Journal of Banking & Finance 25 (2001) 2103±2123

www.elsevier.com/locate/econbase

``Clicks and bricks'':

e-Risk Management for banks in the age of
the Internet

Anita K. Pennathur *
Department of Economics and Finance, College of Administration and Business, Louisiana Tech
University, P.O. Box 10318, Ruston, LA 71272, USA

Received 8 March 2001; accepted 19 July 2001

Abstract

The banking industry realizes that a vital and pro®table segment of its clientele de-
mands a signi®cant online presence that complements the traditional ``bricks and
mortar'' presence. A virtual mine®eld of traditional and new issues and risks arises as
banks adopt 24/7 transactional websites in their pursuit of a ``clicks and bricks''
strategy. Banks face operational, security, legal, and reputation risk with their foray into
online banking. An innovative and proactive approach to risk management is essential
as banks move into this new territory. Recent regulatory and legislative developments
suggest that as electronic banking evolves, the earlier regulatory stance of ``self-reg-
ulation'' appears to be changing to one of increased scrutiny. Ó 2001 Elsevier Science
B.V. All rights reserved.
JEL classi®cation: G21; G28; O3

Keywords: Electronic banking; Electronic payments; Market strategy; Bank regulation;

Risk management

*
Tel.: +1-318-257-3863; fax: +1-318-257-4253.
E-mail address: [email protected] (A.K. Pennathur).

0378-4266/01/$ - see front matter Ó 2001 Elsevier Science B.V. All rights reserved.
PII: S 0 3 7 8 - 4 2 6 6 ( 0 1 ) 0 0 1 9 7 - 2
2104 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

1. Introduction

The Internet and the World Wide Web (WWW) have made a profound
impact on the way the world conducts business today. While initially slow
to jump on the e-commerce bandwagon, the banking industry understood
the importance of establishing an online presence in the latter part of the
1990s. The initial exhilaration regarding the Internet led to the establish-
ment of several ``Internet''-only banks. However, many banks are fast re-
treating from a presence that is only online. 1 Most banks realize, however,
that an extremely vital and pro®table segment of their clientele demands a
signi®cant online presence that serves as a complement to the traditional
``bricks and mortar'' presence. Demographics indicate that young, a‚uent
customers are the most likely to use online services, and consequently, there
is an increased focus on developing a strategy to target this clientele. 2
Thus, recent years have seen the industry, from community banks to the
national and global banks, rapidly moving towards a ``clicks and bricks''
strategy that emphasizes an online supplement to the conventional banking
services.
The number of banks with transactional websites is growing tremen-
dously every year. The FDIC estimates that there are approximately 2000
FDIC-insured ®nancial institutions with transactional websites (January
2001), including ``trade name'' banks that give a slightly di€erent name to
their Internet operations, but are not separately chartered. In addition,
there are approximately 21 institutions that conduct business almost entirely
via the Internet. Approximately 37% of all national banks o€er transac-
tional online banking. Economists at the Oce of the Comptroller of the
Currency (OCC) estimate that about 90% of all customers currently bank at
institutions that o€er Internet banking, although approximately only 13%
use such services (Hawke, 2001). There seems little doubt that the way of
the future is the increased use of online banking facilities as the technology

1
Launched in October 1995 as the ®rst Internet-only bank, Security First Network Bank
(SFNB) purchased Prism, a Chicago based mortgage company with 150 branches in 2000. SFNB is
now repositioning itself as an online banking initiatives vehicle for other companies (Koller, 2000).
Many other Internet-only banks are also adding physical locations to their ``branchless'' presence.
2
In 1999, Bank One Corp. introduced WingspanBank.com as a separate entity from its own
online banking e€orts at BankOne.com. Unfortunately, the low-cost alternative touted by
Wingspan was not very successful. In January 2001, this Internet-only branch of Bank One
announced an increase in monthly service fees and a decrease in interest rates paid on low-balance
customer accounts, heralding a new strategy that targets the more pro®table, high-balance niche
clientele.
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2105

is evolving and changing rapidly. But as the usage increases, so do the

risks. 3
To illustrate, the specter of system disruptions and security compromises
looms large for many corporations today. Even Microsoft Corp.'s websites
have been rendered o‚ine by distributed denial of service (DDoS) attacks.
While this is indeed ironic for the technology Goliath, whose founder, Bill
Gates, once triggered a mini-technology alarm when he referred to banks
operating as ``dinosaurs'', the threat of security compromises is a real concern
for many banks today. 4
The traditional banking risks, in some instances, are magni®ed when banks
o€er 24/7 transactional websites. As banks move into this new territory, several
challenges arise in the context of banking risks. This paper explores the current
issues in electronic banking and the banks' risk management techniques re-
garding several new (and old) banking risks.
The remainder of the paper is organized as follows. Section 2 de®nes and
discusses modes of electronic banking, while Section 3 discusses the many
challenges and strategic choices that banks face as they make the leap into
electronic banking. The risks that emerge in this context are illustrated in
Section 4, and the risk management processes are developed in Section 5. The
current regulatory and policy environment relevant to electronic banking is
presented in Section 6. A summary and conclusion is provided in Section 7.

2. De®nition of electronic banking

What is electronic banking? According to the Basel Committee report on

banking supervision (1998), it refers to the provision of retail and small value
banking products and services through electronic channels. Thus, in the most
encompassing de®nition, electronic banking would run the gamut from direct
deposits, ATMs, credit and debit cards, telephone banking, to electronic bill
payment and web-based banking. It appears that the Federal Reserve prefers
this broad de®nition of electronic banking. Federal Reserve Vice Chairman
Ferguson's de®nition includes mature and familiar products such as ATMs,
direct deposits, and products that are in the experimental stage such as stored
value cards and Internet-based stored value products (Ferguson, 1998).

