Executive Summary

• ⇒

Internet is increasingly used by banks as a channel for receiving instructions and delivering their products
and services to their customers.

⇒ Different banks follow different levels for providing services on internet.

⇒ Compared to banks abroad, India banks offering online services still have a long way to go in terms of
number of users and sufficient infrastructure in place.

⇒ Various security options are in place or are being looked at; however, Certification Authority is still
missing in India.

⇒ Also there are various risks associated with internet banking such as Operational Risk, Security Risk,
Cross Border Risks, Legal Risk, etc.

⇒ The Basel Committee’s Electronic Banking Group (EBG) in late 1999, tried to develop risk
management guidance for Internetbanking that will guide bankers and promote effective and consistent
bank supervision around the world.

⇒ The use of Information Technology in banking enables the banks to provide Any Time Banking,
Customer Service, Telebanking, Home Banking, Plastic Card Services, etc., facilities.

⇒ However, these facilities alongwith certain advantages these have certain disadvantages too.

⇒ Concluding this, India is on threshold of a major banking revolution with the invasion of net banking and
with the concept of payment gateway coming in; banks are vying with one another for the lion’s share in the
market.

A. Internet Banking:-

a) Introduction: -

The delivery channels including direct dial-up connections, private networks, public
networks, etc. with the popularity of computers, easy access to Internet and World Wide
Web (WWW), Internet is increasingly used by banks as a channel for
receiving instructions and delivering their products and services to their customers. This
form of bankingis generally referred to as Internet Banking, although the range of
products and services offered by different banks vary widely both in their content and
sophistication.

b) Banking Services through Internet: -

i. The Basic Level Service is the banks’ web sites which disseminate information on different
products and services offered to customers and members of public in general. It may
receive and reply to customer’s queries through e-mail;

ii. In the next level are Simple Transactional Web sites which allows customers to submit
their instructions, applications for different services, queries in their account balances, etc.
but do not permit any fund-based transactions on their accounts;
iii. The third level of Internet banking service are offered by Fully Transactional Web sites
which allow the customers to operate on their accounts for transfer of funds, payment of
different bills, subscribing to other products of the bank and to transact purchase and sale
of securities, etc. The above forms of Internet banking service the customer or by new
banks, who deliver banking service primarily through Internet or other electronic delivery
channels as the value added services. Some of these banks are known as ‘Virtual’ banks or
‘Internet only’ banks and may not have physical presence in a country despite offering
different banking services.

c) The Indian Scenario: -

The entry of India banks into Net Banking

• Internet banking, both as a medium of delivery of banking services and as a strategic

tool for businessdevelopment.

• At present, the total internet users in the country are estimated at 9 lakh. However, this
is expected to grow exponentially to 90 lakh by 2003. Only about 1 percent
of Internet users did banking online in 1998. This is increased to 16.7 percent in March
2000.
- (India Research, May 29, 2000, Kotak Securities)

• Cost of banking service through the Internet from a fraction of costs through
conventional methods. Rough estimates assume teller cost at Re.1 per transaction, ATM
transaction cost at 45 paise, phone banking at 35 paise, debit cards at 20 paise
and Internet banking at 10 paise per transaction.
d) Product and Services Offered: -

• Banks in India are at different stages of the web-enabled banking cycle. Initially, a bank,
which is not having a web site, allows its customer to communicate with it through an e-
mail address communication, and is limited to a small number of branches and offices
which have access to this e-mail account.

• With gradual adoption of Information Technology, the bank puts up a web site that
provides general information on deposits products, application forms for downloading and
e-mail option for enquiries and feedback.

• Vijaya Bank provides information on its website about its NRI and other services.
Customers are required to fill in applications on the Net and can later receive loans or other
products requested for at their local branch.

• A few banks provide the customer to enquire into his DEMAT account (security/shares)
holding details, transaction details and status of instructions given by him. These web sites
still do not allow online transactions for their customers.

• Some of the banks permit customers to interact with them and transact electronically with
them. Such services include request for opening of accounts, requisition for cheque books,
stop payment of cheques, viewing and printing statements of accounts, movement of funds
between accounts within the same bank, querying on status or requests,instructions for
opening of Letter of Credit and Bank Guarantees, etc.
• These services are being initiated by banks like ICICI Bank Ltd., Citibank, Global Trust
Bank Ltd., UTI Bank Ltd., Bank of Madura Ltd., Federal Bank Ltd., etc.

