Our clients' safety is a priority for us at Sterling Bank of Asia.
We take great care to safeguard our clients from risks that may arise when it comes to e-banking products and services. This memorandum is being issued to serve as the Bank’s policy in consumer protection for e-banking products and services.
The Bank shall provide consumer protection applicable to e-banking products and services, in accordance with Bangko Sentral ng Pilipinas (BSP) Circular No. 542, entitled Consumer Protection for Electronic Banking. In this regard, the Bank shall ensure that its e-banking activities are implemented in compliance with the requirements to safeguard customer information, prevent money laundering and terrorist financing, reduce fraud and theft of sensitive customer information, and promote the legal enforceability of the Bank’s electronic agreements and transactions.
This policy shall cover all e-banking products and services offered by the Bank, including those that will be introduced later on.
Electronic banking (e-banking) generally refers to the provision of banking products and services through electronic channels such as personal computers, landlines, and mobile phone connections, or through automated teller machines (ATMs). These electronic banking products include electronic money products that are aimed at facilitating retail payments. Currently, the Bank has the following e-banking products and services:
In compliance with BSP Circular No. 542, the following guidelines shall cover all e-banking products and services of the Bank:
I. E-Banking Oversight Function
II. E-Banking Risk Management and Internal Control
IV. Account Origination and Customer Verification
With the growth of e-banking and e-commerce, the Bank shall use reliable methods of originating new customer accounts in an electronic banking environment. Potentially significant risks may arise when a bank accepts new customers through the internet or other electronic channels. Thus, all concerned units/business centers shall ensure that in originating new accounts, the "Know Your Customer" or KYC policy of the Bank, which involves "face-to-face" contact, is strictly adhered to.
V. Monitoring and Reporting of E-banking Transactions
The Bank may receive a customer complaint, either through an electronic medium or otherwise, concerning an unauthorized transaction, loss, or theft involving the customer's electronic banking account. Therefore, the Bank shall ensure that controls are in place to review these notifications and that an investigation is initiated as required. To resolve disputes arising from the use of the electronic banking products and services, the concerned unit/business center shall immediately conduct an investigation.
Although the above guidelines are focused on the risks and risk management techniques associated with an electronic delivery channel to protect customers and the general public, it should be understood that not all of the consumer protection issues that have arisen in connection with new technologies are specifically addressed in this policy. Additional policies may be issued in the future to address other aspects of consumer protection as the financial service environment through electronic banking evolves.
To minimize or prevent ATM fraud and crime, the Bank should, at a minimum, implement the following security measures with respect to automated teller machine facilities:
The Bank must study and assess ATM crimes to determine the primary problem areas. Procedures for reporting ATM crime should also be established. Knowing what crimes have occurred will aid the Bank in recognizing the particular crime problem and to what degree it exists so that it can implement specific prevention measures to mitigate the risk. In this connection, banks are encouraged to share information involving ATM fraud cases to deter and prevent the proliferation of the crime.
1. Network controls
Implement adequate security measures on the internal networks and network connections to public networks or remote parties. Segregate internal networks into different segments having regard to the access control needed for the data stored in, or systems connected to, each segment.
Properly design and configure the servers and firewalls used for the e-banking services either internet-based or delivered through wireless communication networks (e.g., install firewalls between internal and external networks as well as between geographically separate sites). Deploy strong and stringent authentication and controls, especially in remote access or wireless access to the internal network.
Implement anti-virus software, network scanners and analyzers, intrusion detectors, and security alerts as well as conduct regular system and data integrity checks.
Maintain access security logs and audit trails. These should be analyzed for suspicious traffic and/or intrusion attempts.
Ensure that wireless software for wireless communication networks includes appropriate audit capabilities (e.g., recording dropped transactions).
Develop built-in redundancies for single points of failure that could bring down the entire network.
2. Operating Systems Controls
Harden operating systems by configuring system software and firewalls to the highest security settings consistent with the level of protection required, keeping abreast of enhancements, updates, and patches recommended by system vendors.
Change all default passwords for new systems immediately upon installation as they provide the most common means for intruders to break into systems.
Implement encryption technologies that are appropriate to the sensitivity and importance of data to protect the confidentiality of information while it is stored or in transit over external and internal networks.
