Report on Internet Banking

Chapter 1 - Introduction
Chapter 2 - Internet Banking - a new medium
Chapter 3 - International experience
Chapter 4 - The Indian Scenario
Chapter 5 - Types of risks associated with Internet banking
Chapter 6 - Technology and Security Standards for Internet Banking
Chapter 7 - Legal Issues involved in Internet Banking
Chapter 8 - Regulatory and supervisory concerns
Chapter 9 - Recommendations
Annexure 1
Annexure 2
Annexure 3
Annexure 4
Annexure 5

Chapter 1 - Introduction

1.1 Background

1.1.1 Banks have traditionally been in the forefront of harnessing technology to improve their products, services and efficiency. They have, over a long time, been using electronic and telecommunication networks for delivering a wide range of value added products and services. The delivery channels include direct dial up connections, private networks, public networks etc. and the devices include telephone, Personal Computers including the Automated Teller Machines, etc. With the popularity of PCs, easy access to Internet and World Wide Web (WWW), Internet is increasingly used by banks as a channel for receiving instructions and delivering their products and services to their customers. This form of banking is generally referred to as Internet Banking, although the range of products and services offered by different banks vary widely both in their content and sophistication.

1.1.2 Broadly, the levels of banking services offered through INTERNET can be categorized into three types: (i) The Basic Level Service is the banks' websites which disseminate information on different products and services offered to customers and members of public in general. It may receive and reply to customers' queries through e-mail; (ii) In the next level are Simple Transactional Websites which allow customers to submit their instructions, applications for different services, queries on their account balances, etc., but do not permit any fund-based transactions on their accounts; (iii) The third level of Internet banking services are offered by Fully Transactional Websites which allow the customers to operate on their accounts for transfer of funds, payment of different bills, subscribing to other products of the bank and to transact purchase and sale of securities, etc.

The above forms of Internet banking services are offered by traditional banks, as an additional method of serving the customer, or by new banks, who deliver banking services primarily through Internet or other electronic delivery channels as the value added services. Some of these banks are known as 'virtual' banks or 'Internet-only' banks and may not have any physical presence in a country despite offering different banking services.

1.1.3 From the perspective of banking products and services being offered through Internet, Internet banking is nothing more than traditional banking services delivered through an electronic communication backbone, viz., Internet. But, in the process it has thrown open issues which have ramifications beyond what a new delivery channel would normally envisage and, hence, has compelled regulators world over to take note of this emerging channel. Some of the distinctive features of i-banking are:

1. It removes the traditional geographical barriers as it could reach out to customers of different countries / legal jurisdictions. This has raised the question of jurisdiction of law / supervisory system to which such transactions should be subjected;
2. It has added a new dimension to different kinds of risks traditionally associated with banking, heightening some of them and throwing up new risk control challenges;
3. Security of banking transactions, validity of electronic contract, customers' privacy, etc., which have all along been concerns of both bankers and supervisors, have assumed different dimensions given that Internet is a public domain, not subject to control by any single authority or group of users;
4. It poses a strategic risk of loss of business to those banks who do not respond in time to this new technology, it being the efficient and cost effective delivery mechanism of banking services;
5. A new form of competition has emerged both from the existing players and new players of the market who are not strictly banks.

1.1.4 The Regulatory and Supervisory concerns in i-banking arise mainly out of the distinctive features outlined above. These concerns can be broadly addressed under three broad categories, viz., (i) Legal and regulatory issues, (ii) Security and technology issues and (iii) Supervisory and operational issues. Legal issues cover those relating to the jurisdiction of law, validity of electronic contract including the question of repudiation, and gaps in the legal / regulatory environment for electronic commerce. On the question of jurisdiction the issue is whether to apply the law of the area where access to Internet has been made or where the transaction has finally taken place. Allied to this is the question of where the income has been generated and who should tax such income. There are still no definite answers to these issues.
1.1.5 Security of i-banking transactions is one of the most important areas of concern to the regulators. Security issues include questions of adopting internationally accepted state-of-the-art minimum technology standards for access control, encryption / decryption (minimum key length etc.), firewalls, verification of digital signature, Public Key Infrastructure (PKI) etc. The regulator is equally concerned about the security policy for the banking industry, security awareness and education.

1.1.6 The supervisory and operational issues include risk control measures, advance warning system, Information Technology audit and re-engineering of operational procedures. The regulator would also be concerned with whether the nature of products and services offered are within the regulatory framework and whether the transactions do not camouflage money-laundering operations.

1.1.7 The Central Bank may have its concern about the impact of Internet banking on its monetary and credit policies. As long as Internet is used only as a medium for delivery of banking services and facilitator of normal payment transactions, perhaps, it may not impact monetary policy. However, when it assumes a stage where private sector initiative produces electronic substitution of money like e-cheque, account based cards and digital coins, its likely impact on the monetary system cannot be overlooked. Even in countries where i-banking has been quite developed, its impact on monetary policy has not been significant. In India, such concern, for the present, is not addressed as Internet banking is still in its formative stage.

1.1.8 The world over, central bankers and regulators have been addressing themselves to meet the new challenges thrown open by this form of banking. Several studies have pointed to the fact that the cost of delivery of banking service through Internet is several times less than the traditional delivery methods.
This alone is enough reason for banks to flock to Internet and to deliver more and more of their services through Internet, and as soon as possible. Not adopting this new technology in time has the risk of banks getting edged out of competition. In such a scenario, the thrust of regulatory thinking has been to ensure that while the banks remain efficient and cost effective, they must be aware of the risks involved and have proper built-in safeguards, machinery and systems to manage the emerging risks. It is not enough for banks to have systems in place, but the systems must be constantly upgraded to changing and well-tested technologies, which is a much bigger challenge. The other aspect is to provide a conducive regulatory environment for orderly growth of such form of banking. Central Banks of many countries have put in place broad regulatory frameworks for i-banking.

1.1.9 In India, too, i-banking has taken roots. A number of banks have set up banking portals allowing their customers to access facilities like obtaining information, querying on their accounts, etc. Soon, still higher levels of online services will be made available. Other banks will, sooner than later, take to Internet banking. The Indian scenario is discussed in detail in Chapter 4 of this report.

1.2 Constitution of the Working Group

1.2.1 In the above background, Reserve Bank of India constituted a Working Group to examine different issues relating to i-banking and recommend technology, security, legal standards and operational standards keeping in view the international best practices. The Group is headed by the Chief General Manager-in-Charge of the Department of Information Technology and comprised experts from the fields of banking regulation and supervision, commercial banking, law and technology. The Bank also constituted an Operational Group under its Executive Director comprising officers from different disciplines in the bank, who would guide implementation of the recommendations. The composition of both the Groups is at Annexure 2 and Annexure 3.

1.2.2 Terms of reference

The Working Group, as its terms of reference, was to examine different aspects of Internet banking from regulatory and supervisory perspective and recommend appropriate standards for adoption in India, particularly with reference to the following:

1. Risks to the organization and banking system, associated with Internet banking, and methods of adopting International best practices for managing such risks.
2. Identifying gaps in supervisory and legal framework with reference to the existing banking and financial regulations, IT regulations, tax laws, depositor protection, consumer protection, criminal laws, money laundering and other cross border issues, and suggesting improvements in them.
3. Identifying international best practices on operational and internal control issues, and suggesting suitable ways for adopting the same in India.
4. Recommending minimum technology and security standards, in conformity with international standards and addressing issues like system vulnerability, digital signature, information system audit etc.
5. Clearing and settlement arrangement for electronic banking and electronic money transfer; linkages between i-banking and e-commerce.
6. Any other matter, which the Working Group may think as of relevance to Internet banking in India.

1.3 Approach of the Group

1.3.1 The first meeting of the Working Group was held on July 19, 2000. It was decided that members of both Working Group and Operational Group would participate in all meetings and deliberations. The Group, in its first meeting, identified the broad parameters within which it would focus its deliberations.

1.3.2 The Group agreed that Internet banking is a part of electronic banking (e-banking), the main difference being that in i-banking the delivery channel is Internet, a public domain. Although the concerns of e-banking and i-banking have many things in common, the fact that Internet is a public domain called for additional security measures. It was agreed that the Group would primarily focus its attention on i-banking and, to the extent there was commonality between i-banking and e-banking, its recommendations would also apply to e-banking.
1.3.3 The Group further held that i-banking did not mean any basic change in the nature of banking and the associated risks and returns. All the same, being a public domain and a highly cost effective delivery channel, it does impact both the dimension and magnitude of traditional banking risks. In fact, it adds new kinds of risk to banking. Some of the concerns of the Regulatory Authority in i-banking relate to technology standards including the level of security and uncertainties of legal jurisdiction etc. Its cost effective character provides opportunities for efficient delivery of banking services and higher profitability, and a threat to those who fail to harness it.

1.3.4 The Group decided to focus on the above three major areas, where supervisory attention was needed. Accordingly, three sub-groups were formed for looking into three specific areas: (i) technology and security aspects, (ii) legal aspects and (iii) regulatory and supervisory issues. The sub-groups could seek help of external experts in the relevant fields, if needed.

1.4 Layout of the Report

1.4.1 The views of the Group were crystallized after several rounds of deliberations of members of both the Working Group and the Operational Group. The reports prepared by the three sub-groups were discussed and assimilated into this report. The report is presented in nine chapters. Chapter 1, the introductory chapter, gives the background leading to the formation of the Group, its composition, terms of reference and the approach adopted by the Group in finalizing its recommendations.

1.4.2 The basic structure of Internet and its characteristics are described in Chapter 2 in order to explain the nature of concerns addressed in the chapters to follow. Also explained in the chapter is the growth of Internet banking and different products and different e-commerce concepts.

1.4.3 Chapter 3 describes International experience in i-banking, particularly with reference to USA, United Kingdom and the Scandinavian countries, who are pioneers in this form of banking. Chapter 4 looks at the Indian scenario as it prevails now.

1.4.4 Chapter 5 discusses different types of risks associated with banking in general and i-banking in particular. Emphasis is given on normal risks associated with banking which get accentuated when the services are delivered through Internet. Risks relating to money laundering and other cross border transactions are discussed.

1.4.5 Technology and security standards are core concerns for Regulatory Authorities in relation to Internet banking.
A separate sub-group looked into these issues, which are discussed in detail in Chapter 6. Emphasis is given on technology and security standards and policy issues rather than on products and technical tools.

1.4.6 Another important regulatory concern is the legal environment in which i-banking transactions are carried out. It is of importance to identify gaps in the existing framework and to suggest the changes required. The legal sub-group had made a detailed analysis of the legal questions involved, which are discussed in Chapter 7.

1.4.7 Chapter 8 deals with various control measures required to be adopted by banks to manage the risks discussed in earlier chapters. Operational aspects like internal control, early detection system, IT audit, technical manpower, etc. are also discussed. The impact of i-banking on clearing and settlement arrangements has also been addressed. The sub-group on Regulatory and Supervisory issues had addressed the above questions.

1.4.8 Chapter 9 contains recommendations of the Working Group. Shri S. H. Bhojani had disagreement with some of the observations / recommendations by the Group and a note of dissent is appended as Annexure 1.

1.5 Acknowledgement

1.5.1 The Group wishes to acknowledge and put on record its appreciation of support received from various quarters in completing the Report.

1.5.2 The Central Banks and Regulatory Authorities of different countries and the Bank for International Settlements were approached for papers compiled by them on the subject and for details of regulations already in place. All relevant materials were received from them promptly. The Group gratefully acknowledges their support and cooperation.

1.5.3 Shri Girish Vaidya of Infosys Technologies Ltd. had made an erudite presentation on Internet Banking to the Group, which was very useful in finalizing this report. The Group gratefully acknowledges his efforts.

1.5.4 Three sub-groups were formed to focus deliberations on three important aspects of Internet banking.
These sub-groups utilized the expertise of professionals / bankers in finalizing their views. The convenors and members of the sub-groups worked most diligently to produce reports of very high quality. The Group gratefully thanks them for their efforts. The Group gratefully acknowledges the contributions made by S/Shri G. Subba Rao, Head, Internal Audit, ABN Amro Bank, Shri P. C. Narayan, Executive Vice President, Global Trust Bank and Shri Sasidharan Menon, Head, Internal Audit, Deutsche Bank as members of the sub-group on Regulatory and Supervisory Issues.

1.5.5 The Department of Banking Operations and Development provided secretarial service to the Working Group. The Group wishes to put on record its appreciation of the efforts put in by the secretarial team consisting of DGMs (Shri S. R. Das, Shri Arnab Roy), AGM (Shri Indrajit Roy) and Managers (Shri Chetan N. Balwir, Dr. T. K. Karthikeyan, Shri J. P. Bansal) in organizing the meetings, arranging the background papers and drafting of the Report.

1.5.6 The Group wishes to place on record its appreciation of contributions made by all members of the Operational Group who participated in the deliberations and offered their valuable suggestions and guidance.

1.5.7 The Member-Secretary of the Working Group, Shri M. P. Kothari, worked with utmost zeal in ensuring smooth conduct of the entire process right from the inception of the Working Group till the finalization of the Report. The Group gratefully acknowledges his efforts, but for which the Report would not have been completed.

Chapter 2 - Internet Banking - a new medium

2.1 Internet: its basic structure and topology

2.1.1 Internet is a vast network of individual computers and computer networks connected to and communicating with each other using the same communication protocol, TCP/IP (Transmission Control Protocol / Internet Protocol). When two or more computers are connected a network is created; connecting two or more networks creates an inter-network or Internet. The Internet, as commonly understood, is the largest example of such a system.
Internet is often and aptly described as the Information Superhighway, a means to reach innumerable potential destinations. The destination can be any one of the connected networks and host computers.

2.1.2 Internet has evolved to its present state out of a US Department of Defence project ARPANet (Advanced Research Project Administration Network), developed in the late 1960s and early 1970s as an experiment in wide area networking. A major perceived advantage of ARPANet was that the network would continue to operate even if a segment of it is lost or destroyed, since its operation did not depend on the operation of any single computer. Though originally designed as a defence network, over the years it was used predominantly in areas of scientific research and communication. By the 1980s, it moved out of the Pentagon's control and more independent networks from the US and outside got connected to it. In 1986, the US National Science Foundation (NSF) established a national network based on the ARPA protocol using commercial telephone lines for connectivity. The NSFNet was accessible by a much larger scientific community, commercial networks and general users, and the number of host computers grew rapidly. Eventually, NSFNet became the framework of today's Internet. ARPANet was officially decommissioned in 1990.

2.1.3 It has become possible for innumerable computers operating on different platforms to communicate with each other over Internet because they adopt the same communication protocol, viz., TCP/IP. The latter, which stands for Transmission Control Protocol / Internet Protocol, is a set of rules which define how computers communicate with each other. In order to access Internet one must have an account in a host computer, set up by any one of the ISPs (Internet Service Providers). The accounts can be SLIP (Serial Line Internet Protocol) or PPP (Point to Point Protocol) accounts.
These accounts allow creating temporary TCP/IP sessions with the host, thereby allowing the computer to join the Internet and directly establish communication with any other computer in the Internet. Through this type of connection, the client computer does not merely act as a remote terminal of the host, but can run whatever programs are available on the web. It can also run several programs simultaneously, subject to limitations of speed and memory of the client computer and modem. The TCP/IP protocol uses a unique addressing scheme through which each computer on the network is identified.

2.1.4 The TCP/IP protocol is insecure because data packets flowing through TCP/IP networks are not normally encrypted. Thus, any one who intercepts communication between two machines will have a clear view of the data, passwords and the like. This has been addressed through Secure Socket Layer (SSL), a Transport Layer Security (TLS) system which involves an encrypted session between the client browser and the web server.

2.1.5 FTP or File Transfer Protocol is a mechanism for transferring files between computers on the Internet. It is possible to transfer a file to and from a computer (ftp site) without having an account in that machine. Any organization intending to make its documents available to the public would normally set up an ftp site from which any one can access the documents for download. Certain ftp sites are available only to validated users with an account ID and password.

2.1.6 e-mail: The most common and basic use of Internet is the exchange of e-mail (electronic mail). It is an extremely powerful and revolutionary result of Internet, which has facilitated almost instantaneous communication with people in any part of the globe. With enhancements like attachment of documents, audio, video and voice mail, this segment of Internet is fast expanding as the most used communication medium for the whole world. Many websites offer e-mail as a free facility to individuals. Many corporates have interfaced their private networks with Internet in order to make their e-mail accessible from outside their corporate network.

2.1.7 World Wide Web (WWW)

2.1.7.1 Internet encompasses any electronic communication between computers using the TCP/IP protocol, such as e-mail, file transfers etc. WWW is a segment of Internet, which uses Hyper Text Markup Language (HTML) to link together files containing text, rich text, sound, graphics, video etc. and offers a very convenient means of navigating through the net.
It uses the hypertext transfer protocol (HTTP) for communication between computers. Web documents, which are referred to as pages, can contain links to other related documents and so on, in a tree like structure. The person browsing one document can access any other linked page. The web documents and the web browsers, which are the application programs to access them, are designed to be platform independent. Thus any web document can be accessed irrespective of the platform of the computer accessing the document and that of the host computer. The programming capabilities and platform independence of Java and Java applets have further enriched the web. The point and click method of browsing is extremely simple for any lay user of the net. In fact, the introduction of the web since early 1990 has made Internet an extremely popular medium and its use in business has been enhanced dramatically.

2.1.7.2 The next in the HTML genre is the Extensible Markup Language (XML), which allows automated two-way information flow between data stores and browser screens. XML documents provide both the raw content of data and the data structure, and XML is projected by its proponents as taking web technology beyond the limits of HTML.

2.1.8 Wireless Application Protocol (WAP): WAP is the latest industry standard which provides wireless access to Internet through handheld devices like a cellular telephone. This is an open standard promoted by the WAP Forum and has been adopted by all the world's major handset manufacturers. WAP is supplemented by the Wireless Application Environment (WAE), which provides an industry-wide standard for developing applications and services for wireless communication networks. This is based on WWW technology and provides for applications for small screens, with interactive capabilities and adequate security.
Wireless Transaction Protocol (WTP), which is the equivalent of TCP, sets the communication rules, and Wireless Transport Layer Security (WTLS) provides the required security by encrypting all the session data. WAP is set to revolutionize the commercial use of the net.

2.1.9 Security: One of the biggest attractions of Internet as an electronic medium is its openness and freedom. It is a public domain and there is no restriction on who can use it as long as one adheres to its technical parameters. This has also given rise to concerns over the security of data and information transfer and privacy. These concerns are common to any network including closed user group networks. But over the Internet, the dimensions of risk are larger while the control measures are relatively fewer. These issues are discussed in detail in Chapter 5 and Chapter 6 of the report. It will be sufficient to say here that the key components of such concern are: (i) authentication, viz., assurance of the identity of the person in a deal; (ii) authorization, viz., a party doing a transaction is authorized to do so; (iii) the privacy or confidentiality of data and information relating to any deal; (iv) data integrity, viz., assurance that the data has not been altered; and (v) non-repudiation, viz., a party to the deal cannot deny that it originated the communication or data.

2.2 E-Commerce

2.2.1 Even though it started as a network primarily for use by researchers in the defence and scientific community, with the introduction of WWW in the early 1990s, use of Internet for commerce has grown tremendously. E-commerce involves individuals and business organizations exchanging business information and instructions over electronic media using computers, telephones and other telecommunication equipment. Such form of doing business has been in existence ever since the electronic mode of data / information exchange was developed, but its scope was limited only as a medium of exchange of information between entities with a pre-established contractual relationship. However, Internet has changed the approach to e-commerce; it is no longer the same business with an additional channel for information exchange, but one with new strategy and models.
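The five security components listed in paragraph 2.1.9, made concrete in a small added example that is not part of this Report: a constructed funds-transfer instruction is protected with an HMAC under a key shared between customer and bank, which yields data integrity and origin authentication, and is then checked against a constructed authorization table; the comments state which of the five components this mechanism does not supply. All keys, customer ids and account numbers are made up for the example.

```python
import hashlib
import hmac
import json

# Constructed sample values for this example; not real keys or accounts.
SHARED_KEY = b"example-shared-key-between-customer-and-bank"

# Constructed authorization table: which accounts each authenticated
# customer identity may operate on.
AUTHORIZED_ACCOUNTS = {
    "cust-0017": {"ACC-1001", "ACC-1002"},
    "cust-0042": {"ACC-2001"},
}


def canonical(instruction: dict) -> bytes:
    """Serialize the instruction deterministically so that both ends
    compute the tag over exactly the same bytes."""
    return json.dumps(instruction, sort_keys=True, separators=(",", ":")).encode()


def make_tag(instruction: dict, key: bytes = SHARED_KEY) -> str:
    """Customer side: HMAC-SHA256 over the canonical instruction.
    Gives (iv) data integrity and, between the two key holders,
    (i) authentication of origin."""
    return hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()


def verify_tag(instruction: dict, received_tag: str, key: bytes = SHARED_KEY) -> bool:
    """Bank side: recompute and compare in constant time, so that a
    tampered instruction or a forged tag is rejected."""
    return hmac.compare_digest(make_tag(instruction, key), received_tag)


def is_authorized(instruction: dict) -> bool:
    """(ii) Authorization: an authenticated customer may only debit
    accounts that the table assigns to that customer."""
    allowed = AUTHORIZED_ACCOUNTS.get(instruction.get("customer"), set())
    return instruction.get("from_account") in allowed


def process(instruction: dict, received_tag: str) -> str:
    """Bank-side handling order: integrity/authentication first, then
    authorization. Returns a short decision string."""
    if not verify_tag(instruction, received_tag):
        return "rejected: integrity or authentication failure"
    if not is_authorized(instruction):
        return "rejected: customer not authorized for account"
    return "accepted"


# Components this mechanism does NOT supply:
# (iii) confidentiality: the instruction travels in clear; that is the role
#       of the encrypted SSL/TLS session described in 2.1.4;
# (v)   non-repudiation: the bank holds the same shared key and could have
#       produced the tag itself, so the customer can deny origin; that needs
#       a digital signature under a key only the customer holds (PKI, Chapter 6).


def demo() -> dict:
    """Run the three cases and return the bank's decision for each."""
    instr = {"customer": "cust-0017", "from_account": "ACC-1001",
             "to_account": "ACC-2001", "amount": "1500.00", "currency": "INR"}
    tag = make_tag(instr)

    # Case 1: genuine instruction from the key holder.
    genuine = process(instr, tag)

    # Case 2: amount altered in transit; the original tag no longer matches.
    tampered = dict(instr, amount="15000.00")
    altered = process(tampered, tag)

    # Case 3: a key holder trying to debit an account not assigned to it.
    other = dict(instr, from_account="ACC-2001")
    unauthorized = process(other, make_tag(other))

    return {"genuine": genuine, "altered": altered, "unauthorized": unauthorized}


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```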
2.2.2 A business model generally focuses on (i) where the business operates, that is, the market, the competitors and the customers, (ii) what it sells, that is, its products and services, (iii) the channels of distribution, that is, the medium for sale and distribution of its products and (iv) the sources of revenue and expenditure and how these are affected. Internet has influenced all the four components of the business model and thus has come to influence business strategy in a profound way. The size of the market has grown enormously as, technically, one can access the products and services from any part of the world. So has the potential competition. The methods of reaching out to customers, receiving the response and offering services now have a new, simpler and efficient alternative, that is, Internet. The cost of advertisement, offer and delivery of services through Internet has reduced considerably, forcing most companies to rework their strategies to remain in competition.

2.2.3 A research note by Paul Timmers of the European Commission had identified eleven business models, which have been commercially implemented. These are e-shop, e-procurement, e-auction, e-mall, Third-party market place, Virtual communities, Value chain service providers, Value chain integrators, Collaboration platforms and Information brokers. He classified business models along two dimensions, i.e., degree of innovation and extent of integration of functions. The innovation ranged from the electronic version of a traditional way of doing business (e-shop) to more innovative ways by offering functions that did not exist before. The second dimension, i.e., extent of integration, ranges from a single function business model (like e-shop) to fully integrated functionality (value chain integrator). At the top end of the graph are models which cannot be implemented in a traditional way and are critically dependent upon information technology and creating value from information flow.
Business models in between these two limits are a combination of both dimensions in different degrees and have some degree of analogy in traditional firms.

2.2.4 There are two types of e-commerce ventures in operation: the old brick and mortar companies, who have adopted the electronic medium, particularly Internet, to enhance their existing products and services and / or to offer new products and services, and the pure e-ventures who have no visible physical presence. This difference has wider ramifications than mere visibility when it comes to issues like customers' trust, brand equity, ability to service the customers, adopting a new business culture and cost. These aspects of e-commerce will be touched upon in the following discussions.

2.2.5 Another way of classifying e-commerce is by the targeted counterpart of a business, viz., whether the counterpart is a final consumer or another business in the distribution chain. Accordingly, the two broad categories are: Business-to-Consumer (B2C) and Business-to-Business (B2B).

2.2.6 Business-to-Consumer (B2C)

2.2.6.1 In the B2C category are included single e-shops, shopping malls, e-broking, e-auction, e-banking, service providers like travel related services, financial services etc., education, entertainment and any other form of business targeted at the final consumer. Some of the features, opportunities and concerns common to this category of business, irrespective of the business segment, are the following.

2.2.6.2 Opportunities:

2.2.6.2.1 Internet provides an ever-growing market both in terms of number of potential customers and geographical reach. Technological development has made access to Internet both cheaper and faster. More and more people across the globe are accessing the net either through PCs or other devices. The purchasing power and need for quality service of this segment of consumers are considerable. Anybody accessing Internet is a potential customer irrespective of his or her location. Thus, any business targeting final consumers cannot ignore the business potential of Internet.

2.2.6.2.2 Internet offers a unique opportunity to register business presence in a global market. Its effectiveness in disseminating information about one's business in a relatively cost effective manner is tremendous. Time sensitive information can be updated faster than in any other media. A properly designed website can convey a more accurate and focussed image of a product or service than any other media. Use of multimedia capabilities, i.e., sound, picture, movies etc., has made Internet an ideal medium for information dissemination. However, the help of other media is necessary to draw the potential customers to the web site.
2.2.6.2.3 The quality of service is a key feature of any e-commerce venture. The ability to sell one's product at any time and anywhere to the satisfaction of customers is essential for e-business to succeed. Internet offers such opportunity, since the business presence is not restricted by time zone and geographical limitations. Replying to customers' queries through e-mail, setting up Frequently Asked Questions (FAQ) pages for anticipated queries, offering an interactive help line, accepting customers' complaints online 24 hours a day and attending to the same, etc. are some of the features of e-business which enhance the quality of service to the customers. It is of crucial importance for an e-venture to realize that just as it is easier to approach a customer through Internet, it is equally easy to lose him. The customer has the same facility to move over to another site.

2.2.6.2.4 Cost is an important issue in an e-venture. It is generally accepted that the cost of overhead, servicing and distribution, etc. through Internet is less compared to the traditional way of doing business. Although the magnitude of the difference varies depending on the type of business and the estimates made, there is unanimity that Internet provides a substantial cost advantage and this, in fact, is one of the major driving forces for more traditional businesses adopting e-commerce and for pure e-commerce firms to sprout.

2.2.6.2.5 The cost of communication through WWW is the least compared to any other medium. Many a time one's presence on the web may bring in international enquiries, which the business might not have targeted. The business should have proper plans to address such opportunities.

2.2.6.3 Concerns:

2.2.6.3.1 There are a number of obstacles which an e-commerce venture needs to overcome. Trust of customers in a web venture is an important concern. Many customers hesitate to deal with a web venture as they are not sure of the type of products and services they will receive.
This is particularly true in a B2C venture li e e-shop, e-mall or e-auction site. Traditional business with well established brands and goodwill and havinga physical presence face less resistance from cust omers in this regard than a pure e-venture.

2.2.6.3.2 Many B2C ventures ultimately have to deliver a product or service in physical form to the customer for a deal contracted over the Internet. This needs proper logistics, an efficient distribution network and control over the quality of the product or service delivered. These issues are not technology related, and any lapse in this area can drive the customer to a competitor or away from e-commerce altogether.

2.2.6.3.3 The privacy of information on customers' preferences, credit card and bank account details, etc., and customers' faith in a system where such privacy is stated to be ensured, are important issues to be addressed. These are mainly technological issues, but the human factor is important at both the business's end and the customer's end, and in building trust in the system.

2.2.6.3.4 Security of a transaction, authenticity of a deal, identification of a customer, etc. are important technological and systems issues and major sources of concern for e-commerce. Equally important are questions of repudiation of a deal, applicability of law, jurisdiction of tax laws, etc. These matter to all forms of e-commerce, whether B2C or B2B, and to all segments of business (manufacturing, services and finance), and are addressed in different chapters of this report.

2.2.6.3.5 Consumers' access to the Internet is an important issue in the B2C domain. This is particularly so in countries like India, where the penetration of PCs and other Internet access devices into households is minimal. Also important are the availability of bandwidth and other infrastructure for faster and easier access. Since e-commerce aims at a global market, deficiencies of this kind in the developing world are no longer concerns confined to those areas but are global e-commerce concerns.

2.2.7 Business-to-Business (B2B)

2.2.7.1 As opposed to B2C e-commerce, in the B2B domain the parties to a deal are at different points of the product supply chain. Typically, a company, its suppliers and dealers, and the bankers to all the parties are networked to finalize and settle all aspects of a deal online; perhaps only the goods, in different stages of processing, physically move from the supplier to the dealer. This scenario can be extended to include the shipper, providers of different ancillary services, the IT service provider and the payment system gateway, etc., depending on the degree of sophistication of the available systems.

2.2.7.2 Another important feature of the B2B domain, as distinct from B2C, is that business information and data are integrated with the back-office systems of the parties to a deal, so that straight-through processing (STP) or near-STP is achieved. This is a very significant aspect of the B2B model of e-commerce, as it improves profits by lowering costs and reducing inventories.

2.2.7.3 For example, in a B2B environment the back-office system of a company typically controls inventory requirements with reference to the order-book position, updated regularly on the basis of orders received from dealers over the Internet. At the optimum inventory level it raises a purchase order with the supplier, whose system in turn processes the order and confirms supply. The buyer company's system issues debit instructions on its bank account for payment to the supplier, and the buyer's bank credits the seller's bank with the cost of the sale through a payment gateway or through the RTGS system. A similar series of transactions is initiated between the company and its dealers and their respective banks. Once an e-commerce relationship is established between the firms, transactions of this type can be processed with minimal human intervention, 24 hours a day and 7 days a week.

2.2.7.4 New business models are emerging in the B2B domain. There are portals which offer a meeting ground to buyers and sellers of different products in a supply chain, much like a buyer-seller meet in international business. This has enabled relatively smaller companies to enter the global market. Banks present in the portal offer financial services for deals settled through it.

2.2.7.5 Technology and networking are important constituents of a B2B business domain. Earlier, only large firms had access to such technology, and they used private networks with interfaces to each other for information flow and transaction processing. A major concern used to be compatibility of EDI platforms across different B2B partners. The Internet, with the WWW and other standard technology, has given relatively smaller and medium-sized firms the opportunity to integrate their operations in the B2B model and take advantage of the benefits it offers. It has also led to standardization of software platforms.

2.2.7.6 Other new business models in the B2B domain are Application Service Providers (ASPs) and service integrators. ASPs offer application software online to e-commerce companies, which pay according to use without owning it. Often the entire back-office processing is taken care of by ASPs and other service integrators. However, the utility of such service providers will to a large extent depend on the business strategy of the e-venture.

2.2.7.7 The concerns of B2B e-commerce are similar to those of B2C, discussed earlier. The security issues are more pronounced because of the high-value transfers taking place over the net, as are the issues relating to privacy of information, law, tax, repudiation, etc. The other issues of importance to a B2B firm are the choice of appropriate technology, the decision whether to build or outsource, and the maintenance and training of personnel, since these involve large investments and are critical to success.

2.2.7.8 Several studies have attempted to assess the relative importance of the B2B and B2C business domains. There is wide variation in estimates of the volume of business transacted over the Internet and of its B2C and B2B components. However, most studies agree that the volume of transactions in the B2B domain far exceeds that in B2C, which is the expected result. There is also a growing opinion that the future of e-business lies in the B2B domain rather than B2C. This has several reasons, some of which have already been discussed, such as low penetration of PCs into households and low bandwidth availability in a large part of the world. The success of B2C ventures depends to a large extent on the shopping habits of people in different parts of the world.
A survey sponsored jointly by the Confederation of Indian Industries and Infrastructure Leasing and Financial Services on e-commerce in India in 1999 made the following observations: 62% of PC owners, and 75% of PC non-owners who have access to the Internet, would not buy through the net, as they were not sure of the product offered. The same study estimated the size of B2B business in India by the year 2001 at between Rs. 250 billion and Rs. 500 billion. A recent study by Arthur Andersen estimated that 84% of total e-business revenue is generated from the B2B segment and that the growth prospects in this segment are substantial; it put the revenues at anywhere between US$ 2.7 trillion and over US$ 7 trillion within the next three years (by 2003).

2.3 The Growth of Internet Banking and common products:

2.3.1 Internet Banking (Fig. 1) is a product of e-commerce in the field of banking and financial services. In what can be described as the B2C domain of the banking industry, Internet Banking offers online services such as balance enquiry, requests for cheque books, recording of stop-payment instructions, balance transfer instructions, account opening and other traditional banking services. Mostly, these are traditional services offered through the Internet as a new delivery channel. Banks also offer payment services on behalf of customers who shop in different e-shops, e-malls, etc. Further, different banks offer different levels of such services, from level 1, where only information is disseminated through the Internet, to level 3, where online transactions are put through. These aspects have been dealt with in brief in the introductory chapter, and detailed products and services are discussed in chapters 3 and 4. Hence, the following paragraphs discuss I-banking concerns in the B2B domain.
2.3.2 Considering the volume of business that e-commerce, particularly in the B2B domain, has been generating, it is natural that banking would position itself in an intermediary role in settling the transactions and offering other trade-related services. This is true in respect of both the B2C and B2B domains. Besides the traditional roles of financial intermediary and settlement agent, banks have also exploited new opportunities offered by the Internet as integrated service providers, payment gateway service providers, etc. However, the process is still evolving and banks are repositioning themselves around newly emerging e-commerce business models.

2.3.3 In the B2B scenario, a new form of e-commerce marketplace is emerging in which the various players in the production and distribution chain position themselves and achieve a kind of integration in business information flow and processing (STP or near-STP), leading to efficiencies across the entire supply chain and across industries. Banks are positioning themselves in such a market in order to be part of the financial settlements arising out of its transactions and to provide wholesale financial services. This needs integration of business information flow not only across the players in the supply chain but with the banks as well.

2.3.4 With the integration of business information flow and a higher degree of transparency, banks and other financial services institutions have lost some of the information advantage they used to enjoy and factor into the pricing of their products. However, such institutions have the advantage of long-standing relationships, goodwill and brand, which are important sources of assurance in a virtual market. Banks are in fact converting this goodwill into a business component in the e-commerce scenario by providing settlement and other financial services. Some banks have also moved to providing digital certificates for transactions through e-markets.

2.3.5 Banks' strategies in the B2B market are responses to the different business models emerging in e-commerce. A recent study by Arthur Andersen shows that banks and financial services institutions generally adopt one of three business models to respond to e-business challenges. In the first, they treat it as an extension of the existing business, without any significant changes other than procedural ones and those the technology demands. The second strategy takes the same approach as the first but introduces structural changes to the underlying business. In the third approach, banks launch an e-business platform as a business distinct from the existing core business and as a different brand of product. There is no definite answer as to which approach is appropriate; perhaps it depends on the type of market the bank is operating in, its existing competencies, and the legal and regulatory environment. It is, however, certain that e-banking is evolving beyond the traditional limits of banking and that many new products and services are likely to emerge as e-commerce matures.

Chapter-3 - International experience

3.1 Internet banking has presented regulators and supervisors worldwide with new challenges. The Internet, by its very nature, reaches across borders and is for this reason engaging the attention of regulatory and supervisory authorities all over the world. The experience of various countries with Internet banking is outlined in this chapter.

3.2 U.S.A.

3.2.1 In the USA, the number of thrift institutions and commercial banks with transactional websites is 1275, or 12% of all banks and thrifts. Approximately 78% of all commercial banks with more than $5 billion in assets, 43% of banks with $500 million to $5 billion in assets, and 10% of banks under $500 million in assets have transactional websites. Of the 1275 thrifts and commercial banks offering transactional Internet banking, 7 could be considered virtual banks, and 10 traditional banks have established Internet branches or divisions that operate under a unique brand name. Several new business processes and technological advances, such as Electronic Bill Presentment and Payment (EBPP), handheld access devices such as Personal Digital Assistants (PDAs), Internet telephony and wireless communication channels and phones, are emerging in the US market. A few banks have become Internet Service Providers (ISPs), and banks may become Internet portal sites and online service providers in the near future. Reliance on third-party vendors is a common feature of electronic banking ventures of all sizes and degrees of sophistication in the US. Currently, payments made over the Internet are almost exclusively conducted through existing payment instruments and networks.
For retail e-commerce in the US, most payments made over the Internet are currently completed with credit cards and are cleared and settled through the existing credit card clearing and settlement systems. Efforts are under way to make it easier to use debit cards, cheques and the Automated Clearing House (ACH) to make payments over the Internet. Versions of e-money, smart cards, e-cheques and other innovations are being experimented with to support retail payments over the Internet.

3.2.2 There is a matrix of legislation and regulations within the US that specifically codifies the use of, and rights associated with, the Internet and e-commerce in general, and electronic banking and Internet banking activities in particular. Federal and state laws, regulations and court decisions, and self-regulation among industry groups, provide the legal and operational framework for Internet commerce and banking in the USA. The international model laws promulgated by the United Nations Commission on International Trade Law (UNCITRAL) guide member nations on the need to revise existing legal structures to accommodate electronic transactions. Some important laws of general application to commercial activity over the Internet within the US are the Uniform Commercial Code (UCC), the Uniform Electronic Transactions Act (UETA) (which provides that electronic documents and contracts should not be disqualified as legal documents merely because of their electronic form), various state laws and regulations on digital signatures, and national encryption standards and export regulations. Many states already have digital signature and other legislation to enable e-commerce. State laws in this area differ, but the trend is towards technology-neutral legislation. The E-SIGN Act, a new US law that took effect on October 1, 2000, validates contracts concluded by electronic signatures and equates them to those signed in ink on paper. Under the Act, electronic signatures using touch-tones (on a telephone), retinal scans and voice recognition are also acceptable ways of entering into agreements. The E-SIGN Act takes a technology-neutral approach and does not favour the use of any particular technology to validate an electronic document.
The Act, however, does not address which US state's laws would govern an online transaction or which state's courts would have jurisdiction over a dispute.

3.2.3 The Gramm-Leach-Bliley (GLB) Act has substantially eased restrictions on the ability of banks to provide other financial services, and has established new rules for the protection of consumer financial information. The Interagency Statement on Electronic Financial Services and Consumer Compliance (July 1998) addresses consumer protection laws and describes how they can be met in the context of electronic delivery. In addition, the Federal Reserve Board has issued a request for comment on revised proposals that would permit electronic delivery of federally mandated disclosures under the five consumer protection regulations of the FRB (Regulations B, DD, E, M and Z).

3.2.4 The Interpretive Ruling of the Office of the Comptroller of the Currency (OCC) authorizes a national bank to perform, provide or deliver through electronic means and facilities any activity, function, product or service that it is otherwise authorized to perform, provide or deliver. The concerns of the Federal Reserve are limited to ensuring that Internet banking and other electronic banking services are implemented with proper attention to security, the safety and soundness of the bank, and the protection of the bank's customers. Currently, all banks, whether Internet-only or traditional, must apply for a charter according to existing guidelines. The five federal agencies (the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve System (FRS), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS) and the National Credit Union Administration (NCUA)) supervise more than 20,000 institutions. In addition, each state has a supervisory agency for the banks that it charters.
Most financial institutions in the US face no prerequisite conditions or notification requirements before an existing banking institution begins electronic banking activities. For these banks, supervisors gather information on electronic banking during the routine annual examination. Newly chartered Internet banks are subject to the standard chartering procedures. For thrift institutions, however, the OTS has instituted a 30-day advance notification requirement for thrifts that plan to establish a transactional website, and a few state banking departments have instituted a similar notification requirement for transactional Internet banking websites.

3.2.5 Supervisory policy, licensing, legal requirements and consumer protection are generally the same for electronic banking and traditional banking activities. Internet banks are also subject to the same rules, regulations and policy statements as traditional banks. However, in response to the risks posed by electronic banking, the federal banking agencies have begun to issue supervisory guidelines and examination procedures for examiners who review and inspect electronic banking applications. Although specialized examination procedures are used in some areas of Internet banking, the existing information technology examination framework, which addresses access controls, information security, business recovery and other risk areas, generally continues to apply. To assist supervisors in monitoring the expansion of Internet banking, state-chartered and national banks have been required since June 1999 to report their websites' Uniform Resource Locators (URLs) in the Quarterly Reports of Financial Condition submitted to supervisors. In addition, examiners review the potential for reputational risk associated with website information or activities, the potential impact of various Internet strategies on an institution's financial condition, and the need to monitor and manage outsourcing relationships. To address these risks, the OCC is developing specific guidance for establishing Internet-only banks within the US. The Banking Industry Technology Secretariat (BITS) recently announced the formation of a security lab to test and validate the security of software and hardware used by banking organizations. If a bank relies on a third-party provider, it is accepted that the bank should be able to understand the provider's information security programme well enough to evaluate the security system's ability to protect bank and customer data. Examination of service providers' operations, where necessary, is conducted by one or more federal banking agencies pursuant to the Bank Service Company Act, solely to support supervision of banking organizations.
3.2.6 The Federal Financial Institutions Examination Council (FFIEC) introduced the Information Systems (IS) rating system, to be used by federal and state regulators to assess uniformly the risks that information technology introduces at financial institutions and service providers, and to identify those institutions and service providers requiring special supervisory attention. The FFIEC has recently renamed the system the Uniform Rating System for Information Technology (URSIT), with an enhanced audit function. The importance of risk management procedures has been reinforced under the revised system.

3.2.7 Some characteristics of e-money products, such as their relative lack of physical bulk, their potential anonymity and the possibility of effecting fast and remote transfers, make them more susceptible than traditional systems to money laundering. The OCC guidelines lay down an effective "know your customer" policy. Federal financial institution regulators, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) and the Clearing House Interbank Payments System (CHIPS) have issued statements encouraging participants to include information on originators and beneficiaries in payment messages.

3.3 U.K.

3.3.1 Most banks in the U.K. offer transactional services through a wide range of channels, including Wireless Application Protocol (WAP), mobile phones and TV. A number of non-banks have approached the Financial Services Authority (FSA) about charters for virtual banks or "clicks and mortar" operations. There is a move towards banks establishing portals.

3.3.2 The FSA is neutral on the regulation of electronic banks. The current legislation, viz. the Banking Act 1987 and the Building Societies Act, provides it with the necessary powers and the current range of supervisory tools. New legislation, the Financial Services and Markets Bill, adds a significant objective requiring the FSA to promote public understanding of the financial system.
There is, therefore, no special regime for electronic banks. A draft Electronic Banking Guidance for supervisors has, however, been developed. A Guide to Bank Policy has also been published by the FSA; it is technology neutral but specifically covers outsourcing and fraud. The FSA also maintains bilateral discussions with other national supervisors and monitors developments in the European Union (EU), including discussions in the Banking Advisory Committee and the Groupe de Contact. New legislation on money laundering has been proposed, and both the British Bankers' Association and the FSA have issued guidance papers in this regard.

3.3.3 The FSA is actively involved in the Basle Committee's e-banking group, which has identified authorization, prudential standards, transparency, privacy, money laundering and cross-border provision as issues needing further work. The FSA has also been supporting the efforts of the G7 Financial Stability Forum, which is exploring common standards for financial markets; these are particularly relevant to the Internet, which reaches across all borders.

3.3.4 The Financial Services and Markets Bill will replace the current powers under the Banking Act 1987, giving the FSA statutory authority for consumer protection and the promotion of consumer awareness. Consumer compliance is to be ensured through desk-based and on-site supervision. The FSA has an Authorization and Enforcement Division, which checks whether websites referred to it are in violation of U.K. law.

3.3.5 The FSA has issued guidelines on advertising in the U.K. by banks for deposits, investments and other securities, which apply to Internet banking as well; the guidelines include an appendix on Internet banking. The FSA's supervisory policy and powers in relation to breaches of the advertising code (viz. invitations by an unauthorized person to take a deposit within the U.K., fraudulent inducements to make a deposit, illegal use of banking names and descriptions, etc.) are the same for Internet banking as for conventional banking. The FSA does not regard a bank authorized overseas, which targets potential depositors in its home market or in third countries, as falling within U.K. regulatory requirements solely because its website is accessible to Internet users within the U.K., since its advertisements are not aimed at potential U.K. depositors.

3.4 Scandinavia

3.4.1 The Swedish and Finnish markets lead the world in Internet penetration and in the range and quality of their online services.
Merita Nordbanken (MNB) (now Nordic Bank Holding, a merger of Finland's Merita and Sweden's Nordbanken) leads in log-ins per month, with 1.2 million Internet customers, and its penetration rate in Finland (around 45%) is among the highest in the world for a bank of bricks-and-mortar origin. Skandinaviska Enskilda Banken (SEB) was Sweden's first Internet bank, having gone online in December 1996; it has 1,000 corporate clients for its Trading Station, an Internet-based trading mechanism for forex dealing, stock-index futures, and Swedish treasury bills and government bonds. Swedbank is another large Internet bank. Almost all of the approximately 150 banks operating in Norway have established net banks. In Denmark, the Internet banking service of Den Danske offers funds transfers, bill payments, etc.

3.4.2 The basic online activity is paying bills. Swedbank was the first bank in the world to introduce Electronic Bill Presentment and Payment (EBPP) and now handles 2 million bill payments a month. E-shopping is another major Internet banking service: MNB has an online mall of more than 900 shops which accept its Solo payment system, and Swedbank has a similar system called Direkt. Besides using advanced encryption technology, the Scandinavian banks have adopted a basic but effective system known as challenge-response logic, which involves a list of code numbers sent to every online client and used in sequence, in combination with their password or PIN. This gives each transaction a unique code and has so far proved safe. Some banks use even more sophisticated versions of the same technique. Strictly speaking, a pre-issued list consumed in sequence is a one-time code (TAN) list; the scheme is challenge-response in the proper sense only when the bank, not the customer, chooses which code on the list must be supplied for a given transaction. It is not common practice to use third-party vendors for these services.

3.4.3 In Sweden, no formal guidance has been given to examiners by the Sverigesbank on e-banking; the general guidelines apply equally to Internet banking activities. Contractual regularization between customers and the bank is a concern for regulators and is being looked into by the authorities.
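The code-list mechanism described in 3.4.2, as an added example that is not part of this report or of any bank's system: a server-side verifier for a pre-issued list of one-time codes, in both the sequential form the report describes and an indexed form in which the server's challenge names the position on the list it will accept. Everything below the report's description is an assumption made for the example: the server stores only salted hashes of the PIN and of each code, a code is valid exactly once, a transaction is authorised only when PIN and code are both correct, and three consecutive failures lock the account.

```python
"""Verification of a pre-issued list of one-time codes (a TAN list).

Added example, not code from the report or from any Scandinavian bank.
Assumptions not in the report: the server keeps, per customer, a salted
hash of the PIN and of each code; a code is valid exactly once; a
transaction is authorised only when PIN and code are both correct; three
consecutive failures lock the account.  Two modes are shown:
  - sequential: the customer must supply the next unused code on the list
    (the report's description);
  - indexed: the server names the position it wants (its challenge) and
    the customer answers with that code.  Only this variant is genuinely
    challenge-response, since the server picks which code will be accepted.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 50_000  # assumption: slows offline guessing of 6-digit codes


def issue_code_list(length: int = 10, digits: int = 6) -> list[str]:
    """Generate a fresh list of random numeric one-time codes for one customer."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(length)]


def _digest(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class TanAccount:
    """Server-side state for one customer's PIN and code list."""

    MAX_FAILURES = 3

    def __init__(self, pin: str, codes: list[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self.pin_digest = _digest(pin, self.salt)
        # Only digests are kept; a database leak does not expose usable codes directly.
        self.code_digests = [_digest(c, self.salt) for c in codes]
        self.used = [False] * len(codes)
        self.next_index = 0      # sequential mode: next unused position
        self.failures = 0

    def locked(self) -> bool:
        return self.failures >= self.MAX_FAILURES

    def remaining(self) -> int:
        return self.used.count(False)

    def challenge(self) -> int:
        """Indexed mode: the server picks an unused position at random."""
        unused = [i for i, u in enumerate(self.used) if not u]
        if not unused:
            raise RuntimeError("code list exhausted; issue a new list")
        return secrets.choice(unused)

    def verify(self, pin: str, code: str, index: Optional[int] = None) -> bool:
        """Authorise one transaction. index=None means sequential mode.

        A failed attempt never consumes a code; a successful one marks the
        code used so that replaying it is rejected.
        """
        if self.locked():
            return False
        if index is None:
            index = self.next_index
        if index >= len(self.code_digests) or self.used[index]:
            self.failures += 1
            return False
        pin_ok = hmac.compare_digest(self.pin_digest, _digest(pin, self.salt))
        code_ok = hmac.compare_digest(self.code_digests[index], _digest(code, self.salt))
        if not (pin_ok and code_ok):      # both computed: no early exit on a bad PIN
            self.failures += 1
            return False
        self.used[index] = True
        self.failures = 0
        while self.next_index < len(self.used) and self.used[self.next_index]:
            self.next_index += 1
        return True


if __name__ == "__main__":
    codes = issue_code_list(5)           # would be printed and posted to the customer
    acct = TanAccount("1234", codes)
    print("first code accepted:", acct.verify("1234", codes[0]))
    print("replay rejected:    ", not acct.verify("1234", codes[0]))
    i = acct.challenge()
    print(f"server asks for code #{i + 1}:", acct.verify("1234", codes[i], i))
    print("codes remaining:", acct.remaining())
```

The point the report makes about uniqueness per transaction comes from the `used` flags: once a code has authorised something it is dead, so capturing a PIN and code in transit buys the attacker nothing after the legitimate transaction completes. The indexed variant additionally defeats an attacker who has obtained one or two codes from a discarded list, because the server decides which position it will accept.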
3.4.4 The role of the Bank of Finland (Suomen Pankki), as part of its general oversight of financial markets in Finland, has mainly been to monitor the ongoing development of Internet banking without active participation. Numerous issues concerning Internet banking have, however, been examined by the Bank of Finland.

3.4.5 All Internet banks operating from a Norwegian platform are subject to all regular banking regulations, like any other bank. As part of the standard regulation, there is also a specific regulation on banks' use of IT. This regulation dates from 1992, when Internet banking was not the main issue, but it covers all IT systems, including Internet banking. The regulation ensures that banks' purchase, development, use and phasing out of IT systems is conducted in a safe and controlled manner. An Act relating to payment systems defines payment systems as those based on standardized terms for the transfer of funds from or between customer accounts in banks or financial undertakings, where the transfer is based on the use of payment cards, numeric codes or any other form of independent user identification; Internet banking is covered by this regulation. The Banking, Insurance and Securities Commission may order the implementation of remedial measures if there is a violation of its provisions.

3.4.6 In addition to their national laws, countries in Europe are also expected to implement European Union (EU) directives. In 1995, the EU passed a Europe-wide Data Protection Directive aimed at granting individuals greater protection from abuse of their personal information. It also passed the Telecommunications Directive, which prescribes special protection in relation to telephones, digital TV, mobile communications, etc. Every EU country is to have a privacy commissioner to enforce the regulations as they apply within the EU. The EU directive on electronic signatures is also required to be implemented in national law.

3.5 Other Countries

3.5.1 Australia:

3.5.1.1 Internet banking in Australia is offered in two forms: web-based, and through the provision of proprietary software. Initial web-based products have focused on personal banking, whereas the provision of proprietary software has been targeted at the business and corporate sector. Most Australian-owned banks and some foreign subsidiaries of banks have transactional or interactive websites. Online banking services range from financial institutions' websites providing information on financial products to sites enabling account management and financial transactions. Customer services offered online include account monitoring (electronic statements, real-time account balances), account management (bill payments, funds transfers, applying for products online) and financial transactions (securities trading, foreign currency transactions). Electronic Bill Presentment and Payment (EBPP) is at an early stage. Features offered in proprietary software products, which enable business and corporate customers to connect to the financial institution via dial-up, leased line or extranet, include account reporting, improved reconciliation, direct payments, payroll functionality and funds transfers between accounts held at their own or other banks. Apart from closed payment systems (involving a single payment provider), Internet banking and e-commerce transactions in Australia are conducted using long-standing payment instruments and are cleared and settled through the existing clearing and settlement system. Banks rely on third-party vendors, or are involved with outside providers, for a range of products and services including e-banking. Generally, there are no virtual banks licensed to operate in Australia.
3.5.1.2 The Electronic Transactions Act 1999 provides certainty about the legal status of electronic transactions and allows Australians to use the Internet to provide Commonwealth departments and agencies with documents that have the same legal status as traditional paperwork. The Australian Securities and Investments Commission (ASIC) is the Australian regulator responsible for the consumer aspects of banking, insurance and superannuation and, as such, is responsible for developing policy on consumer protection issues relating to the Internet and e-commerce. ASIC currently has a draft proposal to expand the existing Electronic Funds Transfer Code of Conduct (a voluntary code that deals with transactions initiated using a card and a PIN) to cover all forms of consumer technology, including stored-value cards and other new electronic payment products. Australia's anti-money-laundering regulator is the Australian Transaction Reports and Analysis Centre (AUSTRAC).

3.5.1.3 Responsibility for prudential supervision lies with the Australian Prudential Regulation Authority (APRA). APRA does not have any Internet-specific legislation, regulations or policy, and banks are expected to comply with the established legislation and prudential standards. APRA's approach to the supervision of e-commerce activities, like the products and services themselves, is at an early stage and is still evolving. APRA's approach is to visit institutions to discuss their Internet banking initiatives; it is also undertaking a survey of the e-commerce activities of all regulated financial institutions. The growing reliance on third-party or outside providers of e-banking is an area on which APRA is increasingly focusing.

3.5.2 New Zealand:

3.5.2.1 The major banks offer Internet banking services to customers, operated as a division of the bank rather than as a separate legal entity.

3.5.2.2 The Reserve Bank of New Zealand applies the same approach to the regulation of Internet banking activities and traditional banking activities. There are, however, no banking supervision regulations that apply only to Internet banking. Supervision is based on public disclosure of information rather than the application of detailed prudential rules, and these disclosure rules apply to Internet banking activity as well.

3.5.3 Singapore:

3.5.3.1 The Monetary Authority of Singapore (MAS) has reviewed its current framework for licensing, prudential regulation and supervision of banks to ensure its relevance in the light of developments in Internet banking, whether as an additional channel, as a specialized division, or as stand-alone entities (Internet Only Banks, IOBs) owned either by existing banks or by new players entering the banking industry. MAS's existing policy already allows all banks licensed in Singapore to use the Internet to provide banking services. MAS subjects Internet banking, including IOBs, to the same prudential standards as traditional banking. It will grant new licences to banking groups incorporated in Singapore to set up bank subsidiaries if they wish to pursue new business models, giving them the flexibility to decide whether to engage in Internet banking through a subsidiary or within the bank (where no additional licence is required).
MAS will also be admitting branches of foreign incorporated IOBs within the existing framework of admission of foreign banks.

3.5.3.2 As certain types of risk are accentuated in Internet banking, a risk-based supervisory approach, tailored to individual banks' circumstances and strategies, is considered more appropriate by MAS than one-size-fits-all regulation. MAS requires public disclosures of such undertakings, as part of its requirement for all banks to enhance disclosure of their risk management systems. It is issuing a consultative document on Internet banking security and technology risk management. In their risk management initiatives for Internet banking relating to security and technology related risks, banks should (a) implement appropriate workflow, authenticated process and control procedures surrounding physical and system access; (b) develop, test, implement and maintain disaster recovery and business contingency plans; (c) appoint an independent third party specialist to assess their security and operations; (d) clearly communicate to customers their policies with reference to the rights and responsibilities of the bank and customer, particularly issues arising from errors in security systems and related procedures. For liquidity risk, banks, especially IOBs, should establish robust liquidity contingency plans and appropriate Asset-Liability Management systems. As regards operational risk, banks should carefully manage outsourcing of operations, and maintain comprehensive audit trails of all such operations. As far as business risk is concerned, IOBs should maintain and continually update a detailed system of performance measurement.

3.5.3.3 MAS encourages financial institutions and industry associations such as the Association of Banks in Singapore (ABS) to play a proactive role in educating consumers on the benefits and risks of new financial products and services offered by banks, including Internet banking services.
3.5.4 Hong Kong:

3.5.4.1 There has been a spate of activity in Internet banking in Hong Kong. Two virtual banks are being planned. It is estimated that almost 15% of transactions are processed on the Internet. During the first quarter of 2000, seven banks began Internet services. Banks are participating in strategic alliances for e-commerce ventures and are forming alliances for Internet banking services delivered through Jetco (a bank consortium operating an ATM network in Hong Kong). A few banks had earlier launched transactional mobile phone banking for retail customers.

3.5.4.2 The Hong Kong Monetary Authority (HKMA) requires that banks discuss their business plans and risk management measures before launching a transactional website. HKMA has the right to carry out inspections of security controls and obtain reports from the home supervisor, external auditors or experts commissioned to produce reports. HKMA is developing specific guidance on information security with the guiding principle that security should be fit for purpose. HKMA requires that risks in Internet banking systems be properly controlled. The onus of maintaining adequate systems of control, including those in respect of Internet banking, ultimately lies with the institution itself. Under the Seventh Schedule to the Banking Ordinance, one of the authorization criteria is the requirement to maintain adequate accounting systems and adequate systems of control. Banks should continue to acquire state-of-the-art technologies and to keep pace with developments in security measures. The HKMA's supervisory approach is to hold discussions with individual institutions who wish to embark on Internet banking to allow them to demonstrate how they have properly addressed the security systems before starting to provide such services, particularly in respect of the following: (i) encryption by industry proven techniques of data accessible by outsiders, (ii) preventive measures against unauthorized access to the banks' internal computer systems, (iii) a set of comprehensive security policies and procedures, (iv) reporting to HKMA all security incidents and the adequacy of security measures on a timely basis. At present, it has not been considered necessary to codify security objectives and requirements into a guideline. The general security objectives for institutions intending to offer Internet banking services should have been considered and addressed by such institutions.
3.5.4.3 HKMA has issued guidelines on Authorization of Virtual Banks under Section 16(10) of the Banking Ordinance under which (i) the HKMA will not object to the establishment of virtual banks in Hong Kong provided they can satisfy the same prudential criteria that apply to conventional banks; (ii) a virtual bank which wishes to carry on banking business in Hong Kong must maintain a physical presence in Hong Kong; (iii) a virtual bank must maintain a level of security which is appropriate to the type of business which it intends to carry out, and a copy of a report on the security of computer hardware, systems, procedures, controls etc. from a qualified independent expert should be provided to the HKMA at the time of application; (iv) a virtual bank must put in place appropriate policies, procedures and controls to meet the risks involved in the business; (v) the virtual bank must set out clearly in the terms and conditions for its service what are the rights and obligations of its customers; (vi) outsourcing by virtual banks to a third party service provider is allowed, provided HKMA's guidelines on outsourcing are complied with. There are principles applicable to locally incorporated virtual banks and those applicable to overseas-incorporated virtual banks.

3.5.4.4 Consumer protection laws in Hong Kong do not apply specifically to e-banking, but banks are expected to ensure that their e-services comply with the relevant laws. The Code of Banking Practice is being reviewed to incorporate safeguards for customers of e-banking.

3.5.4.5 Advertising for taking deposits to a location outside Hong Kong is a violation unless disclosure requirements are met. Consideration is being given as to whether this is not too onerous in the context of the global nature of the Internet.
3.5.4.6 Recognising the relevance of Public Key Infrastructure (PKI) in Hong Kong to the development of Internet banking and other forms of e-commerce, the government of Hong Kong has invited the Hong Kong Postal Authority to serve as public Certificate Authority (CA) and to establish the necessary PKI infrastructure. There is no bar, however, on the private sector setting up CAs to serve the specific needs of individual networks. There should be cross-references and mutual recognition of digital signatures among CAs. The Government is also considering whether and, if so, how the legal framework should be strengthened to provide a firm legal basis for electronic transactions (particularly for digital signatures, to ensure non-repudiation of electronic messages and transactions).

3.5.5 Japan:

3.5.5.1 Banks in Japan are increasingly focusing on e-banking transactions with customers. Internet banking is an important part of their strategy. While some banks provide services such as inquiry, settlement, purchase of financial products and loan application, others are looking at setting up finance portals with non-finance business corporations. Most banks use outside vendors in addition to in-house services.

3.5.5.2 The current regulations of the Bank of Japan on the physical presence of bank branches are undergoing modifications to take care of licensing of banks and their branches with no physical presence. The Report of the Electronic Financial Services Study Group (EFSSG) has made recommendations regarding the supervision and regulation of electronic financial services. Financial institutions are required to take sufficient measures for risk management of service providers and the authorities are required to verify that such measures have been taken. Providing information about non-financial businesses on a bank web site is not a violation as long as it does not constitute a business itself.

3.5.5.3 With respect to consumer protection it is felt that guidance, and not regulations, should encourage voluntary efforts of individual institutions in this area. Protection of private information, however, is becoming a burning issue in Japan both within and outside the field of e-banking. Japanese banks are currently required by law to place disclosure publications in their offices (branches). However, Internet Only banks are finding it difficult to satisfy this requirement. The Report of the EFSSG recommends that financial service providers that operate a transactional website should practise online disclosure through electronic means at the same time and with equivalent contents as paper based disclosure. They should also explain the risks and give customers a fair chance to ask queries.
The Government of Japan intends to introduce comprehensive Data Protection Legislation in the near future.

3.5.5.4 There are no restrictions or requirements on the use of cryptography. The Ministry of International Trade and Industry (MITI)'s approval is required to export encryption technology.

3.6 Conclusion

World over, electronic banking is making rapid strides due to evolving communication technology. Penetration of Internet banking is increasing in most countries. Wireless Application Protocol (WAP) is an emerging service which banks worldwide are also offering. The stiff competition in this area exposes banks to substantial risks. The need is being felt overseas that transparency and disclosure requirements should be met by the e-banking community. While existing regulations and legislation applicable to traditional banking are being extended to banks' Internet banking and electronic banking services, it is recognized that Internet security, customer authentication and other issues such as technology outsourcing pose unique risks. Central Banks worldwide are addressing such issues with focused attention. Special legislation and regulations are being framed by the regulators and supervisors for proper management of the different types of risks posed by these services. The reliance on outsourcing is an area where overseas regulators and supervisors are focusing their attention, with banks having to regularly review and test business continuity, recovery and incident response plans in order to maintain their reputation of trust. Consumer protection and data privacy are areas which assume great significance when banking transactions are carried over a medium as insecure as the Internet. Many countries are looking at special consumer protection/data privacy legislation for an e-commerce environment. The presence of virtual banks or Internet only banks and the licensing requirements for such entities are also areas which are being looked into by overseas authorities. There has also been co-operation among the regulators and supervisors to meet the challenges of virtual cross-border e-banking, particularly in the light of the possibility of increased money laundering activities through the medium of the Internet. Internet banking is universally seen as a welcome development, and efforts are being made to put in place systems to manage and control the risks involved without restricting this service.

Chapter -4 -The Indian Scenario

4.1 The entry of Indian banks into Net Banking

4.1.1 Internet banking, both as a medium of delivery of banking services and as a strategic tool for business development, has gained wide acceptance internationally and is fast catching up in India with more and more banks entering the fray. India can be said to be on the threshold of a major banking revolution with net banking having already been unveiled. A recent questionnaire to which 46 banks responded has revealed that at present 11 banks in India are providing Internet banking services at different levels, 22 banks propose to offer Internet banking in the near future, while the remaining 13 banks have no immediate plans to offer such a facility.

4.1.2 At present, the total Internet users in the country are estimated at 9 lakh. However, this is expected to grow exponentially to 90 lakh by 2003. Only about 1% of Internet users did banking online in 1998. This increased to 16.7% in March 2000.* The growth potential is, therefore, immense. Further incentives provided by banks would dissuade customers from visiting physical branches, and thus get them hooked to the convenience of arm-chair banking. The facility of accessing their accounts from anywhere in the world by using a home computer with an Internet connection is particularly fascinating to Non-Resident Indians and High Networth Individuals having multiple bank accounts.

4.1.3 Costs of banking service through the Internet form a fraction of costs through conventional methods. Rough estimates assume teller cost at Re.1 per transaction, ATM transaction cost at 45 paise, phone banking at 35 paise, debit cards at 20 paise and Internet banking at 10 paise per transaction. The cost-conscious banks in the country have therefore actively considered use of the Internet as a channel for providing services.
Fully computerized banks, with better management of their customer base, are in a stronger position to cross-sell their products through this channel.

* Source: India Research, May 29, 2000, Kotak Securities

4.2 Products and services offered

4.2.1 Banks in India are at different stages of the web-enabled banking cycle. Initially, a bank which does not have a web site allows its customers to communicate with it through an e-mail address; communication is limited to a small number of branches and offices which have access to this e-mail account. As yet, many scheduled commercial banks in India are still in this first stage of Internet banking operations.

4.2.2 With gradual adoption of Information Technology, the bank puts up a web-site that provides general information on the bank, its location, services available e.g. loan and deposit products, application forms for downloading and an e-mail option for enquiries and feedback. It is largely a marketing or advertising tool. For example, Vijaya Bank provides information on its web-site about its NRI and other services. Customers are required to fill in applications on the Net and can later receive loans or other products requested for at their local branch. A few banks allow the customer to enquire into his demat account (securities/shares) holding details, transaction details and status of instructions given by him. These web sites still do not allow online transactions for their customers.

4.2.3 Some of the banks permit customers to interact with them and transact electronically with them. Such services include request for opening of accounts, requisition for cheque books, stop payment of cheques, viewing and printing statements of accounts, movement of funds between accounts within the same bank, querying on status of requests, instructions for opening of Letters of Credit and Bank Guarantees etc. These services are being initiated by banks like ICICI Bank Ltd., HDFC Bank Ltd., Citibank, Global Trust Bank Ltd., UTI Bank Ltd., Bank of Madura Ltd., Federal Bank Ltd. etc. Recent entrants in Internet banking are Allahabad Bank (for its corporate customers, through its Allnet service) and Bank of Punjab Ltd. State Bank of India has announced that it will be providing such services soon. Certain banks like ICICI Bank Ltd. have gone a step further within the transactional stage of Internet banking by allowing transfer of funds by an account holder to any other account holder of the bank.

4.2.4 Some of the more aggressive players in this area such as ICICI Bank Ltd., HDFC Bank Ltd., UTI Bank Ltd., Citibank, Global Trust Bank Ltd. and Bank of Punjab Ltd. offer the facility of receipt, review and payment of bills on-line. These banks have tied up with a number of utility companies. The Infinity service of ICICI Bank Ltd. also allows online real time shopping mall payments to be made by customers. HDFC Bank Ltd. has made e-shopping online and real time with the launch of its payment gateway. It has tied up with a number of portals to offer business-to-consumer (B2C) e-commerce transactions. The first online real time e-commerce credit card transaction in the country was carried out on the Easy3shoppe.com shopping mall, enabled by HDFC Bank Ltd. on a VISA card.

4.2.5 Banks like ICICI Bank Ltd., HDFC Bank Ltd. etc. are thus looking to position themselves as one stop financial shops. These banks have tied up with computer training companies, computer manufacturers, Internet Service Providers and portals for expanding their Net banking services, and widening their customer base. ICICI Bank Ltd. has set up a web based joint venture for on-line distribution of its retail banking products and services on the Internet, in collaboration with Satyam Infoway, a private ISP, through a portal named icicisify.com. The customer base of the www.satyamonline.com portal is also available to the bank. Setting up of Internet kiosks and permeation through the cable television route to widen the customer base are other priority areas in the agendas of the more aggressive players. Centurion Bank Ltd. has taken up an equity stake in the teauction.com portal, which aims to bring together buyers, sellers, registered brokers, suppliers and associations in the tea market and substitute their physical presence at the auctions announced.

4.2.6 Banks providing Internet banking services have been entering into agreements with their customers setting out the terms and conditions of the services.
The terms and conditions include information on the access through user-id and secret password, minimum balance and charges, authority to the bank for carrying out transactions performed through the service, liability of the user and the bank, disclosure of personal information for statistical analysis and credit scoring also, non-transferability of the facility, notices and termination, etc.

4.2.7 The race for market supremacy is compelling banks in India to adopt the latest technology on the Internet in a bid to capture new markets and customers. HDFC Bank Ltd. with its Freedom (the e-Age Saving Account Service), Citibank with Suvidha and ICICI Bank Ltd. with its Mobile Commerce service have tied up with cellphone operators to offer Mobile Banking to their customers. Global Trust Bank Ltd. has also announced that it has tied up with cellular operators to launch mobile banking services. Under Mobile Banking services, customers can scan their accounts to seek balance and payments status or instruct banks to issue cheques, pay bills or deliver statements of accounts. It is estimated that by 2003, cellular phones will have become the premier Internet access device, outselling personal computers. Mobile banking will further minimise the need to visit a bank branch.

4.3 The Future Scenario

4.3.1 Compared to banks abroad, Indian banks offering online services still have a long way to go. For online banking to reach a critical mass, there has to be a sufficient number of users and sufficient infrastructure in place. The Infinity product of ICICI Bank Ltd. gets only about 30,000 hits per month, with around 3,000 transactions taking place on the Net per month through this service. Though various security options like line encryption, branch connection encryption, firewalls, digital certificates, automatic sign-offs, random pop-ups and disaster recovery sites are in place or are being looked at, there is as yet no Certification Authority in India offering Public Key Infrastructure, which is absolutely necessary for online banking. The customer can only be assured of a secured conduit for its online activities if an authority certifying digital signatures is in place. The communication bandwidth available today in India is also not enough to meet the needs of high priority services like online banking and trading. Banks offering online facilities need to have an effective disaster recovery plan along with comprehensive risk management measures. Banks offering online facilities also need to calculate their downtime losses, because even a few minutes of downtime in a week could mean substantial losses. Some banks even today do not have uninterrupted power supply units or systems to take care of prolonged power breakdown. Proper encryption of data and effective use of passwords are also matters that leave a lot to be desired. Systems and processes have to be put in place to ensure that errors do not take place.

4.3.2 Users of Internet Banking Services are required to fill up the application forms online and send a copy of the same by mail or fax to the bank. A contractual agreement is entered into by the customer with the bank for using the Internet banking services. In this way, personal data in the application forms is being held by the bank providing the service. The contract details are often one-sided, with the bank having the absolute discretion to amend or supplement any of the terms at any time. For these reasons domestic customers, for whom other access points such as ATMs, telebanking, personal contact, etc. are available, are often hesitant to use the Internet banking services offered by Indian banks. Internet Banking, as an additional delivery channel, may, therefore, be attractive / appealing as a value added service to domestic customers. Non-resident Indians, for whom it is expensive and time consuming to access their bank accounts maintained in India, find net banking very convenient and useful.

4.3.3 The Internet is in the public domain, whereby geographical boundaries are eliminated. Cyber crimes are therefore difficult to identify and control. In order to promote Internet banking services, it is necessary that the proper legal infrastructure is in place. Government has introduced the Information Technology Bill, which has already been notified in October 2000. Section 72 of the Information Technology Act, 2000 casts an obligation of confidentiality against disclosure of any electronic record, register, correspondence and information, except for certain purposes, and violation of this provision is a criminal offence. Notification for appointment of Authorities to certify digital signatures, ensuring confidentiality of data, is likely to be issued in the coming months.
Comprehensive enactments like the Electronic Funds Transfer Act in U.K. and data protection rules and regulations in the developed countries are in place abroad to prevent unauthorized access to data, mala fide or otherwise, and to protect the individual's rights of privacy. The legal issues are, however, being debated in our country and it is expected that some headway will be made in this respect in the near future.

4.3.4 Notwithstanding the above drawbacks, certain developments taking place at present, and expected to take place in the near future, would create a conducive environment for online banking to flourish. For example, Internet usage is expected to grow with cheaper bandwidth cost. The Department of Telecommunications (DoT) is moving fast to make available additional bandwidth, with the result that Internet access will become much faster in the future. This is expected to give a fillip to Internet banking in India.

4.3.5 The proposed setting up of a Credit Information Bureau for collecting and sharing credit information on borrowers of lending institutions online would give a fillip to electronic banking. The deadline set by the Chief Vigilance Commissioner for computerisation of not less than 70 percent of the banks' business by end of January 2001 has also given a greater thrust to development of banking technology. The recommendations of the Vasudevan Committee on Technological Upgradation of Banks in India have also been circulated to banks for implementation. In this background, banks are moving in for technological upgradation on a large scale. Internet banking is expected to get a boost from such developments.

4.3.6 Reserve Bank of India has taken the initiative for facilitating real time funds transfer through the Real Time Gross Settlement (RTGS) System. Under the RTGS system, transmission, processing and settlement of the instructions will be done on a continuous basis. Gross settlement in a real time mode eliminates credit and liquidity risks. Any member of the system will be able to access it through only one specified gateway in order to ensure rigorous access control measures at the user level. The system will have various levels of security, viz., access security, 128 bit cryptography, firewall, certification etc. Further, a Generic Architecture (see fig. 2), both domestic and cross border, aimed at providing inter-connectivity across banks has been accepted for implementation by RBI. Following a reference made this year in the Monetary and Credit Policy statement of the Governor, banks have been advised to develop domestic generic models in their computerization plans to ensure seamless integration. The abovementioned efforts would enable online banking to become more secure and efficient.

4.3.7 With the process of dematerialisation of shares having gained considerable ground in recent years, banks have assumed the role of depository participants. In addition to customers' deposit accounts, they also maintain demat accounts of their clients. Online trading in equities is being allowed by SEBI. This is another area which banks are keen to get into. HDFC Bank Ltd. has tied up with about 25 equity brokerages for enabling third party transfer of funds and securities through its business-to-business (B2B) portal, e-Net. Demat account holders with the bank can receive securities directly from the brokers' accounts. The bank has extended its web interface to the software vendors of the National Stock Exchange through a tie-up with NSE.IT, the infotech arm of the exchange. The bank functions as the payment bank for enabling funds transfer from its customers' accounts to brokers' accounts. The bank is also setting up a net broking arm, HDFC Securities, for enabling trading in stocks through the web. The focus on capital market operations through the web is based on the bank's strategy of tapping customers interested in trading in equities through the Internet. Internet banking thus promises to become a popular delivery channel not only for retail banking products but also for online securities trading.

4.3.8 An upcoming payment gateway is being developed by ICICI and Global Tele System, which will enable customers to transfer funds to banks which are part of the project. Transfer of funds can be made through credit/debit/smart cards and cheques, with the central payment switch enabling the transactions.
Banks are showing interest in this new concept, which will facilitate inter-bank funds transfers and other e-commerce transactions, thus highlighting the role of banks in e-commerce as intermediaries between buyers and sellers in the whole payment process.

4.3.9 WAP (Wireless Application Protocol) telephony is the merger of mobile telephony with the Internet. It offers two-way connectivity, unlike Mobile Banking where the customer communicates to a mailbox answering machine. Users may surf their accounts, download items and transact a wider range of options through the cellphone screen. WAP may provide the infrastructure for P2P (person to person) or P2M (person to merchant) payments. It would be ideal for transactions that do not need any cash backup, such as online investments. Use of this cutting edge technology could well determine which bank obtains the largest market share in electronic banking. IDBI Bank Ltd. has recently launched its WAP-based mobile phone banking services (offering facilities such as banking enquiry, cheque book request, statements request, details of the bank's products etc).

4.3.10 At present, there are only 2.6 phone connections per 100 Indians, against the world average of 15 connections per 100. The bandwidth capacity available in the country is only 3.2 gigabits per second, which is around 60% of current demand. Demand for bandwidth is growing by 350% a year in India. With the help of the latest technology, Indian networks will be able to handle 40 gigabits of Net traffic per second (as compared to 10 gigabits per second in Malaysia). Companies like Reliance, Bharti Telecom and the Tata Group are investing billions of rupees to build fibre optic lines and telecom infrastructure for data, voice and Internet telephony. The online population has increased from just 500,000 in 1998 to 5 million in 2000. By 2015, the online population is expected to reach 70 million. IT services is a $1.5 billion industry in India growing at a rate of 55% per annum. Keeping in view all the above developments, Internet banking is likely to grow at a rapid pace and most banks will enter into this area soon. Rapid strides are already being made in banking technology in India and Internet banking is a manifestation of this. Every day sees new tie-ups, innovations and strategies being announced by banks. State Bank of India has recently announced its intention to form an IT subsidiary. A sea change in banking services is on the cards. It would, however, be essential to have in place a proper regulatory, supervisory and legal framework, particularly as regards security of transactions over the Net, for regulators and customers alike to be comfortable with this form of banking.

Chapter- 5- Types of risks associated with Internet banking

5.1 A major driving force behind the rapid spread of i-banking all over the world is its acceptance as an extremely cost effective delivery channel of banking services as compared to other existing channels. However, the Internet is not an unmixed blessing to the banking sector. Along with reduction in cost of transactions, it has also brought about a new orientation to risks and even new forms of risks to which banks conducting i-banking expose themselves. Regulators and supervisors all over the world are concerned that while banks should remain efficient and cost effective, they must be conscious of the different types of risks this form of banking entails and have systems in place to manage the same. An important and distinctive feature is that technology plays a significant part both as source and tool for control of risks. Because of rapid changes in information technology, there is no finality either in the types of risks or their control measures. Both evolve continuously. The thrust of regulatory action in risk control has been to identify risks in broad terms and to ensure that banks have minimum systems in place to address the same and that such systems are reviewed on a continuous basis in keeping with changes in technology. In the following paragraphs a generic set of risks are discussed as the basis for formulating general risk control guidelines, which this Group will address.

5.2 Operational risk: Operational risk, also referred to as transactional risk, is the most common form of risk associated with i-banking. It takes the form of inaccurate processing of transactions, non-enforceability of contracts, compromises in data integrity, data privacy and confidentiality, unauthorized access / intrusion to banks' systems and transactions etc. Such risks can arise out of weaknesses in design, implementation and monitoring of banks' information systems. Besides inadequacies in technology, human factors like negligence by customers and employees, fraudulent activity of employees and crackers / hackers etc. can become potential sources of operational risk. Often there is a thin line of difference between operational risk and security risk and both terminologies are used interchangeably.

5.3 Security risk:

5.3.1 The Internet is a public network of computers which facilitates flow of data / information and to which there is unrestricted access. Banks using this medium for financial transactions must, therefore, have proper technology and systems in place to build a secured environment for such transactions.

5.3.2 Security risk arises on account of unauthorized access to a bank's critical information stores like accounting system, risk management system, portfolio management system, etc. A breach of security could result in direct financial loss to the bank. For example, hackers operating via the Internet could access, retrieve and use confidential customer information and also implant viruses. This may result in loss of data, theft of or tampering with customer information, disabling of a significant portion of the bank's internal computer system thus denying service, cost of repairing these etc. Other related risks are loss of reputation, infringing customers' privacy and its legal implications etc. Thus, access control is of paramount importance. Controlling access to banks' systems has become more complex in the Internet environment, which is a public domain, and attempts at unauthorized access could emanate from any source and from anywhere in the world, with or without criminal intent. Attackers could be hackers, unscrupulous vendors, disgruntled employees or even pure thrill seekers. Also, in a networked environment the security is limited to its weakest link. It is therefore necessary that banks critically assess all interrelated systems and have access control measures in place in each of them.
5.3.3 In addition to external attacks, banks are exposed to security risk from internal sources, e.g. employee fraud. Employees, being familiar with the different systems and their weaknesses, become potential security threats in a loosely controlled environment. They can manage to acquire authentication data in order to access customer accounts, causing losses to the bank.

5.3.4 Unless specifically protected, all data / information transferred over the Internet can be monitored or read by unauthorized persons. There are programs such as sniffers which can be set up at web servers or other critical locations to collect data like account numbers, passwords, account and credit card numbers. Data privacy and confidentiality issues are relevant even when data is not being transferred over the net. Data residing in web servers or even in banks' internal systems is susceptible to corruption if not properly isolated from the Internet through firewalls.

5.3.5 The risk of unauthorized data alteration, whether intentional or unintentional, is real in a networked environment, both when data is being transmitted and when it is stored. Proper access control and technological tools to ensure data integrity are of utmost importance to banks. Another important aspect is whether systems are in place to quickly detect any such alteration and raise an alert.

5.3.6 The identity of the person making a request for a service or a transaction as a customer is crucial to the legal validity of the transaction and is a source of risk to a bank. A computer connected to the Internet is identified by its IP (Internet Protocol) address. There are methods available to masquerade one computer as another, commonly known as IP spoofing. Likewise, user identity can be misrepresented. Hence, authentication control is an essential security step in any e-banking system.

5.3.7 Non-repudiation involves creating a proof of communication between two parties, say the bank and its customer, which neither can deny later. A bank's system must be technologically equipped to handle these aspects, which are potential sources of risk.

5.4 System architecture and design

5.4.1 Appropriate system architecture and control is an important factor in managing various kinds of operational and security risk. Banks face the risk of a wrong choice of technology, improper system design and inadequate control processes. For example, if access to a system is based only on an IP address, any user can gain access by masquerading as a legitimate user, spoofing the IP address of a genuine user. Numerous protocols are used for communication across the Internet. Each protocol is designed for specific types of data transfer.
A system allowing communication with all protocols, say HTTP (Hyper Text Transfer Protocol), FTP (File Transfer Protocol), telnet, etc., is more prone to attack than one designed to permit, say, only HTTP.

5.4.2 Choice of appropriate technology is a potential risk banks face. Technology which is outdated, not scalable or not proven could land the bank with an investment loss, a vulnerable system and inefficient service, with attendant operational and security risks and also the risk of loss of business.

5.4.3 Many banks rely on outside service providers to implement, operate and maintain their e-banking systems. Although this may be necessary when banks do not have the requisite expertise, it adds to the operational risk. The service provider gains access to all critical business information and technical systems of the bank, thus making the system vulnerable. In such a scenario, the choice of vendor, the contractual arrangement for providing the service, etc., become critical components of the bank's security. A bank should educate its own staff, and over-dependence on these vendors should be avoided as far as possible.

5.4.4 Not updating the bank's systems in keeping with rapidly changing technology increases operational risk because it leaves holes in the bank's security. Also, staff may fail to fully understand the nature of new technology employed. Further, if updating is left entirely to the customer's end, it may not be updated as required by the bank. Thus education of the staff as well as of users plays an important role in avoiding operational risk.

5.4.5 Approaches to reducing security-related operational risk are discussed in detail in Chapter 6. These include access control, use of firewalls, cryptographic techniques, public key encryption, digital signatures, etc.

5.5 Reputational risk

5.5.1 Reputational risk is the risk of attracting significant negative public opinion, which may result in a critical loss of funding or customers.
Such risks arise from actions which cause a major loss of public confidence in the bank's ability to perform critical functions or which impair the bank-customer relationship. It may be due to the bank's own action or due to third party action.

5.5.2 The main reasons for this risk may be a system or product not working to the expectations of customers, significant system deficiencies, a significant security breach (due to either internal or external attack), inadequate information to customers about product use and problem resolution procedures, or significant problems with communication networks that impair customers' access to their funds or account information, especially if there are no alternative means of account access. Such a situation may cause customers to discontinue use of the product or service. Directly affected customers may leave the bank, and others may follow if the problem is publicized.

5.5.3 Other reasons include losses at a similar institution offering the same type of services, causing customers to view other banks also with suspicion; targeted attacks on a bank, like a hacker spreading inaccurate information about bank products; a virus disturbing the bank's systems, causing system and data integrity problems, etc.

5.5.4 Possible measures to avoid this risk are testing the system before implementation, back-up facilities, contingency plans including plans to address customer problems during system disruptions, deploying virus checking, deploying ethical hackers to plug the loopholes, and other security measures.

5.5.5 It is significant not only for a single bank but also for the system as a whole. Under extreme circumstances, such a situation might lead to systemic disruptions in the banking system as a whole. Thus the role of the regulator becomes even more important, as not even a single bank can be allowed to fail.

5.6 Legal risk

5.6.1 Legal risk arises from violation of, or non-conformance with, laws, rules, regulations or prescribed practices, or when the legal rights and obligations of parties to a transaction are not well established.

5.6.2 Given the relatively new nature of Internet banking, rights and obligations are in some cases uncertain, and the applicability of laws and rules is uncertain or ambiguous, thus causing legal risk.

5.6.3 Other reasons for legal risk are uncertainty about the validity of some agreements formed via electronic media, and the law regarding customer disclosures and privacy protection.
A customer inadequately informed about his rights and obligations may not take proper precautions in using Internet banking products or services, leading to disputed transactions, unwanted suits against the bank or other regulatory sanctions.

5.6.4 In the enthusiasm of enhancing customer service, a bank may link its Internet site to other sites also. This may cause legal risk. Further, a hacker may use the linked site to defraud a bank customer.

5.6.5 If banks are allowed to play a role in authentication systems, such as acting as a Certification Authority, it will bring additional risks. A digital certificate is intended to ensure that a given signature is, in fact, generated by a given signer. Because of this, the certifying bank may become liable for financial losses incurred by a party relying on the digital certificate.

5.7 Money laundering risk

5.7.1 As Internet banking transactions are conducted remotely, banks may find it difficult to apply traditional methods for detecting and preventing undesirable criminal activities. Application of money laundering rules may also be inappropriate for some forms of electronic payments. Thus banks expose themselves to money laundering risk. This may result in legal sanctions for non-compliance with know-your-customer laws.

5.7.2 To avoid this, banks need to design proper customer identification and screening techniques, develop audit trails, conduct periodic compliance reviews, and frame policies and procedures to spot and report suspicious activities in Internet transactions.

5.8 Cross border risks

5.8.1 Internet banking is based on technology that, by its very nature, is designed to extend the geographic reach of banks and customers. Such market expansion can extend beyond national borders. This causes various risks.
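The non-repudiation requirement in 5.3.7 and the signer-to-certificate binding that 5.6.5 depends on can be shown with an Ed25519 signature over a transfer instruction. This is an added example in Go, not code from the report or from any bank; the Transfer fields, the customer identifiers and the in-memory key registry standing in for a certificate directory are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transfer is a constructed instruction that the customer signs. Every field is
// part of the signed bytes, so changing any one of them invalidates the signature.
type Transfer struct {
	From     string `json:"from"`
	To       string `json:"to"`
	Amount   int64  `json:"amount"`   // smallest currency unit
	Sequence uint64 `json:"sequence"` // per-customer counter so the bank can refuse replays
}

// canonical returns the exact bytes both sides sign and verify. encoding/json
// writes struct fields in declaration order, so the encoding is deterministic.
func canonical(t Transfer) []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err)
	}
	return b
}

// registry stands in for the certificate step in 5.6.5: a binding from customer
// id to public key that the bank (or a Certification Authority) established at
// enrolment. Only the public half is ever stored here.
type registry map[string]ed25519.PublicKey

// sign runs on the customer's side with the private key that only they hold.
func sign(priv ed25519.PrivateKey, t Transfer) []byte {
	return ed25519.Sign(priv, canonical(t))
}

// verify is the bank's check: look up the key registered for t.From and verify
// the signature over the canonical bytes. A valid signature is evidence that the
// holder of that private key issued exactly this instruction; the customer cannot
// later deny it, and the bank cannot have forged it because it never held the
// private key. A shared-secret HMAC could not give that second property.
func verify(reg registry, t Transfer, sig []byte) bool {
	pub, ok := reg[t.From]
	if !ok {
		return false // unregistered signer: no binding, hence no proof
	}
	return ed25519.Verify(pub, canonical(t), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := registry{"cust-42": pub}
	tr := Transfer{From: "cust-42", To: "acct-7", Amount: 15000, Sequence: 1}
	sig := sign(priv, tr)
	fmt.Println("genuine instruction verifies:", verify(reg, tr, sig))

	tr.Amount = 1500000 // altered in transit or at rest, the 5.3.5 scenario
	fmt.Println("altered instruction verifies:", verify(reg, tr, sig))
}
```

The bank stores the canonical bytes and the signature together as the audit-trail record; anyone holding only the registered public key, including a court or auditor, can repeat the verification later. Replay protection (rejecting a Sequence value already seen for that customer) is the bank's ledger's job and is not part of the signature check itself.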
5.8.2 These include legal and regulatory risks, as there may be uncertainty about legal requirements in some countries and jurisdictional ambiguities with respect to the responsibilities of different national authorities. Such considerations may expose banks to legal risks associated with non-compliance with different national laws and regulations, including consumer protection laws, record-keeping and reporting requirements, privacy rules and money laundering laws.

5.8.3 If a bank uses a service provider located in another country, it will be more difficult to monitor it, thus causing operational risk. Also, a foreign-based service provider or foreign participants in Internet banking are sources of country risk to the extent that foreign parties become unable to fulfil their obligations due to economic, social or political factors.

5.8.4 Cross border transactions accentuate credit risk, since it is difficult to appraise an application for a loan from a customer in another country compared to a customer from a familiar customer base. Banks accepting foreign currencies in payment for electronic money may be subjected to market risk because of movements in foreign exchange rates.

5.9 Strategic Risk

5.9.1 This risk is associated with the introduction of a new product or service. The degree of this risk depends upon how well the institution has addressed the various issues related to development of a business plan, availability of sufficient resources to support this plan, credibility of the vendor (if outsourced), and the level of the technology used in comparison to the available technology, etc.

5.9.2 To reduce such risk, banks need to conduct proper surveys, consult experts from various fields, establish achievable goals and monitor performance. They also need to analyse the availability and cost of additional resources, provision of adequate supporting staff, proper training of staff and adequate insurance coverage. Due diligence needs to be observed in the selection of vendors, audit of their performance, and establishing alternative arrangements for the possible inability of a vendor to fulfil its obligations. Besides this, periodic evaluation of new technologies and appropriate consideration of the costs of technological upgradation are required.
5.10 Other risks

5.10.1 Traditional banking risks such as credit risk, liquidity risk, interest rate risk and market risk are also present in Internet banking. These risks get intensified due to the very nature of Internet banking, on account of the use of electronic channels as well as the absence of geographical limits. However, their practical consequences may be of a different magnitude for banks and supervisors than operational, reputational and legal risks. This may be particularly true for banks that engage in a variety of banking activities, as compared to banks or bank subsidiaries that specialize in Internet banking.

5.10.2 Credit risk is the risk that a counterparty will not settle an obligation for full value, either when due or at any time thereafter. Banks may not be able to properly evaluate the creditworthiness of a customer while extending credit through remote banking procedures, which could enhance the credit risk. Presently, banks generally deal with a more familiar customer base. The facility of electronic bill payment in Internet banking may cause credit risk if a third party intermediary fails to carry out its obligations with respect to payment. Proper evaluation of the creditworthiness of a customer and audit of the lending process are a must to avoid such risk.

5.10.3 Another facility of Internet banking is electronic money. It brings various types of risk with it. If a bank purchases e-money from an issuer in order to resell it to a customer, it exposes itself to credit risk in the event of the issuer defaulting on its obligation to redeem the electronic money.

5.10.4 Liquidity risk arises out of a bank's inability to meet its obligations when they become due without incurring unacceptable losses, even though the bank may ultimately be able to meet its obligations. It is important for a bank engaged in electronic money transfer activities to ensure that funds are adequate to cover redemption and settlement demands at any particular time.
Failure to do so, besides exposing the bank to liquidity risk, may even give rise to legal action and reputational risk.

5.10.5 Similarly, banks dealing in electronic money face interest rate risk because of adverse movements in interest rates causing a decrease in the value of assets relative to outstanding electronic money liabilities. Banks also face market risk because of losses in on- and off-balance sheet positions arising out of movements in market prices, including foreign exchange rates. Banks accepting foreign currency in payment for electronic money are subject to this type of risk.

5.10.6 Risk of unfair competition: Internet banking is going to intensify the competition among various banks. The open nature of the Internet may induce a few banks to use unfair practices to take advantage over rivals. Any leaks at the network connection or operating system, etc., may allow them to interfere in a rival bank's system.

5.11 Thus one can find that, along with the benefits, Internet banking carries various risks for the bank itself as well as for the banking system as a whole. The rapid pace of technological innovation is likely to keep changing the nature and scope of the risks banks face. These risks must be balanced against the benefits. Supervisory and regulatory authorities are required to develop methods for identifying new risks, assessing risks, managing risks and controlling risk exposure. But authorities need to keep in consideration that the development and use of Internet banking are still in their early stages, and policies that hamper useful innovation and experimentation should be avoided. Thus authorities need to encourage banks to develop a risk management process rigorous and comprehensive enough to deal with known risks and flexible enough to accommodate changes in the type and intensity of the risks.

Chapter 6 - Technology and Security Standards for Internet Banking

6.1 Introduction

The Internet has provided a new and inexpensive channel for banks to reach out to their customers. It allows customers to access banks' facilities round the clock, 7 days a week. It also allows customers to access these facilities from remote sites / home, etc. However, all these capabilities come with a price. The highly unregulated Internet provides a less than secure environment for the banks to interface with. The diversity in computer, communication and software technologies used by the banks vastly increases the challenges facing the online bankers.
In this chapter, an effort has been made to give an overview of the technologies commonly used in Internet banking. An attempt has been made to describe concepts, techniques and technologies related to privacy and security, including physical security. Banks planning to offer Internet banking should have explicit policies on security. An outline for a possible framework for security policy and planning has also been given. Finally, recommendations have been made for ensuring security in Internet banking.

6.2 Technologies

6.2.1 Computer networking & Internet

6.2.1.1 The purpose of computer networking is the sharing of computing resources and data across the whole organization and with the outside world. Computer networks can be primarily divided into two categories based on speed of data transfer and geographical reach. A Local Area Network (LAN) connects many servers and workstations within a small geographical area, such as a floor or a building. Some of the common LAN technologies are 10 Mbps Ethernet, 100 Mbps Ethernet, 1 Gbps Ethernet, Fiber Distributed Data Interface (FDDI) and Asynchronous Transfer Mode (ATM). The data transfer rates here are very high. They commonly use a broadcast mode of data transfer. The Wide Area Network (WAN), on the other hand, is designed to carry data over great distances and is generally point-to-point. Connectivity in a WAN set-up is provided by using dial-up modems on the Public Switched Telephone Network (PSTN) or leased lines, VSAT networks, Integrated Services Digital Network (ISDN) or T1 lines, Frame Relay / X.25 (Permanent Virtual Circuits), Synchronous Optical Network (SONET), or by using Virtual Private Networks (VPN), which are software-defined, dedicated and customized services used to carry traffic over the Internet. The different topologies, technologies and data communication protocols have different implications for the safety and security of services.
6.2.1.2 To standardize communications between systems, the International Organization for Standardization developed the OSI model (the Open Systems Interconnection Reference Model), work on which began in 1977. The OSI model breaks the communication process into 7 layers and describes the functions and interfaces of each layer. The important services provided by some of the layers are mentioned below. A good understanding of these layers is necessary for developing applications and for deploying firewalls (described later).

Application Layer: network management, file transfer protocol, information validation, application-level access security checking.
Session Layer: establishing, managing and terminating connections (sessions) between applications.
Transport Layer: reliable, transparent transfer of data between end points, end-to-end recovery and flow control.
Network Layer: routing, switching, traffic monitoring and congestion control, control of network connections, logical channels and data flow.
Data Link Layer: reliable transfer of data across a physical link and control of the flow of data from one machine to another.

6.2.1.3 Protocols: The data transmission protocol suite used for the Internet is known as the Transmission Control Protocol / Internet Protocol (TCP/IP). The Internet is primarily a network of networks. The networks in a particular geographical area are connected into a large regional network. The regional networks are connected via a high speed backbone. Data sent from one region to another is first transmitted to a Network Access Point (NAP) and is then routed over the backbone. Each computer connected to the Internet is given a unique IP address (such as 142.16.111.84) and a hierarchical domain name (such as cse.iitb.ernet.in). The Internet can be accessed using various application-level protocols such as FTP (File Transfer Protocol), Telnet (Remote Terminal Control Protocol), Simple Mail Transfer Protocol (SMTP) and Hypertext Transfer Protocol (HTTP). These protocols run on top of TCP/IP. The most innovative part of the Internet is the World Wide Web (WWW). The web uses hyperlinks, which allow users to move from any place on the web to any other place. The web consists of web pages, which are multimedia pages composed of text, graphics, sound and video. Web pages are made using Hypertext Markup Language (HTML).
The web works on a client-server model in which the client software, known as the browser, runs on the local machine and the server software, called the web server, runs on a possibly remote machine. Some of the popular browsers are Microsoft Internet Explorer and Netscape Navigator.

6.2.1.4 With the popularity of the web, organizations find it beneficial to provide access to their services through the Internet to their employees and the public. In a typical situation, a component of the application runs (as an applet) within the browser on the user's workstation. The applet connects to the application (directly using TCP/IP, or through the web server using HTTP) on the organization's application and database servers. These servers may be on different computer systems. Web-based applications provide flexible access from anywhere using familiar browsers that support graphics and multimedia. The solutions are also scalable and easy to extend. Fig. 6.1 below shows some of the components and technologies / products commonly used in the design of web-based applications.

Fig. 6.1: Components of a web-based application

6.2.2 Banking Product: Internet banking applications run on diverse platforms and operating systems and use different architectures. The product may support centralized (bank-wide) operations or branch level automation. It may have a distributed, client-server or three-tier architecture based on a file system or a DBMS package. Moreover, the product may run on computer systems of various types, ranging from PCs and open (Unix-based) systems to proprietary mainframes. These products allow different levels of access to customers and a different range of facilities. The products accessible through the Internet can be classified into three types based on the levels of access granted:

1. Information only systems: General-purpose information like interest rates, branch locations, product features, FAQs, loan and deposit calculators are provided on the bank's web (WWW) site.
The sites also allow downloading of application forms. Interactivity is limited to a simple form of e-mail. No identification or authentication of customers is done, and there is no interaction between the bank's production system (where current data of accounts are kept and transactions are processed) and the customer.

2. Electronic Information Transfer Systems: These systems provide customer-specific information in the form of account balances, transaction details, statements of account, etc. The information is still largely read-only. Identification and authentication of the customer takes place using relatively simple techniques (like passwords). Information is fetched from the bank's production system either in batch mode or offline. Thus, the bank's main application system is not directly accessed.

3. Fully Transactional Systems: These systems provide bi-directional transaction capabilities. The bank allows customers to submit transactions on its systems, and these directly update customer accounts. Therefore, security and control systems need to be strongest here.

6.2.3 Application architecture

A computer-based application may be built as monolithic software, or may be structured to run in a client-server environment, or may even have a three- or multi-tiered architecture. A computer application typically separates its three main tasks: interaction with the user, processing of transactions as per the business rules, and the storage of business data. The three tasks can be viewed as three layers, which may run on the same system (possibly a large, proprietary computer system) or may be separated onto multiple computers (across the Internet), leading to a three-tier or multi-tier architecture. These layers can be briefly described as follows:

1. Presentation Layer: This layer is responsible for managing the front-end devices, which include browsers on personal computers, Personal Digital Assistants (PDAs), mobile phones, Internet kiosks, Web TV, etc. The presentation layer takes care of user interface related issues like display details, colour, layout, images, etc. It also has important responsibilities in user authentication and session management.

2. Application Layer: It contains the business logic (for processing of data and transactions) and the necessary interfaces to the data layer. It processes requests from the presentation layer, connects to the data layer, receives and processes the information, and passes results back to the presentation layer. It is responsible for ensuring that all the business rules are incorporated in the software. The scalability, reliability and performance of the services depend to a great extent upon the application layer architecture.
3. Data Layer: The data layer uses a database package to store, retrieve and update application data. The database may be maintained on one or multiple servers. A database package also supports back-up and recovery of data, as well as logging of all transactions.

6.2.4 Issues in administration of systems and applications: The role of the network and database administrator is pivotal in securing the information systems of any organization. The role extends across various job functions, and any laxity in any of the functions leaves the system open to malicious use. A few important functions of the administrator, and how they relate to or impinge on system security, are discussed below:

a. Installation of software: Software (whether system or application) needs to be carefully installed as per the developer's instructions. A software system may contain bugs and security holes, which over a period are fixed through appropriate patches. It is necessary to know the latest and correct configuration of all software packages. Hackers and intruders are often aware of these bugs and may exploit known weaknesses in the software; hence, care should be taken to install only the latest versions of software with the latest patches. Further, improper installation may lead to degradation of services. Installation of pirated software is not only illegal and unethical but may also introduce trojans and viruses, which may compromise system security. In the case of installation of outsourced software, care should be taken to compare the source code and the executable code using appropriate tools, as unscrupulous developers may leave back-door traps in the software for illegal access to and update of the data. In addition, while installing software, care should be taken that only necessary services are enabled, on a need-to-use basis.
b. Access controls and user maintenance: An administrator has to create user accounts on different computer systems and give various access permissions to the users. Setting access controls on files, objects and devices reduces intentional and unintentional security breaches. A bank's system policy should specify access privileges and controls for the information stored on the computers. The administrators create the needed user groups and assign users to the appropriate groups. The execution privilege for most system-related utilities should be limited to system administrators, so that users may be prevented from making system level changes. Write / modify access permissions for all executables and binary files should be disabled. If possible, all log files should be made append-only. All sensitive data should be made more secure by using encryption. The system and database administrators are also responsible for the maintenance of users and the deletion of inactive users. Proper logs should be maintained of the dates of user creation and the validity period of users. There should be a frequent review to identify unnecessary users and privileges, especially of temporary users such as system maintenance personnel and system auditors.

c. Backup, recovery & business continuity: Back-up of data, documentation and software is an important function of the administrators. Both data and software should be backed up periodically. The frequency of backup should depend on the recovery needs of the application. Online / real-time systems require frequent backups within a day. The back-up may be incremental or complete. Automating the backup procedures is preferred, to obviate operator errors and missed back-ups. Recovery and business continuity measures, based on the criticality of the systems, should be in place, and a documented plan with the organization and assignment of responsibilities of the key decision-making personnel should exist. An off-site backup is necessary for recovery from major failures / disasters to ensure business continuity. Depending on criticality, different technologies based on backup, hot sites, warm sites or cold sites should be available for business continuity. The business continuity plan should be frequently tested.
d. System & network logging: Operating systems, database packages and even business applications produce a log of the various tasks performed by them. Most operating systems keep a log of all user actions. Log files are the primary record of suspicious behaviour. Log files alert the administrator to carry out further investigation in case of suspicious activity and help in determining the extent of an intrusion. Log files can also provide evidence in case of legal proceedings. The administrator has to select the types of information to be logged, the mechanisms for logging, the locations for logging, and the locations where the log files are stored. The information required to be logged should include login / logout information, location and time of failed attempts, changes in status, status of any resource, changes in system status such as shutdowns, initializations and restarts, file accesses, changes to file access control lists, mail logs, modem logs, network access logs, web server logs, etc. The log files must be protected and archived regularly and securely.

6.3 Security and Privacy Issues

6.3.1 Terminology:

1. Security: Security in Internet banking comprises both computer and communication security. The aim of computer security is to preserve computing resources against abuse and unauthorized use, and to protect data from accidental and deliberate damage, disclosure and modification. Communication security aims to protect data during transmission in computer networks and distributed systems.

2. Authentication: It is the process of verifying the claimed identity of an individual user, machine, software component or any other entity. For example, an IP address identifies a computer system on the Internet, much like a phone number identifies a telephone (though, as noted in 5.3.6, an IP address can be spoofed and is not by itself proof of identity). Authentication may be used to ensure that unauthorized users do not enter, or to verify the sources from which data are received. It is important because it underpins authorization and accountability.
Authorization means control over the activity of a user, whereas accountability allows us to trace an action uniquely to a specific user. Authentication can be based on passwords, on network addresses or on cryptographic techniques.

3. Access Control: It is a mechanism to control access to the system and its facilities by a given user, to the extent necessary to perform his job function. It provides for the protection of system resources against unauthorized access. An access control mechanism uses the authenticated identities of principals, and the information about these principals, to determine and enforce access rights. It goes hand in hand with authentication. In establishing a link between a bank's internal network and the Internet, we may create a number of additional access points into the internal operational system. In this situation, unauthorized access attempts might be initiated from anywhere. Unauthorized access causes destruction, alteration or theft of data or funds, compromise of data confidentiality, denial of service, etc. Access control may be of discretionary or mandatory types.

4. Data Confidentiality: The concept of providing protection of data from unauthorized disclosure is called data confidentiality. Due to the open nature of the Internet, unless otherwise protected, all data transfer can be monitored or read by others. Although it is difficult to monitor a transmission at random, because of the numerous paths available, special programs such as sniffers, set up at an opportune location like a web server, can collect vital information. This may include credit card numbers, deposits, loans or passwords, etc. Confidentiality extends beyond data transfer and includes any connected data storage system, including network storage systems. Passwords and other access control methods help in ensuring data confidentiality.

5. Data Integrity: It ensures that information cannot be modified in an unexpected way. Loss of data integrity could result from human error, intentional tampering, or even catastrophic events. Failure to protect the correctness of data may render data useless or, worse, dangerous. Efforts must be made to ensure the accuracy and soundness of data at all times. Access control, encryption and digital signatures are the methods used to ensure data integrity; note that encryption on its own hides data but does not detect modification of it, so a message authentication code or digital signature is needed for the detection.

6. Non-Repudiation: Non-repudiation involves creating proof of the origin or delivery of data, to protect the sender against false denial by the recipient that data has been received, or to protect the recipient against false denial by the sender that the data has been sent.
To ensure that a transaction is enforceable, step s must beta en to prohibit parties from disputing the validity of, or refusing t o ac nowledge,legitimate communication or transaction. 7.Security Audit Trail:A security audit refers to an independent review andexami nation of system s records and activities, in order to test for adequacy of syst em controls. It ensures compliance with established policy and operationalproced ures, to detect breaches in security, and to recommend any indicated changesin t he control, policy and procedures. Audit Trail refers to data generated by thesy stem, which facilitates a security audit at a future date. 6.3.2 Attac s and Compromises: When a ban s system is connected to the Internet, an attac could originate at an ytime from anywhere. Some acceptable level of security must be established befor ebusiness on the Internet can be reliably conducted. An attac could be any form li e: 1.The intruder may gain unauthorized access and nothing more 2.The intruder gains access and destroys, corrupt or otherwise alters data 3.The intruder gains access and seizes control partly or wholly, perhaps denying access to privileged users 4.The intruder does not gain access, but instead forges messages from your syste m 5.The intruder does not gain access, but instead implements malicious procedures that cause the networ to fail, reboot, and hang.Modern security techniques have made crac ing very difficult but not impossible.Further more, if the system is not configured properly or the updated patches are notinstalled then hac ers may crac the system using security hole. A wide range of information regarding sec urity hole and their fixes is freely available on the Internet.System administra tor should eep himself updated with this information.Common crac ing attac s in clude: 1.E-mail bomb and List lin ing 2.Denial-of-Service 3.Sniffer attac 4.Utilizing security hole in the system software 5. E-mail bomb:This is a harassment tool. 
A traditional e-mail bomb is simply as eries of message (perhaps thousands) sent to your mailbox. The attac ers objectis to fill the mailbox with jun .
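The distinction between discretionary and mandatory access control drawn in item 3 above is easiest to see in code. The following Python fragment is an added illustration, not code from the report or from any bank's system: a resource owner extends a discretionary ACL, while a mandatory policy based on clearance and classification labels (the classic "no read up, no write down" rules, which the report does not name) is enforced regardless of what the owner granted. Subjects, labels and resources are constructed for the example.

```python
"""Added example: discretionary versus mandatory access control.

Subjects, labels and the sample ledger are constructed for the example; this is
not code from the report or from any bank's system.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Mandatory labels form a strict ordering: a subject may read an object only at or
# below its own level (no read up) and write only at or above it (no write down),
# whatever the owner of the object may have granted.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str          # mandatory label, set by the security officer


@dataclass
class Resource:
    name: str
    owner: str
    classification: str     # mandatory label, fixed when the object is created
    acl: dict = field(default_factory=dict)   # discretionary: {subject name: set of rights}


def dac_allows(subject: Subject, res: Resource, right: str) -> bool:
    """Discretionary check: the owner has every right, others what the ACL grants."""
    if subject.name == res.owner:
        return True
    return right in res.acl.get(subject.name, set())


def mac_allows(subject: Subject, res: Resource, right: str) -> bool:
    """Mandatory check, which ownership does not override."""
    s, o = LEVELS[subject.clearance], LEVELS[res.classification]
    if right == "read":
        return s >= o          # no read up
    if right == "write":
        return s <= o          # no write down
    raise ValueError(f"unknown right {right!r}")


def grant(owner: Subject, res: Resource, grantee: Subject, right: str) -> None:
    """Only the owner may extend the discretionary ACL."""
    if owner.name != res.owner:
        raise PermissionError(f"{owner.name} does not own {res.name}")
    res.acl.setdefault(grantee.name, set()).add(right)


def check_access(subject: Subject, res: Resource, right: str) -> tuple[bool, str]:
    """Both policies must agree; the reason string is what goes into the audit trail."""
    if not dac_allows(subject, res, right):
        return False, "denied by ACL"
    if not mac_allows(subject, res, right):
        return False, "denied by mandatory policy"
    return True, "allowed"


def demo() -> dict:
    """Constructed scenario: a manager owns a secret ledger and grants a clerk rights on it."""
    manager = Subject("manager", "secret")
    clerk = Subject("clerk", "internal")
    ledger = Resource("suspense_ledger", owner="manager", classification="secret")
    notice = Resource("branch_notice", owner="manager", classification="public")

    grant(manager, ledger, clerk, "read")     # the owner's discretion ...
    grant(manager, ledger, clerk, "write")
    grant(manager, notice, clerk, "read")

    return {
        "clerk_read_ledger": check_access(clerk, ledger, "read"),       # ... but the label says no read up
        "clerk_write_ledger": check_access(clerk, ledger, "write"),     # writing upward is permitted
        "clerk_read_notice": check_access(clerk, notice, "read"),
        "manager_write_notice": check_access(manager, notice, "write"),  # owner, yet no write down
        "clerk_write_notice": check_access(clerk, notice, "write"),     # never granted in the ACL
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Note that the manager is refused a write to his own public notice: under a mandatory policy a highly cleared subject writing to a low-classified object is the channel through which secret data leaks downward, so the label check wins over ownership.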

6. Denial-of-Service (DoS) attacks: DoS attacks can temporarily incapacitate the entire network (or at least those hosts that rely on TCP/IP). Because many DoS attacks strike at the heart of the IP implementation itself, they are not tied to one platform: a single DoS attack may well work against several target operating systems. Many DoS attacks are well known and well documented, and the available fixes must be applied. Attacks that simply flood a host with more traffic than it can handle cannot be patched away and have to be filtered upstream or absorbed by capacity.

7. Sniffer attack: Sniffers are programs (sometimes packaged with dedicated hardware) that capture network packets. A sniffer works by placing the network interface into promiscuous mode. On a shared network segment every machine can see the traffic passing by, but under normal circumstances an interface accepts only the frames addressed to it; in promiscuous mode it captures all packets and frames on the segment. Sniffers can therefore capture passwords and other confidential information. They are extremely difficult to detect because they are passive. Encrypting the session is the effective defence: data that an attacker sniffs from an encrypted session is useless to him. However, not all applications have integrated encryption support.

8. Holes: A hole is any defect in hardware, software or policy that allows an attacker to gain unauthorized access to your system. Network components that can have holes include routers, client and server software, operating systems and the firewalls themselves.

6.3.3 Authentication Techniques:

As mentioned earlier, authentication is the process of verifying a claimed identity. Various techniques are available. The password is the most extensively used method, and most financial institutions use passwords along with a PIN (Personal Identification Number). Technologies such as tokens, smart cards and biometrics strengthen the security structure by requiring the user to possess something physical (or to be someone) in addition to knowing a secret.

1. Token technology relies on a separate physical device, retained by the individual, to verify the user's identity. The token resembles a small hand-held card or calculator and generates passwords. The device is synchronized with security software on the host computer, either through an internal clock or through an identical counter-based algorithm, so that host and token compute the same value independently. Tokens are well suited to one-time password generation and access control. A separate PIN is typically required to activate the token.

2. Smart cards resemble credit cards or other traditional magnetic stripe cards but contain an embedded computer chip. The chip includes a processor, an operating system, and both Read Only Memory (ROM) and Random Access Memory (RAM). Smart cards can generate one-time passwords when prompted by a host computer, or carry cryptographic keys and perform the cryptographic operation on the card, so that the private key never leaves it. A smart card reader is required for their use.

3. Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry or retina scanning. This technology is advancing rapidly and offers an alternative means of authenticating a user. Unlike a password, a biometric cannot be changed if it is compromised, so the stored templates themselves need strong protection.

6.3.4 Firewalls:

The connection between internal networks and the outside world must be watched and monitored carefully by a gatekeeper of sorts. Firewalls do this job. Without one, the internal network and systems are exposed, often leaving them vulnerable and compromising the integrity and privacy of data. A firewall is a component, or set of components, that restricts access between a protected network and the outside world (i.e., the Internet). It controls traffic between the outside and the inside of a network, providing a single entry point where access control and auditing can be imposed. All firewalls examine the packets of data flowing into and out of a network and determine whether a particular connection should be allowed inside the network. As a result, unauthorized computers outside the firewall are prevented from directly accessing the computers inside the internal network. Broadly, there are three types of firewall: packet filtering firewalls, proxy servers and stateful inspection firewalls.

Packet filtering routers: Packet filtering routers are the simplest form of firewall. They are connected between the host computer of an internal network and the Internet gateway, as shown in Fig. 6.2. The bastion host directs messages accepted by the router to the appropriate application servers in the protected network. The router's function is to route the network's data and to allow only certain types of data into the network, by checking the type of data and its source and destination addresses. If the router determines that the data is sourced from an Internet address which is not on its list of acceptable or trusted sources, the connection is simply refused. The advantage of this type of firewall is that it is simple and cheap to implement, and also fast and transparent to users. The disadvantage is that if the security of the router were compromised, computers on the internal network would be open to attack from the external network. Also, the filtering rules can be difficult to configure, and a poorly configured firewall can open security loopholes by unintentionally allowing access to the internal network.
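The token mechanism in item 1 of 6.3.3 can be shown concretely. The following Python example is added here and is not taken from the report or from any vendor's product: it implements the counter-based and clock-based one-time password algorithms standardized in RFC 4226 (HOTP) and RFC 6238 (TOTP), together with the host-side verification that tolerates a little clock drift between token and host and refuses a code that has already been accepted. The shared secret and the clock values are constructed test inputs (the secret is the one used for the test vectors in RFC 4226).

```python
"""Added example: one-time passwords from a token synchronised with the host.

Implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only.
The shared secret and clock values are constructed test inputs; this is not
code from the report or from any vendor's token.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The clock replaces the counter: token and host derive the same counter from time."""
    return hotp(secret, unix_time // step, digits)


def current_code(secret: bytes) -> str:
    """What a real token would display right now."""
    return totp(secret, int(time.time()))


class HostVerifier:
    """Host side: accepts a code for the current step or one step either side
    (clock drift), but never re-accepts a step that has already been consumed."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1   # highest counter already used

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.skew_steps, base + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue                  # replay: this step was used already
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"   # RFC 4226 test secret (constructed input)
    host = HostVerifier(secret)
    token_clock = 59                   # the token's idea of the time (constructed)
    code = totp(secret, token_clock)   # what the token displays
    return {
        "code": code,
        "accepted": host.verify(code, now=75),           # host clock 16 s ahead: same step
        "replayed": host.verify(code, now=80),           # the same code again is refused
        "too_old": host.verify(totp(secret, 0), now=120),  # four steps behind: refused
    }


if __name__ == "__main__":
    print(demo())
```

The replay check matters because a code captured by a sniffer (6.3.2) remains valid for the whole 30-second step plus the drift window unless the host remembers which steps it has already honoured.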

Fig. 6.2 : A filtering router with a bastion host or proxy server

Proxy servers: Proxy servers control incoming and outgoing traffic for a network by executing a specific proxy program for each requested connection. If a computer outside the internal network wants to access an application running on a computer inside it, the outside computer actually communicates with the proxy server; the proxy server in turn passes the request to the internal computer, receives the response and hands it to the outside user. That is, there is no direct connection between the internal network and the Internet. This approach allows a high level of control and in-depth monitoring using logging and auditing tools, because the proxy understands the application protocol and can log and filter at that level. However, since it doubles the amount of processing, it may lead to some degradation in performance. Fig. 6.3 shows a typical firewall organization consisting of a demilitarized zone (DMZ) that separates the protected network from the Internet.

Stateful inspection firewall: This type of firewall inspects all packets of information at the network level, as a proxy server does, but without terminating the connection. Attributes of each packet, such as the user, the transport protocol and the application used, are queried and verified in the inspection process. The information collected is retained, so that every subsequent packet is inspected in the context of the connection it belongs to and compared with what has gone before: a packet that claims to be a reply to a connection the firewall never saw being opened is refused. This type of firewall is very powerful, but performance declines with the intensive inspection and verification performed.

6.3.5 Cryptography:

The process of disguising a message in such a way as to hide its substance is called encryption. An encrypted message is called ciphertext. The process of turning ciphertext back into plaintext is called decryption. Cryptography is the art and science of keeping messages secure. It uses a key for encrypting or decrypting a message. Both the strength of the algorithm and the size of the key are important to ensure the confidentiality of a message. There are two types of encryption: symmetric key and asymmetric key encryption.

In the symmetric key scheme the same key is used to encrypt and to decrypt the message, so the key itself has to be shared secretly between the parties beforehand. Common symmetric algorithms include the one-time pad, the Data Encryption Standard (DES), Triple DES, LOKI, Twofish, Blowfish and the International Data Encryption Algorithm (IDEA). DES and Triple DES are the most commonly used; single DES, with its 56-bit key, is within reach of brute-force search and should not be relied upon for new systems.

The asymmetric key scheme is also known as a public key cryptosystem. Here two keys are used. One key is kept secret and is therefore referred to as the private key; the other is made widely available to anyone who wants it and is referred to as the public key. The public key and private key are mathematically related, so that information encrypted with the public key can only be decrypted by the corresponding private key (and, in RSA, vice versa). Importantly, it is computationally infeasible to derive the private key from the public key. Common public key algorithms are Diffie-Hellman, RSA and elliptic curve systems. In all of these the confidentiality obtained is directly related to the key size: the larger the key, the longer it takes to break the encrypted message. Because public key operations are slow, the usual practice is to use them to agree or transport a symmetric key and then encrypt the bulk of the data with that symmetric key.

Diffie-Hellman: This was the first public key algorithm invented. It gets its security from the difficulty of calculating discrete logarithms in a finite field. The Diffie-Hellman method can be used for the distribution of keys to be used for symmetric encryption.

RSA: Named after its three inventors, Ron Rivest, Adi Shamir and Leonard Adleman, who first introduced the algorithm in 1978, RSA gets its security from the difficulty of factoring large numbers. The public and private keys are functions of a pair of large (100 or 200 digits, or even larger) prime numbers. The pair is used for asymmetric encryption and for digital signatures.

6.3.6 Digital Signature and Certification:

6.3.6.1 Digital signatures authenticate the identity of a sender through the sender's private cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and a signature unique to the message results in a transmission that cannot be repudiated.

6.3.6.2 A digital signature can be applied to any data transmission, including e-mail. To generate a digital signature, the original, unencrypted message is processed through a mathematical algorithm that generates a message digest (a fixed-length representation of the data, such that any change in the data changes the digest). This process is known as hashing. The message digest is then transformed with the sender's private key (in RSA this is the same operation as encryption with that key) and sent along with the message, which may itself be encrypted as well. The recipient receives both the message and the signed message digest. The recipient recovers the digest from the signature using the sender's public key, and then runs the message through the same hash function. If the resulting message digest matches the one recovered from the signature, the message has not been altered and data integrity is verified. Because the digest could only have been signed with the private key, the sender is identified and bound to that specific message.

6.3.6.3 Certification Authorities and Digital Certificates:

Certification Authorities and digital certificates are emerging to address further the issues of authentication, non-repudiation, data privacy and cryptographic key management. A Certification Authority (CA) is a trusted third party that verifies the identity of a party to a transaction. To do this, the CA vouches for the identity of a party by attaching the CA's digital signature to a statement of that party's identity and public key. The CA must be trusted by the parties involved, and identities must have been proven to the CA beforehand. Digital certificates are messages that are signed with the CA's private key. They identify the CA and the represented party, and include the represented party's public key, so that anyone holding the CA's public key can verify the binding between the party and its key.
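To make the difference between the packet filtering router and the stateful inspection firewall of 6.3.4 concrete, the following Python model is added here; it is illustrative code, not from the report or from any firewall product. It shows why a stateless rule table must either block legitimate reply traffic or admit any packet aimed at the high port range, and how remembering which connections were opened from the inside removes that dilemma. The addresses, ports and packets are constructed for the example.

```python
"""Added example: packet filter versus stateful inspection.

A stateless filter applies an ordered rule table with default deny; the stateful
variant also records connections opened from the inside and admits only their
replies. Addresses, ports and packets are constructed for the example; this is
not code from the report or from any firewall product.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # SYN without ACK: a connection being opened
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dports: tuple[int, int] | None  # inclusive range; None matches any port
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1]))


ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.1.0.0/16")    # constructed: the bank's internal network
WEB_SERVER = ip_network("10.1.2.5/32")  # constructed: the Internet banking host


class PacketFilter:
    """Stateless: first matching rule wins; no match means deny."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Keeps a table of connections it saw opened from inside; an inbound packet
    is admitted as a reply only if its 5-tuple mirrors one of them."""

    def __init__(self, rules: list[Rule]):
        super().__init__(rules)
        self.connections = set()

    def decide(self, p: Packet) -> str:
        if ip_address(p.src) in INTERNAL:                      # outbound
            verdict = super().decide(p)
            if verdict == "allow" and p.syn:
                self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return verdict
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.connections:
            return "allow"                                     # reply to a known connection
        if p.ack and not p.syn:
            return "deny"             # claims to belong to a connection we never saw open
        return super().decide(p)                               # a genuinely new inbound connection


STRICT_RULES = [
    Rule("allow", ANY, WEB_SERVER, (443, 443)),   # the public may reach the web server
    Rule("allow", INTERNAL, ANY, (443, 443)),     # staff may browse outward
]                                                 # everything else: default deny

# A stateless filter cannot recognise reply packets, so to let staff browsing work
# the administrator is forced to open the whole ephemeral port range inbound:
STATELESS_RULES = STRICT_RULES + [Rule("allow", ANY, INTERNAL, (1024, 65535))]

# Constructed traffic. The forged "reply" looks exactly like the real one to a rule
# table; only the connection table tells them apart.
CUSTOMER_SYN = Packet("203.0.113.7", 51000, "10.1.2.5", 443, syn=True)
STAFF_SYN = Packet("10.1.9.20", 40000, "198.51.100.9", 443, syn=True)
STAFF_REPLY = Packet("198.51.100.9", 443, "10.1.9.20", 40000, ack=True)
FORGED_REPLY = Packet("198.51.100.66", 443, "10.1.9.21", 40001, ack=True)
TRAFFIC = [("customer_syn", CUSTOMER_SYN), ("staff_syn", STAFF_SYN),
           ("staff_reply", STAFF_REPLY), ("forged_reply", FORGED_REPLY)]


def run(firewall: PacketFilter) -> dict[str, str]:
    """Feed the traffic through in order and collect the verdicts."""
    return {name: firewall.decide(pkt) for name, pkt in TRAFFIC}


if __name__ == "__main__":
    print("stateless, strict rules:", run(PacketFilter(STRICT_RULES)))
    print("stateless, opened range:", run(PacketFilter(STATELESS_RULES)))
    print("stateful, strict rules: ", run(StatefulFilter(STRICT_RULES)))
```

With the strict table the stateless filter drops the staff reply and browsing breaks; with the opened range it lets the forged reply through as well. The stateful filter keeps the strict table and still passes the genuine reply, which is the property 6.4.3 relies on when it recommends stateful inspection for sensitive systems.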

Fig. 6.4 : Flow of messages in SSL-based security (at conceptual level)

6.3.6.4 Secure Socket Layer (SSL): SSL is designed to make use of TCP to provide a reliable end-to-end secure service. (Its standardized successor is Transport Layer Security, TLS; the description below applies to both.) SSL servers hold digital certificates issued by Certification Authorities, so that clients can authenticate the service provider (a bank, in our case). The server uses a password / PIN / client digital certificate to authenticate the client. Once client and server have authenticated each other, they establish a session key for the encryption of the messages exchanged. Fig. 6.4 shows the flow of authentication messages in SSL.

6.3.7 Public Key Infrastructure (PKI):

6.3.7.1 Public key cryptography can play an important role in providing the needed security services, including confidentiality, authentication, digital signatures and integrity. Public key cryptography uses two electronic keys: a public key and a private key. The public key can be known by anyone, while the private key is kept secret by its owner. As long as there is a strong binding between the owner and the owner's public key, the identity of the originator of a message can be traced to the owner of the private key. A Public Key Infrastructure (PKI) provides the means to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. Public keys are bound to their owners by public key certificates. These certificates contain information such as the owner's name and the associated public key, and are issued by a reliable Certification Authority (CA).

6.3.7.2 A PKI consists of the following components:

a. Key Certificate - An electronic record that binds a public key to the identity of the owner of a public-private key pair and is signed by a trusted entity.
b. Certification Authority (CA) - A trusted entity that issues and revokes public key certificates.
c. Registration Authority (RA) - An entity that is trusted by the CA to register or vouch for the identity of users to the CA.
d. Certificate Repository - An electronic site that holds certificates and CRLs. CAs post certificates and CRLs to repositories.
e. Certificate Revocation List (CRL) - A list of certificates that have been revoked. The list is usually signed by the same entity that issued the certificates. Certificates can be revoked for several reasons; for example, a certificate can be revoked if the owner's private key has been lost or compromised, or if the owner's name changes. A certificate whose signature verifies correctly but which appears on a current CRL must be treated as invalid.
f. Certificate User - An entity that uses certificates to know, with certainty, the public key of another entity.

6.3.7.3 The widespread use of PKI technology to support digital signatures can help increase confidence in electronic transactions. For example, the use of a digital signature allows a seller to prove that goods or services were requested by a buyer, and therefore to demand payment. The use of a PKI allows parties without prior knowledge of each other to engage in verifiable transactions.

6.3.7.4 Confidentiality and PKI: A PKI can also support confidentiality services, using a public-private key pair that is different from the one used for signing. In this case users need to obtain a separate certificate for the confidentiality public key. To send an encrypted message, a user obtains the recipient's confidentiality certificate from a certificate repository and verifies that it is valid. The sender then encrypts the message using the public key in that certificate. Only the recipient, in possession of the corresponding private key, is able to decrypt the message. Keeping the two key pairs separate allows the confidentiality key to be backed up for data recovery without ever copying the signing key, whose uniqueness is what makes signatures non-repudiable.

6.3.7.5 Certificates: Although several formats for public key certificates have been proposed, most certificates available today are based on an international standard (ITU-T X.509 version 3). This standard defines a certificate structure that includes several optional extensions. The use of X.509v3 certificates is important because it provides interoperability between PKI components. Also, the standard's defined extensions offer the flexibility to support specific business needs.

6.3.7.6 PKI Architectures: A PKI is often composed of many CAs linked by trust paths. The CAs may be linked in several ways. They may be arranged hierarchically under a "root CA" that issues certificates to subordinate CAs. The CAs can also be arranged independently in a network (mesh). The recipient of a signed message who has no relationship with the CA that issued the sender's certificate can still validate that certificate by finding a path between his own CA and the one that issued it. The National Institute of Standards and Technology (NIST) has developed a hybrid architecture specification, based on both the hierarchical and the network models, in the document Public Key Infrastructure (PKI) Technical Specifications (Version 2.3): Part C - Concept of Operations.

6.3.8 Tools:

Tools are extremely useful in monitoring and controlling networks, systems and users. Some of the system administration and network management tools are scanners, sniffers, logging and audit tools, and intrusion detection systems.

a. Scanners: Scanners are programs that automatically detect security weaknesses in remote or local hosts. A scanner probes the TCP/IP ports of a target, records the responses, and can reveal information such as the services currently running, the users owning those services, whether anonymous logins are supported, and whether certain network services require authentication. Scanners are important because they reveal weaknesses in the network; there are many known vulnerabilities on any given platform, and a scan gives a quick overview of a host's TCP/IP exposure. System administrators may use scanners to find weaknesses in their own systems and take preventive measures, and scan results are useful preliminary data for an audit. The same tools are available to attackers, so a scan of a bank's Internet-facing hosts should be assumed to have been carried out by others as well.

b. Sniffer: Sniffers are tools that capture network packets. They analyze network traffic and identify potential areas of concern. For example, suppose one segment of the network is performing poorly: packet delivery seems incredibly slow, or machines inexplicably lock up on a network boot. A sniffer can determine the precise cause. Sniffers are a combination of hardware and software components; proprietary sniffers are generally expensive (vendors often package them on special computers optimized for sniffing). As noted in 6.3.2, the same capability in an attacker's hands is a threat.

c. Intrusion Detection Tools: An intrusion attempt, or threat, is defined as the potential for a deliberate unauthorized attempt to access or manipulate information, or to render a system unreliable or unusable. Different approaches are used to detect such attempts. Some Intrusion Detection Systems (IDS) are based on the audit logs provided by the operating system, i.e. they detect attacks by watching for suspicious patterns of activity on a single computer system. This type of IDS, called a host-based IDS, is good at discerning attacks initiated by local users which involve misuse of the capabilities of one system. A host-based IDS can interpret only high-level logging information and cannot detect low-level network events such as denial of service attacks. The network-based approach can be used effectively to detect these low-level denial of service attacks. Distributed intrusion detection systems (DIDS) take data from various hosts, network components and network monitors, and try to detect intrusions from the collected data.
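The signing, certification and revocation steps of 6.3.6 and 6.3.7 are put together in the following Python example, added here as an illustration; it is not code from the report, from any CA or from any library. A digest of the message is signed with the customer's private key, the verifier takes the customer's public key from a certificate signed by the CA, checks the CA's revocation list, and only then checks the message signature. The RSA arithmetic is textbook RSA with deliberately tiny Mersenne primes so that the numbers stay readable; it is insecure, and the digest is reduced into the modulus instead of being padded, which a real implementation must never do. The CA name, serial numbers and payment instruction are constructed.

```python
"""Added example: hash-then-sign, a CA-issued certificate and a CRL check.

Textbook RSA with tiny Mersenne primes stands in for a real library so the numbers
stay readable; it is insecure. Names, serials and messages are constructed; this is
not code from the report, a CA or any library.
"""
import hashlib
import json
import math


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation: n = p*q, d = e^-1 mod lcm(p-1, q-1).
    Returns (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    return (n, e), (n, d)


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced into the modulus. Real schemes pad the digest
    (PKCS#1) instead; the reduction is only because the toy modulus is so small."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """6.3.6.2: transform the digest with the private key."""
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


def canonical(obj) -> bytes:
    """Deterministic serialization, so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_private, subject: str, subject_public, serial: int) -> dict:
    """6.3.7.2(a): the CA binds a name to a public key and signs the binding."""
    body = {"issuer": "Toy Bank CA", "serial": serial,
            "subject": subject, "public_key": list(subject_public)}
    return {"body": body, "ca_signature": sign(ca_private, canonical(body))}


def issue_crl(ca_private, revoked_serials) -> dict:
    """6.3.7.2(e): the revocation list is signed by the issuing CA."""
    body = {"issuer": "Toy Bank CA", "revoked": sorted(revoked_serials)}
    return {"body": body, "ca_signature": sign(ca_private, canonical(body))}


def verify_signed_message(message: bytes, signature: int, cert: dict,
                          crl: dict, ca_public) -> str:
    """Relying party (6.3.7.2(f)): trust the key only through a CA-signed, unrevoked
    certificate, and only then check the message signature itself."""
    if not verify(ca_public, canonical(cert["body"]), cert["ca_signature"]):
        return "certificate not signed by trusted CA"
    if not verify(ca_public, canonical(crl["body"]), crl["ca_signature"]):
        return "CRL signature invalid"
    if cert["body"]["serial"] in crl["body"]["revoked"]:
        return "certificate revoked"
    if not verify(tuple(cert["body"]["public_key"]), message, signature):
        return "message signature invalid"
    return "valid: signed by " + cert["body"]["subject"]


def demo() -> dict:
    # Mersenne primes 2^31-1, 2^61-1, 2^19-1, 2^89-1: toy sizes, never for real use.
    ca_public, ca_private = make_keypair(2**31 - 1, 2**61 - 1)
    cust_public, cust_private = make_keypair(2**19 - 1, 2**89 - 1)
    cert = issue_certificate(ca_private, "customer-0001", cust_public, serial=7)
    crl_clean, crl_revoked = issue_crl(ca_private, []), issue_crl(ca_private, [7])

    msg = b"TRANSFER 25000 INR from 1234 to 9876"        # constructed instruction
    sig = sign(cust_private, msg)
    tampered = b"TRANSFER 95000 INR from 1234 to 9876"
    forged_cert = dict(cert, body=dict(cert["body"], subject="attacker"))
    return {
        "genuine": verify_signed_message(msg, sig, cert, crl_clean, ca_public),
        "tampered": verify_signed_message(tampered, sig, cert, crl_clean, ca_public),
        "forged_cert": verify_signed_message(msg, sig, forged_cert, crl_clean, ca_public),
        "after_revocation": verify_signed_message(msg, sig, cert, crl_revoked, ca_public),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

The order of the checks in verify_signed_message is the point of 6.3.7: a signature that verifies under a public key proves nothing until that key has been tied to a name by a trusted CA and the binding is known not to have been revoked.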
d. Network-based Intrusion Detection Systems (NIDS) are based on the interpretation of raw network traffic. They attempt to detect attacks by watching for patterns of suspicious activity in this traffic. NIDS are good at discerning attacks that involve low-level manipulation of the network, and can easily correlate attacks against multiple machines on a network. An intrusion detection system detects attacks in real time and informs the system administrator so that appropriate action can be taken. As a result, exposure to the intrusion, and the damage it could cause to data or systems, can be contained. A NIDS sees only the traffic that passes its sensor and cannot inspect encrypted sessions, so its placement on the network matters.

6.3.9 Physical Security:

6.3.9.1 Physical security is a vital part of any security plan and is fundamental to all security efforts: without it, information security, software security, user access security and network security are considerably more difficult, if not impossible, to achieve. Physical security is achieved predominantly by controlled and restricted physical access to system resources. Access control, broadly, provides the ability to grant selective access to certain people at certain times and to deny access to all others at all times. Physical security involves the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, man-made catastrophes and accidental damage (e.g., from electrical surges, extreme temperatures and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control and appropriate protection from intruders. Thus, in broad terms, the focus is on restricting access to the computer area, controlling access to all vulnerable and sensitive areas of the department, and monitoring all staff and visitors.
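The following Python fragment is added as an illustration of the network-based detection described in 6.3.8(c) and (d); it is not taken from the report or from any IDS product. It runs two detectors over a constructed packet log: a port scan detector, which flags a source that probes many distinct ports on one host within a short window (what the scanners of 6.3.8(a) produce when turned against a bank), and a SYN flood detector, which flags a host receiving far more connection attempts than completed handshakes (the denial of service attack of 6.3.2). The thresholds are arbitrary and would be tuned to the network; treating any pure ACK as a completed handshake is a simplification.

```python
"""Added example: two detections of the kind a network-based IDS performs.

Runs over a constructed list of packet summaries. Thresholds, addresses and
records are constructed; this is not code from the report or from any IDS product.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags, e.g. "S", "SA", "A", "R"


def detect_port_scans(pkts, window=10.0, threshold=20):
    """Alert once per (source, host) when the source has attempted connections to
    at least `threshold` distinct ports on that host within `window` seconds."""
    history = defaultdict(deque)   # (src, dst) -> deque of (t, dport), sliding window
    alerts = {}
    for p in sorted(pkts, key=lambda x: x.t):
        if "S" not in p.flags or "A" in p.flags:
            continue               # only connection attempts (SYN without ACK) count
        q = history[(p.src, p.dst)]
        q.append((p.t, p.dport))
        while q and q[0][0] < p.t - window:
            q.popleft()
        ports = {d for _, d in q}
        if len(ports) >= threshold and (p.src, p.dst) not in alerts:
            alerts[(p.src, p.dst)] = (f"port scan: {p.src} probed {len(ports)} ports "
                                      f"on {p.dst} within {window:g}s")
    return list(alerts.values())


def detect_syn_floods(pkts, window=5.0, ratio=10, min_syns=50):
    """Alert when, per destination and fixed window, SYNs arrive at >= `ratio` times
    the number of handshakes completed (approximated by pure ACKs to the host)."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for p in pkts:
        bucket = (p.dst, int(p.t // window))
        if p.flags == "S":
            syns[bucket] += 1
        elif p.flags == "A":
            acks[bucket] += 1
    alerts = []
    for (dst, b), n in sorted(syns.items()):
        if n >= min_syns and n >= ratio * max(acks[(dst, b)], 1):
            alerts.append(f"syn flood: {n} SYNs vs {acks[(dst, b)]} completed "
                          f"handshakes to {dst} in window {b}")
    return alerts


def sample_traffic():
    """Constructed capture: normal customers, one scanner, one flood."""
    pkts = []
    # Thirty customers each complete a handshake to the web server (10.1.2.5).
    for i in range(30):
        t, src = i * 0.5, f"198.51.100.{i + 1}"
        pkts += [Pkt(t, src, "10.1.2.5", 443, "S"), Pkt(t + 0.01, src, "10.1.2.5", 443, "A")]
    # A scanner walks ports 1..25 on the web server in under four seconds.
    for port in range(1, 26):
        pkts.append(Pkt(20 + port * 0.15, "203.0.113.9", "10.1.2.5", port, "S"))
    # A flood: 120 SYNs from spoofed sources to the mail relay in two seconds, none completed.
    for i in range(120):
        pkts.append(Pkt(40 + i * (2 / 120), f"192.0.2.{i % 250 + 1}", "10.1.2.8", 25, "S"))
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    for alert in detect_port_scans(traffic) + detect_syn_floods(traffic):
        print(alert)
```

Note that the scanner's 25 SYNs do not trip the flood detector and the flood's 120 single-port SYNs do not trip the scan detector: each rule looks at a different feature of the traffic, which is why a NIDS carries many such rules rather than one.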
6.3.9.3 Physical access can be secured through the following means: bolting door locks and combination locks, electronic door locks, biometric door locks, manual logging, electronic logging, photo identification badges, video cameras stationed at strategic points, and controlled visitor access. A bank should also have in place environmental controls to manage exposures from fire, natural disasters, power failure, air-conditioning failure, water damage, bomb threat / attack, etc. A few means of obtaining control over environmental exposure are:

1. The server room and any other unattended equipment room should have water detectors. Fire extinguishers should be placed at all strategic points, supplementing fire suppression systems with smoke detectors; fire resistant materials should be used in office fittings, including furniture; there should be a redundant power supply from two substations; electrical wiring should be placed in fire resistant panels and conduits; and evacuation plans should be documented and tested.

2. It is important to educate all stakeholders (users, employees, etc.) about the importance of physical security. This education should include how to recognise and resist social engineering, by which an intruder talks his way past physical and procedural controls.

6.3.10 Security Policy:

6.3.10.1 The information security policy is the systematic statement of the approaches and policies governing the information security measures to be employed within the organization, to assure the security of the information and information systems it owns. The security policy should address the following items:

1. Basic approach to information security measures.
2. The information and information systems that must be protected, and the reasons for such protection.
3. Priorities among the information and information systems that must be protected.
4. Involvement and responsibility of management, and establishment of an information security coordination division.
5. Checks by the legal department and compliance with laws / regulations.
6. The use of outside consultants.
7. Identification of information security risks and their management.
8. Impact of security policies on quality of service to customers (for example, disabling an account after three unsuccessful logins may result in denial of service when the attempts are made mischievously by somebody else, or when restoration takes unduly long).
9. Decision making process for carrying out information security measures.
10. Procedures for revising information security measures.
11. Responsibilities of each officer and employee, and the rules (disciplinary action etc.) to be applied in each case.
12. Auditing of compliance with the security policy.
13. User awareness and training regarding information security.
14. Business continuity plans.
15. Procedures for periodic review of the policy and the security measures.
6.3.10.2 The top management of the bank must express a commitment to security by manifestly approving and supporting formal security awareness and training. This may require special management level training. Security awareness teaches people not to disclose sensitive information such as passwords or file names. Security guidelines, policies and procedures affect the entire organization and, as such, should have the support and suggestions of end users, executive management, security administration, IS personnel and legal counsel.

6.4 Recommendations

6.4.1 Security Organization: Organizations should make an explicit security plan and document it. There should be a separate Security Officer / Group dealing exclusively with information systems security. The Information Technology Division implements the computer systems, the Computer Security Officer deals with their security, and the Information Systems Auditor audits the information systems; the three roles should be kept separate.

6.4.2 Access Control: Logical access controls should be implemented on data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or biometric technologies.

6.4.3 Firewalls: At the minimum, banks should use the proxy server type of firewall, so that there is no direct connection between the Internet and the bank's systems. It facilitates a high level of control and in-depth monitoring using logging and auditing tools. For sensitive systems, a stateful inspection firewall is recommended, which thoroughly inspects all packets of information and compares past and present transactions. Such firewalls generally also provide real-time security alerts.

6.4.4 Isolation of Dial Up Services: Any system supporting dial up services through a modem on the same LAN as the application server should be isolated, to prevent intrusions into the network that bypass the proxy server.

6.4.5 Security Infrastructure: At present, PKI is the most favoured technology for secure Internet banking services. However, it is not yet commonly available. While PKI infrastructure is strongly recommended, during the transition period, until IDRBT or Government puts the PKI infrastructure in place, the following options are recommended:

1. Use of SSL, which ensures server authentication, and the use of client side certificates issued by the banks themselves using a Certificate Server.
2. The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself.

6.4.6 Isolation of Application Servers: It is also recommended that all unnecessary services on the application server, such as ftp and telnet, be disabled. The application server should be isolated from the e-mail server.

6.4.7 Security Log (Audit Trail): All computer accesses, including messages received, should be logged. All computer access and security violations (suspected or attempted) should be reported, and follow-up action taken as per the organization's escalation policy.

6.4.8 Penetration Testing: The information security officer and the information systems auditor should undertake periodic penetration tests of the system, which should include:

1. Attempting to guess passwords using password-cracking tools.
2. Searching for back door traps in the programs.
3. Attempting to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks.
4. Checking whether commonly known holes in the software, especially the browser and the e-mail software, exist.
5. The penetration testing may also be carried out by engaging outside experts (often called ethical hackers).

6.4.9 Physical Access Controls: Though generally overlooked, physical access controls should be strictly enforced. Physical security should cover all the information systems and the sites where they are housed, against both internal and external threats.
6.4.10 Bac up & Recovery:The ban should have a proper infrastructure and sched ules forbac ing up data. The bac ed-up data should be periodically tested to ens ure recoverywithout loss of transactions in a time frame as given out in the ban s security policy.Business continuity should be ensured by having disaster recov ery sites where bac ed-up data is stored. These facilities should also be tested periodically. 6.4.11 Monitoring against threats: The ban s should acquire tools for monitoring systemsand the networ s against in trusions and attac s. These tools should be used regularly toavoid security brea ches. 6.4.12 Education & Review:The ban s should review their security infrastructure andsecurity policies regularly and optimize them in the light of their own exper iences andchanging technologies. They should educate on a continuous basis their securitypersonnel and also the end-users. 6.4.13 Log of Messages:The ban ing applications run by the ban should have prop er record eeping facilities for legal purposes. It may be necessary to eep all received and sentmessages both in encrypted and decrypted form. (When stored in encrypted form, itshould be possible to decrypt the information for legal purpos e by obtaining eys withowners consent.) 6.4.14Certified Products:The ban s should use only those security solutions/prod ucts whichare properly certified for security and for record eeping by independ ent agencies (suchas IDRBT). 6.4.15 Maintenance of Infrastructure:Security infrastructureshould be properly t estedbefore using the systems and applications for normal operations. The ban shouldupgrade the systems by installing patches released by developers to remov e bugs andloopholes, and upgrade to newer versions which give better security an d control. 6.4.16 Approval for I-ban ing:All ban s having operations in India and intending

to offerInternet ban ing services to public must obtain an approval for the sam e from RBI. Theapplication for approval should clearly cover the systems and pro ducts that the ban plans to use as well as the security plans and infrastructur e. RBI may call for variousdocuments pertaining to security, reliability, availa bility, auditability, recoverability, andother important aspects of the services . RBI may provide model documents forSecurity Policy, Security Architecture, and Operations Manual. 6.4.17Standing Committee:RBI may set up a standing Committee to monitor security policyissues and technologies, to review prescribed standards, and to ma e fres hrecommendations on a regular basis. Chapter -7 - Legal Issues I involved I n Internet Ban ing 7.1.1The legal framewor for ban ing in India is provided by a set of enactments , viz., theBan ing Regulations Act, 1949, the Reserve Ban of India Act, 1934, a nd the ForeignExchange Management Act, 1999. Broadly, no entity can function as a ban in Indiawithout obtaining a license from Reserve Ban of India under Ban ing RegulationsAct, 1949. Different types of activities which a ban may underta e and otherprudential requirements are provided under this Act. Accepting of de posit from publicby a non-ban attracts regulatory provisions under Reserve Ban of India Act 1934.Under the Foreign Exchange Management Act 1999, no Indian res ident can lend, opena foreign currency account or borrow from a non resident, in cluding non-residentban s, except under certain circumstances provided in law. B esides these, ban ingactivity is also influenced by various enactments governing trade and commerce, suchas, Indian Contract Act, 1872, the Negotiable Instrumen ts Act, 1881, Indian EvidenceAct, 1872, etc. 7.1.2As discussed earlier, Internet ban ing is an extension of the traditional b an ing, whichuses Internet both as a medium for receiving instructions from the customers and alsodelivering ban ing services. 
Hence, conceptually, various provisions of law which are applicable to traditional banking activities are also applicable to Internet banking. However, use of the electronic medium in general and the Internet in particular in banking transactions has put to question the legality of certain types of transactions in the context of existing statute. The validity of an electronic message / document, authentication, validity of a contract entered into electronically, non-repudiation, etc. are important legal questions having a bearing on electronic commerce and Internet banking. It has also raised the issue of the ability of banks to comply with legal requirements / practices like secrecy of customers' accounts, privacy, consumer protection etc. given the vulnerability of data / information passing through the Internet. There is also the question of adequacy of law to deal with situations which are technology driven, like denial of service / data corruption because of technological failure, infrastructure failure, hacking, etc. Cross border transactions carried through the Internet pose the issue of jurisdiction and conflict of laws of different nations.

7.1.3 This dichotomy between integration of trade and finance over the globe through e-commerce and divergence of national laws is perceived as a major obstacle for e-commerce / i-banking and has set in motion the process of harmonization and standardization of laws relating to money, banking and financial services. A major initiative in this direction is the United Nations Commission on International Trade Law (UNCITRAL)'s Model Law, which was adopted by the General Assembly of the United Nations and has been recommended to the member nations for consideration while revising / adopting their laws of electronic trade.

7.1.4 Government of India has enacted The Information Technology Act, 2000, in order to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce. The Act, which has also drawn upon the Model Law, came into force with effect from October 17, 2000. The Act has also amended certain provisions of the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 in order to facilitate e-commerce in India. However, this Act will not apply to:
1. A negotiable instrument as defined in section 13 of the Negotiable Instruments Act, 1881;
2. A power-of-attorney as defined in section 1A of the Power-of-Attorney Act, 1882;
3. A trust as defined in section 3 of the Indian Trusts Act, 1882;
4. A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925;
5. Any contract for the sale or conveyance of immovable property or any interest in such property;
6. Any such class of documents or transactions as may be notified by the Central Government in the official Gazette.

7.1.5 In the course of providing Internet banking services the banks in India are facing new challenges relating to online opening of accounts, authentication, secrecy of customers' accounts, non-repudiation, liability standards and consumer protection, etc., each of which has been examined in the context of the existing legal framework.

7.2.1 Online opening of account: The banks providing Internet banking service, at present, are only willing to accept the request for opening of accounts. The accounts are opened only after proper physical introduction and verification. This is primarily for the purpose of proper identification of the customer and also to avoid benami accounts as also money laundering activities that might be undertaken by the customer. Supervisors world over expect the Internet banks also to follow the practice of know your customer.

7.2.2 As per Section 131 of the Negotiable Instruments Act, 1881 (the Act), a banker who has in good faith and without negligence received payment for a customer of a cheque crossed generally or specially to himself shall not, in case the title to the cheque proves defective, incur any liability to the true owner of the cheque by reason only of having received such payment.
The banker's action in good faith and without negligence has been discussed in various case laws, and one of the relevant passages from the judgment of Justice Chagla in the case of Bapulal Premchand Vs Nath Bank Ltd. (AIR 1946 Bom. 482) is as follows: Primarily, inquiry as to negligence must be directed in order to find out whether there is negligence in collecting the cheque and not in opening the account, but if there is any antecedent or present circumstance which aroused the suspicion of the banker then it would be his duty before he collects the cheque to make the necessary enquiry and undoubtedly one of the antecedent circumstances would be the opening of the account. In certain cases failure to make enquiries as to the integrity of the proposed customer would constitute negligence.

7.2.3 Further, the Supreme Court of India in Indian Overseas Bank Ltd. Vs. Industrial Chain Concern [JT 1989 (4) SC 334] has stated that as a general rule, before accepting a customer, the bank must take reasonable care to satisfy himself that the person in question is in good reputation and if he fails to do so, he will run the risk of forfeiting the protection given by Section 131 of the Negotiable Instruments Act, 1881, but reasonable care depends upon the facts and circumstances of the case. Similarly, the Delhi High Court was also of the view that modern banking practice requires that a constituent should either be known to the bank or should be properly introduced. The underlying object of the bank insisting on producing reliable references is only to find out if possible whether the new constituent is a genuine party or an imposter or a fraudulent rogue [Union of India Vs National Overseas Grindlays Bank Ltd. (1978) 48 Com. Cases 277 (Del)].
7.2.4 Thus, the introduction of a new customer by a third party reference is a well-recognized practice followed by the banks before opening new accounts in order to prove the reasonable care and absence of any negligence in permitting the new customer to open the account. Further, in order to establish the reasonable care, the banks have to make enquiries about the integrity/reputation of the prospective customer. It is not a mere enquiry about the identity of the person. The Group, therefore, endorses the practice presently followed by the banks in seeking proper introduction before allowing the operations of the customers' accounts. In the context of Internet banking and after the coming into force of the Information Technology Act, 2000, it may be possible for the banks to rely on the electronic signatures of the introducer. But this may have to await till the certification machinery as specified in the Information Technology Act, 2000 comes into operation.

7.3.1 Authentication: One of the major challenges faced by banks involved in Internet banking is the issue relating to authentication and the concerns arising in solving problems unique to electronic authentication such as issues of data integrity, non-repudiation, evidentiary standards, privacy, confidentiality issues and consumer protection. The present legal regime does not set out the parameters as to the extent to which a person can be bound in respect of an electronic instruction purported to have been issued by him. Generally, authentication is achieved by what is known as a security procedure. Methods and devices like personal identification numbers (PIN), code numbers, telephone-PIN numbers, relationship numbers, passwords, account numbers and encryption are evolved to establish the authenticity of an instruction. From a legal perspective, the security procedure requires to be recognized by law as a substitute for signature. Different countries have addressed these issues through specific laws dealing with digital signatures. In India, the Information Technology Act, 2000 (the "Act") in Section 3(2) provides that any subscriber may authenticate an electronic record by affixing his digital signature.
However, the Act only recognizes one particular technology as a means of authenticating electronic records (viz., the asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record). This might lead to the doubt of whether the law would recognize the existing methods used by the banks as a valid method of authenticating the transactions. In this regard, as noted in paragraph [3.2.2] of Chapter [3] of this Report, the approach in the other countries has been to keep the legislation technology neutral. The Group is of the view that the law should be technology neutral so that it can keep pace with technological developments without requiring frequent amendments to the law, as there exists a lot of uncertainty about future technological and market developments in Internet banking. This however would not imply that the security risks associated with Internet banking should go unregulated.

7.3.2 Hence, Section 3(2) of the Information Technology Act, 2000 may need to be amended to provide that the authentication of an electronic record may be effected either by the use of the asymmetric crypto system and hash function, or a system as may be mutually determined by the parties, or by such other system as may be prescribed or approved by the Central Government. If the agreed procedure is followed by the parties concerned it should be deemed as being an authenticated transaction. A clarification to this effect by way of an amendment of the aforesaid Act will facilitate Internet banking transactions.

7.3.3 Further, the banks may be allowed to apply for a license to issue digital signature certificates under Section 21 of the Information Technology Act, 2000 and become a certifying authority for facilitating Internet banking. The certifying authority acts like a trusted notary for authenticating the person, transaction and information transmitted electronically.
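As an added illustration of the two authentication routes that paragraphs 7.3.1 and 7.3.2 contrast (example code written for this page, not code from the Report or from any bank's system), the Go program below verifies a constructed electronic record first with the Section 3(2) model, a hash function plus an asymmetric key pair, and then with a symmetric procedure of the kind that could be "mutually determined by the parties"; the record text, the shared secret and the type and function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ElectronicRecord is a constructed sample instruction sent over the channel.
type ElectronicRecord []byte

// SecurityProcedure is the technology-neutral notion of paragraph 7.3.2: any
// agreed method that binds a record to its sender and detects alteration.
type SecurityProcedure interface {
	Authenticate(rec ElectronicRecord) ([]byte, error)
	Verify(rec ElectronicRecord, proof []byte) bool
}

// DigitalSignature follows the Section 3(2) model: a hash function transforms
// the record into a digest and the asymmetric private key envelops that digest.
type DigitalSignature struct {
	priv *rsa.PrivateKey
}

// NewDigitalSignature generates a fresh key pair (a hypothetical subscriber key).
func NewDigitalSignature(bits int) (*DigitalSignature, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &DigitalSignature{priv: k}, nil
}

func (d *DigitalSignature) Authenticate(rec ElectronicRecord) ([]byte, error) {
	digest := sha256.Sum256(rec)
	return rsa.SignPKCS1v15(rand.Reader, d.priv, crypto.SHA256, digest[:])
}

// Verify needs only the public key, so any relying party (the bank, a court)
// can check the signature: this is what gives non-repudiation.
func (d *DigitalSignature) Verify(rec ElectronicRecord, sig []byte) bool {
	digest := sha256.Sum256(rec)
	return rsa.VerifyPKCS1v15(&d.priv.PublicKey, crypto.SHA256, digest[:], sig) == nil
}

// AgreedProcedure is a symmetric alternative mutually determined by bank and
// customer at enrolment: an HMAC over the record with a shared secret.
type AgreedProcedure struct {
	secret []byte
}

func (a *AgreedProcedure) Authenticate(rec ElectronicRecord) ([]byte, error) {
	m := hmac.New(sha256.New, a.secret)
	m.Write(rec)
	return m.Sum(nil), nil
}

// Verify recomputes the tag and compares in constant time. Both parties hold
// the secret, so this proves the record came from one of them but cannot show
// which; unlike the digital signature it does not give non-repudiation.
func (a *AgreedProcedure) Verify(rec ElectronicRecord, tag []byte) bool {
	expected, _ := a.Authenticate(rec)
	return hmac.Equal(expected, tag)
}

// Exercise runs one procedure against a constructed instruction and a
// tampered copy; a sound procedure returns (true, false).
func Exercise(p SecurityProcedure) (genuineOK, tamperedOK bool, err error) {
	rec := ElectronicRecord("PAY 5000 FROM ACCT 0001 TO ACCT 0002") // constructed
	proof, err := p.Authenticate(rec)
	if err != nil {
		return false, false, err
	}
	tampered := ElectronicRecord("PAY 50000 FROM ACCT 0001 TO ACCT 0002")
	return p.Verify(rec, proof), p.Verify(tampered, proof), nil
}

func main() {
	ds, err := NewDigitalSignature(2048)
	if err != nil {
		panic(err)
	}
	procedures := map[string]SecurityProcedure{
		"digital signature (Section 3(2))": ds,
		"agreed procedure (HMAC)":          &AgreedProcedure{secret: []byte("constructed-shared-secret")},
	}
	for name, p := range procedures {
		ok, bad, err := Exercise(p)
		fmt.Printf("%-34s genuine=%v tampered=%v err=%v\n", name, ok, bad, err)
	}
}
```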
Using a digital certificate from a trusted certificate authority like a bank shall provide a level of comfort to the parties of an Internet banking transaction. Hence, it is recommended by the Committee that the Reserve Bank of India may recommend to the Central Government to notify the business of the certifying authority under Clause (o) of Section 6(1) of the Banking Regulation Act, 1949, to permit the banks to act as such trusted third parties in e-commerce transactions.

7.4.1 Mode of Payment under the Income Tax Act, 1961: Section 40A(3) of the Income Tax Act, 1961, dealing with deductible expenses, provides that in cases where the amount exceeds Rs. 20,000/-, the benefit of the said section will be available only if the payment is made by a crossed cheque or a crossed bank draft. One of the services provided by the banks offering Internet banking service is the online transfer of funds between accounts where cheques are not used, in which case the above benefit will not be available to the customers.

7.4.2 The primary intention behind the enactment of Section 40A of the Income Tax Act, 1961 is to check tax evasion by requiring payment to designated accounts. In the case of a funds transfer, the transfer of funds takes place only between identified accounts, which serves the same purpose as a crossed cheque or a crossed bank draft. Hence, the Committee recommends that Section 40A of the Income Tax Act, 1961, may be amended to recognise even electronic funds transfer.

7.5.1 Secrecy of Customer's Account: The existing regime imposes a legal obligation on the bankers to maintain secrecy and confidentiality about the customer's account. The law at present requires the banker to take scrupulous care not to disclose the state of his customer's account except on reasonable and proper occasions.

7.5.2 While availing the Internet banking services the customers are allotted proper User ID, passwords and/or personal identification numbers and/or the other agreed authentication procedure to access the Internet banking service, and only users with such access methodology and in accordance with the agreed procedure are authorized to access the Internet banking services. In other words, a third party would not be able to withdraw money from an account or access the account of the customer unless the customer had divulged his/her password in the first place.

7.5.3 However, if the password or the identification number is misplaced or lost or gets into the hands of the wrong person and such person procures details about the customer's account, then the banker may be faced with legal proceedings on the grounds of violation of the obligation to maintain secrecy of the customer's accounts.
This concern of the bankers is very high especially in the case of joint accounts where both the parties share one personal identification number or relationship number and operate the account jointly. Further, by the very nature of the Internet, the account of a customer availing Internet banking services would be exposed to the risk of being accessed by hackers and inadvertent finders.

7.5.4 The Internet banking services at present are being provided by most of the banks by systems which are only accessible through "secure zones" or SSL (Secure Sockets Layer) to secure and authenticate the user through a secure browser. Most of the banks have adopted 128-bit strong encryption which is widely accepted worldwide as a standard for securing financial transactions. To reduce the risk of the customer's account information being accessed by third parties, it is very important that the banks continue to be obliged to protect the customer account. However, it is equally important to note that the banks may still be exposed to the risk of liability to customers and hence they should adopt all reasonable safety controls and detection measures like establishment of firewalls, net security devices, etc. Further, banks should put in place adequate risk control measures in order to minimize possible risk arising out of breach of secrecy due to loss/ misplacement/ theft of customers' ID/PIN, etc.

7.6.1 Revocation and Amendment of Instructions: The general revocation and amendment instructions to the banks are intended to correct errors, including the sending of an instruction more than once. Occasionally, a revocation or amendment may be intended to stop a fraud. Under the existing law, banks are responsible for making and stopping payment in good faith and without negligence.
In an Internet banking scenario there are very limited or no stop-payment privileges, since it becomes impossible for the banks to stop payment in spite of receipt of a stop payment instruction, as the transactions are completed instantaneously and are incapable of being reversed. Hence the banks offering Internet banking services may clearly notify the customers of the time frame and the circumstances in which any stop payment instructions could be accepted.

7.7.1 Rights and Liabilities of the Parties: Typically, the banker-customer relationship is embodied in a contract entered into by them. The banks providing Internet banking services currently enter into agreements with their customers stipulating their respective rights and responsibilities, including the disclosure requirements in the case of Internet banking transactions, contractually. A standard format/minimum consent requirement to be adopted by the banks offering Internet banking facility could be designed by the Indian Banks' Association capturing, inter alia, access requirements, duties and responsibilities of the banks as well as customers and any limitations on the liabilities of the banks in case of negligence and non-adherence to the terms of agreement by customers.

7.8.1 Internet Banking and Money Laundering: One of the major concerns associated with Internet banking has been that Internet banking transactions may become untraceable and are incredibly mobile and may easily be anonymous and may not leave a traditional audit trail by allowing instantaneous transfer of funds. It is pertinent to note that money-laundering transactions are cash transactions leaving no paper trail. Such an apprehension will be more in the case of use of electronic money or e-cash. In the case of Internet banking the transactions are initiated and concluded between designated accounts. Further, Section 11 of the proposed Prevention of Money Laundering Bill, 1999 imposes an obligation on every banking company, financial institution and intermediary to maintain a record of all the transactions or series of transactions taking place within a month, the nature and value of which may be prescribed by the Central Government. These records are to be maintained for a period of five years from the date of cessation of the transaction between the client and the banking company or the financial institution or the intermediary. This would apply to banks offering physical or Internet banking services. This will adequately guard against any misuse of Internet banking services for the purpose of money laundering. Further, the requirement of the banking companies to preserve specified ledgers, registers and other records for a period of 5 to 8 years, as per the Banking Companies (Period of Preservation of Records) Rules, 1985 promulgated by the Central Government, also adequately takes care of this concern.
7.9.1 Maintenance of Records: Section 4 of the Bankers' Books Evidence Act, 1891, provides that a certified copy of any entry in a banker's book shall in all legal proceedings be received as prima facie evidence of the existence of such an entry. The Banking Companies (Period of Preservation of Records) Rules, 1985 promulgated by the Central Government require banking companies to maintain ledgers, records, books and other documents for a period of 5 to 8 years. A fear has been expressed as to whether the above details of the transactions, if maintained in an electronic form, will also serve the above purpose. The Group is of the considered opinion that this has been adequately taken care of by Section 7 and the Third Schedule of the Information Technology Act, 2000.

7.10.1 Inter-Bank Electronic Funds Transfer: Electronic Funds Transfer via the Internet, in its present form, is provided only between accounts with the same bank. The transaction is effected by the originator who gives the electronic payment order to one branch of a bank offering the Internet banking facility ("the Sending Branch"). The electronic instruction is processed by the back end software of the branch to confirm the account number and the person's identification, and an instruction is issued by the Sending Branch to the branch having the account of the beneficiary ("Beneficiary Branch") to credit the account of the beneficiary. The Sending Branch debits the account of the originator at its end. At present there is no clearing mechanism in place for settlement of inter-bank electronic funds transfer. The entire gamut of electronic funds transfer and the legal issues and risks involved in the same are currently being examined by a committee set up by the Reserve Bank of India. The 4th Schedule to the Information Technology Act, 2000 has amended the Reserve Bank of India Act, 1934 empowering the Reserve Bank of India to regulate electronic funds transfer between banks and banks and other financial institutions.
7.11.1 Miscellaneous: During the course of deliberations, the Group discussed certain issues where the legal position is not clear but which have a bearing on Internet banking. Certain issues have also not been addressed by the Information Technology Act, 2000. Such issues are briefly discussed below. The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. The issues of privacy, secrecy of consumers' accounts and the rights and liabilities of customers and banks, etc. in the context of Internet banking have been discussed in earlier paragraphs. In cases where bilateral agreements defining customers' rights and liabilities are more adverse to consumers than what are enjoyed by them in the traditional banking scenario, it is debatable whether such agreements are legally tenable. For example, whether a bank can claim immunity if money is transferred unauthorizedly by a hacker from a customer's account, on the pretext that it had taken all reasonable and agreed network security measures. In a traditional banking scenario, a bank has normally no protection against payment of a forged cheque. If the same logic is extended, the bank providing I-banking may not absolve itself from liability to the customers on account of unauthorized transfer through hacking. A similar position may obtain in case of denial of service. Even though the Information Technology Act, 2000 has provided for penalty for denial of access to a computer system (Section 43) and hacking (Section 66), the liability of banks in such situations is not clear. The Group was of the view that the banks providing Internet banking may assess the risk and insure themselves against such risks.

7.11.2 There is no specific enactment in India which protects privacy of customers. Bankers' secrecy obligation mostly follows from different case laws. In the UK, the Data Protection Act 1984 specifically prohibits personal data from being disclosed for purposes other than those for which the data is held. This prohibits use of customer data relating to their spending habits, preferences etc., for any commercial purpose. The Office of the Comptroller of the Currency has also issued directions to US banks enforcing customers' privacy. The Information Technology Act, 2000, in Section 72 has provided for penalty for breach of privacy and confidentiality. Further, Section 79 of the Act has also provided for exclusion of liability of a network service provider for data travelling through their network subject to certain conditions. Thus, the liability of banks for breach of privacy when data is travelling through the network is not clear. This aspect needs detailed legal examination. The issue of ownership of transactional data stored in banks' computer systems also needs further examination.
7.11.3 The applicability of various existing laws and banking practices to e-banking is not tested and is still in the process of evolving, both in India and abroad. With rapid changes in technology and innovation in the field of e-banking, there is a need for constant review of different laws relating to banking and commerce. The Group, therefore, recommends that the Reserve Bank of India may constitute a multidisciplinary high level standing committee to review the legal and technological requirements of e-banking on a continual basis and recommend appropriate measures as and when necessary.

Chapter 8 - Regulatory and supervisory concerns

8.1 Banking on the Internet provides benefits to the consumer in terms of convenience, and to the provider in terms of cost reduction and greater reach. The Internet itself however is not a secure medium, and thus poses a number of risks of concern to regulators and supervisors of banks and financial institutions. World over, regulators and supervisors are still evolving their approach towards the regulation and supervision of Internet banking. Regulations and guidelines issued by some countries include the following.
1. Requirement to notify about web site content
2. Prior authorization based on risk assessment made by external auditors
3. On-site examination of third party service providers
4. Off-site policing the perimeters to look for infringement
5. Prohibition on hyperlinks to non-bank business sites
6. Specification of the architecture
In some countries supervisors have followed a hands-off approach to regulation of such activities, while others have adopted a wait and watch attitude. This chapter suggests approaches to supervision of Internet banking activities, drawing upon the best international practices in this area as relevant to the Indian context.
8.2 Major supervisory concerns

8.2.1 These concerns can be clubbed into the following:
1. Operational risk issues
2. Cross border issues
3. Customer protection and confidentiality issues
4. Competitiveness and profitability issues

8.2.2 Operational risk issues: The open architecture of the Internet exposes the banks' systems to wide access through the easy availability of technology. The dependence of banks on third party providers places knowledge of banks' systems in the public domain and leaves the banks dependent upon relatively small firms which have high turnover of personnel. Further, there is absence of conventional audit trails as also relative anonymity of transactions due to remote access. It is imperative that security and integrity of the transactions are protected so that the potentiality for loss arising out of criminal activities, such as fraud, money laundering, tax evasion etc. and a disruption in delivery systems either by accident or by design, are mitigated. The supervisory responses to manage operational risk matters include issue of appropriate guidance on the risk (including outsourcing risk) control and record maintenance, issue of minimum standards of technology and security appropriate to the conduct of transactional business, extension of know your customer rules for transactions on the Internet, and insistence on appropriate and visible disclosure to inform customers of the risks that they face in doing business on the Internet.

8.2.3 Cross border issues: The Internet knows no frontiers, and banks can source deposits from jurisdictions where they are not licensed or supervised or have access to payment systems. Customers can potentially park their funds in jurisdictions where their national authorities have no access to records. The issues of jurisdiction, territoriality and recourse become even more blurred in the case of virtual banks. Cross border issues would also come into play where banks choose to locate their processing centres, records or backup centres in different jurisdictions. While country-specific approaches are being adopted at the national level, the Group on e-banking set up by the Basle Committee on Banking Supervision (BCBS) is engaged in bringing about harmonization in approaches at an international level.
8.2.4 Customer protection and confidentiality issues: The loss of customer confidentiality may pose a reputation risk to banks and the banking system as a whole. Transacting business on the Internet exposes data being sent across the Internet to interception by unauthorized agents, who may then use the data without the approval of the customers. There have also been incidents where glitches have developed in web sites permitting customers to access each other's accounts. To address these risks, customers need to be educated through adequate disclosures of such risks.

8.2.5 Competitiveness and profitability issues: While Internet banking is expected to substantially reduce the cost of doing transactions in the long run, the limited business being done on the Internet has yet to pay for the infrastructure in which banks have invested. This includes the tie up with technology companies in setting up payment gateways, portals and Internet solutions and the alliance with other businesses for cross-selling products. The coming years may however see a scenario where the margins of conventional banks come under pressure because of competition from Internet banking, including virtual banks, which need no infrastructure expenses. These issues have to be kept in mind by supervisors while deciding their approach to e-banking.

8.3 Broad regulatory framework

It would be necessary to extend the existing regulatory framework over banks to Internet banking also. Such an approach would need to take into account the provisions of both the Banking Regulation Act, 1949 and the Foreign Exchange Management Act, 1999.
1. Only such banks which are licensed and supervised in India and have a physical presence here should be permitted to offer Internet banking products to residents of India.
2. These products should be restricted to account holders only and should not be offered in other jurisdictions.
3. The services should only offer local currency products and that too by entities who are part of the local currency payment systems.
4. The in-out scenario where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India) and the out-in scenario where Indian residents are offered banking services by banks operating in cross-border jurisdictions are generally not permitted, and this approach should be carried over to Internet banking also.
5. The existing exceptions for limited purposes under FEMA, i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., would however be permitted transactions.
6. Overseas branches of Indian banks would be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor in keeping with the supervisory approach outlined in the next section.
7. This extension of approach would apply to virtual banks as well. Thus, both banks and virtual banks incorporated outside the country and having no physical presence here would not, for the present, be permitted to offer Internet services to Indian depositors.

8.4 Recommendations

With the above approach in mind, the Group recommends that the regulatory and supervisory concerns relating to Internet banking can be met in the manner outlined in the following paragraphs.

8.4.1 All banks which propose to offer transactional services on the Internet should obtain an in-principle approval from RBI prior to commencing these services. The application should be accompanied by a note put up to the Board of the bank along with the Board resolution passed. The Board note should cover the reasons for the bank choosing to enter into such business, the potential penetration it seeks to achieve, a cost-benefit analysis, a listing of products it seeks to offer, the technology and business partners for the products, and all third party support services and service providers with their track record and agreements with them, and the systems and the skills and capabilities it has in this regard and, most materially, the systems, controls and procedures it has put or intends to put in place to identify and manage the risks arising out of the proposed ventures.
The bank should also enclose a security policy framed in this regard which should cover all the recommendations made in Chapter 6 of this report and produce a certification from a reputed external auditor who is CISA or otherwise appropriately qualified that the security measures taken by the bank are adequate and meet the requirements and that risk management systems are in place to identify and mitigate the risks arising out of the entire gamut of Internet banking operations.

8.4.2 The RBI could require the bank together with the auditor to hold discussions with the RBI in this regard before granting such approval. After this initial approval is given, the bank would be obliged to inform the RBI of any material changes in web-site content and launch of new products.

8.4.3 The assurance about security controls and procedures, which is sought from the specialist external auditors, should be periodically obtained, with the periodicity depending on the risk assessment of the supervisor. Further, banks would also be required to report every breach or failure of the security systems and procedures to RBI, who may decide to subject the failure to an on-site examination or even commission an auditor to do so.

8.4.4 The RBI as supervisor would cover the entire risks associated with electronic banking as part of its annual inspections. For this purpose, a checklist could be developed along the lines of those covering general computerized banking featured in the manual developed for inspection of computerized branches. Till such time as the RBI builds up sufficient capability to do this in-house, it is recommended that this function be outsourced to qualified EDP auditors.

8.4.5 The focus of the supervisory approach would mainly be the transactional Internet banking services offered by existing banks as an alternative channel. To some extent the concerns in this regard are the same as those arising out of electronic banking in general.
The RBI has issued guidelines in the recent past on the R is s and Controls inComputers and Telecommunications which would be applicable eq ually to Internetban ing. Another supervisory focus would be on Record Maintenan ce and theiravailability for inspection and audit. Again, RBI has issued guideli nes for thesePreservation and Record Maintenance which need to be updated to inclu de the ris sheightened by ban ing on the net. Broadly, the record preservation a nd maintenancepolicy must encompass record eeping, record retention, record med ia and recordlocation. The ey features of this enhancement would be as follows:

1. The cornerstone of this policy should be security. Access to all bank-related electronic data should be restricted to authorized individuals.

2. All transactional, financial and managerial data pertaining to the previous financial year must be archived before 1 July of the subsequent financial year.

3. A senior officer / executive of the Bank possessing appropriate qualifications, education and/or background should be designated in-charge of the archived data. A possible designation could be Archived Data Security Officer.

4. All access to archived data should be with the authentic (written or by e-mail) approval of this Archived Data Security Officer (ADSO).

5. The role and responsibilities of the ADSO should be clearly delineated and well publicized within the bank.

6. Data so archived should be on such a platform and using such a technology that future alteration / modification / deletion of the data is not possible, once the data is archived.

7. If the technology and/or platform used for data storage involves compression and/or dis-aggregation of data, banks should have in place adequate software/hardware which will ensure easy restoration of the data as and when required by the bank's own departments and also by RBI as well as other statutory authorities.

8. All transactional, financial and managerial data should be available on-line. If, for reasons of paucity of on-line storage, such data (of the current financial year) has been backed-up and removed from on-line storage, it must be available in a format and at a location which ensures that the data can be restored on-line within a maximum of 24 hours from the date and time at which the demand for such data is made by users from within the bank or from RBI or other statutory authorities.

9. Similarly, transactional, financial and managerial data of the previous financial year should be made available within a maximum of 48 hours of the date and time at which such request is made by the bank's own users or by the RBI and other statutory authorities.

8.4.6 A vulnerability which is accentuated in Internet banking is the reliance upon third party providers and support services, and this requires banks to effectively manage the risks of all outsourced activities. In turn the supervisors should have the ability to assess the risks arising out of such liaisons. Direct supervision of the third party by the supervisor is not envisaged. Accordingly, as part of the Internet policy, banks should develop outsourcing guidelines which mitigate the risks of disruption and defective service. Alternatively, the IBA (Indian Banks Association) or IDRBT (Institute for Development and Research in Banking Technology) could be asked to develop broad guidelines for the use of the banking community.

8.4.7 Payment Gateway:

8.4.7.1 An externally shared service, which will develop as the pivot of Internet banking, would be the payment gateway. With the increasing popularity of e-Commerce, i.e., buying and selling over the Internet, electronic payments and settlements for such purchases is a natural and expected requirement. Banks, which are the vital segment of the payment system in the country, will therefore be required to equip themselves to meet this emerging challenge. In its basic form, the Inter-Bank Payment Gateway for payments and settlements of e-Commerce transactions is not very different from the traditional cheque clearing system, which is perhaps the most widely prevalent form of Inter-Bank settlement of funds, or the net settlement system of the international card agencies like Visa, MasterCard and American Express, for the credit card payments.
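The archiving requirements in 8.4.5 above (items 6 to 9: archived data must not be alterable once archived, compressed storage must still restore easily, and restoration must be possible on demand) can be partly met with a tamper-evident archive. The Python below is an example added here for illustration; it is not code from the report or from any bank's system. It stores each record compressed, chains SHA-256 hashes so that any later modification, deletion or reordering is detected on verification, and refuses to restore a damaged archive. The record layout, field names and sample data are constructed for the example. A hash chain gives tamper evidence rather than the physical impossibility of alteration that item 6 asks for, so the final chain hash must be recorded outside the archive (for instance signed by the ADSO or written to write-once media); otherwise a chain rebuilt from altered records would verify.

```python
import hashlib
import json
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of transactional records for one financial year (not real data).
SAMPLE_RECORDS = [
    {"txn_id": 1, "date": "2000-04-03", "account": "ACCT-0001", "amount": "1500.00", "type": "credit"},
    {"txn_id": 2, "date": "2000-04-03", "account": "ACCT-0002", "amount": "250.00", "type": "debit"},
    {"txn_id": 3, "date": "2001-03-30", "account": "ACCT-0001", "amount": "99.50", "type": "debit"},
]

GENESIS = "0" * 64  # chain anchor for the first entry


@dataclass(frozen=True)
class ArchiveEntry:
    seq: int           # position in the archive; a gap or reorder reveals deletion
    blob: bytes        # zlib-compressed canonical JSON of the record (item 7: compressed storage)
    content_hash: str  # SHA-256 of the uncompressed canonical JSON
    chain_hash: str    # SHA-256(previous chain_hash + content_hash), links entries together


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_archive(records: List[dict]) -> List[ArchiveEntry]:
    entries = []
    prev = GENESIS
    for seq, rec in enumerate(records):
        raw = canonical(rec)
        content_hash = hashlib.sha256(raw).hexdigest()
        chain_hash = hashlib.sha256((prev + content_hash).encode("ascii")).hexdigest()
        entries.append(ArchiveEntry(seq, zlib.compress(raw), content_hash, chain_hash))
        prev = chain_hash
    return entries


def head_hash(entries: List[ArchiveEntry]) -> str:
    # Value to record out-of-band (e.g. signed by the ADSO) when the archive is closed.
    return entries[-1].chain_hash if entries else GENESIS


def verify_archive(entries: List[ArchiveEntry],
                   expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first failing entry).

    If expected_head is given, the recomputed chain must also end at that value,
    which catches an archive that was rebuilt from scratch with altered records.
    """
    prev = GENESIS
    for position, e in enumerate(entries):
        if e.seq != position:
            return False, position
        raw = zlib.decompress(e.blob)
        if hashlib.sha256(raw).hexdigest() != e.content_hash:
            return False, position
        if hashlib.sha256((prev + e.content_hash).encode("ascii")).hexdigest() != e.chain_hash:
            return False, position
        prev = e.chain_hash
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def restore(entries: List[ArchiveEntry], expected_head: Optional[str] = None) -> List[dict]:
    # Restoration (items 8 and 9) must never hand back data that fails verification.
    ok, bad = verify_archive(entries, expected_head)
    if not ok:
        raise ValueError(f"archive integrity failure at entry {bad}")
    return [json.loads(zlib.decompress(e.blob)) for e in entries]


def alter_in_place(entries: List[ArchiveEntry], seq: int, field: str, value) -> List[ArchiveEntry]:
    # Simulates an after-the-fact edit of one stored record (for the demonstration only).
    e = entries[seq]
    rec = json.loads(zlib.decompress(e.blob))
    rec[field] = value
    forged = ArchiveEntry(e.seq, zlib.compress(canonical(rec)), e.content_hash, e.chain_hash)
    return entries[:seq] + [forged] + entries[seq + 1:]
```

In use, `build_archive` runs once when the previous year's data is closed (item 2), `head_hash` is what the ADSO records and approves access against (items 3 and 4), and `restore` is the only path by which the bank's own departments or the RBI receive archived data.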
8.4.7.2 With the emergence of the Internet and the ability to buy and sell over the Internet, it has become imperative to deploy a similar Inter-Bank Payment Gateway to facilitate authorization for payments and settlement between participating institutions for commercial transactions carried out over the Internet. No one particular model for setting up an Inter-Bank Payment Gateway for such payments has been established as yet and we are, therefore, in a situation where the regulatory and supervisory framework itself needs to be evolved.
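The net settlement mode that 8.4.7.1 above compares with cheque clearing and card-scheme settlement is illustrated by the Python below, an example added here and not code from the report or from any gateway operator. It takes a constructed batch of inter-bank e-Commerce payments, settles large-value items individually (gross) and multilaterally nets the rest into one position per bank against a single clearing bank. The threshold value, bank names and TRNs are assumptions. Two controls are built in: intra-bank items are rejected because they do not belong in inter-bank clearing, and the net positions are checked to sum to zero before any settlement instruction is issued.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Payment:
    trn: str          # transaction reference number (constructed for the example)
    payer_bank: str
    payee_bank: str
    amount: Decimal   # Decimal, never float, for monetary values


# Constructed batch of inter-bank e-Commerce payments reaching the gateway on one day.
SAMPLE_PAYMENTS = [
    Payment("TRN-0001", "BANK-A", "BANK-B", Decimal("1200.00")),
    Payment("TRN-0002", "BANK-B", "BANK-A", Decimal("700.00")),
    Payment("TRN-0003", "BANK-A", "BANK-C", Decimal("300.00")),
    Payment("TRN-0004", "BANK-C", "BANK-B", Decimal("150000.00")),  # large-value item
    Payment("TRN-0005", "BANK-C", "BANK-A", Decimal("450.00")),
]

# Assumed cut-off between net and gross settlement; the report leaves the value unspecified.
THRESHOLD = Decimal("100000.00")


def is_intra_bank(p: Payment) -> bool:
    # Payer and payee at the same bank: handled by that bank internally, not by the gateway.
    return p.payer_bank == p.payee_bank


def split_by_mode(payments: List[Payment],
                  threshold: Decimal = THRESHOLD) -> Tuple[List[Payment], List[Payment]]:
    """Return (net_items, gross_items): items at or above the threshold settle one by one."""
    for p in payments:
        if is_intra_bank(p):
            raise ValueError(f"{p.trn}: intra-bank payment does not belong in inter-bank clearing")
    gross = [p for p in payments if p.amount >= threshold]
    net = [p for p in payments if p.amount < threshold]
    return net, gross


def net_positions(payments: List[Payment]) -> Dict[str, Decimal]:
    """Multilateral netting: each bank's single claim on (+) or obligation to (-) the clearing bank."""
    pos: Dict[str, Decimal] = defaultdict(lambda: Decimal("0"))
    for p in payments:
        pos[p.payer_bank] -= p.amount
        pos[p.payee_bank] += p.amount
    return dict(pos)


def settle(payments: List[Payment],
           threshold: Decimal = THRESHOLD) -> List[Tuple[str, str, Decimal]]:
    """Instructions for the clearing bank: one net entry per bank, one gross entry per large item."""
    net, gross = split_by_mode(payments, threshold)
    positions = net_positions(net)
    # Conservation check: netting moves value between banks, it never creates or destroys it.
    if sum(positions.values(), Decimal("0")) != 0:
        raise RuntimeError("net positions do not balance; refusing to settle")
    instructions = []
    for bank, amt in sorted(positions.items()):
        if amt < 0:
            instructions.append(("NET-DEBIT", bank, -amt))
        elif amt > 0:
            instructions.append(("NET-CREDIT", bank, amt))
    for p in gross:
        instructions.append(("GROSS", f"{p.payer_bank}->{p.payee_bank}", p.amount))
    return instructions
```

With the sample batch, the four small items collapse to three net entries (BANK-A and BANK-C pay the clearing bank, BANK-B is paid) while the 150,000.00 item from BANK-C to BANK-B is carried as a separate gross instruction.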

8.4.7.3 Given the above considerations, the following framework for setting up Inter-Bank Payment Gateways for Internet payments in India is suggested:

1. Only institutions that are members of the cheque clearing system in the country may be permitted to participate in the Inter-Bank Payment Gateway initiatives for Internet payments.

2. Both net-settlement and gross-settlement capabilities might be necessary, net settlement being the settlement mode for transactions below a certain pre-specified threshold value and gross settlement for transactions higher than the pre-specified value.

3. The Inter-Bank Payment Gateway should have one nominated bank as the clearing bank to settle all transactions.

4. The approval for setting up the Inter-Bank Payment Gateway should be granted only by the Reserve Bank of India, in their capacity as the Regulator of banks and Payment Systems in the country. The norms to become eligible to set up the Inter-Bank Payment Gateway should be specified by the Reserve Bank of India, on the basis of which institutions may seek formal approval to set up the Inter-Bank Payment Gateway.

5. It is expected that there will not be more than two or three Inter-Bank Payment Gateways in the Country and all banks who wish to participate in the payment and settlement for e-Commerce transactions originated over the Internet could become a member of one or more of these Inter-Bank Payment Gateways.

6. All payments routed through the Inter-Bank Gateways should only cover direct debits and direct credits to the accounts maintained with the participating Banks by the parties involved in the e-Commerce transaction.

7. Payments effected using credit cards should not be routed through the Inter-Bank Payment Gateway. These should be authorized by the payer bank (i.e., acquiring bank) directly through its credit card authorization capability.

8. It should be obligatory on the part of the Inter-Bank Payments Gateway to establish, at any time, the complete trace of any payment transactions routed through it. The trace should cover the date and time stamp when the transaction was originated and authorized, the payee details (account number and name of the payee bank), the payer's details (account number and name of the payer bank), as well as a unique Transactional Reference Number (TRN) provided by both the Payee Bank and Payer Bank for each transaction.

9. Connectivity between the Inter-Bank Payment Gateway and the computer system of the member Banks should be achieved using a leased line network (not over the Internet), with appropriate data encryption standards.

10. All settlements over the Inter-Bank Payment Gateway should be intra-day, as far as possible in real time.

11. Until the exchange control aspects with regard to cross-border issues of e-Commerce transactions are fully discussed and documented, payment and settlement of such transactions should not be permitted over the Inter-Bank Payment Gateway.

12. Only Inter-Bank Payments and Settlements (i.e. transactions involving more than one Bank) should be routed through the Inter-Bank Payment Gateway. Intra-bank payments (i.e., transactions involving only one Bank) should be handled by the bank's own internal system.

13. The responsibility for the credit risk associated with every payment transaction routed over the Inter-Bank Payment Gateway will rest with the appropriate Payee Bank.

14. The mandate and the related documentation (that would form the basis for effecting payments for transactions carried out over the Internet) should be bilateral in nature, i.e., (a) between the Payee and the Payee's bank, (b) the Payer and the Payer's bank, (c) between the participating banks and the service provider who is responsible for the operations of the Inter-Bank Payment Gateway, and (d) between the banks themselves who are participating in the Inter-Bank Payment Gateway Initiative.
The rights and obligations of each party should be clearly stated in the mandate and should be valid in a court of law.

15. All transactions must be authenticated using a user ID and password. SSL/128 bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities.

16. The Service Provider who is responsible for the operations of the Inter-Bank Payment Gateway must ensure adequate firewalls and related security measures to ensure privacy to the participating institutions, i.e., every institution can access data pertaining to only itself and its customer transactions.

17. Internationally accepted standards such as ISO 8583 must be used for transmitting payment and settlement messages over the Network.

18. It may also be appropriate to have a panel of approved Auditors who will be required to certify the security of the entire infrastructure both at the Inter-Bank Payment Gateway as well as at the participating institutions' end prior to making the facility available for customer use. A process of perpetual audit must also be instituted.

8.4.8 It is not enough for the risk identification and assessment exercise to be between the bank and the supervisor alone. The customer too needs to be enlightened of the risks inherent in doing business on the net, and this would be served by having a mandatory disclosure template which would list the risks to the customer and the responsibilities and possible liability of the banks and the customer. Banks should also provide their most recent published financial results on their web-site.

8.4.9 The issue of reputation risk due to customers misunderstanding the hyper-links on the web-sites of banks also needs to be addressed. Fundamentally there are two scenarios where hyperlinks are necessary between non-bank business sites and bank-sites:

1. Where the Bank is required to inform visitors to its own Web Site about the Portals with whom they have a payment arrangement or Portals that the bank would want its customers to visit. These out-bound hyperlinks are unlikely to have any major security implications to the bank. In order to reflect the stability of the banking system, banks should not be seen as sponsors of or promoters of the products of unrelated businesses or of any businesses which they are not licensed to run. The hyperlinks should hence be confined to only those portals with which they have a payment arrangement or the sites of their subsidiaries or principals.

2. The second type of hyperlink is where the Portal sites link to the bank site to pass information pertaining to a payment by one of their Internet Shoppers. This usually involves making a URL (Uniform Resource Locator) link to the bank site to request authorization for payment. Such links deliver to the bank site information regarding the customer (typically his registration number) and the value of the payment to be authorized. Unless the bank exercises the right level of authentication and security, this type of URL link can be the source of a number of security breaches. It is therefore imperative that every bank ensures at least the following minimum security precautions in order that the bank's as well as its customers' interests are protected.

8.4.9.1 Upon receiving the URL request from the Portal site, the bank should authenticate the customer who has originated the transaction by asking him to key in, on the browser screen, his user ID and password which the bank would have provided him to facilitate access to his accounts with the bank.

8.4.9.2 Upon such authentication and due verification, the bank should re-submit the transaction information on the customer's browser terminal, i.e., the name of the Portal site to whom the payment is to be effected as well as the value of the transaction, and seek the explicit approval of the customer to authorize the payment.

8.4.9.3 Depending on the nature of the payment, the payment authorization request should be routed either to the credit card authorizing system if payment is requested using a credit card, or to the bank's host system in case of a direct debit, or to the Inter-Bank Payment Gateway in case of debit to a customer account in another bank.

8.4.9.4 Upon receiving the payment authorization, the bank should return the URL request to the originating Portal, with a unique reference number for the transaction, as a confirmation to pay as per the settlement cycle agreed with the Portal.

8.4.9.5 All interactions with the Portal sites as well as the customer's browser terminal should be secured using SSL/128 bit encryption as a minimum requirement and should in due course be also augmented with the digital certification requirement as and when digital certificate deployment is enabled in the country.

8.5 It was deliberated whether banks undertaking Internet banking should be subject to any additional capital charge because of the potentially higher proneness to unexpected losses. As yet standards have not been developed for measuring additional capital charge on account of operational risks. However, this will be covered in a way once the banks move towards risk-based supervision where supervisory intervention will be linked to the risk profile of individual institutions. In such a scenario, an enhanced supervisory risk assessment on this account could warrant an additional capital charge, which would also be consistent with the second pillar approach of the new capital accord.

8.6 The Basle Committee for Banking Supervision (BCBS) has constituted an Electronic Banking Group (EBG) to develop guiding principles for the prudent risk management of e-banking activities as an extension of the existing Basel Committee Risk Management Principles. The Group will identify the areas of concern for supervision of cross border e-banking activities and will promote cooperative international efforts within the banking industry. It will evolve sound practices and will encourage and facilitate exchange of information, training material, guidance etc., developed by other members and supervisors around the world. Therefore, there is a need for continued interaction among the central banks and supervisors with a view to enhancing the abilities of the supervisory community to keep pace with the dynamic e-banking activities.
This Working Group, therefore, recommends that the Reserve Bank of India should maintain close contact with regulating / supervisory authorities of different countries as well as with the Electronic Banking Group of BCBS and review its regulatory framework in keeping with developments elsewhere in the world.

Chapter 9 Recommendations

Keeping in view the terms of reference, the Group has made a number of recommendations in preceding chapters. A summary of these recommendations is given below.

9.1 Technology and Security Standards:

9.1.1 The role of the network and database administrator is pivotal in securing the information system of any organization. Some of the important functions of the administrator vis-a-vis system security are to ensure that only the latest versions of the licensed software with latest patches are installed in the system, proper user groups with access privileges are created and users are assigned to appropriate groups as per their business roles, a proper system of backup of data and software is in place and is strictly adhered to, a business continuity plan is in place and frequently tested, and there is a robust system of keeping logs of all network activity and analyzing the same. (Para 6.2.4)

9.1.2 Organizations should make an explicit security plan and document it. There should be a separate Security Officer / Group dealing exclusively with information systems security. The Information Technology Division will actually implement the computer systems while the Computer Security Officer will deal with their security. The Information Systems Auditor will audit the information systems. (Para 6.3.10, 6.4.1)

9.1.3 Access Control: Logical access controls should be implemented on data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or other biometric technologies. (Para 6.4.2)

9.1.4 Firewalls: At the minimum, banks should use the proxy server type of firewall so that there is no direct connection between the Internet and the bank's system. It facilitates a high level of control and in-depth monitoring using logging and auditing tools. For sensitive systems, a stateful inspection firewall is recommended which thoroughly inspects all packets of information, and past and present transactions are compared. These generally include a real-time security alert. (Para 6.4.3)

9.1.5 Isolation of Dial Up Services: All the systems supporting dial up services through modem on the same LAN as the application server should be isolated to prevent intrusions into the network as this may bypass the proxy server. (Para 6.4.4)

9.1.6 Security Infrastructure: PKI is the most favoured technology for secure Internet banking services. However, it is not yet commonly available. While PKI infrastructure is strongly recommended, during the transition period, until IDRBT or Government puts in place the PKI infrastructure, the following options are recommended:

1. Usage of SSL, which ensures server authentication, and the use of client side certificates issued by the banks themselves using a Certificate Server.

2. The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself. (Para 6.4.5)

9.1.7 Isolation of Application Servers: It is also recommended that all unnecessary services on the application server such as ftp, telnet should be disabled. The application server should be isolated from the e-mail server. (Para 6.4.6)

9.1.8 Security Log (Audit Trail): All computer accesses, including messages received, should be logged. All computer access and security violations (suspected or attempted) should be reported and follow-up action taken as per the organization's escalation policy. (Para 6.4.7)

9.1.9 Penetration Testing: The information security officer and the information system auditor should undertake periodic penetration tests of the system, which should include:

1. Attempting to guess passwords using password-cracking tools.

2. Search for backdoor traps in the programs.

3. Attempt to overload the system using DDoS (Distributed Denial of Service) & DoS (Denial of Service) attacks.

4. Check if commonly known holes in the software, especially the browser and the e
