Risk Management in Electronic Banking:
Concepts and Best Practices


Risk Management in Electronic Banking:
Concepts and Best Practices

Jayaram Kondabagil

John Wiley & Sons (Asia) Pte Ltd.


Copyright © 2007 by John Wiley & Sons (Asia) Pte Ltd
Published in 2007 by John Wiley & Sons (Asia) Pte Ltd
2 Clementi Loop, #02-01, Singapore 129809
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning or otherwise, except as expressly permitted by law, without
either the prior written permission of the Publisher, or authorization through payment
of the appropriate photocopy fee to the Copyright Clearance Center. Requests for
permission should be addressed to the Publisher, John Wiley & Sons (Asia) Pte Ltd,
2 Clementi Loop, #02-01, Singapore 129809, tel: 65-64632400, fax: 65-64646912, e-mail:

This publication is designed to provide accurate and authoritative information in
regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering professional services. If professional advice or
other expert assistance is required, the services of a competent professional person
should be sought.

Other Wiley Editorial Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

John Wiley & Sons Ltd, The Atrium Southern Gate, Chichester P019 8SQ, England
John Wiley & Sons (Canada) Ltd, 5353 Dundas Street West, Suite 400, Toronto,
Ontario, M9B 6HB, Canada
John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia
Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany
Library of Congress Cataloging-in-Publication Data
ISBN: 978-0-470-82243-2

Wiley Bicentennial Logo: Richard J. Pacifico
Typeset in 10.5 on 13 points, Palatino by SNP Best-set Typesetter Ltd., Hong Kong
Printed in Singapore by Mainland Press Pte Ltd
10 9 8 7 6 5 4 3 2 1


To the memory of my father
Kondabagil Sheshappa


Contents

List of Figures

xiii

List of Tables

xv

Preface


xvii

Acknowledgments

xxiii

Foreword

xxv

PART I: INTRODUCTION TO E-BANKING
Chapter 1

Chapter 2

E-Banking Basics

3

Evolution of e-banking
Impact on traditional banking
E-banking components
Regulatory approval

3
4
7
8

E-Banking Risks


10

Strategic risk
Operational risk
Compliance risk
Reputational risk

11
12
13
13


viii

Chapter 3

Contents

Other risks
Risk management challenges
The five-pillar approach

14
15
17

Product and Service-specific Risks


19

Internet banking
Aggregation services
Bill presentment and payment
Mobile banking
Weblinking
Electronic money
Cross-border transactions
New products and services

19
21
23
24
25
27
27
29

PART II: RISK MANAGEMENT
Chapter 4

Chapter 5

Chapter 6

Risk Management Framework

33


Policies and procedures
Risk management process
Operational risk management
Governance and internal controls

34
35
39
40

Risk Management Organization

43

Organization structure
Board and senior management
Executive risk committee
IT management
Internal and external audit

43
44
49
51
53

International Standards

56


Basel Committee on banking supervision
COBIT 4.0
ISO 17799
OCTAVE
COSO – enterprise risk management
PCI data security standard
Financial Action Task Force

56
57
58
59
60
61
62


ix

Contents

Corporate governance codes
Regulatory guidelines

63
64

Part III: INFORMATION SECURITY
Chapter 7


Chapter 8

Chapter 9

Information Security Management

69

Security objectives
Security controls
Security risk assessment
Classification of controls
Monitoring and testing
Incident response plan

70
73
76
78
79
80

Operational Controls

82

Personnel issues
Segregation of duties
Technical issues

Database management
Change management
Backups and off-site storage
Insurance
Fraud management

82
84
86
88
89
90
92
93

Technical Controls

97

Logical access controls
Identification and authentication
Authentication methods
Audit trails
Network security
Firewalls
Malicious code
Information security incidents

98
99

101
104
105
108
110
111

PART IV: OUTSOURCING
Chapter 10

Outsourcing in E-Banking

117

Types of outsourcing
Material outsourcing

118
119


x

Chapter 11

Chapter 12

Contents

Supervisory approach

Key risks of outsourcing
Board and senior management responsibility
Outsourcing policy

120
121
123
124

Managing Outsourced Services

126

Outsourcing decisions
Risk assessment and control
Service provider due diligence
Offshoring
Contingency plans
Customer service
Monitoring and audit

