I.T. in Banking Industry
Short Description
Download I.T. in Banking Industry...
Description
Shri chinai college of commerce &economics Andheri (e) Mumbai-400069 Project on IT in banking industry Project by PARESH J SUDRA T.Y .B.COM (BANKING& INSURANCE) ROLL NO -48 Project guide PROF. NISKIKANT JHA UNIVERSITY OF MUMBAI ACADEMIC YEAR 2007-2008
ACKNOWLEDGEMENT I am most thankful to my internal guide, Prof. NISHIKANT JHA., for his guidance through out the project and for encouraging me all the time. I value very much that he has been extremely available, even when his work schedule was very tight. I also value his generosity. There are many people to whom I feel obliged for their comments on the contents of the project. I thank to Prof. Mrs.Kruttika K.Sontakke, Prof. Parina Sangha. I am also grateful to my college friends: HITESH D. PADHIYAR, VINAY MALVAN, PANJAB SINGH.
DECLARATION I MR PARESH J. SUDRA student of T.Y.B.COM (BANKING & INSURANCE), SHRI CHINAI COLLEGE OF COMMERCE & ECONOMICS. Here by declare that I have completed this project on IT IN BANKING INDUSTRY in the academic year 2007-08. the information is true and original to the best on my knowledge.
( STUDENT OF STUDENT) (paresh j. sudra) CERTIFICATE I PRO. NISHIKANT JHA here by certified that PARESH J. SUDRA STUDENT OF T.Y.BCOM (BANKING & INSURANCE) SHRI CHINAI COLLEGE OF COMMERCE & ECONOMICS SEMESTER 5TH has completed project on IT IN BANKING INDUSTRY in the academic year 2007-08. The information submitted is true & original to the best of my knowledge.
SIGNATURE OF PROJECT GUIDE
TABLE OF CONTENT
1. INTRODUCTION a) OBJECTIVES OF THE STUDY b) LIMITATIONS OF THE STUDY c) RESEARCH METHODOLOGY 2. E-BANKING: IN NASCENT STAGE IN INDIA 3. ELECTRONIC CHEQUES & EVIDENTIARY VALUE 4. THE FUTURE OF PLASTIC MONEY 5. LEADING ISSUES IN BANKING TECHNOLOGY 6. TECHNOLOGY & FRAUDS 7. CREDIT CARD FRAUD ON INTERNET 8. INFORMATION TECHNOLOGY RISK IN BANKING: MANAGEMENT & MEASUREMENT 9. PRIMARY DATA & ANALYSIS 10.SECONDARY DATA & ANALYSIS 11. FINDINGS & CONCLUSIONS 12. SUGGESTIONS & RECOMMENDATIONS 13. BIBLIOGRAPHY
1. INTRODUCTION
The Indian Banking system has an old age legacy. Earlier there were indigenous bankers who consisted mainly of unorganized moneylenders, mahajans and sahukars. Later, when British came to India they brought with themselves the concept of organized banking. British while leaving India left behind large number of small and privately held banks. In 1964, the first major banking reform took place when 14 banks were nationalized. It led to the rising of Indian Public Sector Banks. The second banking reform was witnessed in 1990s when Indian Banking Sector underwent complete change after the recommendations of the Narsimhan Committee. Private and MNC banks entered banks entered into the Indian Banking arena and challenged the monopoly of the PSU banks. The Private and MNC banks brought new technologies and technology intensive services with themselves. They rendered quality service, which PSU banks were not providing, to service starved Indian customers. There were a series of technological innovations and up-gradations, e.g., ATMs, Internet Banking, credit cards and online banking, etc. Private banks and MNC banks had to
provide something extra and it was their service, which attracted a bulk of customer from the PSU banks. Indian customers were lacking the world-class service in baking; they were accustomed to the PSU (Sarkari) culture and the service of Private and MNC banks was a delight for them. When private and MNC banks initiated the world class service to their customers and started snatching customers from Public Sector Banks, Public sectors banks were bound to follow the path of Private Banks. The PSU banks felt the heat and realized their mistake. They also followed the Private Banks in their technology initiatives and services. The Indian Banking Sector with the progress in Technology is facing the biggest challenged of rapidly changing customer expectations
against
the
backdrop
of
LPG
(Localization,
Privatization and Globalization). Retail banking clients today demand more care and extra facilities. They want more mobility of investments, interactive accounts, and better segmentation of banking products to cater to different segmental needs, convenience and untimely hour services. Even the PSU culture could not adjust to the pace of the new technology and changes. At present also it is
moulding and adapting itself to new needs and the dynamism of the environment. Technology is helping the Indian Banks to cater to customer needs in a much more efficient manner continuous and error free services to customers. With the help of computerization and the use of modern software, which can be called the gift of technology, the banks have been able to provide single window system to their customers. In a single window system, all the needs of the customers are taken care at a single counter. It is like a multipurpose counter where one can deposit cheque, receive payments and deposit cash etc. This has been made possible only due to the use of technology. Earlier one had to move from one counter to the other counter for different sort of works. Thus this type of service not only helps in better customer service but also minimizes the customer service time as it avoids duplication of work and unnecessary hassles to the customers. With the use of technology, banks are trying to minimize there per customer service cost. According to industry estimates, assume teller cost Re.1 per transaction, ATM transactions cost Re.0.45, phone banking at Re.0.35, debit cards at Re.0.20 and Internet banking at Re.0.10 per transaction. So, now the emphasis is
more on net banking then on real banking or brick and mortar banking. Indian Banking system is moving from real banking realm to virtual banking realm. Banks are establishing more and more ATMs at different convenient locations and interconnecting these ATMs not only with their networks but also with their partner banks. Network with whom they have got mutual understanding for sharing ATMs. With the least cost of Internet banking, banks are paying higher emphasis on Internet banking. As per IDC estimates, the total number of registered users for Internet banking in India is over two million. But this figure needs to be adjusted for dormant users and multiple accounts (a user having accounts with more than one bank). India has one million active Internet Users populations. Thus, this is just around 0.1% of the total population; to represents 15% of the India’s Internet user (most of the people in India use internet from cyber café). Thus, indicating that the concept of Internet banking is surely catching on. India is far behind in the use of Internet banking than the other Asian countries like Korea and Singapore where nearly 10% of their population is banking over the Internet but India is fast catching up. In India, the biggest drawback for Internet banking is the Internet penetration
among the masses. We lack the infrastructure facility for providing Internet services but with the IT ministry keen on expanding the Internet penetration the day is not too far when greater part of our population would be using the Internet banking facilities. In India, ICICI bank was the pioneer to introduce Internet Banking. And later Citibank, HDFC Bank and other banks followed the suit. PSU banks have lagged far behind in adoption of the Internet banking facilities. But State Bank of India, which entered the arena of ATM banking quite late, was able to expand at a rapid pace and cover almost all the cities of India. Now ATM banking has become an integral part of traditional cheque or withdrawal based banking. These services have helped the PSU banks to maintain their customers. Now money is transferred more in electronic form than in physical form. With the cost of PC fast declining and the government’s initiative in providing the infrastructural facilities for net banking and the faster developments in the telecommunication sector would be helping in the adoption of new technology and ITbased banking services. Some authors’ view that the Internet banking is just the extension of the traditional banking services because it is the same service with customer friendly technological
interface. So, it is the value addition to the existing services. Banks are reaping following benefits with the use of technology:
•
With low investment, banks would be able to satisfy large
customer base. The technology has allowed the banks to move from brick and mortar building to virtual interface which cost less in comparison to the rising real estate prices which in turn leads to increase investment. Low investment in turn helps in satisfying large client base.
•
With modern facilities more and more customers get attracted
to the banks and they are viewed as technology savvy and modern or state-of-the –art banks. Brand image of the banks also get enhanced thus building their goodwill and brand equity. Even customers want to be associated with the brand personality of the banks.
•
With the increase in quality and competition, the customers
are having several choices among which to choose instead of Hobson’s choice in some case. Now banking services have become customer centric instead of service centric or bank centric
approaches as in earlier cases. Now, it is the customers market rather than a sellers (bankers) market. All the services are customer driven.
•
Network sharing by different banks is enabling the banks to
reduce their investment (sharing of ATMs of partner banks) and provide better services to the customers. This is also helping them in delivering quick services and it also reduces the risk of fraudulent practices as verification becomes quite easier and quick.
•
These practices are leading to lower service cost per customer.
Thus leading to enhance profitability for the banks, which in turn enhances the corporate image of the banks.
•
With the use of technology banks are in a position to obtain
the customer database with a press of key and this helps the bank to maintain high profile customers because it is an accepted marketing principle that 80% of the revenue are generated by 20% customers (20:80 principle). Thus, the modern technology helps in tracking the key customers and provides them better services or customized services.
•
The alternative channels of service helps the bankers to add
new products to their portfolio and it helps them to device new products according to customer needs. The banks can provide customized value added services or tailor-made service to each customer based on his/her requirement, e.g., foreign money transfer service, electronic money etc.
•
It helps the banks to manage their funds in a much better way
as the technology provides round the clock interface to the outside world and thus it helps in hedging the risk of the banks at real time. Banks are able to minimize the risk and maximize returns by investing in different avenues and they have greater control over the fund investments.
•
Technology helps in increasing the labor productivity because
it increases the output per labor to multifold. Earlier works had to be performed manually and it used to take days to complete in minutes or in seconds. So, it helps in updating the customer status as well as increased labor productivity.
•
The customer service cost decreases and the productivity of
the staff increases and this adds to the profitability of the banks. This helps the banks to take care of even larger customer base and this will ultimately ass up too the bottom-line of the banks.
Public sector banks have been shy in implementing new technology brick mortar banking in comparison to the technology driven banking while the client base of Private and MNC banks are mostly young people who are technology-savvy and who like to interface more with the technology than man. Aged people are not comfortable with the technological interface. They feel complexity and uncomfortable with technology intensive services. With the present avenues being saturated and greater competition due to the entry of more players in the arena, the banks are diversifying into new areas where they can use their financial expertise in financial consultancy, insurance sectors, and fee-based earnings instead of fund-based earnings. The mushrooming of the multichannel,
multifunction,
self-service
electronic
delivery
channels is fast replacing the brick and mortar branches (real to
virtual). There is a need to redefine the business model of the Indian banking sector so that to optimize the resources and deliver world class service in the light of modern day technology. Today’s concept is to minimize the visit of the customer to the bank and let him use the technology or let technology handle him-this is the new survival mantra in the cutthroat scenario for banks.
OBJECTIVES OF THE STUDY The objectives of the project “The Study Of Application of Information Technology In Banking Sector” includes the following: -
• To know the present condition of technology in Indian banking sector.
• To know about the electronic payment system.
• To know about the hackers and frauds in online banking.
• To know about the risk management policies of Indian banking sector.
• To know about the electronic banking sector.
LIMITATIONS OF THE STUDY
The scope of the project “ The Study Of Application Of Information Study In Banking Sector” has been restricted to some extent i.e. the project does not include the following: -
• Supervision of Electronic Banking by Reserve Bank Of India
• Information Technology in Banks in International Scenario
• Software Application to Protect from Hackers & Frauds
• Case Studies Related To Hackers & Frauds
RESEARCH METHODOLOGY COLLECTION OF PRIMARY DATA:The primary data has been collected from various sources which are as follows: • Questionnaire method. • Surveys in banks. • Surveys in banks related offices such as agent’s office etc.
COLLECTION OF SECONDARY DATA: The secondary data has been collected from various sources which are as follows: • Various books related to information technology. • Brochures of various banks. • Weekly journals. • Articles in newspapers.
SAMPLE FRAME: The data has been analyzed using ten samples of employees of three different banks viz., Bank of Maharashtra, HDFC Bank and ICICI Bank.
2.E-BANKING: IN NASCENT STAGE IN INDIA
To keep pace with the changing environment worldwide, Indian banking industry is fast adopting technology. It has embraced many new features like Internet banking, ATMs, Phone banking etc. With the help of new technology, banks are now able to offer products and services, which were difficult or impossible with traditional banking. But the banks in India still have to go a long way before making themselves technology savvy.
With IT integration, a paradigm shift in the banking norms is on cards. Banking fundamentals are thus facing major overhauls/ reengineering/ restructuring.
Two major trends have emerged in the transition of traditional banking to high-tech banking:
Advancements and restructuring through mergers, acquisition and alliances.
Universal banking where one stop shop provides all related products and services to a customer.
At this point, it should be emphasized that mergers, acquisitions, alliances, and adoption of Universal Banking concept are just outcomes of IT-banking integration.
Banking and IT Advancements and innovations in IT industry have created a revolution in the communication and distribution system of various products and services through Web networking. Networking, as we know has connected people around the globe, thus creating a revolution in modern business activities. Integration of these technological advances and existing banking structures has changed and will change the definition and faces of global banking. Internet banking has made banking a
commodity where quality is measured by efficient servicing and effective pricing and timeliness.
However, PC banking is not new. Bank of Scotland Started offering its Home Office Banking Services (HOBS), more than a decade ago, although it was only in 1996 that it was upgraded to make software work with the now dominant windows operating systems. HOBS later joined hands with TSB, which in 1996 launched banking services accessible through the CompuServe online network, nationwide.
Technology Solutions for Indian Banks Two types of technology stock bank products are available in the market. Hardware products like ATMs and
Software products like branch connectivity, cluster-banking software, and trade finance software.
3. ELECTRONIC CHEQUES AND EVIDENTIARY VALUE
The advancement in technology has led to the creation of electronic cheques, particularly in a business environment. Different countries have a choice of cheque systems, which are governed by the laws applicable to each country’s jurisdiction. The authentication of these electronic instruments is proposed to be endorsed by digital signature. In India, the enactment of the Information Technology Act, 2000 obligated amendments to The Negotiable Instruments Act, 1881 in order to impart legal validity to such electronic instruments. The authors in this article elucidate the amended provisions and examine the evidentiary value of such electronic instruments. The electronic cheque or simply the e-cheque is gradually replacing
the
longstanding
paper
cheque.
The
Negotiable
Instruments (Amendments and Miscellaneous Provisions) Act, 2002 was amended to include the phrase “electronic cheque” in the definition of a cheques in Section 6 reads as “ A ‘cheque’ is a bill of
exchange drawn on a specified banker and not expressed to be payable otherwise than on demand and it includes the electronic form. “Explanation I. – For the purpose of this section, the expression“A cheque in the electronic form” means a cheque which contains the exact mirror image of a paper cheque and is generate, written and signed in a secure system ensuring the minimum safety standards with the use of digital signature (with or without biometrics signature) and asymmetric cryptosystem.” An electronic cheque simply means a cheque in the electronic form, which is an exact replica of a physical cheque. It contains all the information that is found on a physical cheque, but it is “signed digitally” or “endorsed”. In an attempt to provide authentication, an apparatus commonly known as “signature” was evolved as a proof asserting intention. This involved appending a unique identifier to a message to identify the sender/recipient. Conventionally, handwritten signatures are affixed paper-based cheques. These signatures affixed using ink are used as an authentication tool to identify that the person signing the document has read and understood the contents.
In the anonymous digital world, where individuals may not actually communicate with each other, much emphasis is placed on the authentication of the electronic information. Therefore, it becomes necessary for evolving a secure authentication tool, which led to the promotion of digital signatures.
DIGITAL SIGNATURE – HOW IT OPERATES It is a data string, which associates a message in the digital form with some originating entry. It is created and verified by means of cryptography, the branch of applied mathematics that concerns itself with transforming messages into apparently meaningless forms and back again. It uses a scheme or mechanism consisting of signature generation algorithm with a method for formatting data into message to produce a digital signature, and a related signature verification algorithm with the method to recover data from the message to authenticate a digital signature. It is important to note that, the Information Technology Act, 2000, in Section 3(2) provides for a particular asymmetric cryptosystem and hash function as a means of authentication should be recognized as a source of legal risk.
The digital signature mechanism follows an “asymmetric cryptosystem”. In this method of creating and verifying a digital signature, there are two basic technical processes or functions: “Public key encryption”, where encryption is the process by which information is scrambled by the use of a code and “hash”. The process of a creation and verification of digital signatures using hash algorithm involves the following steps: • Create a data unit that is to be signed, e.g., precisely an encircled portion of data in digital form, which can be a text document, software or any other digital information. • Generate hash value called “Message Digest” or “Fingerprint” of the message. A hash function is a process that creates a relatively small number (called message digest) that represents a much larger amount of electronic data. • This hash value is computed from the data unit- a number using a hash algorithm, which creates the compressed digital signature. Digital signatures use a “one way hash function” and the important thing about such a hash value is that it is nearly impossible to derive the original data unit without
knowing the data unit used to create the hash value. Therefore, if the data unit is changed or otherwise tampered with, the hash value will no longer correspond to this data unit and produces an error message. • Encrypt hash value with the private key of the signatory. Encryption is a process of disguising a message in such a way so as to conceal its meaning and substance. It also consists of a procedure of converting plain text to a cipher text. Hence, the plain text refers to the original digital file, whereas the ciphertext refers to the disguised file. • Final step in the verification process, which involves the regeneration of the hash value on the basis of the same data unit and the same algorithm. The determined hash value is again computed with rhea public policy key, which is then compared with the signature attached to the data unit. If the product is matching, it will verify the signatory’s private key, which is used to sign and guarantee that the data unit has not been altered.
