Internet banking

Name: Hemal Patel, Abhishek Tinjani
Subject: Research Methodology
Report: Internet banking
Submitted to: Mr. Shreekant Iyenger
Date: 20 December 2012

Contents:

Introduction
Literature review
The Indian Scenario
Types of risks associated with Internet banking
Security Standards for Internet Banking
Legal Issues involved in Internet banking
Regulatory and supervisory concerns
Recommendations
References and bibliography

Objectives (Indian context):

1. To study Internet banking versus conventional banking
2. To study consumers' perception of Internet banking
3. To analyze the present and future market of Internet banking
4. To discover the barriers to adoption of e-banking technology

Introduction

Online banking (or Internet banking or E-banking) allows customers of a financial institution to conduct financial transactions on a secure website operated by the institution, which can be a retail or virtual bank, credit union or building society. It may include any transactions related to online usage.

To access a financial institution's online banking facility, a customer having personal Internet access must register with the institution for the service, and set up some password (under various names) for customer verification. The password for online banking is normally not the same as for telephone banking. Financial institutions now routinely allocate customer numbers (also under various names), whether or not customers intend to access their online banking facility. Customer numbers are normally not the same as account numbers, because a number of accounts can be linked to the one customer number. The customer will link to the customer number any of those accounts which the customer controls, which may be cheque, savings, loan, credit card and other accounts.

To access online banking, the customer would go to the financial institution's website, and enter the online banking facility using the customer number and password. Some financial institutions have set up additional security steps for access, but there is no consistency to the approach adopted.

Technology has advanced a lot in these years, and so has Internet banking. Internet banking has increased in the last few years because of the ease of access and because people can get transactions done just by clicking from home.

Features: The common features fall broadly into several categories.

A bank customer can perform some non-transactional tasks through online banking, including:

- Viewing account balances
- Viewing recent transactions
- Downloading bank statements, for example in PDF format
- Viewing images of paid cheques
- Ordering cheque books
- Downloading applications for M-banking, E-banking etc.

Bank customers can transact banking tasks through online banking, including:

- Funds transfers between the customer's linked accounts
- Paying third parties, including bill payments (see, e.g., BPAY) and telegraphic/wire transfers
- Investment purchase or sale
- Loan applications and transactions, such as repayments of enrolments
- Financial institution administration
- Management of multiple users having varying levels of authority
- Transaction approval process

There are many advantages of online banking. It is convenient, it isn't bound by operational timings, there are no geographical barriers and the services can be offered at a minuscule cost. Electronic banking has experienced explosive growth and has transformed traditional practices in banking (Singhal & Padhmanabhan, 2008).

Literature Review

Internet banking changed both the banking industry and banks' services to their customers. Anywhere banking came to be recognized as an opportunity also for differentiated and competitive services. Ancillary online services like checking account status, fund transfer, ordering demand drafts, loan applications, credit card verifications, shopping portals etc., as well as not requiring a visit to the branch during office hours, were viewed as high-value offerings and increasingly started to become a necessity rather than a service (Iyengar & Belvalkar).

Types of Internet Banking (Sarma & Singh, 2010)

Understanding the various types of Internet banking products will help examiners assess the risks involved. Currently, the following three basic kinds of Internet banking are being employed in the marketplace:

Informational: This is the basic level of Internet banking. Typically, the bank has marketing information about the bank's products and services on a stand-alone server. The risk is relatively low, as informational systems typically have no path between the server and the bank's internal network. This level of Internet banking can be provided by the bank or outsourced. While risk to a bank is relatively low, the server or website may be vulnerable to alteration. Appropriate controls therefore must be in place to prevent unauthorized alterations to the bank's server or website.

Communicative: This type of Internet banking system allows some interaction between the bank's systems and the customer. The interaction may be limited to electronic mail, account inquiry, loan applications, or static file updates. Because these servers may have a path to the bank's internal networks, the risk is higher with this configuration than with informational systems. Appropriate controls need to be in place to prevent, monitor, and alert management of any unauthorized attempt to access the bank's internal networks and computer systems. Virus controls also become much more critical in this environment.

Transactional: This level of Internet banking allows customers to execute transactions. Since a path typically exists between the server and the bank's or outsourcer's internal network, this is the highest risk architecture and must have the strongest controls. Customer transactions can include accessing accounts, paying bills, transferring funds, etc.

The Indian Scenario

Private banks in India were the first to implement Internet banking services in the banking industry. Because of their late entry into the industry, private banks understood that establishing a network in remote corners of the country is a very difficult task. It was clear to them that the only way to stay connected to customers at any place and at any time is through Internet applications. They took Internet applications as a weapon of competitive advantage to corner the great monoliths like State Bank of India, Indian Bank etc. Private banks are pioneers in India in exploring the versatility of Internet applications in delivering services to customers (Singhal & Padhmanabhan, 2008).

As many as 7% of account holders in the country are using the Internet for banking transactions, while branch banking has fallen by a full 15 percentage points, according to a report by global management consultancy McKinsey & Company (India, 2011). Financial products and services have become available over the Internet, which has thus become an important distribution channel for a number of banks. Banks boost technology investment spending strongly to address revenue, cost and competitiveness concerns.

The purpose of the present study is to analyze such effects of IB in India, where no rigorous attempts have been undertaken to understand this aspect of the banking business. A study of Internet users, conducted by the Internet and Mobile Association of India (IAMAI), found that about 23% of the online users prefer IB as the banking channel in India, second to ATM, which is preferred by 53%. Out of the 6,365 Internet users sampled, 35% use online banking channels in India.

This shows that a significant number of online users do not use IB, and hence there is a need to understand the reasons for not using it. Until the advent of ATMs, people were unaware of and/or not directly affected by the technological revolutions happening in the banking sector. ATMs became the major revelation for customers, since they offered the facility to avoid long queues in front of the cashiers in banks. They also provided the flexibility of withdrawing money anytime, anywhere. In the study by IAMAI, it was found that people are not doing financial transactions on the banks' Internet sites in India because of reasons such as security concerns (43%), preference for face-to-face transactions (39%), lack of knowledge about transferring online (22%), lack of user friendliness (10%), or lack of the facility in the current bank (2%) (Safeena, Date, & Kammani, 2011).

The Indian results closely track the global trends as well. Conducted among 19,216 people from 24 countries, the survey showed banking and keeping track of finances, shopping and searching for jobs are the main tasks of Internet users around the globe. Overall, 60% of people surveyed used the web to check their bank account and other financial assets in the past 90 days, making it the most popular use of the internet, Ipsos said.

Internet Banking Risks (Ramakrishan, 2001)

Internet banking does not open up new risk categories, but rather accentuates the risks that any financial institution faces. The board and senior management must be cognizant of these risks and deal with them appropriately. These risks, which often overlap, are briefly described below:

Strategic risk- This is the current and prospective risk to earnings and capital arising from adverse business decisions or improper implementation of business decisions. Many senior managers do not fully understand the strategic and technical aspects of Internet banking. Spurred by competitive and peer pressures, banks may seek to introduce or expand Internet banking without an adequate cost-benefit analysis. The organization structure and resources may not have the skills to manage Internet banking.

Transaction risk- This is the current and prospective risk to earnings and capital arising from fraud, error, negligence and the inability to maintain expected service levels. A high level of transaction risk may exist with Internet banking products, because of the need to have sophisticated internal controls and constant availability. Most Internet banking platforms are based on new platforms which use complex interfaces to link with legacy systems, thereby increasing risk of transaction errors. There is also a need to ensure data integrity and non repudiation of transactions. Third-party providers also increase transaction risks, since the organization does not have full control over a third party. Without seamless process and system connections between the bank and the third party, there is a higher risk of transaction errors.

Compliance risk- This is the risk to earnings or capital arising from violations of, or non-conformance with, laws, regulations and ethical standards. Compliance risk may lead to diminished reputation, actual monetary losses and reduced business opportunities. Banks need to carefully understand and interpret existing laws as they apply to Internet banking and ensure consistency with other channels such as branch banking. This risk is amplified when the customer, the bank and the transaction are in more than one country. Conflicting laws, tax procedures and reporting requirements across different jurisdictions add to the risk. The need to keep customer data private and seek customers' consent before sharing the data also adds to compliance risk.
Customers are very concerned about the privacy of their data and banks need to be seen as reliable guardians of such data. Finally, the need to consummate transactions immediately (straight-through processing) may lead to banks relaxing traditional controls, which aim to reduce compliance risk.

Reputation risk- This is the current and prospective risk to earnings and capital arising from negative public opinion. A bank's reputation can be damaged by Internet banking services that are poorly executed (e.g., limited availability, buggy software, poor response). Customers are less forgiving of any problems and thus there are more stringent performance expectations from the Internet channel. Hypertext links could link a bank's site to other sites and may reflect an implicit endorsement of the other sites.

Information security risk- This is the risk to earnings and capital arising out of lax information security processes, thus exposing the institution to malicious hacker or insider attacks, viruses, denial-of-service attacks, data theft, data destruction and fraud. The speed of change of technology and the fact that the Internet channel is accessible universally makes this risk especially critical.

Credit risk- This is the risk to earnings or capital from a customer's failure to meet his financial obligations. Internet banking enables customers to apply for credit from anywhere in the world. Banks will find it extremely difficult to verify the identity of the customer, if they intend to offer instant credit through the Internet. Verifying collateral and perfecting security agreements are also difficult. Finally, there could be questions of which country's (or state's) jurisdiction applies to the transaction.

Interest rate risk- This is the risk to earnings or capital arising from movements in interest rates (e.g., interest rate differentials between assets and liabilities and how these are impacted by interest rate changes). Internet banking can attract loans and deposits from a larger pool of customers. Also, given that it is easy to compare rates across banks, pressure on interest rates is higher, accentuating the need to react quickly to changing interest rates in the market.

Liquidity risk- This is the risk to earnings or capital arising from a bank's inability to meet its obligations. Internet banking can increase deposit and asset volatility, especially from customers who maintain accounts solely because they are getting a better rate. These customers tend to pull out of the relationship if they get a slightly better rate elsewhere.

Price risk- This is the risk to earnings or capital arising from changes in the value of traded portfolios or financial instruments. Banks may be exposed to price risk, if they create or expand deposit brokering, loan sales or securitization programs as a result of Internet banking activities.

Foreign exchange risk- This arises when assets in one currency are funded by liabilities in another. Internet banking may encourage residents of other countries to transact in their domestic currencies. Due to the ease and lower cost of transacting, it may also lead customers to take speculative positions in various currencies. Higher holdings and transactions in nondomestic currencies increase foreign exchange risk.

Security issues for Internet Banking:

The Internet has provided a new and inexpensive channel for banks to reach out to their customers. It allows customers to access banks' facilities round the clock, 7 days a week. It also allows customers to access these facilities from remote sites, home etc. However, all these capabilities come with a price. The highly unregulated Internet provides a less than secure environment for the banks to interface.

The banks planning to offer Internet banking should have explicit policies on security. An outline for a possible framework for security policy and planning has also been given.

1. Security: Security in Internet banking comprises both the computer and communication security. The aim of computer security is to preserve computing resources against abuse and unauthorized use, and to protect data from accidental and deliberate damage, disclosure and modification. The communication security aims to protect data during the transmission in computer network and distributed system.

2. Authentication: It is a process of verifying claimed identity of an individual user, machine, software component or any other entity. For example, an IP Address identifies a computer system on the Internet, much like a phone number identifies a telephone. It may be to ensure that unauthorized users do not enter, or for verifying the sources from where the data are received. It is important because it ensures authorization and accountability. Authorization means control over the activity of user, whereas accountability allows us to trace uniquely the action to a specific user. Authentication can be based on password or network address or on cryptographic techniques.

3. Access Control: It is a mechanism to control the access to the system and its facilities by a given user up to the extent necessary to perform his job function. It provides for the protection of the system resources against unauthorized access. An access control mechanism uses the authenticated identities of principals and the information about these principals to determine and enforce access rights. It goes hand in hand with authentication. In establishing a link between a bank's internal network and the Internet, we may create a number of additional access points into the internal operational system. In this situation, unauthorized access attempts might be initiated from anywhere. Unauthorized access causes destruction, alterations, theft of data or funds, compromising data confidentiality, denial of service etc. Access control may be of discretionary and mandatory types.

4. Data Confidentiality: The concept of providing for protection of data from unauthorized disclosure is called data confidentiality. Due to the open nature of the Internet, unless otherwise protected, all data transfer can be monitored or read by others. Although it is difficult to monitor a transmission at random, because of the numerous paths available, special programs such as sniffers, set up at an opportune location like a Web server, can collect vital information. This may include credit card numbers, deposits, loans or passwords etc. Confidentiality extends beyond data transfer and includes any connected data storage system, including network storage systems. Passwords and other access control methods help in ensuring data confidentiality.

5. Data Integrity: It ensures that information cannot be modified in an unexpected way. Loss of data integrity could result from human error, intentional tampering, or even catastrophic events. Failure to protect the correctness of data may render data useless, or worse, dangerous. Efforts must be made to ensure the accuracy and soundness of data at all times. Access control, encryption and digital signatures are the methods to ensure data integrity.

6. Non-Repudiation: Non-Repudiation involves creating proof of the origin or delivery of data to protect the sender against false denial by the recipient that data has been received or to protect the recipient against false denial by the sender that the data has been sent. To ensure that a transaction is enforceable, steps must be taken to prohibit parties from disputing the validity of, or refusing to acknowledge, legitimate communication or transaction.

7. Security Audit Trail: A security audit refers to an independent review and examination of system's records and activities, in order to test for adequacy of system controls. It ensures compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in the control, policy and procedures. Audit Trail refers to data generated by the system, which facilitates a security audit at a future date.
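As an added illustration of items 5 and 7 above (not part of the original report), the Python sketch below builds a tamper-evident audit trail: each record carries an HMAC-SHA256 over its own content and the previous record's MAC, so an edited or removed entry is detected at audit time. The key, field names and sample transactions are constructed for the example; a shared-key HMAC gives integrity only, and the non-repudiation of item 6 would need digital signatures instead.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # value chained into the first record

# Constructed sample audit events (not real data).
SAMPLE = [
    {"user": "cust-1001", "action": "login", "amount": None},
    {"user": "cust-1001", "action": "funds_transfer", "amount": "5000.00"},
    {"user": "cust-1001", "action": "logout", "amount": None},
]


def _mac(key, prev_mac, seq, entry):
    # Canonical JSON: the same entry always serialises to the same bytes.
    body = json.dumps({"seq": seq, "entry": entry},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append(trail, key, entry):
    """Add an entry whose MAC covers its content and the previous MAC."""
    prev = trail[-1]["mac"] if trail else GENESIS
    seq = len(trail) + 1
    trail.append({"seq": seq, "entry": entry,
                  "mac": _mac(key, prev, seq, entry)})
    return trail[-1]["mac"]  # current head; keep a copy off the system


def verify(trail, key, head=None):
    """Return "ok", "bad record N" (1-based) or "head mismatch"."""
    prev = GENESIS
    for i, rec in enumerate(trail, start=1):
        expected = _mac(key, prev, rec.get("seq"), rec.get("entry"))
        stored = str(rec.get("mac", ""))
        same = hmac.compare_digest(expected.encode(), stored.encode())
        if rec.get("seq") != i or not same:
            return f"bad record {i}"
        prev = stored
    # The chain alone cannot reveal records cut from the end; comparing
    # against a head value stored elsewhere (e.g. with the auditor) can.
    if head is not None and not hmac.compare_digest(prev.encode(), head.encode()):
        return "head mismatch"
    return "ok"


def demo():
    key = b"constructed-demo-key-not-for-production"
    trail, head = [], None
    for entry in SAMPLE:
        head = append(trail, key, entry)

    edited = copy.deepcopy(trail)
    edited[1]["entry"]["amount"] = "95000.00"   # amount altered after the fact
    removed = copy.deepcopy(trail)
    del removed[1]                              # transfer record deleted
    truncated = copy.deepcopy(trail)[:2]        # last record cut off

    return {
        "intact": verify(trail, key, head),
        "edited": verify(edited, key, head),
        "removed": verify(removed, key, head),
        "truncated_no_head": verify(truncated, key),
        "truncated_with_head": verify(truncated, key, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
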

Legal issues for internet banking:

The legal framework for banking in India is provided by a set of enactments, viz., the Banking Regulations Act, 1949, the Reserve Bank of India Act, 1934, and the Foreign Exchange Management Act, 1999. Broadly, no entity can function as a bank in India without obtaining a license from Reserve Bank of India under Banking Regulations Act, 1949. Different types of activities which a bank may undertake and other prudential requirements are provided under this Act. Accepting of deposit from public by a non-bank attracts regulatory provisions under Reserve Bank of India Act 1934.

Under the Foreign Exchange Management Act 1999, no Indian resident can lend, open a foreign currency account or borrow from a non resident, including non-resident banks, except under certain circumstances provided in law. Besides these, banking activity is also influenced by various enactments governing trade and commerce, such as, Indian Contract Act, 1872, the Negotiable Instruments Act, 1881, Indian Evidence Act, 1872, etc.

As discussed earlier, Internet banking is an extension of the traditional banking, which uses Internet both as a medium for receiving instructions from the customers and also delivering banking services. Hence, conceptually, various provisions of law, which are applicable to traditional banking activities, are also applicable to Internet banking.

However, use of the electronic medium in general and the Internet in particular in banking transactions has put to question the legality of certain types of transactions in the context of existing statute. The validity of an electronic message / document, authentication, validity of a contract entered into electronically, non-repudiation etc. are important legal questions having a bearing on electronic commerce and Internet banking.

It has also raised the issue of the ability of banks to comply with legal requirements / practices like secrecy of customers' accounts, privacy, consumer protection etc., given the vulnerability of data / information passing through the Internet. There is also the question of adequacy of law to deal with situations which are technology driven, like denial of service / data corruption because of technological failure, infrastructure failure, hacking, etc. Cross border transactions carried through the Internet pose the issue of jurisdiction and conflict of laws of different nations.

Government of India has enacted The Information Technology Act, 2000, in order to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce.

The Act, which has also drawn upon the Model Law, came into force with effect from October 17, 2000. The Act has also amended certain provisions of the Indian Penal Code, the Indian Evidence Act, 1872, The Bankers Book of Evidence Act, 1891 and Reserve Bank of India Act 1934 in order to facilitate ecommerce in India.

In the course of providing Internet banking services, the banks in India are facing new challenges relating to online opening of accounts, authentication, secrecy of customers' accounts, non-repudiation, liability standards and consumer protection, etc., each of which has been examined in the context of the existing legal framework.

Regulatory and supervisory concerns:

Banking on the Internet provides benefits to the consumer in terms of convenience, and to the provider in terms of cost reduction and greater reach. The Internet itself however is not a secure medium, and thus poses a number of risks of concern to regulators and supervisors of banks and financial institutions. World over, regulators and supervisors are still evolving their approach towards the regulation and supervision of Internet banking. Regulations and guidelines issued by some countries include the following.

Major supervisory concerns: These concerns can be clubbed into the following:

1. Operational risk issues
2. Cross border issues
3. Customer protection and confidentiality issues
4. Competitiveness and profitability issues

Broad regulatory framework

It would be necessary to extend the existing regulatory framework over banks to Internet banking also. Such an approach would need to take into account the provisions of both the Banking Regulation Act 1949 and the Foreign Exchange Management Act, 1999.

1. Only such banks which are licensed and supervised in India and have a physical presence here should be permitted to offer Internet banking products to residents of India.

2. These products should be restricted to account holders only and should not be offered in other jurisdictions.

3. The services should only offer local currency products and that too by entities who are part of the local currency payment systems.

4. The in-out scenario, where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India), and the out-in scenario, where Indian residents are offered banking services by banks operating in cross-border jurisdictions, are generally not permitted, and this approach should be carried over to Internet banking also.

5. The existing exceptions for limited purposes under FEMA i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., would however be permitted transactions.

6. Overseas branches of Indian banks would be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor in keeping with the supervisory approach outlined in the next section.

7. This extension of approach would apply to virtual banks as well. Thus, both banks and virtual banks incorporated outside the country and having no physical presence here would not, for the present, be permitted to offer Internet services to Indian depositors.

Recommendations

With the above approach in mind, the Group recommends that the regulatory and supervisory concerns relating to Internet banking can be met in the manner outlined in the following paragraphs. All banks which propose to offer transactional services on the Internet should obtain an in-principle approval from RBI prior to commencing these services. The application should be accompanied by a note put up to the Board of the bank along with Board resolution passed.

The Board note should cover the reasons for the bank choosing to enter into such business, the potential penetration it seeks to achieve, a cost-benefit analysis, a listing of products it seeks to offer, the technology and business partners for the products, and all third party support services and service providers with their track record and agreements with them, and the systems and the skills and capabilities it has in this regard and most materially the systems, controls and procedures it has put or intends to put in place to identify and manage the risks arising out of the proposed ventures.

The bank should also enclose a security policy framed in this regard which should cover all the recommendations made in and produce a certification from a reputed external auditor who is CISA or otherwise appropriately qualified that the security measures taken by the bank are adequate and meet the requirements and that risk management systems are in place to identify and mitigate the risks arising out of the entire gamut of Internet banking operations.

The RBI could require the bank together with the auditor to hold discussions with the RBI in this regard before granting such approval. After this initial approval is given, the bank would be obliged to inform the RBI of any material changes in web-site content and launch of new products.

The assurance about security controls and procedures, which is sought from the specialist external auditors, should be periodically obtained, with the periodicity depending on the risk assessment of the supervisor.

Further, banks would also be required to report every breach or failure of the security systems and procedures to RBI, who may decide to subject the failure to an on-site examination or even commission an auditor to do so.
