a. The Bank’s Board of Directors and the Senior Management Committee shall be responsible for developing the Bank's e-banking business strategy and establishing an effective management oversight over e-banking services. This shall include the review and approval of the key aspects of the Bank's security control program and process, such as the development and maintenance of security control policies and infrastructure that properly safeguard e-banking systems and data from both internal and external threats. This will also include a comprehensive process for managing risks associated with increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform critical e-banking functions.

b. The Board of Directors and the Bank’s senior management shall ensure that the Bank’s risk management policies and processes are updated and modified where necessary, to cover existing or planned e-banking services.

c. The Bank’s Compliance Officer shall also ensure that proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. The product managers and system designers should consult with the Compliance Officer during the development and implementation stages of e-banking products and services. This level of involvement will help decrease the Bank’s compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

a. Information Security Program

The Bank, through the Information Technology Group (SBA-ITG), shall establish and maintain a comprehensive information security program which must be properly implemented and strictly enforced. The information security program should include, at a minimum, the following:

1. Identification and assessment of risks associated with e-banking products and services;
2. Identification of risk mitigation actions, including appropriate authentication technology and internal controls;
3. Information disclosure and customer privacy policy; and
4. Evaluation of consumer awareness efforts.

SBA-ITG shall adjust or update, as appropriate, the said information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information.

b. Information Security Measures

1. SBA-ITG shall ensure that the information security measures and internal controls related to electronic banking are installed, regularly updated, monitored and are appropriate with the risks associated with the products and services. Please see Appendix A and Appendix B for the minimum security measures that the Bank should employ in ATM facilities and internet/mobile banking activities, respectively, to protect depositors and consumers from fraud, robbery and other e-banking crimes.
2. SBA-ITG shall also take into account other relevant industry security standards and sound practices as appropriate, and keep up with the most current information security issues (e.g., security weaknesses of the wireless environment), by sourcing relevant information from well-known security resources and organizations.

1. To authenticate the identity of e-banking customers, the product managers shall employ techniques appropriate to the risks associated with e-banking products and services. The implementation of appropriate authentication methodologies should start with a risk assessment process. The risk should be evaluated based on the following:

I. type of customer;

II. customer transactional capabilities (e.g., bill payment, fund transfer, inquiry)

III. sensitivity of customer information and transaction being communicated to both the Bank and the customer;

IV. ease of using the communication method; and

V. volume of transactions.

2. Because of standards for implementing a commercially reasonable system may change overtime as technology and other procedures develop, SBA-ITG , together with the Bank’s technology service providers, shall continuously review, evaluate and identify authentication technology and ensure appropriate changes are implemented for each transaction type and level of access based on the current and changing risk factors.

3. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, the product managers and system designers shall implement multifactor authentication (e.g., ATM card and PIN), layered security, or other controls reasonably calculated to mitigate those risks.

4. The authentication process should be consistent with and support the Bank’s overall security and risk management programs. An effective authentication process should have customer acceptance, reliable performance, scalability to accommodate growth, and inter-operability with existing systems and future plans as well as appropriate policies, procedures, and controls.

With the growth of e-banking and e-commerce, the Bank shall use reliable methods of originating new customer accounts in an electronic banking environment. Potentially significant risks may arise when a bank accepts new customers through the internet or other electronic channels. Thus, all concerned units/business centers shall ensure that in originating new accounts, the "Know Your Customer" or KYC policy of the Bank, which involves "face-to-face" contact, is strictly adhered to.

1. Monitoring systems can determine if unauthorized access to computer systems and customer accounts has occurred. The product managers and system designers must ensure that a sound monitoring system is in place, which should include audit features that can assist in the detection of fraud, money laundering, compromised passwords, or other unauthorized activities.
2. SBA-ITG shall be responsible for the activation and maintenance of audit logs which can help the Bank to identify unauthorized activities, detect intrusions, reconstruct events, and promote employee and user accountability. This control process can also facilitate the Bank in the submission of suspicious activities reports as required by the Anti-Money Laundering Council (AMLC) and other regulatory bodies.
3. When users are no longer authorized to access a particular system, the same must be reported promptly to the security administrators for the timely removal or suspension of user account access
4. Whenever critical systems or processes are outsourced to third parties, SBA-ITG shall ensure that the appropriate logging and monitoring procedures are in place and that suspected unauthorized activities are communicated to the Bank in a timely manner.
5. An independent party (e.g., internal or external auditor) should also review activity reports documenting the security administrators' actions to provide the necessary checks and balances for managing system security.

