The French position


Introductory seminar
Remote banking: Internet banking law
Etienne Wéry
Attorney at law at the Brussels and Paris Bars
[email protected]
ULYS law firm
www.ulys.net
Introduction
• Seminar in 6 modules:
• Concepts and changes/convergences in the sector: features (I)
• Information obligations: Know your customer, anti-money laundering and the financing of terrorism, special liabilities (II)
• Security: internet fraud (III)
• Financial services via the internet and e-payments (IV)
• Contracts: case study (V)
• Summary of European law (VI)
Module I
Concepts and changes/convergences in the sector: features
Concepts
• Internet banking refers to the use of the Internet as a
remote delivery channel for banking services:
– services include the traditional ones, such as opening an account or
transferring funds to different accounts, and new banking services, such as
electronic online payments (allowing customers to receive and pay bills on
bank’s web site) or financial transactions (acquisition, transfer, sale of
securities etc.).
• Characteristics of Internet banking include
– the unprecedented speed of change related to technological and customer
service innovation
– the ubiquitous and global nature of the Internet
– the integration of Internet banking applications with legacy computer
systems, and
– the increasing dependence of banks on third parties that provide the
necessary information technology.
Concepts (2)
• A bank can perform Internet activities in one or more of
the following ways:
– Informational: this is the basic level of Internet banking, marketing
information about the bank’s products and services on a standalone server
– Communicative: this type of Internet banking system allows some
interaction between the bank’s systems and the customer
(electronic mail, account inquiry, loan applications or static file
updates (name and address changes))
– Transactional: this level of Internet banking allows customers to
directly execute transactions with financial implications:
• a basic transactional site only allows a transfer of funds between the
accounts of one customer and the bank
• an advanced transactional site provides a means for generating payments
directly to third parties outside of the bank
Risks
Risks associated with Internet banking
– Consistency of technology
– Compliance with corporate policies and legal
requirements
– Data and service availability, including business
recovery planning
– Data integrity, including providing for safeguarding of
assets, proper authorisation of transactions and
reliability of the data flow
– Data confidentiality and privacy standards, including
controls over access by both employees and customers
Risks (2)
Security risks associated with Internet banking
– Customer security practices / Authentication of customers
– Nonrepudiation and accountability of transactions
– Segregation of duties
– Authorisation controls within systems, databases and applications
– Internal or external fraud (see module III)
– Data integrity of transactions, databases and records
– Audit trails for transactions
– Confidentiality of data during transmission
– Third-party security risk
Changes/Convergences
• The number of customers who choose online
banking as their preferred method of dealing with
their finances is growing rapidly.
• The day may come when cash will be obsolete.
• The "convergence phenomenon"
• For instance, banking via cellphone or PDA as the
next option seemed impossible, but technology
has already proved the skeptics wrong.
Module II
Information obligations
Know your customer, anti-money
laundering and the financing of
terrorism, special liabilities
Know your customer
• Due diligence or enhanced due diligence (EDD) to
identify the clients and ascertain relevant
information pertinent to doing financial business
with them
– Committee on Banking Regulations and Supervisory
Practices of the G10: the Basle Statement of
Principles covers all aspects of laundering through the
banking system.
– Customer Identification: "Know your Customer"
(KYC).
– Financial Action Task Force on Money Laundering
(FATF) of the G-7
Anti-money laundering
• All financial firms must demonstrate effective anti-money
laundering procedures
• To be compliant, firms must collect sufficient "Customer
Information" to prove customer identity for both new and
existing clients, as follows:
– Customer ID / electronic ID (who are they)
– Risk assessment (country of origin, any political affiliation,
movement of funds, etc.)
– Validation (screening against any black lists)
– Existing customers need to be monitored in terms of their
transactional behaviour
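The four steps on the slide (identification, risk assessment, black-list screening, ongoing transaction monitoring) can be illustrated as a small rule-based engine. The following is an added example, not part of the seminar material and not any bank's or regulator's system; the black list, the high-risk country codes, the score thresholds and the customers and transactions are all constructed placeholders.

```python
# Added example (not from the seminar slides): a minimal rule-based KYC/AML
# check covering risk assessment, black-list screening and monitoring of a
# customer's transactional behaviour against their own baseline.
# Every list, threshold, customer and transaction below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed black list and high-risk jurisdiction codes (placeholders only).
BLACKLIST = {"ACME FRONT COMPANY", "J. DOE"}
HIGH_RISK_COUNTRIES = {"XX", "YY"}


@dataclass
class Customer:
    customer_id: str
    name: str
    country: str                       # ISO-style code, constructed
    politically_exposed: bool = False  # "any political affiliation" on the slide


@dataclass
class Transaction:
    customer_id: str
    day: int        # day index, constructed
    amount: float   # EUR


def normalise(name: str) -> str:
    """Collapse case and whitespace so list matching is not defeated by spacing."""
    return " ".join(name.upper().split())


def screen(customer: Customer) -> bool:
    """Validation step: is the customer's name on a black list?"""
    return normalise(customer.name) in BLACKLIST


def risk_score(customer: Customer) -> int:
    """Risk assessment step: simple additive score (weights are constructed)."""
    score = 0
    if customer.country in HIGH_RISK_COUNTRIES:
        score += 2
    if customer.politically_exposed:
        score += 2
    if screen(customer):
        score += 5
    return score


def classify(customer: Customer) -> str:
    """Map the score to the due-diligence level applied at onboarding."""
    score = risk_score(customer)
    if score >= 5:
        return "reject"
    if score >= 2:
        return "enhanced due diligence"
    return "standard due diligence"


def monitor(transactions, history_days=5, factor=3.0, floor=10_000.0):
    """Monitoring step: flag a day whose total exceeds `factor` times the
    customer's own average over the preceding `history_days` active days and
    is at least `floor` EUR. Returns (customer_id, day, total) alerts."""
    daily = defaultdict(lambda: defaultdict(float))
    for t in transactions:
        daily[t.customer_id][t.day] += t.amount
    alerts = []
    for cid, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            baseline = [per_day[d] for d in days[max(0, i - history_days):i]]
            total = per_day[day]
            if baseline and total >= floor and total > factor * mean(baseline):
                alerts.append((cid, day, round(total, 2)))
    return alerts


if __name__ == "__main__":
    c = Customer("c1", "Jane Example", "BE")
    print(classify(c))
    history = [Transaction("c1", d, 1000.0) for d in range(1, 6)]
    print(monitor(history + [Transaction("c1", 6, 20000.0)]))
```

The monitoring rule deliberately compares each customer to their own history rather than to a fixed amount, which is what "monitored in terms of their transactional behaviour" implies; a fixed threshold alone would miss a low-volume account that suddenly moves ten times its usual sums.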
Combating the financing of terrorism
• Money laundering is the process whereby cash raised from criminal
activities is made to look legitimate for re-integration into the financial
system, whereas terrorist financing cares little about the source of the
funds: it is what the funds are to be used for that defines its scope.
• International Convention for the Suppression of the Financing of
Terrorism (UN 1999)
• US Patriot Act
• European Regulation (EC) of 27 December 2001 on specific restrictive
measures directed against certain persons and entities with a view to
combating terrorism
• United Nations Resolutions (sanctions and freezing of assets of
terrorists) and Recommendations
• Groupe d’action financière sur le blanchiment des capitaux (GAFI, the FATF)
Liabilities
Some specific legal issues
related to secure electronic banking
• General duty of care of a professional service provider in the financial
sector
– role of service level agreements with key suppliers (outsourcing), industry
standards and best practices
– the Basel Committee presented a document, 'Risk Management Principles for
Electronic Banking' (risk management principles and sound practices)
• Liability under Electronic Transfer of Funds legislation
• Impact of the possible application of consumer legislation
• Legal security obligations for the processing of personal data
• Legal security obligations for publicly available communications services
• US Sarbanes-Oxley Act (“SOX”)
Module III
Security: internet fraud
Security: internet fraud
• Protection through password authentication alone is not secure
enough for personal online banking applications
• Online banking user interfaces are secure sites, generally
employing the https protocol, and the traffic of all information, including
the password, is encrypted: this reduces the possibility
for a third party to obtain or modify information after it is
sent.
• Encryption alone does not rule out the possibility of
hackers gaining access to vulnerable home PCs and
intercepting the password as it is typed in (keystroke
logging); there is also the danger of password cracking and physical theft
of passwords written down by careless users.
Internet fraud
• Second layer of security
– use of transaction numbers or TANs (single-use passwords)
– use of two passwords, only random parts of which are entered at
the start of every online banking session;
– providing customers with security token devices capable of
generating single-use passwords unique to the customer's token
(two-factor authentication or 2FA);
– using digital certificates, which digitally sign or authenticate the
transactions, by linking them to the physical device (e.g. computer,
mobile phone, etc.).
• Setting up a combination of controls that recognise a customer's
computer, ask additional challenge questions for risky behaviour, and
monitor for fraudulent behaviour.
• An increasingly common criminal practice to gain access to a user's finances is
phishing, whereby the user is persuaded to hand over their password(s)
to a fraudster.
A recent example in Belgium
• Since 2005, there have been 52 cases in Belgium of bank accounts managed via
the internet being looted. Nearly 800,000 euros were taken from the accounts.
• For the first time, in 2007, this was the work of organised crime: the Russian mafia
attacked three Belgian banks.
• For the CBFA, the phenomenon must be put in perspective: 52 cases, whereas 500,000
transactions are carried out daily via accounts managed over the internet. Moreover,
the customers who were victims of fraud were all using pirated software.
• "People must show a minimum of computer hygiene."
• Since these latest attacks, the targeted institutions have taken additional
protective measures. Result: there have been no further successful attempts in
Belgium to loot accounts managed via the internet since June. The customers who
were victims of this fraud have been reimbursed.
Application
• Ecobank website case study:
– https://www.tib.ecobank.com/scripts/ecobank.dll
• Belgian online bank samples:
– https://secure.ing.be/eb/homebank/EN/index.jsp
– https://www.fortisbanking.be/pics/BE/F/fr/anon/priv/News/securite_internet_2_.html
– http://www.dexia.be/Fr/Particulier/BankingManagement/ViaDexiaDirectNet/demonstrations.htm
Module IV
Financial services via the internet and e-payments
Financial services via the internet:
Belgian and French examples
- Architecture of the law on distance financial services in
European, Belgian and French law
- Definitions of "financial services" and "distance contract"
- Commercial prospecting and distance communication techniques
- Information obligation and communication of the contractual terms
- Right of withdrawal
- Private international law (DIP) issues
Electronic money: a situation harmonised at European level
• Prudential supervision: authorisation and exemptions
• Transparency of the conditions governing payment services
• Rights and obligations linked to the provision and use of
payment services
– Authorisation of payment transactions
• Consent, monitoring, irrevocability, right to a refund, evidence,
disputes, record-keeping, liability
– Execution of a payment transaction
• Acceptance and refusal of a payment order, amounts and charges,
execution time, availability of funds, value date, execution problems
Module V
Contracts: case study
Module VI
Summary of European law
SEPA
• Creation of a single euro payments area: Single Euro Payments Area
• SEPA payment instruments
– SCT or SEPA Credit Transfer
– SDD or SEPA Direct Debit
– SCF or SEPA Card Framework
MiFID
• MiFID (Markets in Financial Instruments Directive): a new regulatory
framework for markets in financial instruments, intended to promote the
cross-border provision of investment services by establishing a harmonised
regime in all Member States while strengthening investor protection
• Know your customer: the directive requires firms to update their
client service processes in order to handle data for:
– a) Customer classification (professional, non-professional, eligible
counterparty)
– b) Proof of the information provided in relation to classification
– c) Proof of the management of "conflict of interest" situations
• New rules of conduct.
MiFID (2)
• Customer order handling—Best execution, classification, driven
order handling and transparent pricing.
• Transparency—Fulfillment of real time and deferred reporting.
Market data feed, pre-trade and post-trade transparency, customers'
confirmations, information access for customers, and reporting to
regulators
• Internal organisation: investment firms are required to meet higher
organisational standards, including new rules on the compliance
function, conflict of interest controls, record-keeping, safeguarding
of money and assets, outsourcing arrangements, complaint handling
mechanisms, personal transactions and inducements.
What next?
• AML: EU 3rd Directive, December 2007
• MiFID III
• Basel II
• New e-payments directive
Literature
• Internet: http://www.droit-technologie.org
• Journal of Internet Banking and Commerce: http://www.arraydev.com/commerce/jibc/
• Books: Internet Banking and the Law in Europe: Regulation, Financial Integration and
Electronic Commerce, by Apostolos Ath. Gkoutzinis
(www.cambridge.org/us/9780521860710)
Thank you for your attention
[email protected]
Belgium : Tel : +32 (0) 2 340 88 10 / Fax : +32 (0) 2 345 35 80
France : Tel +33 (0) 1 40 70 90 11 / Fax +33 (0) 1 40 70 01 38
www.ulys.net