Choose encryption technologies that make use of internationally recognized cryptographic algorithms whose strength has been subjected to extensive testing.
Apply strong "end-to-end" encryption to the transmission of highly sensitive data (e.g., customer passwords) so that the data are encrypted all the way between customers’ devices and the Bank’s internal systems for processing data. This would ensure that highly sensitive data would not be compromised even if the Bank's web servers or internal networks were penetrated.
4. Website and Mobile Banking Authentication
Authenticate the official websites to protect the Bank’s customers from spoofed or faked websites. The Bank should determine what authentication technique to use to provide protection against these attacks.
For wireless applications, adopt authentication protocols that are separate and distinct from those provided by the wireless network operator.
5. Physical Security
House all critical or sensitive computers and network equipment in physically secure locations (e.g., away from environmental hazards, unauthorized entry and public disclosure, etc.).
Implement physical security measures such as security barriers (e.g., external walls, windows), entry controls (e.g., biometric door locks, manual or electronic logging, security guards), and physical protection facilities/devices (e.g., water and fire detectors, uninterruptible power supply (UPS), etc.) to prevent unauthorized physical access to, damage to, and interference with the e-banking services.
6. Development and Acquisition
Separate physical/logical environments for development, testing, staging, and production.
Provide separate environments for the development, testing, staging, and production of internet-facing web-based applications; connect only the production environment to the internet.
7. IT Personnel Training
Provide appropriate and updated training to IT personnel on network, application, and security risks and controls so that they understand and can respond to potential security threats.
8. Service Providers
Perform due diligence regularly to evaluate the ability of the service providers (e.g., internet service provider, telecommunication provider) to maintain an adequate level of security and to keep abreast of changing technology.
Ensure that the contractual agreements with the service providers have clearly defined security responsibilities.
9. Independent Audit, Vulnerability Test, and Penetration Testing
Conduct regular audits to assess the adequacy and effectiveness of the risk management process and the attendant controls and security measures.
Perform vulnerability tests or assessments to evaluate the information security policies, internal controls, and procedures, as well as the system and network security of the Bank. Assessment should also include the latest technological developments and security threats, industry standards, and sound practices.
Conduct penetration testing at least annually.
The audit and tests should be conducted by security professionals or internal auditors who are independent of the development, implementation, or operation of e-banking services, and who have the required skills to perform the evaluation.
For e-banking services provided by an outside vendor or service provider, ensure that the above tests and audit are performed and the Bank is provided with the result and actions taken on system security weaknesses.
10. Incident Response
Establish an incident management and response plan and test the predetermined action plan relating to security incidents.
To ensure the security of their e-banking transactions and personal information, consumers should be oriented on their roles and responsibilities, which, at a minimum, include the following:
1. Internet Products and Services
A. Secure Login ID and Password or PIN
B. Keep personal information private
2. Other Electronic Products
A. Automated Teller Machine (ATM) and debit cards
B. Do not leave documents such as bills and bank statements in an unsecured place, since these documents give direct access to deposit account information. Consider shredding sensitive documents rather than simply throwing them away. (Some people will go through the garbage to find this information.)
C. Notify the bank in advance of a change in address.
D. Open billing statements promptly and reconcile card amounts each month.
Do not let other people use your card. If the card is lost or stolen, report the incident immediately to the Bank.
Since customers may find it difficult to take in lengthy and complex advice, the Bank should devise effective methods and channels for communicating with them on security precautions. The Bank may make use of multiple channels (e.g., the Bank's website, alert messages on a customer's mobile phone, messages printed on customer statements, promotional leaflets, and occasions when the Bank's frontline staff communicate with customers) to reinforce these precautionary measures.
1. General Requirement
Banks offering electronic banking services have to adopt responsible privacy policies and information practices. Banks should provide disclosures that are clear and readily understandable, in writing or in a form the consumers may print and keep.
Banks should also ensure that consumers who sign up for a new banking service are provided with disclosures (e.g., pamphlets) informing them of their rights as consumers.
At a minimum, the following disclosures should be provided to protect consumers and inform them of their rights and responsibilities.
2. Disclosure Responsibility
Examples of these disclosures include: