
BOM/BSD 6/February 2001
BANK OF MAURITIUS
Guideline on Internet Banking
February 2001

Guideline on Internet Banking

1. Preface

This guideline is issued to domestic banks and offshore banks under the authority of the Bank of Mauritius Act and the Banking Act 1988.

It is important that the banking industry in Mauritius adopts all desirable leading-edge technologies in providing banking services to its customers. As the regulator of banks, the Bank of Mauritius has an important interest in ensuring that banking services, including Internet banking, evolve in an orderly fashion with the public interest in mind.

All licensed institutions are allowed to establish informational websites, as defined in this guideline, without seeking the approval of the Bank of Mauritius. They must, however, advise the Bank in writing at least one month prior to the implementation of the website. Institutions proposing to launch communicative or transactional websites are required to obtain the prior written approval of the Bank of Mauritius.

An institution which has obtained approval to launch a communicative or transactional website will have its website posted on that of the Bank of Mauritius, so as to allow the public to verify that the website belongs to an institution licensed under the Banking Act 1988.

This guideline will come into effect on 2 April 2001.

2. Interpretation

“Internet banking” refers to banking products and services offered by institutions on the Internet through access devices, including personal computers and other intelligent devices.

“Internet banking services” means products and services normally offered by institutions under their respective licences, delivered through the Internet.

“Institution” means a domestic bank or an offshore bank licensed under the Banking Act 1988 that has received or applied for approval to establish a communicative or transactional website.

“Communicative website” means a website which allows some interaction between the institution’s systems and customers, both existing and potential. Customers may send information and make enquiries about their accounts. The communication may take the form of e-mail, on-line forms, account enquiries or static file updates (e.g. name and address changes).

“Informational website” means a website which is intended to disseminate general information about the institution and to advertise its products and services, but which provides no interactive capability.

“Transactional website” means a website which allows customers to execute banking transactions, in addition to the services that are offered by a “communicative website” or an “informational website”.

3. Scope of the Guideline

The guideline sets out a regulatory framework for providing Internet banking services in Mauritius. It lays down the minimum standards that institutions must observe regarding Internet banking and prescribes the requirements and the processes for obtaining the Bank of Mauritius’ approval for establishing Internet banking services. Institutions are free to adopt standards, systems and practices more stringent than those outlined in the guideline to suit their particular circumstances.

4. Objective

The objective of this guideline is to require institutions to establish systems and practices for Internet banking designed to:
- limit systemic and other risks that could threaten the stability of financial markets or undermine confidence in the payment system;
- encourage institutions to educate customers about their rights and responsibilities and how to protect their own privacy on the Internet; and
- encourage the development of effective, low-risk, low-cost and convenient payment and financial services to customers and businesses through the Internet.

5. Approval of Bank of Mauritius

An institution seeking to launch its own communicative and/or transactional website, or to utilise the communicative and/or transactional website of a third party, is required to obtain the prior written approval of the Bank of Mauritius. In this regard, the documents and information listed below shall be submitted to the Bank of Mauritius at least one month prior to the proposed launching of the communicative and/or transactional website, along with the request for the Bank’s approval:
(i) Confirmation by the Chairperson of the board of directors of the institution (the Chief Executive Officer in the case of a foreign bank branch) that it is ready to provide Internet banking (as per annexure);
(ii) Business and strategic plans on Internet banking (for at least two years);
(iii) Internet security arrangements and policy;
(iv) Risk management framework;
(v) Terms and conditions for Internet banking services;
(vi) Client charter on Internet banking;
(vii) Privacy policy statement; and
(viii) Any outsourcing or website link arrangements, or strategic alliances or partnerships with third parties, that have been finalised.

An institution which has obtained approval to operate a communicative or transactional website should submit the following information to the Bank of Mauritius within two weeks after obtaining the Bank’s approval or a week prior to the launching of the website, whichever is the later:
- a letter providing its website address, confirming the validity of its site and authorising the inclusion of its site in the web page of the Bank of Mauritius; and
- a soft copy of the institution’s logo to be included in the Bank of Mauritius’ site.

6. Reporting

An institution operating a communicative or transactional website shall report to the Bank of Mauritius on its performance in achieving the objectives set out in its strategic and business plans, including a brief overview of its risk management processes respecting Internet banking. It shall submit to the Bank copies of its security program and its contingency and business resumption plans at the end of each financial year, beginning with the financial year ending 30 June 2001.

7. Internet banking risks

Internet banking risks can adversely impact an institution’s earnings and capital. Therefore, an institution offering Internet banking services is required to implement proper and effective policies, procedures and controls to protect information and to ensure its integrity, availability and confidentiality. To assist institutions to properly identify, quantify and manage the risks associated with Internet banking, it is recommended that such risks be categorised as follows.

(i) Strategic risk

Strategic risk stems from inappropriate business decisions and/or the incorrect implementation of decisions. An institution may incur substantial loss or wastage of its resources as a result of incorrect choices or decisions regarding its Internet banking strategy. The institution should conduct a feasibility study prior to launching Internet financial services.

(ii) Transaction risk

Transaction risk results from flaws in system design or implementation, or from ineffective monitoring, leading to fraud, errors and failures to provide banking products and services. To control transaction risk there is a need for adequate security and monitoring of the Internet banking system.

An institution must have in place preventive and detective controls to protect its Internet banking systems from any unauthorised use, whether internal or external. Adequate operating policies and procedures, auditing standards and effective risk monitoring processes, including contingency and business resumption plans, should be implemented.

(iii) Compliance risk

Compliance risk arises from failure to observe laws, rules, regulations, prescribed practices or ethical standards when delivering Internet banking services. The Internet banking service should be designed and operated in such a manner that it always complies with all relevant laws and guidelines. Every institution should state clearly in its Terms and Conditions for Internet Banking Services and on its website that the governing law is Mauritian law.

(iv) Reputation risk

Reputation risk occurs when systems or products do not work as expected and cause widespread negative public reaction. Internet banking systems that are poorly executed present this risk. An institution’s reputation may also be affected if its Internet banking system is unreliable or inefficient, or if the products and services offered are not presented in a fair and accurate manner.

Adverse public opinion may create a lasting negative public image of the institution’s overall operations, which may impair the institution’s ability to establish new relationships or services, or to continue servicing existing customers and business relationships.

An institution should undertake immediate and effective remedies to address operational failures or unauthorised intrusions, and ensure that timely steps are taken to address adverse customer and media reaction.

An institution should also educate and inform its customers on what they can reasonably expect from a product or service, and on the special risks and benefits they will incur or obtain when using the system.

(v) Traditional banking risk

An institution offering Internet banking services faces the same types of traditional banking risk, such as credit risk, interest rate risk, liquidity risk, price risk and foreign exchange risk. The Internet may, however, heighten some of these risks. An institution providing Internet services should therefore develop appropriate and adequate systems to manage the various types of traditional banking risk, and maintain those systems on a regular basis.

8. Risk Management Framework

(i) Formulation of a policy

The development of Internet banking widens the scope for increased interaction between institutions and their customers and opens up new avenues for cross-border banking transactions, exposing institutions to additional risks. Many aspects of the risks associated with Internet banking are neither fully discernible nor readily measurable.

Accordingly, each institution should develop a risk management framework that is comprehensive enough to deal with known risks and flexible enough to accommodate change. It should be subject to appropriate oversight by the board of directors and senior management. The sophistication of the risk management processes should be appropriate to the institution’s level of risk exposure.

(ii) Role of the Board of Directors

The board of directors shall:
- approve the Internet banking strategy of the institution to ensure that it is consistent with the institution’s strategic and business plan;
- approve the contingency and business resumption plans, which should be in place before the institution launches Internet banking services;
- set the level of Internet banking risk, and review, approve and monitor Internet banking technology-related projects that may have a significant impact on the institution;
- ensure that the Internet banking systems are operated in a safe and sound manner, including the availability of contingency and business resumption plans;
- review and approve the information security policies;
- ensure that an adequate system of internal controls is established and maintained;
- ensure that qualified and competent persons at senior level are employed to identify, monitor and control Internet banking risks, and that the effectiveness of the internal control system is monitored on a regular basis; and
- carry out active oversight of the management of the institution’s Internet banking risk by regularly receiving comprehensive written reports identifying material risks.

In carrying out the above responsibilities, the board may engage the services of outside experts, as needed.

(iii) Role of Management

Senior management should ensure that:
- the Internet banking products are consistent with the institution’s overall strategic plans, and the risks and ramifications of offering such products over the Internet are within the institution’s risk tolerance;
- necessary steps are taken to identify, monitor and control Internet banking risk, and to monitor the effectiveness of the internal control system;
- the Internet banking system is designed and operated in a manner that complies with all relevant laws. Senior management should also monitor developments and changes in consumer and banking laws, regulations and interpretative rulings, and take adequate measures to comply with them;
- the overall effectiveness of the institution’s internal controls is continually monitored. There should be a proper system to track and report internal control weaknesses for prompt corrective measures;
- adequate operating policies and procedures, auditing standards, effective risk monitoring processes, and contingency and business resumption plans are available;
- adequate and comprehensive reports are provided to the directors for decision making;
- adequate expertise and resources are available to operate and maintain the Internet banking system; and
- effective channels of communication are established so that employees are fully aware of the policies and procedures affecting their duties and responsibilities, including a clear delineation of lines of authority and responsibility for managing Internet banking risks.

9. Security policy

Each institution shall establish a written policy on the overall security of its Internet banking system.

Security Requirements

Each institution must have a security program providing for security arrangements which achieve the following objectives:
- Data privacy and confidentiality.
- Data integrity.
- Authentication/identification of counterparties.
- Non-repudiation of Internet banking transactions.
- Access control/system design to prevent unauthorised access attempts.
- Business continuity plan.

An institution must have the following minimum security controls. However, it is the institution’s responsibility to ensure that its security controls are complete in the light of its specific circumstances; as such, it may need additional security controls.

(i) Network and Data Access Controls

Each institution should apply adequate access controls to protect its network, applications and data from unauthorised parties. Access controls should be designed to effectively restrict unauthorised individuals from entering sensitive data, retrieving confidential information or gaining access to bank software applications and operating systems.

(ii) User Authentication

Each institution should put in place tested systems that securely authenticate the identity of Internet banking customers, and provide sufficient authentication, whenever customers access personal account information or engage in on-line transactions for products or services.

The authentication processes should be reviewed and periodically tested for effectiveness through penetration testing and other monitoring methods. Senior management should keep abreast of new or developing standards which may affect the institution’s existing use of authentication devices and processes.

Each institution should use a combination of access, authentication and other security controls to create a secure and confidential Internet banking environment. These generally include passwords, firewalls and encryption.

(iii) Transaction Verification

Each institution should implement Internet banking agreements which clearly define the procedures for valid and authentic electronic communications between its customers and itself. The agreements should specify that the parties intend to be bound by communications that comply with these procedures.

Each institution should maintain audit trails of all transactions to enable the verification of specific transactions and to provide evidence in the event a transaction is repudiated by a customer.

(iv) Virus protection

Senior management should implement a detection and prevention program to minimise the possibility of computer viruses. This program should at least include end-user policies, training and awareness programs, virus detection tools and enforcement procedures.
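The audit trail requirement above does not prescribe a mechanism, and a plain database table of transactions is only as trustworthy as everyone who can write to it. As an added example, not part of the guideline and not any institution’s code, the following Python shows one way to make a transaction log tamper-evident: every record carries the authentication tag of the record before it and an HMAC over its own contents, so that altering, deleting or reordering a record after the fact is detectable by anyone holding the audit key, and storing the chain head out of band also exposes records dropped from the end. The key, customer and account identifiers, and record layout are all constructed for the illustration. One caveat a practitioner should keep in mind: an HMAC chain protects the bank’s evidence against later modification but does not by itself give non-repudiation against a customer who denies initiating a transaction; that needs the customer’s authorisation to be captured in the same record under a credential the bank cannot forge, such as a digital signature under a customer-held key.

```python
"""Tamper-evident Internet banking audit trail: hash chain plus HMAC.

Added illustration, not part of the guideline. Key, account numbers and
record layout are constructed for the example.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

# Constructed example key. In production this would live in an HSM or key
# management service, never in source or in the database holding the log.
AUDIT_KEY = b"example-audit-key-do-not-use"
GENESIS = "0" * 64  # prev_hash of the first record


def canonical(payload: dict) -> bytes:
    """Stable serialisation so identical records always produce identical tags."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditRecord:
    seq: int            # position in the chain
    prev_hash: str      # tag of the preceding record (GENESIS for the first)
    customer_id: str
    event: str          # e.g. "login", "transfer", "logout"
    detail: dict        # event-specific data, e.g. beneficiary and amount
    tag: str = ""       # HMAC over all the fields above, set by AuditTrail.append

    def body(self) -> dict:
        d = asdict(self)
        d.pop("tag")
        return d


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.records: List[AuditRecord] = []

    def _tag(self, rec: AuditRecord) -> str:
        return hmac.new(self._key, canonical(rec.body()), hashlib.sha256).hexdigest()

    def append(self, customer_id: str, event: str, detail: dict) -> AuditRecord:
        """Link a new record to the current head and authenticate it."""
        prev = self.records[-1].tag if self.records else GENESIS
        rec = AuditRecord(len(self.records), prev, customer_id, event, dict(detail))
        rec.tag = self._tag(rec)
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Current chain head; store this out of band to detect truncation."""
        return self.records[-1].tag if self.records else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad record.

        Detects modified contents (tag mismatch), deleted or reordered records
        (seq / prev_hash mismatch) and, when expected_head is supplied, records
        dropped from the end of the log (head mismatch).
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev:
                return i
            if not hmac.compare_digest(rec.tag, self._tag(rec)):
                return i
            prev = rec.tag
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return len(self.records)
        return None


def demo() -> dict:
    """Record a session, then alter the transfer amount as a repudiating party might."""
    trail = AuditTrail(AUDIT_KEY)
    trail.append("C0001", "login", {"ip": "203.0.113.5"})  # constructed sample data
    trail.append("C0001", "transfer", {"to": "MU00ACCT0001", "amount": "15000.00", "ccy": "MUR"})
    trail.append("C0001", "logout", {})
    head = trail.head()
    intact_before = trail.verify(head) is None
    trail.records[1].detail["amount"] = "150.00"   # tamper after the fact
    return {"intact_before": intact_before, "first_bad_after": trail.verify(head)}


if __name__ == "__main__":
    print(demo())  # {'intact_before': True, 'first_bad_after': 1}
```

The chain head should be copied at intervals to a store the log writers cannot reach (a write-once medium, a separate system, or the daily report to management), since a verifier that trusts only the log itself cannot tell a truncated chain from a short one.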

(v) Detection of possible intrusions

Each institution should make effective use of monitoring tools to identify vulnerabilities in its Internet banking system and, in real time, detect possible intrusions by external and internal parties. In this regard, each institution is required to conduct penetration testing and to administer manual or automated intrusion detection processes.

a) Penetration testing

Each institution should use penetration testing to identify, isolate and confirm possible flaws in the design and implementation of passwords, firewalls, encryption and other security controls. The testing should be conducted by an objective, qualified, internal or external source prior to the introduction of Internet banking and at least once a year, or whenever substantial changes are made to the Internet banking security systems.

b) Intrusion Detection

Each institution should set up strong intrusion detection devices to monitor network traffic on a real-time basis. The intrusion detection system must withstand outside attacks and be capable of identifying and reporting departures from normal processing. Adequate audit trail mechanisms should be in place to deter internal fraud and to provide the means to detect unauthorised intrusions or transactions.

Each institution should ensure that it has a combination of regular monitoring of network activity, a well-configured firewall and regular reminders of its security policies. The institution’s security policy should make it incumbent on its responsible officers to report security breaches promptly to a nominated member of senior management and to the Bank of Mauritius.

10. Internet banking security program

Each institution shall establish a written policy on the overall security of its Internet banking system. Each institution shall further implement an overall security program which incorporates the institution’s risk management controls. The security program should set out the policies, procedures and controls to safeguard the institution’s information, define individual responsibilities, and describe enforcement and disciplinary actions for non-compliance.

The security program should establish the necessary organisational structure and accountability for the management of the risks associated with Internet banking. The need to create awareness throughout the organisation that security is an important cultural value should also be ingrained in the security program. Every institution should ensure that adequate training is provided to the relevant staff to keep them updated on new security risks and on methods of mitigating such risks.

Senior management should carry out regular security risk assessments to identify internal and external threats that may undermine data integrity, interfere with service or result in the destruction of information.

Every institution should establish specific reporting requirements for security breaches. Senior management should ensure that the security measures instituted are current and properly implemented, and that comprehensive security policies and procedures are stringently enforced.

An institution should adopt a security awareness program to give users a clear understanding of the procedures and controls necessary for a secure environment. This security awareness program should strengthen the institution’s security policy and program, and may include, for example, instructions regarding password protection, Internet security procedures, user responsibilities and employee disciplinary actions.

11. Contingency and Business Resumption Plans

The contingency and business resumption plans should be approved by the board of directors prior to the launching of Internet banking services. They should include measures covering data recovery, alternate data processing capabilities, emergency staffing, and a public relations and outreach strategy to respond promptly to customer and media reaction to system failures and unauthorised intrusions.

Each institution should evaluate and determine the importance of its business applications and processes, and establish business resumption procedures, in order of importance, designed to recover the most critical functions and systems first.

Each institution should also establish procedures to be followed in the event that its competitors, which rely on similar technology, experience operational failure.

The back-up systems should be fully maintained and tested on a regular basis to minimise the risk of system failures and unauthorised intrusions. Security and internal controls at the back-up locations are expected to be as sophisticated as those at the primary processing site.

Any intrusion, attempted intrusion or suspicious activity should be immediately reported to the nominated member of senior management for prompt corrective measures, followed by a report to the Bank of Mauritius.

12. Outsourcing

Each institution may outsource its Internet banking systems to resident and non-resident (i.e. located outside Mauritius) service providers and software vendors, subject to the prior written approval of the Bank of Mauritius and the following conditions:
(i) The decision-taking function of the institution should remain with it, and the process to be outsourced should not threaten its strategic flexibility or its process control;
(ii) The image, integrity and credibility of the institution should not be impaired by the outsourcing arrangement;
(iii) The institution should be able to manage the risks associated with these new relationships;

(iv) An appropriate oversight program should be set up to monitor the outsourcing vendor’s controls, condition and performance; and
(v) There should be an adequate undertaking for regular servicing by the supplier.

Each institution remains responsible for the performance and actions of its outsourcing vendors in relation to the services outsourced by the institution. Each institution should be aware of the privacy concerns and of its obligations arising from any loss of control of customers’ information.

Before contracting any Internet banking service, each institution should fulfil the following conditions:
(i) The institution should perform sufficient due diligence to satisfy itself of the outsourcing vendor’s expertise, experience and financial strength to fulfil its obligations;
(ii) The written approval of the Board of Directors should be obtained to outsource the Internet banking system to the service provider or software vendor;
(iii) The ownership and control of bank records should remain with the institution;
(iv) The institution should enter into a service agreement with the outsourcing vendor containing a clause on professional ethics and conduct in the performance of its duties. It should be clearly stipulated in the service agreement that the institution reserves the right to terminate the services of the outsourcing vendor if it fails to comply with the conditions imposed. The service agreement should also clearly delineate the roles, responsibilities and accountability of each party;
(v) The institution should carry out a risk assessment of such arrangements, which should ensure that adequate back-up arrangements, such as alternative service providers, are available;
(vi) The institution should have the ability to exercise the necessary control to properly manage the outsourced system for providing the Internet banking services;
(vii) The institution should put in place proper reporting and monitoring mechanisms to ensure that the integrity and quality of the work conducted by the outsourcing vendor is maintained. Regular testing and review of the work done by the outsourcing vendor must be conducted;
(viii) The external and internal auditors of the institution should have the ability to review the books of the outsourcing vendor and to perform audits, or to obtain from the outsourcing vendor independent internal control audit reports. Any weaknesses highlighted during the audit must be well documented and promptly rectified, especially where such weaknesses may affect the integrity of the internal controls of the institution; and
(ix) The details of the outsourcing arrangement should be forwarded for approval by the Bank of Mauritius at least two weeks before entering into an agreement with the service provider, indicating whether all of the abovementioned requirements are satisfied.

13. Advertisements and website links

An institution will not require the prior approval of the Bank of Mauritius for advertisements or web linking arrangements made on its website, provided that such advertisements do not fall within the ambit of section 38 of the Banking Act 1988. The institution should, however, keep the Bank of Mauritius informed of such advertisement arrangements.

(i) Advertisements by an institution on third party websites

This guideline does not seek to restrict the advertisement and posting of an institution’s financial product information on third party websites, including those of institutions operating outside Mauritius. However, each institution should ensure that it has the necessary controls in place to manage the risks associated with third-party websites. The advertisement should be monitored for completeness, accuracy and timeliness.

An institution is advised to notify its customers of the websites that it will use to advertise its products and services, and to caution them that information contained in any unauthorised third party website may be incomplete, inaccurate or outdated. An institution is encouraged to adopt additional procedures to safeguard its customers’ and its own interests.

(ii) Website links

When an institution provides links to third party websites to enable customers to access third party services or products, the institution should analyse the risks presented by these arrangements.

In managing compliance risk, an institution providing hypertext links to third parties on its website should include a clear message informing customers that, as soon as they leave its website, the privacy policy of the institution lapses. The institution should advise customers to read its privacy policy statements, and should also use disclaimers to indicate that:
- a link to other websites is not an endorsement of those websites; and
- the institution makes no warranties as to the accuracy of information available on those sites.

Where the link draws information from a third party’s website into the institution’s website, it is important that the institution clearly states the source of such information in order not to mislead or deceive users.

As part of its overall management policy, an institution should adequately manage its linking practices and enter into linking agreements where appropriate. The linking agreement should cover the use and control of user data generated by the links, as well as privacy and data protection obligations.

An institution providing hypertext links to third parties on its website, or advertisement facilities to third parties, should also have clear disclaimer statements informing customers that it is not responsible for the products and services offered by third parties.

14. Strategic alliances or partnerships

An institution may enter into strategic alliances with partners in relation to the provision of Internet banking services. An institution should ensure beforehand that the proposed alliances or partnerships do not result in any conflict of interest. The details of alliance arrangements should be forwarded for approval to the Bank of Mauritius at least two weeks before entering into an agreement with partners.

15. Customer Protection and Privacy Issues

(i) Customer Education

Each institution should have a web page to educate customers on Internet banking, particularly with respect to their rights and responsibilities and the protection of their own privacy on the Internet.

Prior to offering Internet banking services to its customers, each institution is required to ensure that it has complied with the following:
a) The customers have agreed to the terms and conditions for Internet banking services;
b) The customers have been informed of the risks involved in the use of the Internet banking services;
c) The customers know their rights and responsibilities and are fully aware that they are responsible for their own actions;
d) The customers have been informed that they may specify maximum limits for funds transfers to limit their risks;
e) The customers have been advised to read the privacy policy statements of the institution and of third parties (refer to 13(ii) “Website links”) prior to providing any personal information to the institution or to third parties; and
f) The customers have been educated on their role in maintaining the security of their personal information by not sharing their IDs and passwords with anyone, by changing their passwords regularly, and by remembering to sign off.

(ii) Product Transparency

Each institution should ensure that the products and services offered on the Internet are fairly and accurately disclosed. The features of the products and services, and the terms and conditions, including any fees, charges, penalties and relevant interest rates, should be made transparent to customers in plain language as far as possible. Any agreements or contracts should be made available in a form which can be downloaded, printed and retained by the customer.

Each institution should provide advance notice to customers of any variation of the terms and conditions of the Internet banking services in relation to imposing or increasing charges, increasing the customer’s liability for losses, or any other material changes.

The terms and conditions for Internet banking services shall include the duties of the institution and of customers, the contractual arrangements for liability arising from unauthorised or fraudulent transactions, the mode of notification of changes in the terms and conditions, and information relating to the lodgement of complaints and the investigation and resolution procedures.

The contractual arrangements for liability should provide for the sharing of risks between the institution and its customers. Customers should not be liable for losses not attributable to or not contributed to by them.

Each institution should only enrol customers into a new product or servic