To minimize/prevent ATM frauds and crimes, the Bank should, at a minimum, implement the following security measures with respect to automated teller machine facilities:

Locate ATM’s in highly visible areas;

Provide sufficient lighting at and around the ATM;

Where ATM crimes (e.g., robbery, vandalism) are high in a specific area or location, the Bank should install surveillance camera or cameras, which shall view and record all persons entering the facility. Such recordings shall be preserved by the bank for at least thirty (30) days;

Implement ATM programming enhancements like masking/non-printing or card numbers; 

Educate customers by advising them regularly of risks associated with using the ATM and how to avoid this risks; 

Conduct and document periodic security inspection at the ATM location, and make the pertinent information available to its clients; 

Educate bank personnel to be responsive and sensitive to customer concerns and to communicate them immediately to the responsible bank officer; and 

Post near the ATM facility a clearly visible sign which, at a minimum, provides the telephone 

numbers of the bank as well as other banks’ hotline numbers for other cardholders who are allowed to transact business in the ATM, and police hotlines for emergency cases. 

The Bank must study and assess ATM crimes to determine the primary problem areas. Procedures for reporting ATM crime should also be established. Knowing what crimes have occurred will aid the Bank in recognizing the particular crime problem and to what degree it exists so that it can implement specific prevention measures to mitigate the risk. In this connection, banks are encouraged to share information involving ATM fraud cases to deter and prevent proliferation of the crime.

​​​​​​1. Network controls

Implement adequate security measures on the internal networks and network connections to public network or remote parties. Segregate internal networks into different segments having regard to the access control needed for the data stored in, or systems connected to, each segment.

Properly design and configure the servers and firewalls used for the e-banking services either internet-based or delivered through wireless communication networks (e.g., install firewalls between internal and external networks as well as between geographically separate sites). Deploy strong and stringent authentication and controls especially in remote access or wireless access to the internal network.

Implement anti-virus software, network scanners and analyzers, intrusion detectors and security alert as well as conduct regular system and data integrity checks.

Maintain access security logs and audit trails. These should be analyzed for suspicious traffic and/or intrusion attempts.

Ensure that wireless software for wireless communication network includes appropriate audit capabilities (e.g., recording dropped transactions).

Develop built-in redundancies for single points of failure which can bring down the entire network.

2. Operating Systems Controls 

Harden operating system by configuring system software and firewall to the highest security settings consistent with the level of protection required, keeping abreast of enhancements, updates and patches recommended by system vendors.

Change all default passwords for new systems immediately upon installation as they provide the most common means for intruders to break into systems.

3. Encryption 

Implement encryption technologies that are appropriate to the sensitivity and importance of data to protect confidentially of information while it is stored or in passage over external and internal networks.

Choose encryption technologies that make use of internationally recognized cryptographic algorithms where the strengths of the algorithms have been subjective to extensive tests.

Apply strong "end-to-end" encryption to the transmission of highly sensitive data (e.g., customer passwords) so that the data are encrypted all the way between customers’ devices and the Bank’s internal systems for processing data. This would ensure that highly sensitive data would not be compromised even if the Bank's web servers or internal networks were penetrated.

4. Website and Mobile Banking Authentication 

Authenticate official website to protect the Bank’s customers from spoofed or faked websites. The Bank should determine what authentication technique to use to provide protection against these attacks. 

For wireless applications, adopt authentication protocols that are separate and distinct from those provided by the wireless network operator.

5. Physical Security 

House all critical or sensitive computers and network equipment in physically secure locations (e.g., away from environmental hazards, unauthorized entry and public disclosure, etc.). 

Implement physical security measures such as security barriers (e.g., external walls, windows): entry controls (e.g., biometric door locks, manual or electronic logging, security guards) and physical protection facilities/devices (e.g., water and fire detectors, uninterruptible power supply (UPS), etc.) to prevent unauthorized physical access, damage to and interference with the e-banking services. 

6. Developments and Acquisition 
Separate physical/logical environments for the development, testing, staging and production.

Provide separate environments for the development, testing, staging and production of internet facing web-based applications; connect only the production environment to the internet.