In this context, digital signatures are created when the drawer of the cheque runs, the cheque through a one-way function creating a message digest. The private key used by the drawer of the cheque is known only to him. The drawer encrypts the resulting message digest by using an asymmetric cryptosystem will allow the paying banker to verify the signature by using it to decrypt the cheque.
EVIDENTIARY VALUE OF DIGITAL SIGNATURE ON ECHEQUES Generally, authentication is achieved by what is known as security procedure, but from the legal perspective, the security procedure requires to be recognized by the law as a substitute for signature. With the emergence of cyberspace it became necessary to amend certain provision of the Indian Evidence Act to make electronic evidence admissible in courts of law. Accordingly, the second schedule to the Information Technology Act has amended the Indian Evidence Act, 1872 to remove any obstacle to the legal acceptance and validity of electronic evidence.
According to the amended Section 3 of the Evidence Act, electronic records stand on par with paper-based documents and will be deemed as documentary evidence in a court of law.
While Section 22(A) of the Information Technology Act amends Section 17 of the Indian Evidence Act, 1872 to provide that oral admission as to the contents of the electronic records are relevant, the written admission of the content of any document or electronic record can be proved under Section 65 of the Evidence Act. Section 39 of the Indian Evidence Act provides, “when any statement of which evidence is given forms part of a longer statement, or is contained in a document which forms part of a book, or is contained in part of electronic record or of a connected series of letters or papers, evidence shall be given of so much and no more of the statement, conversation, document, electronic record, book or series of letters or papers as the court considers necessary in that particular case to the full understanding of the nature and effect of the statement, and of the circumstances under which it was made.” It can be inferred from this provision that where entry of an electronic
cheque forms a part of an electronic record, only that part which is relevant may be taken as evidence before the court. Again what part is relevant depends on the discretion of the court. The court must exercise this discretion judicially to determine such relevance. Accordingly, Section 5 of the Information Technology Act 2000 prescribes, “ Where any law provides that information or any other matter shall be authenticated by affixing the signature or any other document shall be signed or bear the signature of any person then, not withstanding any document contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government.” Explanation- For the purposes of this section, “signed”, with its grammatical variations and cognate expression, shall, with reference to a person, mean affixing of his handwritten signature or any mark on any document and the expression “signature” shall be constructed accordingly”. This provision explicitly explains that a digital signature is legally recognized as the method of authentication. The authority to
use digital signatures in the government and its agencies is accorded in Section 6 of the Information Technology Act, 2000, which reads as“ 1) Where any law provides for-
a) This filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate government in a particular manner.
b) The issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner.
c) The receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other law for the time beginning in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate government”.
The words in Section 6(1)(C) “ the receipt or payment of money in a particular manner … is affected by means of such electronics forms as may be prescribed by appropriate government” may be understood to include e-cheque. A system of digital signature like handwritten signature is use to protect confidential information. Form the legal perspective, two presumptions that could be raised in respect of digital signature are:
•
Signatory’s personal participation in the Act of
signing or any person authorized by him.
•
The intention of the signatory to endorse or
approve authorship of a text and the fact that the signatory had been at a given place and time.
The presence of intention has an integral part of a signature is essential as lack of intention could be raised with regard to circumstances including fraud and unconscionable conduct.
To regulate the use of digital signature, the Central Government is empowered to lay down rules under Section 10 of the Information Technology Act, 2000 that reads, “The central government may, for the purposes of this Act, by rules, prescribe-
• The type of a digital signature;
• The manner and format in which the digital signature shall be affixed;
• The manner or procedure which facilitates identification of the person affixing the digital signature;
• Control processes and procedures to ensure adequate integrity, security and confidentiality or electronic records or payments; and
• Any other matter which is necessary to give legal effect to digital signature.”
In India, evidentiary value of the digital signature has been in question for long. A genre of evidence dominating the digital transaction world leads to be recognized by the Indian Evidence Act, 1872, by making the necessary amendments there in. The IT Act 2000 provides for specific evidentiary value for secure records and secure digital signatures. Subsequently, subsection (2) to Section 85B of the Indian Evidence Act has been inserted to be in consonant with the IT Act to provide that, “ In any proceedings, involving secure digital signature, the court shall presume unless the contrary is proved that-
•
The secured digital is affixed by the subscriber
with the intention of signing or approving the electronic records;
•
Except in the case of a secure electronic record or
a secured digital signature, nothing in this Section shall create any presumption relating to authenticity an integrity of the electronic record or any digital signature.”
The section limits its opinion to a secure digital signature by indicating that there shall be no presumption relating to authenticity and integrity of a digital signature except where it is a secure digital signature. If, by application of a security procedure agreed to by the parties concerned it can be verified that a digital that a digital signature, at the time it was affixed, was-
•
Unique to the subscriber affixing it
•
Capable of identifying such a subscriber
• exclusive
Created in a manner or using means under the control of the subscriber and is linked to the
electronic record to which it relates in such a manner that if the electronics record was altered the digital signature would be invalidated then such a digital signature shall be deemed to be a secure digital signature.
As distinct from such a secure digital signature, Section 67A of the Indian Evidence Act provides for proof as to the digital signature, and Section 73A prescribes the method by which such a digital signature may be proved. According to Section 67A of the Indian Evidence Act, “ Except in case of a secure digital signature, if the digital signature of any subscriber is alleged to have been affixed to an electronic record the fact that such digital signature is the digital signature of the subscriber must be proved.” The Information Technology Act by inserting a new SubSection A to Section 47 recognizes opinions of third parties not relevant as evidence unless specifically provided for Section 47A reads as, “ When the court has to form an opinion as to the digital signature of any person, the opinion of the certifying authority, which has issued the Digital Signature Certificate, is an relevant fact”. An opinion of third parties is in admissible and as evidence except in certain cases when the court requires an opinion of experts. With this insertion, opinion of third parties became relevant.
4. THE FUTURE OF PLASTIC MONEY
Use of plastic Money is growing at an unprecedented rate in India. Lesser number of installed Point-of sale (PoS) terminals is the major obstacle in the growth of debt cards; smart card has many innovative features, which may spurt the use of cards in India. Smart card is safer to use in electronic form than the present form of cards
“ Credit card business is a volume game and initially highly capital intensive.”
- A senior banker
Plastic money is growing by leaps and bounds in India. Today, many banks are offering cards. Though the foreign banks have a dominant share, aggressive entry of the Indian banks like SBI, ICICI and HDFC Bank may soon change the rules of the game. Today, SBI-GE is the third largest issuer of credit cards.
The credit card market in India is projected to grow at the rate of 20-25% per annum in the coming years. There are currently around 3.8 million credit card users compared to 3.0 million in 1990. Visa credit card grew by 46.4% in India while the growth in Asia Pacific was only 6% for Q3 of 2003. The competition among banks has been growing and they are offering so many add-on incentives like waiver of first year annual fee, discount on retail stores, personal loans etc., to woo the customers. Debit card is another segment, which is catching up fast. There are only 80,000 to 90,000 merchants having point-of-sale (PoS) terminals installed and majority of them are located in metros, which is the major obstacle to the growth of debit cards. To increase the usage of debit cards, banks should concentrate on increasing installation of PoS terminals in semi-urban and rural areas.
Smart Card: A Future Card Smart cards are the wave of the future for consumer use, commercial use and terminal network security. Smart cards are in much wider use in Europe than in US.