• Some of the more aggressive players in this area such as ICICI Bank Ltd., HDFC Bank
Ltd., UTI Bank Ltd., Citibank, Global Trust Bank Ltd., and Bank of Punjab Ltd., offer the
facility of receipt, review and payment of bills online.

• The ‘Infinity’ service of ICICI Bank Ltd., also allows online real time shopping all
payments to be made by customers.

• HDFC Bank Ltd., has made e-shopping online and real time with the launch of its payment
gateway.

• Banks providing internet banking services have been entering into agreements with
their customers setting out the terms and conditions of the services.

• The terms and conditions include information on the access through user-ID and secret
password, minimum balance and charges, authority to the bank for carrying out
transactions performed through the service, liability of the user and the bank, disclosure of
personal information for statistical analysis and credit scoring also, non-transferability of
the facility, notices and termination, etc.

e) The Future Scenario: -

• Compared to banks abroad, India banks offering online services still have a long way to
go. For online banking to reach a critical mass, there has to be sufficient number of users
and the sufficient infrastructure in place.

• Various security options like Line Encryption, Branch Connection Encryption, Firewalls,
Digital Certificates, Automatic Sign-offs, Random Pop-ups and Disaster Recovery Sites are
in place or are being looked at; there is as yet noCertification Authority in India offering
Public Key Infrastructure, which is absolutely necessary for online banking.

• The communication bandwidth available today in India is also not enough to meet the
needs of high priority services like online banking and trading.

• Banks offering online facilities also need to calculate their downtime losses, because even
a few minutes of downtime in a week could mean substantial losses.

• Users of Internet Banking Services are required to fill up the application forms online
and send a copy of the same by mail or fax to the bank.

• A contractual agreement is entered into by the customer with the bank for using
the Internet banking services.

• Domestic customers, for whom other access points such as ATMs, Telebanking, Personal
Contact, etc. are available, are often hesitant to use the Internet banking services offered
 by Indian banks. Internet Banking, as an additional delivery channel, may, therefore, be
attractive/ appealing as a value added service to domestic customers. Non-resident
Indians, for whom, it is expensive and time consuming to access their bank accounts
maintained in India find net banking very convenient and useful.

• Cyber crimes are, therefore, difficult to be identified and controlled.

• In order to promote Internet banking services, it is necessary that proper legal

infrastructure is in place.

• The Department of Telecommunications (DoT) is moving fast to make available additional

bandwidth, with the result that internet access will become much faster in the future.

• Reserve Bank of India has constituted a group to examine different issues relating to I-
banking and recommend technology, security legal standards and operational standards
keeping in view the international best practices. In the following paragraphs a generic set of
risks discussed as the basis for formulating general risk control guidelines.

B. Risk & Rewards:-

a) Operational Risk: -

• ‘Operational Risk’, also referred to as ‘Transactional Risk’ is the most common form of risk
associated with I-banking.

• It takes them from of inaccurate processing of transactions, non-enforceability of

contracts, compromises in data integrity, data privacy and confidentiality, unauthorized
access / intrusion to bank’s systems and transaction, etc.

• Such risks can arise out of weaknesses in design, implementation and monitoring of
banks information system.

• Besides inadequacies in technology, human factors like negligence by customers and

employees, fraudulent activity of employees and crackers/ hackers, etc. can become
potential source of operational risk.

b) Security Risk: -

• Security Risk arises on account of unauthorized access to a bank’s critical information

stores like accounting system, risk management system, portfolio management system,
etc.

• Other related risks are loss of reputation, infringing customers’ privacy and its legal
implications, etc.

• Attackers could be hackers, unscrupulous vendors, disgruntled employee or even pure

thrill seekers.

• In addition to external attacks banks are exposed to security risk from internal sources
e.g. employee fraud. Employee being familiar with different systems and their weaknesses
become potential security threats in a loosely controlled environment. They can manage to
acquire the authentication data in order to access the customer accounts causing losses to
the bank.

• Unless specifically protected, all data/ information transfer over the internet can be
monitored or read by unauthorized persons.

c) System Architecture and Design: -

• Banks face the risk of wrong choice of technology, improper system design and
inadequate control processes.

• Numerous protocols are used for communication across internet. Each protocol is
designed for specific types of data transfer.

• A system allowing communications with all protocols, say HTTP (Hyper Text Transfer
Protocol), FTP (File Transfer Protocol), Telnet, etc. is more prone to attack than one
designed to permit say, only HTTP.

