Journal of Association of Professional Bankers of Sri Lanka December 2005 Issue

Internet Banking and e-Commerce You are not completely wrong about your perceptions
Priam Kasturiratna
MBA (Sri.J), AIB (SL) Senior Executive, Systems Development Sampath Bank Sri Lanka is one of the first countries in South Asia to embrace Internet in the mid 90s. Since then, our country has achieved a good range of Internet Banking and Electronic Commerce services (Internet Services). Banks and Financial Service organisations in this context, have played and will continue to play a vital role by developing and maintaining a wide range of Internet Services. With the growth of Internet Services, Customer Profiles and Managerial/Technical views on Internet Services have developed. These views are based on industry experiences, and general viewpoints. The purpose of this article is to share some honest insights on the Internet Services Customer Profile with professionals in the Banking Industry. Some generally accepted views about Internet Services are 1. Internet Services are popular mostly among younger generation Sri Lankan computing was born in late 1960s. The general assumption is that those who were older than their learning age at that time did not have an opportunity to gather much in computing. From a sample of 12,200 Internet Banking Users with verified birth data, it was revealed that 26% of users are 30 years old or younger and 67% of them are 40 years old or younger. Eighty nine percent are 50 years or younger. Another 10% are in the 50-70 age group, and the remaining 1% is an exception which included among others, 60 Internet Service users in their seventies and eighties. As a country, 14% of the population is older than 55 years, which is increasing1. While agreeing on the basic idea of Internet being popular among younger generation, it is necessary that we appreciate the fact that more and more older people are getting converted to Internet Services, and young users today get older over the years. 2. Internet Services are always popular among IT Savvy and IT Professionals This is an extremely difficult statement to prove or reject, but most bankers would intuitively agree on this. Though there is not much argument about this statement, one should be careful in distinguishing IT Savvy individuals from IT professionals, and individuals working in the IT Industry. A research conducted with 100 individuals showed that over 80% of the participants were positive about using Internet Services. Twenty participants had Masters Level IT qualifications and 4 of them (20%) did not favour Internet Services. The ratio of IT Masters favouring, and not favouring Internet Services were equal.2 This shows that being an IT Qualified person does not necessarily make him/her an Internet Services User. On the other hand, many non IT professionals in Accounting, Financial Services, Auditing, Marketing, Management, Training etc. are found to be serious Internet Service users. Therefore, it would be more appropriate to say that the Professionals and IT
1

Central Bank of Sri Lanka, Annual Report 2004, 2005 2 Priam Kasturiratna, Customer Preference Behaviour on E-Business Operations in Banking, Postgraduate Institute of Management, 2002

Savvy prefer Internet Services rather than using the category IT Savvy and IT Professionals as a whole. 3. You need good computer literacy to use Internet Services Today, Internet Services like Bill Payments, Credit Card Payments, InterBank Payments and Doctor Channelling are used by many people who possess only an average level of Computer Literacy. Only 4% of the households in the country has a personal computer. Assuming equal population distribution, we could take 1955 age group in these households to be around 390,0003. In contrast, an industry estimate of Internet Service users in the country is less than 100,000. These two pieces of information raise the questions whether good IT literacy is a must for Internet Service use, or whether IT Literacy alone could stimulate one to use Internet Services. It is also observed that the User Friendliness combined with Serving a Useful Purpose or compulsion to use Internet Services generates more influence than computer literacy. 4. Internet Services should be marketed to Managerial Levels and Professionals to get good results. Professional and Managerial segments are one of the most successful market segments of Internet Services. Does this statement assume that professionals will accept Internet Services as a logically viable, safe and convenient way for obtaining financial services? Consider the varying individual perceptions of Internet Security Risks. As noted above, even some IT professionals rate risks of Internet Services too high to deal with. Similarly, some professionals could be facing access difficulties or high cost of
3

personal access, which eliminate the likelihood of use even if the willingness exists. Less focus/need on financial management activities could be another reason why some professionals still adopt traditional methods for obtaining similar services. Why bother to use Internet Services when the methods I am well used to are conveniently available? A self-evaluation among the middle and upper management in the Banking and Financial Services industry would probably elaborate the situation. 5. More people will use Internet Services if Security Features like firewalls; SSL Encryption and User Authentication etc. are available Sample of 100 respondents showed that 3% are dissatisfied with the existing security features, 37% were not much aware of security, which could mean not concerned or willing to go along with others, and 60% indicated that they were satisfied with the existing Security Precautions implemented by Internet Services Providers. However, 31% of respondents who were willing to use Internet Services indicated their minimal knowledge and concern for Internet Service Security 4. Analysing the security implementations of popular Sri Lankan Internet Services, one would note that almost all of them have implemented Security at levels acceptable worldwide. Taking this fact together with the research statistics denote that Service Providers are seriously managing security, and a clear majority of users are comfortable on the level of Security provided. Is this serving as a healthy condition for safe future of Internet Services in Sri
4

