Administrators
Roles of the Administrators
Responsibilities of the Administrators
Password Protection
Reducing the Risk of Fraud
a) BOL is designed to give Customers a high level of control over their own financial affairs, reducing reliance on the Bank for general administration of the service. This increased level of autonomy allows for greater control and provides efficiencies for the customer.
b) The role of the Administrator(s) is a fundamental feature of the system and may differ from other electronic banking systems in existence.
c) The Customer must satisfy itself as to the integrity and suitability of the person whom it has chosen as Administrator(s).
d) The person(s) appointed as Administrator(s) at the Customer site is/are responsible for setting up Authorised Users and has full responsibility for the level of access provided to Authorised Users.
e) The Bank recommends the appointment of two Administrators. Administrators should be co-located, as they will share a dual logon. To facilitate this, two Administrator Passwords are issued, one to be held by each Administrator.
f) Each Password should be treated with utmost secrecy and confidentiality. These Passwords are system generated; therefore if one is forgotten or lost a new one will have to be issued by the Bank.
g) This may result in delays of at least three working days for the re-issue of Personal Identification Numbers (PINs).
Role of Administrator(s)
a) The Administrator controls who has access to the service and what their Authorised Users are permitted to do.
b) The Administrator registers and maintains all User Details on BOL.
c) The Administrator issues Authorised User IDs and Passwords to the other Authorised Users and can at any stage change a Password or prevent an Authorised User from logging onto the system.
d) The Administrator controls the Authorised Users' ability to prepare and authorise payments as well as their individual authorisation limits. They must make the Authorised Users aware of their responsibility to check the status of pending payment instructions on the system.
The Audit Log shows a list of the critical actions performed by the Administrator(s).
Responsibility of Administrator(s)
a) To log-on to the Administrator function, it is necessary for the Administrator Passwords to be entered. Thereafter all Administrator functions can be performed by the Administrator. However, as a matter of company policy, you may wish to require that both Administrators are present for the discharge of all functions. The Administrator function should be exited immediately once the necessary duties have been performed.
b) It is the responsibility of the Administrator to ensure that a review of the customer audit log takes place on a regular basis. The customer audit log records changes made by the Administrator to the identity and access levels of users.
c) If an irregularity is identified, the Administrator should verify the authenticity of transactions with the relevant Authorised Users and verify that all Passwords remain secure and uncompromised. If there is still concern regarding irregularities, the Bank's Customer Support Unit should be contacted immediately.
d) Once training is provided by the Bank, i.e. onsite, by phone, by tutorial or through the Quick Start Guide, it is the Administrator's responsibility to train all other Authorised Users, both existing and new.
e) It is solely the responsibility of the Administrator to communicate company guidelines on the use of BOL to the Authorised Users and to ensure compliance with those guidelines.
Given the level of responsibility held by an Administrator, Bank of Ireland strongly recommends that:
A member of the Customer's senior management should review the activities of the Administrator on a regular basis, including reviewing these activities on the audit log.
Because Passwords are the key to BOL, it is essential that they be kept safely. It is the Customer's responsibility to ensure that Passwords are not disclosed to unauthorised personnel. For more details refer to the ‘Security Guidelines’ available on the Customer website.
Use of Passwords
To ensure maximum protection it is mandatory that:
a) Customer changes Passwords frequently (regular prompts will be given by the system)
b) The log-on Password must be 8 characters long.
c) The Payments Password (Digital Certificate Password) must be between 8 and 15 characters long and must consist of letters and numbers.
d) New Passwords must be different from the last six Passwords used.
e) Blank spaces must not be used in Passwords.
f) Authorised Users must keep passwords secret at all times.
g) Unauthorised personnel should not be able to gain access to a Password.
h) Whenever an Authorised User suspects his/her Password has been compromised, it should be changed immediately.
i) Obvious Passwords, such as those using any identifiable sequences such as names or dates of birth, should never be used. They should be easy for the Authorised User to remember, but difficult for anyone else to guess, eavesdrop or discover quickly by trial and error.
j) Passwords should never be written down unless they are stored in a secure place (such as in a signed and sealed envelope in an office safe).
k) If an Authorised User forgets his/her Password, he or she should ask the Administrator for a new one.
l) If the Administrator's Password is lost or forgotten it may take at least three working days to receive a new one from the Bank.
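The mechanically checkable rules above (rules b, c, d and e, plus a simple version of rule i) can be enforced in code before a new Password is accepted. The following checker is an added example, not Bank of Ireland's or BOL's own code. The function names and the `personal` parameter (a list of the user's own name and date-of-birth strings, used to catch the "identifiable sequences" of rule i) are assumptions; the thresholds are the ones the handbook states. Rule c is read here as "letters and digits only, with at least one of each". Previous Passwords are held only as SHA-256 digests, so the history check never needs the old Passwords in clear.

```python
"""Password rule checks for the BOL handbook rules (added example)."""
import hashlib
from typing import Iterable, List

HISTORY_DEPTH = 6  # rule d: must differ from the last six Passwords used


def digest(password: str) -> str:
    """Digest used for the password history; store these, never the Password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def common_checks(candidate: str, history: Iterable[str],
                  personal: Iterable[str]) -> List[str]:
    """Rules shared by both Password types. Returns a list of violations."""
    problems = []
    if " " in candidate:                                  # rule e
        problems.append("blank spaces are not allowed")
    recent = list(history)[-HISTORY_DEPTH:]               # rule d
    if digest(candidate) in recent:
        problems.append("must differ from the last six Passwords")
    lowered = candidate.lower()                           # rule i (partial)
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains identifiable sequence '{item}'")
    return problems


def check_logon_password(candidate: str, history: Iterable[str],
                         personal: Iterable[str] = ()) -> List[str]:
    """Rule b: the log-on Password must be exactly 8 characters long."""
    problems = common_checks(candidate, history, personal)
    if len(candidate) != 8:
        problems.append("log-on Password must be exactly 8 characters")
    return problems


def check_payments_password(candidate: str, history: Iterable[str],
                            personal: Iterable[str] = ()) -> List[str]:
    """Rule c: 8 to 15 characters, letters and digits only, at least one of each."""
    problems = common_checks(candidate, history, personal)
    if not 8 <= len(candidate) <= 15:
        problems.append("Payments Password must be 8 to 15 characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (candidate.isalnum() and has_alpha and has_digit):
        problems.append("Payments Password must contain both letters and digits")
    return problems


if __name__ == "__main__":
    # Constructed sample history: seven earlier Passwords, stored as digests.
    old = [digest(f"Old{i}pw01") for i in range(7)]
    print(check_logon_password("Tr8k2Pq9", old))                 # []
    print(check_logon_password("Old6pw01", old))                 # reuse of a recent one
    print(check_payments_password("password", old))              # no digits
    print(check_payments_password("Ledger2024Key", old, ["Ledger"]))
```

Only the seventh-oldest Password and older fall outside the history window, so `"Old0pw01"` would be accepted against the sample history while `"Old6pw01"` is rejected.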
Reducing the Risk of Fraud
There are a number of procedures that Customers can put in place to reduce the risk of exposure to fraud:
The Customer Administrator should be either a senior manager or report directly to one. The Administrator is in charge of BOL on the Customer's site and is solely responsible for granting or denying access to it by authorised personnel and the ability of Authorised Users to initiate or authorise payments. When a Customer Administrator sets up and assigns a role to an Authorised User, the Bank will accept transactions from that Authorised User in good faith and act on them accordingly. As a result, Customers are liable for transactions carried out using their Password.
1. To limit exposure to fraud, the Customer should:
a) Split the power to initiate a transaction from the power to authorise it, so that no one can do both.
b) Set authorisation thresholds to limit exposure. Only employees who have full security clearance to all company financial information should be allowed to authorise payments.
2. Control Access:
Physical, logical and network access should be stringently controlled on all PCs used for BOL.
Physical access should be restricted to only those persons who need it (e.g. whenever the room in which the PC is located is unoccupied, the door should be locked).
Logical access should be controlled by use of a 'power-on password' (consult the PC operating manual for details). It is better to use a secure operating system that incorporates strong logical access control, such as Windows NT configured for security. (It is important to note that if NT is configured with default settings it may not provide sufficient security.) This should be confirmed with your technology supplier.
Network access controls should be in place to ensure network integrity before connecting to BOL. Such controls should cover, for example, network administration, audit trail review and change management procedures.
None of these controls individually will provide comprehensive security, but working together they can help to create a secure electronic banking environment.
3. Knowledge of Procedures:
Make sure that staff are made aware of the procedures which need to be followed for accessing BOL. Customers should make sure that all staff using BOL understand that the procedures are issued for their own protection, as well as for the protection of the Customer. Customers should also ensure, for their own protection, that the procedures in this handbook are strictly adhered to, as any deviation (e.g. sharing of passwords) could expose the Customer to internal fraud.
4. Report Deviations from the Norm:
There should be a logical explanation for everything that occurs on BOL and any deviation or unexplained event should be reported immediately to senior management.
5. Updating Procedures:
Ensure that there is a procedure for setting up and removing access to BOL. From time to time people move jobs and their responsibilities change. All information should be current.
6. Daily Control Limit:
A daily control limit caps the overall value of payments (excluding EFT or BACS payments) that can be authorised on a Business On Line profile. BOL Profiles originally set up on service level 1 have a daily control limit automatically applied at the point of set-up. There is no daily control limit in place for level 2 or 3. Daily control limits are altered as a result of a profile changing from one service level to another. A daily control limit can be added to an existing profile, or an existing daily control limit amended, through a written request from the nominated Administrator(s), and requires sign-off from an authorised signatory in the branch.
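The three payment controls this section describes, separating the power to initiate from the power to authorise (item 1a), per-user authorisation thresholds (item 1b) and the profile-wide daily control limit that excludes EFT and BACS payments (item 6), combine into one authorisation decision. The model below is an added example of how those controls fit together, not BOL's or Bank of Ireland's own code: the class and field names, the payment-type labels, the sample users and the default level 1 limit figure are all constructed placeholders (the handbook states no figure for the automatic level 1 limit). A payment is accepted only when every check passes, and the running daily total is updated only for payment types the limit covers.

```python
"""Payment authorisation controls from the BOL handbook (added example)."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Payment types the daily control limit does not count (per item 6).
EXCLUDED_FROM_DAILY_LIMIT = {"EFT", "BACS"}
# PLACEHOLDER: the handbook gives no figure for the automatic level 1 limit.
DEFAULT_LEVEL1_DAILY_LIMIT = Decimal("50000")


@dataclass
class UserProfile:
    user_id: str
    can_initiate: bool
    can_authorise: bool
    authorisation_limit: Decimal = Decimal("0")   # per-payment ceiling (item 1b)


@dataclass
class Payment:
    ref: str
    amount: Decimal
    initiated_by: str
    payment_type: str                               # constructed labels, e.g. "DOMESTIC"


@dataclass
class ProfileControls:
    users: Dict[str, UserProfile]
    daily_control_limit: Optional[Decimal]          # None means no limit (levels 2 and 3)
    authorised_today: Decimal = Decimal("0")

    @classmethod
    def for_service_level(cls, level: int, users: Dict[str, UserProfile]) -> "ProfileControls":
        """Level 1 profiles get a daily control limit automatically; 2 and 3 do not."""
        limit = DEFAULT_LEVEL1_DAILY_LIMIT if level == 1 else None
        return cls(users=users, daily_control_limit=limit)

    def authorise(self, payment: Payment, authoriser_id: str) -> Tuple[bool, str]:
        """Apply every control; return (accepted, reason)."""
        user = self.users.get(authoriser_id)
        if user is None or not user.can_authorise:
            return False, "user not permitted to authorise payments"
        if authoriser_id == payment.initiated_by:              # item 1a: no one does both
            return False, "initiator may not authorise their own payment"
        if payment.amount > user.authorisation_limit:          # item 1b
            return False, "exceeds the user's authorisation limit"
        counted = payment.payment_type not in EXCLUDED_FROM_DAILY_LIMIT
        if self.daily_control_limit is not None and counted:   # item 6
            if self.authorised_today + payment.amount > self.daily_control_limit:
                return False, "would breach the profile's daily control limit"
            self.authorised_today += payment.amount
        return True, "authorised"


def demo() -> List[bool]:
    """Constructed scenario: three users on one profile with a 12,000 daily limit."""
    users = {
        "alice": UserProfile("alice", can_initiate=True, can_authorise=False),
        "bob": UserProfile("bob", False, True, Decimal("10000")),
        "carol": UserProfile("carol", True, True, Decimal("5000")),
    }
    controls = ProfileControls(users, daily_control_limit=Decimal("12000"))
    steps = [
        (Payment("P1", Decimal("4000"), "alice", "DOMESTIC"), "bob"),    # ok
        (Payment("P2", Decimal("6000"), "carol", "DOMESTIC"), "carol"),  # self-authorise
        (Payment("P2", Decimal("6000"), "carol", "DOMESTIC"), "bob"),    # ok, total 10000
        (Payment("P3", Decimal("3000"), "alice", "DOMESTIC"), "bob"),    # daily limit
        (Payment("P4", Decimal("3000"), "alice", "EFT"), "bob"),         # excluded type
        (Payment("P5", Decimal("7000"), "alice", "DOMESTIC"), "carol"),  # over user limit
    ]
    return [controls.authorise(p, who)[0] for p, who in steps]


if __name__ == "__main__":
    print(demo())   # [True, False, True, False, True, False]
```

The order of the checks matters for audit: a rejection names the first failing control, so a reviewer reading the log sees why a payment stopped without having to reconstruct the profile state.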