
1. INTRODUCTION

The Indian banking system has an age-old legacy. Earlier there were indigenous bankers,
who consisted mainly of unorganized moneylenders, mahajans and sahukars. Later, when the
British came to India, they brought with them the concept of organized banking. On
leaving India, the British left behind a large number of small, privately held banks. In
1964, the first major banking reform took place when 14 banks were nationalized. It led to
the rise of the Indian Public Sector Banks. The second banking reform was witnessed in
the 1990s, when the Indian banking sector underwent a complete change after the
recommendations of the Narasimham Committee. Private and MNC banks entered the Indian
banking arena and challenged the monopoly of the PSU banks. The private and MNC
banks brought new technologies and technology-intensive services with them. They
rendered quality service, which PSU banks were not providing, to service-starved Indian
customers. There was a series of technological innovations and up-gradations, e.g., ATMs,
Internet Banking, credit cards and online banking, etc. Private banks and MNC banks had to
provide something extra, and it was their service that attracted a bulk of customers from
the PSU banks. Indian customers were lacking world-class service in banking; they were
accustomed to the PSU (Sarkari) culture, and the service of private and MNC banks was a
delight for them.
When private and MNC banks initiated world-class service for their customers and
started snatching customers from the Public Sector Banks, the Public Sector Banks were
bound to follow the path of the private banks. The PSU banks felt the heat and realized
their mistake. They also followed the private banks in their technology initiatives and
services.
With the progress in technology, the Indian banking sector is facing its biggest challenge:
rapidly changing customer expectations against the backdrop of LPG (Localization,
Privatization and Globalization). Retail banking clients today demand more care and extra
facilities. They want more mobility of investments, interactive accounts, and better
segmentation of banking products to cater to different segmental needs, convenience and
untimely hour services. Even the PSU culture could not adjust to the pace of the new
technology and changes. At present, too, it is moulding and adapting itself to new needs
and the dynamism of the environment.
Technology is helping the Indian banks to cater to customer needs in a much more efficient
manner, with continuous and error-free services to customers. With the help of
computerization and the use of modern software, which can be called the gift of technology,
the banks have been able to provide a single window system to their customers. In a single
window system, all the needs of the customers are taken care of at a single counter. It is
like a multipurpose counter where one can deposit a cheque, receive payments, deposit cash,
etc. This has been made possible only by the use of technology. Earlier one had to move
from one counter to another for different sorts of work. Thus this type of service not only
helps in better customer service but also minimizes the customer service time, as it avoids
duplication of work and unnecessary hassles for the customers. With the use of technology,
banks are trying to minimize their per-customer service cost. According to industry
estimates, assuming a teller cost of Re.1 per transaction, ATM transactions cost Re.0.45,
phone banking Re.0.35, debit cards Re.0.20 and Internet banking Re.0.10 per transaction.
So, the emphasis is now more on net banking than on real banking or brick and mortar
banking. The Indian banking system is moving from the real banking realm to the virtual
banking realm. Banks are establishing more and more ATMs at different convenient locations
and interconnecting these ATMs not only with their own networks but also with the networks
of partner banks with whom they have a mutual understanding for sharing ATMs. Since
Internet banking has the lowest cost, banks are placing greater emphasis on it.

OBJECTIVES OF THE STUDY

The objectives of the project “The Study Of Application of Information Technology In
Banking Sector” include the following:

• To know the present condition of technology in Indian banking sector.

• To know about the electronic payment system.

• To know about the hackers and frauds in online banking.

• To know about the risk management policies of Indian banking sector.

• To know about the electronic banking sector.


NEED OF THE STUDY
Information Technology enables sophisticated product development, better market
infrastructure, implementation of reliable techniques for control of risks and helps the
financial intermediaries to reach geographically distant and diversified markets. Internet has
significantly influenced delivery channels of the banks.

SCOPE OF THE STUDY


The study covers the services offered by banks to their customers through the use of
technology. More specifically, the latest technological delivery channels, namely ATM/Debit
card, Credit card, Internet Mobile Banking etc., have been taken up for the purpose of
study. This project is an analytical study based on random sampling to ascertain the usage,
satisfaction level and customer attitude towards these channels. The study also gives an
idea of rendering secure, 24X7X365 E-banking services at a lower cost, without compromising
on quality, thereby resulting in the widening of the customer base.
LIMITATIONS OF THE STUDY

The scope of the project “The Study Of Application Of Information Technology In Banking
Sector” has been restricted to some extent, i.e. the project does not include the following:

• Supervision of Electronic Banking by Reserve Bank Of India

• Information Technology in Banks in International Scenario

• Software Application to Protect from Hackers & Frauds

• Case Studies Related To Hackers & Frauds


RESEARCH METHODOLOGY

COLLECTION OF PRIMARY DATA:

The primary data has been collected from various sources which are as follows:
• Questionnaire method.

• Surveys in banks.

• Surveys in banks related offices such as agent’s office etc.

COLLECTION OF SECONDARY DATA:

The secondary data has been collected from various sources which are as follows:
• Various books related to information technology.

• Brochures of various banks.

• Weekly journals.

• Articles in newspapers.

SAMPLE FRAME:

The data has been analyzed using ten samples of employees of three different banks viz.,
Bank of Maharashtra, HDFC Bank and ICICI Bank.
REVIEW OF LITERATURE

Aggarwal (2003), in his paper, looked for avenues where e-banking may play an
important role in e-democracy. The author mentioned two case studies on the implementation
of e-banking in digital democracy: one was farmer service and the other was e-seva.
By applying e-banking in e-democracy, services become safer, more efficient, clear and
quick. It becomes a win-win state of affairs for all: for banks it is low price, for the
presidency it is higher service, for business it is quick and secure, and for voters it is
clear and economical. The author evaluated that thriving e-banking might be used for
online bill payment, online brokerage, online account management, anyplace banking, etc.
The author concluded that e-banking services give a one-stop service and informational unit
that gives great advantages to banks, customers, employers and government.

Arora (2003) made an effort to prove that technology had a definitive role in facilitating
transactions within the banking sector, and that the impact of technology had resulted in
the introduction of recent products and services by various banks in the Asian nation. The
author mentioned various initiatives taken by the banks to manage transformation, and these
initiatives had brought customers the convenience of anyplace, anytime banking. The author
concluded that technology was a helper for advancement within the core business of banking
and not an end in itself.

Hogarth and Hilgert (2004) highlighted that electronic banking technology represents a
spread of various services, ranging from common ATM services and direct deposit
to Automatic Bill Payment (ABP), Electronic Transfer of Funds (EFT)
and PC banking. The utilization of e-banking technologies had
grown rapidly within the USA, whereas others are adopting it slowly. The authors
explored such factors that have an effect on the adoption to adopt 3 e-banking have an
effect on the changes in these factors over banking technologies and e-banking technologies
couldn't time. They advised that class, and thus, “one size fits utilization of e-banking
depends helps in saving time, decrease inaccurate accounting and preventing of
information.
2. E-BANKING: IN NASCENT STAGE IN INDIA

To keep pace with the changing environment worldwide, Indian banking industry is fast
adopting technology. It has embraced many new features like Internet banking, ATMs,
Phone banking etc. With the help of new technology, banks are now able to offer products
and services, which were difficult or impossible with traditional banking. But the banks in
India still have to go a long way before making themselves technology savvy.

With IT integration, a paradigm shift in the banking norms is on the cards. Banking
fundamentals are thus facing major overhauls/reengineering/restructuring.

Two major trends have emerged in the transition of traditional banking to high-tech
banking:

➢ Advancements and restructuring through mergers, acquisition and alliances.

➢ Universal banking where one stop shop provides all related products and services to
a customer.

At this point, it should be emphasized that mergers, acquisitions, alliances, and adoption of
Universal Banking concept are just outcomes of IT-banking integration.
Banking and IT

Advancements and innovations in the IT industry have created a revolution in the
communication and distribution system of various products and services through Web
networking. Networking, as we know, has connected people around the globe, thus creating
a revolution in modern business activities.
Integration of these technological advances and existing banking structures has changed and
will change the definition and faces of global banking. Internet banking has made banking a
commodity where quality is measured by efficient servicing and effective pricing and
timeliness.

However, PC banking is not new. Bank of Scotland started offering its Home Office
Banking Services (HOBS) more than a decade ago, although it was only in 1996 that it was
upgraded to make the software work with the now dominant Windows operating systems.
HOBS later joined hands with TSB, which in 1996 launched banking services accessible
through the CompuServe online network, nationwide.

Technology Solutions for Indian Banks

Two types of technology stock bank products are available in the market.
➢ Hardware products like ATMs and

➢ Software products like branch connectivity, cluster-banking software, and trade
finance software.
3. ELECTRONIC CHEQUES AND EVIDENTIARY VALUE

The advancement in technology has led to the creation of electronic cheques, particularly in
a business environment. Different countries have a choice of cheque systems, which are
governed by the laws applicable to each country’s jurisdiction. The authentication of these
electronic instruments is proposed to be endorsed by digital signature. In India, the
enactment of the Information Technology Act, 2000 obligated amendments to The
Negotiable Instruments Act, 1881 in order to impart legal validity to such electronic
instruments. The authors in this article elucidate the amended provisions and examine the
evidentiary value of such electronic instruments.
The electronic cheque or simply the e-cheque is gradually replacing the longstanding paper
cheque.
The Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002 was
amended to include the phrase “electronic cheque” in the definition of a cheque in Section
6, which reads as: “A ‘cheque’ is a bill of exchange drawn on a specified banker and not
expressed to be payable otherwise than on demand and it includes the electronic form.
Explanation I. – For the purpose of this section, the expression
“a cheque in the electronic form” means a cheque which contains the exact mirror image of
a paper cheque and is generated, written and signed in a secure system ensuring the
minimum safety standards with the use of digital signature (with or without biometrics
signature) and asymmetric cryptosystem.”
An electronic cheque simply means a cheque in the electronic form, which is an exact
replica of a physical cheque. It contains all the information that is found on a physical
cheque, but it is “signed digitally” or “endorsed”.
In an attempt to provide authentication, an apparatus commonly known as the “signature”
evolved as a proof asserting intention. This involved appending a unique identifier to a
message to identify the sender/recipient. Conventionally, handwritten signatures are affixed
to paper-based cheques. These signatures, affixed using ink, are used as an authentication
tool to identify that the person signing the document has read and understood the contents.
In the anonymous digital world, where individuals may not actually communicate with each
other, much emphasis is placed on the authentication of the electronic information.
Therefore, it became necessary to evolve a secure authentication tool, which led to the
promotion of digital signatures.
DIGITAL SIGNATURE – HOW IT OPERATES

It is a data string, which associates a message in the digital form with some originating
entity. It is created and verified by means of cryptography, the branch of applied
mathematics that concerns itself with transforming messages into apparently meaningless
forms and back again. It uses a scheme or mechanism consisting of signature generation
algorithm with a method for formatting data into message to produce a digital signature,
and a related signature verification algorithm with the method to recover data from the
message to authenticate a digital signature.

It is important to note that the Information Technology Act, 2000, in Section 3(2), provides
for a particular asymmetric cryptosystem and hash function as a means of authentication;
this should be recognized as a source of legal risk.

The digital signature mechanism follows an “asymmetric cryptosystem”. In this method of
creating and verifying a digital signature, there are two basic technical processes or
functions: “Public key encryption”, where encryption is the process by which information is
scrambled by the use of a code, and “hash”.

The process of a creation and verification of digital signatures using hash algorithm
involves the following steps:

• Create a data unit that is to be signed, e.g., a precisely encircled portion of data in
digital form, which can be a text document, software or any other digital information.

• Generate a hash value, called the “Message Digest” or “Fingerprint”, of the message. A
hash function is a process that creates a relatively small number (called the message
digest) that represents a much larger amount of electronic data.

• This hash value is a number computed from the data unit using a hash algorithm,
which creates the compressed digital signature. Digital signatures use a “one way hash
function”, and the important thing about such a hash value is that it is nearly impossible to
derive the original data unit without knowing the data unit used to create the hash value.
Therefore, if the data unit is changed or otherwise tampered with, the hash value will no
longer correspond to this data unit and produces an error message.

• Encrypt the hash value with the private key of the signatory.

Encryption is a process of disguising a message in such a way as to conceal its meaning
and substance. It consists of a procedure for converting plain text to cipher text.
Hence, the plain text refers to the original digital file, whereas the ciphertext refers to
the disguised file.

• The final step is the verification process, which involves the regeneration of the hash
value on the basis of the same data unit and the same algorithm. The regenerated hash value
is then checked, using the signatory’s public key, against the signature attached to the
data unit. If the two match, this verifies that the signatory’s private key was used to
sign and guarantees that the data unit has not been altered.

In this context, digital signatures are created when the drawer of the cheque runs the
cheque through a one-way function, creating a message digest. The private key used by the
drawer of the cheque is known only to him. The drawer encrypts the resulting message digest
with it, and the asymmetric cryptosystem allows the paying banker to verify the signature
by using the corresponding public key to decrypt it.
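The signing and verification steps above, carried through for an e-cheque, as an added example that is not part of the original report. It assumes SHA-256 as the hash and RSA with PKCS #1 v1.5 encoding as the asymmetric cryptosystem; the cheque fields are constructed, and the keys are built from publicly known Mersenne primes so the block runs offline, which makes them demonstration keys only.

```python
import hashlib
import hmac

# ASN.1 DigestInfo header for SHA-256 (PKCS #1 v1.5, RFC 8017 section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
PUBLIC_EXPONENT = 65537


def demo_keypair(p_exp, q_exp):
    """Build an RSA key pair from the Mersenne primes 2**p_exp - 1 and 2**q_exp - 1.

    DEMO ONLY (assumption of this example): both factors are public knowledge,
    so the "private" key is not secret. A real drawer's key is generated from
    random primes and certified by a certifying authority.
    """
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": PUBLIC_EXPONENT}, {"n": n, "d": d}


def encode_digest(data_unit, k):
    """Hash the data unit (the "message digest") and pad it to k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(data_unit).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(data_unit, private):
    """Drawer's side: apply the private key to the padded digest."""
    k = (private["n"].bit_length() + 7) // 8
    em = int.from_bytes(encode_digest(data_unit, k), "big")
    return pow(em, private["d"], private["n"]).to_bytes(k, "big")


def verify(data_unit, signature, public):
    """Paying banker's side: regenerate the digest from the cheque received,
    apply the drawer's public key to the signature, and compare the two."""
    n = public["n"]
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False  # malformed signature for this key
    recovered = pow(s, public["e"], n).to_bytes(k, "big")
    # Compare whole encoded blocks instead of parsing the padding.
    return hmac.compare_digest(recovered, encode_digest(data_unit, k))


# Constructed sample cheque (all field values are made up for this example).
CHEQUE = (b"bank=Example Bank;cheque_no=000123;date=2004-03-15;"
          b"drawer=A. Kumar;payee=B. Rao;amount=INR 25000.00")

DRAWER_PUBLIC, DRAWER_PRIVATE = demo_keypair(521, 607)


def run_demo():
    """Return the verification result for three cases the text describes."""
    signature = sign(CHEQUE, DRAWER_PRIVATE)
    altered = CHEQUE.replace(b"25000.00", b"95000.00")  # amount changed in transit
    _, other_private = demo_keypair(607, 1279)          # someone else's key
    return {
        "genuine": verify(CHEQUE, signature, DRAWER_PUBLIC),
        "altered": verify(altered, signature, DRAWER_PUBLIC),
        "other_key": verify(CHEQUE, sign(CHEQUE, other_private), DRAWER_PUBLIC),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:10s} signature accepted: {ok}")
```

Only the unaltered cheque signed with the drawer's own key is accepted; changing a single field or signing with any other key makes the comparison fail.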
EVIDENTIARY VALUE OF DIGITAL SIGNATURE ON E- CHEQUES

Generally, authentication is achieved by what is known as security procedure, but from the
legal perspective, the security procedure requires to be recognized by the law as a substitute
for signature.
With the emergence of cyberspace it became necessary to amend certain provision of the
Indian Evidence Act to make electronic evidence admissible in courts of law. Accordingly,
the second schedule to the Information Technology Act has amended the Indian Evidence
Act, 1872 to remove any obstacle to the legal acceptance and validity of electronic
evidence.
According to the amended Section 3 of the Evidence Act, electronic records stand on par
with paper-based documents and will be deemed as documentary evidence in a court of law.

While Section 22(A) of the Information Technology Act amends Section 17 of the Indian
Evidence Act, 1872 to provide that oral admission as to the contents of the electronic
records are relevant, the written admission of the content of any document or electronic
record can be proved under Section 65 of the Evidence Act.
Section 39 of the Indian Evidence Act provides, “when any statement of which evidence is
given forms part of a longer statement, or is contained in a document which forms part of a
book, or is contained in part of electronic record or of a connected series of letters or
papers, evidence shall be given of so much and no more of the statement, conversation,
document, electronic record, book or series of letters or papers as the court considers
necessary in that particular case to the full understanding of the nature and effect of the
statement, and of the circumstances under which it was made.” It can be inferred from this
provision that where entry of an electronic cheque forms a part of an electronic record, only
that part which is relevant may be taken as evidence before the court. Again, what part
is relevant depends on the discretion of the court. The court must exercise this discretion
judicially to determine such relevance.
Accordingly, Section 5 of the Information Technology Act 2000 prescribes, “Where any
law provides that information or any other matter shall be authenticated by affixing the
signature or any other document shall be signed or bear the signature of any person then,
notwithstanding any document contained in such law, such requirement shall be deemed to
have been satisfied, if such information or matter is authenticated by means of digital
signature affixed in such manner as may be prescribed by the Central Government.
Explanation- For the purposes of this section, “signed”, with its grammatical variations and
cognate expression, shall, with reference to a person, mean affixing of his handwritten
signature or any mark on any document and the expression “signature” shall be construed
accordingly”.
This provision explicitly explains that a digital signature is legally recognized as the
method of authentication. The authority to use digital signatures in the government and its
agencies is accorded in Section 6 of the Information Technology Act, 2000, which reads as-
“ 1) Where any law provides for-

a) This filing of any form, application or any other document with any office,
authority, body or agency owned or controlled by the appropriate government in a
particular manner.

b) The issue or grant of any license, permit, sanction or approval by whatever name
called in a particular manner.

c) The receipt or payment of money in a particular manner, then, notwithstanding
anything contained in any other law for the time being in force, such requirement shall
be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case
may be, is effected by means of such electronic form as may be prescribed by the
appropriate government”.

The words in Section 6(1)(c), “the receipt or payment of money in a particular manner …
is effected by means of such electronic form as may be prescribed by the appropriate
government”, may be understood to include the e-cheque.
A system of digital signature, like a handwritten signature, is used to protect confidential
information. From the legal perspective, two presumptions that could be raised in respect of
digital signature are:

• Signatory’s personal participation in the act of signing, or that of any person
authorized by him.

• The intention of the signatory to endorse or approve authorship of a text and
the fact that the signatory had been at a given place and time.

The presence of intention as an integral part of a signature is essential, as lack of
intention could be raised with regard to circumstances including fraud and unconscionable
conduct.

To regulate the use of digital signature, the Central Government is empowered to lay down
rules under Section 10 of the Information Technology Act, 2000 that reads, “The central
government may, for the purposes of this Act, by rules, prescribe-
• The type of a digital signature;

• The manner and format in which the digital signature shall be affixed;

• The manner or procedure which facilitates identification of the person affixing the
digital signature;

• Control processes and procedures to ensure adequate integrity, security and
confidentiality or electronic records or payments; and

• Any other matter which is necessary to give legal effect to digital signature.”

In India, the evidentiary value of the digital signature has been in question for long. A
genre of evidence dominating the digital transaction world needs to be recognized by the
Indian Evidence Act, 1872, by making the necessary amendments therein.
The IT Act 2000 provides for specific evidentiary value for secure records and secure
digital signatures. Subsequently, sub-section (2) to Section 85B of the Indian Evidence Act
has been inserted to be in consonance with the IT Act to provide that, “In any proceedings,
involving secure digital signature, the court shall presume unless the contrary is proved
that-

• The secured digital signature is affixed by the subscriber with the intention of signing
or approving the electronic records;

• Except in the case of a secure electronic record or a secured digital signature,
nothing in this Section shall create any presumption relating to authenticity and integrity
of the electronic record or any digital signature.”

The section limits its opinion to a secure digital signature by indicating that there shall
be no presumption relating to authenticity and integrity of a digital signature except where
it is a secure digital signature. If, by application of a security procedure agreed to by
the parties concerned, it can be verified that a digital signature, at the time it was
affixed, was-
• Unique to the subscriber affixing it

• Capable of identifying such a subscriber

• Created in a manner or using means under the exclusive control of the subscriber
and is linked to the electronic record to which it relates in such a manner that if the
electronic record was altered the digital signature would be invalidated

then such a digital signature shall be deemed to be a secure digital signature.

As distinct from such a secure digital signature, Section 67A of the Indian Evidence Act
provides for proof as to the digital signature, and Section 73A prescribes the method by
which such a digital signature may be proved. According to Section 67A of the Indian
Evidence Act, “Except in case of a secure digital signature, if the digital signature of any
subscriber is alleged to have been affixed to an electronic record the fact that such
digital signature is the digital signature of the subscriber must be proved.”
The Information Technology Act inserts a new Sub-Section A to Section 47. Opinions of third
parties are not relevant as evidence unless specifically provided for. Section 47A reads
as, “When the court has to form an opinion as to the digital signature of any person, the
opinion of the certifying authority, which has issued the Digital Signature Certificate, is
a relevant fact”. An opinion of third parties is inadmissible as evidence except in certain
cases when the court requires an opinion of experts. With this insertion, opinion of third
parties became relevant.
4. THE FUTURE OF PLASTIC MONEY

Use of plastic money is growing at an unprecedented rate in India. The small number of
installed point-of-sale (PoS) terminals is the major obstacle to the growth of debit cards;
the smart card has many innovative features, which may spur the use of cards in India. The
smart card is safer to use in electronic form than the present form of cards.

“ Credit card business is a volume game and initially highly capital intensive.”
- A senior banker

Plastic money is growing by leaps and bounds in India. Today, many banks are offering
cards. Though the foreign banks have a dominant share, aggressive entry of the Indian
banks like SBI, ICICI and HDFC Bank may soon change the rules of the game. Today,
SBI-GE is the third largest issuer of credit cards.
The credit card market in India is projected to grow at the rate of 20-25% per annum in the
coming years. There are currently around 3.8 million credit card users compared to 3.0
million in 1990.
Visa credit card grew by 46.4% in India while the growth in Asia Pacific was only 6% for
Q3 of 2003. The competition among banks has been growing and they are offering so many
add-on incentives like waiver of first year annual fee, discount on retail stores, personal
loans etc., to woo the customers.
Debit card is another segment, which is catching up fast. There are only 80,000 to 90,000
merchants having point-of-sale (PoS) terminals installed and majority of them are located in
metros, which is the major obstacle to the growth of debit cards. To increase the usage of
debit cards, banks should concentrate on increasing installation of PoS terminals in semi-
urban and rural areas.

Smart Card: A Future Card

Smart cards are the wave of the future for consumer use, commercial use and terminal
network security. Smart cards are in much wider use in Europe than in US.
A smart card is a plastic card with an embedded computer chip stored inside
the card. It has the capacity to store up to 80 times more information than other magnetic
stripe cards. This mini-computer, using an intelligent chip, stores payment
information similar to a magnetic stripe card, but it also includes additional information
such as online authorization controls, credit limits, stored value (gift card), reward points
(loyalty), Personal Identification Number (PIN), etc. Smart cards can be contactless,
meaning that the chip transfers data via a built-in antenna without physically touching the
smart card reader.
There are over 3 billion smart cards in use currently. Today, smart cards are used
worldwide and it is the most flexible payment option available in the world. Smart cards
have been used in Europe for over 10 years and now they are the accepted mode of
payment. In developing countries and continents such as Africa and Asia, the use of smart
cards has been growing rapidly. In the US, major retailers, banks and processors are
preparing to accept global cards and some are adding smart gift cards and promotional
application to build loyalty for the growth of their business. American Express and
Financial Institutions have issued over 21 million PIN-secured smart cards to their
customers. By the end of 2005, there will be over 100 million smart cards in use in the
United States.

In order to accept smart cards, a business must have an EMV-ready smart card Point-of-Sale
(PoS) terminal. Merchants can use standalone PoS smart card terminals or smart card
readers that are integrated with cash registers. Currently, over 90% of PoS terminals are
not EMV smart card ready.

Smart Cards and Internet Payment

Issues of security and fraud are major drawbacks to using credit and debit cards over the
Internet. Unlike the hand-written receipts, there are no signed sales receipts associated with
today’s e-commerce transactions. Without such evidence, it is difficult as much as 84% of
all electronic commerce transactions.
At the same time, consumers are holding back on making Internet purchases due to
lingering security concerns. According to Master Card, 90% of Internet non-buyers worry
that their personal and financial information may fall into the hands of hackers. It is this
reluctance that is the real
barrier to building an online business. Using smart cards along with a strong Internet
authentication will help overcome these issues.

American Express, Master Card and Visa smart cards currently support Internet
authentication and payment using built-in digital certificates and digital signatures. For
smart cards to be successful, the cardholders must connect an EMV approved smart card
reader to their PCs. Smart cards have the capacity to replace the thirty plus years old
magnetic stripe cards.
5. LEADING ISSUE IN BANKING TECHNOLOGY

Many Indian banks are adopting information technology not merely as a frill, but as a
dire need. It is helping the banks in many core and diversified functions. Technology is a
key business enabler in six critical areas of banks. These are augmenting the profit pool,
operational efficiency, customer management, product innovation, distribution and reach,
and efficient payment and settlement systems. For the success of any IT program,
integration of IT and business strategy is a crucial factor.
Banking basics have undergone radical shifts, thanks to the advent of modern technology,
increasing pace of globalization and the need for stronger fundamentals to operate in the
fiercely competitive environment. The digital divide among Indian banks that was quite
discernible before the millennium has considerably narrowed down with many banks taking
to technology not merely as a frill, but as a dire necessity. Technology today catalyzes
many core and diversified functions in banks, including issues like transaction automation
and multiple delivery channels, product innovation, data warehousing and effective MIS,
secured storage mechanisms and a real-time based payment and settlement system.
Seen in the present context, technology is a key business enabler in six critical areas of
banking.
Augmenting Profit Pool; Operational Efficiency; Customer Management; Product
Innovation; Distribution and Reach; Efficient Payment and Settlement.

Augmenting Profit Pool

Sustained profits and profitability have been major yardsticks for assessing the true health
of banks in a fiercely competitive and compelling business environment. Technology has
proved, at least in the case of new generation banks and major public sector banks, to be a
major profit driver. With the progressive decline in interest rates, banks’ spreads have come
under pressure, which per se affects their profitability. However, technology has had a
favorable effect in terms of reducing the operating cost and improving the burden to a
considerable extent. Technology also enables commissioning of new products like Net
banking, mobile banking and other forms of 24X7 banking like ATMs, and networked services
across branches like anywhere banking, electronic funds transfer, customer relationship
management and call centers across the banks. Hi-tech and hi-touch services, it goes without
saying, have also enlarged the clientele base in banks and commanded considerable customer
loyalty. Technology has created an enabling environment for banks to diversify into various
fee-based activities like bancassurance and funds transfer arrangements.
Operational Efficiency

Operational efficiency, in terms of optimum utilization of resources, has been one of the
most positive offshoots of technological application in banks. Thanks to greater
technological application, the banking system has seen a near consistent improvement in
intermediation efficiency and a consequent decline in transaction cost. Yet, technology
application has been by and large confined, especially in the state-owned banks, to cost
saving and improved service standards through product innovation. While savings in cost
and improvement in service quality could turn out to be short-term in nature, it is
essential that technology is leveraged as a long-term and efficient cross-functional
application. It is also time that the focus of technology shifts from product innovation to
process innovation, commonly referred to as Business Process Reengineering (BPR), for
banks to gain long-term operational efficiency.

Customer Management

Technology also spells significant benefits in the realm of customer research and
management. In a predominantly buyers’ market, with a high propensity of customers to
switch service providers, customer management need no longer be a front office function,
but a bank-wide obsession. Many banks have duly realized the significance of such functions
and introduced new models like the High Net Worth clients’ branch, imbued with state of the
art technology, exquisite ambience and quickest possible processing of transactions.
Customer management is a very sensitive issue: an entity hears only from 4% of its
dissatisfied customers, while 96% of its customers quietly go away, of which 91% never come
back. Banks have, thus, already implemented the tech-aided e-CRM application as a strategic
tool to retain as well as expand their customer base. The bottom line is that banking
products are getting commoditized and price wars are slowly leading to a zero-sum game. In
such a scenario, technology-backed customer orientation will hold the key to taking service
standards anywhere near to world-class.
Product Research

In the field of product research as well, technology plays a decisive role, in terms of swift
product innovation, an active R&D set-up and effective pricing of products to protect banks’
margins and safeguard customers’ interests. Banking product life cycles are getting shorter
day by day and, more than delivery, product servicing defines the competitive edge for banks.
Marked to market product processes are equally important for sustained improvement in the
value chain of services and to command ‘top of the mind recall’ from the customers.
Technology also aids product profitability research and review, which have not received
adequate attention in many of the banks.

Distribution Research

The thumb rule for strategic management masters is that structure must follow strategy in
any business reorganization. Technology, thus, calls for attendant restructuring endeavors
that will be in tune with the level of technology application. For instance, many banks need
to put in place a leaner structure and remove intermediate decision-making tiers. That is
how one can see that many of the regional outfits of banks are slowly being dismantled while
branch expansion is not being accorded the thrust it used to be given earlier. Rightsizing
of human and physical overheads is a major strategy adopted by many banks wherein the role
of the earlier brick and mortar banking is slowly getting dissipated. In turn, devices like
Internet and mobile banking. Technology, thus, facilitates downsizing of overhead costs
without compromising much on clientele reach. Public sector in the rural and semi-urban
areas. Many of these branches are not performing to their potential mainly because of their
typical business mix, cost diseconomies and lack of technology-based services offered in
these branches. Technology can facilitate the branch rationalization exercise, such as
setting up mobile branches and satellite branches, especially in the rural areas, and bring
many of those into the “Performing” category without affecting the extent of client reach.

Efficient Payment and Settlement

Innovation in technology and the worldwide revolution in information and communication
technology have emerged as dynamic sources of productivity growth. This is true of banking
as well, as its relationship with technology has become fundamentally symbiotic. The payment
system is probably the most important mechanism in the banking sector where technology’s
interactive dynamics is getting manifested in an increasing measure each day. The banking
system has adopted a holistic approach for designing a modern, robust, efficient and
integrated payment system. The approach to the modernization of the payment and settlement
system has been basically three pronged – consolidation, development and integration.
Consolidation of the payment system has revolved round strengthening computerized cheque
clearing and expanding the reach of electronic clearing services through state-of-the-art
technology. Critical elements under the developmental strategy related to the opening of new
clearing houses, interconnectivity of clearing houses through INFINET and optimizing the
development of resources the Negotiated Dealing System, Structured Financial Messaging
System (SFMS) and the recently introduced Real-Time Gross Settlement (RTGS) system.
Integration is the next stage that the banking system is currently going through, which is
premised on a high degree of standardization within a bank and seamless interfaces across
banks, leading to Straight Through Processing (STP) of transactions on a regular basis.
Further, the cheque truncation system will also pave the way to expedite the settlement of
payments.
However, so far as integration is concerned, Indian banks still have a fair distance to
traverse. In order to efficiently leverage an integrated payment and settlement system,
banks, especially those in the public sector, need to address certain core issues
expeditiously. These include the following:

• Toning up of infrastructure in terms of standardization and building up security features
like firewalls, Intrusion Detection System (IDS) and implementing a security policy.
• Total inter-branch connectivity.
• Popularization of electronic funds transfer mechanism.
• Instituting collaborative arrangements, including outsourcing of IT expertise.
In addition to the above, the banking sector is also confronted with a classic dilemma. It
relates to differentiating between and mapping the role of business vis-à-vis the role of
information technology, a feature typifying an enterprise-wide technology initiative. This
is where the significance of integrating business and IT plans comes to the fore.
Integration of IT and Business Strategy

Many banks, especially those in the public sector, are embarking on a comprehensive set of
IT initiatives encompassing total branch automation, core banking solution, networking of
ATMs, Internet and mobile banking, data warehousing and a comprehensive MIS-backed
decision support system. Contrary to popular perception, such initiatives are not merely
because of competitive pressure from the foreign and new generation private banks. The
avowed goal of these initiatives was to improve overall efficiency in terms of lower
intermediation cost, swifter decision-making process, greater customer convenience and
effective internal control, including an objective risk management mechanism. It goes
without saying that the fast pace of globalization and progressive move towards reaching
global operational benchmarks also catalyzed the technology drive dividends to these banks
although the need of the hour is to consolidate the gains so far and address the weak links.
One such weak link relates to lack of integration between the IT strategies which, it is felt,
is applicable to many of our banks. Technology introduction can offer significant benefits
only when it is in total alignment with business strategies. Especially in public sector
banks, a phased approach is desirable in view of the heterogeneous nature of their branch
architecture and vast area-specific differentials in their branch functioning. In the
current context, business strategies may differ from bank to bank, yet a core set of business
objectives will, for sure, be common to all the banks. Such commonalities call for at least
an open technology plan, in broad consonance with the business objectives, and the same
can be fine-tuned on an ongoing basis to suit the business model.
Recently, a study was conducted by the National Institute of Bank Management, at the behest
of RBI, for suggesting a methodology to integrate IT and business plans in banks. The study
has proposed an ‘Enterprise Maturity Model’ for attaining total convergence of technology
and business strategies with a focus on selected, generic business strategies. The model
suggests solutions not merely for business and technology, but for issues related to human
resources and customers, who form an integral part of banks’ strategic road map. The
suggestions in the study promise to be useful benchmarks for banks in their complete
switchover to the virtual mode. Application of the model can help banks to develop an
effective Executive Information System as effective decision support, integrate varied
workflow processes, carry out objective customer analysis and, most importantly, devise
simulative and real-time based tools to track business, profits and profitability. An
effective and objective technology application system will also enable a business process
reengineering mechanism that will considerably enhance the real technological capabilities
of banks.
Core Banking Solution

In the light of the ongoing emphasis on business process reengineering, one comes across many
banks assiduously pursuing a centralized server-based system, better known as Core Banking
Solution (CBS). CBS offers, among others, benefits like the privilege of single window
service to the customer in order to facilitate a shift from the “customer of the branch” to
the “customer of the bank” concept, online transfer of funds, longer business hours, lower
transaction costs, slimmer staff structure at branches, effective monitoring of business,
comprehensive MIS as a policy support and, above all, improved visibility of the banks
implementing CBS. A robust MIS also supports vital functions like ALM, risk management,
product profitability and customer profitability analyses, leading ultimately to efficient
portfolio management in banks. CBS also leads to significant mileage in terms of staff and
other overhead costs. Staff rendered surplus on account of CBS can also be put to marketing
and recovery functions, which warrant dedicated staff in the present context.
One major issue in CBS relates to security aspects and a host of operational risks that banks
are confronted with. Be it system failure or planned hacking or any kind of human error, a
centralized system is perennially susceptible to failure, which may prove to be endemic
across the financial system and result in vital data erosion. Retrieval of the same may also
cost the banks and their associates dearly. Security aspects like implementing a robust
security policy, firewalls and IDS are, therefore, indispensable for preventing any
systematic problem. There are even cases where multi-point security has not been able to
check the fraudulent practices. Thus, security aspects need to be examined threadbare before
putting core banking in place.
6. TECHNOLOGY AND FRAUDS

ATM CRIMES AND FRAUDS:

ATM crimes and frauds are rising throughout the world. The ATM industry and many other
organizations are fighting them in many ways, such as issuing security tips and making
ATMs more innovative. In India, where the use of ATMs is growing exponentially, banks have
to benefit from international experiences and safeguard their customers from frauds.
ATM crimes and frauds are mounting day by day. Even though they make up a small
percentage of criminal activities, they are not less important. Criminals are raiding
millions every year.

Popular Ways to Card Frauds:

Some of the popular techniques used to carry out ATM crime are:

➢ Card Jamming: the ATM’s card reader is tampered with in order to trap a
customer’s card. Later on the criminal removes the card.
➢ Card Skimming is the illegal way of stealing the card’s security information from
the card’s magnetic stripe.
➢ Card Swapping: the customer’s card is swapped for another card without
the knowledge of the cardholder.
➢ Website Spoofing: a new fictitious site is made which looks authentic to the
user, and customers are asked to give their card number, PIN and other information,
which are used to reproduce the card for removing the cash.

Global Measures to Fight the Frauds

To guard against these frauds, ‘The Global ATM Security Alliance (GASA)’, which was
formed in June 2003, has issued a customers’ guide and some tips to protect against
card-related frauds.

The World’s Top 20 tips for ATM Use to Enhance the ATM customer Experience and
Security
CHOOSING AN ATM

Tip 1: Where possible, use ATMs with which you are most familiar. Alternatively, choose
well-lit, well-placed ATMs where you feel comfortable.

Tip 2: Scan the whole ATM area before you approach it. Avoid using the ATM altogether if
there are any suspicious-looking individuals around or if it looks too isolated or unsafe.
Tip 3: Avoid opening your purse, bag or wallet while in the queue for the ATM. Have your
card ready in your hand before you approach the ATM.
Tip 4: Notice if anything looks unusual or suspicious about the ATM indicating it might
have been altered. If the ATM appears to have any attachments to the card slot or keypad,
do not use it. Check for unusual instructions on the display screen and for suspicious blank
screens. If you suspect that the ATM has been interfered with, proceed to another ATM and
inform the bank.
Tip 5: Avoid ATMs which have messages or signs fixed to them indicating that the screen
directions have been changed, especially if the message is posted over the card reader.
Banks and other ATM owners will not put up messages directing you to specific ATMs, nor
would they direct you to use an ATM which has been altered.
USING AN ATM

Tip 6: Be especially cautious when strangers offer to help you at an ATM, even if your card
is stuck or you are experiencing difficulty with the transaction. You should not allow
anyone to distract you while you are at the ATM.
Tip 7: Check that other individuals in the queue keep an acceptable distance from you. Be
on the lookout for individuals who might be watching you enter your PIN.
Tip 8: Stand close to the ATM and shield the keypad with your hand when keying in your
PIN (you may wish to use the knuckle of your middle finger to key in the PIN).
Tip 9: Follow the instructions on the display screen, e.g., do not key in your PIN until the
ATM requests you to do so.
Tip 10: If you feel the ATM is not working normally, press the cancel key and withdraw
your card and then proceed to another ATM, reporting the matter to your financial
institution.
Tip 11: Never force your card into the card slots.

Tip 12: Keep your printed transaction record so that you can compare your ATM receipts to
your monthly statement.
Tip 13: If your card gets jammed, retained or lost, or if you are interfered with at an ATM,
report this immediately to the bank and/or police using the help line provided or nearest
phone.
Tip 14: Do not be in a hurry during the transaction, and carefully secure your card and cash
in your wallet, handbag or pocket before leaving the ATM.
MANAGING YOUR ATM USE

Tip 15: Memorize your PIN (if you must write it down, do so in a disguised manner and
never carry it with your card).
Tip 16: NEVER disclose your PIN to anyone, whether to a family member, bank staff or
police.
Tip 17: Do not use obvious and guessable numbers for your PIN, like your date of birth.
Tip 18: Change your PIN periodically, and, if you think it may have been compromised,
change it immediately.
Tip 19: Set your daily ATM withdrawal limit at your branch at levels you consider
reasonable.

Tip 20: Regularly check your account balance and bank statements and report any
discrepancies to your bank immediately.
While the ATM industry is aggressively addressing ATM-related frauds and crimes, few in
the industry know about these extraordinary efforts. Some of the important works are given
below:

❑ From time to time the Electronic Funds Transfer Association (EFTA) with the help
of ATMIA is publishing tips on PIN security.
❑ To combat the cross-border crimes, GASA is working in association with Interpol,
the Metropolitan Police Flying Squad for New Scotland Yard and leading card issuers.
❑ ATMIA is educating the people and the ATM industry about the most effective ways of
fighting ATM crimes and frauds, and honoring with an award those who contribute
significantly to countering fraud.
❑ Fair Isaac Card Alert – it is a service, which analyzes millions of daily transactions,
identifies the suspicious transactions and sends the card number and related information of
each suspicious transaction to the concerned bank. This service has helped a lot in solving
many card-related frauds including high-profile skimming cases.
❑ Leading ATM manufacturers are producing innovative ATMs, which are helping to
counter the frauds. Biometric technology is one of the examples, which removes the need for
Personal Identification Numbers (PINs).
Biometric systems identify or authenticate a person’s identity using different alternatives
like face expressions, fingerprint, hand geometry, voice, retina, etc.
INTERNET BANKING AND FRAUDS

Fraudsters are using innovative ways like Web and mail spoofing, attacking the bank’s
server etc. to break the security walls and commit fraud. There is a need for arrangements
which help ensure the integrity, confidentiality and authorization of information.
“Thieves are not born, but made out of opportunities”

This quote exactly reflects the present environment related to technology, where it is
changing very fast. By the time regulators come up with preventive measures to protect
customers from innovative frauds, either the environment itself changes or new technology
emerges. This helps criminals to find new areas to commit the fraud.
Some common Internet banking frauds and their causes have been discussed here.

❑ Attacking the Bank’s Server

In this case, the fraudster takes control of the server of the bank and, by visiting the
bank’s website, carries out transactions through impersonation.
These attacks are due to bad programming, which mostly prevails in general-purpose
software. Such attacks are called buffer overflow attacks. Due to buffer overflow defects
in the software, the fraudster can use commands on the server without providing essential
information like a password etc.

❑ Mail Spoofing

In mail spoofing or e-mail forgery, the fraudster sends information to bank customers in
such a form that it seems that the information is from the authentic bank source.
One such incident happened with ICICI Bank customers, who were asked to disclose passwords
and other information. The e-mail said:
“For security purpose your account has been randomly chosen for verification. To verify
your account information we are asking you to provide us with all the data we are
requesting. Otherwise, we will not be able to verify your identity and access to your account
will be denied. Please click on the link below to get to the ICICI secure page and verify
your account details. Thank you.”
Mail spoofing happens due to the lack of criteria to verify the authenticity of the source
address. Anyone can set up a mail server and can forge a mail posing as an authentic source.
❑ Web Spoofing

In Web spoofing, customers of the bank are lured to log in at the fraudster’s website, which
is similar to the bank’s website. Once the customer provides sensitive information, it can
be stolen easily by the fraudster, who uses the stolen sensitive information, like the
password and username, to carry out transactions on the bank as a real customer.
In the whole case, the only loser is the customer because he does not have any means to
prove that it was not he who did those transactions, but the fraudster.
The customer’s inability to interpret the Universal Resource Locator (URL) is the major
cause of Web spoofing. Look at the following two URLs:
• http://secure.bankname.com/carloanfind/carloans.asp

• http://secure.bankname.com? @569857125/carloanfind/carloans.asp

It is very difficult for a normal customer to understand the difference between these two
URLs. He can be easily cheated because the first URL will drive him to the original site
while the second one to the fraudster’s site.
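
A check that a mail gateway, proxy or help-desk script can run on links like the two above, given here as an added example that is not part of the original report: it parses each URL and reports the host a browser would actually contact. The names `inspect_link` and `numeric_host` are hypothetical; the second sample is a constructed variant of the report's second URL with the "@" placed directly after the bank's host name, and the third and fourth samples are constructed as well.

```python
import ipaddress
from urllib.parse import urlsplit


def numeric_host(host):
    """Return the IP address a host string denotes, or None if it is a name.

    Covers dotted IPv4, IPv6, and the bare-integer form (one decimal number
    standing for all 32 bits of an IPv4 address).
    """
    if host.isascii() and host.isdigit() and int(host) < 2 ** 32:
        return str(ipaddress.IPv4Address(int(host)))
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def inspect_link(url, expected_host):
    """Return (real_host, findings) for a link that claims to be the bank's.

    real_host is the host the client connects to; findings lists the reasons
    the link should not be trusted (empty when nothing is wrong).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # Everything before the last "@" in the authority is login information,
    # not the destination. A familiar host name placed there is a decoy.
    if "@" in parts.netloc:
        decoy = parts.netloc.rsplit("@", 1)[0]
        findings.append(f"userinfo-decoy:{decoy}")

    # Banks publish host names; a raw address hides who operates the server.
    ip = numeric_host(host)
    if ip:
        findings.append(f"numeric-host:{ip}")

    # Exact comparison: a longer name that merely starts with the bank's
    # host name is a different host.
    if host != expected_host.lower():
        findings.append(f"host-mismatch:{host}")

    return host, findings


# Sample links. The first is from the report; the rest are constructed.
BANK_HOST = "secure.bankname.com"
SAMPLES = [
    "http://secure.bankname.com/carloanfind/carloans.asp",
    "http://secure.bankname.com@569857125/carloanfind/carloans.asp",
    "http://33.247.84.101/carloanfind/carloans.asp",
    "http://secure.bankname.com.example.net/carloanfind/carloans.asp",
]

if __name__ == "__main__":
    for link in SAMPLES:
        real_host, problems = inspect_link(link, BANK_HOST)
        verdict = "OK" if not problems else "SUSPICIOUS " + ", ".join(problems)
        print(f"{link}\n    connects to: {real_host}\n    {verdict}")
```

The comparison is against an exact host name supplied by the bank, so the fourth sample is flagged even though it begins with the bank's name.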

❑ Denying Service from Bank’s Server

The fraudster’s intent here is not to commit any fraud but to create inconvenience for the
banks. The customer here literally cannot access the services of the bank.
Some reasons for such inconvenience are the fraudster’s interference with Transmission
Control Protocol/Internet Protocol (TCP/IP), the computer communication languages;
poisoning of the routers that help customers to reach different parts of the network; and
interference with the Domain Name System (DNS) service, which helps two computers to
communicate through IP numbers.

It is clear that plugging all the loopholes is very difficult for any regulator. This is a
challenge to the mission of fast automation. It is essential on the part of the banks, the
regulators and the service providers to create a secure and safe automation environment
that has the confidence and trust of the customers.
7. CREDIT CARD FRAUD ON INTERNET

Credit card fraud has become regular on Internet. All the agencies involved in the
transaction, cardholders, online merchants and the card issuers suffer losses. However, it is
the online merchant who suffers the most. This article examines the nature of credit card
fraud, types of credit card frauds, and the effects. This article also discusses the preventive
measures.

Internet commerce is growing very fast. From a customer base of 28.8 million spending
US$12 bn in 1999, Internet commerce has grown exponentially during the past few years and
is still growing. But, unfortunately, the growth is not on the expected lines. Credit card
fraud, which has become common, has retarded e-commerce growth. A 1999 survey by the US
National Consumers League reported that 7% of customers were victims of credit card fraud;
recent surveys indicate that one out of three online customers have become victims of this
kind of fraud. Customers, credit card companies, banks and merchants are battling this
problem; still this crime is on the ascendancy.

Common Types of Card Frauds

There are different types of frauds involving credit cards. The fraudulent activities start
from the application process itself.

Application Fraud:

In application fraud, the fraudster obtains personal confidential information of the other
person needed in the credit card applications, like social security number, date of birth
using a variety of means. Internet search engines and databases are making these tasks
easier. Using this information, he fills in an application for a credit card and after receiving
it, uses it as if he is the true holder. The person in whose name the card is issued might
come to know about this only after the damage is done.
Counterfeit Cards:

In this, a criminal gains access to a valid card number and other information. For example,
the salesperson at the supermarket briefly takes possession of the customer’s card during
the payment process, which he runs on a terminal. But without the knowledge of the
cardholder, the salesman can also run it on another machine, which can capture all the
details in the card. Using this information and tools like embossing machines, a fraudster
can create a counterfeit card. This process is known as ‘skimming’ and simple hand-held
devices are now available for the purpose. Further, the information skimmed can also be
used for purchases on the Internet or telephone.
Account Takeover:

In account takeover, the fraudster first obtains all the personal confidential information
about the other person. Then, impersonating the other person, he informs the bank that
there is a change in his residential or office address. Next, he informs them that his
credit card is lost and requests a new card at the new address. After receiving the card,
the criminal successfully takes over the account.

Stolen and Lost Cards:

By far, this is the most common form of fraud in the market place. When the criminal has
access to a stolen or lost card, he also gains access to all the personal information. Apart
from using this card fraudulently, the criminal can also use the information to ‘broaden’
the fraud by applying for new cards or fabricating new ones.

Other Forms:

From the point of view of a merchant, credit card frauds can be divided into three types:
organized fraud, opportunistic fraud and cardholder fraud. The advantages offered by the
Internet are also attracting criminals in a big way. In an organized criminal activity, the
gangs obtain credit cards using any of the means discussed above. They normally identify a
drop location like a vacant house or warehouse, spend the card up to the maximum limit, and
ask for the merchandise to be dropped at this selected location. These gangs have a thorough
understanding of the system and take advantage of the fact that there is normally a time gap
of more on to the next card. Opportunistic fraud is committed normally by amateurs who
get an opportunity of handling credit cards, like waiters in restaurants. Cardholder fraud
involves the cardholder himself, who might claim that he never placed the order or that he
never received the goods. It could also involve one of his family members or friends who
used the card without his knowledge.
Bust Out Fraud:

According to Daniel Buttafogo of Juniper, an Internet-based credit card company, in this
fraud, true customers gradually build up as much available credit card and then ‘bust out’
with large purchases of items that could easily be resold, like jewelry, or draw large cash
advances etc. Here the fraudster will draw bad checks on one account to pay when this
cannot be done any longer, the customer does a vanishing act. This kind of fraud is the most
difficult to catch, as the customer exhibits exemplary behavior till the last moment.

Friendly Fraud / Denial of Receiving Product:

Friendly fraud occurs when the actual cardholder carries out a transaction but later denies or
claims that his card was stolen or used without his authorization. Customers might deny
receipt or signing or even ordering the product.

8.Nature of E-Commerce Transactions:

In e-commerce transactions, face-to-face contact between the merchant and customer is
absent, and this causes most of the credit card frauds. In online transactions, after filling
in the online order form, the customer is expected to give his credit card number to conclude
the transaction. In the real world, after the purchase, the customer hands over the credit
card, which the merchant swipes using a terminal. The merchant also obtains the signature of
the customer on the credit card receipt. He also verifies the charge authorization. In case of
fraudulent use of a card, like using a stolen card, the merchant or the customer is reimbursed
by the credit card company. In online transactions, the card is not present during the
transaction and there is no signature of the customer on the receipt. These transactions are
treated as card-not-present transactions, in which the card-issuing companies do not reimburse
the merchant. In reality, speed, which is the most important benefit of the Internet,
facilitates the fraud. A physical transaction takes several minutes, whereas an Internet
transaction takes only a few seconds. Real-time transactions reduce the overheads but, at the
same time, increase the number of fraudulent transactions. For example, a fraudster can give
the same fraudulent card number to a number of e-business sites simultaneously and there is no
way the merchants can know about it.
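Because no single merchant can see the same card number being presented to several sites at once, the check has to run where authorization requests from all merchants meet, for example at the card issuer. The sketch below is an added example and not part of the original report; the window, the threshold, the field names, the key and the sample requests (which use well-known test card numbers) are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60   # assumed look-back window
MAX_MERCHANTS = 2     # assumed: more distinct merchants than this in the window raises an alert
TOKEN_KEY = b"constructed-demo-key"   # placeholder; a real key would come from a key store


@dataclass(frozen=True)
class AuthRequest:
    ts: int             # arrival time in seconds
    card_number: str
    merchant_id: str
    amount: float


def card_token(card_number):
    """Keyed digest, so detector state and alerts never hold the raw card number.
    A plain unkeyed hash would not do: card numbers are short enough to enumerate."""
    return hmac.new(TOKEN_KEY, card_number.encode(), hashlib.sha256).hexdigest()[:16]


class CrossMerchantVelocity:
    """Counts distinct merchants per card in a sliding window (feed in arrival order)."""

    def __init__(self, window=WINDOW_SECONDS, max_merchants=MAX_MERCHANTS):
        self.window = window
        self.max_merchants = max_merchants
        self._recent = defaultdict(deque)   # card token -> deque of (ts, merchant_id)

    def observe(self, req):
        """Return an alert dict if this request pushes the card over the limit, else None."""
        token = card_token(req.card_number)
        events = self._recent[token]
        while events and req.ts - events[0][0] > self.window:
            events.popleft()                # forget requests older than the window
        events.append((req.ts, req.merchant_id))
        merchants = sorted({merchant for _, merchant in events})
        if len(merchants) > self.max_merchants:
            return {"card": token, "ts": req.ts, "merchants": merchants}
        return None


def issuer_alerts(requests):
    """Issuer view: one detector sees the traffic of every merchant."""
    detector = CrossMerchantVelocity()
    return [a for a in (detector.observe(r) for r in requests) if a]


def merchant_local_alerts(requests):
    """Merchant view: each merchant runs the same check on its own traffic only."""
    alerts = []
    for merchant in sorted({r.merchant_id for r in requests}):
        detector = CrossMerchantVelocity()
        own = (r for r in requests if r.merchant_id == merchant)
        alerts += [a for a in (detector.observe(r) for r in own) if a]
    return alerts


# Constructed sample: one card number offered to three sites within five seconds.
SAMPLE = [
    AuthRequest(1000, "4111111111111111", "shop-a", 120.0),
    AuthRequest(1003, "4111111111111111", "shop-b", 80.0),
    AuthRequest(1004, "5500000000000004", "shop-a", 15.0),
    AuthRequest(1005, "4111111111111111", "shop-c", 300.0),
    AuthRequest(1006, "4111111111111111", "shop-c", 10.0),
    AuthRequest(1200, "4111111111111111", "shop-d", 40.0),   # earlier requests have aged out
    AuthRequest(1210, "5500000000000004", "shop-a", 15.0),
]

if __name__ == "__main__":
    print("issuer view  :", issuer_alerts(SAMPLE))
    print("merchant view:", merchant_local_alerts(SAMPLE))
```

The merchant view returns nothing for the same traffic, which is the blind spot the paragraph describes.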
9. INFORMATION TECHNOLOGY RISK IN BANKING:
MANAGEMENT & MEASUREMENT

Information Technology (IT) is not merely a technical function, but a management process,
which needs to be managed effectively. To measure the IT risk in banks, there are various
methodologies available. All of them by and large follow the same primary steps, like threat
analysis etc. For technology risk assessment, the American Bankers Association has
recommended various resources.
Risk management has widely followed the baseline approach, in which a baseline/standard
set of policies and practices is followed in taking business decisions without considering the
criticality of the business asset or decision. In the business sense, risk is the probability of
incurring a loss from taking or not taking a business decision. The loss can be tangible or
intangible. Risks can be avoided, controlled, shared, transferred and accepted. Risks can be
controlled through objectives, policies and procedures.
A risk management approach enables the management to give appropriate treatment to the
business assets and decisions based on their criticality to business goals and business
continuity. While the basic concepts remain the same, Information Technology introduces
new vulnerabilities as well as new techniques for risk management. As such, technology risk
management, while following the fundamentals, needs to address these new vulnerabilities.

Technology Risk Management

Information Technology Risk is the risk that can arise due to use or non-use of technology
in business or for business. The primary objective of an organization and its ability to
conduct business. The business of IT in business is to see that the business continues. IT
risk management has to ensure that this purpose is achieved. As such, the IT risk management
process should not be treated as a mere technical function carried out by the IT people and
should not be confined to IT assets. It is essentially a management function. However, the
role of IT people is also vital because IT security and IT risk management are interrelated
and an effective risk management process is an important component of a successful IT
security program.
The broad objective of performing IT risk management is to enable the organization to
achieve its business goals by better securing the IT systems and enabling management to
make well-informed risk management decisions in areas where technology is involved.
IT risk management is the process that helps to balance the operational and economic
costs of risk mitigation measures and achieve gains by protecting the IT systems and data
that support their organization’s goals. A well-structured risk management methodology,
when used effectively, can help management identify appropriate controls for providing the
mission-essential security capabilities.
Various organizations worldwide have come out with risk management frameworks,
policies, standards and principles that are quite useful in IT risk management and
measurement.
The committee set up by the Bank for International Settlements (BIS) has identified fourteen
Risk Management Principles for Electronic Banking to help banking institutions expand their
existing risk management policies and processes to cover their electronic banking activities.
Similarly, the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) Board and Project Advisory Council took on the responsibility to expand and
address the remodeled components of internal control. The end product of this is the COSO
Enterprise Risk Management (ERM) Framework.
The Information Systems Audit and Control Association (ISACA) has developed a
framework called Control Objectives for Information and related Technologies (COBIT)
which helps in IT risk management.
The ERM and COBIT frameworks provide a useful evaluation tool for informing
management, directors and other stakeholders about a process, procedure and policy to
identify, measure, prioritize and respond to finding risk.
In India, RBI has been providing much guidance in this area to Indian banks. There is a
good number of references and guidelines provided in the reports of various RBI
Committees. The report of the RBI Committee on computer audit provides a comprehensive
checklist covering many technology-related areas, which is useful in Technology Risk
Assessment.
Technology Risk Assessment/Measurement

Risk assessment/measurement is a process used to identify and evaluate risks and their
potential effect/exposure. Risk exposure is equal to the probability multiplied by the
impact on business.

Risk management covers three processes: risk assessment, risk mitigation, and evaluation.
Risk assessment is the first process in the risk management methodology and is
necessary for determining the extent of the potential threat and the risk associated with an
IT system throughout its System Development Life Cycle (SDLC). The output of the IT risk
assessment process helps to identify appropriate controls for reducing or eliminating risk
during the risk mitigation process.
Unlike financial risk, technology risk cannot be easily quantified or measured. But, banks
can gain financial and operational benefits by conducting an effective Technology Risk
Assessment (TRA). These include enhancing corporate governance over IT activities,
proactively identifying vulnerabilities and implementing risk business imperatives, and
efficiently using corporate risk management resources, including audit, in ensuring a
cost-benefit control environment.
Threats to an IT system must be analyzed in conjunction with the potential vulnerabilities
and the controls in place for the IT system to determine the likelihood of a future adverse
event and its impact. Impact refers to the magnitude of harm that could be caused by a threat.
The level of impact is governed by the potential impact on organizational goals and, in turn,
determines the level of criticality of an IT asset/resource.

Technology Risk Assessment (TRA) Methodologies

The quality of the technology risk assessment affects the effectiveness of the risk-based
decisions of management. With the increasing interest in operational risk management and
concerns about corporate governance, many proprietary enterprise risk-management
methods/solutions came onto the market to help banks meet the assessment challenge.
Since these methodologies are mostly developed for and by traditional risk managers, they
are generally weak in areas relating to technology, although they provide an adequate
perspective from a credit, financial, and environmental standpoint.
Risk assessment methodology generally follows these primary steps:

• Threat and Vulnerability Identification

• Probability/Likelihood Determination

• Impact Analysis

• Risk Determination

• Control Recommendations

• Results Documentation
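
The six steps above, carried through for a small register using the report's definition of risk exposure as probability multiplied by impact, with the controls in place lowering the likelihood. This is an added example and not part of the original report; the assets, threats, probabilities, loss figures, control discounts and treatment threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Every figure below is constructed for illustration; none comes from the report.
TREATMENT_THRESHOLD = 250_000   # assumed yearly exposure (rupees) above which a control is recommended


@dataclass
class Threat:
    name: str
    exploits: str        # the vulnerability this threat needs in order to succeed
    probability: float   # assumed yearly likelihood with no controls in place


@dataclass
class Asset:
    name: str
    impact: int                                    # assumed loss in rupees if compromised
    vulnerabilities: set = field(default_factory=set)
    controls: dict = field(default_factory=dict)   # vulnerability -> share of likelihood removed


def assess(assets, threats, threshold=TREATMENT_THRESHOLD):
    """Walk the six primary steps and return the documented, ranked register."""
    register = []
    for asset in assets:
        for threat in threats:
            # 1. Threat and vulnerability identification: a threat counts only
            #    where the asset has the vulnerability it exploits.
            if threat.exploits not in asset.vulnerabilities:
                continue
            # 2. Likelihood determination, taking the controls in place into account.
            discount = asset.controls.get(threat.exploits, 0.0)
            likelihood = threat.probability * (1 - discount)
            # 3. Impact analysis and 4. risk determination: exposure = probability x impact.
            exposure = round(likelihood * asset.impact)
            # 5. Control recommendation: control the risk or accept it.
            treatment = "control" if exposure >= threshold else "accept"
            register.append({"asset": asset.name, "threat": threat.name,
                             "exposure": exposure, "treatment": treatment})
    # 6. Results documentation: highest exposure first.
    return sorted(register, key=lambda row: row["exposure"], reverse=True)


THREATS = [
    Threat("phishing of customer credentials", "weak customer authentication", 0.4),
    Threat("remote exploitation", "unpatched web server", 0.2),
    Threat("insider misuse", "shared administrator passwords", 0.1),
    Threat("flood at data centre", "single-site hosting", 0.05),   # matches no asset below
]

ASSETS = [
    Asset("internet banking portal", 5_000_000,
          {"weak customer authentication", "unpatched web server"},
          {"unpatched web server": 0.5}),           # e.g. a filtering layer in front of the server
    Asset("ATM switch", 2_000_000, {"shared administrator passwords"}),
    Asset("branch file server", 400_000, {"shared administrator passwords"},
          {"shared administrator passwords": 0.75}),
]

if __name__ == "__main__":
    for row in assess(ASSETS, THREATS):
        print(f'{row["exposure"]:>9}  {row["treatment"]:<7}  {row["asset"]}: {row["threat"]}')
```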

Technology Risk Assessment (TRA) methodologies are not much different from general
risk assessment methodologies and they, too, follow these steps. However, the risk
assessment tools would be different in case of technology risk because to assess adequately
and to prioritize technology risk, the risk assessment tools must be supplemented with
methodologies specifically geared to technology.
As in the case of enterprise risk assessment tools, ready-made methods and tools developed
by vendors can be used for TRA also. However, a number of challenges are involved in
using these ready-made tools: vendor methodologies may not continuously update the TRA
throughout the year due to the costs involved; the outsourced methodology/tool may not
understand the bank’s specific issues, etc.
The American Bankers Association lists the following recommended resources for TRAs:
• International Standards Organization (ISO) 17799 (ISO Standards)
• Control Objectives for Information Technology (COBIT)

• SysTrust

• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)


• National Institute of Standards and Technology (NIST)

These resources are inexpensive to implement and serve the purpose in most cases. They
are based on extensive research from government and professional security experts and are
vendor neutral. These methodologies enjoy an excellent reputation among corporate
governance experts.
A summary description of each of the above TRA methods is as follows:

ISO Standards

The ISO, along with the International Electrotechnical Commission, forms the specialized
system for worldwide standardization. The stated purpose of the ISO standards is to
“provide a common basis for developing organizational security standards and effective
security management practice and to provide confidence in inter-organizational dealings.”
Originally developed in Britain, it is a favored TRA approach in Europe. The standard is
often referenced and leveraged by other prominent methods and covers 10 areas, namely:
Security policy, Communications and operations management, Organizational security, Access
control, Asset classification and control, System development and maintenance, Personnel
security, Business continuity management, Physical and environmental security, and
Compliance.
COBIT

COBIT has been developed as a generally applicable and accepted standard for good IT
security and control practices that provides a reference framework for IT governance.
COBIT is sponsored by the IT Governance Institute, established by the Information
Systems Audit and Control Association (ISACA), and addresses risk from both the business
and technology perspectives. It is an internationally recognized tool, incorporating both
operation management and audit concerns, which has been adopted in organizations including
the US House of Representatives, Charles Schwab & Co., and Swift.
The framework comprises 34 high-level control objectives belonging to four domains.
For each control objective, audit procedures and management guidelines are provided. The
latter guidelines uniquely provide COBIT with a business management perspective;
maturity models, critical success factors, key goal indicators, and key performance
indicators are provided for each of the high-level control objectives.
COBIT focuses on processes and their ownership. It provides an excellent methodology for
various parts of an organization to have the same perspective on IT risk management.
However, COBIT is more of a general assessment tool and detailed issues are to be
considered in the form of audit programs. As such, some consider it to be too theoretical.

SysTrust

The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute
of Chartered Accountants (CICA) introduced a service to provide assurance on the
reliability of systems. The purpose of this service, known as SysTrust, is to increase the
comfort of management, customers and business partners with the systems that support a
business or particular activity. The service considers four principles to evaluate whether a
system is reliable.

• Availability: The system is available for operation and use at times set forth in
service level statements or agreements.

• Security: The system is protected against unauthorized physical and logical access.

• Integrity: System processing is complete, accurate, timely and authorized.

• Maintainability: The system can be updated when required in a manner that
continues to provide for system availability, security and integrity.

Although SysTrust was not necessarily developed as a risk management tool, many
organizations have found that the SysTrust principles could be adopted as an effective RA
tool since the principles provide a stakeholder’s perspective on the impact of technology on
business activities. The AICPA/CICA is currently considering a new version of the
SysTrust tool that would also incorporate e-commerce activities. Under the revision, five
principles would replace the four above. The principles considered would include security,
availability, processing integrity, online privacy and confidentiality.
SysTrust provides good high-level questions for an overview of overall reliability but may
not provide detailed methods for intended objectives. It is more of an executive-level
assessment perspective than an operational-level one. However, it also has provision for
third-party assessment and covers security also.

OCTAVE

Developed by the Software Engineering Institute (SEI) at Carnegie Mellon University,
OCTAVE is a comprehensive, self-directed approach to TRA. It differs from traditional
TRAs in that it first determines which information assets really need to be protected and
then evaluates the technology infrastructure to determine the vulnerability of those assets.
OCTAVE presents an exciting TRA to ORMs because the SEI is home to the CERT alerts
and other information relating to managing security vulnerabilities. This robustness of tools,
workshops, and publications relating to OCTAVE significantly enhances an effective
assessment by the ORM.
Specifically, OCTAVE uses a three-phased approach to identify the technology risk
management needs of an enterprise:

• Build asset-based threat profiles: Identify important information assets, the threats to
those assets, security and current risk mitigation strategies.
• Identify infrastructure vulnerabilities: Examine technology infrastructure for
vulnerabilities that can be compromised.

• Develop security strategy and plans: Based on the results of the first two phases,
develop a strategy based on business priorities to mitigate risks.

OCTAVE is a full methodology with supporting tools and leverages a combination of
academic research and industry practices, but it is geared to larger institutions and its
use without formal training is difficult.

NIST

The Information Technology Laboratory (ITL) at the NIST in the USA is a body which
provides technical leadership for the nation’s measurement and standards infrastructure.
This includes developing standards and guidelines for the cost-effective security and
privacy of sensitive unclassified information in federal computer systems.
Like the other organizations mentioned previously, NIST provides a detailed checklist of
IT-related risk mitigation strategies that should be assessed as a part of a TRA. In addition
to its detailed coverage of security issues, the checklist makes it possible to determine
whether risk is managed by using five “levels of effectiveness”.

1. Control objectives documented in a security policy.

2. Security controls documented as procedures.

3. Procedures have been implemented.

4. Procedures and security controls are tested and reviewed.

5. Procedures and security controls are fully integrated into a comprehensive program.


However, this is mostly followed by big government organizations and following these
methodologies could be too burdensome in a smaller organization.
10. PRIMARY DATA & ITS ANALYSIS

The primary data has been collected through surveys (questionnaires) in banks, viz.,
Bank of Maharashtra, ICICI bank, HDFC bank.

• I.T. in banks is much more advanced than traditional banking?

Agree    Disagree    Fifty-Fifty

ANALYSIS: -

               Bank of Maharashtra    ICICI    HDFC
AGREE          96%                    98%      100%
DISAGREE       3%                     2%       0%
FIFTY-FIFTY    1%                     0%       0%

GRAPH: -

[Chart: AGREE / DISAGREE / FIFTY-FIFTY responses by bank (Bank of Maharashtra, ICICI, HDFC)]

EXPLANATION: -
It is clear from the questionnaire method that everyone agrees with the statement
“I.T. in banks is much more advanced than traditional banking”. Approximately ninety-eight
percent of bank employees agree with the above statement.

• The ratio of online transaction v/s manual transaction.

1:2    2:1    Equal    Can’t Say

ANALYSIS: -

             Bank of Maharashtra    ICICI    HDFC
1:2          30%                    0%       0%
2:1          60%                    100%     100%
Equal        0%                     0%       0%
Can’t Say    10%                    0%       0%

GRAPH: -

[Chart: 1:2 / 2:1 / Equal / Can’t Say responses by bank (HDFC, ICICI, Bank of Maharashtra)]

EXPLANATION: -

According to the above data collected, it is clear that approximately ten percent of
employees say that the ratio of online transaction v/s manual transaction is 1:2,
eighty-seven percent say it is 2:1, zero percent say it is equal and three percent
can’t say anything.

• Information technology in banks encouraging online frauds.

Yes    No    To some extent

ANALYSIS: -

                  Bank of Maharashtra    ICICI    HDFC
Yes               90%                    92%      98%
No                6%                     5%       1%
To some extent    4%                     3%       1%

GRAPH: -

[Chart: Yes / No responses by bank]

EXPLANATION: -

According to the above data collected, it is clear that approximately ninety-three
percent of employees say yes, four percent say no and three percent say to some
extent.

• Type of banking facility that will be friendly to illiterate customer.

Online banking    Manual banking    Both

ANALYSIS: -

                  Bank of Maharashtra    ICICI    HDFC
Online banking    2%                     0%       0%
Manual banking    97%                    98%      100%
Both              1%                     2%       0%

GRAPH: -

[Chart: Online banking / Manual banking / Both responses by bank (Bank of Maharashtra, ICICI, HDFC)]

EXPLANATION: -

According to the above data collected, it is clear that approximately ninety-seven
percent of employees say that the manual banking type of facility is friendly to illiterate
customers, two percent say online banking and one percent say both online as well as
manual banking are friendly to illiterate customers.

• In what way I.T. in banks affects the work of the employees.

Increases the work    Decreases the work    Same at both levels

ANALYSIS: -

                       Bank of Maharashtra    ICICI    HDFC
Increases the work     45%                    30%      40%
Decreases the work     50%                    63%      55%
Same at both levels    5%                     7%       5%

GRAPH: -

[Chart: Increases the work / Decreases the work / Same at both levels responses by bank (Bank of Maharashtra, ICICI, HDFC)]

EXPLANATION: -

According to the above data collected, it is clear that approximately thirty-eight
percent say I.T. in banks increases the work of the employees, fifty-six percent say it
decreases the work and six percent say it is the same at both levels.

• Is I.T. in banks increasing the cost of banking operations / banking transactions?

Yes    No    Equal

ANALYSIS: -

         Bank of Maharashtra    ICICI    HDFC
Yes      98%                    94%      100%
No       2%                     5%       0%
Equal    0%                     1%       0%

GRAPH: -

[Chart: Yes / No / Equal responses by bank (Bank of Maharashtra, ICICI, HDFC)]

EXPLANATION: -

According to the above data collected, it is clear that approximately eighty-seven
percent of employees say yes, i.e. I.T. increases the cost of banking operations or banking
transactions, two percent say no and one percent say equal.
10. SECONDARY DATA AND ANALYSIS

Indian Scenario

Major players in the Indian Market

Banks         No. of cards in lakhs
              2002    2003
Citibank      16      20
Stan Chart    14      18
SBI-GE        9       13

According to an analyst, it is estimated that the Indian smart card industry is growing at
around 45% annually and would reach the size of $6 bn by 2010. In the next five years, the
number of smart cards being used in the country can touch 400 million from around 50 million
cards today.
To standardize the smart card, the Government has recently standardized the technical
aspects of smart cards. An operating system called “SCOSTA” (Smart Card Operating
System for Transport Application) developed by IIT Kanpur has been chosen as the standard
operating system for transport-related projects. India is planning to issue smart card based
identity cards to citizens. State Governments are also planning to issue smart card based
driving licenses. Kerala recently tried a ration card project at Thiruvananthapuram. But the
lack of resources with state governments may halt many such projects. States like Kerala
have stopped several smart card related projects due to a resource crunch.
It is the market for SIM cards for mobile phones that is growing faster in India, at about
70-80% annually.
11. FINDINGS AND CONCLUSIONS

According to the survey conducted in Bank of Maharashtra, ICICI Bank & HDFC Bank,
the following points are concluded:
1. I.T. in banking sector is much more advanced than traditional banking.
2. Online transactions are more widely used than manual transactions.
3. Manual banking facility is more friendly to illiterate customers.
4. I.T. in banks to some extent reduces the work of employees.
5. I.T. in banks to some extent encourages online frauds.
6. Online banking is much costlier than manual banking. It increases the cost of
banking operations.
7. Online banking facility can lead to progress of the banking sector.
SUGGESTIONS AND RECOMMENDATIONS

1. Some highly advanced software / programs should be implemented in the banking
sector in order to prevent hackers and frauds.

2. Online banking operations cost or banking transaction cost should be reduced so that
middle-class customers can have access to online banking facility.
