The guiding light for Indian banks when it comes to taking precautions against cyber fraud is the report by the RBI ‘Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, 2011’.
Another influential document is ‘Cyber Crime, Securities Markets and Systemic Risk’ by IOSCO and World Federation of Exchanges. The recommendations of the first report guide all Indian banks. The recommendations of the latter report guide all Financial Market Intermediaries (FMIs) registered with stock market regulator SEBI.
Now let’s take a slightly deeper dive into the recommendations followed by all Indian banks, leaving aside FMIs for now.
FRAUD RISK MANAGEMENT GROUP
In all Indian banks, fraud prevention, monitoring, and investigation are owned and carried out by an independent group known as the Fraud Risk Management Group (FRMG). This group sets up fraud review councils for the bank’s various businesses. These councils are expected to meet every quarter. The FRMG periodically conducts vulnerability assessments. Mystery shopping is an important part of such assessments.
In addition to the FRMG, all Indian banks are expected to set up a special committee of the board to exclusively monitor and follow up frauds involving amounts of Rs 1 crore and above.
The FRMG sets up limits on frauds for all businesses of the bank. When the loss amount reaches 90% of the limit set, the FRMG is required to review the processes with the concerned group. Again, all frauds involving amounts of Rs 10 lakh and above have to be reviewed immediately by the FRMG. Same goes for cyber frauds where criminals used a new mode of operation to conduct the fraud. The bank is expected to use the findings of such reviews to redesign its products and processes to prevent such frauds in future.
Methods used for fraud detection:
• System alerts on exceptional transactions.
• Channels to take note of disputes involving customers and employees
• Mystery shopping exercises
• Encouraging customers and employees to report suspicious transactions
CAN-HAVE FACILITIES FOR BANKS
The Working Group Report suggests that banks can put in place the following mechanisms to reduce the risk of cyber fraud:
• Dedicated email IDs for customers to report fraud.
• A dedicated team to reply to customer concerns through the above email IDs.
• A fraud helpline for customers and employees to report suspected frauds.
Only an audit will reveal how many Indian banks have set up such facilities.
ONUS FOR FRAUD INVOLVING MULTIPLE BANKS
In cases of fraudulent credit of money into an account in one bank through another bank, the Working Group has made it clear that the investigation and reporting should be done by the bank whose customer has received the money.
There could be transactions involving misuse of PoS terminals by merchants who swipe stolen or skimmed cards and abscond before the charge back of the funds. In such cases, the Working Group has made it clear that the reporting to RBI should be done by the bank which provided the (acquiring services) PoS terminal.
There could be transactions involving multiple banks when a fraud is done at an ATM of one bank using a card issued by another bank. In such cases, the Working Group has made it clear that the bank acquiring the transaction (in other words, the bank which owns the ATM) should report the fraud to RBI.
Banks are expected to file police complaints at the nearest Cyber Cell for all instances where the value of the fraud exceeds Rs 2 lakh, and cases involving staff where the value of the fraud exceeds Rs 20,000/. Besides, banks are also expected to notify the regulatory organization CERT-IN.
e.o.m.
Another influential document is ‘Cyber Crime, Securities Markets and Systemic Risk’ by IOSCO and World Federation of Exchanges. The recommendations of the first report guide all Indian banks. The recommendations of the latter report guide all Financial Market Intermediaries (FMIs) registered with stock market regulator SEBI.
Now let’s take a slightly deeper dive into the recommendations followed by all Indian banks, leaving aside FMIs for now.
FRAUD RISK MANAGEMENT GROUP
In all Indian banks, fraud prevention, monitoring, and investigation are owned and carried out by an independent group known as the Fraud Risk Management Group (FRMG). This group sets up fraud review councils for the bank’s various businesses. These councils are expected to meet every quarter. The FRMG periodically conducts vulnerability assessments. Mystery shopping is an important part of such assessments.
In addition to the FRMG, all Indian banks are expected to set up a special committee of the board to exclusively monitor and follow up frauds involving amounts of Rs 1 crore and above.
The FRMG sets up limits on frauds for all businesses of the bank. When the loss amount reaches 90% of the limit set, the FRMG is required to review the processes with the concerned group. Again, all frauds involving amounts of Rs 10 lakh and above have to be reviewed immediately by the FRMG. Same goes for cyber frauds where criminals used a new mode of operation to conduct the fraud. The bank is expected to use the findings of such reviews to redesign its products and processes to prevent such frauds in future.
Methods used for fraud detection:
• System alerts on exceptional transactions.
• Channels to take note of disputes involving customers and employees
• Mystery shopping exercises
• Encouraging customers and employees to report suspicious transactions
CAN-HAVE FACILITIES FOR BANKS
The Working Group Report suggests that banks can put in place the following mechanisms to reduce the risk of cyber fraud:
• Dedicated email IDs for customers to report fraud.
• A dedicated team to reply to customer concerns through the above email IDs.
• A fraud helpline for customers and employees to report suspected frauds.
Only an audit will reveal how many Indian banks have set up such facilities.
ONUS FOR FRAUD INVOLVING MULTIPLE BANKS
In cases of fraudulent credit of money into an account in one bank through another bank, the Working Group has made it clear that the investigation and reporting should be done by the bank whose customer has received the money.
There could be transactions involving misuse of PoS terminals by merchants who swipe stolen or skimmed cards and abscond before the charge back of the funds. In such cases, the Working Group has made it clear that the reporting to RBI should be done by the bank which provided the (acquiring services) PoS terminal.
There could be transactions involving multiple banks when a fraud is done at an ATM of one bank using a card issued by another bank. In such cases, the Working Group has made it clear that the bank acquiring the transaction (in other words, the bank which owns the ATM) should report the fraud to RBI.
Banks are expected to file police complaints at the nearest Cyber Cell for all instances where the value of the fraud exceeds Rs 2 lakh, and cases involving staff where the value of the fraud exceeds Rs 20,000/. Besides, banks are also expected to notify the regulatory organization CERT-IN.
e.o.m.
RSS Feed
