Date of Examination       City      

ELECTRONIC BANKING QUESTIONNAIRE (02/03)

This document is to be viewed as a learning tool. Constructive

commentary is welcome. If you are already doing everything described in
the questionnaire, you probably have a sound e-banking platform. If not,
you should take into consideration the items not covered.

Please complete and sign the following questionnaire. These pages may be handwritten,
typewritten, or completed electronically.

For banks with telephone banking only, complete questions 1 - 2. For an informational
web site complete questions 1 - 43. An informational site that allows emails with sensitive
information complete questions 79 and 80 also. For a transactional web site complete
questions 1 - 93. If you have started offering electronic banking services within the last
two years also answer questions 94 - 97.

Refer to the last page for some terminology explanations.

Name of Bank under examination:      

Bank's web site address:      

1. Which of the following written plans and policies do you have (check the ones that you
have)?
If policies are available electronically -- please provide electronically (if not, please
provide a paper copy).

Strategic or business plan

Security
Contingency and Business Resumption
Password (If no policy, provide actual procedures followed. If providing Internet banking refer
to question #67)      
Email/Internet usage (If no policy, provide actual procedures followed)      
Privacy policy

For guidance with what should be included in some of the above plans or policies please
refer to the Division of Banking web site under the E-banking tab at www.idob.state.ia.us.

1
 TELEPHONE BANKING

2. When did the bank begin offering telephone banking?      

2
a. Who is it offered through?      

b. How does the customer access it?      

c. What is the customer able to do once they have accessed their accounts?      

PC BANKING

3. Do you offer? Yes No

4. How many customers utilize it?      

WEB SITE

5. When did the bank’s web site become active?     

6. Is the web site address reported on the bank's quarterly call reports?
Yes No

7. Where is the bank's web site hosted?

In house
Off site - Who is the host (name and location)?      

8. Who is responsible for maintaining (updating and/or changing information) the bank's web
site?      

9. Does the bank have a contract with the web site host?
Yes No If yes, provide a copy.
If yes, does it include the following:
Yes No Liability for data and confidential treatment of information.
Yes No Reasonable assurances for continuation of service through back up
arrangements in the event of a problem situation.
Yes No Security precautions on the part of the service provider.
Yes No Procedures to notify the bank of any unauthorized alteration and
malicious attacks.
Yes No Regular back up of web site information.

10. How does the bank connect to the Internet?

DSL cable 56k dial up ISDN
T1 line frame relay 28.8 dial up other
(describe)      

11. Is the bank's web site reviewed internally?

Yes No If yes, how often is it reviewed?      
Who reviews it?      
What do they look at?      

2
12. Does the web site undergo periodic review by any of the following?
Yes No Legal Counsel- If yes, provide a copy.
Yes No CPA - If yes, provide a copy.

13. Are links and interactive programs checked for accuracy and functionality?
Yes No If yes, who checks them and how frequently?      

14. If links are included on the web page.

Yes No Has the bank taken steps to ensure that the customer understands they are
leaving the bank's web site?

Yes No Does the bank provide some type of disclaimer of the bank’s liability for
transactions or information provided at these linked sites?

15. Are security measures in place to prevent the web site information from being altered?
Yes No If yes, what are they?      

16. a. How often is virus protection software updated on servers and workstations?      
How often is it run?      
Who is responsible for doing the updates?      

b. Are procedures in place for operating system updates?

Yes No If yes, what are the procedures?      

Who is responsible for implementing the updates?      

c. Are procedures in place for receipt of software updates/patches?

Yes No If yes, describe the procedures.      

Who is responsible for doing the implementation of the updates/patches?      

Are they tested before putting into production? Yes No

17. Is penetration testing done?

Yes No If yes, how frequently is it done?      
Who does it?      
Are they bonded? Yes No
Who is responsible for reviewing the results?      

18. Is an intrusion detection system in place?

Yes No If yes, how frequently is it tested?      
Who is responsible for testing it?      
Who is responsible for reviewing it and monitoring the activity?      

19. Are controls or procedures in place for any of the following?

Yes No Prevention of hackers from accessing the system
Yes No Prevention of line tapping
Yes No Discovered intrusion attacks
Yes No Attacks after hours
If any are yes, please explain.      