126
127
130
131
132
132
134

Outsourcing Contracts


137

Contractual provisions
Right of access clauses
Termination clause
Offshoring contracts
Confidentiality and security clauses
Business continuity clauses

138
140
141
141
142
144

PART V: BUSINESS CONTINUITY
Chapter 13

Chapter 14

Business Continuity Management

147

The main drivers
Board and senior management responsibility
Components of BCM
Business impact analysis

BIA methodologies
Recovery strategy

147
149
151
152
153
156

Business Continuity Plan

158

Major components of BCP
Continuity management team
Recovery procedures
Resource requirements
External communications

158
160
162
163
165


xi

Contents


Chapter 15

Plan maintenance
Awareness and training
Testing of BCP
Testing methods

167
169
171
172

Data Centers and Alternate Sites

175

Evolution of data centers
Location of the sites
Mitigating concentration risk
Data center design
Logistics management
Maintenance procedures
Alternate site models
External support
Business continuity in real life

175
176
177

178
180
182
183
185
186

PART VI: LEGAL AND REGULATORY COMPLIANCE
Chapter 16

Chapter 17

Compliance Function

193

Organization of the compliance function
Board and senior management responsibility
Role of regulators

194
195
196

Major Compliance Issues

198

Anti-money laundering
Know your customer (KYC)

Suspicious activities
Privacy of customer information
Information disclosures
Customer education

198
199
201
202
204
206

High-level review checklist

209

Acronyms

225

Glossary

227

References

245

Index


251


List of Figures

2.1
4.1
4.2
4.3
5.1
7.1
13.1

The five-pillar approach
Risk management framework
Risk management process
Risk management triad
Risk management organization structure
Information security objectives
BCM process

18
34
36
40
44
71
151



List of Tables

1.1
1.2
1.3
2.1
2.2
2.3
4.1
5.1
5.2
5.3
7.1
7.2
7.3
9.1
10.1
10.2
10.3
11.1
12.1
13.1
13.2
13.3
14.1
14.2
14.3
14.4
17.1
17.2


Common e-banking services
Examples of e-banking components
Information sought by regulators for licensing
Factors influencing strategic risk
Examples of operational risk
Factors affecting a bank’s reputation
Key requirements in the risk management process
Responsibility of key players in risk management
Responsibilities of the Board and senior management
Responsibilities of board committees
Information security challenges
Security objectives and control measures
Outline of information security policy
Effects of malicious code
Outsourcing examples
Factors to determine the materiality of an outsourced
activity
Outline of an outsourcing policy
Due diligence parameters for outsourcing
Confidentiality and security clauses in outsourcing
contracts
Potential threats to business continuity
Illustrative questionnaire for impact analysis
Illustrative list of critical functions
Intensity levels of disruption
Responsibilities of CMT
Triggers for unscheduled maintenance of the BCP
BCP testing parameters
Broad objectives of anti-money-laundering measures

Security-related instructions to customers

4
8
9
11
12
14
37
45
46
48
70
74
75
111
118
119
125
130
143
152
154
155
159
160
169
172
199
206



Preface

B

anking has traditionally been built on the branch-banking model. The
unprecedented speed of technological changes over the last two
decades has changed the way banking has been done over centuries.
Technology has offered tremendous opportunities to banks to surmount
geographical, commercial, and demographic barriers; and to deliver
products and services at virtually zero marginal cost combined with
unbounded reach.
The success of a bank is now determined by its ability to deliver innovative products and services, and to provide remote access in a technologically advanced way that meets the changing needs of the customer.
We now have a variety of delivery channels from ATMs and the Internet
to mobile banking – collectively termed “electronic banking.”
However, this has carried risks as well as benefits. Some of the traditional risks associated with banking activities such as strategic, operational, legal, and reputational risks have been modified and heightened
for banks providing electronic banking services. This has influenced the
overall risk profile of banking.
It has become all the more critical now for banks to have flexible and
responsive operating processes, as well as sound and robust risk management systems that recognize, address and manage these risks in a
prudent manner according to the basic characteristics and challenges of
e-banking services.

