Introductory seminar: Remote banking - Internet banking law


Post on 10-Jan-2016


Etienne Wéry, Attorney at law at the Brussels and Paris Bars

[email protected]

ULYS law firm

www.ulys.net

Introduction

Seminar - 6 modules:

• Notions and mutations/convergences of the sector: features (I)
• Information obligations: Know your customer - Anti-money laundering and the financing of terrorism - Special liabilities (II)
• Security: internet fraud (III)
• Internet financial services and e-payments (IV)
• Contracts: Study case (V)
• Overview of European law (VI)

Module I

Notions and mutations/convergences of the sector: features

Notions

• Internet banking refers to the use of the Internet as a remote delivery channel for banking services:
– services include the traditional ones, such as opening an account or transferring funds to different accounts, and new banking services, such as electronic online payments (allowing customers to receive and pay bills on the bank's web site) or financial transactions (acquisition, transfer, sale of securities etc.).

• Characteristics of Internet banking include:
– the unprecedented speed of change related to technological and customer service innovation
– the ubiquitous and global nature of the Internet
– the integration of Internet banking applications with legacy computer systems, and
– the increasing dependence of banks on third parties that provide the necessary information technology.

Notions (2)

• A bank can perform Internet activities in one or more of the following ways:
– Informational: this is the basic level of Internet banking, marketing information about the bank's products and services on a stand-alone server
– Communicative: this type of Internet banking system allows some interaction between the bank's systems and the customer (electronic mail, account inquiry, loan applications or static file updates (name and address changes))
– Transactional: this level of Internet banking allows customers to directly execute transactions with financial implications:
  • a basic transactional site only allows a transfer of funds between the accounts of one customer and the bank
  • an advanced transactional site provides a means for generating payments directly to third parties outside of the bank

Risks

Risks associated with Internet banking

– Consistency of technology
– Compliance with corporate policies and legal requirements
– Data and service availability, including business recovery planning
– Data integrity, including providing for safeguarding of assets, proper authorisation of transactions and reliability of the data flow
– Data confidentiality and privacy standards, including controls over access by both employees and customers

Risks (2)

Security risks associated with Internet banking

– Customer security practices / Authentication of customers
– Nonrepudiation and accountability of transactions
– Segregation of duties
– Authorisation controls within systems, databases and applications
– Internal or external fraud (see Module III)
– Data integrity of transactions, databases and records
– Audit trails for transactions
– Confidentiality of data during transmission
– Third-party security risk

Mutations/Convergences

• The number of customers who choose online banking as their preferred method of dealing with their finances is growing rapidly.
• The day may come when cash will be obsolete.
• "Convergence phenomenon"
• For instance, banking via cellphone or PDA as the next option seemed impossible, but technology has already proved the skeptics wrong.

Module II

Information obligations: Know your customer - Anti-money laundering and the financing of terrorism - special liabilities

Know your customer

• Due diligence or enhanced due diligence (EDD) to identify the clients and ascertain relevant information pertinent to doing financial business with them
– Committee on Banking Regulations and Supervisory Practices of the G 10: The Basle Statement of Principles covers all aspects of laundering through the banking system.
– Customer Identification - "Know your Customer" (KYC).
– Financial Action Task Force on Money Laundering (FATF) of G-7

Anti-money laundering

• All financial firms must demonstrate effective money laundering procedures

• To be compliant, firms must provide sufficient "Customer Information" to prove customer identity for both new and existing clients, as follows:
– Customer ID: electronic ID (who are they)
– Risk Assessment (country of origin, any political affiliation, movement of funds, etc.)
– Validation (on any black lists)
– Existing customers need to be monitored in terms of their transactional behaviour

Combating the financing of terrorism

• Money laundering is the process where cash raised from criminal activities is made to look legitimate for re-integration into the financial system, whereas terrorist financing cares little about the source of the funds; it is what the funds are to be used for that defines its scope.
• International Convention for the Suppression of the Financing of Terrorism (UN 1999)
• US Patriot Act
• European Regulation (EC) of 27 December 2001 on specific restrictive measures directed against certain persons and entities with a view to combating terrorism
• United Nations Resolution (sanction and freezing of assets of terrorists) and Recommendations
• Groupe d’action financière sur le blanchiment des capitaux (GAFI)

Liabilities

Some specific legal issues related to secure electronic banking

• General duty of care in case of a professional service provider in the financial sector
– role of service level agreements with key suppliers - outsourcing, industry standards and best practices
– Basel Committee presented a document 'Risk Management Principles for Electronic Banking' (risk management principles and sound practices)
• Liability under Electronic Transfer of Funds legislations
• Impact of possible application of consumer legislation
• Legal security obligations in case of personal data processing
• Legal security obligation for publicly available communications services
• US Sarbanes Oxley Act ("SOX")

Module III

Security: internet fraud

Security: internet fraud

• Protection through password authentication is not secure enough for personal online banking applications.