A smart card is a plastic card with an imbedded computer chip that has been stored inside the card. It has the capacity to store up to 80 times more information than other magnetic stripe cards. This mini-computer using an intelligent chip, stores payment information similar to a magnetic stripe card, but it also includes additional information such as online authorization controls, credit limits, stored value (gift card), reward points (loyalty), Personal Identification Number (PIN), etc. Smart cards can be contact less, suggesting that the chip transfers data via a built-in antenna without physically touching the smart card reader. There are over 3 billion smart cards in use currently. Today, smart cards are used worldwide and it is the most flexible payment option available in the world. Smart cards have been used in Europe for over 10 years and now they are the accepted mode of payment. In developing countries and continents such as Africa and Asia, the use of smart cards has been growing rapidly. In the US, major retailers, banks and processors are preparing to accept global cards and some are adding smart gift cards and promotional application to build loyalty for the growth of their business. American Express and Financial Institutions have issued over 21 million PIN-secured smart
cards to their customers. By the end of 2005, there will be over 100 million smart cards to their customers. By the end of 2005, there will be over 100 million smart cards in use in the United States.
In order to accept smart cards, the business must have an EMV ready smart card Point-of-Sale (PoS) terminal. Merchants can be standalone PoS smart card terminals or smart card readers that are integrated with cash registers. Currently, over 90% PoS terminals are not EMV smart card ready.
Smart Cards and Internet Payment Issues of security and fraud are major drawbacks to using credit and debit cards over the Internet. Unlike the hand-written receipts, there are no signed sales receipts associated with today’s ecommerce transactions. Without such evidence, it is difficult as much as 84% of all electronic commerce transactions. At the same time, consumers are holding back on making Internet purchases due to lingering security concerns. According to Master Card, 90% of Internet non-buyers worry that their personal and financial information may fall into the hands of hackers. It is
this reluctance that is the real barrier to building an online business. Using smart cards along with a strong Internet authentication will help overcome these issues.
American Express, Master Card and Visa smart cards currently support Internet authentication and payment using built-in digital certificates and digital signatures. For smart cards to be successful, the cardholders must connect an EMV approved smart card reader to their PCs. Smart cards have the capacity to replace the thirty plus years old magnetic stripe cards.
5. LEADING ISSUE IN BANKING TECHNOLOGY
Many Indian banks are adopting the information technology not merely as a frill, but as a dire need. It is helping the banks in many core and diversified functions. Technology is key business enabler in six critical areas of banks. These are augmentation profit pool,
operation
efficiency,
customer
management,
product
innovation, distribution and reach, and efficient payment and settlement system. For the success of any IT program, integration of IT and business strategy is crucial factor. Banking basics have undergone radical shifts, thanks to the advent of modern technology, increasing pace of globalization and the need for stronger fundamentals to operate in the fiercely competitive environment. The digital divide among Indian banks that was quite discernible before the millennium has considerably narrowed down with many banks taking to technology not merely as
a frill, but as a dire necessity. Technology today catalyzes many core and diversified functions in banks, including issues like transaction automation and multiple delivery channels, product innovation, data warehousing and effective MIS, secured storage mechanisms and a real-time based payment and settlement system. Seen in the present context, technology is a key business enabler in six critical areas of banking. Augmenting Profit Pool; Operational Efficiency; Customer Management; Product Innovation; Distribution and Reach; Efficient Payment and Settlement.
Augmenting Profit Pool Sustained profits and profitability have been major yardsticks for assessing the true health of banks in a fiercely competitive and compelling business environment. Technology has proved, at least in case of new generation banks and major public sector banks to be a major profit driver. With progressive decline in interest rates, banks’ spreads have come under pressure, which per se, affects their profitability. However, technology had a favorable effect in terms of reducing the operating cost and improving the burden to a
considerable extent. Technology also enable commissioning of new products like Net banking, mobile banking and other forms of 24X7 banking like ATMs and Networked services across branches like anywhere banking, electronic funds transfer, customer relationship management, call centers across the banks. Hi-tech and hi-touch services, it goes without saying, have also enlarged the clientele base in
banks
and
commanded
considerable
customer
loyalty.
Technology has created an enabling environment for banks to diversify into various fee-based activities like bancassurance and funds transfer arrangements.
Operational Efficiency Operational efficiency, in terms of optimum utilization of resources, has been one of the most positive offshoots of technological application in banks. Thanks to greater technological application, banking system has seen a near consistent improvement in the intermediation efficiency and consequent decline in transaction cost. Yet, technology application has been by and large confined, especially in the state-owned banks, towards cost saving
and improved service standards through product innovation. While savings in cost and improvement in service quality could turn out to be short-term in nature, it is essential that technology is leveraged as a long-term and efficient cross-functional application. It is also time that the focus of technology shifts from product innovation to process innovation commonly referred to as Business Process Reengineering (BRP), for banks to gain long-term operational efficiency.
Customer Management Technology also spells significant benefits on the realm of customer research and management. In a predominantly buyers’ market and high propensity if customers to switch service providers, customer management need no longer be a front office function, but a bank-wide obsession. Many banks have duly realized the significance of such functions and introduced new models like the High Net Worth clients’ branch, imbued with state of the art technology, exquisite ambience and quickest possible processing of transactions. Customer management is a very sensitive issue entity hears only from 4% of its dissatisfied customer, while 96% of its
customers quietly go away of which 91% never come back. Technology, thus, already implemented the tech aided e-CRM application as strategic tool to retain as well as expand their customer base. The bottom line is that banking products are getting commodities and price wars are slowly leading to a zero-sum game. In such a scenario, technology backed customer orientation will hold the key to take service standards anywhere near to world-class.
Product Research In the field of product research as well, technology plays a decisive role, in terms of swift product innovation, an active R&D set up effective pricing of products to protect banks’ margins and safeguard customers’ interests. Banking product life cycles are getting shorter day by day and more than delivery, product servicing defines competitive edge for banks. Marked to market product processes are equally important for sustained improvement in the value chain of services and command ‘top of the mind recall’ from the customers. Technology also aids product profitability research and review, which have not adequate attention in many of the banks.
Distribution Reach The thumb rule for strategic management masters is that structure must follow strategy in any business reorganization. Technology, thus, calls for attendant restructuring endeavors that will be in tune with the level of technology application. For instance, many banks need to put in a place a leaner structure and remove intermediate decision-making tiers. That is how one can see that many of the regional outfits of banks are slowly being dismantled while branch expansion is not being accorded the thrust it used to be given earlier. Rightsizing of human and physical overheads is a major strategy adopted by many banks wherein the role of the earlier brick and mortar banking is slowly getting dissipated. In turn, devices like Internet and mobile banking. Technology, thus, facilitates downsizing of overheads cost without compromising much on clientele reach. Public sector in the rural and semi-urban areas. Many of these branches are not performing to their potential mainly because of their typical business mix, cost diseconomies and lack of technology-based services offered in these branches. Technology can facilitate the branch rationalization exercise such as setting up mobile branches and satellite branches, especially in the
rural areas, and bring many of those into the “Performing” category without affecting the extent of client reach.
Efficient Payment and Settlement Innovation in technology and worldwide revolution in information and communication technology have emerged as dynamic sources of productivity growth. This is true about banking as well as its relationship with technology has become symbiotic fundamentally. Payment system is probably the most important mechanism in the banking sector where technology’s interactive dynamics is getting manifested in an increasing measure each day. Banking system has adopted a holistic approach for designing a modern, robust, efficient and integrated payment system. The approach to the modernization of the payment and settlement system has been basically three pronged – consolidation, development and integration. Consolidation of the payment system has revolved round strengthening computerized cheque clearing and expanding the reach of electronic clearing services through state-of-the-art technology. Critical elements under the developmental strategy related to the opening of new clearing houses, interconnectivity of
clearing houses through INFINET and optimizing the development of resources the Negotiated Dealing System, Structured Financial Messaging System (SFMS) and the recently introduced Real-Time Gross Settlement (RTGS) system. Integration is the next stage that the banking system is currently going through which is premised on a high degree of standardization within a bank and seamless interfaces across banks, leading to Straight Through Processing (STP) of transaction on a regular basis. Further, cheque truncation system will also pave way to expedite settlement of payments process. However, so far as integration is concerned, Indian banks still have a fair distance to traverse. In order to efficiency leverage an integrated payment and settlement systems, banks, especially those in the public sector, need to address certain core issues expeditiously. These include the following:
• Toning up of infrastructure in terms of standardization and build up security features like firewalls, Intrusion Detecting System (IDS) and implementing a security policy. • Total inter-branch connectivity.
• Popularization of electronic funds transfer mechanism. • Institute collaborative arrangements, including outsourcing of IT expertise. In addition to the above, banking sector is also confronted with a classic dilemma. It relates to differentiating between and mapping the role of business vis-à-vis the role of information technology, a feature typifying an enterprise wide technology initiative. This is where the significance of integrating business and IT plans comes to the fore.
