Internet 24 hours a day. We are notified immediately if it is detected that our service becomes unavailable or even has a slow response.
As a third-party provider of services to banks, SBS is subject to regulatory examination under the Bank Service Company Act. In April of this year, during a joint regulatory Year 2000 readiness exam led by the OCC, a brief overview of our Internet banking system was conducted.
Page 26 PREV PAGE TOP OF DOC
As a third-party firm, SBS welcomes the regulatory oversight of our operations. We view examinations by regulators almost as a service provided to us and as assurance to our clients that SBS is following safe and sound policies and procedures. In June of this year, we participated in an FFIEC study of third-party providers of Internet banking services. We appreciated the opportunity to present a detailed overview of SBS' Internet banking and received feedback from a room full of examiners representing all five regulatory agencies.
This study was primarily concerned with identifying risks to the supervised institutions and developing best practices for risk management, examination and supervisory oversight. One of the challenges to Internet banking is the readiness of the regulators to meet the goals of this study. Given the accelerating pace of growth in Internet banking and the rightful allocation of limited regulator resources to the higher priority Year 2000 computer problem, I hope there is continued cooperation between the regulators, perhaps under the auspices of the FFIEC. I would recommend the joint development of best practices to help ensure the timely implementation of consistent practices in all financial institutions regardless of the supervising regulatory agency.
Another challenge to Internet banking will be finding examiners with appropriate expertise and training in information systems to perform detailed examinations. This issue can only be addressed with the proper allocation of personnel and time. My understanding is that the OCC uses information system specialists in this role. I applaud this approach, but I think it would be wise that all examiners are familiar in general with the appropriate best practices being developed.
Page 27 PREV PAGE TOP OF DOC
In summary, the acceptance of the Internet banking by both banks and the public has already reached statistically significant levels. The technology and expertise exist to mitigate the risks involved and assure the public's safety and privacy if privately implemented. Due to the significant resources required to achieve this assurance, I predict that most community banks will outsource Internet banking to a trusted third party. There will be additional benefits from this practice such as allowing for concentrated and coordinated examinations by regulatory agencies. Another benefit will be that when a given bank rolls out its Internet banking offering to the public for the first time, it will actually be rolling out a system well tested and in general use by other banks.
Even when using a third-party service, a bank has responsibilities that it cannot outsource. The four types of weakness in risk mitigation discussed in the GAO testimony involve responsibilities that the bank must retain. Mr. Chairman, this concludes my prepared statement. I will be pleased to answer any question you or other Members of the subcommittee may have.
[The prepared statement of Michael H. Vaughn can be found on page 120 in the appendix.]
Chairman BACHUS. Thank you.
Ms. Allen.
STATEMENT OF CATHERINE A. ALLEN, CHIEF EXECUTIVE OFFICER, BITS, THE FINANCIAL SERVICES ROUNDTABLEE
Page 28 PREV PAGE TOP OF DOC
Ms. ALLEN. Good morning and thank you, Mr. Chairman.
Chairman BACHUS. Let me just interrupt and say that the FF—what—IEC?
Ms. ALLEN. FFIEC, yes.
Chairman BACHUS. The GAO and I have had some extensive conversations on this and they have been working with the FFIEC and so we are aware of that as a great place to coordinate the efforts, and I am going to—in fact, after you said that, I am going to submit two questions to the GAO in this regard asking them what has been done.
Ms. ALLEN. OK. Thank you for the opportunity to appear before the subcommittee. In the essence of time, I am going to give some brief remarks and not go through the whole testimony. Let me dispel three myths about the Internet and Internet banking. The first myth is that security is just the responsibility of the financial services industry. It is really a responsibility of everyone that is involved in e-commerce, because security on financial transactions can be privacy related, it can be information-related, it can be any kind of interaction. What we are dealing with is a larger problem than just financial services.
The second myth is that the Internet is only for techies and the young. The fastest growing age group using the Internet is 55 plus. It means people who are older who are retired or going into second careers have the time and have learned to use PCs and the Internet. They start with e-mail; then travel planning; then third is financial services. And, as you know, a significant amount of wealth in this country is in that age group. Do not believe this is just for college kids.
Page 29 PREV PAGE TOP OF DOC
The third myth is that consumers are at risk for losing their money in online banking. Consumers are protected under Reg E. We are already regulated for online banking under Regulation E if it is a federally-insured depository institution. If a breach or something were to occur, the customer is protected for their amount of money. Some people do not realize that. I wanted to make sure we start with dispelling those myths.
I am here along with my colleagues, Peter Browne from First Union and Steve Katz from Citigroup, to talk about what the financial services industry is doing in the security area, and specifically to discuss some efforts around a BITS Security Lab that has been created and an information sharing database. You will be hearing from Peter and Steve about those specific issues. As you mentioned, the Financial Services Roundtable has as its membership some of the largest financial institutions in the United States. BITS was created by the chairmen and CEOs to be, in essence, a SWAT team for the industry on e-commerce— to help drive standards, to look at the areas of security and privacy, on behalf of the financial services institutions. Our focus has really been in particular on security.
There have been a number of activities over the past two years since BITS' inception—looking at the role of certificate authorities and authentication; looking at what we call end-to-end security—where are the gaps that may occur in the transactions that occur from a customer, or consumer, all the way to the bank and back? The other thing that we have looked at is the critical infrastructure. We were part of this study, the President's Commission on Critical Infrastructure Protection, and provided information for that evaluation. We have been actively involved.
