The Board (Board) and management team members of Forrest City Bank (“Bank”) have identified a growing need to establish and document the institution's policy and approach to Internet banking activities. Recent regulatory agency issuances detail suggested bank and bank holding company focus areas, including the need to establish specific internal operating guidelines for such activities, and the subsequent need for regulators to examine Internet banking activities and related systems.
While there are inherent risks with any type of banking activity, the benefit of diversifying banking channels, for example, offers customers more flexibility in accessing funds or requesting information for products or applying for loans. Likewise, Internet banking will assist bank management to more efficiently manage customer services, help customers manage liquidity or handle other banking transactions, potentially reduce exposures to security risks, and generate more income. For these reasons, and others unknown at this time, the Board wants to carefully proceed into the Internet banking business.
Accordingly, directors and management must scrutinize not only the bank's level of risk, but also the bank's ability to manage that risk. While Internet banking has quickly become recognized as an important next step in banking channels for customers, there are certain risks inherent with any new delivery channel. For example, control weaknesses such as inadequate line security, poor disbursement of confidential personal identification numbers (PINs), poor servicing, or inadequate planning are, alone or in combination, factors that will impact a bank's reputation as an institution with which customers enter into an Internet banking relationship. Furthermore, in planning each aspect of Internet banking, the impact of information searches, data processing, data retrieval, and data output as it relates to personal computer/local area network (PC/LAN) systems within the organization is of primary concern.
It is the objective of the Board to establish effective policies and procedures for Internet banking that are consistent with safe and sound banking practices and are appropriate to the size of the bank and the nature and scope of its operations.
GENERAL POLICY OBJECTIVES
The objective of this policy is to establish guidelines for Forrest City Bank's involvement in Internet banking systems, which are emerging and increasingly important banking activities due to:
• Increasing competition from nonbank financial services companies
• Growing competition from the telecommunications industry
• Emerging competition from systems and/or software developers
• Growing demand for more efficient and convenient capabilities
• Accelerating costs and cost differentials between electronic capabilities and traditional delivery channels
The Board will establish parameters for such involvement, including limitations to various risk exposures. The establishment of an Internet banking business focus, as a function of the overall bank strategic plan, will provide the corporate vehicle for a wide range of products and services activities and marketing management techniques and activities.
SPECIFIC POLICY GOALS
Forrest City Bank will consider Internet banking in one or more of the following three types of Internet banking activities:
• Electronic information transfer systems
• Electronic payment systems
Participation in such activities will be undertaken to achieve, or in support of, the following goals:
• Developing new market competition opportunities and alternatives
• Meeting customer demands for more efficient and convenient banking capabilities
• Enhancing opportunities for overall bank growth within reasonable risk tolerances as guided by the bank's strategic plan
• Providing additional alternative income-generating banking functions to enhance bank profitability
• Reducing costly operational and/or transactional scenarios, as possible
• Leveraging internal operational capacities
GENERAL POLICY CONSIDERATIONS
In order to achieve the objective of this policy as aforementioned, the following considerations have been defined and the Internet Banking procedures will be designed to support these considerations.
a. Internet Banking services are to be offered only to customers of the Bank, and will be offered as a service to those customers to provide access to account information, the ability to transfer funds among the customer's own accounts within the Bank provided they are an authorized signer on the accounts, and to obtain information about the Bank's products and services.
b. The Bank will outsource to third parties for the technology required to deliver Internet Banking services to its customers. Prior to contracting for such services, the Bank will perform reasonable due diligence in the analysis of the various vendors under consideration to assure they have the technical expertise, operational quality, and financial stability to support the Bank's product delivery and risk management initiatives. Subsequent review and analysis will be performed to determine the vendor's ability to provide product delivery support.
c. The Bank will develop procedures to assure that the Internet Banking product and operations are in compliance with all applicable laws and regulations, that proper internal controls are established and that regular audits are performed to evaluate the effectiveness of the Bank's procedures with respect to Internet Bank services. All reports produced as a result of those audits will be reviewed by the Board.
d. The Bank will develop procedures to achieve the highest level of security for its customers' account information within its internal operations with respect to Internet Banking services, and will periodically evaluate the operations of its vendors to assure that proper internal controls are in place, operating effectively, and that unauthorized attempts to access the Bank's data are promptly detected and appropriately reported. Specific security details are outlined in the Bank’s information security risk assessment and Information Security Policy.
The Bank recognizes that the various and specific procedures required to achieve the aforementioned policy objectives may change from time to time as a result of independent and periodic reviews of those procedures, improvements and enhancements in the technology and products obtained from third parties, and the experience of Bank personnel. It is the intent of this policy to permit such changes to procedures to be expeditiously implemented.
