Wednesday 29 January 2014

E-BANKING
Security Implications of E-Banking In the Indo-Canadian Context
-- Dr. Jayant Kumar and Hitesh Bhatia
Electronic Banking or E-Banking is a matter of compulsion for modern day bankers all over the world. However, the efforts to provide a foolproof system for safe banking operations have not kept pace with technological improvements. As a result, customers remain skeptical of adapting to the new system. In the absence of suitable regulations, and with a lackluster disposal mechanism, particularly in developing countries, cyber thieves may remain at large. This article studies some of the security implications of e-banking in the context of two diverse economies, India and Canada. The comparative study confirms the differences in the intensity with which security concerns are addressed in the two countries.
Young people of this millennium find it difficult to stand in queues to carry out their routine banking transactions. They demand services that are just a click away, and Electronic banking (E-Banking) promises to meet this need. E-Banking has not only improved the banking habits of people, but also reduced the cost of transactions and enhanced the productivity and profitability of banks. According to the Association for Payment Clearing Services (APACS), the UK payments association, the number of people using online banking has increased from 3.5 mn in 2000 to 21 mn in 2007, a rise of 505%! According to the Industrial and Commercial Bank of China, the number of online customers increased from 15.83 mn to 39.08 mn in 2007. In India, the advent of private and multinational banks like ICICI and Citi Bank, since 1996, has created the much needed competitive environment. ICICI went online even before the Reserve Bank of India had framed any policy measures for e-banking. The PSU banks were slow and late in adopting the new technology. It was only in 2001 that the State Bank of India, the country's largest bank, started online services with its informational website.
In 2006, there were nearly 38.5 million internet users in India, of which 12%, i.e., 4.6 million, were banking online (IAMAI, 2006). This figure shows a healthy increase in comparison to just 1% online banking customers in 1998. Affordable personal computers, large scale office automation, and falling Internet charges have led to widespread use of the Internet among the urbanites in the country. However, using the Internet and making online banking transactions are two different things. Bank customers, even if they are tech-savvy, prefer to follow the traditional way of banking to save themselves from hackers. Thus, e-banking in India is limited to only a small fraction of the population; the rest, due to socioeconomic limitations, are more inclined towards brick and mortar banking.
The Canadian Experience
The Canadian experience of online banking is in direct contrast to that seen in India. Canada's first bank was opened in 1817 in Montréal by a group of merchants. Since then, the banking industry has developed manifold and contributed significantly to the country's economic development. By July 2002, there were 14 domestic banks, 33 foreign bank subsidiaries, and 20 foreign bank branches. These banks collectively owned nearly C$1.7 tn of assets. The enormous size of the Canadian banking system is reflected in the fact that the banks in Canada account for nearly 70% of the total assets of the Canadian Financial Service Sector. Moreover, the six largest domestic banks together own 90% of the assets of the banking sector. In 2002, there were about 8,000 branches and nearly 18,000 Automated Banking Machines (ABMs) in Canada. By 2005, the aggregate number of ABMs rose to approximately 50,649. Not surprisingly, therefore, electronic banking transactions through ABMs stand highest in the world. With the working of highly-developed electronic mechanisms, such as debit cards, Internet banking and telephone banking, banks in Canada operate with the best of modern capabilities.
Canada accounts for 2.0% of the world's Internet users. There were nearly 5.8 mn online customers by 2002. This clearly shows that there has been an increase of nearly 262% since 1997. According to the Canadian Bankers Association, around 42% of Canadians banked online in 2004. In 2001, approximately C$36.7 mn (Canadian dollars) payment transactions were made through online banking; this amount rose to C$133.3 mn in 2003 and to C$195.4 mn in 2005. Canadians also score high in terms of use of both debit and credit cards. Nearly $85.2 bn, $116.0 bn and $137.4 bn worth of debit card transactions were made in 2001, 2003 and 2005 respectively. The value of credit card transactions during the same period was about $109.87 bn, $150.49 bn and $190.60 bn respectively.
Internet banking has played a significant role in the national clearing and settlement system. Canadian banks have the most effective payment systems in the world. In 2001, it cleared nearly 4.4 bn transactions of over C$33 tn. Telephone banking, which allows customers to make account inquiries, money transfers and bill payments over the telephone at any time of the day, attracted 9.7 million customers in 2000. Being one of the major employers, banks in Canada had by 2000 employed over 235,000 employees - at an astonishing payout of approximately C$16.1 bn.
Security Implications of E-Banking
It is the responsibility of the banks to maintain integrity and confidentiality of customers. A cyber fraud can trigger unprecedented exigencies and can expose banks to reputational risks. This may prove to be detrimental for potential customers. Besides, e-banking activities today involve not just banks and their customers, but third parties as well, and this is forcing the banks to tighten their e-security norms. The major e-security concerns include checking for unauthorized transactions and preventing unauthorized data alteration, primarily during transmission and subsequently during storage. 'Money laundering', 'phishing', 'pharming', 'smurfing', and 'identity theft' are the modern e-crimes related to financial transactions. Such crimes have their roots all over the world.
Money laundering refers to the course of action whereby 'unclean money', created through illegal activities, is transformed into clean money by investing it in the financial system, so that its source becomes difficult to trace. Three stages of money laundering are witnessed globally. In the first stage, known as the 'Placement Stage', money is separated from the act of crime; in the second stage, i.e., the 'Layering Stage', funds are moved through e-transfers among numerous accounts across several countries within a period of time; and in the final stage, which is the 'Integration Stage', the entire money is given a legitimate look, enabling the hackers to use it freely. The act of money laundering is directly connected to other illegal activities, such as drug trafficking, smuggling, extortion, bribery, manipulation in stock exchanges, forgery, fraud, etc. According to the IMF, 2 to 5% of the world's GDP, amounting to $590 bn to $1.5 tn, is lost annually due to money laundering alone.
A common form of money laundering is 'smurfing', which refers to the act of an individual who deposits cash in different banks, branches or deposit institutions in small amounts so that it does not attract anybody's attention. This also helps people to distance themselves from getting affiliated to the source of illicit funds.
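The smurfing pattern described above can be looked for by aggregating small cash deposits per depositor across banks and branches. The following Python sketch is an added illustration, not part of the original article; the reporting threshold, look-back window, branch count and record layout are assumptions chosen for the example, and the deposit records are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed values for illustration; the article states no threshold or window.
REPORT_THRESHOLD = 10_000    # single deposits at or above this are assumed to be reported anyway
WINDOW = timedelta(days=7)   # look-back window for aggregating deposits
MIN_BRANCHES = 3             # deposits must be spread over at least this many branches

# Constructed sample records: (depositor_id, bank/branch, day, cash_amount)
DEPOSITS = [
    ("cust-A", "bank1/br-01", date(2007, 3, 1), 3_500),
    ("cust-A", "bank1/br-07", date(2007, 3, 2), 3_200),
    ("cust-A", "bank2/br-02", date(2007, 3, 4), 2_900),
    ("cust-A", "bank3/br-11", date(2007, 3, 5), 3_100),
    ("cust-B", "bank1/br-01", date(2007, 3, 1), 4_000),
    ("cust-B", "bank1/br-01", date(2007, 3, 20), 4_500),
    ("cust-C", "bank2/br-02", date(2007, 3, 3), 12_000),
]

def flag_structuring(deposits):
    """Return {depositor: (largest windowed total, branches used)} for suspected smurfing."""
    by_depositor = defaultdict(list)
    for who, branch, day, amount in deposits:
        if amount < REPORT_THRESHOLD:        # only sub-threshold deposits are of interest
            by_depositor[who].append((day, branch, amount))
    flagged = {}
    for who, rows in by_depositor.items():
        rows.sort()                          # chronological order
        start = 0
        for end in range(len(rows)):
            # Slide the left edge until the window spans at most WINDOW days.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            total = sum(r[2] for r in window)
            branches = {r[1] for r in window}
            if total >= REPORT_THRESHOLD and len(branches) >= MIN_BRANCHES:
                if total > flagged.get(who, (0, set()))[0]:
                    flagged[who] = (total, branches)
    return flagged

if __name__ == "__main__":
    for who, (total, branches) in flag_structuring(DEPOSITS).items():
        print(f"{who}: {total} in sub-threshold cash across {len(branches)} branches")
```

The check only works when deposits from different banks and branches can be joined on one depositor identity, which is why reporting to a central body matters for this pattern.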
'Theft of identity' is another form of criminal act, having the objective of financial gain through forgery or fraud. Identity theft is facilitated by information technology. In today's Internet era, identity theft is often associated with e-mail 'phishing'. Under this, millions of sophisticated e-mails, which appear to be genuine, are sent to attract customers/Internet users. Such e-mails reproduce the exact details and looks of original websites, along with names and logos of financial institutions and other business agencies. This is done with the intention of stealing confidential/personal details. A successful phishing operation could bring in thousands of fresh account numbers, along with other identity details, like names, residential addresses, phone numbers, passwords and PINs.
Like phishing, pharming also intends to obtain personal details of consumers but, unlike the former, it is done through domain spoofing. No individual e-mails are sent. Pharming poisons the Domain Name System (DNS) and redirects the user's request elsewhere. The victim's browser will mistakenly show that he is on the correct website, and he will continue to enter his personal information like passwords, etc., making the act of pharming graver and more difficult to detect. The Ontario Provincial Police (OPP), the Royal Canadian Mounted Police (RCMP) and the Competition Bureau, Canada, collectively found that in 2003, nearly 13,359 victims of identity theft incurred whopping losses of C$21.8 mn. According to Canada's Phone Busters, nearly 42% of identity theft cases were committed through credit cards in 2003-2004. Yet other estimates, given by the Canadian Council of Better Business Bureaus, suggest that the Canadian economy loses approximately C$2.5 bn every year due to identity theft. (Criminal Intelligence Service Canada, 2005)
Several organized crime groups that are involved in innumerable illegal activities generating huge profits are operating in Canada. They have innovative hideouts for unaccounted money, along with avenues for reinvestment in both legal and illegal ventures. Since the advent of e-banking, money laundering and other e-crimes have become an integral part of overall criminal activities in Canada, involving billions of dollars (FINTRAC, 2003). Both individuals and organized criminal groups are now more often using these methods to transform their illicit earnings into apparently more legitimate looking incomes. 'Deposit institutions, international wire transfers, online casinos, ATMs, money service business like currency exchanges, are increasingly being used by criminals to launder money'. (Criminal Intelligence Service Canada, 2005)
On June 29, 2000, 'The Proceeds of Crime (Money Laundering) Act' (PCMLA) was enacted by the Canadian federal government to combat money laundering. The Act makes it compulsory for individuals and entities, together with the Chartered Accountants, to report comprehensively about some defined financial transactions to the 'Financial Transactions and Reports Analysis Centre of Canada' (FINTRAC). This is done with the intention of assisting in the detection and deterrence of money laundering in Canada (The Canadian Institute of Chartered Accountants, February 2004).
The comparative data regarding e-banking crime in India are not forthcoming due to a gap between comprehensive e-regulations and effective security of e-bank transactions. According to Symantec, a premier IT security company, there are more than 7 million phishing attempts per day, out of which 84% are targeted at banks and other financial institutions, and it is difficult to detect money laundering and other e-crimes through traditional means of investigation. In India, the financial institutions, including commercial banks, avoid reporting such e-crimes as they don't wish to damage their credibility in the market. India, being a developing economy, is still in the nascent stage in tackling e-crimes. However, since such crimes are global in nature, India should support and enhance its contribution to international measures being undertaken in this regard. For example, anti-money laundering standards which are set by the Financial Action Task Force (FATF), established in 1989 by G7 countries, should be complied with. Canada is one among 31 members of FATF; it was created with the purpose of framing and promoting national and international policies to combat money laundering and terrorist financing.
It is heartening to note that as per the Basel Committee norms, 2003, India scores 60% in the matter of anti-money laundering compliance; the comparative compliance for Canada is 80% and for Thailand only 40%. 60% compliance means the security norms are in the stage of enactment, 80% means the enacted compliance is in progress and 40% means only the intention of enactment of compliance is declared. The following 7 out of 14 risk management principles laid down by the Basel Committee on Banking Supervision are relevant to our study (Basel Committee, 2003).
• Identification and authorization of the customers must be authenticated by the banks before they conduct business through the Internet.
• In order to promote general acceptability of e-banking, banks should establish their accountability for e-banking transactions. This can be done by following suitable 'transaction authentication methods'.
• Proper segregation of duties within e-banking systems, application and databases through suitable methods is an important pre-condition for successful development of e-banking in the country.
• E-Banking systems, application and databases also require adequate measures for authorization controls and access privileges.
• For the safety and security of e-banking transactions, appropriate measures must be adopted by the banks. This is also to protect the integrity of relevant data, records and information.
• Auditing of e-banking transactions must be made available and possible through proper storage of data and records by the concerned banks.
• The banks must take precautions to preserve the confidentiality of e-banking information depending upon the degree of sensitivity of such information.
The RBI, in its circular in 2005, has taken the above compliance norms seriously and made an adaptation of these norms for banks and financial institutions in India. The IBA has given wide publicity to the above-said RBI Circular for information and compliance by the banking and financial institutions. The government, though late, woke up to the need for urgent measures. The Indian Computer Emergency Response Team (CERT-In), set up by the Department of Information Technology, has been appointed as the nodal agency for information security.
Conclusion
The aggressive infusion of information technology has brought in a paradigm shift in banking operations. It enabled banks to provide a variety of services at reduced transactional costs, although there is no conclusive study on the impact of e-banking on economies of scale in banking. E-Banking has helped to shrink geographical boundaries. It is imperative that the large banks, particularly private sector and foreign banks, are more likely to pioneer aggressively a variety of Internet services in the country. As for small banks, they need to focus more on core capabilities rather than on low volume-advanced features, in order to avoid e-risk concerns. This is true, particularly in the context of India.
Money laundering, phishing and pharming are the adverse fallout of e-banking. Various countries are undertaking measures to deal with e-banking related crimes to provide adequate security and privacy to themselves and their customers. The Basel Committee recommendations on security concerns of e-banking are widely adhered to by the central banks of various countries in the world. Countries that are not members of the Bank for International Settlements (BIS) are also being exhorted to comply with the recommendations of the Basel Committee. However, the BIS is neither an enforcement agency nor a moral police for the banking industry. The central banks, all over the world, should take the words of BIS or the committee constituted by it as sensible words of advice. This will be of great help towards maintaining best international banking practices.
About the Authors
Jayant Kumar is a senior faculty member in the Department of Business Economics, Faculty of Commerce, The M S University of Baroda. The author can be reached at jyntkumar@yahoo.com.
Hitesh Bhatia is a Faculty at INC, Vadodara. The author can be reached at hitesh262004@yahoo.com.
