Pages

Wednesday, June 5, 2013

Security System Weak in Banks

Why banks' current defences are not foolproof


As most banks urge customers to shift to the virtual space, their ability to create fortresses against cyber aggresses has come into the spotlight. ET argues that banks' current defences against online fraud are not unbreachable.

Two Indian payment processors, ElectraCard and Enstage, were in the spotlight recently for their alleged role in a $45-million credit card fraud impacting Indian and international banks.

* In the last week of May, phishers embezzled over Rs 5 lakh from the Andhra Pradesh State Road Transport Corporation's bank accounts through refunds after booking over 100 fake tickets and cancelling them.

* Last month, cyber criminals hacked into an RPG group company's bank account and siphoned off Rs 2.4 crore through the real time gross settlement system (RTGS).

* "The total amount involved in frauds relating to credit card, debit card and internet banking rose 74 % to Rs 38.4 crore in 2012." - IT minister to Rajyasabha

These are a few cases of online fraud that came to light recently. With electronic banking on the rise, lenders have become vulnerable to the risks of such transactions, even as regulations are becoming more stringent as far as know your customer (KYC) rules are concerned.

Internet banking still does not account for a significant portion of total transactions in India. In FY13, Rs 31.8 lakh crore was settled via 69.4 crore transactions through various retail electronic banking channels while Rs 18.6 lakh crore was settled through 64 crore card-related transactions, according to Reserve Bank of India's data. In addition, Rs 1,026 lakh crore through 6.85 crore transactions were settled through the real time gross settlement system, or RTGS, involving both retail and interbank transactions. The young generation is increasingly opting for net transactions to settle bills and all kinds of bank-related work from cash transfer and seeking cheque books to passwords for debit cards. Moreover, with banks — including public sector ones — urging customers to opt for net banking, the ability to shield customers from cyber threats will be crucial to gaining their confidence.

From just a few stray cases of identity thefts a few years ago, internet frauds have not only risen in scale but also gone high tech, so much so that it has become difficult to identify the origin of the crime and nail the culprit(s). Cyber heist is an issue that not just Indian banks are faced with. Cyber attacks ranked fourth among top global risks, in terms of likelihood, according to the 'World Economic Forum Report: Global Risks 2012'.

When internet banking was introduced in the country, it was felt that having a password-protected account was adequate to ensure safety, but not any more. The cyberthreat landscape has changed. Five to seven years ago, most frauds were related to identity thefts, the techniques adopted by fraudsters were easy to trace and these did not involve big money either.

But over the years, online heist has become an organised crime. Hackers are spread across the globe, from Africa to Russia and China, and each one has his or her own technique. The attacks involve compromising a bank's database with systemlevel implications. Apart from the internet, mobile transactions, that are finding favour among customers, could also be hit. Globally, targeted attacks rose 42% in 2012. India is ranked third globally in terms of vulnerability, accounting for 6.5% of the total targeted attacks in 2012, according to California-based Symantec's Internet Security Threat Report, 2013.

"Top emerging information security threats in the internet banking space are malware, social engineering, distributed-denial-of-service (DDoS) and phishing attacks," says Nitin Bhatnagar, head of business development SISA, an information security services provider.

Awareness, education key
From a customer perspective, awareness and education are the keys, which banks are taking seriously, as mandated by the RBI, through their websites and mails to clients. Banks are also investing in adding more security features to customers' accounts. One of the features that banks added recently is the 'digitised signature'.

Most frauds occur when customers show laxity in complying with security. Information for attack can also be gathered from a bank's staff. Awareness can act as a crucial fortress against cyber aggresses. KVS Manian, head of consumer banking Kotak Mahindra Bank says, "RBI has detailed guidelines on banks' IT policy which stipulates a board-approved policy, among other things. Customer education apart, we have to keep investing in upgrading systems as well."

Banks have started integrating their fraud management and internet-security systems. "Also, banks are getting more stringent with outsourcing. The security standards that banks adopt, is also used by their business partners," says Surinder Singh, regional director, India & SAARC, Websense, a security solutions provider. This would ensure that information does not leak through clients' data.

In February, replying to questions in Parliament, minister of state for finance Namo Narain Meena said 8,322 cases of frauds related to cards and internet banking were reported in 2012, involving Rs 52.7 crore. Given the value of frauds reported, these have not yet had any balance-sheet implications. But, there could be other implications "in terms of law suits, customer confidence and damage to reputation built over years," says Bhatnagar.

