MANAGING RISKS IN INTERNET BANKING
AIJAZ AHMED SHAIKH
Dec 5 - 11, 2011
Today, the internet is well on its way to becoming a full-fledged delivery and distribution channel, and among the consumer-oriented applications riding at the forefront of this evolution are electronic financial products and services.
Internet banking, an integral component of electronic banking, has driven a revolution in the banking industry, providing great benefits to both banks and consumers.
It allows a wide range of banking transactions via a bank's website, thereby providing convenience and ubiquity to consumers.
The term internet banking is used interchangeably with PC banking, home banking, electronic banking and also 'anytime, anywhere' banking. Most of the banks in Pakistan, in order to retain their competitiveness, have also introduced internet banking.
CATEGORIES: Considering the requirements of the consumers and the level of risk involved, internet offerings have been classified into three main categories:
INFORMATIONAL: The consumer receives information about a bank's products and services. Since it allows neither transactions nor access to the bank's core application, it is considered 'low risk'.
COMMUNICATIVE: Under this category, a bank offers account-related information to consumers along with access to update their personal data. Since access to the bank's core application is allowed, it is considered 'high risk'.
TRANSACTIONAL: The consumer can conduct both financial and non-financial transactions by accessing the bank's core application. This category also carries a 'high risk' element. A few banks in Pakistan also offer inter-bank fund transfers through internet banking.
INTERNET BANKING IN PAKISTAN: Registered internet banking users in Pakistan can perform a variety of retail transactions on the internet such as cash management, account statements, utility bill payments, and the recently introduced consumer2consumer (C2C) and consumer2business (B2C) fund transfers from one account to another.
According to the 'Payment Systems Quarterly Review' published by the State Bank of Pakistan (SBP), as of December 31, 2010, 22 banks were offering internet banking nationwide. Askari Bank Limited, taking the lead, started internet banking back in 2003.
Internet banking transactions have recorded tremendous growth over the past few years. As mentioned in the review, the volume of internet banking transactions in 2010 was 2,962,000, valuing Rs141,239 million, recording a hefty growth of 41 per cent in number and 107 per cent in value over 2009.
VOLUME AND VALUE OF INTERNET BANKING TRANSACTIONS
TRANSACTIONS          FY 2006   FY 2007   FY 2008   FY 2009   FY 2010
Volume ('000)             390       886     1,320     2,095     2,962
Value (Rs. Million)    17,047    27,756    43,807    68,366   141,239
RISKS: The advent of internet banking has not opened up new risk categories, but rather accentuated the risks that any financial institution faces. Senior management must, therefore, be cognizant of these risks and deal with them appropriately by incorporating internet banking risk controls within their existing risk management structures. The major risks associated with internet banking are discussed below.
TRANSACTION RISK: The essence and success of internet banking lie in the continuous availability of service along with the integrity and non-repudiation of transactions. Keeping in view the complexities of internet technology and the magnitude of internal controls required, the chances of transaction risk are usually high in internet banking. The increasing role of third parties and the growing outsourcing culture have further increased the level of transaction risk, since a bank cannot exercise full control over a third party.
REPUTATION RISK: Weak communication infrastructure and the legacy systems in use at various banks have contributed significantly to reputation risk for banks offering internet banking. Consumers using internet banking in Pakistan face several problems such as poor or no response, limited availability and less user-friendly software at various banks.
INFORMATION SECURITY RISK: Upholding the consumer trust and safeguarding their sensitive personal information are prime responsibilities of the financial institutions.
Giving access to the bank's core system through internet banking has further aggravated the situation, creating severe information security risks for banks. Stories of hackers stealing from online bank accounts in different countries are still fresh in our minds.
COMPLIANCE RISK: Banks in Pakistan need to comply with the laws, regulations, guidelines and directions issued by the government as well as SBP. Any deviation will create unnecessary compliance risk, along with monetary loss and diminishing business opportunities.
RISK MANAGEMENT: Internet banking follows the same principles as other risk management processes. Keeping in view the nature of internet banking and its operations, the risks involved should neither be conceived as a technical problem nor should their solution be confined to the information technology department. It is a general management issue and needs attention from higher management.
STRONG LEGAL & REGULATORY FRAMEWORK: The availability of legal and regulatory framework occupies a significant position in effectively managing various risks associated with the internet banking.
The enactment of the Payment Systems and Electronic Fund Transfer Act in 2007 has provided a solid foundation for the development and safety of retail and wholesale payment systems, including e-banking, in the country by providing the necessary guidelines and directions on protecting consumer interest and maintaining the integrity, efficiency and reliability of payment systems in the country.
The Act has defined various obligations for the central bank to develop a regulatory framework on payment systems and electronic fund transfers along with the issuance of standards, guidelines, or by-laws for the protection of consumer interest. It has laid emphasis on the need for determining respective rights and liabilities of the designated institutions, service providers, and other participants.
IMPLEMENTATION OF INTERNATIONAL PAYMENT SECURITY STANDARDS: There are various international payment security standards, such as PCI-DSS, designed on different parameters but with a single objective, i.e. to protect consumer interest.
PCI-DSS, the Payment Card Industry Data Security Standard, consists of 12 requirements defined at various levels of security, covering hardware, applications and networks, with the objective of ensuring the confidentiality and integrity of consumer payment card information during its storage, transmission and processing. Its implementation will therefore substantially reduce the risks associated with electronic banking.
Realizing its importance in protecting consumer data and interest, Pakistan Banks' Association has constituted a technical committee on PCI-DSS and its implementation.
BANK MANAGEMENT OVERSIGHT AND STRONG INTERNAL CONTROLS: The bank's policies and procedures usually follow the legal and regulatory environment of a country. The board and senior management should design and oversee their policies and procedures including specific accountability and internal controls to manage these risks effectively.
Accordingly, higher management should clearly understand the role played by internet banking in meeting the bank's overall strategic objectives.
Senior management should set the tone in managing risks by establishing key delegations and reporting mechanisms, segregation of duties, and escalation procedures.
In addition, higher management should ensure that ongoing due diligence and risk analysis are performed as a bank initiates or expands internet banking activities. Finally, all internet-based banking transactions should generate a clear audit trail.
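The article asks for transaction integrity and non-repudiation and, above, for a clear audit trail. The following Python sketch is an added illustration, not code from the article or from any bank, of what an audit trail that can prove its own integrity looks like: every record is hash-chained to its predecessor and authenticated with an HMAC, so an edited amount, a deleted record or a replayed record is detected on verification. The key, account numbers and transactions are constructed placeholders.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed demo key. In a bank this would live in an HSM/KMS and the log
# itself would sit on append-only storage; the key is an assumption here.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # back-link of the very first entry


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so the MAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class AuditTrail:
    """Hash-chained, MAC-authenticated log of internet banking transactions."""

    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self.entries = []

    def append(self, txn: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "txn": txn}
        entry = dict(body, mac=_mac(self._key, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Return (True, n) if all n entries chain correctly, otherwise
        (False, i) where i is the first entry whose sequence number,
        back-link or MAC does not check out."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {"seq": entry["seq"], "prev": entry["prev"], "txn": entry["txn"]}
            ok = (entry["seq"] == i
                  and entry["prev"] == prev
                  and hmac.compare_digest(_mac(self._key, body), entry["mac"]))
            if not ok:
                return (False, i)
            prev = entry["mac"]
        return (True, len(self.entries))


# Constructed sample transactions (hypothetical accounts and amounts).
SAMPLE_TXNS = [
    {"type": "bill_payment", "from": "PK00-ACC-0001", "to": "UTILITY-01", "amount_pkr": 2500},
    {"type": "c2c_transfer", "from": "PK00-ACC-0001", "to": "PK00-ACC-0042", "amount_pkr": 15000},
    {"type": "statement_view", "from": "PK00-ACC-0042", "to": None, "amount_pkr": 0},
]


def build_trail(txns=SAMPLE_TXNS, key: bytes = AUDIT_KEY) -> AuditTrail:
    trail = AuditTrail(key)
    for txn in txns:
        trail.append(txn)
    return trail


def demo() -> dict:
    """Show that each kind of after-the-fact change is caught, and where."""
    results = {}
    trail = build_trail()
    results["intact"] = trail.verify()                      # (True, 3)

    edited = deepcopy(trail)
    edited.entries[1]["txn"]["amount_pkr"] = 150000        # amount altered later
    results["edited_amount"] = edited.verify()              # (False, 1)

    deleted = deepcopy(trail)
    del deleted.entries[1]                                  # record removed from the middle
    results["deleted_entry"] = deleted.verify()             # (False, 1)

    replayed = deepcopy(trail)
    last = replayed.entries[2]
    replayed.entries.append(dict(last, seq=3, prev=last["mac"]))  # old record re-appended
    results["replayed_entry"] = replayed.verify()           # (False, 3)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The HMAC gives integrity against anyone who does not hold the audit key, which is what an auditor or regulator needs to trust the bank's own record. Non-repudiation towards the customer, which the article also calls for, needs something the bank alone cannot forge, such as a customer-side digital signature over the transaction stored alongside the entry; the chain structure above stays the same.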
Internet banking, though it occupies an important position in a bank's e-banking portfolio, requires due attention and management support for better risk management and fraud mitigation.
Allowing remote access to a bank's critical systems and consumer data can create severe reputational and operational risks for a bank, which can, however, be avoided through strong internal controls and by regularly fulfilling the regulatory requirements.
The writer is assistant professor at IBA, Sukkur.