• Security related operational risk include access control, use of firewalls, cryptographic
techniques, public key encryption, digital signature, etc.
d) Reputational Risk: -

• Reputational Risk is the risk of getting significant negative public opinion, which may
result in a critical loss of funding or customers. Such risks arise from actions which cause
major loss of the public confidence in the banks’ ability to perform critical functions or
impair bank-customer relationship. It may be due to banks’ own action or due to third
parties action.

• The main reasons for this risk may be system or product not working to the expectations
of the customers, significant security breach (both due to internal and external attack),
inadequate information to customers about product use and problem resolution procedures,
significant problems with communication networks that impair customers’ access to their
funds or account information especially if, there are, no alternative means of account
access.

e) Legal Risk: -

• Legal risk arises from violation of, or non-conformance with laws, rules, regulations, or
prescribed practices, or when the legal rights and obligations of parties to a transaction are
not well established.

• A customer inadequately informed about his rights and obligations, may not take proper
precautions in usingInternet banking products or services, leading to disputed
transactions, unwanted suits against the bank or other regulatory sanctions.

f) Cross-Border Risks: -

• Internet banking is based on technology that, by its very nature, is designed to extend
the geographic reach of banks and customers. Such market expansion can extend beyond
national borders. This causes various risks.

• Such considerations may expose banks to legal risks associated with non-compliance of
different national laws and regulations, including consumer protection laws, record keeping
and reporting requirements, privacy rules and money laundering laws.

• The foreign-based service provider or foreign participants in internet banking are

sources of country risk to the extent that foreign parties become unable to fulfill their
obligations due to economic, social or political factors.

g) Strategic Risk: -

• Strategic risk is the current and prospective impact on earnings or capital arising from
adverse business decisions, improper implementation of decisions, or lack of
responsiveness to industry changes.

• This risk is a function of the compatibility of an organization’s strategic goals, the

business strategies developed to achieve those goals, the resources deployed against these
goals, and the quality of implementation.

• For reducing such risk, banks need to conduct proper survey, consult experts from
various fields, establish achievable goals and monitor performance.

• Also they need to analyze the availability and cost of additional resources, provision of
adequate supporting staff, proper training of staff and adequate insurance coverage.

h) Other Risk: -

• Traditional banking risks such as credit risk, liquidity risk, interest rate risk and market
risk are also present ininternet banking.

• These risks get intensified due to the very nature of internet banking on account of use
of electronic channels as well as absence of geographical limits.

• Credit risk: Is the risk that a counterparty will not settle an obligation for full value, either
when due or at any time thereafter. Banks may not be able to properly evaluate the
creditworthiness of the customer while extending credit through
remote banking procedures, which could enhance the credit risk.

• Another facility of internet banking is electronic money. It brings various types of risks
associated with it. If a bank purchases e-money from an issuer in order to resell it to a
customer, it exposes itself to credit risk in the event of the issuer defaulting on its
obligation to redeem electronic money.

• Liquidity risk: It is important for a bank engaged in electronic money transfer activities
that it ensures that funds are adequate to cover redemption and settlement demands at
any particular time. Failure to do so, besides exposing the bank to liquidity risk, may even
give rise to legal action and reputational risk.

i) Risk of Unfair Completion: -

• Internet banking is going to intensify the competition among various banks. The open
nature of internet may induce a few banks to use unfair practices to take advantage over
rivals. Any leaks at network connection or operating system, etc. may allow them to
interfere in a rival bank’s system.
 Thus, one can find that along with the benefits internet banking carries various risks for
bank itself as well asbanking system as a whole.

2. Internet Banking: Challenges for Banks & Regulators

A. Internet Banking in the United States

⇒ New Risks

B. The Basel Committee’s Electronic Banking Group

C. E-Finance Oversight

D. Security Controls

E. Legal & Reputational Risk Management

A. Internet Banking in the United States: -

• An average industry estimates indicates the about 13 million US households banked online by the
end of 2000 – twice as many as in the previous years.

• At the beginning of 2001, 37% of all US national banks, including nearly all of the largest national
banks, were offering full transactional capabilities online – a near twofold increase in little over a
year.

• Banks offering Internet-based transaction service – and there are more of them each day – should
be well positioned to compete in the financial markets of the future.

⇒ New Risks: -

• Internet banking poses risks that are different from those that bank supervisors customarily
dealt with in assessing credit, market, or interest rate risk.

• First, banks must manage the unprecedented speed of technological change, and assess how it
relates to their technology investments and their ability to provide consistently high-quality
customer service.

• Second, bank is increasingly dependent on third parties to provide the necessary Information
Technology.