3
In a recent case, a 32 year old high school dropout allegedly used Forbes magazine's ``400
richest people in America'' to target celebrities and tycoons such as Steven Spielberg and Ted
Turner, cybercloned their identities, and managed to purloin hundreds of thousands of dollars from
online banking and brokerage operations (Bruno, 2001).
4
See ``Dinosaur remark by Gates sets o€ technology alarms'', Epper and Kutler (1995).
According to Sinkey (1998), Bill Gates later clari®ed that he viewed the back-oce databases of
banks as dinosaurs.
2106 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

Electronic banking can be viewed as either a ``closed'' system or an ``open''

system. Closed systems restrict access to participants bound by agreements on
the terms of membership. An example of a closed system is the access to a
bank's website by its members. Open networks, on the other hand, have no
such membership restrictions. Systems (or websites) can also be viewed as
``informational'' or ``transactional''. An informational site provides informa-
tion only, while user interaction is allowed on a transactional site.
The FDIC manual of examination policies for electronic banking (FDIC,
2000b) further separates electronic capabilities into three categories by degree
of functionality:
Level 1 systems are those that simply provide information as de®ned by
the publisher or allow for transmission of non-sensitive electronic mail (in-
formation only systems) or other publicly available information. The bank
de®nes the information to be available, usually what is already available in
print, and thus level 1 systems generally tend to be marketing based in their
approach.
Level 2 systems allow users to share sensitive information and communicate
electronic information transfer systems. An example of this system is a bank
site where you can submit an online loan or deposit account application.
Level 3 systems are the most advanced and can facilitate electronic funds
transfer and other ®nancial transactions (e.g., electronic payment systems).
Level 3 represents the highest degree of functionality and allows the customer
to conduct account queries, transfer of funds among accounts, bill payments,
and engage in other transactional banking activities.
One should also distinguish between the pure-play Internet-only banks and
banks that provide some Internet services. As the early euphoria over the
``virtual'' banks fades, it seems obvious that a pure-play Internet-only strategy
will not be pro®table. DeYoung (2001a) presents some preliminary evidence
that the pure-play bank is not a ®nancially viable business model. Yet, cus-
tomers demand online services, and a bank that ignores this need makes a poor
strategic choice.
Other recent studies compare banks with online services to banks that do
not o€er Internet banking. Furst et al. (2000) ®nd that all of the large national
banks o€er Internet banking, but less than 10% of the smallest size banks o€er
online services. They estimate, however, that small banks will fuel most of the
growth in Internet banking. In his study of banks within the 10th District,
Sullivan (2000) veri®es this result. Moreover, both studies ®nd that Internet
banks rely more on purchased funds relative to deposits and are also more
dependent on non-interest sources of income. The major di€erence between the
two studies is the estimate of Internet bank pro®tability. Furst et al. (2000) ®nd
that banks with online services are more pro®table than banks that do not o€er
such services (except for small, de novo banks with Internet banking), while
Sullivan (2000) ®nds pro®tability to be the same for both types of banks.
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2107

It appears that online banking is here to stay. A survey of 23 banker

members of the American Bankers' Association (ABA) board of directors
identi®es technology concerns as one of the top ®ve issues bankers expect to
wrestle with during 2001 (Streeter, 2001). The biggest technology issue these
bankers grapple with is the strategy towards online banking and e-commerce.
As they struggle with the logistics of electronic banking, the costs of upgrading,
and the fact that there is no real revenue stream from these activities, these
bankers also worry about the increased risk and regulatory burdens that come
with the foray into electronic banking.

3. Strategic choices for banks 5

The venture into the Internet opens a Pandora's box of issues and challenges
as banks seek to de®ne their role and stake in the mushrooming world of e-
commerce. Several questions arise in this context. Do Internet services repre-
sent a new product or simply a complement to existing services? Does online
banking open up banking markets from local levels to national levels, and what
does this mean for competition between large and small banks? Do banks face
a new and insidious threat of disintermediation via the Internet?
I contend that online banking services represent a new, sophisticated de-
livery channel that web-savvy customers demand. While many functions such
as paying bills, moving money from one account to another can be performed
very eciently over the Internet, the very nature of banking is personal. One
cannot replace the loan ocer who knows your children by name with the click
of a mouse, and this personal touch represents a hurdle that the pure-play
Internet bank cannot surmount. Thus, a successful strategy is one where the
bank maintains a fully transactional site, while allowing the customer who
desires personal contact the physical space to conduct transactions. In this
context, DeYoung (2001b) argues that pro®tability ultimately depends on the
quality of the services provided, and not necessarily the channel through which
they are delivered.
Does online banking open up new markets for banks? Are banking products
becoming commodities as consumers gain access to more powerful search and
comparison tools on the Internet? To be sure, the ubiquity of the Internet
opens up new horizons for banks to move from local to perhaps even global
frontiers. To illustrate, a homeowner searching for the lowest mortgage rate
need only log on to the Internet and be almost instantaneously granted several
competing o€ers. The entire mortgage approval transaction can be conducted
from start to ®nish without any face-to-face contact, and indeed, many

5
I thank a reviewer for the insightful comments that provided the motivation for this section.
2108 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

homeowners have done exactly this. To this end, the Internet levels the playing
®eld between local and national banks and, to some extent, services do become
commodities.
A fully transactional website can render an extension to the fabled ``rela-
tionship banking'' pro€ered by a community bank. To a great extent, com-
munity banks embody the ``clicks and bricks'' strategy of using the Internet to
tap into a new customer base, while o€ering existing customers multi-channel
services that include the Internet. Nathan (1999) identi®es some important
potential bene®ts of online services for rural communities. Internet services
that facilitate home banking are extremely time-ecient. Moreover, the In-
ternet conjures up a national vista of diverse choices for the rural customer in
an era of increasing bank consolidations and shrinking competition. Yet, In-
ternet banking can be both a boon and a bane. The community bank that
reaches too far can risk losing the very advantage of personal, customized
services. To illustrate, a recent survey ranks the top 100 U.S. banking groups
for response time to information requests. The results indicate that regional
banks are better than top banks in handling such e-mail communications, and
the 10 largest U.S. banking groups score 20% points lower on average than the
top performers (Marlin, 2001). While larger banks possess a distinctive brand
identity, the smaller banks appear to better maintain their personal touch.
Do banks face a new and insidious threat of disintermediation via the
Internet? In this area, banks are scrambling in the race for several new inno-
vations. One of them is account aggregation. Sometimes called ``screen-
scraping'', account aggregation allows users to consolidate all their ®nancial
and other information such as frequent ¯ier miles, travel reservations, e-mail,
and the like on a single web page. Providers of screen scraping services access
the customers' multiple accounts overnight and download them into a ®le,
allowing the client to access new, current information the next day. In fact, the
user can even access this information on a wireless phone or devices such as a
Palm Pilot.
Non-bank sites such as Excite, Onmoney.com, America Online and
Quicken.com, allow customers to access all this information, on one site, for
free, via a single password. Banks initially saw this as a subtle form of disin-
termediation and rose to the gauntlet by o€ering account aggregation services
themselves. Recent entrants to the aggregation market are Wells Fargo, JP
Morgan Chase, Morgan Stanley Dean Witter, Merrill Lynch, and Citigroup.
But the non-bank ®rms are giving banks a run for their money. A recent Booz-
Allen & Hamilton and e-Rewards survey ®nds that as many as one-third of the
aggregation customers select portals that are not tied to a major ®nancial in-
stitution (Altman et al., 2001).
Further, according to this survey, the number of users of aggregation ser-
vices exploded from 10,000 in January 2000 to 700,000 in December of the
same year. It is estimated that the number of aggregation customers will grow
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2109