WHY THIS BOOK?
Risk management is not a new concept or challenge for banks. Banks
have traditionally adopted risk mitigation measures, but the focus has


xviii


Preface

generally been on financial risks such as credit, market, interest rates,
and liquidity. Non-financial risks such as strategic, operational, compliance, and reputational risks have received only a cursory treatment, more
as a need to meet legal and regulatory requirements.
The increased share of e-banking activities as a percentage of revenue
and volume of business, and the consequent demands, especially on ICT
infrastructure, has forced many a bank management to wake up and
have another look at its risk management practices. The Basel Committee
on Banking Supervision has been working on this aspect for more than
a decade, and its latest report, Risk Management Principles for Electronic
Banking, issued in July 2003, is a significant step in activating regulators
around the world to take notice of the need to treat e-banking risks on a
separate platform. A flood of regulatory guidelines has supplemented
this in the last two years.
This book is a pioneering effort to provide a conceptual framework
for the management of risks in an electronic banking environment, supplemented by an overview of sound practices based on international
standards and guidelines on risk management.
Basel II has introduced explicit capital adequacy requirements for
operating risk in the new accord. With Basel II capital adequacy norms
due for implementation across the world (different countries have
set different deadlines starting from this year), there is an increasing
interest and regulatory focus on operational risk management. As
electronic banking forms a major component of operational risk, Risk
Management in Electronic Banking is presented at the most appropriate
time.

ORGANIZATION OF THE BOOK
This publication follows and recommends a five-pillar approach for the

management of risks in an electronic banking environment:

Pillar
Pillar
Pillar
Pillar
Pillar

I
II
III
IV
V

Risk management framework
Information security management
Outsourcing management
Business continuity management
Legal and regulatory compliance.


xix

Preface

Part I

Introduction to E-Banking

The introductory part provides an overview of e-banking and associated

risks, and lays the foundation for the rest of the book. Chapter 1 traces
the evolution of electronic banking and its impact on traditional banking,
followed by an overview of e-banking components and the regulatory
approval process. Chapter 2 contains a discussion on strategic, operational, compliance, reputational, and other risks in an e-banking environment. The product and service-specific risks, such as those relating to
Internet banking, aggregation services, bill presentment and payment,
mobile banking, and cross-border transactions are covered in Chapter 3.

Part II

Risk Management

The conceptual framework for the management of electronic banking
risks is covered in this part. Chapter 4 details the adaptation of the
generic risk management model to an electronic banking environment.
Chapter 5 provides a detailed analysis of the risk management organization with associated roles and responsibilities. Chapter 6 gives an overview of the international standards, guidelines, and sound practices.

Part III

Information Security

Trust and security has always been an essential feature of the banking
system. Information security management is today an essential business
requirement in view of the capture, transmission, processing, and storage
of data in digitized forms over open networks. Recent regulatory requirements related to information security and internal control magnify these
concerns. The different components of information security management
are discussed in Chapter 7, while chapters 8 and 9 deal with the operational and technical controls to be built under the security management
framework.

Part IV


Outsourcing

Outsourcing and third-party dependencies have become an integral part
and the most critical component of the electronic banking schematics of
banks. The range and the relative complexity of these outsourced activities are increasing and so are the risks. The key risks in outsourcing,
Board and management responsibility, sound practices for managing


xx

Preface

outsourced services, and outsourcing contracts are dealt with in this
part.

Part V

Business Continuity

This part provides a conceptual framework for the business continuity
management (BCM) function and each component of BCM is discussed
in detail. Chapter 14 gives a detailed method to develop a business continuity plan (BCP). Chapter 15 is devoted to data centers in view of the
critical role they are playing in e-banking schematics.

Part VI

Legal and Regulatory Compliance

This part deals with the legal and regulatory compliance requirements
applicable for an electronic banking environment. Chapter 16 deals

with the organization of the compliance function, the roles of the Board
and senior management, and the regulators in the compliance function.
The last chapter discusses major compliance issues, including measures
to ensure privacy of customer information and anti-money laundering, and the importance of information disclosures and customer
education.
To increase the practical utility of Risk Management in Electronic Banking,
case studies based on some of the most recently reported events have
been included. The high-level review checklist provided at the end of the
book will facilitate a quick management review of the status of risk management in banks providing electronic banking services. The glossary
and acronyms of the relevant terms used, and a list of references, are also
appended.