20. Does management keep up-to-date on addressing newly disclosed security threats to the
computer operating system and application software?
Yes No

3
21. Are firewalls in place? (For any that are yes, please list what type of firewall is in place at
that location.)
Yes No At the bank -      
Yes No At the web host -      
Yes No At the outsource vendor -      

22. Firewalls
a. Who is responsible for installing, configuring, and updating the firewalls?      

b. Who is responsible for monitoring firewall activity?      

c. How frequently are the firewalls being monitored?      

d. What type of activity is being monitored?      

e. Are reports available on the activity?      

f. If someone other than the bank is monitoring the firewalls are there monitoring and
maintenance agreements in place? Yes No

23. Are all unused services blocked at the firewall?

Yes No If yes, what ports are left open at the firewall?     

24. Are controls in place restricting physical access to computer hardware, software, and
communication equipment?
Yes No If yes, explain.      

25. Are loan and certificate of deposit rates posted to the bank's web site?
Yes No If yes, how often are they updated and who is responsible for updating?
     

26. Are any application forms available on the web site?

Yes No If yes, provide copies.      

27. If applications are available on the web site, how does the customer submit them?
Fax Online Mail In-person Other (explain)      

28. Does the bank verify the legitimacy of the customer who has submitted the application?
Yes No If yes, how is it verified?      

29. If accepting customers over the Internet are OFAC restrictions being considered? (OFAC
stands for Office of Foreign Asset Control)
Yes No

30. List all personnel involved with electronic banking and their duties. (If available, provide an
organizational chart.) Indicate the individual(s) responsible for the electronic banking area.
     

31. Does the bank have an Electronic Banking Committee (or something similar)?
Yes No If yes, list the members and their responsibilities.      
How often do they meet?      

32. What incentives does the bank provide for obtaining and retaining key IT personnel?
     

4
33. What is discussed with the Board of Directors regarding the bank's web site and services
offered? (Provide copies if not already provided for the examination.)
     

34. Is the Board fully informed of the risks involved with electronic banking and do they
understand those risks? (strategic, reputation, transaction, compliance)
Yes No
Yes No Is it noted in the minutes?

35. Is a review of electronic banking included in the annual Directors’ exam (or a separate
exam)?
Yes No
Yes No Were any exceptions found?
Yes No Have they been addressed?
Provide a copy of exceptions noted and management’s response.

36. Does the bank have legal counsel review literature distributed to the public?
Yes No If yes, provide a copy of any opinion received.

37. Please provide a copy of the bank's topology map (schematic diagram)

38. Electronic banking insurance policy - provide copy if separate from financial institution crime
bond
a. What company is it with?      
a b. What type of occurrence does the policy cover?      
b c. How many occurrences does it stipulate must take place before coverage applies?
     
c d. What directors, officers, or employees are covered?      
e. What is the dollar amount of coverage?      
d f. What is the deductible amount?      
g. What is the expiration date?      
h. Does it adequately cover the bank's capital?      
i. Is it approved by the board of directors? Yes No

39. Are the bank's hardware and phone lines protected from power surges, lightning strikes,
etc.?
Yes No If yes, how?      

40. Are there any pending lawsuits/contingent liabilities relating to electronic banking activities?
Yes No If yes, describe and provide an attorney's letter indicating the bank's liability
and potential for loss.      

41. Has the bank encountered any computer-related crime?

Yes No If yes, what was the nature of the crime and was a suspicious activity report
filed?      

42. Has the bank checked into similar domain names? (web addresses that are similar or could
be mistaken for the banks) Refer to FDIC Bank Technology Bulletin dated November 8, 2000.
Yes No

43. What future plans, changes or other services are you contemplating offering on your web site
within the next twelve months? (i.e. IT personnel, additional services, new or change in vendors,
software, hardware, or operating procedures.)
     

5
 TRANSACTIONAL WEB SITE

44. What is included on your transactional web site?

Internet banking Insurance services Trust services
Brokerage services Small business services Bill payment
Commercial business services Other (explain)
Portal services Aggregation services      

45. When did you start offering Internet banking?      

46. What options are available to the customer once they have accessed Internet banking?
Viewing of account balances
Bill payment
24/7 customer service by phone or email
Online mortgage and CD applications
IRA and brokerage account information
access
Viewing of account history
Ordering checks online
Transfer of funds between accounts
Bill presentment
Online application for checking and savings
accounts
Viewing of loan status and credit card
account information
Checkbook reconciliation
Viewing of digital checks online
Issuing stop payment orders online
Other

47. What vendor is used for Internet banking?      

48. What ongoing expenses are incurred - purpose and amount?      

49. Have letters of assurance been obtained as required by Section 524.218 of the Code of
Iowa?
Yes No

50. Has the FDIC been notified in relation to Section 7(c)(2) of the Bank Service Company Act?
(this form is not required if the bank is a Federal Reserve member)
Yes No