from 1 million in 2001 to more than 22 million by 2003. These clients have very
attractive demographics; they are fairly young, with an average age of 36, and
half of the early adopters have incomes between $75; 000 and $149; 999.
However, one major obstacle with aggregation is that customers must be
willing to relinquish passwords to all their accounts to facilitate screen
scraping.
Banks have several advantages in this regard. The trust and comfort level
that a customer shares with her bank makes the bank the obvious, safe choice
in the aggregation market. Sixty-eight percent of the respondents in the Booz-
Allen & Hamilton survey state that their existing relationship with a ®nancial
institution made aggregation with that institution an attractive option, whereas
®nancial portals claim 26% of the aggregation customers simply because they
were the ®rst one the customer came upon. Banks also have the advantage of a
physical location over their non-bank Internet portal competition. Thus, banks
should capitalize on their existing relationships with their customers and seize
the opportunity for aggregation.
Does aggregation mean that banks cannot create customized bundles to
retain customers? Is customization incongruent with account aggregation? I
propose that the two do not represent divergent strategies, but are two sides of
the same coin. Survey results show that aggregation customers are very re-
ceptive to o€ers that are tailored to their ®nancial pro®les. Banks that facilitate
account aggregation are privy to vast and valuable amounts of information
regarding their customers. Envision the following scenario. The aggregating
bank observes its 30-something client's payment patterns (perhaps including a
high-interest credit card), and notices a recent search for mortgage quotes. The
bank can suggest a personalized o€er for this customer and can perhaps even
include a ®nancial advising o€er, making ``one-stop'' shopping an ecient
option for the customer.
Non-®nancial ®rms have typically been more adept at using customer be-
havior patterns than banks. While banks have traditionally been loath to ex-
ploit this knowledge, I suggest that the successful strategic choice for
aggregating banks is to provide customized bundles that are based on customer
®nancial pro®les. In a sense, banks can still o€er the personal touch ± a global
village touch via the WWW. Unfortunately, such customization can also bring
up the prickly issue of customer privacy where the bank risks losing the ``trust
relationship'' with the customer.
The need for new and improved methods of payment for business-to-busi-
ness (B2B) and customer-to-customer (C2C) transactions also heralds new
opportunities for banks. According to the Gartner Group, 83% of B2B
payments are still paper based. Using the Internet to make automated check-
ing house (ACH) payments will certainly be faster than making a paper
check payment. ACH payments are also cheaper than credit card transac-
tions (Messmer, 2001). Several technology companies such as e-Credit.com,
2110 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

TradeCard, to name a few, are beginning to provide services such as credit

procurement, escrow services, and payments processing. Actrade o€ers the
electronic trade acceptance draft that provides an alternative to an open ac-
count, paying suppliers immediately while allowing up to six months for
purchase payments.
Businesses want eciency in trade and lower transactions costs, and Inter-
net-based payments should bene®t both banks and businesses. Businesses also
want a ®nancial settlement system that is integrated with their back-oce
systems. Financial institutions have the choice of being passive conduits for
payments or to be actively involved in providing the infrastructure necessary
for B2B transactions. In this arena, the smart decision for banks is to forge
strategic alliances with the technology companies that provide B2B e-com-
merce services. For example, Bank of America has an alliance with Ariba and
Fleet Boston has partnered with Equidity. Bottomline Technologies' Bank-
Quest provides interface with banks. Wenninger (2000) suggests that the banks'
role in B2B e-commerce is a natural extension of the automated cash man-
agement services they already provide to large corporations.
In April of 2001, 11 major banks, including Citigroup, Bank of America,
J.P. Morgan Chase, and Wells Fargo & Co. pledged $28 million to a payment
system that will assign universal identi®cation numbers for buyers and sellers
engaging in ACH and wire payments. This new system will support both the
traditional ACH and wire payment options as well as payments based on a
new, Internet-based protocol, XML. This system will eliminate the need for
online trading partners to exchange bank account information (Roth, 2001).
Alliances such as this are crucial as banks jostle for the B2B market that is
expected to reach $2.4 trillion by 2004.
The road to C2C payments systems is littered with failed attempts at digital
cash; American Express Co.'s e-Wallet is the latest casualty (Kuykendall,
2001). However, X.com's PayPal, popularized by the runaway success of eBay
rose above the pack to become CNET's ``best person-to-person payment sys-
tem on the Web'' in 2000 (Keizer, 2000). PayPal is giving banks a run for their
money, and its exponential growth proves that it is imperative for banks to
move quickly. Wells Fargo and Billpoint o€er an alternative to PayPal, as does
Citibank's c2it. Yet other services such as Bank One's eMoneyMail have
¯oundered. For banks the vital decision, once again, is one of strategy and
position. Should they o€er e-payments as a free service? While both c2it and
eMoneyMail charge a transaction fee, PayPal aggressively promotes its free
service for consumers, with a small transaction fee for businesses (Smith, 2000).
In December of 2000, PayPal even began paying money market yields on
money in its accounts.
Should banks join hands with one of the existing systems or attempt to
venture out on their own? Bank of America is coaxing other banks to partic-
ipate in its CheckFree system, which its competitors are loath to join. Smaller
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2111

banks, on the other hand, lack resources to start an e-payment system from
scratch and perhaps should collaborate in formulating a joint e-payment so-
lution (Luke, 2000). Fraud is always an issue, and once again, the trust and
security o€ered by a bank puts it in a commanding position. Already, PayPal
has lost valuable customer goodwill because of its hawkish anti-fraud tactics,
which include freezing accounts, leading the Silicon Valley Better Business
Bureau to rate PayPal's customer service as unsatisfactory in January 2001
(Sandoval, 2001).
Several crucial decisions confront banks as they step into the world of
electronic transactions and e-commerce. As banks make these determinations
about the scope of electronic banking, they also face the risks that occur with
such technology.