The affected customers may sever their relationship with banks, which in turn could impact their business adversely. "Cyber security is not just an IT issue, but a core business issue requiring top management attention. In addition to updating technology and mitigating cyberfraud risks, banks must continue to educate their customers on such emerging threats," says Darshan Patel, executive director, forensic services, PwC India.

Internet security experts say that one of the problems is that Indian banks do not report fraud, in contrast to many advanced economies where there is a legal mandate to do so. "Unfortunately, there is no legislation to make frauds public. In India, banks are not legally mandated to put frauds in the public domain," says Singh. Only 21% of victims reported cybercrime to the police, according to a KPMG report of May 2012.


Penalties on banks in India ‘peanuts’: Subbarao


In the backdrop of recent violations of banking norms by some public sector as well as private banks, RBI Governor D. Subbarao believes that penalties for such offences in India amounted to “peanuts” compared to those in the West.
Erring banks can face a maximum penalty of Rs 1 crore in India, he told PTI, adding that it was up to the lawmakers to decide whether this should be increased.
Barclays was penalised $450 million, he said in a reference to the fine imposed on the British bank last year to settle charges of manipulating key interest rates.
Asked about the recent expose in which officials of these banks were shown purportedly expressing their willingness to indulge in a whole lot of violations, Subbarao said the RBI planned to take early action against the errant banks.
“What action? I cannot tell you because action on this has to be taken at a lower level at the RBI. So it is premature to conclude that the RBI is going soft or harsh on this.
“We got to follow a process. Just because media is investigating today, we can’t say the RBI has to penalise tomorrow otherwise it is soft,” he told PTI in an interview.
The Governor said that under rule of law, there is a process to be followed and it was being followed.
“After the process comes to a close, which I hope is sooner rather than later, you believe the penalty has been too soft or too harsh, you have a privilege to make a statement,” he said.
Referring to the special investigation that was done into Cobrapost’s expose on some major private banks, Subbarao said the bank managements were issued show-cause notices and action will be taken accordingly.
He said RBI alone cannot check money laundering and banks too cannot ascertain the source of money while taking deposits.
“Is this money laundering, we do not know...we are not saying there is no money laundering. I am saying whether this money laundering has to be investigated by a much bigger process involving much bigger agencies,” Subbarao

Banks need to correct asset liability mismatch before they reduce lending rates: India Ratings & Research

KOLKATA: Indian banks may have to address funding gaps before they could aspire to lower lending rates for revival in investments, a research report said. 

India Ratings & Research said banks are relying more on short term deposits for giving long term loans, creating huge asset liability mismatches for many banks. 

Deposits maturing under one year accounted for 45% of total deposits in 2013 up from 33% in 2002, while average loan life in most government banks have lengthened with 25% of them having a maturity span of five years as the share of infrastructure and home loans increased in banks since 2008. 

For these banks, the cumulative negative gap up to one year was 17.5% of assets at end-March 2012, compared with under 4% in 2002. The gap was over 20% in eight banks; of particular concern were three government banks where the negative gap was higher than the stock of government securities and cash. 

India Ratings & Research said the mismatch has built refinance pressure on them and made it difficult for them to reduce deposit rates. As a result, banks have been slow to reduce their lending rates and base rates for the banking system have fallen by an average 40 basis points since April 2012, compared with 125 bps reduction in repo rate. 

"The trend of high funding gaps in the banking system is not sustainable, since apart from policy challenges it could also put pressure on net interest margins if lending rates were to reduce ahead of deposit rate cuts," the rating company said. 

Banks are allowed to raise long terms funds in infrastructure bonds but none has issued them while they continued to rely on retail deposit to reduce maturity profile and try to boost net interest margin in a competitive market. 

Banks have been trying to reduce the structural imbalance by encouraging long-term deposits. However, their availability is limited to large banks. "A sustainable source of long-term liabilities is therefore needed to match the growth in long-term infrastructure and residential mortgage loans.

Regulations do not permit banks to issue senior bonds in the domestic market unless they are backed by infrastructure loans, which is yet to take off," the company said, underscoring the need to consider allowing banks issue senior long-term debt within limits.

No comments:

Post a Comment