Cash management is a vital function of local government finance and requires that written cash management policies be developed. An effective cash management plan will include procedures for monitoring and reporting on the plan. The reporting system will address results of the plan and identify areas where adjustments are necessary.
Elements of a Cash Management System
The basic premise of sound cash management is to ensure that cash inflows (sources of funds) and outflows (uses of funds) are effectively controlled and utilized. To effectively control cash flow, institutions must implement adequate cash management techniques to expedite cash collections and check clearing in order to access and use the funds. Institutions must also develop cost-effective disbursement mechanisms for transferring funds. The board and management are ultimately responsible for selecting the best collection and payment mechanisms as well as adopting appropriate oversight and review guidelines, operating policies and procedures, and audit requirements. In some cases, institutions may deploy other financial institutions and organizations for cash management related services that can be performed more economically or efficiently. Such services include transfer and payment of funds, collection and concentration of funds, sweep account services, information reporting, and so on. Before discussing the major elements of a cash management system, a general understanding of how float affects the overall collection and disbursement process is important.
Float is caused by delays along the cash flow timeline. Float is usually measured in dollar days and is a function of the transaction's dollar amount and the number of days of delay. It is simply a means of quantifying the efficiencies or inefficiencies of the "cash in-cash out" cycle and focusing on opportunities and costs. An institution benefits from shortening all types of float associated with cash inflows and lengthening all types of float associated with cash outflows. The major components of float include mail, processing, availability, and clearing float.
Collection – An important component of the cash management function is the collection of funds. This process involves speeding up the conversion of receipts into available funds. By minimizing the float time associated with collection of accounts receivable and extending the float on the accounts payable side, institutions can more effectively manage cash. Hence, institutions should effectively develop a system to collect payments from customers.
Forrest City Bank may collect funds dropped off at their location, by mail, or electronically. For payments received in person or in the mail, an institution may use either its own processing center or a lockbox.
Complete elimination of risk from electronic funds transfer is an impossible task. However, the increasing use of electronic transfer activities makes it essential that each System institution clearly understand the risks inherent in these activities and be aware of the methods for possibly reducing these risks to an acceptable level. The next section provides a brief discussion of some of the sources of risk involved in the overall cash management operations.
Types of Risks
Risks are inherent in all operational areas, including cash management. While cash has always been an area of high risk because of its liquidity, the risks have changed dramatically as a result of electronic media. Traditional currency is no longer the focal point of most institutions. Instead, electronic commerce moves incredible amounts of electronic money from one point to another almost instantaneously. Consequently, material losses could occur through error, inadequate controls, or fraud in electronic funds transfer systems. The following briefly identifies several types of risks associated with the cash management process. These risks are not all-encompassing or exhaustive by any means.
Payment System Risk – Payment system risk is the exposure to the uncertainty that settlement will occur. The failure of one participant to settle deprives other institutions of expected funds and prevents those institutions from settling in turn.
Fraud Risk – Fraud risk arises when a payment transaction is initiated or altered in an attempt to misdirect or misappropriate funds.
Operational Risk – Operational risk arises from the potential for loss because of significant deficiencies in system reliability or integrity. Security considerations are paramount, as institutions may be subject to external or internal attacks on their systems or products. Operational risks can also arise from customer misuse and from inadequately designed or implemented electronic banking.
Credit Risk – Credit risk is the risk that a counterparty will not settle an obligation for full value. Banks engaging in electronic banking activities may extend credit via nontraditional channels and expand their market beyond traditional geographic boundaries. Institutions engaged in electronic payment programs may face credit risk if a third-party intermediary fails to carry out its obligations with respect to payment. In addition, the institution must ensure that it has adequate controls to ensure that electronic fund transactions are conducted in accordance with loan conditions and that funds are not disbursed in excess of undisbursed commitments.
Liquidity Risk – Liquidity risk arises from an institution's inability to meet its obligations when they come due without incurring unacceptable losses. Liquidity risk may be significant for institutions that transact significant amounts of electronic fund transfers if they are unable to ensure that funds are adequate to cover liquidity needs.
Legal Risk – Legal risk arises from violations of or nonconformance with laws, rules, regulations, or prescribed practices. Legal risk may also arise when the legal rights and obligations of parties to a transaction are not well established. Institutions can face legal risks with respect to customer disclosure and privacy protection. Many aspects of electronic transactions are relatively new and have not yet been established by court precedent.
