This website allows some interaction between the bank and customers, where the latter may send information and make account enquiries. The modes may include email, online forms and account enquiries. These sites present a higher level of risk as they may provide the path to the banks’ internal networks via email or attachments. Banks are expected to have in place controls to prevent, monitor and alert management of any unauthorized attempt to access the banks’ internal network.
This website allows customers to execute transactions and presents the greatest risk to banks as it provides a link to a bank’s internal network and the computer systems holding the account information. These sites would require the highest level of protection, including encrypted transmission of highly sensitive data.
Bank Negara provided preferential treatment to domestic banks in the timing of these approvals:
- Domestic banks were allowed to establish Communicative or Transactional websites with effect from June 1, 2000;
- Locally incorporated foreign banks were allowed to establish Communicative websites with effect from January 1, 2001; and
- Locally incorporated foreign banks were allowed to establish Transactional websites with effect from January 1, 2002.
Acknowledging the risks involved with Internet banking, Bank Negara has outlined guidelines on how each of these risks is to be approached and eliminated where possible, or at least minimized (PriceWaterhouseCoopers, 2001).
Strategic Risk
- Senior management should ensure that Internet banking products are consistent with the bank’s overall strategic plans and that the risks and ramifications of offering such products over the Internet are within the bank’s risk tolerance.
Transaction Risk
- Senior management should ensure the availability of adequate operating policies and procedures, auditing standards, effective risk monitoring processes including contingency and business resumption plans.
Compliance Risk
- Senior management should ensure that the Internet banking system is designed and operated in a manner that complies with relevant laws and guidelines. This should include monitoring developments and changes in consumer and banking laws and regulations.
Reputation Risk
- Senior management needs to undertake immediate and effective remedies to address operational failures or unauthorized intrusions and ensure that timely responses are taken to address adverse customer and media reaction.
Traditional Banking Risk
- Banking institutions offering Internet banking still face the same types of traditional risks, such as credit risk, interest rate risk, liquidity risk and price risk.
- Develop appropriate systems to manage the various types of traditional banking risks.
Bank Negara also charges the board of directors with specific duties with respect to Internet banking. The board of directors should oversee the conduct of the Internet banking business and ensure that it does not create a substantial risk of serious loss to depositors. Bank Negara’s stand on risk management practices is as follows:
Risk Planning
- When contemplating and implementing uses of technology, senior management should engage in a rigorous analytic process to identify and quantify risks, to the extent possible, and establish risk controls to manage risk exposures.
- The board of directors should review, approve and monitor Internet banking technology-related projects that may have a significant impact on the banking institution’s risk profile.
Implementation of the Technology
- Proper implementation of the Internet banking system requires senior management to establish controls, policies and procedures, training, testing, contingency planning and proper oversight of any outsourcing.
- It is the responsibility of the senior management to select the right mix of the Internet banking technologies and products for the banking institution, and ensure that they are properly installed.
Measuring and Monitoring Risk
- Senior management should use an integrated risk management approach to identify, measure, monitor and control risks, as with all other risks, to avoid excessive risk taking that may threaten the safety and soundness of the institution arising from the offering of products and services on the Internet.
- The board of directors should receive timely and reliable reports on the technology employed, risks assumed and how those risks are managed. Internet banking systems should be reviewed periodically to ensure that they meet performance standards.
Internet Banking Security Program
- Enforce appropriate policies and procedures
- Establish IT security framework and organization structure
- Conduct periodic security risk assessments
- Establish reporting procedures for security breaches
- Establish security awareness programs
- Establish contingency and business resumption plans
- Establish objective review and audit requirements
- Establish proper outsourcing and facilities management, if applicable.
Staff and Expertise Requirements
- Senior management should identify special staffing and training needs for personnel involved in system development, operation and customer support.
- Where internal expertise is unavailable, management should obtain appropriate external support to help plan, operate and monitor the Internet banking system.
- Training programs should also include outreach to customers to ensure that a banking institution’s customers understand how to use or access the Internet banking system and that they are able to do so in an appropriate and sound manner.
Growth Potential
Vinton Cerf, the father of the Internet, envisions an online environment populated by billions. The Internet, which was born in 1969, will certainly ‘catch fire’ according to Cerf. Cerf estimates that three billion users will be online by 2010, and the number of devices online could be anywhere from six billion to 30 billion by 2020. Cerf prophesies that by 2030 we will be speaking to our computers and other appliances and they will respond (Harmon, 2001).
Surveys undertaken by the World Bank do support Cerf’s notion of ‘catching fire’, especially in the more industrial nations (Table 1). Although the World Bank surveys did not include Malaysia, one can safely assume that Malaysia’s estimates would not be too much lower than those of Singapore, which is included in the study.
Table 1: Connectivity across countries, 1999
Source: Claessens, Glaessner, Klingebiel (2001), p.13.
A similar study by SalomonSmithBarney on the Asia-Pacific countries indicates that only 10-15 percent of the Malaysian population has Internet access currently (Table 2). Internet devices are forecast to reach 3.14 million in 2004. This projection indicates that Internet banking would have an enormous potential. On personal computer ownership, the growth rate is set at about 2.5 percent per annum (Table 3).
Table 2: Asia-Pacific Internet Users, 1999-2005 (Millions)
Source: SalomonSmithBarney (2000)
Table 3: Asia-Pacific PC Penetration into Households, 1999-2005 (Percent)
Source: SalomonSmithBarney (2000)
The World Bank has also estimated the level of penetration of e-banking (Table 4). It is interesting to note that electronic transactions have made greater inroads into the securities markets as opposed to online banking.
Table 4: E-Finance Penetration, end 1999
Source: Claessens, Glaessner, Klingebiel (2001), p.11.
With tremendous potential in sight, it is little wonder that banks are prepared to invest heavily in the digitization of products and services. While income from e-banking per se is not readily available, an approximate guide to the growth of revenue from e-transactions can be obtained by viewing the revenue from e-commerce (Table 5).
Table 5: Internet Commerce Revenue in Malaysia
Source: SalomonSmithBarney (2000)
Total revenue from e-commerce in Malaysia was RM224.2 million. By the year 2004, the corresponding figure is expected to reach RM11.4 billion.
Market Response
An important factor pushing both banks and clients into the world of electronic impulses is the cost (Table 6).
Table 6: Transaction Cost by Channel (US Dollars per Transaction)
Source: SalomonSmithBarney, (2000)
As can be viewed from Table 6, the cost of Internet banking is almost negligible. Although the estimates given in the table represent US data, Malaysian figures cannot be too different in terms of the relative cost of monetary transactions.
Despite the speed at which Internet banking is trickling into the economy, a survey reported by Agence France-Presse (2001) claims that Asian customers prefer the ‘warmth of human interaction’ compared to the net. According to this survey, face-to-face contact is the preferred method of banking for 87 percent of respondents in China and Thailand, followed by 86 percent for Malaysia.
The market has of course been doing its share to prepare the grounds for greater utilization of e-banking. Table 7 shows a survey by the World Bank on creating an enabling environment.
Table 7: Progress in creating an enabling environment
Source: Claessens, Glaessner, Klingebiel (2001), p.27.
As mentioned earlier, although Malaysia may not be included in the survey, one can nevertheless determine the important questions related to making the environment favourable for the growth of e-banking. As shall be discussed in a later chapter on cyberlaws, the answers to all three questions (Table 7) for Malaysia would be affirmative. This indicates that in Malaysia, the foundation for the proliferation of digitized financial transactions is already in place. On the other hand, banks have also been eager to evaluate their level of success. A survey undertaken in the US is presented below (Table 8).
Table 8: How US Banks Measure the Success of Their Online Services
Source: Forrester Research, (May 2002) available at
With numerous surveys being undertaken, it is not uncommon, however, to find results that are not exactly identical. Whilst Table 8 applauds banks’ success, Tables 9 and 10 highlight problems associated with electronic financial services. Although the surveys covered only developed countries, the findings are nevertheless relevant for Malaysians. While the percentages given in the findings may differ, the issues still remain the same and hence must be taken seriously.
Table 9: Why Customers Dropped Banks’ Electronic Bill-Pay Services in 2001 (US)
Source: Gartner Group, December 2001 available at
Table 10: Consumer Attitudes Toward Online Financial Services
Source: American Express/International Communications Research available at
Finally, there is an issue that is a major concern not only for bankers but also for customers. Cost of funds to customers as well as bottom line profits for bankers are a function of net interest margins. Estimates produced by the World Bank point towards squeezed interest margins with the onset of the online revolution. The average net interest margin in emerging economies like Malaysia was estimated to be approximately 4.39 percent in 1997. By the year 2005, the corresponding figure will only be 3.85 percent and five years hence (2010) the figure is expected to reach 2.50 percent (Table 11).
Working with such minuscule margins is not going to be easy for banks. Only the fittest would survive. Extreme efficiencies in all aspects of operations will become essential if respectable profits are to be generated. One would expect that mergers and acquisitions, which currently occur largely due to Bank Negara’s ‘persuasion’, will take place of their own accord. To save costs, banks will seek to get as many transactions as possible over the Net. To enjoy the benefits of cost savings, banks must succeed in gaining a critical mass in Net activity. For this to occur, banks must demystify online activity and work towards overcoming customer unease with regard to Net transactions. The areas of glitches and structural weaknesses that need to be addressed are discussed below.
Structural Weaknesses
Traditionally, financial markets have taken their time to evolve, largely in view of being very dependent on labour-intensive processes. These human-centered processes have brought the market to its current stage. It must be remembered that confidence is a very important ingredient for the growth of financial markets and, despite delays and ‘human errors’, the labour-dependent processes have built acceptable frameworks and workable procedures. A vital question at this juncture is whether the ongoing development and introduction of automated systems, of varying degrees of sophistication, to the financial markets is going to affect confidence and consequently the growth of these markets.
Table 11: Projected impact of e-finance on banks’ net interest margins, 2005 and 2010
Source: Claessens, Glaessner, Klingebiel (2001), p.21.
Fan et al. (2002) highlight areas where structural weaknesses in electronic transactions could result in serious disasters amounting to losses that may run into millions, if not billions.
- Hardware Faults. Computer hardware, including the processors, memory management or storage devices, can crash.
- Software Faults. Software faults can originate from a single error in a segment of code. The faults can also come from erroneous reactions of software to some imperfections in the hardware or other software segments.
- Communication Faults. When communicating in an open network, messages can be lost, duplicated or corrupted. Techniques such as checksums or digital signatures can detect corrupted messages, but the original messages would still have to be resubmitted.
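The communication-fault case can be made concrete with a small receiver that detects all three conditions and works out what has to be resubmitted. This is an added example, not code from Fan et al. or from this article; it uses HMAC-SHA256 in place of the checksum or digital signature the text mentions, and the key, frame layout, function names and `expected_count` parameter are assumptions made for the illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by sender and receiver
TAG_LEN = 32                   # HMAC-SHA256 output size in bytes

def seal(seq, payload):
    """Sender: prefix a 4-byte sequence number and append an HMAC-SHA256 tag."""
    header = seq.to_bytes(4, "big")
    return header + payload + hmac.new(KEY, header + payload, hashlib.sha256).digest()

def receive(frames, expected_count):
    """Classify each frame and list the sequence numbers to be resubmitted."""
    accepted, report = {}, []
    for frame in frames:
        if len(frame) < 4 + TAG_LEN:
            report.append(("corrupted", None))
            continue
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        seq = int.from_bytes(body[:4], "big")
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            report.append(("corrupted", seq))  # seq is untrusted on this path
        elif seq in accepted:
            report.append(("duplicate", seq))
        else:
            accepted[seq] = body[4:]
            report.append(("ok", seq))
    # Resubmission is driven by what was accepted, never by untrusted headers.
    resubmit = [s for s in range(expected_count) if s not in accepted]
    return accepted, report, resubmit

def demo():
    """Constructed traffic: frame 1 corrupted, frame 2 lost, frame 3 duplicated."""
    sent = [seal(i, b"transfer #%d" % i) for i in range(4)]
    damaged = bytearray(sent[1])
    damaged[6] ^= 0x01             # flip one payload bit in transit
    return receive([sent[0], bytes(damaged), sent[3], sent[3]], expected_count=4)

if __name__ == "__main__":
    accepted, report, resubmit = demo()
    print(report)
    print("resubmit:", resubmit)
```

The tag only reveals that frame 1 was altered; the receiver cannot repair it, so both the corrupted and the lost message end up on the resubmission list.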
Kane (1998) presented a classic example of a computer glitch, which resulted in the Dow Jones Industrial Average being erroneous for 12 minutes. This happened on the morning of October 8, 1998. The computer was found to have latched on to a wrong price. On November 24, 1998, the Tokyo Stock Exchange futures and options trading system failed. This went on for two days. With the bond futures screens blacked out, market quotes were not available and trading came to a halt. The bug was eventually located in the computer program that controlled transmission between the Tokyo Stock Exchange’s host server and the client servers. Not even NASDAQ has been spared technical failures. On February 18, 2000, quotes for the NASDAQ composite index were not available for more than 2 hours due to a glitch at its Connecticut office.
Fraud has been with banking presumably since the time banking commenced. But online fraud is becoming a new game, especially for computer whiz kids. In September 2000, 15-year-old Jonathan Lebed was charged by the Securities and Exchange Commission with stock fraud (Wall Street Journal, September 21, 2000). Lebed had purchased a thinly traded stock and had subsequently posted hundreds of false messages on message boards touting the stock by using fictitious names (the infamous ‘pump and dump’). He then sold his stock for a thumping profit. Lebed had also done the same thing earlier in the year.
A month before Lebed’s conviction, Mark Jakob, a 23-year-old man, was arrested by the FBI for manipulating information leading to stock price changes. Jakob announced bogus news via Internet Wire, a company that offers Internet-based press releases. The fake release warned of a variation in earnings statements and of the resignation of an executive. The share price of the company concerned plunged by 60 percent, reducing its market capitalization by approximately $2.5 billion.
IT experts may however discard these ‘unfounded fears’ by offering fault-tolerant and ‘hacker-free’ systems. Fan et al. (2002) mention a number of fault-tolerant approaches that can counter the mentioned problems. These approaches include:
- Hardware Redundancy. For example, to use additional computers and storage devices.
- Software Redundancy. For example, to provide software that will take over when errors are detected.
- Active Replication. All replication components are executed concurrently and their internal states are closely synchronized. Active replication uses fault masking to hide the occurrence of faults. One fault-masking technique is to use a group of servers, each running on a different computer. It uses a group management mechanism. The group output is determined from the outputs of individual members. If the system does not incur errors, then only one output from the multiple components will be picked. If there are errors in the system, a majority vote is used to determine the correct output. For example, suppose there are three replicated components running concurrently. If there is a single error, then two components will produce the correct value and one will not. The result of the majority will be used for the output. This mechanism will not work if there are only two replicated components. When one component produces the correct output and the other one the wrong one, it is not possible to tell which component has gone wrong.
- Passive Replication. In passive replication, only one master component is active, but other replication components’ internal states are regularly updated by means of checkpoints from the active component. Passive replication achieves fault tolerance by detecting the existence of faults and performing certain actions to remove faulty components from the system.
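The two replication schemes behave differently under the same fault, which a short simulation shows. This is an added example, not code from Fan et al. or from this article; the function and class names, the off-by-one fault and the transfer amounts are constructed for the illustration.

```python
from collections import Counter

class NoMajority(Exception):
    """Replicas disagree and no value holds a strict majority."""

def vote(outputs):
    """Active replication: return the value a strict majority of replicas produced."""
    value, count = Counter(outputs).most_common(1)[0]
    if count * 2 <= len(outputs):
        raise NoMajority(f"no strict majority among {outputs!r}")
    return value

def apply_transfers(balance, transfers, faulty=False):
    """One replica's computation; a faulty replica returns a corrupted result."""
    result = balance + sum(transfers)
    return result + 1 if faulty else result  # constructed fault: off by one

def run_active(n_replicas, faulty_ids, balance, transfers):
    """Run every replica on the same input, then vote on the group output."""
    outputs = [apply_transfers(balance, transfers, faulty=(i in faulty_ids))
               for i in range(n_replicas)]
    return vote(outputs)

class PassivePair:
    """Passive replication: the master works, the backup only receives checkpoints."""
    def __init__(self, balance, checkpoint_every):
        self.master = balance
        self.backup = balance        # state as of the last checkpoint
        self.every = checkpoint_every
        self.pending = []            # transfers applied since that checkpoint

    def apply(self, amount):
        self.master += amount
        self.pending.append(amount)
        if len(self.pending) == self.every:
            self.backup, self.pending = self.master, []

    def fail_over(self):
        """Drop the faulty master; return the backup state and transfers to replay."""
        lost, self.pending = self.pending, []
        self.master = self.backup
        return self.master, lost

if __name__ == "__main__":
    transfers = [250, -100, 40]      # constructed sample input
    print(run_active(3, {1}, 1000, transfers))   # one fault, masked by the vote
    try:
        run_active(2, {1}, 1000, transfers)
    except NoMajority as exc:
        print("detected but not masked:", exc)
    pair = PassivePair(1000, checkpoint_every=2)
    for amount in transfers:
        pair.apply(amount)
    print(pair.fail_over())          # backup state plus the transfer to replay
```

Voting masks a fault only while the faulty replicas are a minority: two replicas that fail identically, for instance by running the same buggy code, outvote the correct one. The passive pair resumes from its last checkpoint, so any transfer applied after that checkpoint has to be replayed.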
Table 1: Internet Access Cost Per Month (US$)
Source: New Straits Times (IDC Asia-Pacific), August 18, 1998.
References
Agence France-Presse, (2001), “Online Banking Takes Off in Asia”, available at
American Express/International Communications Research quoted in “Statistics for Online Banking”, by
Claessens, S., Glaessner, T., and Klingebiel, D., (2001), “E-Finance in Emerging Markets: Is Leapfrogging possible?”, Financial Sector Discussion Paper No. 7, World Bank.
Fan, M., Srinivasan, S., Stallaert, J., and Whinston, A., (2002), Electronic Commerce and the Revolution in Financial Markets, Thomson Learning Inc.
Forrester Research, (May 2002), quoted in “Statistics for Online Banking”, by
Gartner Group, (December 2001), quoted in “Statistics for Online Banking”, by
Harmon, S., (April, 2001), “The Future of the Internet”, Smart Investor, Issue 132.
Kane, M., (October 8, 1998), “Computer glitch trips up Dow Jones industrial average”, ZDNet.
PriceWaterhouseCoopers, (September 21, 2001), “Guidelines on Internet Banking”, a seminar presented by Ronald Yap, from Global Risk Management Services.
Rajashekar, N., (2001), Banking in the New Millennium, ICFAI Press.
SalomonSmithBarney, (September 11, 2000), “E-Finance in Asia: The Internet’s Impact on Malaysian Banks”, Equity Research Malaysia: Industry Report.
Wall Street Journal, (September 21, 2000), “Teenager trader runs afoul of the SEC as stock touting draws charges of fraud”.