IBA and DSCI are hosting a Security Summit in Mumbai with the theme of Enhancing Trust in Electronic Banking. The discussion is timely since Banks are pushing forward with several technology-based services in pursuit of bigger and bigger profits while customers are reeling under the adverse impact of the insecurity inherent in the experimental technological framework.

The Summit is likely to be attended mainly by the Banking community and hence the voice of the Bank customers is unlikely to be heard during the summit. I am therefore placing before the public some of my views with a request that the summit will give due consideration to these apprehensions. In particular, I would like the RBI officials who are the custodians of the public faith in Banking to ensure that development of Banks on the technology front is not at the cost of increased risks to customers.

The need for this discussion has arisen because some of the recent developments within the RBI have given rise to apprehensions about whether RBI is being properly guided in the matter of technology introduction in commercial Banks. One such development was part of the set of recommendations placed by the G Gopalakrishna Working Group (GGWG) regarding Electronic Banking and Information Security, which were distinctly anti-customer. This working group's recommendations included some which were ultra vires ITA 2008 and which could be interpreted as dilution of security from the perspective of the Customer.

It is important to note that “Security” cannot be viewed only from the perspective of “Data” and in the interest of Banks avoiding liabilities. The central focus of the Banking business is the customer and “Security” should be “Customer Oriented”.

Banking is an institution that accepts deposits from the public for the purpose of lending (remembering this basic definition has become necessary since there is a feeling that current day Bankers may not understand their role beyond “creating a customer who is a profit generation center for the Bank”). The biggest expectation of Customers from their Bankers is “Safety” of funds handed over to the Bank in the form of deposits. “Convenience” and “Return” are add-on features that have no meaning if the funds are not secure.

Given an option, every Bank customer would opt for security even at the cost of convenience. Today Banks have forgotten this basic principle of security and are fighting on service parameters as if they alone matter in Banking.

Technology therefore is relevant only to enhance the value of the safe keeping of Bank deposits, and additional convenience in the form of “Anytime” or “Anywhere” banking cannot be at the expense of safety.

When a customer is apprehensive that money kept in the bank may vanish because of Phishing or insider frauds, technology becomes a bane rather than a boon.

Anytime, anywhere banking is being used by fraudsters to commit frauds from anywhere and at any time, and the current systems of Banking do not have adequate transaction risk identification capabilities and are unable to warn the bank about the frauds.

Customers want only “Secure Banking” where their money is safe even if it is not anywhere and not anytime.

I would request RBI to keep this perspective of security in mind, and any introduction of technology has to be tested against “Will the customer’s funds be safer?”

Presently technology is being introduced so that the cost of administration for the Banks comes down. At the same time, the cost of services from the Customer’s perspective has only gone up.

Additionally, Banks are short-changing on security so that they can make more profits.

When Internet Banking itself is not yet safeguarded, banks are pushing for mobile banking and taking banking risks to new levels. RBI needs to evaluate if Customers are comfortable with the security aspects of banking with either internet or mobile.

If Customers are not satisfied with the current levels of security, then it is the responsibility of RBI to wait for enhancement of trust of customers before any new security guideline is introduced.

The SR Mittal Working Group, which gave its recommendations on Internet Banking based on which the first guidelines of Internet Banking were released by RBI in 2001, was categorical that the customers should be provided with a legal shield and Banks must obtain Cyber Crime insurance. The Gopalakrishna Working Group report has also endorsed the earlier recommendations of the Mittal Group, though there were and there continue to be efforts to persuade RBI to change their views.

I call upon RBI to ensure that the consumer point of view of security is not given a go-by in the discussions during the summit. Since RBI may be unable to improve the technical security in the short term, they should put a brake on the introduction of mobile banking and also have a special risk management framework put in place for banking transactions that arise beyond the regular banking hours and beyond the known location of the customer. These restrictions may be relaxed only if Banks satisfy RBI about the security in place and also if Banks have covered themselves through insurance against frauds so that customers are not put to difficulty because of technology risks they do not understand.

I hope the Summit discusses these aspects in addition to discussing the technical and commercial aspects of security.

Naavi of Naavi.org