INTENDED AUDIENCE
Risk management has moved up the organizational ladder and is more
of a management than technical issue. It is a multidisciplinary function
with roles and responsibilities associated with all sections of personnel
in a bank. Keeping this in mind, the technical jargon has been kept to the
bare minimum.
Risk Management in Electronic Banking is aimed at central bankers,
Board members, the senior management of banks, senior managers with
risk management responsibilities, operational risk managers, IT manage-


Preface

xxi

ment in banks, senior operations staff, auditors and compliance officers, technology service providers, and risk management consultants.
Researchers and academics working in the risk management area and
students of banking-related courses will find this an informative reference book.


AN EXPLANATORY NOTE
There are significant differences with regard to the functions of the Board
of Directors and senior management across countries dependent on the
corporate governance codes and regulations applicable for the particular
legal or regulatory jurisdiction. For example, the US “board of directors”
has functional similarities with the “supervisory boards” in Germany,
whereas the functions of a German “management board” are akin to
senior management functions.
Owing to these differences, without going into the legalities, the terms
Board of Directors and senior management are used in this book only to
identify the two distinct decision-making functions within a bank: the
former with the main function of supervising the executive body comprising of senior management and general management, and the latter
with executive functions.
Likewise there are differences in the supervisory structure across jurisdictions. Some central banks perform both regulatory and supervisory
functions. In some countries the regulatory and supervisory functions
are divided among two or more agencies. For the sake of consistency the
term regulator is used throughout the book.


Acknowledgments

I

would like to acknowledge the contribution of my professional colleagues U.M. Kamath, B.M. Tambakad, and B.K. Bhat for their valuable
suggestions. I would also like to thank the Basel Committee on Banking
Supervision for granting permission to use text from their publications.
The publication of this book would not have been possible without
the interest shown in my proposal and the assistance rendered by Nick
Wallwork and his able team at Wiley. My special thanks are due to Fiona

Wong, Janis Soo, and Edward Caruso.
Finally, I would like to note the support of my family: my wife Saroja
and our twin daughters Kavya and Kruthi. Thanks also to our son Karthik
who prepared the diagrams used in the book.
Any comments, suggestions, and inadvertent inaccuracies that are entirely my responsibility can be sent to me at


Foreword

R

isk Management in Electronic Banking is a comprehensive study
of the concepts and best practices in electronic banking. It fills a
badly needed global requirement for not only bankers but also all users
of electronic banking. The book gives an excellent review of the wide
scope of electronic banking on traditional banking and business methods.
It then delves into the risks inherent in e-banking, including strategic,
operational, compliance, reputational, and others.
The author’s five-pillar approach used to manage risks gives practitioners a structured foundation with each of the five pillars covered in
book. Of particular interest are the sections on outsourcing management
and business continuity management. In the chapter on product and
service-specific risks, the sections on transactional websites and aggregation services cover those new and unique e-banking requirements. Top
management will be particularly interested in reading the section on
business continuity. IT managers will want to study the section on data
centers and alternate sites. Compliance managers will want to read the
Compliance Function section. The High-level Review Checklist and
Glossary at the end of the book are also particularly useful.
Jayaram Kondabagil has produced an excellent work that will be the
key reference for anyone involved in electronic banking.
Mark Mobius

Managing Director
Templeton Asset Management Ltd


Risk Management in Electronic Banking: Concepts and Best Practices
by Jayaram Kondabagil
Copyright © 2007 John Wiley & Sons (Asia) Pte. Ltd.

Part I

Introduction to E-Banking


Risk Management in Electronic Banking: Concepts and Best Practices
by Jayaram Kondabagil
Copyright © 2007 John Wiley & Sons (Asia) Pte. Ltd.

CHAPTER

1

E-Banking Basics

EVOLUTION OF E-BANKING
Banks are deemed to be the early users of technology and the main
drivers of technological revolution. The first applications of the computer
age within banking were the use of mainframes, and later minicomputers, to process data such as customer accounts, bank inventories, personnel records, and accounting packages that ultimately evolved into
spreadsheets. The use of technology was as a support tool for banking
operations, helping staff to do their work faster, more conveniently, and
with less human errors.