4. Banking risks

With the burgeoning of transactional banking websites, regulatory agencies

are increasingly worried about the risks associated with Internet banking. The
Basel Committee report on banking supervision (1998) states that the agency
``recognizes that along with the bene®ts, electronic banking and electronic
money activities carry risks for banking organizations, and these risks must be
balanced against the bene®ts'' (p. 1). Following is a review of some of the risks
that are inherent in online banking.

4.1. Operational/security risk

External and internal security issues pose perhaps the greatest threat to the
growth of online banking. Security can be compromised via both internal and
external networks. Spivey (2001) discusses some cyber-perils to a bank. In-
ternally, security is risked by an unauthorized use of the computer by a bank
employee who can then manipulate data to alter account balances, to misap-
propriate funds, or to perhaps wipe out a friend's loan account. A bank can
also be hacked into externally and account information stolen, or the bank web
site can be shut down via a DDoS attack. Banks also face the threat of viruses
that can be placed in the bank network, or a scenario where a hacker obtains
con®dential information and then cyber-exhorts the bank with an o€er to sell
the information back to the bank. 6
Many of the smaller banks simply outsource their web operations. Out-
sourcing then adds an additional burden of monitoring by the bank, as internal

6
See ``Visa reveals hacker stole computer data, demanded a ransom'', Wall Street Journal
(2000), January 19.
2112 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

controls may not extend to vendors who perform critical functions. Thus, the
Basel report on banking supervision (1998) de®nes this operational risk as the
potential for loss due to signi®cant de®ciencies in system reliability and in-
tegrity. Along the same lines, the FDIC manual on electronic banking (FDIC,
2000b) includes hardware and/or software failures, disruptions, protections,
system, or database compromise as administrative concerns. Inadequate con-
trols, policies, procedures also create operational risk. In addition, the bank
faces the risk of technological obsolescence. Finally, customer misuse, either
intentional or unintentional, also impacts operational risk as well.

4.2. Legal risk

Legal risks can arise due to violations of laws, rules, and regulations. In the
world of electronic commerce, where technology and business are in a state of
constant ¯ux, there is considerable ambiguity and uncertainty regarding legal
rights. From the basic issues of customer privacy and disclosure, to money
laundering and liability concerns because of links to other websites, the process
of electronic banking is a virtual mine®eld of potential legal issues. Regulators
have to address concerns that range from the traditional acts such the Com-
munity Reinvestment Act to the regulations on digital signatures. Bankers also
worry about their liability for loss of customer funds due to computer theft.
The FDIC lists this planning and implementation risk as the uncertain appli-
cability of blanket bond/other insurance coverage to electronic activities. The
agency also indicates that the paper trails needed for audits might be incom-
plete or lacking in electronic transactions and systems.
Banks involved in electronic payments, such as stored value cards, must
determine whether such transactions impact reserve requirements. Yet other
risks of cross-border regulatory compliance arise as the Internet blurs national
boundaries for commerce and payments. In fact, the accelerating pace of In-
ternet banking operations by late 2000 has convinced international bank su-
pervisors to agree that a cooperative approach to the supervision of electronic
banking is essential in order to avoid con¯icting regulation among di€erent
countries and supervisors (OCC, 2000; Basel Committee report on banking
supervision, 2000). The Electronic Banking Group of the Basel Committee has
also issued a number of papers addressing sound supervisory banking practices
for home and host country banking regarding cross-border communication
and banking risk (Basel Committee publications no. 76).

4.3. Reputation risk

Any problems with either security or legal issues can signi®cantly impact the
reputation of the bank. This is especially important in the banking industry
where public con®dence is long touted as paramount. Reputation risk can
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2113

range from problems of customer dissatisfaction with online services to secu-

rity breaches and fraud. For instance, identity misrepresentation, or ``spoof-
ing'', where bank customers are directed toward a false site, can lead to an
irreparable loss of trust between the customers and the bank. For a bank that
provides aggregation services, any breach of security can cause considerable
reputation risk. The 1998 Basel report on electronic banking suggests that
reputation risk is serious enough that if a globally active bank experiences a
blow to its reputation, it might impact the reputation of other banks o€ering
similar services, leading to ``systemic disruptions in the banking system as a
whole'' (p. 7).

4.4. Traditional banking risks

Finally, the traditional banking risks such as interest rate risk, credit risk, or
liquidity risk can be exacerbated for a bank that has a signi®cant online lending
and/or transactions presence. In May 2001, the Basel Committee has identi®ed
14 risk management principles for electronic banking to help banking insti-
tutions expand their existing risk oversight policies and processes to cover their
e-banking activities (Basel Committee report on banking supervision, 2001,
publications no. 82).
Do pure-play Internet banks encounter any special risks? DeYoung (2001a)
documents that these banks have diculty in obtaining core deposits, and
therefore, they often o€er short-run, teaser rates to attract new customers. He
suggests that these rates mostly attract the ``hit and run'' customers who
maintain an account with the Internet-only bank until the special o€er expires.
Thus, pure-play banks can encounter and create risks due to the ebb and ¯ow
associated with such deposits. However, there are only about 21 Internet-only
banks, and research (Hawke, 2001) shows that approximately 50% of the ac-
counts in these pure-play banks are inactive. Therefore, the magnitude of this
risk is probably not as large as the other risks that come with electronic banking.