• Security is another area of significant risk. So far, relatively few financial institutions have
reported being victimized by online security violations.
B. The Basel Committee’s Electronic Banking Group: -

• The Basel Committee on Banking Supervision has taken the lead in this area through the creation
of its ElectronicBanking Group (EBG) in late 1999 – a group whose members represent 17 Central
Banks and Bank Supervisory Agencies.

• The major focus of the EBG’s work has been to develop risk management guidance
for Internet banking that will guide bankers and promote effective and consistent bank
supervision around the world.

• The EBG has identified fourteen Risk Management Principles for Electronic Banking to promote
sound risk management of e-banking. These principles are intended to help banking institutions
expand their existing oversight policies and processes to cover their e-banking activities.

C. E-Finance Oversight: -

• The EBG has dedicated considerable time and effort to communicating supervisory expectations
and guidance for home country supervisors to oversee cross-border Internet banking activity
conducted by their local institutions.

• In February of this year, the Financial Stability Forum’s Contact Group on E-Finance held its first
formal meeting. This group was formed to promote enhanced information-sharing among the
various international sector-basedworking groups dealing with e-finance supervisory issues – e-
banking, e-trading, retail payments systems, e-commerce, and so on.

C. Security Controls: -

• Authentication of e-banking customers.

• No repudiation and accountability for e-banking transaction of duties.

• Appropriate measures to ensure segregation of duties.

• Proper authorization controls within e-banking systems, databases and applications.

• Data integrity of e-banking transactions, records and information.

• Establishment of clear audit trails for e-banking transactions.

• Confidentiality of key bank information.

E. Legal & Reputational Risk Management: -

• Appropriate disclosure for e-banking services.

• Privacy of customer information.

• Capacity, business continuity and contingency planning to ensure availability of e-banking systems
 and services.

• Incident response planning. The complete EBG Report on Risk Management Principles for
Electronic Banking can be obtained at the Bank for International Settlements’ web site at
“www.bis.org”.

3. What do Computers do in Banks?

The Different Uses of Information Technology:

a) Single Window System
b) Any Time Banking
c) Automated Teller Machines
d) Shared Payment Network System
e) Customer Service
f) Telebanking
g) Home Banking
h) Electronic Fund Transfer
i) Plastic Cards as Media for Payment
1. Credit Card
2. Debit Card
3. Smart Card
4. ATM Card
j) Intra-bank and Inter-bank Applications

The Different Uses of Information Technology: -

a) Single Window System (SWS): -

• The cashier or teller who accepts the cash, keys in the data from his terminal after receipt of the amount.

• The amount is straight away posted to the system.

• If the customer wishes to update passbook the same is also updated through the security form
printer/pass book printer.

• If a customer wishes to obtain a draft, the clerk keys in the details of the account to be debited and the
particulars of the drafts to be issued on the machine.

• The customer’s account is debited and security form printer prints out draft and clerk can hand over the
same to customer duly signed.

b) Any Time Banking: -

• This refers to banking service available 24 hours a day and 365 days a year.
• Such facility is made available to the customer through the Automated Teller machine.

• Banking, being a service industry, is primarily driven by customers’ needs.

• Each customer is willing to pay a price for the services provided it is made available to him when he wants
and where he wants.

• In the present day of server competition, banking services are driven by technology, which is more
oriented towards providing better services to the customer.

• The concept of banking hours has been changed from the fixed 4 hours to 24 hours.

• This has been made possible through use of ATMs. Even under the manual service, the banks have stated
to extend the service from the traditional 4 hours to 5 hours and even up to 12 hours say from 8 AM to 8
PM.

• Some banks have introduced the practice of Sunday Banking or Holiday Banking.

c) Automated Teller Machine (ATM): -

• ATM is a machine in the nature of a computer in general sense, but is dedicated to do certain types of
specific jobs only.

• The hardware and the proprietary i.e. the software used in one machine cannot be used in one machine.

d) Shared Payment Network System (SPNS): -

• The SPNS, named SWADHAN, has been sponsored by the Indian Bank’s Association (IBA).

• It is a network of ATMs, points of sale terminals and Cash Dispensers with a view to pool the resources of
the banks and underlines the spirit of competition through cooperation.

• It became operational in Mumbai on 1st February 1997 and in two years about 150 ATMs were owned and
installed by 38 banks including foreign banks, public and private sector Indian commercial banks as also
cooperative banks.

• The biggest advantage of the network is that the ATM cards issued by different banks can used at any
member banks ATM.

• Banks can have as many ATM as they want and follow some standards set by the SPNS committee.