7. IT Personnel Training 

Provide appropriate and updated training to IT personnel on network, application and security risks and controls so that they understand and can respond to potential security threats.

8. Service Providers 

Perform due diligence regularly to evaluate the ability of the service providers (e.g., internet service provider, telecommunication provider) to maintain an adequate level of security and to keep abreast of changing technology.

Ensure that the contractual agreements with the service providers have clearly defined security responsibilities.

9. Independent Audit, Vulnerability Test and Penetration Testing 

Conduct regular audit to assess the adequacy and effectiveness of the risk management process and the attendant controls and security measures.

Perform vulnerability test or assessment to evaluate the information security policies, internal controls and procedures, as well as system and network security of the Bank. Assessment should also include latest technological developments and security threats, industry standards and sound practices.

Conduct penetration testing at least annually.

The audit and test should be conducted by security professionals or internal auditors who are independent in the development, implementation or operation of e-banking services, and have the required skills to perform the evaluation.

For e-banking services provided by an outside vendor or service provider, ensure that the above tests and audit are performed and the Bank is provided with the result and actions taken on system security weaknesses.

10. Incident Response

Establish an incident management and response plan and test the predetermined action plan relating to security incidents.

To ensure security in their e-banking transactions and personal information, consumers should be oriented of their roles and responsibilities, which, at a minimum include the following:

1. Internet Products and Services 

A. Secure Login ID and Password or PIN   

• Do not disclose Login ID and Password or PIN
• Do not store Login ID and Password or PIN on the computer.
• Regularly change password or PIN and avoid using easy-to-guess passwords such as names or birthdays, Password should be a combination of characters (uppercase and lowercase) and numbers, and should be at least 6 digits in length.

B. Keep personal information private

• Do not disclose personal information such as address, mother’s maiden name, telephone number, social security number, bank account number or e-mail address – unless the one collecting the information is reliable and trustworthy.
• Keep records of online transactions
• Regularly check transaction history details and statements to make sure that there are no unauthorized transactions.
• Review and reconcile monthly credit card and bank statements for any errors and unauthorized transactions promptly and thoroughly.
• Check e-mail for contacts by merchants with whom one is doing business. Merchants may send important information about transaction histories.
• Immediately notify the Bank if there are unauthorized entries or transactions in the account.
• Check for the right and secure website. 
• Before doing any online transactions or sending personal information, make sure that correct website has been accessed. Beware of bogus or "look alike" websites which are designed to deceive consumers.
• Check if the website is “secure” by checking the Universal Resource Locators (URLs) which should begin with “https” and a closed padlock icon on the status bar in the browser is displayed. To confirm authenticity of the site, double-click on the lock icon to display security certificate information of the site.
• Always enter the URL of the website directly into the web browser. Avoid being re-directed to the website, or hyperlink to it from a website that may not be as secure.
• If possible, use software that encrypts or scrambles the information when sending sensitive information or performing e-banking transactions online.
• Protect personal computer from hackers, viruses and malicious programs.
• Install a personal firewall and a reputable anti-virus program to protect personal computer from virus attacks or malicious programs.
• Ensure that the anti-virus program is updated and runs at all times.
• Always keep the operating system and the web browser updated with the latest security patches, in order to protect against weaknesses or vulnerabilities.
• Always check with an updated anti-virus program when downloading a program or opening an attachment to ensure that it does not contain any virus.
• Install updated scanner software to detect and eliminate malicious programs capable of capturing personal or financial information online.
• Never download any file or software from sites or sources, which are not familiar or hyperlinks sent by strangers. Opening such files could expose the system to a computer virus that could hijack personal information, including password or PIN.
• Do not leave computer unattended when logged-in. 
• Log-off from the internet banking site when computer is unattended, even if it is for a short while.
• Always remember to log-off when e-banking transactions have been completed.
• Clear the memory cache and transaction history after logging out from the website to remove account information. This would avoid incidents of the stored information being retrieved by unwanted parties.
• Check the site’s privacy policy and disclosures. 
• Read and understand website disclosures specifically on refund, shipping, account debit/credit policies and other bank terms and conditions.
• Before providing any personal financial information to a website, determine how the information will be used or shared with others.
• Check the site’s statements about the security provided for the information divulged
• Some websites' disclosures are easier to find than others – look at the bottom of the home page, on order forms or in the "About" or "FAQs" section of site. If the customer is not comfortable with the policy, consider doing business elsewhere.
• Other internet security measures: 
• Do not send any personal information particularly password or PIN via ordinary e-mail. Do not open other browser windows while banking online.
• Avoid using shared or public personal computers in conducting e-banking transactions.
• Disable the “file and printer sharing” feature on the operating system if conducting banking transactions online. Contact the banking institution to discuss security concerns and remedies to any online e-banking account issues.