51. What services (if any) are customers being charged for and how much?      

52. Does the bank have a written contract with the vendor? Yes No
At a minimum, does it include the following:
Yes No Access, ownership and control of customer data and other confidential
information.
Yes No Liability for data and confidential treatment of information.
Yes No Reasonable assurances for continuation of service through back up
arrangements in the event of a problem situation.
Yes No Subcontractors and other supporting vendors, if applicable, including their
roles and responsibilities.
Yes No Privacy of information with subcontractors.
Yes No Reasonable control and update of content and capabilities in a timely
manner.
Yes No Opportunities to review financial information, independent annual audits and
similar reports. (SAS 70)
Yes No Security precautions on the part of the service provider.
Yes No Does it prohibit assignment?
Yes No Hardware and software upgrades

6
 Yes No Price changes.
Yes No Reasonable penalty and cancellation provisions.
Yes No Training.
Yes No Problem resolution.
Yes No The bank’s ability to monitor, store and retrieve electronic transmissions
(including messages and data) between the bank and its customers.
Yes No Initial pricing, including down payments, and continuing costs.
Yes No Description of the work to be performed or service to be provided.
Yes No Provisions for handling disputes.
Yes No Protection if the vendor exits the business
Yes No Specify insurance is to be maintained by the vendor.

53. Did legal counsel review the vendor contract?

Yes No

54. Does the expiration date of the contract coincide with that of any subcontractors?
Yes No

55. Has management received assurance that the vendor has conducted due diligence reviews
of any subcontractors?
Yes No

56. Have you checked what insurance coverage the vendor has?
Yes No If yes, what do they have?      

57. Has the bank reviewed the vendor's contingency plan and procedures?
Yes No If yes, are you comfortable with the plan and/or procedures? Yes No

58. Are there stress (volume) testing procedures in place to determine the capacity of the
vendor's system?
Yes No If yes, give details.      

59. Have you had any problems with the vendor?

Yes No If yes, give details.      

60. Do you obtain financial information on the vendor?

Yes No If yes, how frequently do you receive it and when did you last get it?      
Who reviews it?      

61. Did you receive a copy of the most recent audit report on the vendor (SAS 70)?
Yes No If yes, please provide the report.
Yes No Was the management letter also requested and received? If yes, please
provide a copy.

62. Does the bank belong to any vendor user groups?

Yes No

63. How is the bank's internal network connected to the outsourcing vendor?
DSL Cable 56k dial up ISDN
T1 line Frame relay 28.8 dial up Other
(describe)     

64. What type of environment does the Internet banking site operate in?
real time (is the main frame updated immediately?) batch processing
memo post

7
65. If using batch processing, how and when is information transferred between the vendor and
the bank?      

66. List personnel authorized to access the management side of the bank's Internet banking
system and their levels of access. Who reviews this for appropriateness and how often is it
reviewed?      

67. Provide password procedures on the following:

EXTERNAL (customers)
e a. Authentication of user      
f b. Customer locked out of account      
g c. Initially issuing password      
h d. Frequency of password change and is it required      
e. Automatic log-off controls for user inactivity      
i f. Do excessive failed access attempts disable access and how many failed attempts is
excessive      
j g. Requirement for make-up of password      
k h. Customer loses or forgets password      
i. Any other procedure not listed above:      

INTERNAL (bank personnel)

l a. Frequency of password change and is it required?      
m b. Log off procedure when leaving station      
n c. Do excessive failed access attempts disable access and how many failed attempts is
excessive      
o d. Requirement for make-up of password      
p e. Any other procedure not listed above:      

68. Do employees have access to customer passwords?

Yes No

69. Other than applications, are any types of lending or loan advances done over the Internet?
Yes No If yes, provide procedures followed.      

70. Are procedures in place to prevent transfers of uncollected funds?

Yes No If yes, describe procedures.      

71. Are safeguards in place to detect and prevent duplicate transactions?

Yes No If yes, describe.      

72. Are there procedures for verifying the legitimacy of customer requests for changes to their
accounts or customer information?
Yes No If yes, describe the procedures.      

73. What vendor(s) is utilized for the bill payment function?      

74. How many customers are signed up for Internet banking and/or bill payment?      

75. Does the bank provide a guarantee or warranty when a payment is not properly made
through the bill payment system?
Yes No NA If yes, what is the guarantee or warranty?      
Yes No NA Has it been reviewed by legal counsel?      