Reputational Risk – Reputational risk is the risk of significant negative public opinion that results in a critical loss of funding or customers. Reputational risk may involve actions that create a lasting negative public image of overall institution operations, such that the institution's ability to establish and maintain customer relationships is significantly impaired. Service or product problems, mistakes, malfeasance, or fraud may cause reputational risk. Reputational risk may be affected by not only the institution itself but its affiliation with other institutions.
Foreign Risk – Foreign risk might exist for institutions dealing with other countries. Institutions dealing with foreign participants are subject to country risk to the extent that foreign parties become unable or unwilling to fulfill their obligations because of economic, social, or political factors. In addition, institutions accepting foreign currency for electronic payment may be subject to risk from the market because of movements in foreign exchange rates.
Forrest City Bank Risk Management Process
Forrest City Bank’s risk management is an ongoing process of identifying, measuring, monitoring, and managing existing and potential risk exposure. Institutions should develop a risk management process to address known risks as well as remain dynamic enough to address risks that will undoubtedly surface in the future. An effective risk management program should minimize the negative effects of a problem situation. However, minimizing the potentially negative effects can be particularly difficult in an electronic environment that offers speed, sophistication, and access to many users. Because of the risks associated with cash management activities, Forrest City Bank has established systems and processes to control these risks. The level and complexity of the risk management process is commensurate with the risk characteristics of each System. Additional details regarding Forrest City Bank’s risk management process are provided below.
Board and Management Responsibilities – An effective risk management process requires appropriate direction, control, and oversight by the Forrest City Bank board of directors (board) and senior management. Forrest City Bank’s board is ultimately responsible for ensuring that management takes the steps necessary to ensure the safety and soundness of the cash management system. They must define the institution's cash management philosophy and policies and ensure that the risks being taken by the institution fit within the overall business strategies and financial capabilities of the institution.
The board is responsible for approving the overall policies of the institution with respect to cash management. The board should ensure that senior management has a full understanding of the risks incurred by the bank, and that the institution has personnel available who have the necessary technical skills to evaluate and control these risks. The board, or a designated committee, should periodically review information that is sufficient in detail and timeliness to allow it to understand and assess the performance of senior management. Exposures to the risks associated with cash management should be reviewed as a part of this planning process.
Senior management must ensure that cash management procedures and processes are in place to effectively monitor and measure cash management. Senior management should ensure that proper cash management procedures are developed and revised as necessary. Furthermore, senior management should develop, implement, and monitor the internal controls for cash management. Areas to be considered include clearly defining the individuals and/or committees responsible for managing cash-related activities, ensuring adequate segregation of duties, ensuring sufficient resources, and providing sufficient cross-training or backup of identified key personnel. Personnel in sensitive positions should be required to take uninterrupted holidays of sufficient length to exercise the organization's ability to cope with unavailability and to detect fraudulent activity.
Policies and Procedures – Proper cash management policies and procedures are critical to implementing any sound cash management process. Institutions should have board-approved policies that define their philosophy on cash management and procedures to implement the policy parameters. As indicated previously, cash is a highly liquid asset that can be easily transferred, concealed, and converted into other assets. As a result, Forrest City Bank has policies and procedures in place to direct and control the flow of cash from the time it is received, through the various stages of use and custody, to its final disbursement. The board should establish policies that address the objectives and operating parameters for maintaining cash. Generally, this would include target cash balances and a periodic analysis of Forrest City Bank's cash needs.
• Compensating balances or fees charged by depository institutions are cost-effective and comparable to the fees charged by other depository institutions.
• The financial condition of the depository institution is sound and deposits in excess of Federal deposit insurance are safe.
• New or alternative cash management services and techniques are available to further reduce costs.
Internal Controls – A system of effective internal controls is another critical component of cash management and a foundation for the safe and sound operation of any institution. Forrest City Bank’s controls consist of policies, procedures, operating parameters, monitoring activities, separation of duties, reporting, audit, and management information systems. Segregation of responsibilities is one control that is used to safeguard cash and reasonably ensure the reliability of accounting records. Forrest City Bank’s audit controls ensure that individuals responsible for evaluating risk monitoring and controls are independent of the function they are assigned to review. Audit activities should ensure that personnel are following established policies and procedures, as well as ensuring that the procedures that are established actually accomplish intended objectives. To augment internal audit, management may seek qualified external auditors, such as cash management consultants or other professionals with relevant expertise, to provide an independent assessment of the cash management activity. The board and management should address the problems identified in the audits and correct any material weaknesses noted in a timely manner.