5. Risk management

The ubiquity of the Internet, the constant threat of hackers, and the in-
creased usage of the Internet to transmit sensitive information all render its
users vulnerable to security threats. While a bank's online activities might be
meager, an external attack leaves all its operations susceptible. As the usage of
online services increases, several issues arise from both regulatory and con-
sumer standpoints. A General Accounting Oce review (GAO, 1999) of bank
examinations conducted from April 1998 to May 1999 found that 35 of the 81
(approximately 44%) institutions surveyed had not taken all the risk-limiting
steps that are needed for online banking. The shortcomings included the lack of
2114 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

approval of strategic plans by the board of directors and a lack of policies and
procedures for Internet banking operations at some institutions. However, the
report cautions that the limited number of banks that were studied does not
allow for any accurate industry-wide generalization to be made.
Bank management should adapt and improvise traditional risk management
techniques to address the new concerns that arise with electronic banking. To
this end, the Basel report in 1998 cautions that ``supervisors should encourage
banks to develop a risk management process rigorous and comprehensive
enough to deal with known material risks, and ¯exible enough to accommodate
changes in the type and intensity of material risks associated with their elec-
tronic banking and electronic money activities'' (p. 2). In other words, even the
process of risk management has to be constantly evolving and changing to
meet the demands and innovations of the day. The function of risk manage-
ment should address all the risks outlined in the previous section. Further, it
should be a constant process of identifying, monitoring, and managing po-
tential risk exposure. The steps taken to manage risk and liability exposure
should be integrated with every facet of bank operations such as planning,
administration, supervising, usage and transactions processing. 7 Some of these
areas are as follows.

5.1. Human resources

According to the OCC bulletin on infrastructure threats from cyber-ter-

rorists (OCC, 1999), ``the ultimate threat to computer security is the insider''
(p. 1). To alleviate internal breaches, banks must be vigilant in pre-employment
screening and security. This rigorous process should be used for all employees,
from receptionists to the bank's security sta€. Employees should be routinely
tested on security policies and should be restricted from complete and unfet-
tered use of the network. If the online operations of the bank are outsourced to
a vendor, the bank should ensure that the vendor follows the same security
guidelines in its employment practices. Finally, when personnel leave em-
ployment, their passwords and authorization codes should be immediately
revoked.

5.2. Policy and procedures

The bank should have a written policy that clearly states the risks of elec-
tronic banking, and the bank's risk-tolerance and monitoring of such risk.

7
A recent buzzword in risk management is enterprise risk management (ERM). The ERM
approach integrates all functional areas in the process of risk management. For more information,
visit http://www.erisk.com
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2115

Furthermore, banks should communicate all policies and procedures regarding

security to the employees in writing. The 1998 Basel report emphasizes that
constant internal communication between senior management and technical
sta€ is imperative in order to monitor and detect any operational risks. In fact,
in a recent speech, Federal Reserve Vice Chairman Ferguson states that when
technology related issues have been identi®ed with banks, they have been
managerial or ®nancial concerns due to inadequate planning or project man-
agement (Ferguson, 2000). Finally, training should be an ongoing process for
bank personnel.

5.3. External threats, security, and technology

Security measures that are combinations of hardware and software tools

should be employed to ®ght internal and external attacks. These measures
include intrusion detection, encryption, password protection, ®rewalls (com-
binations of hardware and software that serve as a wall between the internal
network and the Internet), and virus controls. Further, the bank should have a
plan for system updates on a regular basis. The OCC bulletin on technology
risk management: PC banking (OCC, 1998) provides a detailed analysis of how
to identify, monitor, and control risks arising from the use of PC banking. The
guidance recommends that banks test system ®rewalls and security controls by
attempting to penetrate the system from outside at least once a year. It also
appears that the onus for system integrity is on the individual banks, and bank
supervisors are not committing to a detail-oriented approach on the speci®cs of
technology used to ensure security (Ferguson, 2000).

5.4. Regulatory and legal compliance

Banks should also be cognizant of the regulations that pertain to online

banking and must also recognize that these laws are continuously changing and
evolving. Management should verify that the insurance coverage for liability
due to an unauthorized transaction is covered by a bank's ®nancial bond
policy. In this regard, smaller banks generally have a computer theft clause
written into their policy, while larger institutions tend to carry a separate
computer theft policy (Potter, 2000).

5.5. Usage and transactions

Transactions should be safeguarded to ensure integrity, con®dentiality,

availability, and accountability. Many banks are now using pro®ling software
to detect any activities that vary from the customer's normal usage. The net-
work should also be monitored periodically on a real-time basis.
2116 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

5.6. Incident response and contingency planning

Finally, the bank should have a plan of action on responses and course of
action if its services are attacked either internally or externally. This should
include a backup system to allow temporary, alternative services. These
plans should be communicated in writing to all personnel. In addition, the
bank should also ensure that all its external vendors who provide support in
the bank's online activities have similar contingency plans. The 1998 Basel
report suggests that clear communication of such plans by a bank can
mitigate reputational risk in cases of disruptions. Therefore, policies should
identify potential risks and address incident response and preparedness
speci®cally. 8
In the realm of risk management of electronic banking, the FDIC deems
strategic planning and feasibility analysis, incident response and preparedness,
and internal routines and controls to be paramount in importance. Moreover,
the agency endorses performing a sound risk assessment to determine vulner-
abilities for both in-house and outsourced operations (FDIC, 1999, Risk as-
sessment tools and practices for information system security).
The FDIC bulletin on electronic banking (FDIC, 2000b) also outlines some
speci®cs on examination and evaluation of a bank's online activities. It suggests
a pre-examination period to evaluate the web site and those ®ndings from the
examination be documented in the risk-scoping memorandum. Examiners
should complete the safety and soundness of electronic banking examinations
procedures for each system deployed. The FDIC conducts three levels of ex-
amination review designed to build upon one another, based on the level of
online activities of the bank. A level 1 examination is for banks that provide an
information-only site, while a level 2 examination is conducted for banks with
information transfer systems such as loan requests. Level 3 examinations are
the most in-depth and cover all transactional activities o€ered by the bank.
Each examination reviews the speci®c risk areas outlined in the previous sec-
tion and the ®ndings are factored into the management rating for safety and
soundness. Consequently, these ratings could also impact other component
ratings of the bank.
Other questions relating to reserve requirements and deposit insurance
for electronic money and stored value cards have also arisen in recent
years. Solomon (1999) discusses some of the legislative questions and
agenda pertaining to reserve requirements and deposit insurance coverage

8
The 1998 Basel report provides a matrix of possible risks, manifestations, e€ect on the banking
organization, and risk management measures. Similarly, the 2000 FDIC report provides a table of
potential risks and mitigating controls that should be considered in developing a system security
program.
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2117

for electronic money where third party non-bank institutions hold backup
reserves.
There are substantial costs, both tangible and intangible, involved in the
very process of risk management and, therefore, banks have realized the im-
portance of forming coalitions to share information and resources. In late
1999, several major ®nancial institutions formed an alliance named Financial
Services Information Sharing and Analysis Center (FS/ISAC). FS/ISAC was
created by the Banking and Finance Sector Coordinating Committee and
addresses the Presidential Decision Directive 63, which calls for a variety of
measures to ensure the security of the nation's information infrastructure
(Global Integrity, 1999). FS/ISAC is a secure database that provides authen-
ticated and anonymous sharing of information associated with threats, inci-
dents, and vulnerabilities of ®nancial services industry assets and outlines
available resolutions or solutions. Several major players in the industry such as
Bank of America, Merrill Lynch, Wells Fargo, and Pershing are board mem-
bers of this group.

