966
AZ
E-CBAR
Methodological Guidelines on supply and security of electronic banking services in the Republic of Azerbaijan

Approved at
Resolution of the
Management Board
of the Central Bank of the
Republic of Azerbaijan
dated 21 December 2015

Protocol №__43__
S/Register №__316_


Methodological Guidelines on supply and security of electronic banking services in the Republic of Azerbaijan

 



1. General provisions

These Methodological Guidelines determine the requirements on the types, delivery and use of and recommendations on boosting reliability and security of e-banking services in the Republic of Azerbaijan.


2. Definitions

2.1. The definitions used herein bear the following meanings:
2.1.1. electronic banking service (hereinafter – the e-banking service) – bank operations on a related account and/or data acquisition allowing user’s remote access by means of relevant software, electronic authentication and communication facilities;
2.1.2. user – a bank account-holder using e-banking services and a person entitled to use e-banking services;
2.1.3. electronic authentication – is the process of authorization of a user and an operation by means of various hardware and/or software (electronic signature, user name and password, OTPs, symmetric encryption, use of simple session keys and others) when using e-banking services;
2.1.4. transaction’s reference number – a unique identifier assigned to each transaction conducted via e-banking service;
2.1.5. security procedures – information security related software and hardware and a set of organizational measures provided for identification of users and transactions during electronic development, processing, sending and receiving of payment documents.

3. Types of e-banking services

3.1. The e-banking service is divided into informational and transactional e-banking depending on functional capabilities delivered to users and the level of potential risk:
3.1.1. The informational e-banking service is based upon data acquisition by a user. A bank or the national operator of postal communication (hereinafter – the bank) delivers information to users on bank accounts, conducted transactions and on its products and services via this service.
3.1.2. The transactional e-banking service allows users to make payments, transfer funds from accounts, convert currency and conduct other banking services.
3.2. The following types of the e-banking service is included to the scope of these Methodological Guidelines:
3.2.1. PC banking – e-banking services provided by communication channels over electronic devices by installation of dedicated software;
3.2.2. Internet banking – e-banking services by communication channels over electronic devices not installing dedicated software;
3.2.3. mobile banking – e-banking services by mobile communication channels (GSM, CDMA, 3G, HSPA+, WiFi, LTE etc.) over mobile devices (mobile phones, tablets, computers etc) installing or not installing dedicated software.

4. Maintenance and use of e-banking services

4.1. The e-banking service is based upon an agreement (soft or hard copy) signed between a bank and a user.
4.2. The bank briefs the user on the terms of use of e-banking service, an integral part of the agreement.
4.3. When supplying an e-banking service the bank:
4.3.1. eunsures safety of the server room, communication facilities and devices, as well as security of software used to conduct electronic transactions;
4.3.2. may provide users with authentication means (e-token, e-signature certificates etc) and relevant software;
4.3.3. regularly implements remote e-banking attacks prevention measures, specified in Annex 1, the integral part of these Methodological Guidelines;
4.3.4. identifies and verifies users under the requirements of the Law of the Republic of Azerbaijan on Prevention of the Legalization of Criminally Obtained Funds or other Property and the Financing of Terrorism;
4.3.5. accordingly notifies users (except for the cases specified in the Law of the Republic of Azerbaijan on Prevention of the Legalization of Criminally Obtained Funds or other Property and the Financing of Terrorism) in the order and under the period provided for in the agreement, if the cases specified in Item 4.6. herein occur;
4.3.6. provides the user with information on payment transactions periodically or at his/her request to validate whether the e-banking payment transaction is ordered and executed properly;
4.3.7. provides users with statements on the current status of payment transactions and on accounts;
4.3.8. ensures maintenance of information on payment transactions in line with the legislation.
4.4. The Bank informs the user without fail on the necessity of delivery of notification to the bank if:
4.4.1. funds in the bank account are used without authorization;
4.4.2. any error or mismatch is detected in transactions with the bank account;
4.4.3. suspicious cases on unauthorized access to authentication data are detected;
4.4.4. e-banking related technical malfunction is available or error occurs in identification methods.
4.5. The Bank notifies the user on maintaining secrecy of use of e-banking service and means of electronic authentication (keys, passwords etc.) according to the rules and procedures it has established and contractual terms and conditions.
4.6. The Bank should be entitled to temporarily halt or cancel supply of the e-banking service for the user in the following cases:
4.6.1. if the user violates bank’s e-banking related rules and procedures or terms and conditions of the agreement signed between the bank and the user;
4.6.2. if supply of the e-banking service is technically impossible;
4.6.3. other cases specified in the legislation.
4.7. After the cases leading to suspension of supply of the e-banking service by the bank specified in Item 4.6 herein are eliminated, the bank accordingly notifies the user in the order and under the term specified in the rules and procedures or in the order specified in the agreement.
4.8. At least the following information is stored in the bank’s internal information system on bank transactions conducted via the transactional e-banking service:
4.8.1. type of the e-banking service;
4.8.2. transaction’s reference number;
4.8.3. transaction date and time;
4.8.4. transaction purpose;
4.8.5. transaction amount;
4.8.6. transaction currency;
4.8.7. requisites of the issuer bank (the one serving the payer) and the beneficiary bank (the one serving the payee);
4.8.8. requisites of the payer and the payee.