Monitoring and Reporting – Ongoing monitoring and reporting are important aspects of any risk management process. For cash management activities, monitoring is particularly important because of the electronic environment and rapid changes that may occur with new innovations, such as the use of the Internet. In relation to information systems, two important elements of monitoring are system testing and auditing. Testing and auditing of systems operations can help detect unusual activity patterns and avert major system problems, disruptions, and attacks. Periodic reporting is also essential to ensure that the institution is complying with policy requirements and established parameters. The reports provided to the board and senior management should be clear, concise, timely, and provide the information needed for making decisions.
Contingency Planning – Contingency planning is a routine part of Forrest City Bank's business planning and operations. Contingency planning is basically a process of reviewing an institution's functions and assessing each area's importance to the viability of the organization. In the area of cash management, contingency plans can minimize business disruptions caused by problems that may impair or destroy an institution's processing and delivery system (i.e., communications equipment, computer equipment, and funds transfer network). The loss or extended Forrest City Bank shall assess its own risks and develop strategies at least annually. The cash management contingency plan will cover all the bases of the Forrest City Bank’s business operations and should be annually evaluated and tested for adequacy and feasibility.
POLICY ELEMENTS
Forrest City Bank ITC and the Board of Directors have recommended that the Chief Technology Officer also serve in the role of Internet Banking Coordinator. This individual has an understanding and working knowledge of the elements of Internet banking, including related electronic funds transfer issues and managing the development of new electronic products, implementing new products and services, and monitoring those processes. The Internet banking coordinator has the authority to work closely with the senior management team members to communicate and implement necessary actions across product and department lines. Additionally, the Internet banking coordinator is responsible for carefully considering the impact of any policy or procedural changes in current products and services that may impact internal systems as well as electronic funds transfer systems.
The Internet Banking Coordinator will report to the President with management reports and materials pertaining to electronic funds systems and Internet banking activities.
General Internet Banking Operational Elements
To facilitate a sound Internet banking system as part of Forrest City Bank, the following elements will be addressed by bank management in implementing each Internet banking system. This responsibility is jointly shared for each system by various operational areas. Other areas (e.g., marketing, lending) will be required to participate in decision making on new products and/or services if their input is requested by the joint functional areas. The Chief Technology Officer is responsible for chairing each meeting, establishing agendas, maintaining documentation of meetings, ensuring follow-up on issues or questions, and documenting compliance with policy for each Internet banking system product and/or service.
The following represent general areas for consideration and management supervision for the Internet banking function. These points will be documented (in the appropriate committee and board minutes and risk assessments) as being considered, discussed, and resolved/approved before implementation of an Internet banking system product and/or service.
Operating Policy and Procedures
Each product or service that encompasses elements of Internet banking will be covered by a bank policy in terms of objectives of that product or service. The policy will also set out specific guidelines for management procedures, training, controls, and monitoring. The operating policy and related procedures will address control points to protect and guard against data integrity problems, system failure, etc. Such policies will address the risk tolerance levels for these activities established by the Board.
Planning and Development
The development of any new Internet banking product or service will encompass a complete risk assessment including but not limited to: fact-finding, implementation planning, cost-pricing analyses, and strategic planning implications analyses. If appropriate, these plans will also address systems design vs. use of existing systems or other data processing resources and current capabilities vs. future requirements. With respect to the design and development of any new product or service, competitive/marketplace insights will also be provided. Insurance coverage will also be detailed as part of the planning document submission.
Security
Appropriate and comprehensive procedures will be detailed in the Forrest City Bank Information Security Program and will be established to ensure the logical, physical and technical security with respect to Internet banking operations. These procedures will include provisions for the use of encryption technologies and virus protection to secure Internet banking information. Periodic testing will be performed by independent third parties to determine the effectiveness of these security initiatives. Any violations, exceptions, or suspicious activities with respect to established security policies and procedures will be evaluated and when appropriate, elevated and reported as required by and to various regulatory and law enforcement agencies.
The Bank maintains an Internet website to provide information about the Bank, and function as a portal to the Internet banking system. A number of the aforementioned risks can be exacerbated if this website is not properly monitored and managed. Appropriate procedures will be developed for the administration of this website, including procedures to address the security of the site and the Bank's domain name, web-linking policies, the use of financial calculators, security of Internet email initiated through the site, and to ensure regulatory compliance.
Record Retention
Retained information that pertains to Internet banking activities or transmissions must comply with various regulatory guidelines. Destruction of Internet banking information will follow similar guidelines as the disposal of other types of banking information.
The Bank’s annual risk management and insurance assessment review shall also evaluate the Bank’s Internet banking activities. The level of insurance coverage and types of coverage will be evaluated no less than annually.
