Shri Chinai College of Commerce & Economics, Andheri (E), Mumbai-400069. Project on IT in banking industry. Project by PARESH J SUDRA, T.Y.B.COM (BANKING & INSURANCE), ROLL NO -48. Project guide: PROF. NISHIKANT JHA. UNIVERSITY OF MUMBAI, ACADEMIC YEAR 2007-2008

I.T. in Banking Industry

Page 1: I.T. in Banking Industry

Shri Chinai College of Commerce & Economics

Andheri (e) Mumbai-400069

Project on

IT in banking industry

Project by

PARESH J SUDRA

T.Y.B.COM (BANKING & INSURANCE)

ROLL NO -48

Project guide

PROF. NISHIKANT JHA

UNIVERSITY OF MUMBAI

ACADEMIC YEAR

2007-2008

ACKNOWLEDGEMENT

I am most thankful to my internal guide, Prof.

NISHIKANT JHA, for his guidance throughout the

project and for encouraging me all the time. I value very

much that he has been extremely available, even when his

work schedule was very tight. I also value his generosity.

There are many people to whom I feel obliged for

their comments on the contents of the project. I thank

Prof. Mrs. Kruttika K. Sontakke, Prof. Parina Sangha.

I am also grateful to my college friends: HITESH

D. PADHIYAR, VINAY MALVAN, PANJAB SINGH.

DECLARATION

I, MR PARESH J. SUDRA, student of T.Y.B.COM (BANKING & INSURANCE), SHRI CHINAI COLLEGE OF COMMERCE & ECONOMICS, hereby declare that I have completed this project on IT IN BANKING INDUSTRY in the academic year 2007-08. The information is true and original to the best of my knowledge.

(SIGNATURE OF STUDENT) (PARESH J. SUDRA)

CERTIFICATE

I, PROF. NISHIKANT JHA, hereby certify that PARESH J. SUDRA, STUDENT OF T.Y.B.COM (BANKING & INSURANCE), SHRI CHINAI COLLEGE OF COMMERCE & ECONOMICS, SEMESTER 5TH, has completed the project on IT IN BANKING INDUSTRY in the academic year 2007-08. The information submitted is true & original to the best of my knowledge.

SIGNATURE OF PROJECT GUIDE

TABLE OF CONTENTS

1. INTRODUCTION

a) OBJECTIVES OF THE STUDY

b) LIMITATIONS OF THE STUDY

c) RESEARCH METHODOLOGY

2. E-BANKING: IN NASCENT STAGE IN INDIA

3. ELECTRONIC CHEQUES & EVIDENTIARY VALUE

4. THE FUTURE OF PLASTIC MONEY

5. LEADING ISSUES IN BANKING TECHNOLOGY

6. TECHNOLOGY & FRAUDS

7. CREDIT CARD FRAUD ON INTERNET

8. INFORMATION TECHNOLOGY RISK IN BANKING:

MANAGEMENT & MEASUREMENT

9. PRIMARY DATA & ANALYSIS

10. SECONDARY DATA & ANALYSIS

11. FINDINGS & CONCLUSIONS

12. SUGGESTIONS & RECOMMENDATIONS

13. BIBLIOGRAPHY

1. INTRODUCTION

The Indian Banking system has an age-old legacy. Earlier

there were indigenous bankers who consisted mainly of unorganized

moneylenders, mahajans and sahukars. Later, when the British came to

India they brought with them the concept of organized

banking. The British, while leaving India, left behind a large number of

small and privately held banks. In 1964, the first major banking

reform took place when 14 banks were nationalized. It led to the

rise of Indian Public Sector Banks. The second banking reform

was witnessed in the 1990s when the Indian Banking Sector underwent

complete change after the recommendations of the Narasimham

Committee. Private and MNC banks entered into the

Indian Banking arena and challenged the monopoly of the PSU

banks. The Private and MNC banks brought new technologies and

technology-intensive services with them. They rendered

quality service, which PSU banks were not providing, to

service-starved Indian customers. There was a series of technological

innovations and up-gradations, e.g., ATMs, Internet Banking, credit

cards and online banking, etc. Private banks and MNC banks had to

provide something extra and it was their service, which attracted a

bulk of customers from the PSU banks. Indian customers were

lacking world-class service in banking; they were accustomed to

the PSU (Sarkari) culture and the service of Private and MNC banks

was a delight for them.

When private and MNC banks initiated world-class

service to their customers and started snatching customers from

Public Sector Banks, Public Sector Banks were bound to follow the

path of Private Banks. The PSU banks felt the heat and realized their

mistake. They also followed the Private Banks in their technology

initiatives and services.

The Indian Banking Sector with the progress in Technology is

facing the biggest challenge of rapidly changing customer

expectations against the backdrop of LPG (Localization,

Privatization and Globalization). Retail banking clients today

demand more care and extra facilities. They want more mobility of

investments, interactive accounts, and better segmentation of

banking products to cater to different segmental needs, convenience

and services at odd hours. Even the PSU culture could not adjust to

the pace of the new technology and changes. At present also it is

moulding and adapting itself to new needs and the dynamism of the

environment.

Technology is helping the Indian Banks to cater to customer

needs in a much more efficient manner, with continuous and error-free

services to customers. With the help of computerization and the use

of modern software, which can be called the gift of technology, the

banks have been able to provide a single window system to their

customers. In a single window system, all the needs of the customers

are taken care of at a single counter. It is like a multipurpose counter

where one can deposit cheques, receive payments and deposit cash

etc. This has been made possible only due to the use of technology.

Earlier one had to move from one counter to the other counter for

different sorts of work. Thus this type of service not only helps in

better customer service but also minimizes the customer service time

as it avoids duplication of work and unnecessary hassles to the

customers. With the use of technology, banks are trying to minimize

their per-customer service cost. According to industry estimates,

assuming a teller costs Re.1 per transaction, ATM transactions cost

Re.0.45, phone banking Re.0.35, debit cards Re.0.20 and

Internet banking Re.0.10 per transaction. So, now the emphasis is

more on net banking than on real banking or brick and mortar

banking. Indian Banking system is moving from real banking realm

to virtual banking realm. Banks are establishing more and more

ATMs at different convenient locations and interconnecting these

ATMs not only with their own networks but also with the networks of

partner banks with whom they have a mutual understanding for sharing

ATMs. As Internet banking has the lowest cost, banks are placing

greater emphasis on Internet banking.

As per IDC estimates, the total number of registered users for

Internet banking in India is over two million. But this figure needs to

be adjusted for dormant users and multiple accounts (a user having

accounts with more than one bank). India has one million active

Internet users. This is just around 0.1% of the total

population, yet it represents 15% of India’s Internet users (most

people in India use the Internet from cyber cafés), indicating

that the concept of Internet banking is surely catching on. India is far

behind in the use of Internet banking than the other Asian countries

like Korea and Singapore where nearly 10% of their population is

banking over the Internet but India is fast catching up. In India, the

biggest drawback for Internet banking is the Internet penetration

among the masses. We lack the infrastructure facility for providing

Internet services but with the IT ministry keen on expanding the

Internet penetration, the day is not too far when the greater part of our

population would be using the Internet banking facilities.

In India, ICICI bank was the pioneer to introduce Internet

Banking. Later, Citibank, HDFC Bank and other banks followed

suit. PSU banks have lagged far behind in adoption of the

Internet banking facilities. But State Bank of India, which entered

the arena of ATM banking quite late, was able to expand at a rapid

pace and cover almost all the cities of India. Now ATM banking has

become an integral part of traditional cheque or withdrawal based

banking. These services have helped the PSU banks to maintain their

customers. Now money is transferred more in electronic form than

in physical form. The fast-declining cost of PCs, the

government’s initiative in providing the infrastructural facilities for

net banking and the faster developments in the telecommunication

sector will help in the adoption of new technology and IT-based

banking services. Some authors take the view that Internet

banking is just an extension of the traditional banking services

because it is the same service with a customer-friendly technological

interface. So, it is a value addition to the existing services. Banks

are reaping the following benefits with the use of technology:

With low investment, banks would be able to satisfy large

customer base. The technology has allowed the banks to move

from brick and mortar buildings to a virtual interface, which costs

less in comparison to the rising real estate prices, which in turn

lead to increased investment. Low investment in turn helps in

satisfying large client base.

With modern facilities more and more customers get

attracted to the banks and they are viewed as technology

savvy and modern or state-of-the-art banks. The brand image of

the banks also gets enhanced, thus building their goodwill and

brand equity. Even customers want to be associated with the

brand personality of the banks.

With the increase in quality and competition, the

customers have several choices to choose from

instead of Hobson’s choice in some cases. Now banking

services have become customer-centric instead of the service-centric

or bank-centric approaches of earlier times. Now, it

is a customer’s market rather than a seller’s (banker’s) market.

All the services are customer driven.

Network sharing by different banks is enabling the banks

to reduce their investment (sharing of ATMs of partner banks)

and provide better services to the customers. This is also

helping them in delivering quick services and it also reduces

the risk of fraudulent practices as verification becomes quite

easier and quicker.

These practices are leading to lower service cost per

customer, thus leading to enhanced profitability for the banks,

which in turn enhances the corporate image of the banks.

With the use of technology banks are in a position to

obtain the customer database at the press of a key and this

helps the bank to maintain high profile customers because it is

an accepted marketing principle that 80% of the revenue is

generated by 20% of customers (20:80 principle). Thus, the

modern technology helps in tracking the key customers and

provides them better services or customized services.

The alternative channels of service help the bankers to

add new products to their portfolio and help them to devise

new products according to customer needs. The banks can

provide customized value added services or tailor-made

service to each customer based on his/her requirement, e.g.,

foreign money transfer service, electronic money etc.

It helps the banks to manage their funds in a much better

way as the technology provides round the clock interface to

the outside world and thus it helps in hedging the risk of the

banks at real time. Banks are able to minimize the risk and

maximize returns by investing in different avenues and they

have greater control over the fund investments.

Technology helps in increasing the labor productivity

because it increases the output per worker manifold. Earlier,

work had to be performed manually and used to take days;

now it is completed in minutes or in seconds. So, it helps in updating

the customer status as well as increasing labor productivity.

The customer service cost decreases and the productivity

of the staff increases and this adds to the profitability of the

banks. This helps the banks to take care of even larger

customer base and this will ultimately add to the bottom

line of the banks.

Public sector banks have been shy in implementing new

technology, staying with brick and mortar banking in comparison to

technology-driven banking, while the client base of Private and MNC banks is

mostly young people who are technology-savvy and who like to

interface more with technology than with people. Aged people are not

comfortable with the technological interface. They find

technology-intensive services complex and uncomfortable.

With the present avenues being saturated and greater

competition due to the entry of more players in the arena, the banks

are diversifying into new areas where they can use their financial

expertise in financial consultancy, insurance sectors, and fee-based

earnings instead of fund-based earnings. The mushrooming of the

multichannel, multifunction, self-service electronic delivery

channels is fast replacing the brick and mortar branches (real to

virtual). There is a need to redefine the business model of the Indian

banking sector so as to optimize the resources and deliver world

class service in the light of modern day technology. Today’s concept

is to minimize the visits of the customer to the bank and let him use

the technology or let technology handle him; this is the new survival

mantra in the cutthroat scenario for banks.

OBJECTIVES OF THE STUDY

The objectives of the project “The Study Of Application of

Information Technology In Banking Sector” include the following:

To know the present condition of technology in Indian

banking sector.

To know about the electronic payment system.

To know about the hackers and frauds in online banking.

To know about the risk management policies of Indian

banking sector.

To know about the electronic banking sector.

LIMITATIONS OF THE STUDY

The scope of the project “The Study Of Application Of

Information Technology In Banking Sector” has been restricted to some

extent, i.e. the project does not include the following:

Supervision of Electronic Banking by Reserve Bank Of India

Information Technology in Banks in International Scenario

Software Application to Protect from Hackers & Frauds

Case Studies Related To Hackers & Frauds

RESEARCH METHODOLOGY

COLLECTION OF PRIMARY DATA:

The primary data has been collected from various sources

which are as follows:

Questionnaire method.

Surveys in banks.

Surveys in bank-related offices such as agents’ offices etc.

COLLECTION OF SECONDARY DATA:

The secondary data has been collected from various sources

which are as follows:

Various books related to information technology.

Brochures of various banks.

Weekly journals.

Articles in newspapers.

SAMPLE FRAME:

The data has been analyzed using ten samples of employees of

three different banks viz., Bank of Maharashtra, HDFC Bank and

ICICI Bank.

2. E-BANKING: IN NASCENT STAGE IN INDIA

To keep pace with the changing environment worldwide, Indian

banking industry is fast adopting technology. It has embraced

many new features like Internet banking, ATMs, Phone banking

etc. With the help of new technology, banks are now able to

offer products and services, which were difficult or impossible

with traditional banking. But the banks in India still have to go a

long way before making themselves technology savvy.

With IT integration, a paradigm shift in the banking norms is on

the cards. Banking fundamentals are thus facing major overhauls/

reengineering/ restructuring.

Two major trends have emerged in the transition of traditional

banking to high-tech banking:

Advancements and restructuring through mergers, acquisition

and alliances.

Universal banking where one stop shop provides all related

products and services to a customer.

At this point, it should be emphasized that mergers, acquisitions,

alliances, and adoption of Universal Banking concept are just

outcomes of IT-banking integration.

Banking and IT

Advancements and innovations in IT industry have created a

revolution in the communication and distribution system of various

products and services through Web networking. Networking, as we

know has connected people around the globe, thus creating a

revolution in modern business activities.

Integration of these technological advances and existing

banking structures has changed and will change the definition and

faces of global banking. Internet banking has made banking a

commodity where quality is measured by efficient servicing and

effective pricing and timeliness.

However, PC banking is not new. Bank of Scotland started

offering its Home Office Banking Services (HOBS), more than a

decade ago, although it was only in 1996 that it was upgraded to

make software work with the now dominant Windows operating

systems. HOBS later joined hands with TSB, which in 1996

launched banking services accessible through the CompuServe

online network, nationwide.

Technology Solutions for Indian Banks

Two types of technology stock bank products are available in

the market.

Hardware products like ATMs and

Software products like branch connectivity, cluster-banking

software, and trade finance software.

3. ELECTRONIC CHEQUES AND EVIDENTIARY VALUE

The advancement in technology has led to the creation of

electronic cheques, particularly in a business environment. Different

countries have a choice of cheque systems, which are governed by

the laws applicable to each country’s jurisdiction. The authentication

of these electronic instruments is proposed to be endorsed by digital

signature. In India, the enactment of the Information Technology

Act, 2000 obligated amendments to The Negotiable Instruments Act,

1881 in order to impart legal validity to such electronic instruments.

The authors in this article elucidate the amended provisions and

examine the evidentiary value of such electronic instruments.

The electronic cheque or simply the e-cheque is gradually

replacing the longstanding paper cheque. The Negotiable

Instruments (Amendments and Miscellaneous Provisions) Act, 2002

was amended to include the phrase “electronic cheque” in the

definition of a cheque; Section 6 reads as: “A ‘cheque’ is a bill of

exchange drawn on a specified banker and not expressed to be

payable otherwise than on demand and it includes the electronic

form. “Explanation I. – For the purpose of this section, the

expression-

“A cheque in the electronic form” means a cheque which

contains the exact mirror image of a paper cheque and is generated,

written and signed in a secure system ensuring the minimum safety

standards with the use of digital signature (with or without

biometrics signature) and asymmetric cryptosystem.”

An electronic cheque simply means a cheque in the electronic

form, which is an exact replica of a physical cheque. It contains all

the information that is found on a physical cheque, but it is “signed

digitally” or “endorsed”.

In an attempt to provide authentication, an apparatus

commonly known as “signature” was evolved as a proof asserting

intention. This involved appending a unique identifier to a message

to identify the sender/recipient. Conventionally, handwritten

signatures are affixed to paper-based cheques. These signatures affixed

using ink are used as an authentication tool to identify that the

person signing the document has read and understood the contents.

In the anonymous digital world, where individuals may not actually

communicate with each other, much emphasis is placed on the

authentication of the electronic information. Therefore, it became

necessary to evolve a secure authentication tool, which led to the

promotion of digital signatures.

DIGITAL SIGNATURE – HOW IT OPERATES

It is a data string, which associates a message in the digital

form with some originating entity. It is created and verified by means

of cryptography, the branch of applied mathematics that concerns

itself with transforming messages into apparently meaningless forms

and back again. It uses a scheme or mechanism consisting of

signature generation algorithm with a method for formatting data

into message to produce a digital signature, and a related signature

verification algorithm with the method to recover data from the

message to authenticate a digital signature.

It is important to note that the fact that the Information Technology Act,

2000, in Section 3(2), provides for a particular asymmetric

cryptosystem and hash function as the means of authentication should

be recognized as a source of legal risk.

The digital signature mechanism follows an “asymmetric

cryptosystem”. In this method of creating and verifying a digital

signature, there are two basic technical processes or functions:

“public key encryption”, where encryption is the process by which

information is scrambled by the use of a code, and the “hash”.

The process of creation and verification of digital signatures

using hash algorithm involves the following steps:

Create the data unit that is to be signed, that is, a precisely

delimited portion of data in digital form, which can be a text

document, software or any other digital information.

Generate the hash value, called the “Message Digest” or “Fingerprint”

of the message. A hash function is a process that creates a

relatively small number (called message digest) that

represents a much larger amount of electronic data.

This hash value is a number computed from the data unit

using a hash algorithm, and the digital signature is created from

this compressed value. Digital signatures use a “one way hash function”

and the important thing about such a hash value is that it is

nearly impossible to derive the original data unit from the

hash value alone.

Therefore, if the data unit is changed or otherwise tampered

with, the hash value will no longer correspond to this data unit

and verification produces an error message.

Encrypt the hash value with the private key of the signatory.

Encryption is a process of disguising a message in such a way

so as to conceal its meaning and substance. It also consists of

a procedure of converting plain text to a cipher text. Hence,

the plain text refers to the original digital file, whereas the

ciphertext refers to the disguised file.

The final step is the verification process, which involves the

regeneration of the hash value on the basis of the same data

unit and the same algorithm. The regenerated hash value is

then checked, using the signatory’s public key, against

the signature attached to the data unit. If the

two match, this verifies that the signatory’s private key

was used to sign and guarantees that the data unit has not

been altered.

In this context, digital signatures are created when the drawer

of the cheque runs the cheque through a one-way function, creating

a message digest. The private key used by the drawer of the cheque

is known only to him. The drawer encrypts the resulting message

digest with this key; the asymmetric cryptosystem then allows the paying

banker to verify the signature by decrypting it with the corresponding public key.
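The signing and verification steps described above, as an added example that is not part of the original project: it signs a constructed e-cheque record with SHA-256 and RSA (PKCS#1 v1.5 signature encoding) and shows that altering either the cheque or the signature makes verification fail. The field names, function names and the demo key built from two known Mersenne primes are assumptions for illustration; real deployments use a vetted cryptographic library and randomly generated keys.

```python
import hashlib
import hmac
import json

# Constructed demo key pair. The primes are known Mersenne primes so the
# example is reproducible offline; never build a real key this way.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (signatory only)
K = (N.bit_length() + 7) // 8               # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256, as used by PKCS#1 v1.5 signatures.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def data_unit(cheque: dict) -> bytes:
    """Step 1: fix the exact bytes to be signed (canonical JSON)."""
    return json.dumps(cheque, sort_keys=True, separators=(",", ":")).encode()


def message_digest(data: bytes) -> bytes:
    """Step 2: one-way hash ("fingerprint") of the data unit."""
    return hashlib.sha256(data).digest()


def encode_digest(digest: bytes) -> bytes:
    """Pad the digest to modulus length: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(data: bytes) -> bytes:
    """Step 3: apply the signatory's private key to the encoded digest."""
    em = int.from_bytes(encode_digest(message_digest(data)), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify(data: bytes, signature: bytes) -> bool:
    """Step 4: regenerate the digest, open the signature with the public
    key, and compare the two encodings in constant time."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    opened = pow(s, E, N).to_bytes(K, "big")
    expected = encode_digest(message_digest(data))
    return hmac.compare_digest(opened, expected)


# Constructed sample e-cheque; every value is made up for the example.
CHEQUE = {"cheque_no": "000123", "drawer": "A. Drawer", "payee": "B. Payee",
          "amount_inr": "15000.00", "date": "2008-01-15"}


def demo() -> dict:
    """Verify a genuine cheque, a tampered cheque and a tampered signature."""
    sig = sign(data_unit(CHEQUE))
    altered = dict(CHEQUE, amount_inr="95000.00")        # amount changed
    bad_sig = sig[:-1] + bytes([sig[-1] ^ 0x01])         # one bit flipped
    return {
        "genuine": verify(data_unit(CHEQUE), sig),
        "altered_cheque": verify(data_unit(altered), sig),
        "altered_signature": verify(data_unit(CHEQUE), bad_sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

The verifier rebuilds the expected encoding and compares it with the opened signature rather than parsing the opened bytes, which avoids the lenient-parsing mistakes that have affected signature checks of this kind.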

EVIDENTIARY VALUE OF DIGITAL SIGNATURE ON E-

CHEQUES

Generally, authentication is achieved by what is known as

security procedure, but from the legal perspective, the security

procedure requires to be recognized by the law as a substitute for

signature.

With the emergence of cyberspace it became necessary to

amend certain provisions of the Indian Evidence Act to make

electronic evidence admissible in courts of law. Accordingly, the

second schedule to the Information Technology Act has amended

the Indian Evidence Act, 1872 to remove any obstacle to the legal

acceptance and validity of electronic evidence.

According to the amended Section 3 of the Evidence Act,

electronic records stand on par with paper-based documents and will

be deemed as documentary evidence in a court of law.

While Section 22(A) of the Information Technology Act

amends Section 17 of the Indian Evidence Act, 1872 to provide that

oral admission as to the contents of the electronic records are

relevant, the written admission of the content of any document or

electronic record can be proved under Section 65 of the Evidence

Act.

Section 39 of the Indian Evidence Act provides, “when any

statement of which evidence is given forms part of a longer

statement, or is contained in a document which forms part of a book,

or is contained in part of electronic record or of a connected series of

letters or papers, evidence shall be given of so much and no more of

the statement, conversation, document, electronic record, book or

series of letters or papers as the court considers necessary in that

particular case to the full understanding of the nature and effect of

the statement, and of the circumstances under which it was made.” It

can be inferred from this provision that where entry of an electronic

cheque forms a part of an electronic record, only that part which is

relevant may be taken as evidence before the court. Again what part

is relevant depends on the discretion of the court. The court must

exercise this discretion judicially to determine such relevance.

Accordingly, Section 5 of the Information Technology Act

2000 prescribes, “ Where any law provides that information or any

other matter shall be authenticated by affixing the signature or any

other document shall be signed or bear the signature of any person

then, not withstanding any document contained in such law, such

requirement shall be deemed to have been satisfied, if such

information or matter is authenticated by means of digital signature

affixed in such manner as may be prescribed by the Central

Government.”

Explanation- For the purposes of this section, “signed”, with

its grammatical variations and cognate expression, shall, with

reference to a person, mean affixing of his handwritten signature or

any mark on any document and the expression “signature” shall be

constructed accordingly”.

This provision explicitly explains that a digital signature is

legally recognized as the method of authentication. The authority to

use digital signatures in the government and its agencies is accorded

in Section 6 of the Information Technology Act, 2000, which reads

as-

“ 1) Where any law provides for-

a) This filing of any form, application or any other document

with any office, authority, body or agency owned or

controlled by the appropriate government in a particular

manner.

b) The issue or grant of any license, permit, sanction or approval

by whatever name called in a particular manner.

c) The receipt or payment of money in a particular manner, then,

notwithstanding anything contained in any other law for the

time beginning in force, such requirement shall be deemed to

have been satisfied if such filing, issue, grant, receipt or

payment, as the case may be, is effected by means of such

electronic form as may be prescribed by the appropriate

government”.

The words in Section 6(1)(C) “ the receipt or payment of

money in a particular manner … is affected by means of such

electronics forms as may be prescribed by appropriate government”

may be understood to include e-cheque.

A system of digital signature, like a handwritten signature, is used

to protect confidential information. From the legal perspective, two

presumptions that could be raised in respect of digital signature are:

The signatory’s personal participation in the act of signing,

or that of any person authorized by him.

The intention of the signatory to endorse or approve

authorship of a text and the fact that the signatory had been

at a given place and time.

The presence of intention as an integral part of a signature is

essential as lack of intention could be raised with regard to

circumstances including fraud and unconscionable conduct.

To regulate the use of digital signature, the Central Government

is empowered to lay down rules under Section 10 of the Information

Technology Act, 2000 that reads, “The central government may, for

the purposes of this Act, by rules, prescribe-

The type of a digital signature;

The manner and format in which the digital signature

shall be affixed;

The manner or procedure which facilitates identification

of the person affixing the digital signature;

Control processes and procedures to ensure adequate

integrity, security and confidentiality or electronic

records or payments; and

Any other matter which is necessary to give legal effect

to digital signature.”

In India, the evidentiary value of the digital signature has been in

question for long. A genre of evidence dominating the digital

transaction world needs to be recognized by the Indian Evidence Act,

1872, by making the necessary amendments therein.

The IT Act 2000 provides for specific evidentiary value for

secure records and secure digital signatures. Subsequently, sub-

section (2) to Section 85B of the Indian Evidence Act has been

inserted in consonance with the IT Act to provide that, “In any

proceedings, involving secure digital signature, the court shall

presume unless the contrary is proved that-

The secured digital is affixed by the subscriber with the

intention of signing or approving the electronic records;

Except in the case of a secure electronic record or a secured

digital signature, nothing in this Section shall create any

presumption relating to authenticity and integrity of the

electronic record or any digital signature.”

The section limits its opinion to a secure digital signature by

indicating that there shall be no presumption relating to authenticity

and integrity of a digital signature except where it is a secure digital

signature. If, by application of a security procedure agreed to by the

parties concerned, it can be verified that a digital

signature, at the time it was affixed, was-

Unique to the subscriber affixing it

Capable of identifying such a subscriber

Created in a manner or using means under the exclusive

control of the subscriber and is linked to the electronic

record to which it relates in such a manner that if the

electronic record was altered the digital signature would be

invalidated, then such a digital signature shall be deemed to

be a secure digital signature.

As distinct from such a secure digital signature, Section 67A

of the Indian Evidence Act provides for proof as to the digital

signature, and Section 73A prescribes the method by which such a

digital signature may be proved. According to Section 67A of the

Indian Evidence Act, “ Except in case of a secure digital signature, if

the digital signature of any subscriber is alleged to have been affixed

to an electronic record the fact that such digital signature is the

digital signature of the subscriber must be proved.”

The Information Technology Act, by inserting a new Sub-Section A to Section 47, recognizes that opinions of third parties are not relevant as evidence unless specifically provided for. Section 47A reads, “When the court has to form an opinion as to the digital signature of any person, the opinion of the certifying authority, which has issued the Digital Signature Certificate, is a relevant fact”. An opinion of third parties is inadmissible as evidence except in certain cases when the court requires an opinion of experts. With this insertion, the opinion of third parties became relevant.


4. THE FUTURE OF PLASTIC MONEY

Use of plastic money is growing at an unprecedented rate in India. The small number of installed point-of-sale (PoS) terminals is the major obstacle to the growth of debit cards; the smart card has many innovative features, which may spur the use of cards in India. The smart card is safer to use in electronic form than the present form of cards.

“Credit card business is a volume game and initially highly capital intensive.”

- A senior banker

Plastic money is growing by leaps and bounds in India. Today, many banks are offering cards. Though the foreign banks have a dominant share, aggressive entry of the Indian banks like SBI, ICICI and HDFC Bank may soon change the rules of the game. Today, SBI-GE is the third largest issuer of credit cards.

The credit card market in India is projected to grow at the rate

of 20-25% per annum in the coming years. There are currently

around 3.8 million credit card users compared to 3.0 million in 1990.

Visa credit card grew by 46.4% in India while the growth in Asia

Pacific was only 6% for Q3 of 2003. The competition among banks

has been growing and they are offering so many add-on incentives

like waiver of first year annual fee, discount on retail stores,

personal loans etc., to woo the customers.

Debit card is another segment, which is catching up fast.

There are only 80,000 to 90,000 merchants having point-of-sale

(PoS) terminals installed and majority of them are located in metros,

which is the major obstacle to the growth of debit cards. To increase

the usage of debit cards, banks should concentrate on increasing

installation of PoS terminals in semi-urban and rural areas.


Smart Card: A Future Card

Smart cards are the wave of the future for consumer use,

commercial use and terminal network security. Smart cards are in

much wider use in Europe than in US.

A smart card is a plastic card with an embedded computer chip. It has the capacity to store up to 80 times more information than magnetic stripe cards. This mini-computer, using an intelligent chip, stores payment information similar to a magnetic stripe card, but it also includes additional information such as online authorization controls, credit limits, stored value (gift card), reward points (loyalty), Personal Identification Number (PIN), etc. Smart cards can be contactless, meaning that the chip transfers data via a built-in antenna without physically touching the smart card reader.

There are over 3 billion smart cards in use currently. Today, smart cards are used worldwide, and they are the most flexible payment option available in the world. Smart cards have been used in Europe for over 10 years and are now the accepted mode of payment. In developing countries and continents such as Africa and Asia, the use of smart cards has been growing rapidly. In the US, major retailers, banks and processors are preparing to accept global cards, and some are adding smart gift cards and promotional applications to build loyalty for the growth of their business. American Express and financial institutions have issued over 21 million PIN-secured smart cards to their customers. By the end of 2005, there will be over 100 million smart cards in use in the United States.

In order to accept smart cards, the business must have an EMV-ready smart card point-of-sale (PoS) terminal. Merchants can use standalone PoS smart card terminals or smart card readers that are integrated with cash registers. Currently, over 90% of PoS terminals are not EMV smart card ready.

Smart Cards and Internet Payment

Issues of security and fraud are major drawbacks to using

credit and debit cards over the Internet. Unlike the hand-written

receipts, there are no signed sales receipts associated with today’s e-

commerce transactions. Without such evidence, it is difficult as

much as 84% of all electronic commerce transactions.


At the same time, consumers are holding back on making

Internet purchases due to lingering security concerns. According to

Master Card, 90% of Internet non-buyers worry that their personal

and financial information may fall into the hands of hackers. It is

this reluctance that is the real barrier to building an online business.

Using smart cards along with a strong Internet authentication will

help overcome these issues.

American Express, Master Card and Visa smart cards

currently support Internet authentication and payment using built-in

digital certificates and digital signatures. For smart cards to be

successful, the cardholders must connect an EMV approved smart

card reader to their PCs. Smart cards have the capacity to replace the

thirty plus years old magnetic stripe cards.


5. LEADING ISSUE IN BANKING TECHNOLOGY

Many Indian banks are adopting information technology not merely as a frill, but as a dire need. It is helping the banks in many core and diversified functions. Technology is a key business enabler in six critical areas of banking. These are augmenting the profit pool, operational efficiency, customer management, product innovation, distribution and reach, and an efficient payment and settlement system. For the success of any IT program, integration of IT and business strategy is a crucial factor.

Banking basics have undergone radical shifts, thanks to the

advent of modern technology, increasing pace of globalization and


the need for stronger fundamentals to operate in the fiercely

competitive environment. The digital divide among Indian banks

that was quite discernible before the millennium has considerably

narrowed down with many banks taking to technology not merely as

a frill, but as a dire necessity. Technology today catalyzes many core

and diversified functions in banks, including issues like transaction

automation and multiple delivery channels, product innovation, data

warehousing and effective MIS, secured storage mechanisms and a

real-time based payment and settlement system.

Seen in the present context, technology is a key business

enabler in six critical areas of banking.

Augmenting Profit Pool; Operational Efficiency; Customer

Management; Product Innovation; Distribution and Reach; Efficient

Payment and Settlement.

Augmenting Profit Pool

Sustained profits and profitability have been major yardsticks for assessing the true health of banks in a fiercely competitive and compelling business environment. Technology has proved, at least in the case of new generation banks and major public sector banks, to be a major profit driver. With progressive decline in interest rates, banks’ spreads have come under pressure, which, per se, affects their profitability. However, technology has had a favorable effect in terms of reducing the operating cost and improving the burden to a considerable extent. Technology also enables commissioning of new products like Net banking, mobile banking and other forms of 24X7 banking like ATMs, and networked services across branches like anywhere banking, electronic funds transfer, customer relationship management and call centers across the banks. Hi-tech and hi-touch services, it goes without saying, have also enlarged the clientele base in banks and commanded considerable customer loyalty.

Technology has created an enabling environment for banks to

diversify into various fee-based activities like bancassurance and

funds transfer arrangements.

Operational Efficiency

Operational efficiency, in terms of optimum utilization of resources, has been one of the most positive offshoots of technological application in banks. Thanks to greater technological application, the banking system has seen a near consistent improvement in intermediation efficiency and a consequent decline in transaction cost. Yet, technology application has been by and large confined, especially in the state-owned banks, to cost saving and improved service standards through product innovation. While savings in cost and improvement in service quality could turn out to be short-term in nature, it is essential that technology is leveraged as a long-term and efficient cross-functional application. It is also time that the focus of technology shifts from product innovation to process innovation, commonly referred to as Business Process Reengineering (BPR), for banks to gain long-term operational efficiency.

Customer Management

Technology also spells significant benefits in the realm of customer research and management. In a predominantly buyers’ market, with a high propensity of customers to switch service providers, customer management need no longer be a front office function, but a bank-wide obsession. Many banks have duly realized the significance of such functions and introduced new models like the High Net Worth clients’ branch, imbued with state of the art technology, exquisite ambience and quickest possible processing of transactions. Customer management is a very sensitive issue: an entity hears from only 4% of its dissatisfied customers, while 96% of them quietly go away, of which 91% never come back. Banks have, thus, already implemented the tech-aided e-CRM application as a strategic tool to retain as well as expand their customer base. The bottom line is that banking products are getting commoditized and price wars are slowly leading to a zero-sum game. In such a scenario, technology-backed customer orientation will hold the key to taking service standards anywhere near world-class.

Product Research

In the field of product research as well, technology plays a decisive role, in terms of swift product innovation, an active R&D set-up and effective pricing of products to protect banks’ margins and safeguard customers’ interests. Banking product life cycles are getting shorter day by day and, more than delivery, product servicing defines the competitive edge for banks. Marked-to-market product processes are equally important for sustained improvement in the value chain of services and to command ‘top of the mind recall’ from the customers. Technology also aids product profitability research and review, which have not received adequate attention in many of the banks.

Distribution Reach

The thumb rule for strategic management masters is that structure must follow strategy in any business reorganization. Technology, thus, calls for attendant restructuring endeavors that will be in tune with the level of technology application. For instance, many banks need to put in place a leaner structure and remove intermediate decision-making tiers. That is how one can see that many of the regional outfits of banks are slowly being dismantled while branch expansion is not being accorded the thrust it used to be given earlier. Rightsizing of human and physical overheads is a major strategy adopted by many banks wherein the role of the earlier brick and mortar banking is slowly getting dissipated. In turn, devices like Internet and mobile banking. Technology, thus, facilitates downsizing of overhead costs without compromising much on clientele reach. Public sector in the rural and semi-urban areas. Many of these branches are not performing to their potential mainly because of their typical business mix, cost diseconomies and lack of technology-based services offered in these branches. Technology can facilitate the branch rationalization exercise, such as setting up mobile branches and satellite branches, especially in the rural areas, and bring many of those into the “Performing” category without affecting the extent of client reach.

Efficient Payment and Settlement

Innovation in technology and the worldwide revolution in information and communication technology have emerged as dynamic sources of productivity growth. This is true of banking as well, as its relationship with technology has become fundamentally symbiotic. The payment system is probably the most important mechanism in the banking sector where technology’s interactive dynamics is getting manifested in an increasing measure each day.

The banking system has adopted a holistic approach for designing a modern, robust, efficient and integrated payment system. The approach to the modernization of the payment and settlement system has been basically three pronged – consolidation, development and integration. Consolidation of the payment system has revolved round strengthening computerized cheque clearing and expanding the reach of electronic clearing services through state-of-the-art technology. Critical elements under the developmental strategy related to the opening of new clearing houses, interconnectivity of clearing houses through INFINET and optimizing the development of resources, the Negotiated Dealing System, Structured Financial Messaging System (SFMS) and the recently introduced Real-Time Gross Settlement (RTGS) system. Integration is the next stage that the banking system is currently going through, which is premised on a high degree of standardization within a bank and seamless interfaces across banks, leading to Straight Through Processing (STP) of transactions on a regular basis. Further, the cheque truncation system will also pave the way to expedite the payment settlement process.

However, so far as integration is concerned, Indian banks still have a fair distance to traverse. In order to efficiently leverage an integrated payment and settlement system, banks, especially those in the public sector, need to address certain core issues expeditiously. These include the following:

Toning up of infrastructure in terms of standardization, building up security features like firewalls and an Intrusion Detection System (IDS), and implementing a security policy.

Total inter-branch connectivity.

Popularization of electronic funds transfer mechanism.

Instituting collaborative arrangements, including outsourcing of IT expertise.

In addition to the above, banking sector is also confronted

with a classic dilemma. It relates to differentiating between and

mapping the role of business vis-à-vis the role of information

technology, a feature typifying an enterprise wide technology

initiative. This is where the significance of integrating business and

IT plans comes to the fore.

Integration of IT and Business Strategy

Many banks, especially those in the public sector, are embarking on a comprehensive set of IT initiatives encompassing total branch automation, core banking solution, networking of ATMs, Internet and mobile banking, data warehousing and a comprehensive MIS backed decision support system. Contrary to popular perception, such initiatives are not merely because of competitive pressure from the foreign and new generation private banks. The avowed goal of these initiatives was to improve overall efficiency in terms of lower intermediation cost, swifter decision-making process, greater customer convenience and effective internal control, including an objective risk management mechanism. It goes without saying that the fast pace of globalization and progressive move towards reaching global operational benchmarks also catalyzed the technology drive dividends to these banks although the need of the hour is to consolidate the gains so far and address the weak links.

One such weak link relates to lack of integration between the IT and business strategies which, it is felt, is applicable to many of our banks. Technology introduction can offer significant benefits only when it is in total alignment with business strategies. Especially in public sector banks, a phased approach is desirable in view of the heterogeneous nature of their branch architecture and vast area-specific differentials in their branch functioning. In the current context, business strategies may differ from bank to bank, yet a core set of business objectives will, for sure, be common to all the banks. Such commonalities call for at least an open technology plan, in broad consonance with the business objectives, and the same can be fine-tuned on an ongoing basis to suit the business model.

Recently, a study was conducted by National Institute of Bank

Management, at the behest of RBI, for suggesting a methodology to

integrate IT and business plans in banks. The study has proposed an

‘Enterprise Maturity Model’, for attaining total convergence of

technology and business strategies with focus on selected, generic

business strategies. The model suggests solutions not merely for

business and technology, but for issues related to human resources

and customers who form an integral part of banks’ strategic road

map.

The suggestions in the study promise to be useful benchmarks for banks in their complete switchover to the virtual mode. Application of the model can help banks to develop an effective Executive Information System as decision support, integrate varied workflow processes, carry out objective customer analysis and, most importantly, devise simulative and real-time based tools to track business, profits and profitability. An effective and objective technology application system will also enable a business process reengineering mechanism that will considerably enhance the real technological capabilities of banks.

Core Banking Solution

In the light of ongoing emphasis on business process reengineering, one comes across many banks assiduously pursuing a centralized server-based system, better known as Core Banking Solution (CBS). CBS offers, among others, benefits like the privilege of single window service to the customer in order to facilitate a shift from the “customer of the branch” to the “customer of the bank” concept, online transfer of funds, longer business hours, lower transaction costs, slimmer staff structure at branches, effective monitoring of business, comprehensive MIS as a policy support and, above all, improved visibility of the banks implementing CBS. A robust MIS also supports vital functions like ALM, risk management, product profitability and customer profitability analyses, leading ultimately to efficient portfolio management in banks. CBS also leads to significant mileage in terms of staff and other overhead costs. Staff rendered surplus on account of CBS can also be put to marketing and recovery functions, which warrant dedicated staff in the present context.

One major issue in CBS relates to security aspects and a host of operational risks that banks are confronted with. Be it system failure or planned hacking or any kind of human error, a centralized system is perennially susceptible to failure, which may prove to be endemic across the financial system and result in vital data erosion. Retrieval of the same may also cost the banks and their associates dearly. Security aspects like implementing a robust security policy, firewalls and IDS are, therefore, indispensable for preventing any systemic problem. There are even cases where multi-point security has not been able to check the fraudulent practices. Thus, security aspects need to be examined threadbare before putting core banking in place.


6. TECHNOLOGY AND FRAUDS

ATM CRIMES AND FRAUDS:

ATM crimes and frauds are rising throughout the world. The ATM industry and many other organizations are fighting them in many ways, such as by issuing security tips and making ATMs more innovative. In India, where the use of ATMs is growing exponentially, banks have to benefit from international experience and safeguard their customers from frauds.

ATM crimes and frauds are mounting day by day. Even

though they make up a small percentage of criminal activities they

are not less important. Criminals are raiding millions every year.


Popular Ways to Card Frauds:

Some of the popular techniques used to carry out ATM crime are:

Card Jamming: the ATM’s card reader is tampered with in order to trap a customer’s card. Later on the criminal removes the card.

Card Skimming: the illegal way of stealing the card’s security information from the card’s magnetic stripe.

Card Swapping: the customer’s card is swapped for another card without the knowledge of the cardholder.

Website Spoofing: a new fictitious site is made which looks authentic to the user, and customers are asked to give their card number, PIN and other information, which are used to reproduce the card for removing the cash.

Global Measures to Fight the Frauds

To guard against these frauds, ‘The Global ATM Security Alliance (GASA)’, which was formed in June 2003, has issued a customers’ guide and some tips to protect against card-related frauds.

The World’s Top 20 Tips for ATM Use to Enhance the ATM Customer Experience and Security

CHOOSING AN ATM

Tip 1: Where possible, use ATMs with which you are most familiar. Alternatively, choose well-lit, well-placed ATMs where you feel comfortable.

Tip 2: Scan the whole ATM area before you approach it. Avoid using the ATM altogether if there are any suspicious-looking individuals around or if it looks too isolated or unsafe.

Tip 3: Avoid opening your purse, bag or wallet while in the queue for the ATM. Have your card ready in your hand before you approach the ATM.

Tip 4: Notice if anything looks unusual or suspicious about the ATM indicating it might have been altered. If the ATM appears to have any attachments to the card slot or keypad, do not use it. Check for unusual instructions on the display screen and for suspicious blank screens. If you suspect that the ATM has been interfered with, proceed to another ATM and inform the bank.

Tip 5: Avoid ATMs which have messages or signs fixed to them indicating that the screen directions have been changed, especially if the message is posted over the card reader. Banks and other ATM owners will not put up messages directing you to specific ATMs, nor would they direct you to use an ATM which has been altered.

USING AN ATM

Tip 6: Be especially cautious when strangers offer to help you at an ATM, even if your card is stuck or you are experiencing difficulty with the transaction. You should not allow anyone to distract you while you are at the ATM.

Tip 7: Check that other individuals in the queue keep an acceptable distance from you. Be on the lookout for individuals who might be watching you enter your PIN.

Tip 8: Stand close to the ATM and shield the keypad with your hand when keying in your PIN (you may wish to use the knuckle of your middle finger to key in the PIN).

Tip 9: Follow the instructions on the display screen, e.g., do not key in your PIN until the ATM requests you to do so.

Tip 10: If you feel the ATM is not working normally, press the cancel key and withdraw your card and then proceed to another ATM, reporting the matter to your financial institution.

Tip 11: Never force your card into the card slot.

Tip 12: Keep your printed transaction record so that you can compare your ATM receipts to your monthly statement.

Tip 13: If your card gets jammed, retained or lost, or if you are interfered with at an ATM, report this immediately to the bank and/or police using the help line provided or the nearest phone.

Tip 14: Do not be in a hurry during the transaction, and carefully secure your card and cash in your wallet, handbag or pocket before leaving the ATM.

MANAGING YOUR ATM USE

Tip 15: Memorize your PIN (if you must write it down, do so in a disguised manner and never carry it with your card).

Tip 16: NEVER disclose your PIN to anyone, whether to family member, bank staff or police.

Tip 17: Do not use obvious and guessable numbers for your PIN, like your date of birth.

Tip 18: Change your PIN periodically, and, if you think it may have been compromised, change it immediately.

Tip 19: Set your daily ATM withdrawal limit at your branch at levels you consider reasonable.

Tip 20: Regularly check your account balance and bank statements and report any discrepancies to your bank immediately.

While the ATM industry is aggressively addressing ATM-

related frauds and crimes, few in the industry know about these

extraordinary efforts. Some of the important works are given below:

From time to time the Electronic Funds Transfer Association (EFTA), with the help of ATMIA, publishes tips on PIN security.

To combat cross-border crimes, GASA is working in association with Interpol, the Metropolitan Police Flying Squad for New Scotland Yard and leading card issuers.

ATMIA is educating the people and the ATM industry about the most effective ways of fighting ATM crimes and frauds, and honoring with awards those who contribute significantly to countering the fraud.

Fair Isaac Card Alert is a service which analyzes millions of daily transactions, identifies the suspicious transactions and sends the card number and related information of each suspicious transaction to the concerned bank. This service has helped a lot in solving many card-related frauds, including high-profile skimming cases.

Leading ATM manufacturers are producing innovative ATMs, which are helping to counter the frauds. Biometric technology is one of the examples, which removes the need for Personal Identification Numbers (PINs).

Biometric systems identify or authenticate a person’s identity using different alternatives like face expressions, fingerprint, hand geometry, voice, retina, etc.

INTERNET BANKING AND FRAUDS

Fraudsters are using innovative ways like Web and mail spoofing, attacking the bank’s server, etc. to break the security walls and commit fraud. There is a need for arrangements that help ensure the integrity, confidentiality and authorization of information.


“Thieves are not born, but made out of opportunities”

This quote exactly reflects the present environment

related to technology, where it is changing very fast. By the time

regulators come up with preventive measures to protect customers

from innovative frauds, either the environment itself changes or new

technology emerges. This helps criminals to find new areas to

commit the fraud.

Some common Internet banking frauds and their causes have

been discussed here.

Attacking the Bank’s Server

In this case, the fraudster takes control of the server of the

bank and by visiting the bank’s website carries out transaction

through impersonation.

These attacks are due to bad programming, which mostly prevails in general-purpose software. Such attacks are called buffer overflow attacks. Due to buffer overflow defects in the software, the fraudster can run commands on the server without providing essential information like a password.

Mail Spoofing

In mail spoofing, or e-mail forgery, the fraudster sends information to bank customers in such a form that it seems to come from the authentic bank source. One such incident happened with ICICI Bank customers, who were asked to disclose passwords and other information. The e-mail said:

“For security purpose your account has been randomly chosen

for verification. To verify your account information we are asking

you to provide us with all the data we are requesting. Otherwise, we

will not be able to verify your identity and access to your account

will be denied. Please click on the link below to get to the ICICI

secure page and verify your account details. Thank you.”

Mail spoofing happens due to lack of criteria to verify the source

address authenticity. Anyone can set up a mail server and can

forge a mail posing as an authentic source.
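Checks for source authenticity that receiving mail systems can apply today are SPF, DKIM and DMARC, whose verdicts the receiving server records in an `Authentication-Results` header. The following is an added example, not part of the original project, that reads those verdicts and compares the visible `From` domain with the envelope and reply addresses; both messages are constructed, and the server name `mx.receiver.example` and all domains are placeholders.

```javascript
// Added example: header checks for a message like the one quoted above.
// Both messages are constructed; all domains are placeholders.
const TRUSTED_AUTHSERV = 'mx.receiver.example'; // assumed: our own mail server

const SPOOFED_MESSAGE = [
  'Return-Path: <bounce@mailer.example>',
  'Authentication-Results: mx.receiver.example;',
  ' spf=fail smtp.mailfrom=mailer.example;',
  ' dkim=none; dmarc=fail header.from=bankname.com',
  'From: "Bank Security" <security@bankname.com>',
  'Reply-To: verify@mailer.example',
  'Subject: Account verification',
  '',
  'For security purpose your account has been randomly chosen for verification.',
].join('\r\n');

const GENUINE_MESSAGE = [
  'Return-Path: <statements@bankname.com>',
  'Authentication-Results: mx.receiver.example;',
  ' spf=pass smtp.mailfrom=bankname.com;',
  ' dkim=pass header.d=bankname.com; dmarc=pass header.from=bankname.com',
  'From: "Bank Statements" <statements@bankname.com>',
  'Subject: Your monthly statement',
  '',
  'Your statement is ready.',
].join('\r\n');

// Read the header block, joining folded (indented) continuation lines.
// Only the first (topmost) occurrence of each header is kept.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const unfolded = head.replace(/\r?\n[ \t]+/g, ' ');
  const headers = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) {
      const name = line.slice(0, i).trim().toLowerCase();
      if (!(name in headers)) headers[name] = line.slice(i + 1).trim();
    }
  }
  return headers;
}

// Domain part of the first address found in a header value.
function domainOf(value) {
  const m = /@([a-z0-9.-]+)/i.exec(value || '');
  return m ? m[1].toLowerCase() : null;
}

// Verdicts recorded by the receiving server. A header that does not start
// with our own server's name could have been written by the sender, so it
// is ignored.
function authResults(value) {
  const verdicts = {};
  const parts = (value || '').split(';');
  if (parts[0].trim().toLowerCase() !== TRUSTED_AUTHSERV) return verdicts;
  const re = /\b(spf|dkim|dmarc)=([a-z]+)/gi;
  let m;
  while ((m = re.exec(value)) !== null) {
    verdicts[m[1].toLowerCase()] = m[2].toLowerCase();
  }
  return verdicts;
}

function assessMessage(raw) {
  const h = parseHeaders(raw);
  const from = domainOf(h['from']);
  const findings = [];
  const envelope = domainOf(h['return-path']);
  if (envelope && envelope !== from) findings.push('return-path-domain-differs');
  const replyTo = domainOf(h['reply-to']);
  if (replyTo && replyTo !== from) findings.push('reply-to-domain-differs');
  const auth = authResults(h['authentication-results']);
  for (const method of ['spf', 'dkim', 'dmarc']) {
    if (auth[method] !== 'pass') findings.push(method + '-not-pass');
  }
  // Domain mismatches also occur in legitimate bulk mail; the DMARC verdict
  // is what ties the visible From domain to an authenticated sender.
  return { from, findings, suspicious: auth.dmarc !== 'pass' };
}

console.log(assessMessage(SPOOFED_MESSAGE));
console.log(assessMessage(GENUINE_MESSAGE));
```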

Web Spoofing


In Web Spoofing, customers of the bank are lured to log in at the fraudster’s website, which is similar to the bank’s website. Once the customer provides sensitive information, it can be stolen easily by the fraudster, who uses the stolen information, like password and username, to carry out transactions with the bank as a real customer.

In the whole case, the only loser is the customer because he

does not have any means to prove that it was not he who did those

transactions, but the fraudster.

The customer’s inability to interpret the Universal Resource Locator (URL) is the major cause of Web spoofing. Look at the following two URLs:

http://secure.bankname.com/carloanfind/carloans.asp

http://secure.bankname.com?@569857125/carloanfind/carloans.asp

It is very difficult for a normal customer to understand the difference between these two URLs. He can be easily cheated because the first URL will drive him to the original site while the second one to the fraudster’s site.
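An added example, not part of the original project, of checking such links with the standard `URL` parser instead of by eye. `EXPECTED_HOSTS`, the finding labels and the third sample link (constructed: the second link with the `?` removed) are assumptions made for illustration.

```javascript
// Added example: which host does a link really name?
// EXPECTED_HOSTS is an assumed allow-list for the bank used in the text.
const EXPECTED_HOSTS = new Set(['secure.bankname.com']);

// The first two links are the ones printed in the text. The third is
// constructed: the same link without the "?", so the bank name sits in
// front of the "@".
const SAMPLE_LINKS = [
  'http://secure.bankname.com/carloanfind/carloans.asp',
  'http://secure.bankname.com?@569857125/carloanfind/carloans.asp',
  'http://secure.bankname.com@569857125/carloanfind/carloans.asp',
];

// Split a link as typed into its authority (between "//" and the first
// "/", "?" or "#") and whatever follows it.
function splitLink(link) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)(.*)$/i.exec(link);
  return m ? { authority: m[1], rest: m[2] } : { authority: '', rest: '' };
}

// True for hosts typed as numbers: 569857125, 0x21f75465, 33.247.84.101.
function isNumericHost(host) {
  return /^(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+)){0,3}$/i.test(host);
}

function inspectLink(link) {
  let url;
  try {
    url = new URL(link); // same parsing rules a current browser applies
  } catch (err) {
    return { host: null, trusted: false, findings: ['unparseable'] };
  }
  const { authority, rest } = splitLink(link);
  const at = authority.lastIndexOf('@');
  const typedHost = authority.slice(at + 1).replace(/:\d*$/, '');
  const findings = [];

  // Text before "@" in the authority is a user name, not the site.
  if (at !== -1) findings.push('userinfo-before-host');
  // A bank has no reason to publish its site as a bare number.
  if (isNumericHost(typedHost)) findings.push('numeric-host');
  // As printed, the second link keeps the bank host because "?" ends the
  // authority, but an "@" later in a bank link is still worth a second look.
  if (rest.includes('@')) findings.push('at-sign-after-host');
  // url.hostname is the host the request would actually go to.
  if (!EXPECTED_HOSTS.has(url.hostname)) findings.push('unexpected-host');

  return { host: url.hostname, trusted: findings.length === 0, findings };
}

function inspectAll(links) {
  return links.map((link) => ({ link, ...inspectLink(link) }));
}

for (const r of inspectAll(SAMPLE_LINKS)) {
  console.log(r.trusted ? 'OK  ' : 'FLAG', r.host, r.findings.join(','), r.link);
}
```

Only the first link passes; the parser reports the numeric host of the third as a dotted IP address, which is what the request would actually be sent to.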

Denying Service from Bank’s Server

The fraudster’s intent here is not to commit any fraud but to

create inconvenience for the banks. The customer here literally

cannot access the services of the bank.

The fraudster’s interference with Transmission Control Protocol/Internet Protocol (TCP/IP), the computer communication languages; with routers, which help customers reach different parts of the network (router poisoning); and with the Domain Name System (DNS) service, which helps two computers communicate through IP numbers, are some reasons for such inconvenience.

It is clear that plugging all the loopholes is very difficult for any regulator. This is a challenge to the mission of fast automation. It is essential on the part of the banks, the regulators and the service providers to create a secure and safe automation environment that has the confidence and trust of the customers.


7. CREDIT CARD FRAUD ON INTERNET

Credit card fraud has become regular on Internet. All the agencies

involved in the transaction, cardholders, online merchants and the

card issuers suffer losses. However, it is the online merchant who

suffers the most. This article examines the nature of credit card

fraud, types of credit card frauds, and the effects. This article also

discusses the preventive measures.

Internet commerce is growing very fast. From a customer base of 28.8 million spending US$12 bn in 1999, Internet commerce has grown exponentially during the past few years and is still growing. But, unfortunately, the growth is not on the expected lines. Credit card fraud, which has become common, has retarded e-commerce growth. A 1999 survey by the US National Consumers League reported that 7% of customers were victims of credit card fraud; recent surveys indicate that one out of three online customers have become victims of this kind of fraud. Customers, credit card companies, banks and merchants are battling this problem; still, this crime is on the ascendancy.

Common Types of Card Frauds

There are different types of frauds involving credit cards. The

fraudulent activities start from the application process itself.

Application Fraud:

In application fraud, the fraudster obtains personal

confidential information of the other person needed in the credit card

applications, like social security number, date of birth using a

variety of means. Internet search engines and databases are making

these tasks easier. Using this information, he fills in an application

for a credit card and after receiving it, uses it as if he is the true

holder. The person in whose name the card is issued might come to

know about this only after the damage is done.

Counterfeit Cards:


In this, a criminal gains access to a valid card number and

other information. For example, the salesperson at the supermarket

briefly takes possession of the customer’s card during payment

process, which he runs on a terminal. But without the knowledge of

the cardholder, the salesman can also run it on another machine,

which can capture all the details in the card. Using this information

and tools like embossing machines, a fraudster can create a

counterfeit card. This process is known as ‘skimming’ and simple

hand-held devices are now available for the purpose. Further, the

information skimmed can also be used for purchases on the Internet

or Telephone.

Account Takeover:

In account takeover, the fraudster first obtains all

the personal confidential information about the other person. Then,

impersonating the other person, he informs the bank that there is a

change in his residential or office address. Next, he informs them

that his credit card is lost and requests a new card at the new

address. After receiving the card, the criminal successfully takes

over the account.

Stolen and Lost Cards:


By far, this is the most common form of fraud in the market

place. When the criminal has access to a stolen or lost card, he also

gains access to all the personal information. Apart from using this

card fraudulently, the criminal can also use the information to

‘broaden’ the fraud by applying for new cards or fabricating new

ones.

Other Forms:

From the point of view of a merchant, credit card frauds can

be divided into three types: organized fraud, opportunistic

fraud and cardholder fraud. The advantages offered by the Internet are

also attracting the criminals in a big way. In an organized criminal

activity, the gangs obtain credit cards using any of the means

discussed above. They normally identify a drop location like a

vacant house or warehouse, spend the card up to the maximum limit,

and ask for the merchandise to be dropped at this selected location.

These gangs have a thorough understanding of the system and take

advantage of the fact that there is normally a time gap of more on to

the next card. Opportunistic fraud is committed normally by

amateurs who get an opportunity of handling credit cards, like


waiters in restaurants. Cardholder fraud involves the cardholder

himself who might claim that he never placed the order or he never

received the goods. It could also involve one of his family members

or friends who used the card without his knowledge.

Bust Out Fraud:

According to Daniel Buttafogo of Juniper, an Internet-based

credit card company, in this fraud, true customers gradually build up

as much available credit as possible and then ‘bust out’ with large

purchases of items that could easily be resold, like jewelry, or draw large

cash advances etc. Here the fraudster will draw bad checks on one

account to pay; when this cannot be done any longer, the customer

does a vanishing act. This kind of fraud is the most difficult to catch,

as the customer exhibits exemplary behavior till the last moment.

Friendly Fraud / Denial of Receiving Product:

Friendly fraud occurs when the actual cardholder carries out a

transaction but later denies or claims that his card was stolen or used

without his authorization. Customers might deny receipt or signing

or even ordering the product.


Nature of E-Commerce Transactions:

In an e-commerce transaction, face-to-face contact between the

merchant and customer is absent and this causes most of the credit

card frauds. In online transactions, after filling in the online order

form, the customer is expected to give his credit card number to

conclude the transaction. In the real world, after the purchase, the

customer hands over the credit card, which the merchant swipes

using a terminal. The merchant also obtains the signature of the

customer on the credit card receipt. He also verifies the charge

authorization. In case of fraudulent use of a card, like using a stolen

card, the merchant or the customer is reimbursed by the credit card

company. In online transactions, the card is not present during the

transaction and there is no signature of the customer on the receipt.

These transactions are treated as card-not-present transactions, in which

the card issuing companies do not reimburse the merchant. In

reality, speed, which is the most important benefit of the Internet,

facilitates the fraud. A physical transaction takes several minutes,

whereas an Internet transaction takes only a few seconds. Real-time

transactions reduce the overheads but, at the same time, increase the

number of fraudulent transactions. For example, a fraudster can give

the same fraudulent card number to a number of e-business sites

simultaneously and there is no way the merchants can know about it.
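The passage above notes that a single merchant cannot see the same card number being presented at other sites at the same moment. As an added example (not part of the original project), the Python code below shows how a party that does see authorizations from several merchants, such as a card issuer or payment processor, could flag that pattern; the record layout, the 60-second window, the three-merchant threshold and all names in it are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed key for this example only; a real system would fetch it from a secrets store.
TOKEN_KEY = b"example-only-key"

# Constructed authorization records: (ISO timestamp, merchant id, card number as typed).
# The card numbers are widely published test numbers, not real accounts.
SAMPLE_EVENTS = [
    ("2007-11-05T10:00:09", "shop-c", "4111111111111111"),
    ("2007-11-05T10:00:00", "shop-a", "4111 1111 1111 1111"),
    ("2007-11-05T10:00:04", "shop-b", "4111-1111-1111-1111"),
    ("2007-11-05T10:00:20", "shop-a", "5500000000000004"),
    ("2007-11-05T10:45:00", "shop-b", "5500000000000004"),
    ("2007-11-05T11:30:00", "shop-c", "5500000000000004"),
]


def card_token(pan):
    """Keyed hash of the card number, so the detector never keeps the raw number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]


def find_multi_merchant_bursts(events, window_seconds=60, min_merchants=3):
    """Flag cards presented at min_merchants or more distinct merchants within the window.

    Each card is reported once, at the moment it first crosses the threshold.
    """
    window = timedelta(seconds=window_seconds)
    # Sort by time so late-arriving records do not break the sliding window.
    parsed = sorted(
        (datetime.fromisoformat(ts), merchant, card_token(pan))
        for ts, merchant, pan in events
    )
    recent = defaultdict(deque)  # token -> (time, merchant) pairs still inside the window
    already_flagged = set()
    alerts = []
    for when, merchant, token in parsed:
        seen = recent[token]
        seen.append((when, merchant))
        # Drop sightings that have aged out of the window.
        while when - seen[0][0] > window:
            seen.popleft()
        merchants = sorted({m for _, m in seen})
        if len(merchants) >= min_merchants and token not in already_flagged:
            already_flagged.add(token)
            alerts.append({
                "card": token,
                "merchants": merchants,
                "first_seen": seen[0][0],
                "flagged_at": when,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_multi_merchant_bursts(SAMPLE_EVENTS):
        print(alert["flagged_at"].isoformat(), alert["card"], alert["merchants"])
```

The second card in the sample is used at three merchants over ninety minutes, which is ordinary shopping at the default window and is flagged only if the window is widened.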

8. INFORMATION TECHNOLOGY RISK IN BANKING: MANAGEMENT & MEASUREMENT

Information Technology (IT) is not merely a technical function, but a

management process, which needs to be managed effectively. Various

methodologies are available to measure the IT risk in banks. By and large,

all of them follow the same primary steps, such as threat analysis, for technology risk

assessment; the American Bankers Association has recommended various resources.

Risk management approach had widely the baseline approach

in which a baseline/standard set of policies and practices is

followed in taking business decisions without considering the

criticality of the business asset or decision. In the business sense, risk is

the probability of incurring a loss from taking or not taking a business

decision. The loss can be tangible or intangible. Risks can be

avoided, controlled, shared, transferred and accepted. Risks can be

controlled through objectives, policies and procedures.


Risk management approach enables the management to give

appropriate treatment to the business assets and decisions based on

their criticality to business goals and business continuity. While the

basic concepts remain the same, Information Technology introduces

new vulnerabilities as well as new techniques for risk management.

As such, technology risk management, while following the

fundamentals, needs to address these new vulnerabilities.

Technology Risk Management

Information Technology Risk is the risk that can arise due to

use or non-use of technology in business or for business. The

primary objective of an organization and its ability to conduct

business. The business of IT in business is to see that the business

continues. IT risk management has to ensure that this purpose is

achieved. As such, the IT risk management process should not be treated

as a mere technical function carried out by the IT people and should

not be confined to IT assets. It is essentially a management function.

However, the role of IT people is also vital because IT security and

IT risk management are interrelated and an effective risk

management process is an important component of a successful IT

security program.

The broad objective of performing IT risk management is to

enable the organization to achieve its business goals by better

securing the IT systems and enabling management to make well-

informed risk management decisions in areas where technology is

involved.

IT risk management is the process that helps to balance the

operational and economic costs of risk mitigation measures and

achieve gains by protecting the IT systems and data that support

the organization’s goals. A well-structured risk management

methodology, when used effectively, can help management identify

appropriate controls for providing the mission-essential security

capabilities.

Various organizations worldwide have come out with risk

management frameworks, policies, standards and principles that are

quite useful in IT risk management and measurement.

The committee set up by the Bank for International Settlements (BIS)

has identified fourteen Risk Management Principles for Electronic

Banking to help banking institutions expand their existing risk

management policies and processes to cover their electronic banking

activities.

Similarly, the Committee of Sponsoring Organizations of the

Treadway Commission (COSO) Board and Project Advisory

Council took on the responsibility to expand and address the

remodeled components of internal control. The end product of this is

the COSO Enterprise Risk Management (ERM) Framework.

The Information Systems Audit and Control Association

(ISACA) has developed a framework called Control Objectives for

Information and related Technologies (COBIT) which helps in IT

risk management.

The ERM and COBIT frameworks provide a useful evaluation

tool for informing management, directors and other stakeholders

about a process, procedure and policy to identify, measure, prioritize

and respond to finding risk.

In India, RBI has been providing much guidance in this area

to Indian banks. There are a good number of references and

guidelines provided in the reports of various RBI Committees. The

report of the RBI Committee on computer audit provides a

comprehensive checklist covering many technology-related areas,

which is useful in Technology Risk Assessment.

Technology Risk Assessment/Measurement

Risk assessment/measurement is a process used to identify

and evaluate risks and their potential effect/exposure. Risk exposure

is equal to the probability multiplied by the impact on

business.

Risk management covers three processes: risk assessment,

risk mitigation, and evaluation. Risk assessment is the first process

in the risk management methodology and is necessary for determining the

extent of the potential threat and the risk associated with an IT

system throughout its System Development Life Cycle (SDLC). The

output of IT risk assessment process helps to identify appropriate

controls for reducing or eliminating risk during the risk mitigation

process.

Unlike financial risk, technology risk cannot be easily

quantified or measured. But, banks can gain financial and

operational benefits by conducting an effective Technology Risk

Assessment (TRA). These include enhancing corporate governance

over IT activities, proactively identifying vulnerabilities and


implementing risk business imperatives, and efficiently using

corporate risk management resources, including audit, in ensuring a

cost-benefit control environment.

Threats to an IT system must be analyzed in conjunction with

the potential vulnerabilities and the controls in place for the IT

system to determine the likelihood of a future adverse event and its

impact. Impact refers to the magnitude of harm that could be caused

by a threat. The level of impact is governed by the potential impact

on organizational goals and, in turn, determines the level of

criticality of an IT asset/resource.

Technology Risk Assessment (TRA) Methodologies

The quality of the technology risk assessment affects the

effectiveness of management's risk-based decisions. With the

increasing interest in operational risk management and concerns

about corporate governance, many proprietary enterprise risk-management

methods/solutions have come onto the market to help banks

meet the assessment challenge. Since these methodologies are

mostly developed for and by traditional risk managers, they are

generally weak in areas relating to technology, although they

provide an adequate perspective from a credit, financial, and

environmental standpoint.

Risk assessment methodology generally follows the following

primary steps:

Threat and Vulnerability Identification

Probability/Likelihood Determination

Impact Analysis

Risk Determination

Control Recommendations

Results Documentation

Technology Risk Assessment (TRA) methodologies are not

much different from general risk assessment methodologies and

they, too, follow these steps. However, the risk assessment tools

would be different in case of technology risk because to assess

adequately and to prioritize technology risk, the risk assessment

tools must be supplemented with methodologies specifically geared

to technology.

As in the case of enterprise risk assessment tools, ready-made

methods and tools developed by vendors can be used for TRA also.

However, a number of challenges are involved in using these ready-made

tools: vendor methodologies may not continuously

update the TRA throughout the year due to the costs involved, the

outsourced methodology/tool may not understand the bank’s specific

issues, etc.

The American Bankers Association lists the following

recommended resources for TRAs:

International Standards Organization (ISO) 17799 (ISO Standards)

Control Objectives for Information Technology (COBIT)

SysTrust

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

National Institute of Standards and Technology (NIST)

These resources are inexpensive to implement and serve the

purpose in most cases. They are based on extensive research from

government and professional security experts and are vendor neutral.

These methodologies enjoy an excellent reputation among corporate

governance experts.


A summary description of each of the above TRA methods is

as follows:

ISO Standards

The ISO, along with the International Electrotechnical

Commission, forms the specialized system for worldwide

standardization. The stated purpose of the ISO standards is to

“provide a common basis for developing organizational security

standards and effective security management practice and to provide

confidence in inter organizational dealings.” Originally developed

in Britain, it is a favored TRA approach in Europe. The standard is

often referenced and leveraged by other prominent methods and

covers 10 areas, namely: Security policy, Communications and

operations management, Organizational security, Access control,

Asset classification and control, System development and

maintenance, Personnel security, Business continuity management,

Physical and environment security, and Compliance.

COBIT


COBIT has been developed as a generally applicable and

accepted standard for good IT security and control practices that

provides a reference framework for IT governance. COBIT is

sponsored by the IT Governance Institute, established by the

Information Systems Audit and Control Association (ISACA), and

addresses risk from both the business and technology perspectives. It

is an internationally recognized tool, incorporating both operational

management and audit concerns, which has been adopted in

organizations including the US House of Representatives, Charles

Schwab & Co., and Swift.

The framework comprises 34 high-level control objectives

belonging to four domains. For each control objective, audit

procedures and management guidelines are provided. The latter

guidelines uniquely provide COBIT with a business management

perspective; maturity models, critical success factors, key goal

indicators, and key performance indicators are provided for each of

the high-level control objectives.

COBIT focuses on processes and their ownership. It provides

excellent methodology for various parts of an organization to have

the same perspective on IT risk management. However, COBIT is

more of a general assessment tool and detailed issues are to be

considered in the form of audit programs. As such some consider it

to be too theoretical.

SysTrust

The American Institute of Certified Public Accountants

(AICPA) and the Canadian Institute of Chartered Accountants

(CICA) introduced a service to provide assurance on the reliability

of systems. The purpose of this service, known as SysTrust, is to

increase the comfort of management, customers and business

partners with the systems that support a business or particular

activity. The service considers four principles to evaluate whether a

system is reliable.

Availability: The system is available for operation and use at

times set forth in service level statements or agreements.

Security: The system is protected against unauthorized

physical and logical access.


Integrity: System processing is complete, accurate, timely

and authorized.

Maintainability: The system can be updated when required

in a manner that continues to provide for system availability,

security and integrity.

Although SysTrust was not necessarily developed as a risk

management tool, many organizations have found that the SysTrust

principles could be adopted as an effective RA tool since the

principles provide a stakeholder’s perspective on the impact of

technology on business activities. The AICPA/CICA is currently

considering a new version of the SysTrust tool that would also

incorporate e-commerce activities. Under the revision, five

principles would replace the four above. The principles considered would

include security, availability, processing integrity, online privacy

and confidentiality.

SysTrust provides good high-level questions for an overview

on overall reliability but may not provide detailed methods for

intended objectives. It is more of an executive level assessment

perspective rather than at operational level. However, it also has

provision for third party assessment and covers security also.


OCTAVE

Developed by the Software Engineering Institute (SEI) at

Carnegie Mellon University, OCTAVE is a comprehensive, self-

directed approach to TRA. It differs from traditional TRAs in that it

first determines which information assets really need to be protected

and then evaluates the technology infrastructure to determine the

vulnerability of those assets. OCTAVE presents an exciting TRA to

ORMs because the SEI is home to the CERT alerts and other

information relating to managing security vulnerabilities. This

robustness of tools, workshops, and publications relating to

OCTAVE significantly enhances an effective assessment by the

ORM.

Specifically, OCTAVE uses a three-phased approach to identify

the technology risk management needs of an enterprise:

Build asset-based threat profiles: Identify important

information assets, the threats to those assets, security and current

risk mitigation strategies.


Identify infrastructure vulnerabilities: Examine technology

infrastructure for vulnerabilities that can be compromised.

Develop security strategy and plans: Based on the results of

the first two phases, develop a strategy based on business priorities

to mitigate risks.

OCTAVE is a full methodology with supporting tools and

leverages from a combination of academic research and industry

practices, but it is geared to larger institutions and the use of it

without formal training is difficult.

NIST

The Information Technology Laboratory (ITL) at the NIST in

USA is a body, which provides technical leadership for the nation’s

measurement and standards infrastructure. These include developing

standards and guidelines for the cost-effective security and privacy

of sensitive unclassified information in federal computer systems.

Like the other organizations mentioned previously, NIST

provides a detailed checklist of IT-related risk mitigation strategies

that should be assessed as a part of a TRA. In addition to its detailed

coverage of security issues, the checklist makes it possible to determine whether risk

is managed by using five “levels of effectiveness”:

1. Control objectives documented in a security policy.

2. Security controls documented as procedures.

3. Procedures have been implemented.

4. Procedures and security controls are tested and reviewed.

5. Procedures and security controls are fully integrated into a

comprehensive program.

However, this is mostly followed by big government

organizations and following these methodologies could be too

burdensome in a smaller organization.


9. PRIMARY DATA & ITS ANALYSIS

The primary data has been collected through surveys in banks (questionnaire) viz., Bank of Maharashtra, ICICI bank, HDFC bank.

Q.1) I.T. in banks is much more advanced than traditional banking? Agree Disagree Fifty-Fifty

ANALYSIS: -

Bank of Maharashtra ICICI HDFC

AGREE 96% 98% 100%

DISAGREE 3% 2% 0%

FIFTY-FIFTY 1% 0% 0%

GRAPH: -

EXPLANATION: -

It is clear from the questionnaire method that everyone agrees to the statement “I.T. in banks is much more advanced than traditional banking”. Approximately ninety-eight percent of bank employees agree to the above statement.

Q.2) The ratio of online transaction v/s manual transaction.

1:2 2:1 Equal Can’t Say

ANALYSIS: -


Bank of Maharashtra ICICI HDFC

1:2 30% 0% 0%

2:1 60% 100% 100%

Equal 0% 0% 0%

Can’t Say 10% 0% 0%

GRAPH: -

EXPLANATION: -

According to the above data collected it is clear that

approximately ten percent of employees say that the ratio of

online transaction v/s manual transaction is 1:2, eighty-seven

percent say it is 2:1, zero percent say it is equal & three percent

can’t say anything.

Q.3) Information technology in banks encouraging online frauds.

Yes No To some extent

ANALYSIS: -

Bank of Maharashtra ICICI HDFC

Yes 90% 92% 98%

No 6% 5% 1%

To some extent 4% 3% 1%

GRAPH: -


EXPLANATION: -

According to the above data collected it is clear that

approximately ninety-three percent of employees say yes, four

percent say no and three percent say to some extent.


Q.4) Type of banking facility that will be friendly to illiterate customer.

Online banking Manual-banking Both

ANALYSIS: -

Bank of Maharashtra ICICI HDFC

Online banking 2% 0% 0%

Manual banking 97% 98% 100%

Both 1% 2% 0%

GRAPH: -


EXPLANATION: -

According to the above data collected it is clear that

approximately ninety-seven percent of employees say that the manual

banking type of facility is friendly to illiterate customers, two

percent say online banking and one percent say both online as well

as manual banking are friendly to illiterate customers.


Q.5) In what way I.T. in banks affects the work of the employees.

Increases the work Decreases the work Same at both levels

ANALYSIS: -

Bank of Maharashtra ICICI HDFC

Increases the work 45% 30% 40%

Decreases the work 50% 63% 55%

Same at both levels 5% 7% 5%

GRAPH: -


EXPLANATION: -

According to the above data collected it is clear that

approximately thirty-eight percent say I.T. in banks increases the

work of the employees, fifty-six percent say it decreases the work and

six percent say it is the same at both the levels.


Q.6) Is I.T. in banks increasing the cost of banking operations / banking transactions?

Yes No Equal

ANALYSIS: -

Bank of Maharashtra ICICI HDFC

Yes 98% 94% 100%

No 2% 5% 0%

Equal 0% 1% 0%

GRAPH: -


EXPLANATION: -

According to the above data collected it is clear that approximately eighty-seven percent of employees say yes, i.e. I.T. increases the cost of banking operations or banking transactions, two percent say no and one percent say equal.


10. SECONDARY DATA AND ANALYSIS

Indian Scenario

Major players in the Indian Market

Banks: No. of cards in lakhs

Bank 2002 2003

Citibank 16 20

Stan Chart 14 18

SBI-GE 9 13

According to an analyst, it is estimated that the Indian smart

card industry is growing at around 45% annually and would reach the size

of $6 bn by 2010. In the next five years, the number of smart cards

being used in the country can touch 400 million from around 50

million cards today.

The Government has recently

standardized the technical aspects of smart cards. An operating

system called “SCOSTA” (Smart Card Operating System for

Transport Application) developed by IIT Kanpur has been chosen as

the standard operating system for transport-related projects. India is

planning to issue smart card based identity cards to citizens. State

Governments are also planning to issue smart card based driving

licenses. Kerala recently tried a ration card project at

Thiruvananthapuram. But the lack of resources with state

governments may halt many such projects. States like Kerala have

stopped several smart card related projects due to a resource crunch.

“It is the market for SIM cards for mobile phones that is

growing faster in India, at about 70-80% annually. Once the National

Identity Card project is launched, the demand for smart cards will

skyrocket,” opines Sanjay Dharwadkar, Head of Systems Marketing,

Smart Chip Ltd.

11. FINDINGS AND CONCLUSIONS

According to the survey conducted in Bank of Maharashtra, ICICI Bank & HDFC Bank, the following points are concluded:

1. I.T. in banking sector is much more advanced than traditional banking.

2. Online transactions are more widely used than manual transactions.

3. Manual banking facility is more friendly to illiterate customers.

4. I.T. in banks to some extent reduces the work of employees.

5. I.T. in banks to some extent encourages online frauds.

6. Online banking is much costlier than manual banking. It increases the cost of banking operations.

7. Online banking facility can lead to progress of the banking sector.


12. SUGGESTIONS AND RECOMMENDATIONS

1. Some highly advanced software / programs should be

implemented in banking sector in order to prevent hackers and

frauds.

2. Online banking operations cost or banking transaction cost

should be reduced so that middle class customer can have access to

online banking facility.


3. Further research can be done in topics related to this project viz.,

software application in banking sector, technology and frauds.

4. Awareness programs related to online banking for middle class

people.
