Section III Retail Payment Systems
Section IV Plastic Money and E-Money
Section V Security Issues in E-Banking
Welcome to the digital age in banking. Over the last couple of decades, technology has assumed the vital role of not only a facilitator, but also a source of competitive advantage for banks. During the 1990s, efficiency and cost-cutting used to be the primary objectives of banks turning to new technology. At present, banks have evolved a strategic approach towards their investments in technology, since they have found that both revenue enhancement and cost-effectiveness count in their constant endeavour to improve their ROA and ROE.
The business of banking, especially financial services and retail banking, is undergoing a sea change as business shifts increasingly to the online environment. The increasing number of customers transacting online would move the ‘market place’ to a ‘market space’, where banks would be forced to expand their product range to include competitors’ products while rapidly innovating their own value-added products.
Technology, and more specifically the Internet, has evolved into an essential access channel. For banks, the Internet offers a cost-effective means of innovating, publicizing and delivering services to the customer, as well as of maintaining customer relationships. For the customer, the Internet has opened up enormous possibilities of convenience and choice.
Let us understand the role of technology as an enabler for improved transaction efficiency through the categorization provided in Figure 16.1.
FIGURE 16.1 CATEGORIZING FINANCIAL TRANSACTIONS THROUGH TECHNOLOGY
The effect of technology on banking has been dramatic. The bank-to-customer relationship has changed significantly, with open standards replacing proprietary front ends, and many-to-many networks substituting for single-line links. Most banks today use the Internet as their global expansion platform, offering an increasing array of financial services online.
The benefits of electronic banking (e-banking) for banks are as follows:
The benefits of e-banking for customers are as follows:
An important ingredient of an efficient and deep financial system is the ability of intermediaries to effect smooth and secure transfers of money and exchange financial claims embedded in financial instruments. The security of payment and settlement systems is critical for sustaining public trust in the financial intermediaries. (Please also see Chapter 1 where we discussed the role of ‘trust’ as the backbone of the financial system).
Hence central banks, as supervisors and regulators of payments and settlement systems through financial intermediaries, have to ensure development of efficient and secure systems to match the explosion in needs and sophistication of the financial sector.
Technology has been a primary contributor to new and innovative products and methods of payments and settlement in various countries around the world. Similarly, the power of technology has been harnessed to enable central banks to carry out their regulatory and supervisory roles as well.
The Committee on Payment and Settlement Systems (CPSS) was set up by the Bank for International Settlements (BIS, www.bis.org; please also refer to the chapter on Capital Adequacy) as a standing committee, with the objective of strengthening financial market infrastructure by promoting sound and efficient payment and settlement systems.
CPSS was formed by the G10 central banks in 1990 with the specific objective of formulating broad supervisory standards and guidelines for payment and settlement systems. It serves as a forum for central banks to monitor and analyse developments in domestic payment, clearing and settlement systems as well as in cross-border and multicurrency settlement schemes. The membership of CPSS was widened beyond the G10 countries to about 25 central banks in 2009. The RBI is a member of CPSS.
The Committee has also forged relationships with many non-CPSS central banks in order to help strengthen payment systems globally. Apart from setting standards, the CPSS also publishes reference works on payment systems in select countries—widely known as the ‘Red book’.
After formalizing the ‘Core Principles for Systemically Important Payment Systems’ (SIPS) in 2001, CPSS published in 2002, along with IOSCO, its ‘Recommendations for Securities Settlement Systems (SSS)’. This was followed up with the CPSS-IOSCO ‘Recommendations for Central Counterparties (CCPs)’ in 2004. Box 16.1 summarizes the CPSS core principles and recommendations.
The CPSS defines a payment system as a ‘set of instruments, procedures and rules for the transfer of funds among system participants’. A SIPS is further defined as a payment system which, if insufficiently protected against credit, liquidity, legal, operational and other risks, could trigger or transmit disruptions among its participants, or generate systemic disruptions in the financial markets or more widely across the economy. Accordingly, a system is considered a SIPS if at least one of the following conditions is met: (a) it is the only payment system in a country, or the principal system in terms of the aggregate value of payments; (b) it handles mainly payments of high individual value; or (c) it is used for the settlement of financial market transactions or of other payment systems.
The 19 recommendations for SSS can be construed as ‘standards’ to enhance safety and efficiency. The recommendations/standards cover all aspects of securities settlements, particularly, the legal framework, settlement cycles, central counterparties, operational reliability, governance, transparency, regulation and oversight.
We have seen in earlier chapters that the role of a CCP is to reduce risk to market participants by interposing itself between counterparties to financial contracts, imposing controls and enhancing liquidity. However, failure of risk management of a CCP could have catastrophic consequences on markets as well as payment and settlement systems. The 15 recommendations (in the nature of standards) for CCPs broadly cover the legal and participation requirements, risk management procedures, operational reliability, efficiency, governance, transparency, regulation and oversight.
It is to be noted that CPSS has not set specific standards for Retail Payment Systems.
The RBI has spearheaded a vast change in the use of technology to make banking in India safer, more secure, smoother and more efficient. The RBI was empowered in 2007, through the enactment of the Payment and Settlement Systems Act, 2007, to regulate and supervise payment and settlement systems in India, formulate relevant policies and provide a legal basis for multilateral netting and settlement finality. To operationalize the Act, the RBI framed the ‘Board for Regulation and Supervision of Payment and Settlement Systems Regulations, 2008’ and the ‘Payment and Settlement Systems Regulations, 2008’.
Payment systems in India can be bifurcated into ‘paper-based’ and ‘electronic’ payment systems. Another classification, based on users, can be into ‘large-value payment systems’ and ‘retail payment systems’. See Figure 16.2 for the components of each classification.
FIGURE 16.2 ALTERNATE CLASSIFICATION OF PAYMENT SYSTEMS
We can infer from Figure 16.2 that while the classification ‘paper-based’ versus ‘electronic’ conveys the mode of payment and settlement, the alternate classification, ‘large value’ versus ‘retail’, conveys their relative importance to the stability of the financial system.
The large-value system (sometimes also termed ‘bulk payment system’) is characterized by relatively low volumes but high values, as contrasted with retail payment systems where high volumes (number of transactions) and low values are typical. Being high value, the large value payment system carries systemic risks that could affect the stability of the payment systems of the financial sector as a whole. Therefore, according to the BIS (CPSS) standards, both high-value clearing and RTGS would be classified as SIPS.
Though retail payments are not termed ‘SIPS’, their importance to the economy cannot be understated, given the sheer volume and geographical coverage that these systems demand.
Box 16.2 describes the salient features of RTGS, the fastest growing segment of SIPS.
The Rationale
The traditional payment system settles payments on a settlement day (the next day, two days later, and so on), and interest accrues on a daily basis regardless. Even in inter-bank foreign exchange and money market contracts, a spot transaction settles two business days after the trade. Cheques presented to clearing houses are settled on a netting basis at a fixed time, either the same day or the next day. These conventions made sense when book-keeping was done manually, but the delay between a payment being initiated and its becoming final gives rise to credit risk, liquidity risk, operational risk, legal risk and systemic risk, and such risks could cause widespread liquidity problems.
The RTGS was introduced to address these problems in the banking sector. It is a system that provides online settlement of payments between financial institutions, i.e., bank-to-bank fund transfer and settlement on the same day. Payment instructions between banks are processed and settled individually and continuously throughout the day, in contrast to net settlement, which takes place only afterwards, typically at the end of the day. Under the RTGS system, payee banks and their customers receive funds during the day and can use them immediately, since each settlement is final and carries no settlement risk. To initiate a fund transfer, the bank sends a payment message, which is routed to the central bank and on to the receiving bank as the system processes and settles the transfer. The RTGS system settles payments on a transaction-by-transaction basis as soon as they are accepted by the system. It is a large-value fund transfer system through which financial intermediaries settle inter-bank transfers for their own account as well as for their customers.
RTGS in India
Operationalized as part of SIPS in March 2004, the RTGS began with four banks settling only inter-bank transactions. In 2006, it was extended to customer transactions; the multilateral net positions arising from other clearing systems are also settled through it. The RTGS operated with 105 members in 2009.
The first transaction was put through by the State Bank of India, which made an inter-bank payment. The RTGS system now allows high-value customer payments as well. High value for the purpose of RTGS is defined as transactions of ₹1 lakh (0.1 million) and above; all customer payments are expected to be enabled on the RTGS system in due course.
The RTGS system is owned and operated by the RBI. Direct membership is restricted and open to commercial banks, primary dealers, clearing houses and others as decided by RBI. The commercial banks are called ‘type A’ members, which enables them to submit customer-based transactions. Primary dealers are ‘type B’ and clearing houses ‘type D’ members. RTGS membership and operations are governed by RTGS Membership Regulations and Business Operating guidelines, 2004 (and subsequent amendments).
Settlement of RTGS transactions is done in the RBI’s books. To enable them to transact, members open an ‘RTGS settlement account’ with the RBI, Mumbai. The member has to fund this account at the beginning of every RTGS processing day from the member’s current account with the RBI. At the end of the day, the balance in the account is swept back to the member’s current account.
Members are provided with a participant interface gateway server, through which they connect to the RBI system over the INFINET.1 The software is supplied by the RBI; the banks procure the hardware to the RBI’s specification. Participants are advised to have a dedicated leased line link between the participant gateway and the local hub of the RBI.
RTGS is a gross settlement system in which both processing and final settlement of fund transfer instructions take place continuously (i.e., in real time). Fund transfers are settled individually, without netting debits against credits, and each settlement is final once made. RTGS systems can thus minimize or eliminate inter-bank settlement risk.
The RTGS system has reduced the time for processing payments from 24 hours, and as much as a week, for cheques to a matter of minutes. The launch of the system is expected to phase out cheques from the banking system in due course. Importantly, RTGS systems offer a powerful mechanism for reducing systemic risk. As central banks have a common interest in limiting systemic risk, this capability has often been the key motive for many central banks to adopt RTGS for large-value money transfers.
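The following Go program is an added example for this chapter’s discussion of gross settlement; it is example code, not software from the RBI’s RTGS. It settles a constructed batch of instructions between three hypothetical members A, B and C exactly as the paragraphs above describe: each instruction is settled individually and finally as soon as the payer’s settlement account covers it, with no netting of debits against credits. Instructions that cannot be funded wait in a queue and are retried whenever a credit arrives; that queueing rule, the member names, the opening balances and the amounts are assumptions made for the example. The netPositions function works out what the same instructions would imply under deferred net settlement, so the two designs can be compared on identical input.

```go
package main

import "fmt"

// Transfer is one interbank payment instruction (constructed example data).
type Transfer struct {
	ID, From, To string
	Amount       int64 // rupees, whole units
}

// Ledger maps each member to the balance of its RTGS settlement account.
type Ledger map[string]int64

// Result lists the IDs settled, in settlement order, and the IDs still queued
// when the processing day ends.
type Result struct {
	Settled, Queued []string
}

// settleOne settles t finally if, and only if, the payer's account covers the
// full amount. There is no partial settlement and no netting.
func settleOne(ledger Ledger, t Transfer) bool {
	if ledger[t.From] < t.Amount {
		return false
	}
	ledger[t.From] -= t.Amount
	ledger[t.To] += t.Amount
	return true
}

// settleGross processes instructions one by one in submission order, as an
// RTGS does. An instruction that cannot be funded waits in a queue (an
// assumption for this example). After every successful settlement the queue is
// retried in FIFO order, because the credit just posted may give a queued
// payer the liquidity it lacked; passes repeat until a pass settles nothing.
func settleGross(ledger Ledger, transfers []Transfer) Result {
	var res Result
	var queue []Transfer
	for _, t := range transfers {
		if !settleOne(ledger, t) {
			queue = append(queue, t)
			continue
		}
		res.Settled = append(res.Settled, t.ID)
		for progress := true; progress; {
			progress = false
			var remaining []Transfer
			for _, q := range queue {
				if settleOne(ledger, q) {
					res.Settled = append(res.Settled, q.ID)
					progress = true
				} else {
					remaining = append(remaining, q)
				}
			}
			queue = remaining
		}
	}
	for _, q := range queue {
		res.Queued = append(res.Queued, q.ID)
	}
	return res
}

// netPositions returns each member's net position over the whole batch, which
// is what a deferred net settlement system would settle once at the end of the
// day. Until that moment every participant carries exposure to the others.
func netPositions(transfers []Transfer) map[string]int64 {
	net := map[string]int64{}
	for _, t := range transfers {
		net[t.From] -= t.Amount
		net[t.To] += t.Amount
	}
	return net
}

// exampleTransfers is a constructed day's worth of instructions between three
// hypothetical members A, B and C.
func exampleTransfers() []Transfer {
	return []Transfer{
		{"t1", "B", "C", 40}, // B has no funds yet: queued
		{"t2", "A", "B", 50}, // settles; the credit to B then funds t1
		{"t3", "C", "A", 60}, // C holds only 40: queued
		{"t4", "A", "C", 30}, // settles; the credit to C then funds t3
		{"t5", "B", "A", 25}, // B holds only 10: still queued at close
	}
}

func main() {
	ledger := Ledger{"A": 100, "B": 0, "C": 0} // opening settlement balances
	res := settleGross(ledger, exampleTransfers())
	fmt.Println("settled in order:", res.Settled)
	fmt.Println("unsettled at close:", res.Queued)
	fmt.Println("closing balances:", ledger)
	fmt.Println("net positions if netted instead:", netPositions(exampleTransfers()))
}
```

Running it shows t1 and t3 settling only after incoming credits fund their payers, and t5 still queued at the close because B holds only ₹10 against a ₹25 instruction: this is the intraday liquidity that members pre-fund in their settlement accounts. The closing balances still sum to the opening total, because gross settlement only moves money between accounts in the central bank’s books, and the net positions sum to zero; a net system would settle those positions once at the end of the day and leave every member exposed to the others until then.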
Retail payment systems are required primarily for purposes such as payments for goods and services, bill payments, cash payments and so on. Figure 16.3 shows the major purposes for individuals to require e-banking facilities, and the instruments available to satisfy the requirements.
FIGURE 16.3 E-BANKING—PURPOSE AND INSTRUMENTS AVAILABLE
To achieve the purposes shown in Figure 16.3, retail customers can resort to paper-based clearing and settlement or electronic payment and settlement, as shown in Figure 16.2.
The paper-based payment and settlement mechanisms in vogue in India are as follows:
The Electronic clearing and settlement systems being operated are as follows:
While the volume of electronic transactions has grown over the years, the value of electronic transactions has far exceeded paper-based transactions during this period. One obvious inference is that electronic transactions have become more popular in high-value transactions than in retail payment systems.
Traveller’s cheques are also included in a bank’s net transaction accounts and are subject to reserve requirements.3 Traveller’s cheques issued by a bank are covered by deposit insurance.
The clearing and settlement of cheques drawn on different banks requires the banks in an area to come together to transfer funds and effect final settlement. This is done through ‘clearing houses’ at various centres. Further, at the 1029 non-MICR clearing houses at various centres, where the process was hitherto manual, a magnetic media-based clearing system has also been implemented.
The clearing and settlement process takes two days—on day 1, the cheques are presented at the clearing house, and on day 2, the funds are settled or cheques returned.
The volume and value of paper-based cheques have been increasing over the years, but at a declining rate, presumably due to the impact of electronic payment systems (see Table 16.1).
TABLE 16.1 COMPARISON OF TRANSACTIONS UNDER SIPS
Truncation is the process of stopping the physical transit of a paper cheque en route from the presenting bank to the drawee branch. The physical cheque is ‘truncated’ at some point along the way and replaced by an electronic image of the cheque, which travels onward in its place. Cheque truncation is thus a more secure alternative to moving physical instruments from place to place; the security of the process then rests on the integrity and authenticity of the image and its accompanying data as they pass between banks, rather than on physical custody of the instrument.
Cheque truncation has been introduced in the national capital region (NCR), New Delhi on a pilot basis, and will be extended to more centres. The process is expected to be more efficient and cost effective, especially in the case of clearing and settlement of outstation cheques.
Member banks of clearing house in the NCR and INFINET can participate in the cheque truncation system.
Bulk and repetitive payments like interest/dividend are mostly paper-based involving printing of warrants (in costly MICR format), dispatching them by post and reconciliation thereof after payment by the agency banks. The difficulties are as follows:
ECS is a retail payment system that facilitates bulk payments (such as dividend payment) and bulk receipts (such as utility payments). These two aspects are handled by two components of the system—ECS (credit) and ECS (debit). The facility is available at 75 major centres as of 2009.
Settlement in this system currently takes place on (T + 0) basis and the cycle gets completed on (T + 1) basis. The clearing and settlement transactions through ECS occur at the respective centres.
The ECS system works in the following steps:
Step 1: The corporate body or institution (called the user) which has to make payments to a large number of customers or investors prepares the payment data on magnetic media (i.e., tape or floppy) and submits it to its banker (the sponsor bank).
Step 2: The sponsor bank presents the payment data to the local bankers’ clearing house (managed by the Reserve Bank of India at 15 centres and by the State Bank of India or its associate banks at 31 other centres), authorizing the manager of the clearing house to debit the sponsor bank’s account and credit the accounts of the banks (the destination banks) where the beneficiaries of the transactions maintain their accounts.
Step 3: On receiving this authorization, the clearing house will process the data and work out an inter-bank funds settlement.
Step 4: The clearing house will furnish to the service branches of the destination banks branch-wise credit reports indicating the beneficiary details, such as the names of the branches where the accounts are maintained, the names of the beneficiaries, account type, account numbers and the respective amounts.
Step 5: The service branches will, in turn, pass on the advices to the concerned branches of their bank, which will credit the beneficiaries’ accounts on the appointed date.
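As an added example (written for this discussion; it is not the RBI’s or any bank’s ECS software), the Go program below takes the role of the clearing house in Steps 2 to 4: it parses a constructed payment file from a sponsor bank, reconciles the details against the header’s record count and control total, rejects duplicate sequence numbers and non-positive amounts, and only then works out the interbank settlement (sponsor bank debited, destination banks credited) and the branch-wise credit reports. The file layout, bank names, beneficiaries and amounts are assumptions made for the example; the real ECS file formats are not reproduced.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Item is one beneficiary credit from the user's payment data (amount in rupees).
type Item struct {
	Seq                            int64
	DestBank, Branch, Name, AcctNo string
	Amount                         int64
}

// File is a parsed ECS (credit) submission from one sponsor bank.
type File struct {
	Sponsor, User string
	Items         []Item
}

// parseECS reads the layout constructed for this example (an assumption, not
// RBI's real file format): a header "H,<sponsor>,<user>,<count>,<total>" then
// details "D,<seq>,<dest bank>,<branch>,<beneficiary>,<acct no>,<amount>".
// The file is rejected before any settlement is worked out if the record count
// or control total disagrees with the details, a sequence number repeats, an
// amount is not positive, or a record is malformed.
func parseECS(data string) (*File, error) {
	var f File
	var wantCount, wantTotal, total int64
	seen := map[int64]bool{}
	for _, line := range strings.Split(strings.TrimSpace(data), "\n") {
		fld := strings.Split(strings.TrimSpace(line), ",")
		switch {
		case fld[0] == "H" && len(fld) == 5:
			c, err1 := strconv.ParseInt(fld[3], 10, 64)
			t, err2 := strconv.ParseInt(fld[4], 10, 64)
			if err1 != nil || err2 != nil {
				return nil, errors.New("malformed header")
			}
			f.Sponsor, f.User, wantCount, wantTotal = fld[1], fld[2], c, t
		case fld[0] == "D" && len(fld) == 7:
			seq, err1 := strconv.ParseInt(fld[1], 10, 64)
			amt, err2 := strconv.ParseInt(fld[6], 10, 64)
			if err1 != nil || err2 != nil || amt <= 0 {
				return nil, fmt.Errorf("bad sequence or amount: %q", line)
			}
			if seen[seq] {
				return nil, fmt.Errorf("duplicate sequence number %d", seq)
			}
			seen[seq] = true
			f.Items = append(f.Items, Item{seq, fld[2], fld[3], fld[4], fld[5], amt})
			total += amt
		default:
			return nil, fmt.Errorf("malformed record: %q", line)
		}
	}
	if f.Sponsor == "" || int64(len(f.Items)) != wantCount || total != wantTotal {
		return nil, fmt.Errorf("control mismatch: %d records totalling %d, header says %d/%d",
			len(f.Items), total, wantCount, wantTotal)
	}
	return &f, nil
}

// settlement gives the interbank positions the clearing house settles (Steps 2
// and 3): the sponsor bank is debited the whole amount and each destination
// bank is credited the sum of the items for its beneficiaries.
func settlement(f *File) map[string]int64 {
	pos := map[string]int64{}
	for _, it := range f.Items {
		pos[f.Sponsor] -= it.Amount
		pos[it.DestBank] += it.Amount
	}
	return pos
}

// branchReports groups items by destination bank and branch (Step 4), which is
// what each destination bank's service branch passes on to its branches.
func branchReports(f *File) map[string][]Item {
	rep := map[string][]Item{}
	for _, it := range f.Items {
		key := it.DestBank + "/" + it.Branch
		rep[key] = append(rep[key], it)
	}
	return rep
}

// sampleFile is constructed data: a payout by the hypothetical user ACME LTD
// through sponsor bank BANK-S to beneficiaries at BANK-X and BANK-Y.
const sampleFile = `H,BANK-S,ACME LTD,4,9500
D,1,BANK-X,MUMBAI-FORT,A SHARMA,00123,2500
D,2,BANK-X,DELHI-CP,R IYER,00456,3000
D,3,BANK-Y,MUMBAI-FORT,K NAIR,00789,1500
D,4,BANK-Y,PUNE,S DAS,00999,2500`

func main() {
	f, err := parseECS(sampleFile)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("interbank settlement:", settlement(f))
	fmt.Println("branch-wise credit reports:", branchReports(f))
}
```

The reconciliation step is the one that matters operationally: a file whose details no longer add up to the header’s control total, whether through truncation in transit or an altered record, is rejected whole before the clearing house debits anyone, and a repeated sequence number, the usual symptom of a file submitted twice, is caught the same way.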
Benefit to an organization: The ECS system offers following benefits to an organization.
Benefit to the customer: The ECS system offers following benefits to the customers.
The Electronic Funds Transfer (EFT) system was introduced by the RBI in 1997 as an inter-city and intra-city, inter-bank and intra-bank fund transfer mechanism, by which funds can be transferred from any bank branch to any other bank branch, including one in another city. EFTs process pre-authorized debits or credits from one bank account to another within a 48-hour period. The mechanism is similar to standing instructions on customers’ accounts, which are carried out automatically on pre-appointed dates.
First, customers sign a form authorizing the bank to deduct their payment on a certain date. Details such as the payee’s and beneficiary’s account, the amount and the date are recorded against the account. According to the billing cycle, the amount of the customer’s bill is then automatically debited from the customer’s account and deposited into the payee’s account. In the case of payroll, the employer’s account is debited and each employee’s account is credited for each pay period.
The key benefits of EFTs are as follows.
The EFT system was replaced in November 2005 by the NEFT, an electronic message-based payment system using Public Key Infrastructure6 technology to ensure end-to-end security. NEFT uses the INFINET to connect bank branches for electronic transfer of funds. NEFT was available at about 63,000 branches of various banks at the end of 2009. To make NEFT more retail customer friendly, the RBI has permitted initiation of transactions by accepting cash from walk-in customers (earlier, account-to-account transfers were mandatory), permitted credit card payments and extended settlement timings. These measures have yielded tangible results in the form of a sizeable increase in retail electronic fund transfers during 2008–09 (please see Table 16.1). Changes and upgraded versions of the software and security features are released periodically by the RBI.
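The following Go program is an added example illustrating the kind of end-to-end protection a PKI gives a message-based system such as NEFT; it is example code written for this chapter, not RBI or NEFT software, and the message fields, reference numbers and branch codes are assumptions. The sending side signs a canonical encoding of each instruction with its private key (ECDSA on P-256 with SHA-256 here; the certificate that a real PKI would bind to the key is omitted); the receiving side verifies the signature with the sender’s public key and additionally refuses to process a reference number it has already seen, since a valid signature alone does not stop a captured message from being replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Message is a constructed fund-transfer instruction; the field set is an
// assumption made for this example, not a real NEFT message format.
type Message struct {
	Ref      string `json:"ref"`       // unique reference assigned by the sender
	FromIFSC string `json:"from_ifsc"` // originating branch
	ToIFSC   string `json:"to_ifsc"`   // destination branch
	Account  string `json:"account"`   // beneficiary account
	Amount   int64  `json:"amount"`    // rupees, whole units
}

// Signed is a message together with the sender's signature over it.
type Signed struct {
	Msg Message
	Sig []byte // ASN.1 DER-encoded ECDSA signature
}

// digest hashes the canonical form of m: JSON with the fields in declaration
// order, so sender and receiver hash exactly the same bytes.
func digest(m Message) []byte {
	b, _ := json.Marshal(m) // a struct of strings and ints always encodes
	h := sha256.Sum256(b)
	return h[:]
}

// sign signs the digest of m with the sender's private key.
func sign(priv *ecdsa.PrivateKey, m Message) (Signed, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(m))
	if err != nil {
		return Signed{}, err
	}
	return Signed{Msg: m, Sig: sig}, nil
}

// Receiver holds the sender's public key and the references already processed.
type Receiver struct {
	pub  *ecdsa.PublicKey
	seen map[string]bool
}

// Accept verifies the signature (origin and integrity) and then refuses to
// process a reference twice, which stops a captured, correctly signed message
// from being replayed.
func (r *Receiver) Accept(s Signed) error {
	if !ecdsa.VerifyASN1(r.pub, digest(s.Msg), s.Sig) {
		return errors.New("signature invalid: message altered or not from the expected sender")
	}
	if r.seen[s.Msg.Ref] {
		return errors.New("replay: reference already processed")
	}
	r.seen[s.Msg.Ref] = true
	return nil
}

// Outcome records whether the receiver accepted each scenario run by demo.
type Outcome struct {
	Genuine, Replay, Tampered, WrongKey bool
}

// demo runs the exchange end to end on constructed data.
func demo() (Outcome, error) {
	var o Outcome
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return o, err
	}
	recv := &Receiver{pub: &sender.PublicKey, seen: map[string]bool{}}
	m := Message{Ref: "N000001", FromIFSC: "AAAA0000001", ToIFSC: "BBBB0000002", Account: "1234567890", Amount: 50000}
	s, err := sign(sender, m)
	if err != nil {
		return o, err
	}
	o.Genuine = recv.Accept(s) == nil
	o.Replay = recv.Accept(s) == nil // the identical signed message presented again
	tampered := s
	tampered.Msg.Amount = 500000 // altered in transit: the signature no longer matches
	o.Tampered = recv.Accept(tampered) == nil
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // some other key pair
	if err != nil {
		return o, err
	}
	forged, err := sign(impostor, Message{Ref: "N000002", FromIFSC: "AAAA0000001", ToIFSC: "CCCC0000003", Account: "999", Amount: 50000})
	if err != nil {
		return o, err
	}
	o.WrongKey = recv.Accept(forged) == nil
	return o, nil
}

func main() {
	o, err := demo()
	fmt.Printf("accepted: %+v err=%v\n", o, err)
}
```

The demo function exercises the four cases that matter: the genuine message is accepted; the same message presented again is rejected as a replay; a message whose amount was changed in transit fails verification because its digest no longer matches the signature; and a well-formed message signed with some other key pair is rejected. The canonical encoding is the detail most often got wrong in practice: if sender and receiver serialize the message differently (field order, whitespace, number formatting), a perfectly genuine signature will fail to verify.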
Participants in the clearing and settlement process: Information technology has revolutionized the way payments and settlements are being done throughout the world. The Indian system has also seen several innovations, in line with international recommendations and standards (see Box 16.1), though some of them are yet to penetrate the entire market.
Box 16.3 provides an overview of the various participants in the clearing and settlement process.
Clearing corporation: The clearing corporation is responsible for post-trade activities such as the risk management, confirmation, delivery and settlement of trades executed on a stock exchange.
Clearing members: Clearing members are responsible for settling these obligations as determined by the clearing house/ clearing corporation. They do so by making available funds and/or securities in the designated accounts with clearing bank/ depositories on the date of settlement.
Custodians: Custodians are clearing members but not trading members. They settle trades on behalf of trading members, when a particular trade is assigned to them for settlement. The custodian is required to confirm whether he is going to settle that trade or not. If he confirms to settle the trade, then clearing corporation assigns that particular obligation to him.
Clearing banks: Clearing banks are a key link between the clearing members and clearing corporation/house to effect settlement of funds. Every clearing member is required to open a dedicated clearing account with one of the designated clearing banks. Based on the clearing member’s obligation as determined through clearing, the clearing member makes funds available in the clearing account for the pay-in and receives funds in case of a pay-out.
Depositories: A depository holds securities in dematerialized form for investors in their beneficiary accounts. Each clearing member is required to maintain a clearing pool account with the depositories, and to make the required securities available in the designated account on settlement day. The depository runs an electronic file to transfer the securities from the accounts of the custodians/clearing members to that of the clearing corporation/house, and vice versa, as per the schedule of allocation of securities.
Professional clearing member: NSCCL admits a special category of members known as professional clearing members (PCMs). PCMs may clear and settle trades executed for their clients (individuals, institutions, etc.). In such cases, the functions and responsibilities of the PCM are similar to those of the custodians. PCMs also undertake clearing and settlement responsibilities for trading members. The PCM in this case has no trading rights but has clearing rights, i.e., it clears the trades of its associate trading members and institutional clients.
Plastic money refers to the substitution of currency, at the time a payment is made, by a card, normally made of plastic (hence the name), that represents the payment.
There can be several objectives for such substitution. The most important are the need to postpone actual payment, or to pre-load value onto the card that is issued. Whatever the objective, the most important advantage of plastic money is that it protects the user from the risks of carrying cash. The card is issued to a named cardholder for his or her exclusive use; in practice, though, that exclusivity depends on the card’s authentication features (signature, PIN or chip) and on the cardholder safeguarding them, since a card or its data can be used by anyone who obtains them.
The prevalent types of plastic money are:
Credit cards started off as a type of payment cards issued by some merchants for the convenience of their customers. It is believed that the first such card was issued by Sears in 1910, which was quickly emulated by other retailers who issued cards containing vital information about the customer, which was recorded when the card was put through a processing device. The popular ‘Diner’s Club’ card was introduced in 1949 to be used in multiple restaurants that were willing to participate in the scheme. It is to be noted here that these cards had to be paid in full each month, and, therefore, had very little ‘credit’ or ‘loan’ component to them.
Today, credit cards are synonymous with a form of short term, revolving credit to the cardholder. As pointed out in the chapter on bank lending, a revolving credit replenishes automatically when loan installments are met. For typical card accounts in the form of revolving credit, the cardholders are billed monthly for purchases made with the credit card. Every month, cardholders have the option of paying back the entire outstanding amount on the credit card, or the minimum payment stipulated, say 2 per cent or 3 per cent of the outstanding balance. Typically, a grace period of about a month or more is granted, during which no interest will be charged on the ‘loan’. Cardholders who pay the minimum amount every month are considered current on their account. If one payment is not made on time, the account would be considered delinquent after a predetermined period. Hence, it is evident that credit card is very similar to a loan account with a bank.
Credit cards can be issued through various channels. The most common are ‘general purpose’ cards, such as Visa or MasterCard, which are accepted by most merchants/retailers. It is also the practice of individual banks to issue co-branded cards on the Visa or MasterCard network.
Credit cards can be broadly classified into three types. These are as follows:
The following are the principal players in credit card transactions:
The role of each party in credit card transactions is described briefly in the following paragraphs:
Of course, credit cards also mean costs to the bank: the cost of marketing the cards, producing cards with tamper-proof features, obtaining credit information, processing, investigation and follow-up to recover receivables, and, at the other end of the spectrum, bad debt losses, which can be quite high.
Box 16.4 describes how credit card settlements are made in practice where affiliates are involved.
When a purchase is made, the cardholder agrees to pay the card issuer. The cardholder consents to pay either by signing a receipt that records the card details and the amount to be paid, or by entering a Personal Identification Number (PIN). Many merchants also accept orders by telephone or over the Internet, where neither the card nor the cardholder is present; these are known as Card Not Present (CNP) transactions. Since the merchant cannot inspect the card or check a signature or PIN in a CNP transaction, such transactions carry a higher risk of fraud and typically attract additional checks by the issuer.
Electronic verification systems allow merchants to verify almost immediately that the card is valid and that the cardholder has sufficient credit to cover the purchase. The verification is performed using a credit card payment terminal or Point of Sale (POS) system with a communications link to the merchant’s acquiring bank. Data from the card is read from its magnetic stripe or chip. The two are not equivalent from a security standpoint: the data on a magnetic stripe is static and can be copied and re-encoded onto another card, whereas a chip card can authenticate itself to the terminal with a value computed afresh for each transaction.
The process works as follows:
Step 1: A Visa or MasterCard cardholder makes a purchase from an ME.
Step 2: The ME transmits the transaction information to his bank—called the ‘acquirer’. The acquirer contacts the card-issuing bank with the details through the card association (Master or Visa) requesting authorization of the transaction.
Step 3: The card-issuing bank verifies that the transaction is bona fide, and passing the transaction would keep the outstanding balance on the card within sanctioned limits. Thereafter, the transaction is authorized.
Step 4: The ME now requests for payment from his bank, which in turn, routes the request to the card association.
Step 5: The card association processes the request for payment with the acquirer and the issuer, and requests the issuer to make payment.
Step 6: The card association forwards payment to the acquirer, after deducting its fees for mediation, as well as the issuer’s fee for the transaction
Step 7: The issuing bank transmits funds (less its fee) to the card association
Step 8: The acquirer pays the ME for the cardholder’s purchase, after deducting its fee.
Step 9: The cardholder gets his monthly statement from the issuing bank at the end of the billing cycle, reflecting the payment to the ME.
There are three main sources of income for credit card issuers: fees paid by MEs, interest on cardholder balances and other fees charged to cardholders. A Visa or MasterCard affiliation involves more than a simple transaction between customer and ME, as we can see from the process described above. In this case, the issuing bank takes the major share of the merchant’s discount (say ₹1.50 out of ₹2 on every ₹100 transaction), while the acquiring bank takes ₹0.50. Apart from interest payable by the cardholder on unpaid balances on the credit card, the issuing bank earns from other charges, such as annual charges, penalty fees for late payments, over-the-limit transactions, fees for cash advances and so on.
The ‘expenses’ of credit card issuers can be classified into four main categories: (a) marketing and operations, which account for the bulk of the expenses; (b) cost of funds (see chapter on loan pricing); (c) losses due to delinquencies or write-offs where outstanding balances could not be recovered; and (d) losses due to frauds. (We will discuss ‘Internet frauds’ in the following section.)
The marketing and operations expenses increase as card issuers compete to differentiate themselves in the market. It is not uncommon to see and own cards with additional benefits such as insurance coverage, purchase protection, rewards or points-based programmes and cash back offers.
It can thus be seen that while credit card companies do levy hefty charges on their customers, their profitability will have to be monitored closely due to the possibility of expenses shooting up due to competition and other factors. As discussed in our earlier chapter on ‘Loan pricing,’ since the delinquency rates are high, they have to be compensated by higher risk premiums, translating into higher interest rates.
To summarize, the following benefits accrue to customers from the usage of credit cards:
The benefits to merchants are as follows:
To a customer, credit and debit cards may be look-alikes. Both are almost the same size, provide the same payment function and may also carry the Master/Visa card logo that makes them acceptable at merchant establishments where credit cards are accepted. But debit cards are quite different from credit cards.
If credit cards advocate ‘pay later’, debit cards signify ‘pay now’. The debit card is a product through which the customer’s own account with the card issuer is debited immediately to the extent of the transaction value. Further, the debit card does not allow the customer to ‘borrow’, nor does it provide ‘revolving credit’.
Since debit cards do not provide the ‘benefits’ provided by credit cards, why would customers prefer them?
Customers who prefer debit cards do so because they do not want to go into debt for their necessary or luxury purchases. Customers cannot spend beyond what their account holds. More importantly, there is no monthly billing and there are no interest charges.
The debit card programme requires a ‘POS’ terminal at the member establishment. The debit card, which carries a magnetic stripe on its back, is swiped through or inserted into the terminal by the customer at the time of billing for purchases made. The merchant keys in the transaction amount. There are two types of debit transaction at the point of payment: ‘signature-based’, where the customer swipes the card and signs the sales receipt, and ‘PIN-based’.
The PIN is known only to the cardholder and the issuing bank; the merchant does not verify it. Once the PIN is entered, the terminal automatically connects to the bank, forwarding the PIN in encrypted form together with the transaction; the issuing bank verifies the PIN, checks the balance in the customer’s account, and reduces the balance by the transaction value. The merchant’s account is credited for the transaction value.
The following are the benefits enjoyed by the customers:
Benefits to the merchants are as follows:
The key differences between debit and credit cards are summarized in TABLE 16.2.
TABLE 16.2 KEY POINTS OF DIFFERENCE BETWEEN CREDIT AND DEBIT CARDS
The data show a deceleration in the growth rates of both credit and debit cards (volume and value) in 2008–09, presumably reflecting the global credit crisis and the consequent economic slowdown. More remarkable is that the decline is more marked for credit cards than for debit cards, evidencing the reluctance of the Indian consumer to buy consumer goods on credit. Another noteworthy feature is that debit cards are primarily value-added ATM cards (ATMs are defined later in the chapter). As a result, while the number of debit cards in circulation is substantially higher than the number of credit cards, the number of transactions recorded using debit cards at POS terminals (used for purchases) is very low; debit cards are mainly used as ATM cards. This is reflected in the monthly usage figures for March 2008: around 179 million debit card transactions at ATMs against 8.7 million at POS terminals.
Despite the development of electronic payment systems, customers still prefer cash for many transactions. Cash is increasingly delivered through the huge base of Automated Teller Machines (ATMs), which are being networked together to let customers draw cash from other banks’ ATMs as well as in other countries. ATM and credit card networks are linked, and VISA and MasterCard holders have long been able to draw cash from ATMs. ATM networks are increasingly being set up by non-banking organizations as well.
As ATMs gain popularity, banks in India have started looking at alternative uses for the investment made. Some banks have tapped the vast potential of ATM structures to provide innovative and value-added services to customers, such as funds transfers, bill payment services, mobile phone recharge and so on.
The rapid spread of the ‘mobile phone’ era has helped banks use this mode for transactions. Mobile banking can be used for small-value payments at relatively lower costs, and is therefore being used in many developing countries as a delivery channel to facilitate financial inclusion.8 In countries where mobile banking has been introduced, two distinct models can be operated: the bank-led model and the telecom company-led model. India has adopted the bank-led model, while the telecom company-led model may be preferred in countries with relatively lower coverage of formal banking facilities (Kenya being an example).
RBI provided guidelines for mobile banking transactions in India in October 2008. The salient features of these guidelines are (a) banks have to obtain RBI approval for providing mobile banking facility to customers, (b) the facility can be provided only in Indian rupees to the banks’ own customers, or holders of debit/credit cards, and (c) banks should adhere to prescribed technology and security standards and limits set. The guidelines also mandate inter-operability among service providers, so that monopolistic practices by a few operators are avoided.
These are payment instruments, such as smart cards, magnetic stripe cards, Internet accounts, Internet wallets, mobile accounts, mobile wallets and so on, in which value is stored in advance to be used when required. The ‘value stored’ is the value paid in cash, or by debit or credit card, by the instrument holder. Purchases of goods and services are made against the stored value in the prepaid instrument. Hence, these instruments serve as a convenient and relatively low-risk mode of payment in lieu of cash, and for e-payments through the Internet or mobile. More than convenience or efficiency, the safety and security of these payment instruments and of the underlying technology have to be ensured.
The flow of information and funds for a generic stored value card is provided in Box 16.5.
Assume the customer buys a stored-value card, say a Petro card, with cash or with a debit or credit card. The purchase of the card sets off a chain of settlement transactions. When the customer pays with a stored-value card, the system transfers electronic notations, or tokens, from the card to the merchant’s electronic cash register. The merchant periodically contacts the computer network connected to the bank issuing the stored-value cards and presents the tokens for payment. The network then informs the customer’s bank to pay the amount of purchase to the merchant’s bank, and the two banks make a net settlement. The banks keep a percentage of the payment (the discount) as compensation for the services they and the networks have provided.
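The settlement chain described in Box 16.5 can be followed in code. The simulation below is an added example, not part of the book or of any real card scheme: it assumes that the issuer authenticates each token with an HMAC under a key it shares with the settlement network (the key, the bank names, the 2 per cent discount and the paise amounts are all constructed values). It shows the three steps the box describes (card loaded, tokens transferred to the merchant, tokens presented and netted between banks) and adds the two checks the network must make that the text leaves implicit: a token is paid out only once, and only if the issuer’s MAC on it is genuine.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumption: the issuing bank authenticates each token with an HMAC under a key
# only it (and the settlement network acting for it) holds. Real schemes use an
# HSM and a scheme-specific token format; the key below is a constructed value.
ISSUER_KEY = b"issuer-demo-key-not-for-production"


def _tag(card_id, serial, denom):
    msg = f"{card_id}:{serial}:{denom}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def mint_tokens(card_id, amount_paise, denom=100):
    """Issuer loads a card: one token per `denom` paise, each carrying the issuer's MAC."""
    return [(card_id, serial, denom, _tag(card_id, serial, denom))
            for serial in (secrets.token_hex(8) for _ in range(amount_paise // denom))]


def spend(card, amount_paise, denom=100):
    """Card-to-register transfer: tokens leave the card and go to the merchant."""
    n = amount_paise // denom
    if n > len(card):
        raise ValueError("insufficient stored value")
    spent, card[:] = card[:n], card[n:]
    return spent


class Network:
    """Settlement network: validates presented tokens and nets bank positions."""

    def __init__(self, discount_pct):
        self.discount_pct = discount_pct
        self.redeemed = set()               # serials already paid out (double-spend guard)
        self.ledger = defaultdict(int)      # (issuer_bank, merchant_bank) -> paise owed

    def present(self, issuer_bank, merchant_bank, tokens):
        """Merchant presents tokens for payment; returns (accepted_paise, rejected_count)."""
        accepted = rejected = 0
        for card_id, serial, denom, tag in tokens:
            genuine = hmac.compare_digest(tag, _tag(card_id, serial, denom))
            if not genuine or serial in self.redeemed:
                rejected += 1
                continue
            self.redeemed.add(serial)
            accepted += denom
        self.ledger[(issuer_bank, merchant_bank)] += accepted
        return accepted, rejected

    def net_settlement(self):
        """Collapse bilateral positions into one net payment per bank pair, less the discount."""
        result = {}
        for payer, payee in list(self.ledger):
            if (payer, payee) in result or (payee, payer) in result:
                continue
            gross = self.ledger[(payer, payee)] - self.ledger.get((payee, payer), 0)
            if gross < 0:
                payer, payee, gross = payee, payer, -gross
            discount = gross * self.discount_pct // 100
            result[(payer, payee)] = {"gross": gross, "discount": discount, "net": gross - discount}
        return result


def demo():
    card = mint_tokens("card-001", 50_000)       # customer buys a Rs 500 card (50,000 paise)
    net = Network(discount_pct=2)
    purchase = spend(card, 12_000)                # Rs 120 purchase at the merchant
    first = net.present("issuer_bank", "merchant_bank", purchase)
    replay = net.present("issuer_bank", "merchant_bank", purchase)      # same tokens presented twice
    forged = [(c, s, d, "0" * 64) for c, s, d, _ in spend(card, 1_000)]  # tokens with a tampered MAC
    forged_result = net.present("issuer_bank", "merchant_bank", forged)
    return first, replay, forged_result, len(card), net.net_settlement()


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the Rs 120 purchase accepted in full, the replayed batch rejected token by token, the forged batch rejected outright, and a single net position of 11,760 paise owed by the issuing bank to the merchant’s bank after the 240 paise discount is retained.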
These and other issues have been addressed in the RBI guidelines for ‘Issuance and operation of prepaid instruments in India’ dated 27 April 2009 that can be accessed at the RBI Web site.
The salient features of these guidelines are summarized as follows:
It is evident that e-banking is here to stay. However, the advent of high technology has also brought with it new operational risks in the form of security risks. The safety of banks, the integrity of the country’s payment and settlement systems, and the trust that customers impose in the safety of the system are all intertwined to ultimately contribute to financial stability. The challenge for the future will be to identify and address risks to banking safety and security without hampering technological innovations in banking.
Internet-banking has evolved into a mass market product—an essential service whose quality can affect the customers’ loyalty to and satisfaction with their bank. And, not surprisingly, it is Internet-banking that is posing the gravest risk to banks’ viability and sustenance. Hackers and fraudsters have realized the immense potential of Internet-banking to give them ill-gotten monetary gains.
Therefore, as new technologies evolve to make banking faster and more convenient for customers, the concerns about e-payment security have increased. The ‘conventional’ risks of unauthorized access, identity theft or network attacks have been exacerbated by ‘contemporary’ threats—phishing and pharming, spear phishing, carding and skimming, crimeware and spyware, money laundering, mules, scams, spams, Nigerian advance fee fraud—and still counting.
Real Life Example 1
Nordea lost more than $1,000,000 in aggregate due to a sophisticated malware attack, which recorded users’ account details and sent them to fraudsters. The resulting transfers were made in several small amounts between 2005 and 2007, in order to circumvent the bank’s fraud detection mechanisms.
Often inadequately protected, personal computers are the first point of attack for cyber criminals. Users are attracted to various offers that seem to be coming in from their banks and fall prey to Internet fraud.
The most prevalent types of Internet frauds are discussed as follows:
Some of the largest identity thefts have happened in the US (Table 16.3), as reported by McAfee.
TABLE 16.3¹¹ SOME EXAMPLES OF DATA LOSS INCIDENTS IN THE US
Real Life Example 2
Stephen Watt was a member of a conspiracy which, between 2003 and 2008, unlawfully gained electronic access to corporate computer networks using various techniques, downloaded customers’ credit and debit card information, and fraudulently used that information and sold the information to others for fraudulent use. Watt modified and provided a ‘sniffer’ program used by the conspirators to monitor and capture the data crossing TJX’s computer network.
Watt pleaded guilty to conspiracy charges on 28 October 2008. He was sentenced to 2 years’ imprisonment, to be followed by 3 years of supervised release, a condition of which was electronic monitoring of any computer use. He was ordered to pay restitution of $171.5 million.
‘Skimming’ constitutes the unnoticed duplication of electronic data from a payment card. A copying device is installed in front of the original card slot of an ATM, which transcribes the information from the magnetic stripe of a card inserted by a customer. These devices are often paired with a hidden camera or a fake keypad overlay that records the keystrokes used for PIN entry.
The vital information obtained by these methods enables fraudsters to easily create duplicate cards and withdraw money from the accounts in question. Instances of skimming can also occur at cash registers.
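What the sniffer in Real Life Example 2 and the skimmer above both capture is magnetic stripe track data, and a defender’s first tool against either is a detector that recognizes it in captured traffic or dumped files. The scanner below is an added example (not from the book, TJX or McAfee) that parses the ISO/IEC 7813 Track 1 and Track 2 layouts, drops digit runs that fail the Luhn check, masks the PAN before anything is logged, and flags records whose service code says the card carries a chip, since a magnetic stripe read of such a card is a fallback transaction and a classic cloning indicator. The sample input is constructed; 4111111111111111 is a well-known test PAN.

```python
import re

# Track 2 (ISO/IEC 7813): ;PAN=YYMM SSS discretionary?   PAN is 13-19 digits
TRACK2 = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 format B: %B PAN ^ SURNAME/FORENAME ^ YYMM SSS discretionary ?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): filters digit runs that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN and last four only, which is all an alert or log should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_expected(service_code: str) -> bool:
    """Service code starting 2 or 6 means the card carries a chip; a magstripe read of
    such a card is a fallback transaction and a skimming/cloning indicator."""
    return service_code[0] in "26"


def scan(payload: str) -> list:
    """Return one finding per Luhn-valid track record found in captured data."""
    hits = []
    for m in TRACK2.finditer(payload):
        pan, yy, mm, svc, _disc = m.groups()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask(pan), "expiry": f"20{yy}-{mm}",
                         "service_code": svc, "chip_card": chip_expected(svc)})
    for m in TRACK1.finditer(payload):
        pan, name, yy, mm, svc, _disc = m.groups()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask(pan), "name": name.strip(),
                         "expiry": f"20{yy}-{mm}", "service_code": svc,
                         "chip_card": chip_expected(svc)})
    return hits


# Constructed sample of captured data: 4111111111111111 is a well-known test PAN
# that passes Luhn; the other records are made up to exercise the filters.
SAMPLE = "\n".join([
    "POST /checkout HTTP/1.1",
    ";4111111111111111=25122011234567890?",           # track 2, service code 201 (chip card)
    "%B4111111111111111^DOE/JOHN^2512101000000000?",  # track 1, service code 101
    ";1234567890123456=25121010000000000?",           # track-shaped but fails Luhn
    "order-id 9988776655443322",                      # 16 digits, but not track data
])

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

On the sample, scan() reports two findings (one per track format) with the PAN masked as 411111******1111, and the Track 2 record is marked as coming from a chip card, which is exactly the case a fraud team would want to see escalated; the Luhn-failing record and the plain order number are ignored.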
Real Life Example 3
In May 2008, McAfee12 found a set of bank accounts for sale. The most expensive was also the most highly funded: an account at European bank BNP Paribas with a balance of €30,792, selling online for just €2,200. In addition to the discounted rate, the seller offered a 24-hour guarantee: if the buyer could not log in within that period or if the account no longer contained the money, a replacement account would be provided!
Phishing can take on several forms such as the following:
The malware (such as ‘trojans’) gets installed when a customer opens an email attachment or downloads a file from a Web site. Merely visiting a Web site, or viewing an email, may be sufficient for a fraudster to install malware without the customer’s permission or knowledge. In some cases, criminals tamper with existing genuine Web sites so that they infect their visitors. The customer is unlikely to notice the difference, as it is believed that as much as 80 per cent of new malware goes undetected by anti-virus software. Normal web browsing is unaffected, but the malware recognizes when the customer visits the online bank’s Web site. It can then freely alter the web page as it is displayed to the customer, and modify the requests sent back to the bank. For example, in a funds transfer made by the customer, the malware could change the amount transferred and the destination account number to those of the fraudster. Similarly, once the bank confirms that the transfer has occurred, the malware changes what is displayed to the customer, making the customer believe that the original, intended transaction has been executed.
In 2006, Citibank customers were targeted by a Man in the Middle attack. An email asked customers to confirm their address, stating that suspicious activity was detected. The site asked for account details, including the one-time password from the tokens issued to customers. If they were incorrect, the customers were asked to re-enter them.
Real Life Example 5
AT&T’s back-end systems were broken into by attackers. This system stored data on customers who had ordered certain equipment. The attackers sent emails to many of these customers, quoting authentic information already provided by them to create confidence, and then asking them to provide further personal information.
Real Life Example 6
In 2007, ABN AMRO’s online banking service suffered a malware-based attack. Customers were sent emails with an attachment, claiming to be from the bank itself. Customers responding to the email would visit the bank site, which would redirect them to a fake site that asked for account details. Even though ABN AMRO deployed two-factor, card reader-based authentication, the fraudsters were able to complete transactions while the one-time password was still valid.
It can be seen that this fraud technique circumvents security measures because it does more than simply gather details from the customer: the one-time password is relayed and used while it is still valid. This technique has already been responsible for large losses, and has reached such levels of sophistication that ‘kits’ are available on the Internet, enabling even relatively unskilled fraudsters to launch advanced attacks.
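The Citibank and ABN AMRO cases share one weakness: the one-time password proves that the customer holds the token, but says nothing about which transaction it approves, so malware or a relay site can pair it with an altered transfer. The example below is added here and is not code from the book or from any bank; it contrasts an HOTP-style code (RFC 4226 truncation, depending only on a counter) with a transaction-signing code that commits to the amount and destination the customer confirmed on the token’s own display. The token seed, account numbers and the ‘mule’ destination are constructed placeholders, and the signing construction is an assumed one rather than a named standard.

```python
import hashlib
import hmac


def device_otp(secret: bytes, counter: int) -> str:
    """HOTP-style code (RFC 4226 truncation): depends only on the shared secret and the
    event counter, so it says nothing about which transaction it is meant to approve."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def device_sign(secret: bytes, counter: int, amount_paise: int, dest: str) -> str:
    """Transaction signing: the token shows amount and destination on its own display and
    the code commits to exactly those values (assumed construction, not a named standard)."""
    msg = counter.to_bytes(8, "big") + f"{amount_paise}|{dest}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    code = int.from_bytes(digest[:4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


def bank_accepts_otp(secret: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(code, device_otp(secret, counter))


def bank_accepts_signed(secret: bytes, counter: int, amount_paise: int, dest: str, code: str) -> bool:
    # The bank recomputes over the transaction it actually received, not what the user saw.
    return hmac.compare_digest(code, device_sign(secret, counter, amount_paise, dest))


def man_in_browser(tx: dict) -> dict:
    """What the malware described above does: rewrite the request after the user approved it.
    The mule account number is a hypothetical placeholder."""
    return {**tx, "amount": tx["amount"] * 10, "dest": "MULE-ACCOUNT-999"}


def scenario():
    secret, counter = b"constructed-token-seed", 7                  # constructed per-customer seed
    user_tx = {"amount": 150_000, "dest": "IN-0001-SAVINGS"}          # Rs 1,500 to the intended payee
    tampered = man_in_browser(user_tx)

    # 1. Plain OTP: the user types the code; malware forwards it with the altered transaction.
    otp = device_otp(secret, counter)
    plain_accepted = bank_accepts_otp(secret, counter, otp)

    # 2. Transaction signing: the code was computed over the values the user confirmed.
    sig = device_sign(secret, counter, user_tx["amount"], user_tx["dest"])
    tampered_accepted = bank_accepts_signed(secret, counter, tampered["amount"], tampered["dest"], sig)
    genuine_accepted = bank_accepts_signed(secret, counter, user_tx["amount"], user_tx["dest"], sig)
    return plain_accepted, tampered_accepted, genuine_accepted


if __name__ == "__main__":
    print(scenario())   # (True, False, True)
```

The plain OTP is accepted together with the altered transfer, while the signed code is rejected for the tampered amount and destination and accepted only for the transaction the customer actually saw. The caveat is that the signing token’s display must be fed by the bank (or keyed in by the customer) and not by the browser, otherwise malware simply shows the customer the honest values while the token signs the altered ones.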
Phishing activities, as well as anti-phishing measures, have reached such levels of frenzied activity that an Anti-Phishing Working Group (APWG) has been formed as a ‘global pan-industrial and law enforcement association, focussed on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types’. The APWG publishes periodic research reports on phishing activity, as well as customer guidance and other helplines, which can be accessed at www.antiphishing.org.
Mules earn sizeable sums of money—deducting 5 per cent to 10 per cent of the transferred amount as fee for their ‘services’. The money is transferred through anonymous transfer services, such as Western Union or e-gold.13
Contrary to popular belief, mules are not innocent people tricked into illegal business. They are typically mercenary volunteers with scant respect for the law—and for this very reason, they are turning ‘professionals.’
Real Life Example 7—Money Mules in India
As the number of online job seekers increases exponentially in India, so do online frauds. Many ‘money mules’ are individuals desperately seeking jobs online, who are lured into the ‘profession’ by the prospect of quick money. They are ‘recruited’ as money mules, follow ‘instructions’ without being aware of their implications, and ultimately end up in prison.
The recruitment operation takes place as follows. A foreign company, pretending to have clients in India, calls for applications for an India branch manager responsible for ‘collections’. When an online job seeker expresses interest, an online interview is conducted and the job seeker is appointed with the responsibility of transferring money deposited into his personal account by the foreign company’s ‘clients’. In the bargain, the ‘recruit’ earns around 10 per cent commission apart from the monthly ‘salary’ promised to him. The ‘recruit’ is the ‘money mule’.
The action then moves to other gullible people lured either by promises of lottery wins or job offers abroad. They are instructed to contact the money mule and deposit a specified amount in the mule’s bank account. The mule then transfers say 90 per cent to the fraudster abroad. Both the mule and the deceived persons may land in trouble later with the Indian authorities for illegal acts.
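The pattern just described (several unrelated people paying into one personal account, followed within days by a transfer of roughly 90 per cent of it abroad) is something a bank’s transaction monitoring can look for directly. The detector below is an added example, not from the book or any bank’s system: it runs over a constructed ledger (the accounts, counterparties and amounts are made up, and ‘IN’ as the home country is an assumption) and flags accounts that collect credits from at least two distinct payers and pass most of it on to foreign beneficiaries within a short window, retaining only a thin ‘commission’.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not real data):
# (date, account, direction, counterparty, counterparty country, amount in INR)
LEDGER = [
    (date(2009, 3, 1), "ACC-MULE",   "credit", "victim-A", "IN", 50_000),
    (date(2009, 3, 2), "ACC-MULE",   "credit", "victim-B", "IN", 30_000),
    (date(2009, 3, 3), "ACC-MULE",   "debit",  "remit-X",  "NG", 72_000),   # 90% sent abroad
    (date(2009, 3, 1), "ACC-SALARY", "credit", "employer", "IN", 60_000),
    (date(2009, 3, 5), "ACC-SALARY", "debit",  "landlord", "IN", 20_000),
    (date(2009, 3, 2), "ACC-SHOP",   "credit", "cust-1",   "IN", 4_000),
    (date(2009, 3, 2), "ACC-SHOP",   "credit", "cust-2",   "IN", 5_000),
    (date(2009, 3, 4), "ACC-SHOP",   "debit",  "supplier", "IN", 8_000),
]


def mule_candidates(ledger, home="IN", window_days=7, min_payers=2,
                    min_pass_through=0.8, min_foreign_share=0.8):
    """Flag accounts that collect credits from several unrelated payers and, within
    `window_days` of the first credit, pass most of it on abroad."""
    by_account = defaultdict(list)
    for row in ledger:
        by_account[row[1]].append(row)

    flagged = {}
    for acc, rows in by_account.items():
        credits = [r for r in rows if r[2] == "credit"]
        debits = [r for r in rows if r[2] == "debit"]
        if not credits or not debits:
            continue
        first_credit = min(r[0] for r in credits)
        credit_total = sum(r[5] for r in credits)
        out = [r for r in debits if 0 <= (r[0] - first_credit).days <= window_days]
        out_total = sum(r[5] for r in out)
        if out_total == 0:
            continue
        foreign_total = sum(r[5] for r in out if r[4] != home)
        payers = {r[3] for r in credits}
        if (len(payers) >= min_payers
                and out_total >= min_pass_through * credit_total       # nearly all of it leaves
                and foreign_total >= min_foreign_share * out_total):    # and it leaves the country
            flagged[acc] = {"credits": credit_total, "out": out_total,
                            "retained": credit_total - out_total,        # the mule's 'commission'
                            "distinct_payers": len(payers),
                            "foreign_share": round(foreign_total / out_total, 2)}
    return flagged


if __name__ == "__main__":
    for acc, info in mule_candidates(LEDGER).items():
        print(acc, info)
```

Only ACC-MULE is flagged: the salary account has a single payer, and the shop account passes most of its takings on but to a domestic supplier. The thresholds are tunable, and in practice they would be combined with the account’s age and the customer’s declared occupation, since a new personal account receiving third-party credits is itself unusual.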
The police confirm that online frauds are increasing, and that many of them originate in Nigeria (see ‘Nigerian advance fee fraud’ in Real Life Example 8).
Real Life Example 8—Nigerian Advance Fee Fraud (419 fraud)
The fraud is named after the section of the Nigerian criminal code that covers it. The fraud begins with the arrival of an email from a family member of a (usually African) dignitary, who claims that, following the death of an influential relative, a huge sum of money is locked up in a bank account at some location. The sender of the email solicits the recipient’s help in releasing the money, and lures the recipient with hefty compensation for the help. Once the unwitting recipient is tempted, the fraudsters demand an ‘advance’, either in the form of a bank account opened for this purpose or a fee. Once this is accomplished, there may be a series of further expenses the victim has to contend with, sometimes accompanied by physical threats. The victim realizes after some time that the blocked money does not exist, and that he has been hoodwinked.
McAfee and other e-security experts predict heightened security threats in 2010 and thereafter. An illustrative description is given as follows:
The examples and discussion so far show that security issues pose grave threats to users and stiff challenges to those responsible for tackling and controlling them. Cyber crime also poses systemic risk. A single user’s loss may be limited but the consequences of such attacks would entail indirect costs—identification and legal proof of fraudulent transactions, cleaning of records, issuing/devising new instruments/payment systems, the threat of contagion to other payment systems—all of which would involve system-wide responses.
Feature | Credit cards (rank) | Debit cards (rank) | Prepaid cards (rank)
Which card is the safest for the user? | | |
Which card is the safest for the banker/issuer? | | |
Which card is the safest for the merchant? | | |
Which card is the most convenient for the user? | | |
Which card is the most convenient for the merchant? | | |
Which card is the most convenient for the issuer? | | |