When you conduct an ATM transaction, do you have the lurking fear that your debit card details might be skimmed by fraudsters and your account emptied?
Are you worried that you might become a victim of a ‘phishing’ attack, whereby a bank customer is directed to a fraudulent replica of the bank's Web site on clicking links to enter information (username, password or other personal information), and the fraudster then cleans out the account?
‘Vishing’ attack
Then there is the ‘vishing’ attack, a combination of "voice" and phishing, that you have to contend with. In vishing, a scammer calls and pretends to be a bank representative seeking to verify account information, thus exploiting the public's trust in landline telephone services. It is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
While banks will do their utmost to protect customers' interests to avoid reputation risks and undermining public confidence, customers, on their part, need to be on guard while using information technology-enabled alternate banking delivery channels.
Now, consider the crisis situation that a couple of banks found themselves in when on July 26, 2005, Mumbai faced an unprecedented deluge. With their data centres tripping, the banks tried to activate their disaster recovery sites (DRS) in other geographical locations, but in vain. Reason: due to the breakdown in air connectivity to and from the city, they couldn't move their personnel to the DRS, which were then unmanned.
Huge challenges
Given their dependence on technology for conducting their day-to-day operations, banks are up against huge challenges such as technology obsolescence, dependence on vendors due to outsourcing of IT services, vendor-related concentration risk, and external threats leading to cyber frauds/ crime.
Further, banks face challenges in the form of higher impact due to intentional or unintentional acts of internal employees, new social engineering techniques employed to acquire customers' confidential credentials, the need for governance processes to adequately manage technology and information security, the need for appreciation of cyber laws and their impact, and the need to ensure continuity of business processes in the event of major exigencies.
Technology risks not only have a direct impact – operational risks – on a bank but can also exacerbate other risks such as credit risks and market risks, cautioned the Reserve Bank of India's working group report on electronic banking.
Strategic risk
Inadequate technology implementation can also induce strategic risk as decision making could be based on inaccurate data/ information. Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal requirements arising out of the use of IT. These issues, according to the report, ultimately have the potential to impact the safety and soundness of a bank and in extreme cases may lead to a systemic crisis.
In view of the new age challenges being faced by banks on information security, electronic banking, technology risk management and cyber frauds, the working group exhaustively covered various areas such as IT governance, information security, electronic banking channels such as Internet, mobile, ATMs, IT operations, IT services outsourcing, information system audit, cyber frauds, business continuity planning, customer education and legal issues.
Following the submission of the report to the RBI in January 2011, the Indian Banks' Association along with the Institute for Development & Research in Banking Technology have been tasked with the responsibility of putting in place industry-wide measures to translate the recommendations of the working group into concrete action so as to realise tangible benefits for the banking industry.
The central bank wants actionable and time-bound measures on the relevant recommendations in consultation with other stakeholders.
The IBA, according to its Deputy Chief Executive, Mr K Unnikrishnan, has marshalled the expertise available both within and outside the banking sector to work out the modalities of implementing the recommendations contained in the working group report and make the industry-wide bank security framework more robust and dynamic.
Major recommendations
The Association has formed various sub-committees for tackling implementation of major recommendations of the RBI report. These sub-committees are looking into:
The feasibility of having an exclusive forum for Chief Information Officers and senior IT officials to enable experience sharing and issues of contemporary relevance for the benefit of the industry.
The possibility of putting in place a forum for Chief Information Security Officers to interact and share experiences regarding information security threats. This forum can draw the attention of stakeholders such as the RBI and IBA on any specific information security issues.
The need for creating customised indigenous certification courses to certify specific knowledge and skill sets in IT/ information security area for bank personnel to create a large and diverse pool of requisite talent within the banking system and reduce dependence on vendors.
Maintaining caution lists and scoring for service providers, with the IBA facilitating requisite data sharing between banks to maintain scoring information for existing and new service providers.
Enhancement of investigation skills of the staff in fraud risk management; a training institute for financial forensic investigation could be set up by banks.
The experience of controlling/ preventing frauds in banks should be shared between banks on a regular basis. Banks should start sharing the details of employees who defrauded them so that they do not get hired by other banks/ financial institutions.
There needs to be a multilateral agreement amongst banks to deal with online banking frauds.
In each State, a Financial Crime Review Committee needs to be set up on frauds. This committee could oversee the creation of awareness by banks amongst law enforcement agencies on new fraud types, especially technology based frauds.
Examining modalities for creating industry-wide business continuity planning incorporating all dimensions of the banking industry, including the RBI, financial institutions and financial market infrastructure.