Integration of IT and Business Strategy Many banks, especially those in the public sector, are embarking on a comprehensive set of IT initiatives encompassing total branch automation, core banking solution, networking of ATMs, Internet and mobile banking, data warehousing and a comprehensive MIS backed decision support system. Contrary to popular perception, such initiatives are not merely because of competitive pressure from the foreign and new generation private banks. The avowed goal of these initiatives was to improve overall efficiency in terms of lower intermediation cost, swifter decision-
making process, grater customer convenience and effective internal control, including an objective risk management mechanism. It goes without saying that the fast pace of globalization and progressive move towards reaching global operational benchmarks also catalyzed the technology drive dividends to these banks although the need of the hour is to consolidate the gains so far and address the weak links. One such weak link relates to lack of integration between the IT strategies which, it is felt, is applicable to many of our banks. Technology introduction can offer significant benefits only when they are in total alignment with business strategies. Especially, in public sector banks, a phased approach is desirable in view of the heterogeneous nature of their branch architecture and vast area specific differentials in their branch functioning. In the current context, business strategies may differ from bank to bank, yet a core set of business objectively will, for sure, be common to all the banks. Such commonalities call for at least an open technology plan, in board consonance with the business objectives, and the same can be fine-tuned on an ongoing basis to suit the business model.
Recently, a study was conducted by National Institute of Bank Management, at the behest of RBI, for suggesting a methodology to integrate IT and business plans in banks. The study has proposed an ‘Enterprise Maturity Model’, for attaining total convergence of technology and business strategies with focus on selected, generic business strategies. The model suggests solutions not merely for business and technology, but for issues related to human resources and customers who form an integral part of banks’ strategic road map. The suggestions in the study promise to be useful benchmarks for banks in their complete switchover to the virtual mode. Application of the model can help banks to develop effective Executive Information System as effective decision support, integration of varied workflow processes, objective customer analysis and most importantly, devise simulative and real-time based tools to track business, profits and profitability. Effective and an objective technology application system will also enable a business process reengineering mechanism that will considerably enhance the real technological capabilities of banks.
Core Banking Solution In the light of ongoing emphasis on business process reengineering, one comes across many banks assiduously pursuing a centralized server-based system, better known as Core Banking Solution (CBS). CBS offers, among others, benefits like privilege of single window service to customer in order to facilitate a shift from “customer of the branch” to “customer of the bank” concept, online transfer of funds, longer business hours, lower transaction costs, slimmer staff structure at branches, effective monitoring of business, comprehensive MIS as a policy support and above al, improved visibility of the banks implementing CBS. A robust MIS also supports vital functions like ALM, risk management, product profitability and customer profitability analyses leading ultimately to efficient portfolio management in banks. CBS also leads to significant mileage in terms of staff and other overhead costs. Staff rendered surplus on account of CBs can also be put for marketing and recovery functions, which warrant dedicated staff in the present context. One major issue in CBS relates to security aspects and a host of operational risks that banks are confronted with. Be it system
failure or planned hacking or any kind of human error, centralized system is perennially susceptible to failure which may prove to be endemic across the financial system and result in vital data erosion. Retrieval of the same may also cost dearly to the banks and their associates. Security aspects like implementing a robust security policy, firewalls, IDS are, therefore, indispensable for preventing any systematic problem. There are even cases where multi-point security has not been able to check the fraudulent practices. Thus, security aspects need to be examined threadbare before putting core banking in place.
6. TECHNOLOGY AND FRAUDS
ATM CRIMES FRAUDS: ATM crimes and frauds are rising throughout the world. ATM industry and money other organizations are fighting with them in many ways like, by issuing security tips, making ATMs more innovative etc. In India, where the use of ATMs is growing by exponential, banks have to take benefit from international experiences and safeguard their customers from frauds. ATM crimes and frauds are mounting day by day. Even though they make up a small percentage of criminal activities they are not less important. Criminals are raiding millions every year.
Popular Ways to Card Frauds: Some of the popular techniques used to carry out ATM crime are:
Through Card Jamming ATM’s card reader is tampered with in order to trap a customer’s card. Later on the criminal removes the card.
Card Skimming is the illegal way of stealing the card’s security information from the card’s magnetic stripe. Card Swapping, through this customer’s card is swapped for another card without the knowledge of cardholder. Website Spoofing, here a new fictitious site is made which looks authentic to the user and customers are asked to give their card number, PIN and other information, which are used to reproduce the card for removing the cash.
Global Measures to Fight the Frauds To guard against these frauds ‘The Global ATM Security Alliance (GASA)’, which was formed in June 2003, has issued the customers guide and some tips to prevent against card-related frauds.
The World’s Top 20 tips for ATM Use to Enhance the ATM customer Experience and Security CHOOSING AN ATM Tip 1: Where possible, use ATMs with which you are most familiar. Alternatively, choose well-lit, well-placed ATMs where you feel comfortable.
Tip 2: Scan the whole ATM area before you approach it. Avoid using the ATM altogether if there are any suspicious-looking individuals around or if it looks too isolated or unsafe. Tip 3: Avoid opening your purse, bag or wallet while in the queue for the ATM. Have your card ready in your hand before you approach the ATM. Tip 4: Notice if anything looks unusual or suspicious about the ATM indicating it might have been altered. If the ATM appears to have any attachments to the card slot or keypad, do not use it. Check for unusual instructions on the display screen and for suspicious blank screens. If you suspect that the ATM has been interfered with, proceed to another ATM and inform the bank.
Tip 5: Avoid ATMs which have messages or signs fixed to them indicating that the screen directions have been changed, especially if the message is posted over the card reader. Banks and other ATM owners will not put up messages directing you to specific ATMs, nor would they direct you to use an ATM, which has been altered. USING AN ATM Tip 6: Is especially cautious when strangers offer to help you at an ATM, even if your card is stuck or you are experiencing difficulty with the transaction. You should not allow anyone to distract you while you are at the ATM. Tip 7: Check that other individuals in the queue keep an acceptable distance from you. Be on the lookout for individuals who might be watching you enter your PIN. Tip 8: Stand close to the other ATM and shield the keypad with your when keying in your PIN (you may wish to use the knuckle of your middle finger to key in the PIN). Tip 9: Follow the instructions on the display screen, e.g., do not key in your PIN until the ATM request you to do so.
Tip 10: If you feel the ATM is not working normally, press the cancel key and withdraw your card and then proceed to another ATM, reporting the matter to your financial institution. Tip 11: Never force your card into the card slots. Tip 12: Keep your printed transaction record so that you can compare your ATM receipts to your monthly statement. Tip 13: IF your card gets jammed, retained or lost, or if you are interfered with at an ATM, report this immediately to the bank and/or police using the help line provided or nearest phone.
Tip 14: Do not be in a hurry during the transaction, and carefully secure your card and in your wallet, handbag or pocket before leaving the ATM. MANAGING YOUR ATM USE Tip 15: memorize your PIN (if you must write it down, do so in a distinguished manner and never carry it with your card). Tip 16: NEVER disclose your PIN to anyone, whether to family member, bank staff or police. Tip 17: Do not use obvious and guessable numbers for your date of birth.
Tip 18: Change your PIN periodically, and, if you think it may have been compromised, change it immediately. Tip 19: Set your daily ATM withdrawal limit at your branch at levels you consider reasonable. Tip 20: Regularly check your account balance and bank statements and report any discrepancies to your bank immediately. While the ATM industry is aggressively addressing ATMrelated frauds and crimes, few in the industry know about these extraordinary efforts. Some of the important works are given below:
From time to time the Electronic Funds Transfer Association (EFTA) with the help of ATMIA is publishing tips on PIN security.
To combat the cross-border crimes, GASA is working in association with Interpol, the Metropolitan Police Flying Squad for New Scotland Yard and leading card issuers.
ATMIA is educating the people and ATM industry about most effective way of fighting ATM crimes and frauds and honoring with award that contributes significantly counter the fraud.
Fair Isaac Card Alert – it is a service, which analyzes millions of daily transaction, identifies the suspicious transactions and sends the card number and related information of suspicious transaction to the concerned bank. This services has helped a lot in solving many card-related frauds including high-profile skimming cases.