5. Recommendations on e-banking security

Recommendation 1: Risk management


5.1. The bank has dedicated procedures in place on e-banking security and risk management (hereinafter – security procedures).
5.2. Bank’s e-banking related security procedures are approved by the bank’s authorized management body and its implementation status is checked regularly.
5.3. E-banking related security procedures should provide for at least the following:
5.3.1. methods for maintaining data security to ensure information security;
5.3.2. methods for ensuring accuracy, reliability and integrity of the data sent, processed and stored between the bank and the user;
5.3.3. means for application of electronic authentication;
5.3.4. measures for authorized and physical access to data to limit user’s unauthorized access to information;
5.3.5. where a third party (software and network supplier) is involved in supply of e-banking service, measures to be taken if the third party suddenly suspends its activity or fails to fulfill its contractual obligations;
5.3.6. organization of regular workshops to ensure segregation of authorities of IT staff and increase their expertise.


Recommendation 2: Evaluation of risks


5.4. The Bank monitors e-banking related risks in light of technological solutions, third party services and users’ technical environment.
5.5. The Bank analyzes risk scenarios on main scenarios likely to impact e-banking services, and evaluates adequacy and effectiveness of security measures in place.
5.6. If risk evaluation reveals that changes should be made to existing e-banking related security measures, applied technologies and procedures, as well as services, the bank takes actions to minimize the probability and effect of possible incidents and frauds over the transition period required for changes.
5.7. Risk evaluation is analyzed at least annually and findings are presented to the bank’s related management body.


Recommendation 3: Monitoring and accountability of the incident occurred


5.8. The Bank registers and monitors occurred security incidents, including security related user complaints in a real time mode and delivers reports on incidents to the bank’s related management body and, if necessary, information on incident to the law-enforcement bodies.
5.9. The Bank maintains a register of e-banking related incidents, which includes at least:
5.9.1. type of e-banking (PC Internet and mobile banking);
5.9.2. transaction’s reference number;
5.9.3. the cause of incident;
5.9.4. the content of incident;
5.9.5. the date and time of the incident;
5.9.6. measures taken to eliminate the incident.


Recommendation 4: Security measures and control over their implementation


5.10. The bank has relevant security solutions to protect network, web-site, servers and communication channels from abuse and attacks. To restrict use of fake web-sites, the web-site of the bank that provide transactional e-banking service is identified by extended validation certificates.
5.11. The Bank has relevant functionalities to control, track and restrict logical and physical access to resources like network, systems, database and security modules. The Bank creates, maintains and analyzes relevant logs and audit files.
5.12. The Bank audits e-banking related security measures annually. Reliable and independent (internal or external) specialists are attracted to the audit.
5.13. The Bank ensures that agreements signed with third parties on e-banking services provide for recommendations on security of the service specified herein.
5.14. In the event the third party suddenly halts its activity or fails to discharge its obligations, the Bank predetermines e-banking related contingency plans, appropriate methods and facilities.


