How Risky Is Online Banking - Research Paper Example

Research Methods How Risky Is Online Banking Table of contents Introduction 2. Risk in Internet Banking 3. Risk Management 4. Internal & External Controls 5. Use of Technology 6. Outsourcing 7. Conclusion 8. References 9. Appendices Introduction Banking is no longer a luxury. It is a habit and a need that is constant. In the current environment Plastic (Cards) have replaced Cash and transactions have multiplied to unimaginable levels. The amount of transactions has run into billions per day. Internet Banking refers to the provision of banking services and products via electronic delivery channels based on computer networks or internet technologies, including fixed line, cellular or wireless networks, web-based applications and mobile devices. For the purpose of this paper, the generic reference to bank or banks includes financial institutions which provide online trading or other financial services and products on the internet and interconnected networks. Where appropriate, internet banking is to be regarded as synonymous with online financial services. (SMA)1 Banks and financial service companies are offering wireless account access for following reasons: Extension of applications over internet Delivery to highly portable cell phones & personal digital assistants More people getting devices Features improving as technologies advance Improve customer retention rates, especially technology oriented customer It is fairly common to have more than one account and often it is impossible for Banks to know the customer so well. Hence, with the proliferation of customers, cards and devices, each one operating from all and any location, fraud has become easier. The prey is both the Banks and their customers. Internet has changed our way of life. While many a good things can be said about it but it is a godsend to both honest and the dishonest alike. The web cannot distinguish one from the other and the Bank and its customer are both vulnerable to a conman. Still, Internet Banking is here to stay and it vast reach is getting bigger by the day. Banks are now delivering both Information and activity over the net and both forms are equally in demand by customers. Generally Banks offer the following services as routine: Cash Management Wire Transfer Automated Clearing House service Online Bill Payments Funds Transfers Balance inquiry and Mini statements Loan applications Portfolio Services Other value added services The main reasons behind these services are cost efficiency and competition. In the first case it is certainly less expensive to dispense these services over the internet than physically at branch levels. Cost of processing an internet transaction is estimated at one cent as against 25 cents through ATM’s and more than a dollar when done manually at Branch. (Booz, Allen & Hamilton).2 Times are also flexible and the convenience of transacting with the customer at his convenience and yet offer efficient and satisfactory service is a huge plus from the marketing angle too. In the second case since all Banks are now offering similar conveniences, the winner is the bank which offers the fastest processing of transaction in most secured environment. Since 2001 there have been significant legal and technological changes with respect to protection of customer information. 3 We need to study the various pitfalls the Bank is likely to face in its pursuit of Internet banking and to determine how risky it is to operate in this environment. Risk in Internet Banking Internet Banking comes at a risk, and has to be safeguarded very meticulously. Several different kinds of Risk’s have been identified and are detailed as under. Credit Risk – This is the risk inherent in all Bank Transactions whether they are in physical or Remote transactions. It is always an open question whether the customer will keep his part of the contract and pay up. However over the net, due to the impersonal nature and vast geographical areas involved, the risk becomes greater. Price Risk – Banks are particularly vulnerable when a transaction involves value of shares that are different in area and in currency and conducted over different time-zones. The swift changes pose a risk to both earnings and the capital of the bank. Foreign Exchange Risk - When the currency of lender and borrower are different this risk can actually become a threat due to the volatile nature of exchange markets. Transaction Risk – This is inherent in all varieties of transaction as this is the risk of someone trying to defraud the bank intentionally. However it increases manifold in an Internet transaction due to the impersonal nature. Almost anyone can get away with it if he has proper tools and information, which was fraudulently obtained in the first place. Compliance Risk – This is a risk that happens when some law or regulation is broken, intentionally or otherwise. This is highly possible when transactions are internationally conducted and the banks may not be fully geared up to measure the impact of the action. Risk to Reputation – This arises when there are negative perceptions or opinions in the public mind aired over a wide variety of media or may even be verbal. They act like the run-on-the-bank of the old era when a bank could go bankrupt with one small incident taking place anywhere. This can happen even today and this is a constant challenge. Interest Rate Risk – Because of quick movements in interest rates, particularly when transactions are convertible in different currencies and countries there is this risk that effect earnings and sometimes even the capital of the bank. Liquidity Risk – This poses a tough question as it is quite difficult to anticipate from which part of the world this can arise and have a snowballing effect on the entire operations of a bank. The geographic outreach is a phenomenon that can become a nightmare if not properly planned and monitored. Strategic Risk – Poor management of Internet resources could lead to poor business decisions resulting in loss of earnings or capital or both. Risk Management This brings us to the important question of Risk Management. The