Leading ATM manufacturers are producing innovative ATMs, which are helping to counter the frauds. Biometric technology is one of the examples, which removes the need of Personal Identification Numbers (PINs). Biometric systems identify or authenticate a person’s
identity using different alternatives like face expressions, fingerprint, hand geometry, voice, retina, etc.
INTERNET BANKING AND FRAUDS Fraudsters are using innovative ways like Web and Mail spoofing, attacking the bank’s server etc. to break the security walls and commit fraud. There is a need for arrangements, which help presence of integrity, confidentiality and authorization of information.
“Thieves are not born, but made out of opportunities”
This quote exactly reflects the present environment related to technology, where it is changing very fast. By the time regulators come up with preventive measures to protect customers from innovative frauds, either the environment itself changes or new technology emerges. This helps criminals to find new areas to commit the fraud. Some common Internet banking frauds and their causes have been discussed here.
Attacking the Bank’s Server In this case, the fraudster takes control of the server of the
bank and by visiting the bank’s website carries out transaction through impersonation. These attacks are due to bad programming, which mostly prevail in general purpose software. Such attacks are called bufferover-flow attacks. Due to buffer-over-flow defects in the software,
fraudster can use the commands on the server without providing essential information like password etc.
Mail Spoofing In the mail spoofing or e-mail forgery, the fraudster sends the information to bank customers in such a form that it seems that information is from the authentic bank source. One such incident happened with ICICI Bank customers to disclose passwords and other information. The e-mail said: “For security purpose your account has been randomly chosen for verification. To verify your account information we are asking you to provide us with all the data we are requesting. Otherwise, we will not be able to verify your identity and access to your account will be denied. Please click on the link below to get to the ICICI secure page and verify your account details. Thank you.” Mail spoofing happens due to lack of criteria to verify the source address authenticity. Anyone can set up a mail server and can forge a mail posing as an authentic source.
Web Spoofing
In Web Spoofing, customers of the bank are lured to log in at the fraudster’s website, which is similar to the bank’s website. Once the customer provides sensitive information, they can be stolen easily by the fraudster, who uses the stolen sensitive information like password and username etc., to carry out the transaction on the bank as a real customer. In the whole case, the only loser is the customer because he does not have any means to prove that it was not he who did those transactions, but the fraudster. Ignorance of the customer to intercept Universal Resource Locator (URL) is the major cause of Web spoofing. Look at the following two URLs • http://secure.bankname.com/carloanfind/carloans.asp
• http://secure.bankname.com? @569857125/carloanfind/carloans.asp
It is very difficult for a normal customer to understand the difference between these two URLs. He can be easily cheated
because the first URL will drive him to the original site while the second one to the fraudster’s site.
Denying Service from Bank’s Server The fraudster’s intent here is not to commit any fraud but to create inconvenience for the banks. The customer here literally cannot access the services of the bank. Intervention of fraudster’s with Transmission Control Protocol/Internet Protocol (TCP/IP), the computer communication languages, Router Poisoning that help the customers to reach different parts of the network and Domain Name System (DNS) service, that helps the two computers to communicate through IP number are some reasons for such inconvenience.
It is clear that to plug all the loopholes is very difficult for any regulator. This is a challenge to the mission of fast automation. It is essential on the part of the banks, the regulators and the service providers to create a source and safe automation environment that has the confidence and trust of the customers.
7. CREDIT CARD FRAUD ON INTERNET
Credit card fraud has become regular on Internet. All the agencies involved in the transaction, cardholders, online merchants and the card issuers suffer losses. However, it is the online merchant who suffers the most. This article examines the nature of credit card fraud, types of credit card frauds, and the effects. This article also discusses the preventive measures.
Internet commerce is growing very fast. From a customer base of 28.8 million spending US$12 bn in 1999, Internet Commerce has grown exponentially during the past few years and is still growing. But, unfortunately, the growth is not on the expected lines. The credit card fraud, which has become common, has retarded the ecommerce growth. A 1999 survey by US National consumer’s league reported that 7% of customers were victims of the credit card fraud; recent surveys indicate that one out of three online customers
have become victims to this kind of fraud. Customers, credit card companies, banks and merchants are battling this problem; still this crime is on ascendancy.
Common Types of Card Frauds There are different types of frauds involving credit cards. The fraudulent activities start from the application process itself.
Application Fraud: In
application
fraud,
the
fraudster
obtains
personal
confidential information of the other person needed in the credit card applications, like social security number, date of birth using a variety of means. Internet search engines and databases are making these tasks easier. Using this information, he fills in an application for a credit card and after receiving it, uses it as if he is the true holder. The person in whose name the card is issued might come to know about this only after the damage is done.
Counterfeit Cards:
In this, a criminal gains access to a valid card number and other information. For example, the salesperson at the supermarket briefly takes possession of the customer’s card during payment process, which he runs on a terminal. But without the knowledge of the cardholder, the salesman can also run it on another machine, which can capture all the details in the card. Using this information and tools like embossing machines, a fraudster can create a counterfeit card. This process is known as ‘skimming’ and simple hand-held devices are now available for the purpose. Further, the information skimmed can also be used for purchases on the Internet or Telephone. Account Takeover: In account takeover, the fraudster first all the personal confidential information about the other person. Then impersonating as the other person, he informs the bank that there is a change in his residential or office address. Next, he informs them that his credit card is lost and request for a new card on the new address. After receiving the card, the criminal successfully takes over the account.
Stolen and Lost Cards:
By far, this is the most common form of fraud in the market place. When the criminal has access to a stolen or lost card, he also gains access to all the personal information. Apart from using this card fraudulently, the criminal can also use the information to ‘broaden’ the fraud by applying for new cards or fabricating new ones.
Other Forms: From the point of view of a merchant, credit card frauds can be divided into three ways. There are organized fraud, opportunistic fraud and cardholder fraud. The advantages offered by Internet are also attracting the criminals in a big way. In an organized criminal activity, the gang’s obtain credit cards using any of the means discussed above. They normally identify a drop location like a vacant house or warehouse, spend the card up to the maximum limit, and ask the merchandise to be dropped at this selected location. These gangs have a thorough understanding of the system and take advantage of the fact that there is normally a time gap of more on to the next card. Opportunistic fraud is committed normally by amateurs who get an opportunity of handling credit cards, like
waiters in restaurants. Cardholder fraud involves the cardholder himself who might claim that he never placed the order or he never received the goods. It could also involve one of his family members or friends who used the card without his knowledge.
Bust Out Fraud: According to Daniel Buttafogo of Juniper, an Internet-based credit card company, in this fraud, true customers gradually build up as much available credit card and then ‘bust out’ with large purchases of items that could easily resold like jewelry or draw large cash advances etc. Here the fraudster will draw bad checks on one account to pay when this cannot be done any longer, the customer does a vanishing act. This kind of fraud is the most difficult to catch, as the customer exhibits exemplary behavior till the last moment.
Friendly Fraud / Denial of Receiving Product: Friendly fraud occurs when the actual cardholder carries out a transaction but later denies or claims that his card was stolen or used without his authorization. Customers might deny receipt or signing or even ordering the product.
Nature of E-Commerce Transactions: In e-commerce transaction, face-to-face contact between the merchant and customer is absent and this causes most of the credit card frauds. In online transactions, after filling in the online order form, the customer is expected to give his credit card number to conclude the transaction. In real world, after the purchase, the customer hands over the credit card, which the merchant swipes using a terminal. The merchant also obtains the signature of the customer on the credit card receipt. He also verifies the charge authorization. In case of fraudulent use of a card like using a stolen card, the merchant or the customer are reimbursed by the credit card company. In online transactions, the card is not present during the transaction and there is no signature of the customer on the receipt. These transaction, treated as card not present transactions, in which the card issuing companies do not reimburse the merchant. In reality, speed, which is the most important benefit of the Internet, facilitates the fraud. A physical transaction takes several minutes; where as Internet transaction takes only a few seconds. Real-time transaction reduces the overheads, but at the same time, increase the
number of fraudulent transactions. For example, a fraudster can give the same fraudulent card number to a number of e-business sites simultaneously and there is no way the merchants can know about it.
8. INFORMATION TECHNOLOGY RISK IN BANKING: MANAGEMENT & MEASUREMENT
Information Technology (IT) is not merely a technical function, but a management process, which needs to be managed effectively. To measure the IT risk in banks there are various methodologies available. All of them at large follow the same primary steps like threat analyst etc. for technology risk assessment; American Banker Association has recommended various resources.
