Naavi’s proposition on Sanctions on Banks is reflected also in the EU guidelines

“Mandatory Sanctions” as a part of the Information Security policy has been advocated by HIPAA way back in 1996 and is being increasingly accepted as a necessary part of a good Information Security policy. The theory of Information Security Motivation advocated by the undersigned also provides an important role for mandatory “Sanctions” to ensure that intended information security measures are implemented in practice.

Now the EU has issued a directive indicating that supervisory employees of organizations who do not take appropriate measures when cyber crimes are committed by their employees could themselves have to face the consequences. The rules allow member states to impose punishment even if an employee carried out the hacking without the bosses’ knowledge.

The detailed text of the directive is available here.

Basically the directive imposes a responsibility for “Due Diligence”, failing which criminal liability may attach to the executives of the company.

This is the concept of “Vicarious Liability” inherent in ITA 2008, both under Section 85 and Section 79.

The directive expects member states to impose criminal penalties that are effective, proportionate and dissuasive. An interesting provision is:

Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 10(1) is punishable by effective, proportionate and dissuasive sanctions, which shall include criminal or non-criminal fines and which may include other sanctions, such as:
(a) exclusion from entitlement to public benefits or aid;
(b) temporary or permanent disqualification from the practice of commercial activities;
(c) placing under judicial supervision;
(d) judicial winding-up;
(e) temporary or permanent closure of establishments which have been used for committing the offence

Naavi, writing on “Will RBI disclose “Sanction Mechanism” to enforce sanctity of Banking license conditions?” in the context of the new Banking licenses in India, had highlighted the need for RBI to disclose what sanctions it would impose on the Banks for failing to meet the regulatory requirements.

In the past RBI has not been able to enforce its own regulations on the Banks, and hence Banks in India openly indulge in money laundering, flout ITA 2008, flout RBI guidelines on Internet Banking and force customers to accept illegal operating conditions. These have been increasingly exposed in some adjudication proceedings against leading Banks such as ICICI Bank, Punjab National Bank, Axis Bank etc. Violations of RBI guidelines and law have also been brought to the attention of RBI with a request for cancellation of the licenses of the erring branches. RBI however has failed to respond with such strict sanctions and has allowed weak information security in Banks to continue and take its toll on the customers.

RBI should now observe the clear directives in the EU guideline and see the merit in the demand of the undersigned that closure of a few erring branches of Banks will make them realize that they cannot continue to take the customers for granted.

Similarly, when it comes to the licensing norms that RBI has set up for the 26 applicants, RBI should ensure that along with the licensing norms, the sanctions for non-compliance are also disclosed and implemented without fear or favour.

Naavi


New Banking Licensees- Beware of IT Companies who want to trap you.

RBI has now invited applications for new banking licenses from the private sector, which has attracted 26 aspirants. Many of these are thinking of building their Banking empire on the edifice of technology.

Already, the Indian Banking system has become extremely “Technology Dependent”. In fact RBI is making it mandatory even for RRBs to run on a “Core Banking Platform”. RBI looks at Core Banking Software systems as a means of better information collection which may help RBI in the administration of its monetary policies. However, in the process RBI is forcing a banking platform which is unfamiliar to the Bankers, unmindful of the unsafe nature of the software.

The “Eurograbber” risk, which has resulted in more than 36000 banking frauds across the European countries, is threatening to enter India. Once it hits the Indian shores, it can destabilize even the strongest of the strong Banks operating in India at present.

At this time the new Banking entrants appear to present an even higher risk for the Customers than the existing Bankers since their technology dependence is expected to be higher.

One of the reasons why these new Banks will be more technology dependent is that they will chase profits in a competitive world; as late entrants they need to make money by being more efficient. This of course is a good strategy and perhaps even inevitable.

Even before the applicants can be sure about getting their licenses, the IT Companies are already behind them to sell their “Core Banking Applications”. Some of them may even like to be called “Partners” in setting up the new Banks. This again is a genuine marketing activity and is to be expected.

However in the process of listening to the high profile marketing pitch from IT Companies, the new Banks should be aware of the dangers of setting up their Banking entity as a dependent entity on the technology platform supplied by the IT Companies.

We must remember that all these companies are supplying “Core Banking Systems” that have not only failed to stop Eurograbber type Trojans but are also not cyber law compliant, since they use “Password based authentication systems” instead of “Digital Signature Based authentication systems”.

Since many of the new Bank license applicants are not fully conversant with the Information Risk environment in the Banks and at least some of them are new to the Banking system itself, they could end up becoming over dependent on the software in driving their Banking business.

Bankers should understand that it is not Infosys or Oracle or Tata Consultancy that will determine how the Banks need to carry on their Banking activities. IT is only a tool with which Banks do their business as defined by the Banking Regulation Act 1949.

In the past these IT Companies have foisted underperforming software on the industry, which is one of the root causes of the information risk inherent in the industry today. These IT companies sell software which is convenient to them and not what is safe for the customers. This is the reason why the “Eurograbber” or “Zeus” type of trojans can make merry in the system.

Unless the Bank owners demand a “Secure Banking Software” as a pre-condition these IT Companies will continue to make money at the expense of Bank customers.

Even the Banks need to ensure that they have enough internal expertise in “Core Banking” with which they can evaluate the functional aspects of a software and identify the security loopholes. Unfortunately many of the new generation Banks think banking to be a “Customer Acquisition Marketing program” and engage professionals who are good in marketing but have little knowledge of the domain. They consider each customer as a “Profit Center” and try to maximize the profit per customer. In the process, if the customer collapses, they do not mind and move on to the next customer.

We need “Customer Centric Bankers” who keep the interest of long term customer relationship as the key principle of banking and convert it into software specifications. The present situation where Banks are reluctant to use Digital Signatures for banking authentication and ignore the need to use “Real time risk management software” are indications of the fact that most Bankers are not able to understand the Banking risks and how it translates into information risk in a technology banking area.

Though there has been an improvement of information security practices in some Banks in the last 6 months, many Banks are far below the expected level of security.

The new Banking license aspirants should therefore avoid falling prey to the IT Companies by signing their proposals on the dotted line, and should demand that the software vendors assume the responsibility for frauds arising out of technology issues.

Customers are indifferent as to whether the technology vendor or the Banker bears the risk of technology frauds, but are keen that RBI makes Cyber Crime Insurance mandatory for the new Banks as a part of the licensing regime.

Older Banks may be happy with the proposal since it will create an additional barrier to the new Banks. It is left to the RBI to decide if Cyber Crime Insurance should be made mandatory even for the existing Banks. But even if Cyber Crime insurance is not mandatory for existing Banks and becomes mandatory only for the new generation Banks, it could become a factor of differentiation with which new Banks may promote their deposit products.

Whether the Banks are happy or not, if RBI makes Cyber Crime Insurance mandatory for new Banks, it would make the customers of the new Banks happy.

This should also add to the viability of the new Banks amidst the pressures of Financial Inclusion and Priority Sector lending. Since the technology platform of these Banks is being created afresh, it is possible for the Cyber Crime Insurance industry to work in close alliance with the technology vendors, Information Security professionals and the user Banks and ensure that the systems are tweaked to improve the security levels to levels higher than at present.

We can therefore look for more interesting and exciting times ahead for the Banking industry in India.

Naavi

Related Article:

Indian IT companies chase banking licence hopefuls

Earlier articles on New Banking License


The Thief who stole Rs 286 crores from Banks coming to India

Recently, all across Europe, the “Euro Grabber” stealthily stole around 36 million euro (Rs 286 crores) from Bank customers. These were all customers who thought that

a) Their money in the Bank was safe.

b) Internet Banking was a great way to do Banking.

The Banks thought that they had introduced the “Two Factor Authentication” which was a sophisticated system and made Internet Banking safe.

However, there came a great thief called “Euro Grabber” along with his team of assistants and invaded thousands of PCs and Mobiles and finally stole money from around 30000 retail and corporate customers of different Banks across different parts of Europe.

“Eurograbber” is a new variant of the Zeus Trojan which steals the credentials of the banking customer both at the desktop and on the associated mobile. Hence it easily bypasses the 2 Factor authentication system and is able to execute unauthorized transactions in the customer’s accounts. The trojan is currently known to have successfully attacked mobile systems using the Android, Blackberry and Symbian operating systems, which in other words may mean more than 95% of the systems in use.

The “Eurograbber” is an intelligent trojan which is often dropped through the “Drive by Download” method. In other words, the infection does not require the user to answer a “Phishing Mail”. All those Bankers who are crying from rooftops that “We do not ask for your passwords” and then say “Password can never be compromised unless the customer answers a phishing mail” must realize that the methodologies used by trojan droppers are beyond all these routine security warnings. Customers may get infected when they have visited a newspaper site or clicked on an unrelated Google search result, or sometimes even by visiting the Bank’s own website (e.g. the Bank of India infection in 2007).

Once the desktop is infected, when the customer visits the Bank website, Eurograbber starts injecting instructions into the running session asking the customer to upgrade security etc. Since these instructions appear during a session initiated by the customer himself, he believes that the instructions are from the Bank and proceeds to provide information that compromises his identity, including the mobile number. The trojan then sends an SMS message to the mobile with similar instructions, ensuring that the customer clicks on a link that infects the mobile also.

With both the desktop and the mobile infected, the trojan is then able to manipulate the banking instructions, intercept the OTP, and carry out fraudulent transactions.

When such “Unauthorized Transactions” are carried out during a valid session opened by the customer, it creates a huge evidentiary problem for the customer, since the time of the transaction coincides with the time of a valid session. Even the IP address from which the transaction was initiated may tally with the IP address of the customer. Unless the judge hearing the case therefore understands the way these trojans function, it would be near impossible for the hapless customer to convince the court that the transaction was “Unauthorized”.
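The evidentiary problem above can be made concrete with a small session-log exercise. The following is an added example, not code from naavi.org or from any bank: the event log is constructed, and the field names, session ids, IP address, thresholds and 30-minute window are assumptions for this illustration. It shows two sessions from the same customer IP. A naive check that asks only “did the transfer come from the customer’s own IP inside a live session?” passes for both the genuine session and the fraudulent one, exactly as the post describes. A risk scorer that instead looks at what happened inside the session (mobile number changed, a payee created, then a high-value transfer to that payee within minutes) flags only the fraudulent transfer. That is the kind of signal a bank’s real-time risk engine, or a forensic examiner, would need to rely on when time and IP tally.

```python
"""Session-event risk scoring: a constructed illustration (not code from
naavi.org or from any bank).  The event log, field names, thresholds and
session ids below are assumptions made for this example only."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    session: str
    ip: str
    kind: str           # "login", "profile_change", "add_payee", "transfer"
    detail: dict = field(default_factory=dict)


def _t(hhmm: str) -> datetime:
    """Helper: build a timestamp on a fixed (constructed) date."""
    return datetime(2013, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed log.  S1 is an ordinary session.  S2 is the pattern the post
# describes: the customer is "asked to upgrade security", hands over a mobile
# number, a payee is added and an OTP-confirmed transfer follows, all from the
# customer's own PC and IP, inside the customer's own session.
EVENTS = [
    Event(_t("10:00"), "S1", "203.0.113.7", "login"),
    Event(_t("10:03"), "S1", "203.0.113.7", "transfer",
          {"ref": "TXN-1", "payee": "P-OLD", "amount": 5000, "otp_ok": True}),
    Event(_t("18:00"), "S2", "203.0.113.7", "login"),
    Event(_t("18:02"), "S2", "203.0.113.7", "profile_change",
          {"field": "mobile", "old": "+91-98xxxx0001", "new": "+91-98xxxx0002"}),
    Event(_t("18:06"), "S2", "203.0.113.7", "add_payee", {"payee": "P-NEW"}),
    Event(_t("18:09"), "S2", "203.0.113.7", "transfer",
          {"ref": "TXN-2", "payee": "P-NEW", "amount": 95000, "otp_ok": True}),
]


def by_session(events):
    """Group events by session id, each group sorted by time."""
    groups = defaultdict(list)
    for e in events:
        groups[e.session].append(e)
    return {s: sorted(evs, key=lambda e: e.ts) for s, evs in groups.items()}


def ip_and_time_consistent(events, session):
    """The check the post says will 'tally': every transfer in the session
    came from the login IP, inside a live session.  It passes for the
    fraudulent session as well, which is the evidentiary problem."""
    evs = by_session(events)[session]
    login_ip = next(e.ip for e in evs if e.kind == "login")
    return all(e.ip == login_ip for e in evs if e.kind == "transfer")


def risk_flags(events, window=timedelta(minutes=30), high_value=50000):
    """Behavioural signals that survive a same-session, same-IP fraud:
    mobile number changed, payee created, and a transfer to that payee, all
    within `window` before the transfer.  Returns {transfer_ref: [reasons]}."""
    flagged = {}
    for session, evs in by_session(events).items():
        for t in (e for e in evs if e.kind == "transfer"):
            earlier = [e for e in evs if t.ts - window <= e.ts < t.ts]
            reasons = []
            if any(e.kind == "profile_change" and e.detail.get("field") == "mobile"
                   for e in earlier):
                reasons.append("mobile_changed_in_session")
            if any(e.kind == "add_payee" and e.detail.get("payee") == t.detail["payee"]
                   for e in earlier):
                reasons.append("transfer_to_payee_added_this_session")
            if t.detail["amount"] >= high_value:
                reasons.append("high_value")
            if reasons:
                flagged[t.detail["ref"]] = reasons
    return flagged


if __name__ == "__main__":
    for s in ("S1", "S2"):
        print(s, "ip/time consistent:", ip_and_time_consistent(EVENTS, s))
    print(risk_flags(EVENTS))
```

Run as a script, it reports both sessions as IP/time consistent and flags only TXN-2. The design point is that the fraud engine must reason about the sequence of actions inside a session, because the attributes a bank usually cites in a dispute (session validity, timestamp, source IP) are all the customer’s own.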

Who is to be blamed for placing the Bank Customer in such a situation?

It is clear that Banks are mainly responsible for operating a system of Internet Banking without adequate security, which places their customers in a compromising position.

To some extent, RBI also should share the blame since it places a lot of thrust on 2 Factor authentication through the mobile. Users are increasingly being coerced into the use of “Mobile Banking” with false promises. Banks also adopt the policy of “No Mobile, No account” and mandate the use of mobiles for Internet Banking.

In this scenario, it will not be long before we will witness a huge Banking fraud emerging in India on the back of the “Eurograbber” trojan.

Naavi


Related Article:

Inside Eurograbber: How SMS Was Used to Pilfer Millions

A Case Study on Eurograbber


New Banking Licenses in India

The recent decision of RBI to invite fresh applications for new Banking licenses has evoked responses from 26 applicants. The undersigned joined the Banking industry in 1973, worked in the industry up to 1987 and later around the industry in Marketing of Banking services since 2000, and diversified as a consultant in Information Security for Banks, particularly working for a “Safe E Banking” environment.

With this background, some of my thoughts on the new licensing aspects have been placed on this website.

Here is a summary of articles so far placed on the website.

1. Should Indian Post be granted Banking license?… Do they need one?

2. Which of the 26 applicants deserve Bank license?

3. Banking License aspirants should disclose business plans to public.

4. Will RBI disclose “Sanction Mechanism” to enforce sanctity of Banking license conditions?

5. Not all Eligible applicants to get Banking license

6. New Bank Licenses-Make Cyber Crime Insurance Mandatory

7. “Deep Pockets” need not be the sole criteria for Bank licenses

8. Banking Licenses and Public Sector aspirants

9. New Banking License-Let’s remember Gandhian Principles of Banking

Naavi


Should Indian Post be granted Banking license?..Do they need one?

The decision of the Indian Postal Department to seek a Banking license from RBI through the Licensing Scheme meant for the private sector has been an object of discussion since the announcement was made. The application is a source of embarrassment to RBI, which now has the challenge of deciding whether or not to grant a license to Indian Post as a traditional Bank.

There have been many positive reviews by experts indicating why Indian Post deserves a Banking license. However, I am personally not convinced that it is a good idea for Indian Post to become a “Commercial Bank”. In fact Indian Post has a greater future by simply modernizing its traditional services rather than becoming a Bank. If it converts itself into a Bank, India will lose a great digital post service that can be developed only by the department of post and not by any other entity in future.

Let me present some of my preliminary views in this regard so that E&Y instead of advising the Postal department to convert itself into a Bank can work on how to modernize the postal system into a “Digital Postal System”.

To start with, we can recognize that the Postal department is today a department of the Government of India which meets its costs out of the Consolidated Fund of India. It is stated that in the fiscal year 2012, it suffered a loss of Rs 6346 crores. Had it not been debited to the Consolidated Fund of India, perhaps the Postal department would be considered a “Sick” company and wound up.

Post offices accept Savings Bank accounts, Recurring deposits and Time deposits, and also sell long term investment instruments. The deposits in the system are stated to be in the region of Rs 6 trillion (600,000 crores). It is therefore the largest Bank in the country as regards deposit mobilization. It has over 150000 offices, with nearly 89% of them in rural areas, making it the largest institution in financial services across the country.

If the department needs to obtain Banking license then the “Banking Arm” has to be carved out as a “Public Sector Company” and run as a “Profit Center”. It cannot enjoy the benefit of “Money on tap” from the Government and has to earn money out of lending operations. It needs to also maintain SLR and CRR on the deposits.

From the depositor’s angle, the rates of interest paid by the Post office today may go down in the Banking arm. Secondly, the deposits which now have an “Unlimited Deposit Insurance” will come under the limited guarantee scheme of the DICGC. Hence the deposit products of the Indian Postal Bank would be inferior to the current products of the Indian post office.

If this inferior product is offered with the current service levels of the Postal department vis a vis an ICICI Bank or a Kotak Mahindra Bank, it is not possible for the Indian Postal Bank to retain its current customer base of around 23.8 crore customers (Savings Bank).

What will therefore happen is that the postal department will have to continue its operations in the present form while its own sister organization cannibalizes its present activities. As a result the department will continue to carry the unprofitable part of its operations, which resulted in the loss of Rs 6436 crores in 2012, and will also be burdened with commercial competition from its Banking arm to wean away the profitable niche of the current business portfolio.

At the same time, the need to undertake “Lending” as a new activity will create a complete upheaval in the system. At present the manpower in the post office is not geared towards any lending activity and hence it has to borrow the entire lending portfolio from outside.

The proposal therefore is neither good for the Postal department nor rosy for the Banking subsidiary. It would be beneficial for both the Postal department and the Banking industry, as well as for the people, if Indian Post continues to be a “Deposit only Institution” backed for repayment by the Government of India.

The Banking subsidiary of the postal department will essentially be a Government owned Bank much like the REPCO Bank presently owned by the Ministry of Home Affairs (as a Society). This trend of each ministry having a Bank of its own is unhealthy from the point of view of a central regulator like RBI.

Once an Indian Postal Bank comes into existence, its staff, mostly drawn from outside, will be on a higher remuneration package compared to the existing employees. The existing employees in rural areas will end up doing all the dirty business as agents of their Bank counterparts who will be entrenched in the district headquarters in air conditioned chambers. Sooner or later this will give rise to a huge HR conflict and make the entire business unviable.

We now have the example of Air India and Public Sector Hotel businesses suffering from the competition fuelled by sell out from within by corrupt politicians. The fate of Indian Postal Bank cannot be different.  We can therefore anticipate that the risk of failure of the Indian Postal Bank is relatively higher than in the case of any other private sector owned Bank.

It must be remembered that “Risk of Failure” is inherent in every financial business and hence it cannot be eliminated in Banking. We can only take precautions so that risks are identified at an early time and mitigated before they become unmanageable. From the RBI’s point of view, risk management strategy within the banking system is better administered if the risk can be contained within a “Failed Entity”. If the failure of one Bank can bring down other stable businesses, it would mean bad risk management. In this respect, failure of the “Indian Post Bank” has the potential of developing into a major scam that can spread the risk to the Consolidated Fund of India.

In my opinion it is not logical for RBI to create this new risk.

Further, going by the legal structure in India, it is possible that the prospect of “Indian Post” turning into a “Commercial Venture” either directly or indirectly may be in conflict with the constitutional framework. Hence the Banking license to Indian Post could be challenged.

I would like Dr Subramanya Swamy to provide his views on this aspect.

While therefore giving my firm view that Indian Postal Department should withdraw its application (rather than RBI rejecting the same), I would like to express that the Indian Postal Department can contribute to the “Financial Inclusion” objective without setting up a Bank.

For example, as is already happening, Postal department can continue to be the “Disbursal Agent” for any Government subsidy. By simply linking the E Money order scheme to the disbursement chain, the objectives can be achieved without any additional investment from the side of the postal department.

The Postal department can also modernize its IT infrastructure so that the efficiency of operation can be improved. Even today, Speed Post is actually more efficient than private courier services, though many in the public do not realize it. Maybe we need to introduce 24X7 speed post counters and more customer friendly operators to manage the counters. The back end can be streamlined and, just as premium couriers charge up to Rs 400 for guaranteed next day delivery, Postal authorities may also introduce “Guaranteed Speedpost Delivery” as a premium service.

The postal letter system can also be revolutionized with E-Letters being delivered electronically from one end to the other, so that while Telegrams might have gone extinct, all letters would be delivered at a speed faster than the telegrams. The system would require a vending machine where the letter posted would be scanned and delivered to the destination post office, where a print out would be delivered to the addressee. This will eliminate the movement of the cards in physical form. This system is similar to the Truncated Cheques or E Cheques conceptualized under the NI Act.

Postal authorities can also develop the “Postal ID” into a biometric based personal ID which can automatically be a “Postal Aadhar”. Then there could be biometric-cum-face-recognition based Assisted Money Vending systems in its rural Post offices which can be used as universal money disbursal systems for various government disbursements and also support other Banks which do not have such a network.

Additionally, the Postal authority can and should develop a national e-mail exchange backbone with a secured server farm equivalent to the infrastructure of gmail, so that all emails from within the country can be handled through this “Indian postal email”. Creating a commercially viable gmail alternative would be a great service that the Indian Postal authorities could do for the people of India, instead of rushing to become a Bank for which they are ill equipped.

It is regrettable that E&Y has failed to provide the correct guidance to the department for maximizing its service potential by upgrading and extending its present services, rather than setting out to be a Banking institution, which eventually may turn out to be a bad decision.

Many of the arguments presented above will, with some modification, apply in principle to the application of LIC Housing Finance also. Hence I do not consider it desirable that either Indian Post or LIC Home Finance should be considered for a license.

Continuing from our previous discussion, we are now left with only 6 applicants who need to be short listed for the license.

Naavi

Related Articles:

Why India Post should get a banking licence

India Post plans to enter banking business

Dept Of Posts To Move Cabinet Note To Apply For Bank License

Post Bank of India?

India Post needs to become a corporate for banking foray

India Post Bank?

Indian Postal Service a Research Report


Which of the 26 applicants deserve Bank license?

As the debate on the choice of probable licensees heats up, here is an interesting debate on moneycontrol.com between three experts.

See Copy of the Detailed debate here

The three experts who have expressed their views are R Jagannathan, the Editor of Firstpost; Haseeb Drabu, former chairman of J&K Bank, former editor of Business Standard and a columnist with Livemint; and B D Narang, former chairman of Oriental Bank of Commerce and now director of many companies. The experts have concluded that they would prefer to categorize the applicants into different categories, namely NBFCs-pure play, NBFCs backed by Corporates, NBFCs backed by Government, Brokerage and Real Estate Firms, Corporates in the private sector, Public sector companies and Government owned entities.

All experts are unanimous in rejecting the applications of the brokerage firms and real estate companies. Most also eliminate corporates on the basis of conflict of interest. Pure play NBFCs are being preferred, with Shriram and SREI Infrastructure Finance as the preferred candidates in this category. In the corporate backed NBFCs, Bajaj Finserv and L&T Finance are preferred. In the Government sector, the Postal Department is the preferred applicant with LIC Housing Finance the next preference. One of the experts has preferred both Tatas and Birlas for the license, though the other two have not shown the inclination.

We thus have six candidates who seem to have passed this short listing exercise, and if we add the Tatas and Birlas, it adds up to 8 in the short list.

I am happy to note that the experts have given weightage to the “Financial Inclusion Capability” as one of the criteria for selection. I cannot but agree with this criterion as the main parity breaker, as I have indicated in my earlier post.

Based on the views of the experts, the following 18 applicants are considered not suitable for the award of the license.

1. India Infoline Ltd., Mumbai
2. Religare Enterprises Limited, New Delhi
3. J M Financial Limited, Mumbai
4. Muthoot Finance Limited, Kochi
5. UAE Exchange & Financial Services Ltd., Kochi
6. INMACS Management Services Limited, Gurgaon
7. Smart Global Ventures Pvt. Ltd., Noida
8. Indiabulls Housing Finance Limited, New Delhi
9. Suryamani Financing Company Limited, Kolkata
10. Janalakshmi Financial Services Pvt. Ltd., Bangalore
11. Magma Fincorp Limited, Kolkata
12. Bandhan Financial Services Pvt. Ltd., Kolkata
13. Edelweiss Financial Services Limited, Mumbai
14. Tourism Finance Corporation of India Limited, New Delhi
15. IFCI Limited, New Delhi
16. IDFC Limited, Mumbai
17. Value Industries Limited, Aurangabad
18. Reliance Capital Limited, Mumbai

This leaves the following 8 candidates in the fray as preferred candidates, namely:

Corporates:
1. TATA Sons Limited, Mumbai
2. Aditya Birla Nuvo Ltd., Mumbai

Corporate backed NBFCs:
3. Bajaj Finserv Ltd., Pune
4. L & T Finance Holdings Limited, Mumbai

Pure play NBFCs:
5. Shriram Capital Limited, Chennai
6. SREI Infrastructure Finance Limited, Kolkata

Government sector:
7. Department of Posts, New Delhi
8. LIC Housing Finance Ltd., Mumbai

I will expand on my comments in my next post.

Naavi