Bank has to have a policy framework worked out based on the above potential risks and to draw comprehensive contingency plans to face any of them should the occasion arises. Banks must be able to manage and control risks in a manner that would allow them the capacity to absorb any related losses that may eventuate without jeopardizing their financial soundness and stability. When deciding on the adoption of alternative controls and security measures, management should also be conscious of their costs and effectiveness in respect of the risks being treated or mitigated. Conversely, it is also important that the bank does not offer a product or service on the internet if the necessary controls and security measures cannot be adequately implemented. (SMA)4 Banks need to have several controls to exercise effective risk management through use of technology. They must establish objectives and goals, set targets and then monitor them continuously to evaluate performance. Technology risks relate to any adverse outcome, damage, loss, disruption, violation, irregularity or failure arising from the use of or reliance on computer hardware, software, electronic devices, on line networks and telecommunications systems. These risks can also be associated with systems failures, processing errors, software defects, operating mistakes, hardware breakdowns, capacity inadequacies, network vulnerabilities, control weaknesses, security shortcomings, malicious attacks, hacking incidents, fraudulent actions and inadequate recovery capabilities. (SMA)5 The technology selection has to be based on following parameters: The Planning process – Determine the objective, understand the requirements and deliverables, design the technology on knowledge of the product required. Judgemental values must be continuously upgraded to fill in gaps in knowledge. The technology has to support the Banks strategic needs and the Bank must have skilled personnel to handle this technology. Implementation Process – to plan the implementation methods to become operative simultaneously and to be able to deliver data seamlessly at all locations dynamically. To train staff and upgrade them on the techniques and technology requirements to make accurate responses to needs. Both software and hardware are to be considered in tandem and vendors need to be selected in accordance with needs and deliverables. Previous experience is important. Controls have to be put in for effective risk management Monitoring Process – To put safety checks at all vulnerable points, identified in advance, for stage wise processing of any transaction and to place validations wherever required. Again having skills to do the above is of paramount importance. Audit – To have regular or continuous audit features to verify 1. That the technology provided is consistent in results 2. That Data is available at every point 3. That Disaster Recovery methods are in place and actually work 4. That Data Integrity is ensured and proper authorizations features are followed 5. That Data confidentiality is observed and privacy is ensured 6. That there is a reliable Management Information System in place The Audit will be successful only if following controls have been put in place. Internal Controls like transaction records and trial balances have to be in place to track and validate. Operational Controls like setting budgets and evaluating actual performance have to be actually decided and records have to be matched periodically to find out the gap areas. Administrative Controls like having internal and external audits with defined procedural guidelines need to be established and people have to be either trained or people with high standards of skill have to be hired. This is a very important aspect and no let up should occur here. Internal controls will be measured in terms of Preventive, Detective and Corrective controls. Each area will need to be defined and rules and procedures spelled out so that whenever an event takes place, there will be a system in place for taking required action. This will ensure that loss is either avoided or reduced substantially. Regular testing, reporting, improving is all hallmark of corrective controls. A very important aspect of controls is Disaster recovery. Business continuity planning are crucial in the development and preparation of contingency arrangements for restoring and resuming critical business operations following disaster that may occur at the primary data processing site. No system is infallible or invulnerable to mishaps. Effective means to rapid recovery is very critical. A bank must identify comprehensively what types of disasters are planned for in the recovery plan. Disasters can range from a total loss of service due to a natural calamity to a disastrous system failure caused by software faults or hardware break down. A substantial task in disaster recovery planning is putting together a consequential set of contingency operating procedures that cover varying scenarios of operational interruption or system breakdown.  Due Diligence and Complete Understanding of the Issues Controls need to be further scaled down to the transaction level. Here the potentials risk of each transaction is to be defined and risk or exposure calculated and the transactions is then modelled to have embedded features to prevent misuse by error or design. Trap and Trace Techniques are methods that are preventive in nature and must be used extensively. However care has to be taken that they do not become overbearing and the customer looses interest in the transaction itself and moves away to competition offering simpler methods. Great amount of skill is required to design these especially for products that involve foreign currencies and local laws and regulations. Again there will always be a need to upgrade these facilities from time to time as on the Internet we find a lot of enterprising people who test the ability of systems to survive a planned attack. Security Security is a huge concern and it just not ends with internal security but extends to external requirements too. A huge number of transactions are always flowing through the World Wide Web