Page 30 PREV PAGE TOP OF DOC
Over a year ago, we started to meet with vendors on specific technology security related issues around the PC, the desk-top environment. Peter Browne will tell you more about that and the outgrowth of that being the Lab. Our board of directors, which is made up of the chairmen and CEOs of the largest financial institutions, is very actively involved. We meet physically twice a year, we have conference calls, we have monthly meetings with their CIOs and CTOs, so this security area is something that has very heavy involvement from the financial institutions in shaping this and all of the work that has been done on the lab and security testing. I have a small staff. I am saying that for you to know how much we are involved.
You mentioned that the Internet is explosive and one of the congressmen asked for more specific information. By the year 2000, one more year, we are expecting to have 45 million households in the U.S. that will have PCs and modems. That means the capacity to be online will be 45 million households. Today, PC banking or Internet banking is only around three percent of the households. It is expected to grow dramatically to about 28 percent of the households by next year. So we almost have a quarter of households shifting into Internet banking.
The majority of Internet transactions, however, are in B-to-B—business-to-business—commerce. E-commerce is a world of business-to-business commerce so in very large corporations it is all transacted electronically. There is increasing growth in the small- to medium-size businesses, and what has happened is tremendous growth in spinoffs, in small start-offs, in a number of rural areas in this country. Because of the Internet, it has allowed these businesses to grow. So it is really helping the economy, just not in major urban areas, but all over this country. I happen to live in Santa Fe, New Mexico, and there are a number of Internet startups that are based in a town of 50,000 people.
Page 31 PREV PAGE TOP OF DOC
The financial services industry understands the need for rigorous attention to security. It is the basis of our business. We are in the risk management and trust business. Not only is that the essence of what we do, but it is also part of our regulatory responsibility. We do think that responsibility needs to be shared. BITS, from its beginning, has included the OCC, the Fed, the Department of Justice executives, and some of the Congressional Banking Committee Members in its forums and its workshops, to make sure that we had a partnership in understanding what we needed to do in this particular area.
We have a Security and Risk Assessment Steering Committee made up of the security experts of all the financial institutions that really are driving the efforts in this particular area. The actions we have taken, as I mentioned, have included the development and opening last week of a BITS Financial Services Security Laboratory that Peter will talk to you about, the establishment of a BITS-tested mark, like an Underwriters Laboratory or Good Housekeeping seal, that will allow consumers and businesses to understand that this browser, or this piece of software, or this server, meets the security criteria standards that we are setting on behalf of the industry.
Let me take a second here to talk about why this is important to us. Outside of the Department of Defense, the financial services industry has the highest needs for security. Again, it is our business, trust, but it is also because we have a financial, a fiduciary responsibility, to our customers. We have met with a number of the DOD units. The Under Secretary of the Navy, Jerry Hultin, last week at our opening, announced that the Navy hopes to standardize around the BITS criteria. This not only helps in lending credibility to the need for common criteria and standards which the financial services industry has set, but it helps us to go to the technology providers, and say, ''We are the buyers of technology, we need for you to respond to us on these particular security issues.'' This is what has been effective.
Page 32 PREV PAGE TOP OF DOC
We have been a catalyst in the development of the Information Sharing and Analysis Center that Steve is going to talk about. We have worked with Sandia Laboratories on the President's Commission on Critical Infrastructure Protection, and conducted numerous forums and sent alerts to the financial institutions about viruses like ''Back Orifice,'' created by the Cult of the Dead Cow, and we also continue to conduct research and share that with the industry.
We believe consumers have a big part in this. As you know, as you move towards distributed architectures such as the Internet and PC environment, it changes the types of risk management that we can do, and the types of techniques that we need. There are a number of things that customers can do. All of our banks in the Financial Services Roundtable have information that they share with customers in the online environment to tell them to download anti-virus software or to not share their PIN numbers or pass codes, to be knowledgeable about online banking, to bank only with federally-insured institutions, because that is the only place that you will have the coverage of regulation.
You asked the question earlier, ''Can others provide Internet banking?'', and some who are trying to do that are not federally-insured organizations. Other things consumers can do are to limit access to the PC. You cannot control what your teenager is doing on the PC, and sometimes if they are in the Internet environment going to chat rooms and then going into banking, you do not know if a virus may have somehow gotten from the Internet into your PC. We tell our customers not to open any unauthorized attachments. ''Back Orifice'' is an example. It was a virus that came through an add-on to an e-mail that said, ''We have got some news for you.''
Certainly to install and regularly update virus detection and eradication software and to make sure that the browser you are using is as secure as possible are other ways consumers can help. All these issues—the security devices, the browsers, software—are things that the BITS Security Lab is going to address, developing the standards, and then certifying for that.
Page 33 PREV PAGE TOP OF DOC
In terms of recommendations for Members of Congress based upon the GAO report, first of all, we commend you for having this hearing, because we think there needs to be a partnership in education to let all the parties, the stakeholders, as we call them, which are the regulators, the financial institutions, the technology providers, and our customers, take a share and a partnership in providing the highest levels of security as possible. So more education or hearings, as you mentioned, on customer responsibility would be excellent.