Audit and Monitoring
Internet banking, given the wide reaches of impact and speed of movement in transactions, makes it necessary to institute different audit techniques. On an implementation basis, audit and regulatory compliance risks will be carefully evaluated and identified. Clear audit and compliance trails will be created, not only for start-up but also for ongoing periodic monitoring/auditing.
Administrative and System Operations
Instituting new and/or expanded Internet banking services entails also reviewing the systems' operations. Specific allowances must be made not only for the development, but also the daily activities related to system hardware, system software, and disaster recovery plans in case of failure of hardware or software. System size, obsolescence, software support, and other related support issues will be carefully evaluated and planned for. Even system protocols and standards will be analyzed to ensure corporate compatibility. Administrative issues, including physical and information security, security controls, and protection of carrier lines will be considered. User guides and training will be provided to ensure proper operation of the Internet banking system.
Vendors and Outsourcing
The bank may rely on vendors, third-party support, or other outsourcing avenues. Before introducing a new Internet banking product or service, the internal controls of a vendor, maintenance and upkeep of a third-party provider's systems, and/or financial condition of the third-party vendor will be carefully evaluated in accordance with the vendor due diligence assessment outlined in this policy. Competence of the vendor for outsourced work will be carefully reviewed and considered. Procedures will be established for the ongoing oversight of these third-party service providers in compliance with regulatory guidelines.
Legal and Regulatory
Before proceeding with any new Internet banking product or service, the regulatory issues related to the product or service will be carefully evaluated. Internet banking may or may not fall within certain guidelines for paper transactions; management will document compliance with such regulations as reserve requirements, financial recordkeeping, disclosures, filings, and customer information and authorizations by customers. To protect the bank, enforceability of electronic contracts, agreements, and signatures will be carefully reviewed and concerns resolved. What courts or agencies have legal jurisdiction over such elements of Internet banking as documentation, taxation reporting, and interstate commerce must be identified, and resolved to the extent possible. Privacy issues will be addressed before the introduction of a product. The identity and level of contingent liabilities will also be carefully evaluated.
Disaster Recovery and Contingency Plans
With the development of Internet banking products or services, management will also carefully analyze related disaster recovery and contingency planning requirements. Not only will the Internet banking products or systems be considered as part of the disaster recovery; it is imperative that the plans for recovery be tested to ensure Internet banking services may be restored per bank policy.
External and Internal Reporting
The growth and success of Internet banking and its widespread acceptance in the marketplace depend on a number of elements. From careful planning of a new electronic payment system product or service to providing well-organized, accurate information detailing the performance of an Internet banking transaction, the entire range of events and potential concerns will be considered. Quite often, Internet banking information is time sensitive. The Bank will establish procedures to provide for the regular meeting of appropriate personnel to verify that information is promptly circulated and shared, including insights on sources for accuracy and completeness of Internet banking data.
Internally, management of departments involved with Internet banking activities will necessitate timely reporting of Internet banking activities. Depending on the size of transactions, activities, and other related risks, information on Internet banking activities may be generated on a weekly basis or as often as hourly, or more promptly if necessary. It is important to ensure that all information regarding Internet banking systems performance and security is accurate, time sensitive, and effectively communicated to the designated responsible department management team members.
Internal time-sensitive reports will focus on three primary potential risk areas:
• Unauthorized user access of information
• Loss of data integrity
• Lack of transaction completeness and inability to transmit transactions
These three elements require immediate reporting. Although mitigating controls exist, such as on-site security, system passwords, encryption, computerized logs, edit checks, separation of duties, antivirus software, and sequential numbering, the alert of unauthorized entry, loss of data integrity, and/or transaction problems/transmission errors will prompt an immediate management response. Such breakdowns will be logged whenever they occur, even if a "false alarm," and be included as part of the senior management team report package.
Other periodic reports will include:
• Daily volume, size of transactions, and ranges
• Error resolution and complaints log analysis
• Systems maintenance considerations
• Audit and/or compliance reports
Reports, in addition to providing monthly activity, will set out trend analysis, based on prior month, quarter, and annual comparisons. To the extent strategic planning has established goals, actual vs. budgeted goals will be reviewed.
Staff and Management will receive periodic training with respect to Internet banking operations, policies and procedures commensurate with the employee job responsibilities. Employees will also be trained and kept aware of their security responsibilities as defined in the Bank’s related policies and procedures regarding password protection, proprietary use of Bank computer hardware and software, e-mail, the Internet, etc.
ADMINISTRATIVE PROCEDURES
Vendor Management
Since the Bank is totally dependent upon its Internet Banking services provider(s) for effective and efficient product delivery, Forrest City Bank will implement an oversight program to monitor each Internet service provider’s controls, condition, and performance. The broad geographic reach, ease of access, and anonymity of the Internet require close attention to maintaining secure systems, intrusion detection and reporting systems, and customer authentication, verification, and authorization. The bank understands that the potential risks introduced are a function of a system’s structure, design and controls and not necessarily the volume of activity.
