Organizational Responsibilities for Fraud
Prevention
"Where there is Money, There
will be Frauds" is a truth every financial professional knows. The
increased use of technology in the Banking, Financial Services and
Insurance (BFSI) business has introduced the dimension of "Fraud
Management" as part of business responsibilities of BFSI business. Banks
and other financial entities have been quick to adapt to the technological
revolution and have converted most of their businesses online. This of
course makes good commercial sense since costs might be reduced and
customers may enjoy anytime anywhere services. However, what is necessary
to take note is the increased fraud risks accompanied by the change in
procedures accompanying the use of technology.
The use of technology in
business has also changed the profile of the people who work in BFSI
industries. Most of them are young and technically more skilled than their
superiors. As a result, technology power and administrative responsibility
is in different hands.
This situation of "Immature
Procedures and disengagement of power and responsibility" is a sure recipe
for proliferation of frauds. Hence we can foresee a quantum increase in
financial frauds in the coming days and the BFSI industry will be the worst
hit with this trend. It is therefore no surprise when "Cyber Crime Studies"
show that there is an increasing number of "Organized attacks on Banking
institutions". The Broking and Insurance industries may not be as much as
in news as the Banks. The reason could be that the fraudsters are first
milking the Banking industry and may look at other industries when the
getting goes tough in the Banking. Alternatively it may be a fact that
frauds in the Broking and Insurance industry are more subtle and difficult
to find out. Cyber Financial Frauds are therefore like time bombs
ticking to explode some time and in some cases may even take the
institution down under.
The impact of Frauds is
often felt first by the customers. For example, a customer of a Bank is
affected by a "Phishing Fraud" and loses money. Here the Bank may feel that
there was negligence on the part of the customer and hence the loss should
be borne by him. Bank considers itself not liable for the loss. Similarly
there may be a "Pump and Dump Scam" in which a phishing mail in the name of
an online broking firm might have been used. The Broking firm may feel that
it is not liable for the loss.
But it is necessary for the
BFSI managers to recognize that it will not be long before the liabilities
will be shifted to the institutions from the customers. World wide, this is
the trend. If some body wants to create a commercial venture built on a
technology platform, it is the responsibility of the owner of the venture
to make it safe for the customers. This principle is now part of the legal
mandate and often manifests itself in the form of "Legal Compliance", and
"Mandatory Information Security Audits".
A
recent survey of U.S. Internet users by the Ponemon Institute agrees with
this premise, finding that over three-fifths of the survey respondents
believed it "unacceptable" for a bank to not respond to phishing schemes
that use the bank's identity as the means of gaining the victim's trust.
Nearly 96 percent of the respondents said that banks need to use technology
to provide protection to their banking customers.
Naavi.org has been
suggesting that "Phishing" involves Section 66 offence under ITA 2000. When
this is read with Section 85 of ITA 2000, the responsibility for prevention
of Phishing becomes part of the "Due Diligence" requirements envisaged
under the Act, failure of which transfers the liability to the Bank and its
executives. This view was upheld in a recent German case, when a Bank
has been held responsible for a Phishing loss by a customer.
Though the
interpretation of responsibilities under GLBA is still not as strict as
HIPAA, it is expected that other countries would soon follow the footsteps
of the German case and expect a higher level of IS compliance from the
Banks. The IS compliance is not considered complete just with the
installation of a Firewall or a good Anti Virus system, it should be
complete with all aspects of information security including encryption, use
of digital signatures etc.
One of the most critical
aspects of compliance is "Creation of Cyber Crime Awareness amongst Staff
members". This should be the starting point for any security initiatives
since Staff participation is a part of any successful security
practice. It is in this context that Naavi has been suggesting "Cyber
Ethics Certification" for IT employees. Banking sector is perhaps the most
suitable industry where such a certification should be made mandatory.
It is in this context that Cyber Law College has been suggesting
"Cyber Ethics Certification" for IT employees. While it is expected that
sooner or later the regulatory authorities may make it mandatory for Banks
to conduct Cyber Crime Awareness programmes for all their staff members,
progressive Banks need to consider being pro-active in making Cyber Ethics
Certification as part of their recruitment and training policy.
Cyber Law College has pioneered a
“Cyber Ethics Certification Programme” which consists of a half day
“Awareness Workshop” including a presentation, Exit Test and signing of an
“Ethical Declaration”.
Such a programme is being successfully
implemented for the members of IT Companies engaged in Health Information
Processing for US clients where HIPAA has made such training mandatory.
Cyber Law College has also developed similar standards for Legal BPOs under
the LIPS 1008 (Legal Information protection Standard) and is in the process
of developing an Indian Financial Services Information Protection Standard
(IFIPS) addressing the needs of Information Security needs of small Banks,
online brokers and Insurance companies.
It is high
time that RBI makes it mandatory for all Banks in India to undertake a
training programme for its staff for certifying them as “Ethical Cyber
Bankers”.
Naavi
Nov 18, 2008
Related Article
Phishing Liability
Concerns Online Banks
Banks are liable for phishing attacks on customers, says German court