on open and feely accessible information highway. Although some amount of dedicated server capacity is possible but when geographies do not matter and access is available from any corner of the globe, such dedication is impossible. The institutions like banks too are not located everywhere but their customers will be found everywhere. This leads to collaborations, joint ventures and limited partnerships as well as associations and representations amongst themselves. All such participating activities leave the systems vulnerable and security then assumes high priority. Here is where the preventive, detective and corrective internal controls, mentioned earlier become pivotal. Today software has scaled such heights that sniffers can obtain passwords, account numbers, card details and others despite all kinds of controls.. Firewalls are a good mean to stop unlawful intrusions but they need to be configured well. However they have been known to have been penetrated too. A continuous upgradation to maintain efficiency and effectiveness is necessary in this case. Authentication is necessary and can prevent these issues. This enables a bank to verify its customer who is entering a transaction. In this case the use of public/private keys enable the bank to verify and check on the customer involved. While the private key is known only to the customer the public key has been issued to him by the bank. An authentication of both helps determines the correctness of the transaction. An effective authentication system is necessary for compliance with requirements to safeguard customer information,6 another compliance requirement is prevention of money laundering and terrorist financing.7 Encryption has been around for a long time and is a legacy of the world wars. But this has become a refined science now and this is a comparatively safe option. But various levels of encryptions are desirable depending on the nature of transaction as the more complex one slows down the system. Agency guidelines have elaborated on this risk-based and “layered” approach to information security.8 Special attention is to be given to recent phenomena of “phishing, pharming and malware, as they have now assumed alarming proportions. They are all intentional programs and not innocent and unintentional attacks. Outsourcing An important question that arises is whether the Banks or Financial Institution should carry out all work of developing systems, designing softwares and performing monitoring and audit, all by themselves or should they outsource these jobs. In this era of specialization there are specialists who can perform these jobs better but the argument against them is that the controls then become either too rigid or too lax and the bank and its customers loose the close connection between themselves. In recent times we have seen the case of JP Morgan who had outsourced their activities to IBM but even after 2 years it was considered a disaster and they both parted ways.9 This is not to say that per se such an outsourcing is not beneficial to either party, but these must be considered very carefully before a major decision is taken. A lot of Human Resource problems occur and insecurities of changeover dominate the minds of the existing workers which lead to fall in quality of service. Conclusions As stated above Internet Banking is here to stay and prosper. For a bank that wishes to introduce Internet Banking for enhancing its business, the risk management will be top priority. The following steps are suggested for smooth entry into this sector, Customer Orientation Programme. This can be done by offering the whole setup on the bank’s website and by offering a tour of same to customers. This will make the customer more comfortable when the system comes into operation. To begin with offer simpler services like account and balance information, bank statements on line, tracking of a transaction, cheque book issue and other similar Next the bank should offer services like fund transfers, issue of Bankers Cheques or Demand drafts, acceptance of standing instructions, management of fixed deposits recording of loss of cards Finally advanced banking features are to be introduced. These will be account settlements, loans, hire-purchase transactions and other corporate transactions. Banks who offer Internet-based products need to adopt very reliable methods and use sophisticated tools for authentication of the customers and the transaction. The level of such authentication will largely depend upon the risk perceived and involved. Therefore it is a great necessity to conduct a thorough investigation to determine the risk and its various levels for different kind of products. Where it becomes that a single factor based authentication will fail to contain risk then a multi layered authentication is required to be factored in. Reasonable calculated factors will mitigate these risks. Under all laws and regulations, all agencies are agreed upon one fact that, a single factor authentication as the only controlling element is totally inadequate to protect information about the customer or to movement of funds between two or more parties. There is a fair amount of risk involved with Online Banking, but if proper precautions are taken, systematic controls are established, diligent practices are followed and adequate provisions are made, then Online Banking is as safe as any other normal commercial venture. Reference: 1. Singapore Monetary Authority, Technology Risk Management Guidelines 2003 2. Survey by Booz, Allen and Hamilton, April 1998. 3. Interagency Guidelines Establishing Information Security Standards. (IGEISS)Sec I.C.2.12CFR Part 30, app.B(OCC); etc. 4. Singapore Monetary Authority, Technology Risk Management Guidelines 2003. 5. Singapore Monetary Authority, Technology Risk Management Guidelines 2003. 6. IGEISS sec ^01 (b) of Gramm-Leach-Bliley Act, 15 USC 6801. 7. US Patriot Act, 31 USC # 5318(1) Sec 326. 8. FFIEC IT Examination Handbook, Security Booklet Dec 2002. and e-Banking Booklet, August 2003. 9. IDG News Service, September 15, 2004. Appendices: Source: Survey conducted by Booz, Allen & Hamilton in April 1998 Read More