Responsibility for the administration of the service provider relationship will be assigned to bank personnel with appropriate expertise to monitor and manage the relationship. The number of personnel, functional responsibilities, and the amount of time devoted to oversight activities will depend, in part, on the scope and complexity of the services outsourced. It is important that the bank document the administration of the service provider relationship. Documenting the process is important for contract negotiations, termination issues, and contingency planning. Some specific factors to consider regarding oversight of the service provider relationship are as follows:
Monitor Financial Condition and Operations
• Evaluate the service provider’s financial condition annually to determine the vendor's ability to provide long-term programming and processing support and report the results of the analysis to the Board. If the financial condition is unsound or shows signs of serious deterioration, this problem will be closely monitored while alternative contingency plans are pursued.
• Ensure that the service provider’s financial obligations to subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews) as well as regulatory examination reports if available, and evaluate the adequacy of the service providers’ systems and controls including resource availability, security, integrity, and confidentiality. The third party review letter (also referred to as a Service Auditors' report) is prepared annually on behalf of the service company by Certified Public Accountants. This third party letter is a useful document in that it identifies any control weaknesses which the CPA firm may consider material enough to warrant mentioning. The report also describes, in some detail, the control environment and the control responsibilities which should be recognized by users to accomplish an effective system of internal controls relating to the IT operations.
• Follow up on any deficiencies noted in the audits and reviews of the service provider.
• Periodically review the service provider’s policies relating to internal controls, security, systems development and maintenance, and back up and contingency planning to ensure they meet the institution’s minimum guidelines, contract requirements, and are consistent with the current market and technological environment.
• Review access control reports for suspicious activity. With respect to the complexities of the Internet, particular attention will be directed to the frequency and results of penetration testing performed on that vendor's Internet banking operations. Penetration testing determines the ability of the Internet hardware, software, and telecommunication systems to defend against attempts for unauthorized access, commonly referred to as "hacking". The sophistication of the processes involved with attempting to obtain unauthorized access to computer systems is consistently evolving and improving. Penetration testing should be performed no less than annually to determine the continued effectiveness of the system to protect itself from such attempts. Documentation of the review of these letters will be provided to the Board as a component of the Bank's risk management processes.
• Monitor changes in key service provider project personnel allocated to the institution.
• Review and monitor the service provider’s insurance policies for effective coverage.
• Perform on-site inspections in conjunction with some of the reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client institutions.
Assess Quality of Service and Support
• Regularly review reports documenting the service provider’s performance. Determine if the reports are accurate and allow for a meaningful assessment of the service provider’s performance.
• Document and follow up on any problem in service in a timely manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change controls are in effect, and ensure authorization is established for significant system changes.
• Evaluate the provider’s ability to support and enhance the institution’s strategic direction, including anticipated business development goals and objectives, service delivery requirements, and technology initiatives.
• Determine adequacy of training provided to financial institution employees.
• Review customer complaints on the products and services provided by the service provider.
• Periodically meet with contract parties to discuss performance and operational issues.
• Participate in user groups and other forums.
Monitor Contract Compliance and Revision Needs
• Review invoices to assure proper charges for services rendered, the appropriateness of rate changes and new service charges.
• Periodically, review the service provider’s performance relative to service level agreements, determine whether other contractual terms and conditions are being met, and whether any revisions to service level expectations or other terms are needed given changes in the institution’s needs and technological developments.
• Maintain documents and records regarding contract compliance, revision and dispute resolution.
Maintain Business Resumption Contingency Plans
• Review the service provider’s business resumption contingency plans to ensure that any services considered mission critical for the institution can be restored within an acceptable timeframe.
• Review the service provider’s program for contingency plan testing. For many critical services, annual or more frequent tests of the contingency plan are typical.
• Ensure service provider interdependencies are considered for mission critical services and applications.
Fcbnet.com
Forrest City Bank maintains an Internet website to provide information about the Bank, and function as a portal to the Internet banking system. The following describes the procedures utilized by the Bank for the administration and maintenance of this website:
Web site Administration and Maintenance: The Bank will maintain the Website using popular tools and software. Maintenance refers to the changes to the pages that appear when the site is accessed by a client browser. Such changes may include adding content (pictures, text, etc.) and functionality (searches, calculators, applications, etc.). Any changes must be requested in writing and submitted to the Chief Technology Officer. The use of financial calculators should include a disclosure that the calculator has been provided as a convenience and is not intended to be construed as an offer to provide service at any terms entered and accepted by the calculator. The Bank has advised website users of security issues regarding Internet email initiated through the site. Any changes to the website should be logged and independently verified to assure accuracy.