6. Regulatory developments

Until recently, the industry and the government have propounded a stance
of self-regulation. The federal government's position was that it did not want
to impose regulation prematurely and thereby sti¯e a process that was still in
the stages of infancy. As Federal Reserve Chairman, Alan Greenspan (1996)
remarked during the early years of Internet banking, ``If we wish to foster ®-
nancial innovation, we must be careful not to impose rules that inhibit it''. To
this extent, the 1999 GAO report on electronic banking found di€ering levels of
regulatory examination on Internet banking activities. The FDIC and the
Oce of Thrift Supervision (OTS) reviewed the institutions' online banking
activities during the ®rst examination of the institution after it has gone online.
On the other hand, the Federal Reserve System (FRS) and the OCC did not
require that an institution's new online banking operations be examined, rea-
soning that the relatively small size of online services did not present a safety
and soundness concern for the bank. The National Credit Union Association
(NCUA) was the only regulator that had not established procedures for online
banking examinations.
But as electronic banking evolves, this attitude of self-regulation is in-
creasingly under pressure from all sides. In February of 2000, the FRS released
draft guidance for examiner use in reviewing a bank's electronic delivery sys-
tems, and added a training web site to aid examiners (Valentine, 2000). The
draft guidance is divided into four functional examination areas, namely ad-
vertisements, lending, deposits, and stored value products. The guidance ad-
dresses applicable laws and regulations that a€ect on each of these areas, with
2118 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

the overall objective to ensure that the consumer protections that apply to
paper-based delivery systems are also applied when delivery is made via elec-
tronic channels.
Recent regulations and legislative developments include the following:
Electronic Signatures in Global and National Commerce Act: The E-Sign Act,
as it is more commonly known as, was e€ective October 1, 2000, with record
retention requirements e€ective from March 1, 2001. It provides the general
rule of validity for electronic records and signatures for transactions in or af-
fecting interstate or foreign commerce. Moreover, it allows a ®nancial insti-
tution to provide electronic disclosures in lieu of written disclosures while
conducting business over the Internet, once the consumer's consent has been
obtained (FDIC, 2000a, E-Sign Act).
Gramm±Leach±Bliley Act: Full industry compliance with this law, otherwise
known as the Financial Modernization Act, is scheduled for July 1, 2001. This
act requires ®nancial institutions to establish appropriate standards relating to
the administrative, technical, and physical safeguards of customer records and
information. In addition, the law speci®cally addresses the issue of privacy of
consumer ®nancial information and requires that ®nancial institutions notify
their customers of their privacy policies in writing (FDIC, 2000e, Security
Standards). 9
The Anti-Cybersquatting Consumer Protection Act: Legal resource against
domain name protection is available under this act which prohibits registering
or using a domain name that is confusingly similar to another name, with the
intent of pro®t (FDIC, 2000d, Internet Domain Names).
The Interim Rule to the Electronic Funds Transfer Act (EFTA): Regulation
E establishes certain rights and liabilities for participants in EFTs, such as
account activities, disclosures, and error resolution. The Interim Rule to
Regulation E, e€ective March 20, 1998, allows depository institutions to de-
liver communications regarding disclosure, etc. by electronic communication,
as long as the consumer agrees to such delivery.
The guidance on electronic ®nancial services and consumer compliance
(Federal Financial Institutions Examination Council, 1998) issued by the ®ve
regulatory agencies (FRS, FDIC, OCC, OTS, and NCUA) speci®cally ad-
dresses some traditional banking activities and the regulatory burden on banks
when these services are o€ered via an electronic channel.

9
The FDIC conducted a survey of Internet privacy policies of insured depository
institutions between May and July of 1999. They found that only 40% of the banks
surveyed had at least one privacy disclosure posted on their website (FDIC, 2000c), which was
below the industry average of 48%. However, this 40% disclosure rate represented a 100%
increase over the 1998 survey in which only 20% of the websites listed at least one privacy
disclosure.
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2119

Advertising and information-only systems: Truth in Lending Act (Regulation

Z), Equal Credit Opportunity Act (Regulation B), Consumer Leasing Act
(Regulation M), Truth in Savings Act (Regulation DD), and Fair Housing Act
apply, and disclosure regarding these acts must be posted in a ``clear and
conspicuous'' manner on the electronic medium.
Online depository services: The following acts must be posted: Regulation E
(EFTA), Expedited Funds Availability Act, Regulation DD, Reserve Re-
quirements of Depository Institutions (Regulation D). Disclosures must be
delivered in a timely manner and should be ``clear and readily understand-
able''.
Lending and leasing services: The disclosures and procedures required by the
Equal Credit Opportunity Act, Home Mortgage Disclosure Act, Regulation
M, Regulation Z, Unfair and Deceptive Practices Act, Community Reinvest-
ment Act, Fair Credit Reporting Act, and Fair Housing Act apply to online
lending.
Non-deposit investment products: The institution should ensure that ap-
propriate notices are posted indicating whether the services are not FDIC
insured, not guaranteed by the bank, and therefore subject to loss of
principal.
As banks move toward account aggregation, privacy issues abound. The
OCC chief counsel, in a recent conference on account aggregation, suggests
that ``lapses in security . . . could be devastating,'' and calls for a ``no surprises''
approach for customer relationships concerning aggregation and privacy (ABA
Bank Compliance, May 2001). Banks should ensure compliance with the
Gramm±Leach±Bliley Act. In February 2001, the OCC issued a guidance for
bank aggregation services that discusses the risks involved and suggests control
mechanisms that banks should consider when they o€er such services (OCC,
2001). The bulletin details three basic compliance issues: Regulation E, asset
management, and privacy. Regulation E does not speci®cally address the re-
sponsibility of aggregators and it is not clear who bears the responsibility of an
unauthorized transaction. Thus, as a safeguard, if the aggregation client is
provided links to other pages, the bank should post information regarding the
risks involved and details on the availability or lack of FDIC insurance. In
addition, the OCC has released a booklet that discusses the policies and pro-
cedure for setting up an Internet-only bank. This document speci®cally ad-
dresses the risks encountered when a narrow range of products and services are
targeted (Community Banker, 2001).
Hence, regulators who once were unwilling to curb the ¯edgling industry of
Internet banking are now addressing protocol and controls due to concerns
regarding safety, soundness, and lending practices. As more banks adopt fully
transactional websites, this regulatory scrutiny is likely to increase. Conse-
quently, an adequate risk management process should adhere to regulatory
compliance and be alert to impending legislative directives.
2120 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