2. Other Electronic Products

A. Automated Teller Machine (ATM) and debit cards

• Use ATMs that are familiar or that are in well-lit locations where one feels comfortable. If the machine is poorly lit or is in a hidden area, use another ATM.
• Have card ready before approaching the ATM. Avoid having to go through the wallet or purse to find the card.
• Do not use ATMs that appear to have been tampered with or otherwise altered. Report such condition to the Bank.
• Memorize ATM personal identification number (PIN) and never disclose it with anyone. Do not keep those numbers or passwords in the wallet or purse. Never write them on the cards themselves. And avoid using easily available personal information like a birthday, nickname, mother’s maiden name or consecutive numbers.
• Be mindful of "shoulder surfers" when using ATMs. Stand close to the ATM and shield the keypad with hand when keying in the PIN and transaction amount.
• If the ATM is not working correctly, cancel the transaction and use a different ATM. If possible, report the problem to the Bank.
• Carefully secure card and cash in the wallet, handbag, or pocket before leaving the ATM.
• Do not leave the receipt behind. Compare ATM receipts to monthly statement. It is the best way to guard against fraud and it makes record-keeping easier.
• Do not let other people use your card. If card is lost or stolen, report the incident immediately to the Bank.

B. Do not leave documents like bills, bank statements in an unsecured place since these documents have direct access to deposit account information. Consider shredding sensitive documents rather than simply throwing them away. (Some people will go through the garbage to find this information).

C. Notify the bank in advance of a change in address.

D. Open billing statements promptly and reconcile card amounts each month.

Do not let other people use your card. If card is lost or stolen, report the incident immediately to the Bank.

Since customers may find it difficult to take in lengthy and complex advice, the Bank should devise effective methods and channels for communicating with them on security precautions. The Bank may make use of multiple channels (e.g., Bank's website, alert messages on a customer's mobile phone, messages printed on customer statements, promotional leaflets, circumstances when the Bank's frontline staff communicate with their customers) to enforce these precautionary measures.

1. General Requirement

Banks offering electronic banking services have to adopt responsible privacy policies and information practices. Banks should provide disclosures that are clear and readily understandable, in writing, or in a form the consumers may print and keep.

Bank should also ensure that consumers who sign-up for a new banking service are provided with disclosures (e.g., pamphlet) informing him of his right as a consumer.

At a minimum, the following disclosures should be provided to protect consumers and inform them of their rights and responsibilities.

• Information on the duties of the banking institution and customers
• Information on who will be liable for unauthorized or fraudulent transactions
• Mode by which customers will be notified of changes in terms and conditions
• Information relating to how customers can lodge a complaint, and how a complaint may be investigated and resolved
• Disclosures that will help customers in their decision-making (e.g., PDIC insured, etc.)
• For internet environment, information that prompt in the bank's website to notify customers that they are leaving the banking institutions' website and hence they are not protected by the privacy policies and security measures of the banking institutions when they hyperlink to third party's website

2. Disclosure Responsibility

• Compliance officers should review bank's disclosure statements to determine whether they been designed to meet the general and specific requirements set in this circular.
• For banks that advertise deposit products and services on-line, they must verify that proper advertising disclosures are made (e.g., whether the product is insured or not by the PDIC; fees and charges associated with the product or services, etc.). Advertisements should be monitored to determine whether they are current, accurate, and compliant. 
• For banks that issue various products like stored value cards, e-wallets, debit cards, they must provide information to consumers regarding the features of each of these products to enable consumers to meaningfully distinguish them. Additionally, consumers would find it beneficial to receive information about the terms and conditions associated with their usage.

Example of these disclosures include:

1. PDIC insured or non-insured status of the product;

2. Fees and charges associated with the purchase, use or redemption of the product;

3. Liability for lost;

4. Expiration dates, or limits on redemption; and

5. Toll-free telephone number for customer service, malfunction and error resolution.