Security: It is important that the bank be alert to security considerations regarding domain name servers, which are computers that allow Internet users to locate information and resources on the Internet by domain name. Unauthorized changes to the server could result in misdirected Internet traffic or obstructed access to the bank’s Internet site. Forrest City Bank outsources this function to a third-party service provider, and will ensure that security features are in place and assessed periodically as defined in the vendor management section of these procedures.
Fcbnet.com: Forrest City Bank recognizes that as the number of banks with Web sites continues to grow, the number of incidents involving disputes, confusion and fraud related to their Internet domain names also has increased. To protect its online identity, the Bank will employ internal controls that ensure timely registration and renewal of relevant domain names, periodically review the status of similar domain names, and be familiar with the formal and informal dispute resolution processes. Management also can consider security in its communications with the bank’s domain name registrar. For example, to prevent unauthorized changes to a bank’s domain name information, management can ensure that proper controls are in place for authenticating and authorizing all requests for modifications to its registration. Steps include ensuring that Forrest City Bank maintains administrative control of the domain and that domain registration is configured as private. Depending on the nature of the problem involving the bank’s domain name, management may pursue various courses of action. Legal recourse may be available under the Anti-Cybersquatting Consumer Protection Act, 15 U.S.C. §1125(d), which prohibits registering or using a domain name that is confusingly similar to another name, with the intent to profit.
Other situations involving Web sites that are used to promote fraud or illegal activity can be addressed under existing laws that address financial fraud and computer crime (e.g., 18 U.S.C. §1101 - Fraud and False Statements, 18 U.S.C. §1030 - Fraud in Connection with Computers, 18 U.S.C. §1343 - Wire Fraud). Suspicious activity involving domain names should be reported according to existing instructions for filing Suspicious Activity Reports with our primary federal regulator and law enforcement agencies. Private arbitrators also can handle disputes over domain names. The Internet Corporation for Assigned Names and Numbers (ICANN) has established a dispute resolution process, outlined in the Uniform Domain-Name Dispute-Resolution Policy, to deal with conflicts arising over domain name ownership. All registrars in the .com, .net, and .org domains are subject to this policy, the text of which can be accessed at ICANN’s Web site at www.icann.org.
Web-linking policies: A weblinking relationship with a third party involves both the bank’s website and the third party’s website. When the bank customer accesses a third party website from a bank’s website, the access is accomplished through a hyperlink. The primary risk in providing direct access to third party websites for our customers through hyperlinks is reputation risk. The performance of the third party and the website with which the bank links are major sources of reputation risk to the bank. Bank customers may have expectations about the third parties with which the bank chooses to link its website. Should customers experience disappointment, poor quality products or services, or loss as a result of their transactions with linked companies providing products and services, they may attempt to hold the bank responsible for the perceived deficiencies of the third party.
The Bank will monitor any website to which it has provided a weblink from its site for accuracy and appropriateness on a periodic basis. Management will approve any weblinks and consider any regulatory restrictions regarding links to those parties which may constitute a conflict of interest. Finally, the Bank will provide a message (not affected by popup blocker software or browser settings) informing the user that he/she is leaving the Bank’s website for a third party website that does not belong to the Bank.
Regulatory compliance: The Bank will continuously monitor regulatory guidance with respect to changes in the relevant sections of federal consumer protection laws and regulations that address electronic financial services and other relevant provisions of law. It is critical that the Bank, in providing an electronic delivery mechanism, develop and maintain an in-depth knowledge of the relevant statutes and regulations.
Security Controls
The Bank requires its customers to use a secure Internet browser to access account information and perform transactions, which currently are limited to internal transfers between accounts maintained at the Bank. Secure browsers employ secure socket layer ("SSL") technology to communicate with servers. This technology encrypts - or scrambles - account information so that it is virtually impossible for anyone other than the Bank and the customers to read it.
The Bank, through its vendor, will ensure that, in giving customers access to their account information through Internet banking, the strictest control and security measures are taken, including advanced encryption mechanisms such as SSL, ensuring that data cannot be altered or modified on the Internet. Additionally, vendors will be expected to employ redundant security firewalls, which serve as the gateway between the Internet and internal processing networks. These firewalls, strategically placed before the Internet web server, are designed to protect the bank's home site from external tampering. In addition, this security gateway further protects customer account information from unauthorized access.