Risk management approach had widely the baseline approach in which a baseline/ standard set of polices and practices are followed in taking business decision without considering the criticality of the business asset or decision. In business sense, risk is the probability of getting loss from taking or not taking a business decision. The loss can be tangible or intangible. Risks can be avoided, controlled, shared, transferred and accepted. Risks can be controlled through objectives, policies and procedures.
Risk management approach enables the management to give appropriate treatment to the business assets and decisions based on their criticality to business goals and business continuity. While the basic concepts remain the same, Information Technology introduces new vulnerabilities as well as new techniques for risk management. As such, technology risk management, while following the fundamentals, needs to address these new vulnerabilities.
Technology Risk Management Information Technology Risk is the risk that can arise due to use or non-use of technology in business or for business. The primary objective of an organization and its ability to conduct business. The business of IT in business is to see that the business continues. IT risks management has to ensure that this purpose is achieved. As such IT risk management process should not be treated as a mere technical function carried out by the IT people and should not just confine to IT assets. It is essentially a management function. However, the role of IT people is also vital because IT security and IT risk management are interrelated and an effective risk
management process is an important component of a successful IT security program. The broad objective of performing IT risk management is to enable the organization to achieve its business goals by better securing the IT systems and enabling management to make wellinformed risk management decisions in areas where technology is involved. IT risk management is to the process that helps to balance the operational and economic costs of risk mitigation measures and achieve gains by protecting the IT systems and data that support their organization’s goals. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities. Various organizations worldwide have come out with risk management frameworks, policies, standards and principles that are quite useful in IT risk management and measurement. The committee set up Bank for International Settlement (BIS) has identified fourteen Risk Management Principles for Electronic Banking to help banking institutions expand their existing risk
management policies and processes to cover their electronic banking activities. Similarly, the Committee of sponsoring Organizations of the Tread way Commission (COSO) Board and Project Advisory Council took on the responsibility to expand and address the remodeled components of internal control. The end product of this is the COSO Enterprise Risk Management (ERM) Framework. The Information Systems Audit and Control Association (ISACA) has developed a framework called Control Objectives for Information and related Technologies (COBIT) which helps in IT risk management. The ERM and COBIT frameworks provide a useful evaluation tool for informing management, directors and other stakeholders about a process, procedure and policy to identify, measure, prioritize and respond to finding risk. In India, RBI has been providing much guidance in this area to Indian banks. There is a good number of references and guidelines provide in the reports of various RBI Committees. The report of the RBI Committee on computer audit provide a
comprehensive checklist covering many technology-related areas, which is useful in Technology Risk Assessment. Technology Risk Assessment/Measurement Risk assessment/measurement is a process used to identify and evaluate risks and their potential effect/exposure. Risk exposure is equal to the amount of probability multiplied with impact on business. Risk management covers three processes: Risk assessment, risk mitigation, and evaluation. Risk assessment is the first process in the risk management methodology and also is necessary for the extent of the potential threat and the risk associated with an IT system throughout is System Development Life Cycle (SDLC). The output of IT risk assessment process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. Unlike financial risk, technology risk cannot be easily quantified or measured. But, banks can gain financial and operational benefits by conducting an effective Technology Risk Assessment (TRA). These include enhancing corporate governance over IT activities, proactively identifying vulnerabilities and
implementing risk business imperatives, and efficiently using corporate risk management resource, including audit, in ensuring a cost-benefit control environment. Threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system to determine the likelihood of a future adverse event and its impact. Impact refers to the magnitude of harm that could be caused by a threat. The level of impact is governed by the potential impact on organizational goals and, in turn, determines the level of criticality of an IT asset/resource.
Technology Risk Assessment (TRA) Methodologies The quality of the technology risk assessment affects the effectiveness of risk-based decision of management. With the increasing interest in operational risk management and concerns about corporate governance, may proprietary enterprise riskmanagement methods/solutions came in the market to help banks to meet the assessment challenge. Since these methodologies are mostly developed for and by traditional risk managers, they are generally weak in areas relating to technology, although they
provide an adequate perspective from a credit, financial, and environmental standpoint.
Risk assessment methodology generally follows the following primary steps: • Threat and Vulnerability Identification • Probability/Likelihood Determination • Impact Analysis • Risk Determination • Control Recommendations • Results Documentation Technology Risk Assessment (TRA) methodologies are not much different from general risk assessment methodologies and they, too, follow these steps. However, the risk assessment tools would be different in case of technology risk because to assess adequately and to prioritize technology risk, the risk assessment tools must be supplemented with methodologies specifically geared to technology. As in the case of enterprise risk assessment tools, ready-made methods and tools developed by vendors can be used for TRA also.
However, a number of challenges are involved in using these readymade tools like vendor methodologies which may not continuously update the TRA throughout the year due to the costs involved; the outsourced methodology/tool may not understand the bank’s specific issues, etc. The American Bankers Association lists the following recommended resources for TRAs: • International Standards Organization (ISO) 17799 (ISO Standards) • Control Objectives for Information Technology (COBIT) • SysTrust • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) • National Institute of Standards and Technology (NIST) These resources are inexpensive to implement and serve the purpose in most cases. They are based on extensive research from government and professional security experts and are vendor neutral. These methodologies enjoy excellent reputation among corporate governance experts.
A summary description of each of the above TRA methods is as follows:
ISO Standards The ISO along with the International Electro-technical Commission
forms
the
specialized
system
for
worldwide
standardization. The stated purpose of the ISO standards is to “provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter organizational dealings.” Originally, developed in Britain, it is a favored TRA approach in Europe. The standard is often referenced and leveraged by other prominent methods and covers 10 areas namely, Security policy, Communications and operations management, Organizational security, Access control, Asset
classification
and
control,
System
development
and
maintenance, Personal security, Business continuity management, Physical and environment security, and Compliance.
COBIT
COBIT has been developed as a generally applicable and accepted standard for good IT security and control practices that provides a reference framework for IT governance. COBIT is sponsored by the IT Governance Institute, established by the Information Systems Audit and Control Association (ISACA), and addresses risk from both the business and technology perspectives. It is an internationally recognized tool, incorporating both operation management and audit concerns, which have been adopted in organizations including the US House of Representatives, Charles Schwab & Co., and Swift. The framework compromises 34 high-level control objectives belonging to four domains. For each control objective, audit procedures and management guidelines are provided. The latter guidelines uniquely provide COBIT with a business management perspective; maturity models, critical success factors, key goal indicators, and key performance indicators are provided for each of the high-level control objectives. COBIT focuses on processes and their ownership. It provides excellent methodology for various parts of an organization to have the same perspective at IT risk management. However, COBIT is
more of a general assessment tool and detailed issues are to be considered in the form of audit programs. As such some consider it to be too theoretical.
Sys Trust The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) introduced a service to provide assurance on the reliability of systems. The purpose of this service, known as Sys Trust, is to increase the comfort of management, customers and business partners with the systems that support a business or particular activity. The service considers four principles to evaluate whether a system is reliable.
• Availability: The system is available for operation and use at times set forth in service level statements or agreements.
•
Security: The system is protected against unauthorized
physical and logical access.
•
Integrity: System processing is complete, accurate,
timely and authorized. •
Maintainability: The system can be updated when
required in a manner that continues to provide for system availability, security and integrity. Although, SysTrust was not necessarily developed as a risk management tool, many organizations have found that the SysTrust principles could be adopted as an effective RA tool since the principle provide a stake holder’s perspective on the impact of technology on business activities. The AICPA/CICA is currently considering a new version of the SysTrust tool that would also incorporate e-commerce activities. Under the revision, five principles would replace the four above. Principles consider would include security, availability, processing integrity, online privacy and confidentiality. SysTrust provides good high-level questions for an overview on overall reliability but may not provide detailed methods for intended objectives. It is more of an executive level assessment perspective rather than at operational level. However, it also has provision for third party assessment and covers security also.
OCTAVE Developed by the Software Engineering Institute (SEI) at Carnegie Mellon University, OCTAVE is a comprehensive, selfdirected approach to TRA. It differs from traditional TRAs in that it first determines which information assets really need to be protected and then evaluates the technology infrastructure to determine the vulnerability of those assets. OCTAVE presents an exciting TRA to ORMs because the SEI is home to the CERT alerts and other information relating to managing security vulnerabilities. This robustness of tools, workshops, and publications relating to OCTAVE significantly enhances an effective assessment by the ORM. Specially, OCTAVE uses a three-phased approach to identify the technology risk management needs of an enterprise:
•
Build asset-based threat profiles: Identify important
information assets, the threats to those assets, security and current risk mitigation strategies.