• Online banking user interfaces are secure sites, generally employing the HTTPS protocol, and all traffic, including the password, is encrypted. This reduces the possibility for a third party to obtain or modify information after it is sent.

• Encryption alone does not rule out the possibility of hackers gaining access to vulnerable home PCs and intercepting the password as it is typed in (keystroke logging); there is also the danger of password cracking and of physical theft of passwords written down by careless users.

Internet fraud

• Second layer of security:
– use of transaction numbers or TANs (single use passwords);
– use of two passwords, only random parts of which are entered at the start of every online banking session;
– providing customers with security token devices capable of generating single use passwords unique to the customer's token (two-factor authentication or 2FA);
– using digital certificates, which digitally sign or authenticate the transactions by linking them to the physical device (e.g. computer, mobile phone, etc.).

• Setting up a combination of controls that recognize a customer's computer, ask additional challenge questions for risky behavior, and monitor for fraudulent behavior.

• An increasingly common criminal practice to gain access to a user's finances is phishing, whereby the user is persuaded to hand over their password(s) to a fraudster.

Recent example in Belgium

• Since 2005, there have been 52 cases in Belgium of bank accounts managed via the internet being plundered. Nearly 800,000 euros were taken from the accounts.

• For the first time, in 2007, it was the work of organised crime: the Russian mafia attacked three Belgian banks.

• For the CBFA, the phenomenon must be put into perspective: 52 cases, whereas 500,000 transactions are carried out daily via accounts managed over the internet. Moreover, the customers who were victims of fraud were all using copied software.

• "People must show a minimum of hygiene in IT matters."

• Since these latest attacks, the targeted institutions have taken additional protective measures. Result: there have been no further successful attempts in Belgium to plunder accounts managed via the internet since the month of June. The customers who were victims of this fraud have been reimbursed.

Application

• Ecobank website study case:
– https://www.tib.ecobank.com/scripts/ecobank.dll

• Belgian Online Bank samples:
– https://secure.ing.be/eb/homebank/EN/index.jsp
– https://www.fortisbanking.be/pics/BE/F/fr/anon/priv/News/securite_internet_2_.html
– http://www.dexia.be/Fr/Particulier/BankingManagement/ViaDexiaDirectNet/demonstrations.htm

Module IV

Internet financial services and e-payments

Internet financial services: Belgian and French examples

- Architecture of the law on distance financial services in European, Belgian and French law
- Definitions of "financial services" and "distance contract"
- Commercial solicitation and means of distance communication
- Obligation to provide information and communication of the contractual terms
- Right of withdrawal
- Questions of private international law (DIP)

Electronic money - harmonised situation at European level

• Prudential supervision: authorisation and exemptions
• Transparency of the conditions governing payment services
• Rights and obligations relating to the provision and use of payment services
– Authorisation of payment transactions
  • Consent, monitoring, irrevocability, right to a refund, proof, dispute, record-keeping, liability
– Execution of a payment transaction
  • Acceptance and refusal of a payment order, amounts and fees, execution time, availability of funds, value date, execution problems

Module V

Contracts: Study case

Module VI

Overview of European law

SEPA

• Creation of a single area for payments in euros: Single Euro Payments Area

• SEPA payment instruments:
– SCT or SEPA Credit Transfer
– SDD or SEPA Direct Debit
– SCF or SEPA Card Framework

MiFID

• MiFID (Markets in Financial Instruments Directive): new regulatory framework for markets in financial instruments, with the objective of promoting the cross-border provision of investment services by establishing a harmonised regime in all Member States, while strengthening investor protection

• Know your customer: the directive requires firms to update their client service processes in order to handle data for:
– a) Customer classification (professional, non-professional, eligible counterpart)
– b) Proof of information provided related to classification
– c) Proof of management of situations of "conflict of interest"

• New rules of conduct.

MiFID (2)

• Customer order handling: Best execution, classification, driven order handling and transparent pricing.

• Transparency: Fulfillment of real time and deferred reporting. Market data feed, pre-trade and post-trade transparency, customers' confirmations, information access for customers, and reporting to regulators

• Internal organization: investment firms are required to meet higher organizational standards, including new rules on the compliance functions, conflict of interests controls, record-keeping, safeguarding of money and assets, outsourcing arrangements, complaint handling mechanisms, personal transactions or inducements.


What next ?

• AML – EU 3rd Directive December 2007

• MiFID III

• Basel II

• New e-payments directive

Literature

• Internet : http://www.droit-technologie.org

• Journal of internet banking and commerce : http://www.arraydev.com/commerce/jibc/

• Books : Internet Banking and the Law in Europe: Regulation, Financial Integration and Electronic Commerce, by Apostolos Ath. Gkoutzinis (www.cambridge.org/us/9780521860710)


Thank you for your attention

[email protected]

Belgium: Tel: +32 (0) 2 340 88 10 / Fax: +32 (0) 2 345 35 80

France: Tel: +33 (0) 1 40 70 90 11 / Fax: +33 (0) 1 40 70 01 38

www.ulys.net