7. Summary and conclusion

There is little doubt that Internet banking is here to stay. As banks venture
into e-banking, many challenges and strategic choices arise. Technology
companies are threatening the bank's turf in the areas of account aggregation,
B2B and C2C transactions. How banks respond to these challenges will de-
termine their role and stake in facilitating e-commerce; will they be merely
passive conduits in electronic exchanges or be actively involved in all the
processes required for such transactions? The infrastructure necessary for such
B2B arrangements is daunting, and therefore, perhaps the best option for
banks is to forge strategic alliances with the technology companies that provide
these services.
The development of an e-commerce portal is the next frontier for banks with
an established Internet presence. Facilitated by Gramm±Leach±Bliley, a ®-
nancial institution's e-commerce portal can o€er a multitude of services and
links such as brokerage, insurance, real estate services, and related links.
Mariyappa (2001) provides some caveats for banks that choose to develop their
own e-commerce portal. He argues that a vertical portal that is integrated with
home banking, bill payment, account aggregation, and cash management ca-
pabilities is the only way for a meaningful online experience for Internet
banking customers. However, smaller banks may opt to participate in a larger,
third-party portal, and prefer to be a hyperlink from a high-trac portal.
In the scope of e-payment systems, banks also face the encroachment on
their territory from non-bank technology companies. So far, none of the
payments systems pro€ered by banks has enjoyed the popularity of the Palo
Alto start-up, PayPal. To this end, the Payments System Development Com-
mittee, created by the Federal Reserve, seeks to enhance innovation, identify
barriers to such innovations, and engages in discussions with the private sector
regarding retail payments issues.
However, risks increase as customers, businesses, and banks adopt elec-
tronic channels of communication. For instance, PayPal is not protected by the
FDIC and, as a privately held company, faces little regulatory scrutiny. Reg-
ulatory impact is also murky for non-bank companies that provide account
aggregation. The regulation of non-bank aggregators is still being debated.
Under the provisions of Gramm±Leach±Bliley, non-bank aggregators are
considered ®nancial institutions if they are deemed to be performing ®nancial
functions. However, the Bank Service Cooperation Act states that regulators
can also examine any third-party providers of services for banks. An intera-
gency discussion regarding the safety and security of aggregation services is
now under way (McNee, 2001).
Traditional banking risks are magni®ed in an electronic medium. Online
banking also faces a myriad of risks that are speci®c to conducting sensitive
business over the Internet. Thus, regulators have to walk a thin line between
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2121

fostering innovation and promoting self-regulation while protecting the safety

and stability of the ®nancial system. The recent guidances and bulletins issued
by the various regulatory bodies suggest a growing trend toward increased
oversight and the establishment of suitable control mechanisms for the risks of
electronic banking. As Michael Moskow, Chicago Federal Reserve President,
said recently, ``the ¯uidity of the ®nancial marketplace raises challenges for
regulators, who must be ¯exible enough to ensure that innovation is not sti¯ed,
while also ensuring that the ®nancial industry remains safe and sound''
(Moskow, 2001). As the technological landscape is constantly evolving and
changing, regulators are also aware that policies might be outdated even before
they are fully implemented.
Today, many banks are looking toward the wireless world as the next
generation of electronic delivery. In their quest for their role in the virtual
world, banks need to be cognizant of the issues involved and be proactive in
taking steps to mitigate risk exposure through well-de®ned risk management
policies and procedures.

Acknowledgements

Financial support from the Louisiana Tech University DEFE grant is

gratefully acknowledged. I thank John Barkoulas, the editor, and two anon-
ymous reviewers for their helpful comments, and Barbara Allison for expert
editorial advice.

References

ABA Bank Compliance, May 2001. Aggregation and privacy, p. 7.

Altman, L., Simon, A., Bhandari, A., Hyatt-Shaw, Z., 2001. Run for the money: The battle for online
aggregation business. At http://www.strategy-business.com/enews/011501/enews011501.html.
Basel Committee report on banking supervision, 1998. Risk management for electronic banking
and electronic money activities. Bank of International Settlements, Basel.
Basel Committee report on banking supervision, 2000. Electronic Banking Group initiatives and
White Papers, #76. Bank of International Settlements, Basel.
Basel Committee report on banking supervision, 2001. Risk management principles for electronic
banking, #82. Bank of International Settlements, Basel.
Bruno, M., 2001. Secure. Really? U.S. Banker (May), 22.
Community Banker, 2001. OCC issues manual on setting up Internet bank, March, p. 52.
DeYoung, R., 2001a. The ®nancial performance of pure play Internet banks. Economic
Perspectives, Federal Reserve Bank of Chicago 25 (1), 60±76.
DeYoung, R., 2001b. The Internet's place in the banking industry. Chicago Fed Letter, Federal
Reserve Bank of Chicago (March), 163.
Epper, K., Kutler, J., 1995. Dinosaur remark by Gates sets o€ technology alarms. The American
Banker (January 4), 16.
2122 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123

