Risk Management Principles for Electronic Banking

Risk Management Principles for Electronic Banking

Basel Committee on Banking Supervision

Basel Committee on Banking Supervision

May 2001

Issued May 2001


A. Board and Management Oversight (Principles 1 to 3)

A. Board and Management Oversight (Principles 1 to 3)

 Principle 1: The Board of Directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks.

Principle 1: The Board of Directors and senior management should establish an effective oversight and management mechanism for the risks involved in e-banking activities, including a detailed allocation of accountability, operating policies and risk control measures, in order to manage these risks.

Principle 2: The Board of Directors and senior management should review and approve the key aspects of the bank's security control process.

Principle 2: The Board of Directors and senior management should review and approve the key aspects of the bank's security control process.

Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other third-party dependencies supporting e-banking.

Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other relationships in which it relies on third parties to support its e-banking activities.

B. Security Controls (Principles 4 to 10)

B. Security Controls (Principles 4 to 10)

Principle 4: Banks should take appropriate measures to authenticate the identity and authorisation of customers with whom it conducts business over the Internet.

Principle 4: For customers who conduct transactions over the Internet, banks should take appropriate measures to verify the customer's identity and transaction authority.

Principle 5: Banks should use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactions.

Principle 5: Banks should use transaction authentication methods that enhance the non-repudiation of transactions and establish accountability for e-banking transactions.

Principle 6: Banks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems, databases and applications.

Principle 6: Banks should ensure that they have taken appropriate measures to promote the establishment of adequate segregation of duties and mutual checks within e-banking systems, databases and application software.

Principle 7: Banks should ensure that proper authorisation controls and access privileges are in place for e-banking systems, databases and applications.

Principle 7: Banks should ensure that they have established proper authorisation controls and operating access privilege regimes for e-banking systems, databases and application software.

Principle 8: Banks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions, records and information.

Principle 8: Banks should ensure that they have taken appropriate measures to protect the integrity and accuracy of e-banking transactions, records and information.

Principle 9: Banks should ensure that clear audit trails exist for all e-banking transactions.

Principle 9: Banks should ensure that clear audit trails are retained for all e-banking transactions.

Principle 10: Banks should take appropriate measures to preserve the confidentiality of key e-banking information. Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases.

Principle 10: Banks should take appropriate measures to preserve the confidentiality of key e-banking information, and should adopt confidentiality measures commensurate with the sensitivity of the information transmitted and/or stored in databases.

C. Legal and Reputational Risk Management (Principles 11 to 14)

C. Legal and Reputational Risk Management (Principles 11 to 14)

Principle 11: Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the bank's identity and regulatory status of the bank prior to entering into e-banking transactions.

Principle 11: Banks should ensure that adequate information is provided on their websites so that potential customers have a basis on which to judge the bank's identity and legal status before entering into e-banking transactions.

Principle 12: Banks should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the bank is providing e-banking products and services.

Principle 12: Banks should take appropriate measures to ensure that, when providing e-banking products or services, they comply with the customer privacy protection requirements applicable in that jurisdiction.

Principle 13: Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.

Principle 13: Banks should have effective capacity, business continuity and contingency planning processes to help ensure that e-banking systems and services are available for normal use at all times.

Principle 14: Banks should develop appropriate incident response plans to manage, contain and minimise problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.

Principle 14: Banks should develop appropriate incident response plans to manage, contain and mitigate problems arising from unforeseen events, including internal or external attacks that may hamper the provision of e-banking systems and services.