To endorse the work of the industry, in particular the BITS-tested Mark, as a way of setting standards and criteria, would be helpful. The fact that your amendment is requiring the FFIEC or the agencies to report back what they are doing is an excellent move. We have presented also with the FFIEC—I have a hard time saying that—FFIEC, so that they know what we are doing and are actively involved in what we are trying to do with the Security Lab and the ISAC. And lastly, work collaboratively with us. We have not yet seen any major breaches, certainly no customers have been harmed to date, but we are concerned about the future. We are trying to be proactive and very cautious about this.
The Internet brings great joy, great business opportunities, and certainly high levels of productivity for our economy. Alan Greenspan has been quoted that he feels that the information technology arena is what is driving the robust economy that we have today. One of the issues is how are the things that we are doing at BITS and the Roundtable translated to the community banking environment? We have representation from the American Bankers Association and the Independent Community Bankers Association on the BITS Board of Directors. They also participate in the working groups, and through them, we are disseminating information. But the most important thing we are doing is developing the criteria and standards for security and a mark that will ensure that any bank, whether it is in Tupelo, Mississippi or whether it is Citigroup, has the same level of security in the browser, software, networks and so forth that they put in.
Page 34 PREV PAGE TOP OF DOC
We thank you for this opportunity to testify. I will remind you that we are not lobbyists. We are technology experts and we may not do this quite the right way, but we would be happy to provide the subcommittee, subcommittee, or you any information or serve as technological advisors, in any future activities that you have.
Let me introduce now Peter Browne, who is Senior Vice President from First Union, one of the leading experts in security technology in the United States.
[The prepared statement of Catherine A. Allen can be found on page 131 in the appendix.]
STATEMENT OF PETER A. BROWNE, SENIOR VICE PRESIDENT AND DIVISION HEAD, FIRST UNION CORPORATION
Mr. BROWNE. Thank you. Thank you, Mr. Chairman, and distinguished Members of Congress, including my own representative Mr. Watt, my own district. I bring 30 years of experience in this field in a corporate role, as a consultant, as an educator, and once even as a vendor, and have seen over these periods of 30 years, you know, some sea changes in terms of how technology is used and in how that technology is protected and controlled and managed. We are at that stage now. I see this in terms of some of the reasons for these hearings. But in those 30 years and in maybe the 30 years prior to that, the essential processes of protection and control have not changed. You still have to access control and auditability and these precepts of protection and control.
Page 35 PREV PAGE TOP OF DOC
They just now are somewhat different terms of the online world, the Internet world and the like. And so I think the message that we are really trying to say is that this is not a revolution, but an evolution. It is an evolution that may go faster, but it is still an evolution in how we control, and I think we are trying to say that we are working to step up to those challenges and to those needs.
So I want to talk specifically about the BITS lab, but also want to conclude with some of the things that we are doing as an industry and as individual institutions to deal with these issues of protection and control. The banking industry always has brought some expertise in this area, because, again, as Cathy mentioned, Catherine mentioned, and I think Steve will follow me in saying, is that we are selling or we are requiring ourselves to be in a position of trust. And so in the past, you walk into a branch, you use the safety deposit box, you collect money or give money, and you trust the fact that there is security and protection in the physical sense. And now we have to work and we are working on that same level of trust in a logical sense, especially when the bank is your comfortable easy chair at home or even on the beach with an online device.
So as far as public concerns about security, the establishment of the security lab, I think you will see, and you will agree with us, is a landmark event. So we do want to talk about that. Incidents of cyber crime and intrusion and hacking into computers do occur, just as if in the credit card, there are credit card frauds, and if you write checks, there are check kiting schemes that exist, and we in the industry have to deal with these in turn. So we are dealing with the issues of how people are trying to break into our systems, and that is a long story—and some of the mechanisms we use—for some other time.
Page 36 PREV PAGE TOP OF DOC
And the point to make there, of course, is as customers are protected in a credit card carbon transaction from fraud or someone stealing their card and misusing it, they are also protected in an online world by our processes and our procedures. We make them right.
Now let us talk about the BITS Security Lab. The creation of this, as Catherine mentioned, evolved over some work that our risk assessment, Security and Risk Assessment Committee under the BITS offices, comprised of people like ourselves—Steve and I both are on that committee; I co-chair it—have been working for years, and we did some vendor visits last year to some of the major household name vendors who supply products that can be used by consumers such as browsers or a product that is used by the financial services industry to deliver online products and services, and we got to them at pretty high levels and got commitments from them that, yes, indeed, they consider we as an industry, a major customer, and that they consider our needs for protection, control and security of paramount importance, and we actually got some commitments to intersperse in the software product life cycle development process agreement in terms of how they would consider security and our own particular needs. But it went beyond that and what evolved was the idea is if there were an industry unified approach toward testing these products for security and control, then it would benefit a lot of parties including them as vendors, because now they have a unified set of requirements from a major industry bloc of customers.
It would benefit the industry, the banking, we who are in the industry as providers of service to our customers, because now we would have at least a baseline layer or level of security and control. It would benefit the consumer in terms of some peace of mind and recognition that the due diligence had occurred, and that these products that they were using then were tested and validated for security, because in time after time if you do focus groups and customer surveys, one that popped up right at the top of the concerns by customers is, indeed, the security of this online Internet new world for them.
Page 37 PREV PAGE TOP OF DOC
So a lot of people agreed that such a process, such a capability, would be a win-win-win for all sorts of segments, and if the regulatory people that we have talked to in the Government added their fourth voice to those win-win-win-win now. So the notion of the lab grew out of that and then through a lot of very, very hard work by ourselves and our partner Global Integrity and others, we have evolved to the point where this lab was open for business as of last Wednesday and some of you were there and I hope you realize that with the support that it got.
The notion of the lab is an issuance of what we call a BITS tested mark and the BITS tested mark, very, very similar to the Underwriters Lab mark, at least the intent is that it would be, in that if a product, and we are talking about a product being certified as it were or validated via this BITS testing, not certified by the way—that's different—but tested through this BITS tested mark, then it met the criteria. These criteria would be published and known and they would be baseline standards of what protection is needed in the given product, and so that notion now has been refined and documented and articulated in a series of documents including criteria and product profiles, as it were, with more to come as the product scope of testing evolves over the next six to nine months.
Anyway, so a product, let us just say it is a browser, OK, well, OK, a browser, that is a good example, has certain levels and if you use a browser today, and you do buying on the Internet, you will have a security mark, and that browser may have varying levels of security for you or encryption. And a 40 bit level of encryption has been proven not to be enough to protect financial transactions, but 128 bit level encryption generally is.
Page 38 PREV PAGE TOP OF DOC
Well, these products like the browsers would be tested for what they actually employ. And if 128 bits is the minimum standard for encryption, then that would be validated by the testing process and the results of the testing process then becomes a report which is then issued, in this case, to the financial community, and made available by the vendor, to other parties as the vendor would see fit to validate, again, the security of that product.
So we have gone through a process of developing the criteria, baseline and framework criteria, and we have gone through a process of building some of the product profiles that would then be used. And so this product profile for electronic bill presentment, software, both at the desk top or client level and at the provisional level or that which we would deploy within the financial services industry. And others are in process right now. And we will be testing security products that just provide security in the infrastructure and customers may never see. We will be testing applications such as bill presentment, which is a very hot type of application now in the industry, and we will be testing products that do things like browsers, and then we may even be testing products which provide the operating environment, and all that is underway.
So the testing then is designed to provide the subjective evaluation against known and published security criteria, and of course as time goes on and as new technology comes in place or as new types of vulnerabilities are made available to the hacking or community and thus to the people who have to prevent and protect against the hacking community, cracking community as it is known, then, of course, these criteria will change and evolve and have to to meet the ever-changing landscape of threatened vulnerabilities.
Our partner in this is Global Integrity, which is a division of Science Application's Corporation, which is a company well known in the industry, a company which has been very active in security, especially in the DoD and intelligence communities, but now is broadening its scope to serve us in the commercial industry. And an action went out with an RFP under the auspices of BITS and we chose them because of their experience and capability in doing very similar types of testing, and we also employed another division of SAIC called Telcordia, formerly Bellcore, which have been in the standards setting business, especially for the telecommunications industry, for so many years.
Page 39 PREV PAGE TOP OF DOC
We are also in partnership, as Cathy mentioned, with the Government. We established the basic criteria based on something called the Common Criteria, which is based on Department of Commerce or NIST criteria which have been developed over the years, and we have gone beyond those because of specific requirements of the financial services industry.
Chairman BACHUS. And what we will do, Mr. Browne, is we can put the rest of your statement in the record.
Mr. BROWNE. Right. Yes. I was about ready to finish, yes. And all I wanted to say in the rest of the statement relates that there are a number of initiatives that the financial services community has done including a lot of things internally that show the attention that we have to spend toward dealing with these issues. So what we are trying to say, in summary, is that this is a proactive thing that we are doing. The BITS Security Lab is a very proactive and I think very important milestone on this journey of protecting the infrastructure.
[The prepared statement of Peter A. Browne can be found on page 135 in the appendix.]
Chairman BACHUS. Thank you.
Ms. ALLEN. It is my pleasure to introduce Steve Katz, who is Chief Information Security Officer for Citigroup. He also is the private sector liaison on financial services to the Department of Treasury on what is called the President's Commission on Critical Infrastructure. Steve.
Page 40 PREV PAGE TOP OF DOC
STATEMENT OF STEPHEN R. KATZ, CHIEF INFORMATION OFFICER, CITIGROUP
Mr. KATZ. Thank you, Cathy. Thank you, Mr. Chairman. Thank you for inviting me here today. I am really here with two hats. One is the Chief Information Security Officer for Citigroup, but what I would like to focus on today is my role as Financial Sector Coordinator for Critical Infrastructure Protection and highlight some of the efforts that we have in this private-public partnership that is at least in this case very much a reality. It is the way we are existing and we went to great lengths to improve or enhance the security within the infrastructure and share information from the very largest of the financial services organizations to the smallest that exist.
First, let me begin by saying and reiterating the main product offered by this sector is trust. We have a trust contract with our customers. We have a trust contract that says we will ensure the confidentiality and integrity and availability of data when they need it as they need it. In today's world, that is 24 hours a day literally from anywhere in the world. We have seen graphs here. The reality is we are seeing an explosion of Internet-based commerce. And I think we have just seen the tip of the iceberg.
As Cathy mentioned, it is not just the five-year-olds through college, we are seeing significant growth in those over 55, and I think that will grow, that will continue to grow. It is easy, it is convenient, and they have to have trust and confidence in these systems and technologies and products that they are using. And it is imperative and incumbent upon us in the financial services to continue with the trust model that we have been based on since the foundations of banking in this country.
Page 41 PREV PAGE TOP OF DOC
In July of 1996, President Clinton signed an Executive Order creating the President's Commission on Critical Infrastructure Protection. The commission was convened to bring together the public and private sectors to assess infrastructure vulnerabilities and to develop assurance strategies for the future. And there is a very strong understanding that we as a country rely more upon technology than probably any country in the world and anything that would impact those technologies would impact everything we do.
The commission's principal finding regarding financial services was that—and I will quote: ''Due to its carefully constructed mixture of public oversight and private initiative, the U.S. financial system is among the world's finest. The modern U.S. financial system has never suffered a debilitating catastrophe, and for that reason among others carries an extraordinarily high level of global confidence. Some observers go so far as to characterize it as shock-proof.''
Their summary of the current situation in our business sector was the institutions comprising the financial services industry are further ahead than most in employing sophisticated and in some cases unique defenses against the loss of asset and corruption of core data. Consequently, the U.S. financial system is unusually well protected at the national level and is well prepared to confront a broad range of threats to its operations and integrity.
The commission report went on to say, and this is really key, that managing risk is the principal business of financial institutions. They and we in this case view protection against physical and cyber threats as a cost of doing business. And we position security as a competitive advantage and highlight it in our advertising to attract new customers for services such as remote banking. Security has been, continues to be, an integral component of institutional performance and accountability.
Page 42 PREV PAGE TOP OF DOC
The PCCIP went on to say that financial institutions would benefit from better access to reliable information from the Government and very much across the sector, because anything that impacts any member of the sector to one degree or another impacts every one of us. The PCCIP report then led to Presidential Decision Directive 63 which reinforced the need for public-private sector partnership. In line with the commission's statement that financial institutions would benefit from better access to reliable and current information, the directive recognized that the targets of attack on an infrastructure would very much include facilities in the private sector.
It sought for, it directed, it looked for public-private partnership to identify and reduce vulnerabilities. For each infrastructure sector, the directive designated a lead agency and for us it was the Treasury Department, and it directed the lead agency to appoint a senior liaison official within the agency to work with the private sector, and that agency was also asked to select a counterpart in the private sector. Mr. Greg Baer, Deputy Assistant Secretary of the Treasury, and I have been fulfilling those roles respectively.
The objectives of the sector and what we have been trying to do is to ensure that we maintain the viability and continuity of service against acts that could or would impact our ability to provide for the orderly functioning of the economy. For, in fact, we are the conduit for the world's economy. And we also as an objective must be able to provide for continued customer confidence in our ability to prevent, detect and respond to incidents.
Both of these require significant information from within the sector, much more so than is done today, across sectors, which does not exist, and to provide for the ability for us to share information with the Government. To address these objectives, members of the Treasury staff and leaders from the financial services sector are contributing to a National Infrastructure Assurance Plan. We are doing this by assessing the vulnerabilities of the sector to both cyber and physical attacks.
Page 43 PREV PAGE TOP OF DOC
We are doing this by recommending a plan to eliminate significant vulnerabilities. We are doing this by proposing a system for identifying and preventing major attacks and we are doing this by developing information about an information sharing and analysis center. In terms of efforts to date, we have been again proactive in instituting robust information security programs to protect privacy, confidentiality and integrity of customer and corporate information. It is the cornerstone of our business.
In continuation of this effort, the industry has been meeting for the past year among itself and with representatives of the Treasury Department. On October 7, 1998, we had our first full Financial Sector Critical Infrastructure Protection meeting over at the Department of Treasury. It was attended by well over 100 representatives of the private and public sector and the meeting was keynoted by Mr. Rubin and we exceeded the capacity of the room.
At the end of the day, we realized and agreed on the fact that the threat of potential cyber attack is valid; it is real. We also agreed that a cooperative effort between public and private sector was absolutely essential. As much as we have done on our own and as much as we are leaders in this, there is a need to work together. We agreed that we needed to move forward with creating a process to identify and deal with cyber attack and we agreed that we need to establish a Financial Services Information Sharing and Analysis Center that can identify, screen, and analyze problems.
We held our second formal meeting of the banking and financial sector on March 11, 1999. At that meeting, we established four working groups that can focus on problems facing the financial services critical infrastructure. The first was look to establish a CEO council made up of the chief executive officers of the 25 to 30 top financial service firms in the country. We want to bring them together, have them focus on the problem, bring awareness to their counterparts, and also provide advice and information sharing with Washington.
Page 44 PREV PAGE TOP OF DOC
The second committee is to focus on information sharing. And I will spend a little more time on that in a minute. The third was finding a way to identify and share vulnerability issues and concerns within the sector and with the Government. And the fourth was to look at allocating R&D funds.
In terms of information sharing, the effort is to develop a trusted mechanism for sharing incident and intrusion information across the sector to facilitate sharing of system-wide risk concerns. The primary goal would be to share data among all members of the financial services sector. Firms that elect to participate will provide and share information about information security related incidents, intrusions, vulnerabilities, threats, and more importantly solutions that we have used and how we have applied them. Used effectively, the financial services ISAC, Information Sharing and Analysis Center, can be and will be an early warning mechanism and radar screen.
A governance board will be put in place to make it happen. At this point, we have a committee consisting of 25 volunteers from the industry that are meeting with vendors to develop the criteria and requirements for the ISAC. It will be live, fully operational, by October 1 to begin to capture information associated with Y2K. In less than one year, the industry and the public sector have developed a partnership. We have moved at lightning speed and we believe we have results that we can all be proud of and results that truly demonstrate that a public-private partnership can exist, and that as an industry from the very largest to the very smallest we can effectively share information.
That concludes my testimony. I will be pleased to answer any questions the subcommittee might have.
Page 45 PREV PAGE TOP OF DOC
[The prepared statement of Stephen R. Katz can be found on page 139 in the appendix.]
Chairman BACHUS. Thank you.
I would just say that what we are discussing here today, and that is security over the Internet and in these financial transactions, is everyone's issue. It affects everyone. It not only affects people who are using e-commerce or the Internet, but today, because of the usage of e-commerce and the Internet, crisis in confidence in the e-commerce can actually bring the economy to its knees and affecting those who do not use it. So trust and confidence in the infrastructure is absolutely essential. It is now not only a financial concern, it is an economic concern.
And one of my biggest concerns is the banks and the financial institutions are used to dealing with hackers and I say ''used to,'' it is a continuous battle, you have to develop new technologies and new procedures to combat them, and they are very aggressive, and you have to be very aggressive in dealing with them. And I am not so much concerned—you know, I have concerns about your ability to deal with them, but I think the record demonstrates you have done a good job in dealing with hackers and other breaches. But we have new players that are involved. And I am concerned about they are inexperienced in dealing with these matters. And I think that a lot of what you are doing will empower them to be able to meet that challenge. You are basically sharing the experiences you have gained in these areas.
I am going to yield to Mr. Inslee from Washington.
Page 46 PREV PAGE TOP OF DOC
Mr. INSLEE. Thank you, Mr. Chairman. I appreciate it. I was reading, I think Mr. Vaughn's testimony referred to sort of three different threats to security, if you will, and I think the first one he referred to is overt, and I want to ask you, perhaps Mr. Katz, you can take a stab at this one. There has been discussion in these halls a lot about privacy issues, perhaps from some overt threats, meaning use of information by financial services industry that was not intended by the consumer.
And let me just give you an example of some concerns that have been expressed, particularly with H.R. 10, when we will have a consolidation of the financial services industry, which I am a supporter of, by the way. I supported general expansion of that ability to affiliate. But there are a lot of concerns being expressed that information that is intended to be used for one purpose, for instance, just checking or banking account information, that through the use of computer networks, will be used by affiliates or operating subsidiaries for other purposes, for marketing purposes specifically. A lot of concern by people that—and this is not just over Internet banking. This is a broader question I guess, but I think it is the growth of the Internet has fueled this concern when people are seeing the capability of capabilities.
I just wonder if you can tell us what your policies are, what you are aware of throughout the industry say in the use of checking and banking account information for other purposes, for marketing purposes? Does that go on to market other products by affiliates or operating subsidiaries or through dissemination of the information of third parties? Should it go on? What are your thoughts in that regard?
Mr. KATZ. I can tell you at least what we do and my expertise is really in the area of securing information. But there are two or three questions that must be effectively answered in every product or service that is offered. The first is having very strong means of identifying who has access to information and depending upon the level of access, you can go from passwords which are six, seven, eight, nine, ten characters long, to technology that creates the password that can only be used once. So we must be very certain who has access to information, knowing who they are; that is then further subdivided by the type of business that they are in. So that once we know who you are, we tightly control what you can have access to and that is controlled within the operating environments and the systems we use, but in still other areas, that information is further cryptographically secured so that you just cannot get to it.
Page 47 PREV PAGE TOP OF DOC
So we can really do a very strong job of making sure that only authorized people have access to information and it is only to the information that they are authorized to get, and that is continually reviewed and approved.
Mr. INSLEE. Let me give you an example. Let us assume you got a deposit of Emma Smith. She writes the bank and says—your bank—says I have an account with you and please do not share any information in my checking or savings account for marketing purposes. Use my information only for purposes of administering my checking and savings account information. Let us assume she gets $10,000 in the bank one day and your group, and I am not saying you do this, but I just wanted to say in a hypothetical your group has a policy of trying to use that for marketing so you want to advise your affiliate who is a stockbroker, sells stocks, for instance, that she has got $10,000, and it would be a good time to call her to try to sell her hotstock.com or something. Should that be allowed and is it in any institutions, as far you know? Should that kind of transfer of information occur?
Mr. KATZ. Not in any way I have any specific knowledge. So, again, I say we have a very strict privacy promise posted on our Web site. It does provide for opting out, as you indicated, and that is strictly followed.
Mr. INSLEE. Thank you. Appreciate it.
Chairman BACHUS. All right.
Ms. Carson.
Page 48 PREV PAGE TOP OF DOC
Ms. Lee. I am sorry, Ms. Lee.
Ms. LEE. Let me just ask you a question and I guess with the backdrop of the model of trust and confidence, which is very difficult for me to get to in the whole Internet banking, online banking issue, who regulates or how are consumers protected against computer errors, against Internet errors, against problems that arise which actually cost them money? For example, if a person is online with their checking account, and there is a computer Internet error, which causes their account to go into I will not say default, but causes checks to bounce, their account becomes overdrawn through no fault of theirs, well, that begins a spiral of events with check charges and bounced checks and returned checks and what have you. A week later perhaps we find that it is a bank error, an Internet error, an online error. Is the burden of proof on the consumers to prove that and to collect from the bank in terms of charges? Or how is this regulated so that consumers do not end up paying enormous amounts of money as a result of errors not of their doing?
Ms. ALLEN. Let me try to answer that at least first. First of all, consumers are protected under Regulation E for online banking. So if—and we have not yet had any major breaches or problems that have impacted consumers in any way—but if they were to be hacked or something, an attempt occurred that would impact the bank account, they are protected under regulation for us to make the customer whole and that means that they would not lose their money. There would be whatever procedures would be in place to make that happen. Before it would happen, you have to look—there are several players along the route—to see where the fault happened. For instance, if the customer gave out their PIN number to someone and it was not an error, it was fraudulent activity, that would be something that the bank and the consumer would try to understand.
Page 49 PREV PAGE TOP OF DOC
But if it is clear that it is an error either because of an intrusion or because of a bank error, the technology error is something that the consumers are protected against.
Ms. LEE. OK, but in terms of protection, there are a lot of levels of protection. One is the financial protection. They are reimbursed for the check charges. Two, should other checks bounce, for example, what happens in terms of their reputation, their credit record, you know, all of those ancillary kinds of issues that arise as a result of those kinds of things?
Mr. BROWNE. Yeah. All of us have processes in place to deal with those issues of error and mistake and mistaken kinds of issues and we always tend to err on the side of protecting the consumer rather than trying to beat them out of some interest or something like that. And we have to do that, because that is how we keep consumers. If we act in a haughty way, then we lose consumers and they go to the bank down the street, and so forth. And so it is really a matter of extending these same processes and procedures into the electronic space.
And frankly it is easier for a clerk to make an error than it is for, you know, an electronic issue, at least our experience has proven that over time, you know, as we get into these new channels.
Mr. KATZ. Just to take that a step further. When you make an online transaction through the Internet, there are built in technical integrity checks that say what is transmitted matches what has been received. That is not to say that errors cannot occur. But it is far less likely for a change to take place or a mistake to take place as something goes across the network, because the technology is in place to really check every bit of that record and compare it to what was originated and then you deal with if an error does occur, it is finding out where, but it is dealt with the same way you would if somebody who does data entry, processing a check, keys in $10,000 instead of $100, but it is far less likely to happen, because there is technology that is involved to minimize that.
Page 50 PREV PAGE TOP OF DOC
Ms. LEE. OK. And one more question. Just in terms of the processes that are in place, what happens in terms of the financial industry with regard to consumers attempting to resolve some of these problems? Is it voice mail that they get or do they get a person? Do they have to go to the bank? Do they do it via computer? How do they resolve these problems?
Ms. ALLEN. Again, in an online environment, resolution tends to happen in an e-mail environment, because the consumers who want to use Internet banking are also heavy e-mail users. So oftentimes that is the way it is set up. All systems have the ability for someone to use any channel, to call your bank or to be able to e-mail. In some cases, banks actually have video conferencing. If you have a high tech computer, you can actually go into an online officer in real time in video.
Mr. BROWNE. Pretty extensive use of telephone service center type of activity to resolve it.
Ms. LEE. Thank you very much. That is very helpful.
Chairman BACHUS. OK. Thank you. Mr. Browne, you testified that hacking attempts are numerous, but that there were actually few breaches and almost no damage.
Mr. BROWNE. Typically how that happens, if you set up yourself as an Internet site—and you could actually do that in your own home computer, and people do—you can see people with personal Websites. Or even if you were to go and use some of this new technology like cable modems, which are always connected, what we call a persistent connection to the Internet, and you then put some monitoring software out there, you would actually find people on almost a continuous basis trying to break in, signatures of attacks, using of these hacker tools, and so forth, and so forth. It is quite revealing to put some of these measurement devices on. And if there were errors or flaws or security vulnerabilities in the software you particularly used, indeed, you or this site would be hacked into. So we have to put up the security walls around our Internet.
Page 51 PREV PAGE TOP OF DOC
Chairman BACHUS. I agree. And let me say this. My question, I probably should not have stopped there. I was just——
Mr. BROWNE. No, it is OK.
Chairman BACHUS. In case of breaches, are the breachers or the hackers identifiable?
Mr. BROWNE. Sometimes. In most cases they are, at least their source is. In the case of breaches, there are also SWAT teams that go, you know, go out and immediately deal with the issues and, in essence, firewall off the breached area.
Chairman BACHUS. OK. Now that is maybe where we are going with this. SWAT teams. But my question is this: are these hackers prosecuted?
Mr. BROWNE. Yes. And some of the prosecution history will show that they have been.
Chairman BACHUS. OK. Are they all prosecuted?
Mr. BROWNE. Cannot speak—because everybody has a different policy on prosecution, but most of us would, would hope they are.
Ms. ALLEN. But may I respond to that just for a second? One of the things the Department of Justice has done is set up training in all the attorney general's offices in all the states to be much more aware of cyber terrorism and hacking and just being computer literate. That has helped up the opportunities to prosecute a number of the offenders that are out there.
Page 52 PREV PAGE TOP OF DOC
Chairman BACHUS. You know I would say this. As a committee and I think as a Congress, because we view that so seriously, I think if we have what is necessary to identify these hackers, then we need to prosecute them, and I think it would help. I will ask you this: Would not an aggressive campaign that is well publicized be a good deterrent to this? And I will ask you to respond to that question.