FDIC, 1999. Federal Deposit Insurance Corporation. Risk assessment tools and practices for
information system security, Financial Institution Letters. At http://www.fdic.gov/news/news/
®nancial/1999/®l9968a.html.
FDIC, 2000a. Federal Deposit Insurance Corporation. Electronic signatures in Global and
National Commerce Act, Financial Institution Letters. At http://www.fdic.gov/news/news/
®nancial/2000/®l0072.html.
FDIC, 2000b. Federal Deposit Insurance Corporation. FDIC DOS manual of examination
policies: Electronic banking, Section 4.6. At http://www.fdic.gov/regulations/safety/manual/
00EBANK.htm.
FDIC, 2000c. Federal Deposit Insurance Corporation. Financial institution web site privacy
survey, Financial Institution Letters. At http://www.fdic.gov/news/news/®nancial/2000/
®l99113.html.
FDIC, 2000d. Federal Deposit Insurance Corporation. Protecting Internet domain names, Bank
Technology Bulletin. At http://www.fdic.gov.
FDIC, 2000e. Federal Deposit Insurance Corporation. Security standards for customer informa-
tion, Financial Institution Letters. At http://www/fdic.gov/news/news/®nancial/2000/
®l0043.html.
Federal Financial Institutions Examination Council, 1998. Guidance on electronic ®nancial
services and consumer compliance. At http://www.ec.gov/PDF/EFS.pdf.
Ferguson, R., 1998. Electronic banking: Where are the customers? What do they think? What does
it mean for the Federal Reserve? Remarks at the Bank Administration Institute's Symposium
on Payments System Strategy, Washington, DC.
Ferguson, R., 2000. Information technology in banking and supervision. Remarks at the Financial
Services Conference 2000, St. Louis University, St. Louis, Missouri.
Furst, K., Lang, W., Nolle, D., 2000. Who o€ers Internet banking. Quarterly Journal, Oce of the
Comptroller of the Currency 19 (2), 29±48.
General Accounting Oce, 1999. Electronic banking: Enhancing federal oversight of Internet
banking activities, Statement of Richard J. Hillman, Washington, DC.
Global Integrity announces ®nancial services information sharing and analysis center, 1999. At
http://www.globalintegrity.com/09301999.html.
Greenspan, A., 1996. Regulations of electronic payment system. Statement at the U.S. Treasury
Conference on Electronic Money & Banking: The Role of the Government, Washington, DC.
Hawke, J., 2001. Internet banking. Remarks before a Conference on Financial E-Commerce,
Federal Reserve Bank of New York, New York.
Keizer, G., 2000. CNET review. At http://www.cnet.com/internet/0-3761-7-2t.cn.3761-7-
2040210.txt.
Koller, L., 2000. Web banks in trouble. Bank Technology News. At wysiwyg://136/h wysiwyg://136/
://www.banktechnews.com/btn/articles/btnsept00-2.shtml.
Kuykendall, L., 2001. Amex says e-wallet proved too awkward: Product's demise puts concept in
doubt; its partisans persist. American Banker (June 22), 1.
Luke, R., 2000. You've got cash! Banking Strategies (September/October), 35±46.
Mariyappa, T., 2001. Financial portals. Bank Marketing (March), 22±25.
Marlin, S., 2001. Regionals better than top banks at handling e-mail communications, survey ®nds.
Bank Systems & Technology (April), 10.
Messmer, E., 2001. Banks explore B2B payment options. Network World (May 7), 57.
McNee, A., 2001. Lack of regulation increases insecurities. At http://www/erisk.com/news/analysis/
news_analysis 2001-05-22_01.asp.
Moskow, M., 2001. Productivity, innovation, and Internet banking in the United States. Statement
at the 2001 Economic and Financial Summit, Taipei, Taiwan.
Nathan, L., 1999. Community banks are going online. Communities and Banking, Federal Reserve
Bank of Boston 27 (Fall), 2±8.
 A.K. Pennathur / Journal of Banking & Finance 25 (2001) 2103±2123 2123

OCC, 1998. Oce of the Comptroller of the Currency. Technology risk management: PC banking,
OCC 98-38. At http://www.occ.treas.gov/ftp/bulletin/98-38.txt.
OCC, 1999. Oce of the Comptroller of the Currency. Infrastructure threats from cyber-terrorists,
OCC 99-9. At http://www.occ.treas.gov/ftp/bulletin/99-9.txt.
OCC, 2000. Oce of the Comptroller of the Currency. Basel committee report addresses the
supervisory challenges of electronic banking, NR 2000-82. At http://occ.treas.gov/ftp/release/
2000-82.doc.
OCC, 2001. Oce of the Comptroller of the Currency. Bank-provided account aggregation
services, OCC 2001-12. At http://www.occ.treas.gov/ftp/bulletin/2001-12.doc.
Potter, M., 2000. Internet banking & fraud: Making business less risky. Community Banker 9 (7),
42±43.
Roth, A., 2001. Banks fund B2B payment system e€ort. American Banker. At http://www.amer-
icanbanker.com/PSUser/ABC_Story.html?doc_id ˆ 200010424TECH335.
Sandoval, G., 2001. PayPal, BBB come to terms on customer service rating. At http://
news.cnet.com/news/0-1007-200-4578975.html?tag ˆ rltdnws.
Sinkey, J., 1998. Financial innovation, information technology, and corporate restructuring. In:
Commercial Bank Financial Management. Prentice Hall, NJ, pp. 795.
Smith, G., 2000. Why PayPal may survive Citi's onslaught. At http://www.businessweekonline.com.
Solomon, E.H., 1999. What should regulators do about consolidation and electronic money?
Journal of Banking and Finance 23, 645±653.
Spivey, J., 2001. Banks vault into online risk. Security Management 45 (1), 132±138.
Streeter, W., 2001. Top issues & trends. ABA Banking Online. At http://www.banking.com/aba/
management_trends.asp.
Sullivan, R., 2000. How has the adoption of Internet banking a€ected performance and risk in
banks. Financial Industry Perspectives, Federal Reserve Bank of Kansas City (December),
1±16.
Valentine, E., 2000. Compliance implications of electronic delivery systems: Guidance is coming.
SRC Insights, Federal Reserve Bank of Philadelphia 4 (4).
Wall Street Journal, 2000. Visa reveals hacker stole computer data, demanded ransom. January 19.
Wenninger, J., 2000. The emerging role of banks in e-commerce. Current Issues in Economics and
Finance, Federal Reserve Bank of New York 6 (3).