Let's Build a Responsible Cyber Society




Organizational Responsibilities for Fraud Prevention

"Where there is Money, There will be Frauds" is a truth every financial professional knows. The increased use of technology in the Banking, Financial Services and Insurance (BFSI) business has made "Fraud Management" one of the business responsibilities of BFSI institutions. Banks and other financial entities have been quick to adapt to the technological revolution and have moved most of their businesses online. This of course makes good commercial sense, since costs may be reduced and customers may enjoy anytime, anywhere services. However, what needs to be noted is the increased fraud risk that comes with the change in procedures accompanying the use of technology.

The use of technology in business has also changed the profile of the people who work in BFSI industries. Most of them are young and technically more skilled than their superiors. As a result, technological power and administrative responsibility are in different hands.

This situation of "Immature Procedures and disengagement of power and responsibility" is a sure recipe for the proliferation of frauds. Hence we can foresee a quantum increase in financial frauds in the coming days, and the BFSI industry will be the worst hit by this trend. It is therefore no surprise that "Cyber Crime Studies" show an increasing number of "Organized attacks on Banking institutions". The Broking and Insurance industries may not be in the news as much as the Banks. The reason could be that the fraudsters are first milking the Banking industry and may look at other industries when the going gets tough in Banking. Alternatively, it may be that frauds in the Broking and Insurance industries are more subtle and harder to detect. Cyber Financial Frauds are therefore like time bombs, ticking to explode some time, and in some cases they may even take the institution down.

The impact of Frauds is often felt first by the customers. For example, a customer of a Bank is affected by a "Phishing Fraud" and loses money. Here the Bank may feel that there was negligence on the part of the customer and hence that the loss should be borne by him; the Bank considers itself not liable for the loss. Similarly, there may be a "Pump and Dump Scam" in which a phishing mail in the name of an online broking firm has been used. The Broking firm may feel that it is not liable for the loss.

But it is necessary for BFSI managers to recognize that it will not be long before the liabilities are shifted from the customers to the institutions. Worldwide, this is the trend. If somebody wants to create a commercial venture built on a technology platform, it is the responsibility of the owner of the venture to make it safe for the customers. This principle is now part of the legal mandate and often manifests itself in the form of "Legal Compliance" and "Mandatory Information Security Audits".

A recent survey of U.S. Internet users by the Ponemon Institute agrees with this premise, finding that over three-fifths of the survey respondents believed it "unacceptable" for a bank to not respond to phishing schemes that use the bank's identity as the means of gaining the victim's trust. Nearly 96 percent of the respondents said that banks need to use technology to provide protection to their banking customers.

Naavi.org has been suggesting that "Phishing" involves a Section 66 offence under ITA 2000. When this is read with Section 85 of ITA 2000, the responsibility for prevention of Phishing becomes part of the "Due Diligence" requirements envisaged under the Act, failure of which transfers the liability to the Bank and its executives. This view was upheld in a recent German case, in which a Bank was held responsible for a customer's Phishing loss.

Though the interpretation of responsibilities under GLBA is still not as strict as under HIPAA, it is expected that other countries will soon follow in the footsteps of the German case and expect a higher level of IS compliance from the Banks. IS compliance is not considered complete merely with the installation of a Firewall or a good Anti Virus system; it should cover all aspects of information security, including encryption, use of digital signatures, etc.

One of the most critical aspects of compliance is "Creation of Cyber Crime Awareness amongst Staff members". This should be the starting point for any security initiative, since Staff participation is a part of any successful security practice. It is in this context that Naavi has been suggesting "Cyber Ethics Certification" for IT employees. The Banking sector is perhaps the most suitable industry in which such a certification should be made mandatory.

Cyber Law College has likewise been suggesting "Cyber Ethics Certification" for IT employees. While it is expected that sooner or later the regulatory authorities will make it mandatory for Banks to conduct Cyber Crime Awareness programmes for all their staff members, progressive Banks should consider being pro-active and making Cyber Ethics Certification part of their recruitment and training policy.

Cyber Law College has pioneered a “Cyber Ethics Certification Programme” which consists of a half day “Awareness Workshop” including a presentation, Exit Test and signing of an “Ethical Declaration”.

Such a programme is being successfully implemented for the members of IT Companies engaged in Health Information Processing for US clients, where HIPAA has made such training mandatory. Cyber Law College has also developed similar standards for Legal BPOs under LIPS 1008 (Legal Information Protection Standard) and is in the process of developing an Indian Financial Services Information Protection Standard (IFIPS) addressing the Information Security needs of small Banks, online brokers and Insurance companies.

It is high time that RBI makes it mandatory for all Banks in India to undertake a training programme for their staff, certifying them as "Ethical Cyber Bankers".



Nov 18, 2008

Related Article

Phishing Liability Concerns Online Banks

Banks are liable for phishing attacks on customers, says German court