E Business Failures

E Business is today part of every business. Managing E Business requires assessing E Business risks and managing them appropriately. As a person who was once in the Banking and Finance industry and engaged in project assessment for the purpose of financing, it has been interesting to observe the changes in the business environment and the consequential changes in the financial services industry.

Financing of projects had traditionally been done through equity from promoters and debt financing from institutions. This has changed in the E Business era, with most of the funding coming in the form of equity from Venture capitalists. Even when institutions are involved, they prefer to invest through mutual funds in equity. During the late 70s, I had seriously promoted the concept of “Equity Financing with Conversion to Debt at the borrower’s option” as a mode of financing SMEs. It was suggested as “Udyama Kranti Yojana” to the then Government in Karnataka as a means of encouraging Small Scale industries. Of late such hybrid investments are being pursued in the case of financing of profitable projects by institutions.

In the recent budget discussions, it is being debated how India can encourage the manufacturing sector to ensure better growth in the economy. Financing of traditional manufacturing projects is based on established principles of risk assessment from four angles:

a) Marketing feasibility
b) Technical feasibility
c) Managerial feasibility, and
d) Financial feasibility

In the light of the emergence of E Business as a prominent component of business, it is necessary to examine if our Bankers are capable of using these traditional financial tools to assess the feasibility of current day projects.

In this context, it was interesting to read an article on 10 Reasons for E Business Failures in bwired.com. The article speaks of various reasons which fall in the domains of the four feasibility approaches indicated above. However, as a person who is involved in advising many E-projects from the point of view of drafting the privacy documents, terms and conditions documents etc., it appears to me that the article misses one important cause of business failures, namely “Non Compliance with Cyber Laws”.

We can recall here the experience of “Napster”, which had to close down its business because of “Cyber Law Issues”. A similar “Non Compliance” issue hastened the sell-out of Radiant Software, a Chennai based company. Many US companies are facing substantial liabilities on account of non-compliance with HIPAA. Many Banks have also been facing huge liabilities on account of Cyber Frauds, threatening their profitable existence.

In view of the above, I think it is necessary for all Financial institutions as well as Venture Capitalists to consider “Cyber law issues” as a Feasibility parameter in their assessment criteria. Cyber Law feasibility of a project can be best handled by “Techno Legal Consultants” who understand technology along with the relevant cyber laws. Naavi was one of the first in India to offer such services through Ujvala Consultants Pvt Ltd to new generation entrepreneurs and HIPAA projects.

In the coming days, with financial institutions investing in more and more global businesses that have a high level of E Business component, the need for a Techno Legal Feasibility study as an additional factor in the “Project Feasibility” exercises to be undertaken by them has increased.

Such services would also be required during mergers and acquisitions as well as venture capital financing. These services will automatically ensure that projects have the required levels of “Information Security” from day zero.

Once the project goes on stream, it can be assessed under the other usual frameworks of Information Assurance, which take into account cyber law compliance along with other aspects of information security.

The seamless integration of “Techno Legal Feasibility Studies” with “Total Information Assurance Audits” is the approach recommended by Naavi for information technology projects. Hopefully entrepreneurs/financial institutions will appreciate the need and take necessary steps in this direction.

Posted in Uncategorized

New RBI guidelines on IS Vs Damodaran Committee

RBI has been advising Banks from time to time on information security in Banks.

It was immediately after the ITA 2000 was notified in 2000 that RBI set out to first formulate its guidelines for cyber law compliant information security in Banks. It constituted the SR Mittal Working Group (SRMG) which gave its report in 2001. On June 14, 2001, the first operative “Internet Banking Guideline” was introduced by RBI.

Then again, after ITA 2000 was amended in 2008, RBI constituted another committee, the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, more popularly known as the GGWG (G Gopalakrishna working group). The recommendations of the committee were notified on April 19, 2011. These have been discussed at length in Naavi.org here.

In both the SRMG and GGWG, there were attempts by representatives of Banks to push in recommendations that favour Banks vis-a-vis the customers regarding liability for cyber frauds. Both times their efforts were unsuccessful. In the 2001 guidelines, RBI indicated that Banks should pick up liability for cyber frauds and obtain insurance to cover their own risks. By the time GGWG came up, the historic S.Umashankar Vs ICICI Bank judgement of the Adjudicator of Tamil Nadu was available and RBI reiterated that Banks may face liabilities under ITA 2008 in case of Cyber Frauds.

Close on the heels of the GGWG, on August 3, 2011 another important recommendation came forth in the form of the Damodaran Committee on Customer Service. This committee made several important recommendations to safeguard the interests of customers in the E banking scenario.

Though the banks had failed to block undesirable recommendations in the SRMG and GGWG, they succeeded in ensuring that the Damodaran Committee report was not notified from August 2011 till date. At the same time, RBI did not reject the committee’s report either. For the last two years there has perhaps been an internal struggle going on in RBI, with one section trying to push it through and the Bankers’ lobby trying to stall it.

The February 28, 2013 guidelines on Information Security issued now indicate that finally some action has been taken based on the Damodaran Committee report, though no mention of this report was made during the release of the guideline.

It is therefore interesting to observe what the recommendations of the Damodaran Committee were and how they compare with the 18 recommendations made under the February 28 guideline.

The following document tries to list the recommendations of the Damodaran Committee along with the February 28, 2013 guidelines.

Comparison of Damodaran Committee Recommendations and February 28 2013 guidelines on Information Security.

These now become part of the Banking regulations that need to be considered in any future GGWG audit. Additionally, the new guidelines have made it mandatory for Banks to look at PCI-DSS compliance, which needs to be applied not only at the credit card merchant’s level but also at the ATM stations. These also become relevant for the GGWG audit.

Ujvala Consultants Pvt Ltd, which is a specialized Information Assurance Consultancy company engaged in GGWG Compliance audit, will be integrating these recommendations into its audit standards along with the Basel III recommendations on “Operational Risk Assessment”, since “Legal Risks” are part of the operational risks under Basel considerations.

We need to wait and see how the new guidelines, which are to be implemented before June 30, 2013, will be followed up by the RBI. We also need to wait and observe whether other recommendations of the Damodaran Committee will be separately notified in future in some form.


Naavi

Posted in Bank, Cyber Law, Information Assurance, ITA 2008, RBI

New RBI guidelines on E Banking security (contd.)

This is in continuation of the previous article on the new guidelines of RBI on E Banking security issued on February 28, 2013.

Apart from the card related security measures covered in the previous article, the RBI circular also touches on some aspects of RTGS, NEFT and IMPS.

The recommendations are:

1. Customer induced options may be provided for fixing a cap on the value and mode of transactions/beneficiaries. Additional authorization may be insisted upon when the customer wants to exceed the cap.
2. Limiting the number of beneficiaries to be added per day is to be considered.
3. A system alert is to be introduced for beneficiary addition.
4. The number of transactions per day/per beneficiary may be monitored for suspicious transactions.
5. Introduction of an additional factor of authentication (preferably dynamic) for unusual transactions, to be authenticated on special request.
6. Banks may consider implementation of digital signatures for large value payments for all customers, to start with for RTGS transactions.
7. IP address capture for transactions may be considered.
8. “Adaptive Authentication” (a means of providing authentication for end users without them having to know it is at work) may be considered for fraud detection.
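As an added illustration (not from the circular or Naavi.org), the following monitor shows how measures 1 to 5 and 7 above can be expressed as checks in a bank's transfer-processing logic: a customer-chosen value cap with step-up authentication when exceeded, a per-day limit on beneficiary additions with an alert on each addition, a per-beneficiary transaction count that flags unusual volume, and IP capture on every attempt. The thresholds, customer and beneficiary names and IP address are constructed sample values, and measure 5's "dynamic factor" is represented only by a flag.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not RBI's text or code): transfer-monitoring checks for
# RTGS/NEFT/IMPS modelled on measures 1-5 and 7 of the circular.
# All thresholds below are constructed assumptions, not circular values.

@dataclass
class Transfer:
    customer: str
    beneficiary: str
    amount: int               # rupees
    day: str                  # "YYYY-MM-DD"
    src_ip: str               # captured for every attempt (measure 7)
    extra_auth: bool = False  # dynamic second factor supplied (measure 5)

@dataclass
class Policy:
    value_cap: int                        # customer-chosen cap per transfer (measure 1)
    max_new_beneficiaries_per_day: int    # measure 2
    max_tx_per_beneficiary_per_day: int   # measure 4

class TransferMonitor:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.known = set()                # (customer, beneficiary) registered pairs
        self.added = defaultdict(int)     # (customer, day) -> beneficiaries added
        self.tx_count = defaultdict(int)  # (customer, beneficiary, day) -> allowed transfers
        self.alerts = []                  # system alerts (measure 3) and fraud flags
        self.log = []                     # (customer, beneficiary, amount, ip, decision)

    def add_beneficiary(self, customer: str, beneficiary: str, day: str) -> str:
        if self.added[(customer, day)] >= self.policy.max_new_beneficiaries_per_day:
            self.alerts.append(f"{customer}: daily beneficiary-addition limit hit on {day}")
            return "REJECT"
        self.added[(customer, day)] += 1
        self.known.add((customer, beneficiary))
        self.alerts.append(f"{customer}: beneficiary {beneficiary} added")  # measure 3
        return "ADDED"

    def evaluate(self, t: Transfer) -> str:
        if (t.customer, t.beneficiary) not in self.known:
            decision = "REJECT"  # pay only registered beneficiaries
        else:
            key = (t.customer, t.beneficiary, t.day)
            unusual = (t.amount > self.policy.value_cap or
                       self.tx_count[key] >= self.policy.max_tx_per_beneficiary_per_day)
            if unusual and not t.extra_auth:
                decision = "STEP_UP"  # additional (dynamic) factor required first
            else:
                if unusual:
                    self.alerts.append(f"{t.customer}: unusual transfer to {t.beneficiary} "
                                       "authorised with extra factor")
                self.tx_count[key] += 1  # only allowed transfers count toward measure 4
                decision = "ALLOW"
        self.log.append((t.customer, t.beneficiary, t.amount, t.src_ip, decision))
        return decision
```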

These suggestions are also on the lines suggested by the Damodaran Committee on Customer Service.

Though the circular uses the word “may” while referring to these suggestions, it mentions at the end that all these suggestions are “Expected” to be put in place by banks by June 30, 2013.

Naavi.org is happy that our long fight for better security in E Banking is bearing fruit.

Now we need to watch if Banks actually implement these suggestions and whether RBI will enforce its dictum.

In the past, Banks have simply ignored RBI guidelines and faced adverse comments in inspections as a matter of routine. RBI is also aware of such tendencies in some Banks. Hopefully this time RBI will use its powers to enforce compliance. The public is with RBI if it takes strong measures to protect E Banking.

Once again, I personally and Naavi.org as a representative of public congratulate RBI on its initiative in issuing this circular.

Naavi

Posted in Bank, Cyber Crime, Cyber Law, RBI

RBI issues new guidelines for E Banking security

Naavi.org has been pointing out that RBI appears to have a dual character when it comes to policy implementation. There is one set of executives, probably closer to retirement but occupying the top echelons of RBI, who are still oriented towards “Safe Banking” and “Customer Interests”. But there is an emerging set of executives in the mid management cadre who are easily swayed by the powerful bank lobbies into recommending measures which are often anti consumer.

Further evidence of this is the issue of a new circular dated February 28, 2013 by RBI addressing some Risk mitigation measures for Electronic payment systems, in the midst of the controversial “Discussion Paper” on “Disincentivisation of Cheques”.

Copy of circular available here

Speaking of “Securing Card Payment Transactions”, the circular specifies that

1. New cards will be issued for use only within India. If international use is specifically requested by the customer, it may be allowed, but only on a card with EMV chip and PIN enabled. This will be effective from June 30, 2013.

2. Existing cards which have been used internationally (E commerce and POS or ATM) at least once will have to be in the EMV/PIN format only, and older magnetic strip cards will have to be replaced by June 30, 2013.

3. Until such time as the EMV cards are issued, there would be an omnibus limit of USD 500/- on international payments of any magnetic strip card. Lower limits may be fixed by the Banks based on the customer profile.

In terms of security, it is advised that

1. All POS systems should be certified for PCI-DSS and PA-DSS compliance by June 30, 2013.

2. Banks should frame rules based on the transaction pattern of the card usage to prevent frauds.

3. All acquiring infrastructure based on IP based solutions should be mandatorily put through PCI-DSS and PA-DSS certification.

4. A real time fraud monitoring system should be introduced at the earliest.

5. Card blocking through SMS should be enabled.

6. Two factor authentication should be applied even for international payments with cards.

7. A call referral system should be introduced. Under this system the issuer may respond to the merchant with a “Call issuer” decision. The merchant may then call the acquiring bank with details, after which the acquirer calls the issuing bank and seeks authorization. Before authorization, the issuing bank will speak to the customer. After the authorization, the merchant has to swipe the card again.

The above measures will go a long way in mitigating the card related frauds. Some of these suggestions are on the lines suggested by the Damodaran Committee.

It is time to congratulate RBI for this move.

(More to follow)

Naavi

Posted in Bank, Cyber Crime, Cyber Law, Netizen's Forum, RBI

Who is trying to hide Cyber Fraud scam in Indian Banks?

It has been pointed out that the answer given by the Government on the status of Bank frauds in India does not appear to contain correct information. It was pointed out that the figure of frauds for 2009 quoted in the February 22, 2013 press release places the frauds at Rs 4048.94 lakhs, whereas for the same period the reply given to a Parliamentary question on 30.7.2010 stated the fraud value as Rs 16.69 crores.

At the same time, we also pointed out that an RTI reply from RBI to DNA Mumbai had placed the frauds in 2006-2011 at around Rs 4500 crores just in the top 5 cities of India, with Mumbai alone accounting for Rs 1882 crores.

Today a report in TOI reiterates that Cyber Frauds are around Rs 130 crores in three years, based on the PIB release.

It is also known that RBI has earlier been stating that the Fraud reports it obtains from Banks do not show cyber frauds separately. However, the PIB press release of 22nd February clearly points out that the figure is for Cyber Frauds. It is not clear how RBI was suddenly able to get these figures.

Also, according to the Fraud guidelines, all frauds reported in Banks should be reported to the Police by the Banks. According to the PIB release there were 8322 cyber fraud cases in 2012 alone. In 2011 and 2010, the number of frauds were 9588 and 15018 respectively. This means that a total of 32,928 Cyber fraud complaints should have been registered all over India by Banks. These should have been reflected as “Cyber Crimes” in the NCRB statistics.

However, NCRB statistics do not show these numbers.

From these various observations it is clear that either the Government is trying to mislead the Parliament and the public about the real status of Cyber fraud incidence in Banks or neither the Government nor RBI is even aware of the actual position.

If RBI and the Government do not know the actual fraud situation, then it reflects gross incompetence. If they are aware and are misleading the public, we need to investigate why they are concealing the facts and whether there is any attempt to hide a scam in the Banking industry.

Industry observers estimate the extent of Cyber Frauds in Indian Banks to be way above the figures quoted in the recent reports. The belief is that the frauds are in the region of Rs 6500-8000 crores per annum, as against the Rs 50 crores now being talked about.

There is therefore prima facie evidence that there is something fishy about the PIB release. There is an apparent motive to suppress the Cyber Fraud situation on the part of vested interests who are promoting disincentivisation of cheques, and it is possible that the same people are behind this misinformation.

There needs to be some investigation and a clarification in the Parliament. I wish some MPs such as Rajeev Chandrashekar would take up this matter and seek a clarification from the Finance Ministry.

Naavi

Posted in Bank, Cyber Crime, RBI

Government misleading Parliament on Bank fraud information

The PIB press release of 22nd February 2013 has provided some data on Bank frauds. According to this press release, the fraud information for the last three years was as follows.

(image: bank_fraud_data_2013)

The Bankwise data is also available here

According to these figures, which it is presumed must have been given to the Parliament in response to a question, the total frauds reported in 2010 were Rs 4048.94 lakhs.

On 30.7.2010, the Government, in reply to Loksabha unstarred question no 1072, had stated that the total frauds reported in 2010 were Rs 1669.83 lakhs.

It appears that the Government does not have correct figures and it is misleading the Parliament by giving false information on the status of Bank frauds.

Naavi.org had earlier carried a report of DNA Mumbai which had stated that, according to an RTI reply from RBI, Bank frauds in 2006-11 in 5 major cities were of the order of Rs 4500 crores. (See report here). It appears that RBI has no proper information on this key performance parameter of the Banking industry.

Will some MP clarify the position?

Naavi

Posted in Bank, Cyber Crime, RBI