Central Bank of Sri Lanka, Annual Report 2004, 2005

Priam Kasturiratna, Customer Preference Behaviour on E-Business Operations in Banking, Postgraduate Institute of Management, 2002

Lanka? Though the present status is good, users need to be continuously aware of the risks involved, and be able to critically analyse the services they use. Low level of security awareness in users could lead Internet Service Providers into comfort zones, which would prove unhealthy for the industry. 6. One of the main reasons for non use of Internet Services is Access Unavailability; More people will use Internet Services if access is provided. The highest computer awareness of 32% was reported from the Colombo district. The next higher percentages (18% 29%) were reported from a belt of districts consisted of Matara, Galle, Kalutara, Gampaha, Kurunegala, Matale, and Ampara districts. Lowest percentages (4.7% - 7.7%) were reported from Mannar, Baticaloa, Nuwara Eliya and Monaragala districts5. However, if we analyse the usage volumes at free Internet Service Points provided by several banks, the free access facility does not seem to be attractive. From an analytical viewpoint, it could be said that Free Internet Service Access Points are not utilised at their full potential even in districts where computer awareness is comparatively high. 7. Serving Internet Service Customers is a tricky business. They are so fast, so busy and you just cannot delay fixing an issue for more than a couple of days at the maximum. Serving an Internet Service customer is more difficult, and demanding than a traditional banking customer. The customer is accessing the system from a remote location and there is no way to obtain personal assistance if any clarifications need to be made. Therefore, the possibility for getting irritated by the slightest system lapse is unavoidable. The frustration could also get aggravated if issues are not resolved quickly.
5

On the other hand, Internet Services are linked with Core Banking Systems, Credit Card Switches and other Applications/Databases. These links make Internet Service Systems more complex, and dependent on external systems which warrant more time to diagnose and resolve issues. It is practically seen that customers face frustration mostly due to banks inability to resolve issues within a reasonable period of time. Issues due to software bugs calling for a software modification could take a few days or more due to product management, Software Quality Assurance, Audit and Security concerns. Most customers appreciate the fact that some issues could take time to resolve. But, on the other hand, banks are usually forced to kill time for weeks, months, and sometimes for years to get a bug fixed even by global vendor giants in software. Therefore, what happens practically is that some of the issues in Internet Services get resolved long after both the customer and bank/provider would like to have it. While a relatively few users quit Internet Services due to frustration, the majority understand the situation and exercise patience during genuinely time consuming issues. 8. Maintaining Internet Services is a high risk exercise, but good security infrastructure will greatly reduce the risk. This is a popular statement, which is being used repeatedly, and in good faith. This should be looked at with a professional mind. Vulnerabilities change over time, new threats are created, and threatening capabilities grow. Does security infrastructure include humans and controls? This leads us to a more difficult question whether the residual risk in a security

Department of Census www.statistics.gov.lk, 2004

&

Statistics,

infrastructure is as low as the acceptable level? Answers to this question vary from specific situation to situation. It could change over time and circumstances. However, there are few core concepts, which are more or less fixed. Firstly the definition of good security infrastructure, should include physical security to systems, Passwords, SSL encryption, Site Certification, Secure ID etc. Thereafter the elements of the security program which should include the Policies, Standards, Procedures and Guidelines. These areas could be more elaborated to include Process Controls, periodic audits, Risk Assessments, Penetration tests and Business Continuity. Thirdly is the human factor. This includes Systems Administrator Training/Education which makes administrators understand their role and responsibilities in ensuring safety, Incident Response rehearsals, which create and maintain human capabilities to identify and respond to threats promptly and appropriately. Fourth is the compliance with Legal and Regulatory requirements applicable to the jurisdiction in which the Internet Services are operated. This will include electronic transaction laws, central bank regulations, exchange controls, tax regulations, credit card procedures and regulations, and legal relationships between Internet Services providers, Internet Vendors and end users. The last, but not the least is Internet Services User Education, which is rather out of focus of many, but a vital element in maintaining a good Internet Service. Internet Services users with good Password Management, safe sign-on practices and vigilance are extremely helpful in controlling risks in Internet Services. In summary, there is much to be done for maintaining a proper security framework, which cultivates a safer environment for