• The heart of the network is the Switch and its main components are: Tandem Mainframe Computer, BASE
24 Software, Motorola networking equipments and the leased lines.
e) Customer Services: -

The following customer services are offered through the system:

i) Cash withdrawal (up to a specified limit)

ii) Cheque/Cash deposit (the receipt being only for the deposit of the envelope containing cash but not for
the amount therein)
iii) Enquiry about balances
iv) Printing of statement of accounts
v) Request for cheque book and standing instructions.
vi) Transfer of funds
vii) PIN change

f) Telebanking: -

• From the conventional banking, where the services were provided manually across the table, it has come
to a stage where the customer is not required to visit the bank enquiry of balance in the account, sending a
remittance, to get a statement of account, etc.

• The concept has become so popular that in USA customers do not visit the bank for 97% of their
transactions and these are done from either customer’s residence or office using a telephone or a home PC.

• In telebanking the customer is required to open the account with the bank initially by visiting the bank.

• Telebanking services are, generally, provided by the bank over the telephone on a special number.

• The number at the bank is connected to a terminal in the bank, which is either handled manually or is
automated by connecting the same to the computer network.

• Where the system is automated, two types of technology are used.

g) Home Banking: -

• Under home banking the customer is served at his residence and there is no need for the customer to
visit the bank’s premises for a number of routine transactions.

• If the customer needs some information the same can be got by contacting the bank over the phone as
described in the telebanking.

• If the customer wants to put through transaction and wishes to see his account or to get a statement of
his account, he may have to use a PC.

• This type of facility is available with a town, city or metropolitan area.

• Under such a situation the customer should have a:

 PC
 Modem
 Telephone line
 A compatible software for the home PC

• The home banking service can be broadly classified under two groups, one without using the information
technology and another using information technology.
• When customer contacts the bank o the phone no specific technology is involved and the service of
telebanking is provided to him.

h) Electronic Fund Transfer (EFT): -

• In India the fund transfers are basically done through Mail Transfer, Draft or Telegraphic Transfer.

• In case of Telegraphic Transfer (TT) again the Department of Telecommunication was the sole provider of
Telephone, Telex and Telegram facilities.

• With the process of liberalization private operators have started providing alternative voice communication
channels through mobile phones and vast communication as an alternative channels for data
communication.

• It was normal for any TT to be credited to the beneficiary’s account after delay of 2 to 4 days

• The different forms of EFT prevalent in the use are:

 EFT through Electronic Data Interchange
 BANKNET
 RBINET
 IDRBT VSAT Network
 EFT from Point of Sales
 Electronic Cash
 SWIFT- Global System for Funds Transfer
 Electronic Clearing Settlement
i) Plastic Cards as Media for Payment: -

There are four types of plastic cards being used as media for making payments. These are:
1. Credit Card
2. Debit Card
3. Smart Card
4. ATM Card

1. Credit Cards: -

The credit card enables the cardholders to:

 Purchase any item like clothes, jewellery, railway/air tickets, etc.
 Pay bills for dining in a restaurant or boarding and lodging in a hotel
 Avail of any service like car rental, etc.

2. Debit Cards: -

A debit card is issued on payment of a specified amount by the issuing company like a telephone company
to a customer on cash payment or on debiting his account by a bank.

Thus it is like an electronic purse, which can be read and debited by the required amount.

It may be noted that while through a credit card, the customer first makes a purchase or avails service and
pays later on, but for getting the debit card, a customer has to first pay the due amount and then make a
purchase or avail the service. For this reason, debit card are not as popular as credit cards.

3. Smart Cards: -
Smart Cards have a built-in microcomputer chip, which can be used for storing and processing information.
For example, a person can have a smart card from a bank with the specified amount stored electronically on
it. As he goes on making transactions with the help of the card, the balance keeps on reducing
electronically. When the specified amount is utilized by the customer, he can approach the bank to get his
card validated for a further specified amount. Such cards are used for paying small amounts like telephone
calls, petrol bills, etc.

In India, a smart card, suiting Indian banking environment, is being developed and tested at IIT, Mumbai,
in collaboration with the RBI and SBI. The card is being used as an experimental tool for promoting cashless
society in and around the IIT Campus. The latest smart card being developed will combine all the features of
electronic purses, credit cards and ATM cards.

4. ATM Cards: -

The card contains a PIN (Personal Identification Number) which is selected by the customer or conveyed to
the customer and enables him to withdraw cash up to the transaction limit for the day. He can also deposit
cash or cheque.