Record Retention Guidelines
The Bank will retain source documents supporting its Internet banking activities for a period of 12 months. Documents to be retained include account applications, instructions for account transactions, and any other records or documents that are relevant to the Bank's providing Internet banking services.
Audit Requirements and Procedures
Forrest City Bank will support a process to monitor internal compliance with the bank's Internet banking program. This internal compliance monitoring will encompass a pre-review of any electronic product and/or service to ensure compliance with relevant laws, regulations, and/or rulings. In addition, on a periodic basis, a review of implemented Internet banking products and services will be performed, per a schedule approved by the Board and submitted to and accepted by the Forrest City Bank compliance officer. The reviews will encompass testing for compliance with laws, regulations, and interpretations, as well as corporate policies, including compliance with agreements. The reviews will address whether personnel have the necessary skills; systems have the operational capacity to handle servicing; the processing of transactions is both timely and accurate; and the reliability of management and customer reporting is satisfactory.
Internet Banking Contingency Plan
As the Bank does not open accounts outside its established market area, in the event of a disaster with respect to the Internet Banking and Bill Payment service, the Customer would be referred to the Bank's banking offices and telephone banking systems until the problems affecting the Internet service are resolved.
OPERATIONAL PROCEDURES FOR INTERNET BANKING
Setting Up Customers for Internet Banking:
1. Customers fill out a specific application for online banking. Completed applications are sent directly to the bookkeeping department from Forrest City Bank’s Internet Banking Vendor.
2. When received, the Premier system will verify the application for specific information, including Social Security number, Tax ID, address, primary and secondary owner and telephone number.
3. If the above information doesn't match the information in the system, then the Internet Banking application is void and a system report is generated.
4. The Premier system will generate a letter to the name and address on file. This letter is checked and mailed by the Bookkeeping Department. This provides dual control security: in the event that someone forged an application, the original owner would receive the letter and let us know that they never signed up for the Internet banking system.
Setting Up Customers for Business Banking:
1. First a customer must inquire or be recommended by their branch manager for Business Banking.
2. Customers fill out a specific application for business banking. This application is available only in hard copy and must be signed by the owner of the Business or Corporation. Completed applications are kept in the customer's loan file and within the IT Dept.
3. When received by the IT dept., the application is reviewed for completeness, including Tax ID, address, primary and secondary owner, telephone number and at least one account number.
After the information is verified, then the application and appropriate account numbers are added to the business banking system. This action enables the customers to begin using the Internet Banking system within a few days.
The application will be initialed and kept by the IT department where it will be filed.
After receiving the initialed application, a member of the IT department will set up the customer with a company ID, user ID and a generic password. This information will be delivered to the customer personally at the time of training.
Technical Support for Internet Banking and Business Banking
1. Customer inquiries regarding the use of the Internet Banking system require the knowledge of certain specific and unique information to verify the customer’s identity:
a. Customer name
b. Customer Number
c. Address and Telephone Number on File
If the customer provides the appropriate information, then tech support is continued. If the customer fails to provide or is unaware of the required information, then a conference call is placed with his/her appropriate branch to verify the customer's identity. If the customer fails to provide the appropriate information, and fails to acknowledge his identity with branch personnel, then tech support is no longer continued.
The most common customer inquiry results when the customer has forgotten the PIN number and has been locked out of the Internet Banking system. Users are locked out after entering an incorrect PIN number five times. To reset the customer, the following procedures must be performed:
a. After customer authentication is verified, a member of the IT Department will log on to the Management Console of Internet Banking.
b. Enter required Administrative information to log on
Once the account is unlocked, then the Customer is immediately able to continue to do their online banking.
1. Customer inquiries regarding the use of the Business Banking system require the knowledge of certain specific and unique information to verify the customer’s identity:
a. Customer name / Company Name
b. Customer Number / Tax Id
c. Address and Telephone Number on File
d. User ID to be unlocked
** If the Company ID needs to be unlocked, the user calling must be the Super User of the Company.
If the customer provides the appropriate information, then tech support is continued. If the customer fails to provide or is unaware of the required information, then a conference call is placed with his/her appropriate branch to verify the customer's identity. If the customer fails to provide the appropriate information, and fails to acknowledge his identity with branch personnel, then tech support is no longer continued.
Daily Internet Banking –
All Activities (audit) – Previous Day
Locked Users – Current
Weekly Internet Banking –
Bad Logins – Current Week
Weekly Log Statistics
Users without Bill Pay
Number of Failed Logins
Bill Pay –
Monthly Bill Pay –
Number of Users
General Web Site –
Forrest City Bank, NA | 715 North Washington | Forrest City, AR 72335 | Phone: 888.287.6851 | Privacy & Security