The idea of direct customer services was less clear, but the first ATM
(automated teller machine) came into commercial use in 1968. ATMs
were the first visible face of electronic banking. From being mere currency dispensers they have now evolved into multifunctional devices
enabling customers to conduct a whole range of transactions from account
management, funds transfer, to bill payments. It took nearly 16 years for
the first 100,000 ATMs to be operational, whereas the next 100,000 were
in place in a mere four years. The day of smart ATMs that use biometrics
to recognize customers and cross-sell financial products with a fair
knowledge of the investment and purchasing preferences of customers
is not far off.
The next step in providing direct customer service came with the
extended use of debit and credit cards in merchants’ shops through EPOS
(electronic point of sale) technology. Electronic fund transfers was another
application where technology was used extensively, mainly to cut down
on costs and to speed up payments. This led to the development of specialized products like corporate cash management systems.
3


4

Risk Management in Electronic Banking

The proliferation of the Internet gave a real boost to electronic banking
and moved banking services from back-end applications to customercentric front ends. The open networked environment provided instant
global access to information, products, and services, so now the customers could bank from the comfort of their homes. It is estimated that as at
March 2007 about 16.9% of the world’s population are Internet users.
Globally, the number of broadband subscribers by the end of 2006 was
estimated to be about 281 million and is expected to cross 400 million by
2010, underlining the potential. The developments in Internet technology
have led to the development of new products such as aggregation

services, bill presentment and payment, and personalized financial
portals.
The advances in telecommunication technology have helped the
development of a new facet of electronic banking; namely, mobile
banking. Wireless is estimated to be growing at more than three times
the rate of landlines globally. With the number of connections estimated
at 2.6 billion as at the end of 2006, and expected to cross 4 billion by 2010,
mobile banking is set to become a major delivery channel.
An indicative list of common e-banking services is provided in
Table 1.1 below.

TABLE 1.1 Common e-banking services
Financial information news
Product and service information
Branch and ATM locators
Account management
Cash management
Business-to-business payments
New account opening
Employee benefits administration
Pension administration
Insurance
Depository services

Person-to-person payments
Interest rates and currency rates
Promotions and cross-selling
Helpline information
Bill payment and presentment
Funds transfer to different accounts

Consumer/commercial wire transfers
Investment/brokerage services
Loan application and approval
Account aggregation
Credit cards

This is only an indicative list, and the services and products are of varied complexity.

IMPACT ON TRADITIONAL BANKING
Banking has traditionally been built on the branch-banking model
with two basic competitive advantages; namely, a brand name and


E-Banking Basics

5

customer relationships. The speed of change and advancements in
information technology (IT) have brought changes to the way banking
has been done for centuries and will continue to influence future banking
trends.
The nature of distribution channels has changed dramatically. Today
the competition in the banking sector is determining the success of a bank
by its ability to deliver innovative products and services in a technologically advanced way that meets the changing needs of the customer.
Some of the perceptible changes are as follows.

Changing Customer Profile
Previously customers changed banks only in extreme circumstances.
Now they can do so at the click of a mouse. A comparison by customers
of the products and services offered by the different banks is facilitated

by the easy availability of information on the Internet. This enables customers to shop around for the best offer. Further, the costs of switching
are lower in the case of electronic banking, which could reduce customer
loyalty and compel them to buy the most attractive product from each
bank. On the darker side there is information overload. Many a time,
customers are confused as to whom they are dealing with and on what
terms. They have also become more vulnerable to scams and frauds.

Market Transparency
The market has become more transparent due to easy availability of
information. This means that banks are obtaining more information
about the product ranges of the competitors as soon as they are launched.
New innovative products are being copied more rapidly, thereby accelerating product standardization and commoditization.

Cross-selling
The availability of information about customer banking trends and preferences gives banks the potential to cross-sell other financial products
and services. Many major banks have for some time now recognized this
and they are in fact no longer in the business of banking, defined to be
the provision of loans and advances, deposits, and transaction payment
services. They are instead in the business of financial services, providing
an integrated and one-stop package of services comprising life and


6

Risk Management in Electronic Banking

general insurance, mutual funds, stock-broking, depository services,
housing finance, and the like.