76. Other than Internet banking or bill payment, has the bank contracted with any other vendors
for services on the web site? (list vendor name, location, and service)      

8
77. What exception reports are received for any transactional functions on the bank's web site?
(provide a sample of reports received)      

a. How often are they reviewed and by who?      

78. What activity reports are received? (provide a sample of reports received)      

a. How often are they reviewed and by who?      

b. Do they track the nature, volume, speed, and trends?      

c. How do the results compare to bank projections?      

79. Is the bank using digital signatures and/or digital certificates?

Yes No Digital signatures Yes No Digital certificates (or ID)

80. At what level is sensitive data encrypted?

40-bit 128-bit other (describe)      

81. Does the bank have procedures in place for when there is an interruption in service of
Internet banking for the customer (contingency plan)?
Yes No Due to disaster (natural, human, technological) at the bank level.
Yes No Due to disaster (natural, human, technological) or lack of capacity at the
vendor level.

82. Do IT personnel participate in training programs?

Yes No If yes, what types of programs?      

83. Is electronic banking training provided to other officers and employees of the bank?
Yes No

84. Does the bank or outsource vendor have a software escrow agreement in place?
Yes No If yes, how often is the escrowed software independently verified as being
current and complete?      

85. Does the bank have a target market or trade area for the Internet?
Yes No Target market - If yes, what is it?      
Yes No Trade area - If yes, what is it?      

86. Are any policies and procedures in place to address activities beyond the traditional trade
area?
Yes No If yes, what are they?      

87. Did the bank do a cost analysis specifically on electronic banking?

Yes No If yes, provide a copy.

88. Are income and expense items, related to electronic banking, included in the annual budget?
Yes No

89. Are guidelines for retention of source documents supporting electronic banking activities in
place?
Yes No

9
90. Has management established programs and/or procedures for the following?
Yes No Customer service, support, and education - If yes, describe.      
Yes No Customer demands, problems, and complaints - If yes, describe.      

91. Where nondeposit investment products are offered or promoted on the bank's web site are
the following disclosures included (at a minimum)?
Yes No Not FDIC insured
Yes No Not a bank deposit, bank obligation, or guaranteed by the bank
Yes No Subject to investment risk, including potential loss of principal
Yes No NA If required, was approval received from the Superintendent of
Banking?

92. Are you allowing customers to advertise on the bank's web site?
Yes No If yes, what disclosures are included on the page?     

93. Have steps been taken to safeguard information in regards to Graham-Leach-Bliley (GLBA)
501(b)?
Yes No

IF THE BANK BEGAN OFFERING ELECTRONIC BANKING SERVICES WITHIN THE LAST
TWO YEARS - PLEASE ANSWER THE QUESTIONS BELOW:

94. What was your reasoning for offering Internet banking and/or any other electronic banking
services?
Profit Convenience Retain customers
Competition New customers Customers' request
Other (explain)      

95. How did you choose which vendor to use?      

96. What was the initial set-up cost?      

97. Was testing done with employees before offering to customers?

Yes No If yes, what date did testing with employees start?      

What date did you start offering to customers?

     

Signature of person in charge of electronic banking:

______________________________________________________

Date signed: _________________

10
DEFINITIONS:

Web site - The bank's home page and other proprietary pages located on the World Wide Web

Three types of web sites:

LEVEL 1 - site is informational only and may allow nonsensitive emails (informational).
LEVEL 2 - level one with the addition of allowing sensitive information emails (interactive).
LEVEL 3 - fully transactional, including facilitating electronic funds transfer and other financial
transactions (If you offer Internet banking, you are a transactional site) (transactional)

Electronic banking - Delivery of banking services through the use of electronic communications,
primarily the Internet. Electronic banking may include: Internet banking, ATM's, wire transfer,
telephone banking, EFT, and debit cards.

Internet banking - Banking services available through the bank's web site

Security administrator - Person directly responsible for the security controls.

System administrator - Individual responsible for managing a multi-user computer system.

Software escrow agreement - Many vendors do not release the source code to the purchaser.
This is intended to protect their system's integrity and copyright. The application system is
installed in object code. An alternative to receiving the source programs is to establish an escrow
agreement. In this agreement, which should be part of the service contract or exist as a separate
document, the financial institution would be allowed to access source programs under certain
conditions, such as discontinued product support or financial insolvency by the vendor. Adequate
programming and system documentation should also be required. A third party would retain
these programs and documents in "escrow". Financial institutions should determine periodically
that the source code maintained in escrow is up-to-date. This can be done by a third party
independently verifying the version number of the software.

11