Internet Service users, rather than just concentrating on a technically secure systems infrastructure. 9. In Sri Lanka, you need a receipt as a Proof of Payment of a bill; people are not likely to pay through Internet Services, as it will only give an Online Receipt. What happens if the phone is disconnected even after paying the bill through an Internet Service? Most of us would share this concern in paying any Utility Bill. Financial Institutions and Utility companies have managed to handle this controversy by promptly resolving user issues. Let us look at the practical conditions. The Estimated number of current Internet transactions in Sri Lanka per month is over 10,000. This can be considered as a substantial number considering the 108,305 internet/email subscribers (2005 provisional) in the country6. What could be observed here is that Internet Services Users are not deterred by the nonavailability of a printed receipt. Electronic Proof of Payments is now legally accepted as evidence in growing number of countries, and Sri Lanka is positively working towards enacting necessary legal amendments. Expected changes would take us towards acceptance of Online Proof of Payments. 10. It is not safe to use Credit Cards (and Internet Banking) on the internet. Sensitive financial information can be compromised over the Internet Services. This statement had some validity years before. Today, Credit Card Frauds generally affect Merchants/Sellers on the internet than users. Michael Bloch elaborates, If online credit card fraud scares consumers, then it absolutely terrifies merchants! While consumers have some protection against
6

Telecommunication Regulatory Commission of Sri Lanka, www.trc.gov.lk, 2005

fraud, fraudulent credit card transactions are costing e-commerce merchants many millions of dollars annually.7 Globally accepted Security standard today is to have minimum 128-bit SSL (Secure Socket Layer) encryption implemented for any Internet Credit Card Payment Switch. Theoretically, breaking 128-bit encryption with todays computing power would take close to 10 trillion years. Therefore, the possibility of decrypting financial messages from secure internet sites by a third party is rather non existent. Apart from the traditional fears about eavesdropping, todays Internet Services Users should guard themselves against developments in technology-aided mechanisms which permit unauthorised access to sensitive information. Examples are keystroke recording software in public terminals, hidden cameras etc. However, users need to be careful or secretive about their own sensitive information like Account Numbers, passwords etc. Common examples for lapses are, writing passwords on paper, divulging passwords, using Internet Services via public/unsafe computer terminals, common passwords, having easily predictable passwords (immediate family members names, birthday), using Credit Cards at unsecured internet sites, using Credit Cards at suspicious merchant locations etc. Finally, users should be aware of Social Engineering, which is common, highly risky and completely non technical way of gathering sensitive information. Social Engineering involves using ones persuasive or tactical powers to extract sensitive confidential information from anyone who legitimately possesses such information. 11. Can you pay an unknown seller and have confidence that he will provide you good quality goods or services?
7

Common scenarios in this context are, Firstly - Experienced users buying from reputed sellers or repeat purchases from trusted sellers. There will be minimal doubt in such transactions. Secondly - Experienced users buying from unknown or relatively less reputed sellers. This concern is valid unless and until the buyer gets value for money, and trust is established. ThirdlyInexperienced users buying from reputed/known sellers. There will be some doubt until the buyer gets value for money, and trust is established. The risk is minimal. Finally - Inexperienced users buying from unknown sellers. Buyer takes a high risk in these situations. Risks like damage/theft of goods in transit, political and economic risks which could apply to any commercial transaction are also applicable to Internet Transactions. Having noted that, we should also look at the growing numbers of Internet Transactions around the globe. As noted before, responsible behaviour of Financial Institutions, Credit Card Issuers and Internet Sellers have helped immensely to establish Internet buying as a convenient way to buy. Apart from that, the ability to buy goods from entirely distant part of the world at no additional cost, ability to pass the financial consideration conveniently from buyer to seller, and more favourable pricing than traditional purchasing have jointly contributed for the popularity of Internet Transactions despite the risks.

Conclusion
An uncommon perspective was used throughout the article to look at standard perceptions on Internet Services. One needs to appreciate fuzzy logic equally with classical logic to correctly understand the Internet Services Market.

Michael Bloch, Preventing Credit Card Chargebacks, Anit-fraud Strtergies, www.tamingthebeast.net

At the rate of technology and human behaviour changes today, we should realise that it is difficult to be right all the time. Speed of change is so fast. Some perceptions may lead you along the correct path, but it could be not for long. As Churchill noted, It is a mistake to try to look too far ahead. The chain of destiny can only be grasped one link at a time