Brand Names

The importance of banking brand names is increasing. In an e-banking
environment where personal contact is limited and where products and
services can be copied rapidly, the brand name is an instrument with
which banks can distinguish themselves from their competitors. A
number of banks have already set up subsidiaries for providing e-banking
services under a new brand name or under the name of the parent bank.

Transaction Costs
E-banking transactions are much cheaper than transactions conducted at
the branch. Recent estimates indicate direct costs of a banking transaction
effected through branch, ATM, and the Internet to be $1.27, $0.27, and
$0.01 respectively. This has turned yesterday’s competitive advantage of
a large branch network into a comparative disadvantage to many banks.

Branches
There were many doomsday prophecies about the gradual demise of
branches. But branches have again bounced back into the strategic plans
of the banks, though with decreased numbers and a structural change.
Some activities – like personal banking services, direct enquiries, processing loan requests, and financial advice – require the individual attention
of a professional bank manager and are better handled at the local branch
level.

Internet-only Banks
Pure Internet banks created a lot of euphoria a couple of years back. Their
market share is still very small and many have been forced out of the
market. The main reasons are the online privacy and security fears of
consumers, the lack of human interaction, and the lack of trust due to
the dotcom debacle.
The advent of the electronic banking era was set to be the most fundamental transformation ever faced by the industry. In days to come
technology will be used to maximize revenues rather than to minimize

costs, and electronic banking services will be complementary to, rather


E-Banking Basics

7

than a substitute for, branches. In the long run, traditional elements such
as branding, customer loyalty, physical locations, people, and cultures
will continue to matter in determining which banks succeed in the electronic age.

E-BANKING COMPONENTS
The role of technology in supporting the e-banking function has become
increasingly complex. IT operations traditionally housed in a computer
data center with user connections through terminals have become more
dynamic and include distributed environments, integrated applications,
telecommunication options, Internet connectivity, and an array of computer operating platforms. As the complexity of technology has grown,
banks have increased their reliance on vendors, partners, and other third
parties for a variety of technology solutions and services.
Normally the two alternatives are:
•

•

One or more technology service providers host the e-banking
application and numerous network components, including the
institution’s website, Internet banking server, and firewall and
intrusion detection system. While the institution does not have to
manage the daily administration of these component systems, its
Board and senior management remain responsible for the content,

performance, and security of the e-banking system.
The institution hosts all or a larger portion of its e-banking system
internally. The core processing system of the institution is directly
linked to the Internet through the components mentioned above.
The system administration responsibility rests with the institution.

The overall system configuration adopted for the various components
of an e-banking system is a combination of internal and outsourced
solutions. The potential components and processes seen in a typical
institution, which work together to deliver e-banking services, are given
in Table 1.2 on page 8. The final configuration depends on a number of
factors:
•
•
•
•

the strategic objectives of e-banking
the scope, scale, and complexity of equipment, systems, and
activities
technology expertise
security and internal control requirements.


8

Risk Management in Electronic Banking

TABLE 1.2 Examples of e-banking components
Operational processes

ICT infrastructure

Applications

Operational aspects

Service providers

For different products and services offered; for example,
net-banking and aggregation services
Servers for net-banking, email, and internal networks
Communication systems
Storage area networks (SAN)
Item processing equipment such as MICR coders
ATMs
Operating systems
Core banking processing system
E-banking applications such as bill pay
Automated decision-support systems
System performance monitoring
Intrusion detection systems
Programming support
Network administration
Security management
Firewall configuration and management
Configuration management
Website design and hosting
Disaster recovery services

Technical configurations become more complex in tune with the advancements in technology, and many specialized service providers enter the

market catering to specific aspects of e-banking operations.

REGULATORY APPROVAL
Banks wishing to provide or enhance existing transactional electronic
banking services should normally seek prior approval from the regulators in the countries where they intend to provide such services.
The Basel Committee on Banking Supervision report, Core Principles
Methodology, issued in October 2006, has enunciated the following principle with regard to licensing criteria.
Principle 3.9: Licensing criteria
The licensing authority reviews the proposed strategic and operating
plans of the bank. This includes determining that an appropriate system
of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as
well as the oversight of proposed outsourced functions, will be in place.
The operational structure is required to reflect the scope and degree of
sophistication of the proposed activities of the bank.