Ms. ALLEN. The answer is yes. I think that is part of the education is to make people aware that this is a criminal activity. It is not just a game to try to hack into or breach into financial services or any e-commerce type of network. The more that people take it seriously and it is treated as a serious crime, I think that will help to deter certainly some of the amateur stuff that goes on.
Mr. BROWNE. A good recent case in point is the perpetrator or the alleged perpetrator of the Melissa virus. They caught them very quickly and are working the process now.
Chairman BACHUS. You know we would not tolerate people breaking in, I mean intercepting our mail, getting things out of our mailbox and reading it, or wiretapping our telephones, and I will say that I do not know that we have. I think we need a campaign to publicize that this is illegal, that it is criminal, that prosecutors will—I mean that perpetrators will be prosecuted and I think we need—those who see it as a game need to be informed otherwise. Parents of children who may be sophisticated enough to do this type thing. But there needs to be some—I think it would be a good deterrent, and I think that is one tool that we need to utilize.
Page 53 PREV PAGE TOP OF DOC
I am going to ask one other question if I can. In its testimony on page ten, the GAO observed that 44 percent of the examinations it looked at found some sort of internal control weaknesses. Weaknesses ranged from a lack of internal audits and strategic plans to senior banking management not approving their Internet banking activity plans before their banks begin offering services over the Internet. It would appear to me that a new type of banking activity such as Internet banking needs to be approved at the highest level of the financial institution.
So my question to Mr. Browne and Mr. Katz would be this: how was online banking initiated at your institution or and was the board consulted or did they approve of it?
Mr. BROWNE. Well, I will start it and turn it over to my distinguished colleague. In our particular case, we have now established a top level, equal to all of the other business units within the bank, an executive vice president in charge of electronic commerce. And he sits at the table in the strategic planning process with the CEO and his peers and so he is intimately and he is very technically knowledgeable, by the way. He is also very, very much tuned into security and control of this process and so I have the ongoing dialogue with him all the time. And so those linkages and the risks are understood as part of the development process.
And there is actually a quarterly meeting of the top management of the company which focuses entirely on internal controls, audit and security, and Y2K, by the way.
Mr. KATZ. In Citi we have six corporate executive vice presidents. One of the six is in charge of all electronic banking and electronic commerce. He reports directly to the chair and they are very tightly controlled and managed. Nothing—there is not an Internet product or Internet-based product that can be designed or go live anywhere in the corporation unless it has his approval and then they review. It is part of the quarterly or rather monthly review with the chair.
Page 54 PREV PAGE TOP OF DOC
Ms. ALLEN. Let me if I could just address the fact that the OCC has had three advisories they put out on PC banking, on certificate authorities. The first was on technology risk saying that they would hold accountable as part of the process that the CEO, chairman and the board of directors of the financial institutions must look at technology risk just as they do as the other risk factors. That piece alone has increased in the last year the awareness of the board of directors and chairmen and almost all of them—I know, because I have spoken before a number of boards—are being briefed on a regular basis on technology risk internally and externally.
Chairman BACHUS. And Mr. Katz, you are senior information systems expert, I think, right, at the bank? Would you be concerned that senior management did not know before one of these initiatives was rolled out?
Mr. KATZ. I would certainly be concerned if they did not know.
Chairman BACHUS. Yes.
Mr. KATZ. It is to a great extent, it is the direction of the future of what we are doing, and it requires a unique blend of understanding the business itself, understanding a marketplace that is constantly changing, and a dramatically new delivery mechanism, and it has to be focused upon by the executive management of the company as well as the board.
Chairman BACHUS. Thank you.
Page 55 PREV PAGE TOP OF DOC
Mr. Vaughn, do you have any comments?
Mr. VAUGHN. I would make one comment along those lines. I reviewed the underlying statistical information that was summarized in this chart. For example, that first one involving strategic planning, of that 25 percent, 90 percent of those were in the small category. They were broken down into small, medium and large, and I think with the tendency of smaller institutions to outsource, they have a tendency to outsource everything, and one of the points I was trying to make was that even when outsourcing the technology side of Internet banking, the strategic planning, and the management oversight and audit needs to remain within the bank. And I would be interested to see if the correlation of those small institutions correlated to those that outsourced.
Chairman BACHUS. As a provider of this, you are saying that you would welcome the oversight?
Mr. VAUGHN. Well, as a provider, I welcome the oversight to ensure that we do a good job and that our customers, the banks, do a good job. But we cannot take on all responsibility as an outsourcer. If we attempt to do so, then we will fail.
Chairman BACHUS. OK. Thank you. I very much appreciate your attendance today. This concludes our hearing. I will say this. I think it might be helpful, and maybe we can issue in the next few days a list of things that customers can do to protect themselves when they are utilizing the bank, and I would ask maybe for your cooperation on those. You know we talked about the browser, whether they are using a current browser? Whether it is properly configured, you know? But you have numerous issues like that. Several of those specific things have been mentioned, but maybe we could catalog those and I think it would be helpful to six million people who are using these services and as many as 20, 25 percent of Americans we expect to be utilizing those services by the year 2002, which is mind-boggling. Thank you very much. The hearing is adjourned.
Page 56 PREV PAGE TOP OF DOC
Ms. ALLEN. Thank you.
[Whereupon, at 12:35 p.m., the hearing was adjourned.]
[insert offset folios 33 to 150 here]