Recommendation 5: Tracking of transactions


5.15. The Bank enables users to track all e-banking transactions, including the process of confirmation to execute transactions.
5.16. The Bank creates logs of any additions, changes or deletions to database on tracked transactions.


Recommendation 6: User identification and notification


5.17. Prior to delivery of the e-banking service the Bank discloses the following information to users in soft or hard copy:
5.17.1. register, technical specification, proper and safe use of equipment, software and other necessary facilities (antivirus programs, firewall etc.), as well as customized tools (PIN codes, e-tokens etc.);
5.17.2. steps of obtaining information, including entry and authorization of payment transactions in the system and/or results of each transaction;
5.17.3. measures to be taken in case of loss or theft of e-authentication facilities or devices and software to conduct payment transaction;
5.17.4. procedures applied in fraudulent and suspicious cases.


Recommendation 7: Stronger user authentication


5.18. Stronger user authentication is used depending on the amount of e-banking transaction and the level of risk.
5.19. The Bank may employ user friendly unified authentication methods for e-banking services.


Recommendation 8: Registration and supply of authentication methods and/or software delivered to users


5.20. To enable users to use e-banking services, the Bank ensures safe delivery and registration of authentication means and software to them.
5.21. Using Internet resources, the Bank ensures whole and intact delivery of software to users.


Recommendation 9: Attempts to access the system, session expiry and authentication accuracy


5.22. The Bank sets limits on attempts to enter passwords and/or the system’s inactivity time during log-in to the e-banking system.
5.23. When using OTPs for authentication, the bank sets limits on their validity according to the preset minimum requirement.


Recommendation 10: Monitoring of transactions


5.24. The Bank uses the systems that detect and prevent frauds to detect suspicious transactions prior to their authorization.
5.25. The Bank has procedures in place for remote monitoring and evaluation of transactions within a reasonable timeframe for delivery and timely execution of e-banking payment transaction.
5.26. When the Bank has suspicions with regard to any payment transaction, it blocks the transaction in question and promptly notifies the user accordingly until security issues are resolved.


Recommendation 11: Protection of payment data


5.27. The Bank ensures security of all information used to identify and authenticate users and user interface means from unauthorized access and changes to them.
5.28. During exchange of e-banking payment data the Bank ensures encryption between the parties to maintain data confidentiality and integrity.


Recommendation 12: Raising awareness of users and organization of communication with them


5.29. The Bank creates at least one communication facility for ongoing communication to enable proper and safe use of e-banking services by users and informs them on directions for its use.
5.30. If any of the cases specified in Item 4.4 herein occurs, the Bank provides uninterrupted 24-hour receiving of user notifications by all possible communication means (at least telephone, mobile, Internet) (indicating the date, time (hour and minute) of receiving the notification and details of the case).
5.31. The Bank educates users on the following to minimize risks during use of e-banking services:
5.31.1. protection of e-banking service access authentication means and other information;
5.31.2. maintenance of PC security on installation and updates of security elements (antivirus programs, firewall, patches) to the computer;
5.31.3. user should take into account considerable threats and risks he may be exposed to with respect to downloading software using Internet he is not sure of;
5.31.4. use of bank’s authentic website.


Recommendation 13: Setting notifications and limits


5.32. Limits on the amount of e-banking payment transactions are set in bank’s internal regulations and procedures and/or on the basis of the agreements signed with users.
5.33. If the bank detects suspicious payment transactions it notifies the user by possible communication facilities (phone, SMS, e-mail etc.).


Recommendation 14: Issue of payment order and user’s obtaining information on the status of execution


5.34. The Bank provides users with information on the date and time of last system use, as well as the date and time of failed access at e-banking user’s appeal.
5.35. The Bank enables the user to control the status of execution of e-banking transaction he has conducted, as well as balance of the account.

2022-04-05-11-34-26

2022-04-05-11-34-37

2022-04-05-11-34-48

2022-04-05-11-34-55

2022-04-05-11-35-01

2022-04-05-11-35-07

2022-04-05-11-35-14

2022-04-05-11-35-20

2022-04-05-11-35-26

2022-04-05-11-35-32