•
Identify infrastructure vulnerabilities: Examine technology
infrastructure for vulnerabilities that can be compromised.
•
Develop security strategy and plans: Based on the results of
the first two phases, develop a strategy-based on business priorities to mitigate risks. OCTAVE is a full methodology with supporting tools and leverages from a combination of academic research and industry practices but, it is geared to larger institutions and the use of it without formal training is difficult.
NIST The Information Technology Laboratory (ITL) at the NIST in USA is a body, which provides technical leadership for the nation’s measurement and standards infrastructure. These include developing standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. Like the other organizations mentioned previously, NIST provides a detailed checklist of IT-related risk mitigation strategies that should be assessed as a part of a TRA. In addition to its detailed
coverage of security issues, the checklist enables to determine if risk is managed by using five “levels of effectiveness”.
1. Control objectives documented in a security policy.
2. Security controls documented as procedures.
3. Procedures have been implemented.
4. Procedures and security controls are tested and reviewed.
5. Procedures and security controls are fully integrated in to a comprehensive program. However, this is mostly followed by big government organizations and following these methodologies could be too burdensome in a smaller organization.
9. PRIMARY DATA & ITS ANALYSIS The primary data has been collected through surveys in banks (questionnaire) viz., Bank of Maharashtra, ICICI bank, HDFC bank. Q.1) I.T. in banks is much more advanced than traditional banking? Q Agree Disagree D Fifty-Fifty ANALYSIS: -
AGREE DISAGREE FIFTY-FIFTY
GRAPH: -
Bank of ICICI Maharashtra 96% 98% 3% 2% 1% 0%
HDFC 100% 0% 0%
100% 99% 98% 97% 96% 95% 94%
Bank of Maharashtra AGREE
ICICI
HDFC
DISAGREE
FIFTY-FIFTY
EXPLANATION: It is cleared from questionnaire method that every one agrees to the statement “I.T. in banks is much more advance than traditional banking”. Approximately ninety eight percent of bank employees agree to the above statement.
Q.2) The ratio of online transaction v/s manual transaction. 1 1:2 ANALYSIS: -
2 2:1
E Equal
Can’t Say
Bank of Maharashtra
ICICI
HDFC
1:2 2:1 Equal
30% 60% 0%
0% 100% 0%
0% 100% 0%
Can’t Say
10%
0%
0%
GRAPH: 100% 80% Can’t Say Equal 2:1 1:2
60% 40% 20% 0%
HDFC
ICICI
Bank of Maharashtra
EXPLANATION: -
According to the above data collected it is clear that approximately ten percentage of employees says that the ratio of online transaction v/s manual transaction is 1:2, eighty seven
percentage says it is 2:1, zero percent says it is equal & three percent cant say anything.
Q.3) Information technology in banks encouraging online frauds. Yes
No
To some extent
ANALYSIS: -
Bank of Maharashtra
Yes 90% No 6% To some extent 4% GRAPH: -
ICICI
HDFC
92% 5% 3%
98% 1% 1%
100% 80% 60%
To some extent
40%
No
20%
Yes
0%
Bank of Maharashtra
ICICI
HDFC
EXPLANATION: -
According to the above data collected it is clear that approximately ninety three percent of employees says yes, four percent says no and three percent says to some extent.
Q.4) Type of banking facility that will be friendly to illiterate customer. Online banking Manual-banking O M Both ANALYSIS: Bank of Maharashtra
Online banking 2% Manual banking 97% Both 1% GRAPH: -
ICICI
HDFC
0% 98% 2%
0% 100% 0%
0%
2%
1%
100% 80%
100%
98%
40%
97%
60%
20%
Online banking
ICICI
Manual banking
0%
Bank of Maharashtra
0%
2%
0%
HDFC
Both
EXPLANATION: According to the above data collected it is clear that approximately ninety seven percent of employees says that manual banking type of facility is friendly to illiterate customers, two percent says online banking and one percent says both online as well as manual banking is friendly to the illiterate customers.
Q.5) In what way I.T. in banks affects the work of the employees. Increases the work
Decreases the work
Same at both levels ANALYSIS: Bank of Maharashtra
Increases the work 45% Decreases the work 50% Same at both levels 5% GRAPH: -
ICICI
HDFC
30% 63% 7%
40% 55% 5%
5%
7%
55%
63%
60%
50%
80%
5%
100%
40%
Bank of Maharashtra
Increases the work
40%
0%
30%
45%
20%
ICICI
HDFC
Decreases the work
Same at both levels
EXPLANATION: According to the above data collected it is clear that approximately thirty eight percent says I.T. in banks increases the work of the employees, fifty six percent says decreases the work and six percent says it is same at both the levels.
Q.6) Does I.T. in banks increasing the cost of banking operations / banking transaction. Yes
No
Equal
ANALYSIS: -
Yes No Equal
GRAPH: -
Bank of Maharashtra
ICICI
HDFC
98% 2% 0%
94% 5% 1%
100% 0% 0%
0%
1% 5%
0% 2%
100% 80%
100%
ICICI
HDFC
98%
40%
94%
60%
20% 0%
Bank of Maharashtra Yes
No
Equal
EXPLANATION: According to the above data collected it is clear that approximately eighty seven percent of employees says yes i.e. I.T. increases the cost of banking operations or banking transactions, two percent says no and one percent says equal.
10. SECONDARY DATA AND ANALYSIS
Indian Scenario
Major players in the Indian Market Banks
Citibank Stan Chart SBI-GE
No. of cards in lakhs 2002 16
2003 20
14
18
9
13
According to an analyst, it is estimated that the Indian smart card industry is growing around 45% annually, would reach the size of $6 bn by 2010. In the next five years, the number of smart cards being used in the country can touch 400 million from around 50 million cards today. To standardize the smart card, the Government has recently standardized the technical aspects of smart cards. An operating system called “SCOSTA” (Smart Card Operating System for Transport Application) developed by IIT Kanpur has been chosen as the standard operating system for transport-related projects. India is planning to issue smart card based identity cards to citizens. State Governments are also planning to issue smart card based driving licenses.
Kerala
recently
tried
a
ration
card
project
at
Thiruvananthapuram. But the lack of resources with state governments may halt many such projects. States like Kerala have stopped several smart card related projects due to resources crunch. “ It is the market for SIM cards for mobile phone that is growing faster in India-at about 70-80% annually. Once the National Identity Card project is launched, the demand for smart cards will
skyrocket,” opines Sanjay Dharwadkar, Head of Systems Marketing, Smart Chip Ltd.
11. FINDINGS AND CONCLUSIONS According to the survey conducted in Bank of Maharashtra, ICICI Bank & HDFC Bank, the following points are concluded: 1. I.T. in banking sector is much more advanced than traditional banking. 2. Online transactions are widely used than manual transactions. 3. Manual banking facility is more friendly to illiterate customers. 4. I.T. in banks to some extents reduces the work of employees. 5. I.T. in banks to some extent encourages online frauds. 6. Online banking is much more costlier than manual banking. It increases the cost of banking operations. 7. Online banking facility can lead to progress of the banking sector.
12. SUGGESTIONS AND RECOMMENDATIONS
1. Some highly advanced softwares / programs should be implemented in banking sector in order to prevent hackers and frauds.
2. Online banking operations cost or banking transaction cost should be reduced so that middle class customer can have access to online banking facility.
3. Further research can be done in topics related to this project viz., software application in banking sector, technology and frauds.
4. Awareness programs related to online banking for middle class people.
BIBLIOGRAPHY REFERENCE RELATED TO BOOKS •
Katuri Nageshwara Rao & Yashpaul Pahuja, (2005), ‘IT IN BANKS – EMERGING TRENDS’
• Kamlesh k Bajaj & Debjani Nag, ‘ELECTRONIC COMMERCE- THE CUTTING EDGE OF BUSINESS’, Delhi, Tata McGraw Hill Publishing Co. Ltd.
JOURNALS AND MAGAZINES • Ravi Kumar Sharma, ‘PROFESSIONAL BANKER’, Nov.2005. RESEARCH REPORTS • THE EFFECT OF INFORMATION AND COMMUNICATION ON THE BANKING SECTOR AND PAYMENT SYSTEM -BY ARBUSSA REIXACH • INTERNET BANKING COMPTROLLERS HANDBOOK INTERNET •
www.banknetindia.com
•
www.microsoft.com
View more...
Comments